... | ... | @@ -1249,6 +1249,43 @@ We take the [separate bucket](https://docs.gitlab.com/ee/administration/object_s |
|
|
object storage has its own bucket assigned. This required a special
|
|
|
policy to be applied to the `gitlab` MinIO user:
|
|
|
|
|
|
```
|
|
|
{
|
|
|
"Version": "2012-10-17",
|
|
|
"Statement": [
|
|
|
{
|
|
|
"Sid": "BucketAccessForUser",
|
|
|
"Effect": "Allow",
|
|
|
"Action": [
|
|
|
"s3:*"
|
|
|
],
|
|
|
"Resource": [
|
|
|
"arn:aws:s3:::gitlab/*",
|
|
|
"arn:aws:s3:::gitlab"
|
|
|
]
|
|
|
},
|
|
|
{
|
|
|
"Sid": "BucketAccessForUser",
|
|
|
"Effect": "Allow",
|
|
|
"Action": [
|
|
|
"s3:*"
|
|
|
],
|
|
|
"Resource": [
|
|
|
"arn:aws:s3:::gitlab*"
|
|
|
]
|
|
|
}
|
|
|
]
|
|
|
}
|
|
|
```
|
|
|
|
|
|
That is the policy called `gitlab-star-bucket-policy` which grants
|
|
|
access to all buckets prefixed with `gitlab` (as opposed to only the
|
|
|
`gitlab` bucket itself).
|
|
|
|
|
|
Then we have an access token specifically made for this project called
|
|
|
`gitlab-registry` and that restricts the above policy to only the
|
|
|
`gitlab-registry` bucket.
|
|
|
|
|
|
{
|
|
|
"Version": "2012-10-17",
|
|
|
"Statement": [
|
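Review bot: both statements in the fenced `gitlab-star-bucket-policy` block carry `"Sid": "BucketAccessForUser"`; a Sid has to be unique within one policy (AWS IAM rejects duplicates, and even where MinIO tolerates them the two grants become indistinguishable in audit output), and the second statement's `"arn:aws:s3:::gitlab*"` already covers `"arn:aws:s3:::gitlab"` and `"arn:aws:s3:::gitlab/*"`, so the first statement is redundant. Suggest collapsing to a single statement on the `gitlab*` resources, or giving the two distinct Sids if the explicit `gitlab` bucket entry is wanted for readability. Note also that `"s3:*"` gives the `gitlab` user bucket-deletion and bucket-policy rights on every `gitlab*` bucket; if GitLab only needs object read/write/list for its object storage, enumerate those actions instead. Finally, the second policy introduced by "Then we have an access token specifically made for this project called `gitlab-registry`" opens at `{` without the triple-backtick fence the first block uses, so it will render as run-together paragraph text; wrap it in the same fence.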
... | ... | @@ -1258,17 +1295,14 @@ policy to be applied to the `gitlab` MinIO user: |
|
|
],
|
|
|
"Effect": "Allow",
|
|
|
"Resource": [
|
|
|
"arn:aws:s3:::gitlab*"
|
|
|
"arn:aws:s3:::gitlab-registry",
|
|
|
"arn:aws:s3:::gitlab-registry/*"
|
|
|
],
|
|
|
"Sid": "BucketAccessForUser"
|
|
|
}
|
|
|
]
|
|
|
}
|
|
|
|
|
|
That is the policy called `gitlab-star-bucket-policy` which grants
|
|
|
access to all buckets prefixed with `gitlab` (as opposed to only the
|
|
|
`gitlab` bucket itself).
|
|
|
|
|
|
It might be possible to manage the Docker registry software and
|
|
|
configuration directly from Puppet, with Debian package, but that
|
|
|
configuration is actually [deprecated since 15.8 and unsupported in
|
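Review bot: in the `Resource` array of the restricted `gitlab-registry` policy, `"arn:aws:s3:::gitlab*"` sits directly above `"arn:aws:s3:::gitlab-registry",` with no separating comma, so either the wildcard line is meant to stay and the block is invalid JSON, or it is valid and the wildcard re-grants every `gitlab*` bucket, which makes the restriction to the `gitlab-registry` bucket described above meaningless; the wildcard entry must go and only `"arn:aws:s3:::gitlab-registry"` and `"arn:aws:s3:::gitlab-registry/*"` should remain. The paragraph that follows, "That is the policy called `gitlab-star-bucket-policy` which grants access to all buckets prefixed with `gitlab`", describes the star policy rather than this one and already appears after the fenced block in the previous hunk, so it should not be kept under the restricted policy. A minor point: this block puts `"Sid"` last and `"Effect"` after `"Action"` while the first block lists them first; aligning the key order lets a reader diff the two policies by eye.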
... | ... | |