Merge pull request #131 from genestack/feature/ODM-12563-admin-docs

genestack-okunitsyn · web-flow · commit 862718ca9fcc · 2025-08-11T16:46:38.000+02:00
[ODM-12761] Processors-controller doc
diff --git a/docs/home/clouds/aws.md b/docs/home/clouds/aws.md
@@ -133,9 +133,71 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
 
 - in the `Key policy` of the KMS key that is used to encrypt data in the S3 bucket
 
+## Cross-account ECR access
+
+⚠️ **Mandatory in case of processors-controller usage**
+
+The approach is based on the [official AWS documentation](https://repost.aws/knowledge-center/secondary-account-access-ecr) for ECR repository policies and cross-account access patterns.
+
+ECR cross-account access requires configuring both:
+
+- `IAM policy` attached to the IAM role/user
+
+If the ECR repository uses `KMS encryption` with a customer-managed key, then it is necessary to additionally grant access to the KMS key in:
+
+- The `IAM policy` that is attached to the IAM role/user
+
+- The `Key policy` of the KMS key used to encrypt the ECR repository
+
 ## Configuration examples
 
+<details><summary>IAM policy for ECR access</summary>
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ECRRepositoryAccess",
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetAuthorizationToken"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "ECRImagePull",
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:DescribeRepositories",
+        "ecr:DescribeImages",
+        "ecr:ListImages"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid" : "AllowUseOfTheKey",
+      "Effect": "Allow",
+      "Action" : [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey"
+      ],
+      "Resource" : ["KMS_KEY_ARN"]
+    }
+  ]
+}
+```
+
+</details>
+
 <details><summary>AbortIncompleteMultipartUpload rule</summary>
+
 ```json
 {
     "Rules": [
@@ -149,27 +211,29 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
     ]
 }
 ```
+
 </details>
 
 <details><summary>IAM policy for S3 access</summary>
+
 ```json
 {
   "Version" : "2012-10-17",
   "Statement" : [
     {
       "Sid" : "ListObjectsInBucket",
-      "Effect" : "Allow",
+      "Effect": "Allow",
       "Action" : [
         "s3:ListBucket",
         "s3:GetBucketLocation",
         "s3:ListBucketMultipartUploads",
         "s3:ListBucketVersions"
       ],
-      "Resource" : ["S3_BUCKET_ARN"]
+      "Resource": ["S3_BUCKET_ARN"]
     },
     {
       "Sid" : "AllObjectActions",
-      "Effect" : "Allow",
+      "Effect": "Allow",
       "Action" : [
         "s3:*Object*",
         "s3:AbortMultipartUpload",
@@ -179,7 +243,7 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
     },
     {
       "Sid" : "AllowUseOfTheKey",
-      "Effect" : "Allow",
+      "Effect": "Allow",
       "Action" : [
         "kms:Encrypt",
         "kms:Decrypt",
@@ -192,9 +256,11 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
   ]
 }
 ```
+
 </details>
 
 <details><summary>IRSA Trust Relationships</summary>
+
 ```json
 {
     "Version": "2012-10-17",
@@ -215,9 +281,11 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
     ]
 }
 ```
+
 </details>
 
 <details><summary>Pod Identity Trust Relationships</summary>
+
 ```json
 {
     "Version": "2012-10-17",
@@ -235,9 +303,11 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally
     ]
 }
 ```
+
 </details>
 
 <details><summary>GP3 StorageClass example</summary>
+
 ```yaml
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
@@ -249,9 +319,11 @@ provisioner: ebs.csi.aws.com
 volumeBindingMode: Immediate
 allowVolumeExpansion: true
 ```
+
 </details>
 
 <details><summary>TargetGroupBinding example</summary>
+
 ```yaml
 apiVersion: elbv2.k8s.aws/v1beta1
 kind: TargetGroupBinding
@@ -265,4 +337,5 @@ spec:
     port: 80
   targetGroupARN: TARGET_GROUP_ARN
 ```
+
 </details>
diff --git a/docs/home/release-notes/v1.60-v1.69.md b/docs/home/release-notes/v1.60-v1.69.md
@@ -1,5 +1,17 @@
 # Release notes
 
+## Version 1.62
+
+!!! tip ""
+    Helm chart version 1.62.0
+
+### Helm configuration changes
+
+- Added a new service, `processors-controller`, which manages the lifecycle of `transformation` pods.
+    - To use transformations, configure cross-account ECR access. See [Cross-account ECR access](./../clouds/aws.md#cross-account-ecr-access).
+    - The `processors-controller` requires RBAC permissions to manage `Pods`, `ConfigMaps`, and `PersistentVolumeClaims`.
+      The required manifests are included in the Helm chart and can be disabled by setting `processorsController.rbac.enabled` to `false`.
+
 ## Version 1.61
 
 !!! tip ""
