1 change: 1 addition & 0 deletions .github/workflows/release.yml
Expand Up @@ -36,6 +36,7 @@ jobs:
uses: cycjimmy/semantic-release-action@v4
with:
semantic_version: 23.0.2
branches: main
extra_plugins: |
@semantic-release/changelog@6.0.3
@semantic-release/git@10.0.1
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -28,7 +28,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.36.0 |
| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.11.0 |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.36.0 |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.37.1 |

## Modules

Expand All @@ -45,6 +45,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
| [kubernetes_namespace.gitlab](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_secret.gitlab_omniauth_providers](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.gitlab_rails_storage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.gitlab_registry_storage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.ldap](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_secret.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
Expand All @@ -57,6 +58,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_bucket_prefix"></a> [bucket\_prefix](#input\_bucket\_prefix) | Prefix used for S3 buckets | `string` | `""` | no |
| <a name="input_buckets_lifecycles"></a> [buckets\_lifecycles](#input\_buckets\_lifecycles) | Lifecycle rules for buckets | `map(string)` | `{}` | no |
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name where you want to deploy the release | `string` | n/a | yes |
| <a name="input_database_password"></a> [database\_password](#input\_database\_password) | Password to access PostgreSQL database | `string` | n/a | yes |
4 changes: 3 additions & 1 deletion examples/main.tf
Expand Up @@ -14,6 +14,7 @@ args:
]
}
EOF
bucket_prefix = "gitlab-mycompany"
}

module "gitlab" {
Expand All @@ -31,6 +32,7 @@ module "gitlab" {
"gitlab-omniauth-saml" = local.saml_google_provider
}

bucket_prefix = local.bucket_prefix
buckets_lifecycles = {
artifacts = <<EOF
{
Expand Down Expand Up @@ -71,7 +73,7 @@ EOF
redis_host = "master.gitlab.xxxxxx.euc1.cache.amazonaws.com"
redis_port = "6379"
release_name = "gitlab"
bucket_prefix = "gitlab-mycompany"
bucket_prefix = local.bucket_prefix
domain = "example.com"
smtp_address = "smtp.gmail.com"
})
3 changes: 3 additions & 0 deletions examples/values.yaml
Expand Up @@ -192,6 +192,9 @@ gitlab:
registry:
enabled: true
bucket: ${bucket_prefix}-registry
storage:
secret: ${release_name}-registry-storage
key: config
redis:
cache:
password:
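Review bot: The `secret: ${release_name}-registry-storage` and `key: config` values added under `registry.storage` must match the `kubernetes_secret` resource in `main.tf` exactly (metadata name and the `config` data key), and both files spell the string out independently, so a rename on either side fails only at registry start-up. A one-line comment above `storage:` such as `# name and key must match kubernetes_secret.gitlab_registry_storage in main.tf` would make the coupling visible to whoever edits either file. The enclosing `gitlab:` block starts outside the hunk.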
38 changes: 38 additions & 0 deletions main.tf
Expand Up @@ -105,6 +105,22 @@ resource "kubernetes_secret" "ldap" {
type = "Opaque"
}

resource "kubernetes_secret" "gitlab_registry_storage" {
metadata {
name = "${var.release_name}-registry-storage"
namespace = local.release_namespace
}

data = {
config = <<EOF
s3:
bucket: ${var.bucket_prefix}-registry
region: ${data.aws_region.current.name}
v4auth: true
EOF
}
}

data "aws_iam_policy_document" "s3_bucket_policy" {
for_each = local.buckets_list

Expand Down Expand Up @@ -162,6 +178,28 @@ data "aws_iam_policy_document" "s3_bucket_policy" {
actions = ["s3:GetObjectAcl"]
resources = ["arn:aws:s3:::${each.value}/*"]
}

statement {
sid = "AllowListBucketMultipartUploads"
effect = "Allow"
principals {
type = "AWS"
identifiers = [module.gitlab_role.iam_role_arn]
}
actions = ["s3:ListBucketMultipartUploads"]
resources = ["arn:aws:s3:::${each.value}"]
}

statement {
sid = "AllowListMultipartUploadParts"
effect = "Allow"
principals {
type = "AWS"
identifiers = [module.gitlab_role.iam_role_arn]
}
actions = ["s3:ListMultipartUploadParts"]
resources = ["arn:aws:s3:::${each.value}/*"]
}
}

module "s3_bucket" {
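Review bot: The two new bucket-policy statements at the end of `aws_iam_policy_document.s3_bucket_policy` let the GitLab role list multipart uploads and their parts, but nothing in this hunk grants `s3:AbortMultipartUpload`; unless an earlier statement outside the hunk already does, the registry cannot discard a failed upload and orphaned parts accumulate (and are billed) silently. If it is missing, add a statement mirroring `AllowListMultipartUploadParts` with `actions = ["s3:AbortMultipartUpload"]` over `arn:aws:s3:::${each.value}/*`, and consider an abort-incomplete-multipart-upload rule in `buckets_lifecycles` as a backstop. In the first hunk, `kubernetes_secret.gitlab_registry_storage` builds the bucket name as `${var.bucket_prefix}-registry`; with the variable's declared default of `""` this renders as `-registry`, which is not a valid S3 bucket name, so either the variable should be required or the resource should refuse an empty prefix. Both the policy document and `module "s3_bucket"` continue outside the hunk.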
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -76,6 +76,12 @@ variable "namespace_labels" {
default = {}
}

variable "bucket_prefix" {
description = "Prefix used for S3 buckets"
type = string
default = ""
}

variable "buckets_lifecycles" {
description = "Lifecycle rules for buckets"
type = map(string)
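Review bot: `variable "bucket_prefix"` defaults to `""`, yet `main.tf` in this same change interpolates it as `${var.bucket_prefix}-registry`, so an unset prefix produces a bucket name starting with a hyphen that S3 rejects; the example always sets it, which suggests the default is not a supported configuration. Unless an empty prefix is handled elsewhere (not visible here), drop the default so the input is required and add a validation block that enforces S3 bucket-name syntax, which also turns a typo into a plan-time error instead of a runtime registry failure. The README input table would then show `n/a`/`yes` for this variable.

```hcl
variable "bucket_prefix" {
  description = "Prefix used for S3 buckets"
  type        = string

  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9.-]*$", var.bucket_prefix))
    error_message = "bucket_prefix must be non-empty, contain only lowercase letters, digits, dots and hyphens, and must not start with a hyphen or dot."
  }
}
```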