From b62a09113ddd1e762dcbded8467741860166c4b5 Mon Sep 17 00:00:00 2001 From: Oleg Kunitsyn Date: Mon, 11 Aug 2025 14:47:40 +0200 Subject: [PATCH 1/7] [ODM-12761] Add version 1.62 section with processors-controller description --- docs/home/release-notes/v1.60-v1.69.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/home/release-notes/v1.60-v1.69.md b/docs/home/release-notes/v1.60-v1.69.md index bda5a27..14e23ab 100644 --- a/docs/home/release-notes/v1.60-v1.69.md +++ b/docs/home/release-notes/v1.60-v1.69.md @@ -1,5 +1,16 @@ # Release notes +## Version 1.62 + +!!! tip "" + Helm chart version 1.62.0 + +### Helm configuration changes + +- A new service `processors-controller` has been added. This service is responsible for managing the lifecycle of the `transformation` pods. +The `processors-controller` requires RBAC permissions to manage pods, configmaps, and persistent volume claims. +The necessary manifests are included in the Helm chart and can be disabled by setting `processorsController.rbac.enabled` to `false`. + ## Version 1.61 !!! tip "" From 61f875921202b560fbfd44c0f1de5ef1d68efa3d Mon Sep 17 00:00:00 2001 From: Oleg Kunitsyn Date: Mon, 11 Aug 2025 15:59:25 +0200 Subject: [PATCH 2/7] [ODM-12563] Add policy for ECR --- docs/home/clouds/aws.md | 79 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 75 insertions(+), 4 deletions(-) diff --git a/docs/home/clouds/aws.md b/docs/home/clouds/aws.md index 30de84b..5425c74 100644 --- a/docs/home/clouds/aws.md +++ b/docs/home/clouds/aws.md 
@@ -133,9 +133,69 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally - in the `Key policy` of the KMS key that is used to encrypt data in the S3 bucket +## Cross-account ECR access + +The approach is based on the [official AWS documentation](https://repost.aws/knowledge-center/secondary-account-access-ecr) for ECR repository policies and cross-account access patterns. + +ECR cross-account access requires configuring both: + +- `IAM policy` attached to the IAM role/user + +If the ECR repository uses `KMS encryption` with a customer-managed key, then it is necessary to additionally grant access to the KMS key in: + +- The `IAM policy` that is attached to the IAM role/user + +- The `Key policy` of the KMS key used to encrypt the ECR repository + ## Configuration examples +
IAM policy for ECR access + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ECRRepositoryAccess", + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken" + ], + "Resource": "*" + }, + { + "Sid": "ECRImagePull", + "Effect": "Allow", + "Action": [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:DescribeRepositories", + "ecr:DescribeImages", + "ecr:ListImages" + ], + "Resource": "*" + }, + { + "Sid" : "AllowUseOfTheKey", + "Effect": "Allow", + "Action" : [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource" : ["KMS_KEY_ARN"] + } + ] +} +``` + +
+
AbortIncompleteMultipartUpload rule + ```json { "Rules": [ @@ -149,27 +209,29 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally ] } ``` +
IAM policy for S3 access + ```json { "Version" : "2012-10-17", "Statement" : [ { "Sid" : "ListObjectsInBucket", - "Effect" : "Allow", + "Effect": "Allow", "Action" : [ "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions" ], - "Resource" : ["S3_BUCKET_ARN"] + "Resource": ["S3_BUCKET_ARN"] }, { "Sid" : "AllObjectActions", - "Effect" : "Allow", + "Effect": "Allow", "Action" : [ "s3:*Object*", "s3:AbortMultipartUpload", @@ -179,7 +241,7 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally }, { "Sid" : "AllowUseOfTheKey", - "Effect" : "Allow", + "Effect": "Allow", "Action" : [ "kms:Encrypt", "kms:Decrypt", @@ -192,9 +254,11 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally ] } ``` +
IRSA Trust Relationships + ```json { "Version": "2012-10-17", @@ -215,9 +279,11 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally ] } ``` +
Pod Identity Trust Relationships + ```json { "Version": "2012-10-17", @@ -235,9 +301,11 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally ] } ``` +
GP3 StorageClass example + ```yaml apiVersion: storage.k8s.io/v1 kind: StorageClass @@ -249,9 +317,11 @@ provisioner: ebs.csi.aws.com volumeBindingMode: Immediate allowVolumeExpansion: true ``` +
TargetGroupBinding example + ```yaml apiVersion: elbv2.k8s.aws/v1beta1 kind: TargetGroupBinding @@ -265,4 +335,5 @@ spec: port: 80 targetGroupARN: TARGET_GROUP_ARN ``` +
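Review bot: in the new "Cross-account ECR access" section the sentence "ECR cross-account access requires configuring both:" is followed by a single bullet, `IAM policy` attached to the IAM role/user; the second item is missing, and the section's own lead sentence names it (the ECR repository policy in the account that owns the images), so a reader cannot finish the setup from this page. Add that bullet and, to match the S3 section, a `Configuration examples` entry for the repository policy beside `IAM policy for ECR access`. In that example the `ECRImagePull` statement uses `"Resource": "*"`; `ecr:GetAuthorizationToken` genuinely needs `*`, but the pull and describe actions can be limited to the repository ARNs the transformation images are pulled from. The `AllowUseOfTheKey` statement, copied from the S3 policy, also grants `kms:Encrypt`, `kms:ReEncrypt*` and `kms:GenerateDataKey*` to a role whose only job here is pulling images; check the ECR encryption-at-rest requirements and keep the smallest set that pulls succeed with (`kms:Decrypt` and `kms:DescribeKey` are the only read-side operations in the list). Minor style point: the S3 hunks change `"Effect" : "Allow"` to `"Effect": "Allow"` but leave `"Sid" :` and `"Action" :` with the old spacing, so those blocks are now mixed-style; either normalise all keys or leave the blocks untouched.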
From e71343ffaff4ac6ba14c0aef785721bca1ddeff5 Mon Sep 17 00:00:00 2001 From: Oleg Kunitsyn Date: Mon, 11 Aug 2025 16:20:47 +0200 Subject: [PATCH 3/7] [ODM-12563] Add note for ecr access --- docs/home/clouds/aws.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/home/clouds/aws.md b/docs/home/clouds/aws.md index 5425c74..1e7d3ac 100644 --- a/docs/home/clouds/aws.md +++ b/docs/home/clouds/aws.md @@ -135,6 +135,8 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally ## Cross-account ECR access +⚠️ **Important: Mandatory in case of processors-controller usage** + The approach is based on the [official AWS documentation](https://repost.aws/knowledge-center/secondary-account-access-ecr) for ECR repository policies and cross-account access patterns. ECR cross-account access requires configuring both: From 4126b0f866a0c9a8d0db73856158848222ee3c30 Mon Sep 17 00:00:00 2001 From: Oleg Kunitsyn Date: Mon, 11 Aug 2025 16:22:59 +0200 Subject: [PATCH 4/7] [ODM-12563] Add note for ecr access --- docs/home/clouds/aws.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/home/clouds/aws.md b/docs/home/clouds/aws.md index 1e7d3ac..af32370 100644 --- a/docs/home/clouds/aws.md +++ b/docs/home/clouds/aws.md @@ -135,7 +135,7 @@ If the S3 bucket uses `SSE-KMS` encryption, then it is necessary to additionally ## Cross-account ECR access -⚠️ **Important: Mandatory in case of processors-controller usage** +⚠️ **Mandatory in case of processors-controller usage** The approach is based on the [official AWS documentation](https://repost.aws/knowledge-center/secondary-account-access-ecr) for ECR repository policies and cross-account access patterns. From 24441dfcf77f889dbefa4f52e1a1eccd0fef639f Mon Sep 17 00:00:00 2001 From: Oleg Kunitsyn Date: Mon, 11 Aug 2025 16:34:24 +0200 Subject: [PATCH 5/7] [ODM-12563] Add reference to release notes --- docs/home/release-notes/v1.60-v1.69.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
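Review bot: the new line `⚠️ **Mandatory in case of processors-controller usage**` marks the section as required but does not say which identity needs the access (the role assumed by the `processors-controller` or the `transformation` pods, via the IRSA or Pod Identity trust relationships shown further down the page) or which account owns the repositories, so the reader still has to guess where the IAM policy and the KMS key policy go; state both in the same note. Since the release notes in this series already use MkDocs admonitions (`!!! tip ""`), an `!!! warning` block would fit the site's conventions better than an emoji in bold, and patch 4/7 would then not be needed as a separate rewording commit.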
diff --git a/docs/home/release-notes/v1.60-v1.69.md b/docs/home/release-notes/v1.60-v1.69.md index 14e23ab..ef51987 100644 --- a/docs/home/release-notes/v1.60-v1.69.md +++ b/docs/home/release-notes/v1.60-v1.69.md @@ -8,7 +8,8 @@ ### Helm configuration changes - A new service `processors-controller` has been added. This service is responsible for managing the lifecycle of the `transformation` pods. -The `processors-controller` requires RBAC permissions to manage pods, configmaps, and persistent volume claims. +For using `transformations` it's necessary to configure cross-account ECR access, see [Cross-account ECR access](./../clouds/aws.md#cross-account-ecr-access). +- The `processors-controller` requires RBAC permissions to manage pods, configmaps, and persistent volume claims. The necessary manifests are included in the Helm chart and can be disabled by setting `processorsController.rbac.enabled` to `false`. ## Version 1.61 From 84e5b17e767f68159049aebace6f7845ead1458a Mon Sep 17 00:00:00 2001 From: Oleg Kunitsyn Date: Mon, 11 Aug 2025 16:37:40 +0200 Subject: [PATCH 6/7] [ODM-12563] Separate using identity --- docs/home/release-notes/v1.60-v1.69.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/home/release-notes/v1.60-v1.69.md b/docs/home/release-notes/v1.60-v1.69.md index ef51987..55457b7 100644 --- a/docs/home/release-notes/v1.60-v1.69.md +++ b/docs/home/release-notes/v1.60-v1.69.md 
@@ -8,9 +8,9 @@ ### Helm configuration changes - A new service `processors-controller` has been added. This service is responsible for managing the lifecycle of the `transformation` pods. -For using `transformations` it's necessary to configure cross-account ECR access, see [Cross-account ECR access](./../clouds/aws.md#cross-account-ecr-access). -- The `processors-controller` requires RBAC permissions to manage pods, configmaps, and persistent volume claims. -The necessary manifests are included in the Helm chart and can be disabled by setting `processorsController.rbac.enabled` to `false`. + - For using `transformations` it's necessary to configure cross-account ECR access, see [Cross-account ECR access](./../clouds/aws.md#cross-account-ecr-access). + - The `processors-controller` requires RBAC permissions to manage pods, configmaps, and persistent volume claims. + The necessary manifests are included in the Helm chart and can be disabled by setting `processorsController.rbac.enabled` to `false`. ## Version 1.61 From 840f6a732410002a5cb3738ca5104f902ceb88c0 Mon Sep 17 00:00:00 2001 From: Oleg Kunitsyn Date: Mon, 11 Aug 2025 16:39:42 +0200 Subject: [PATCH 7/7] [ODM-12563] Rephrase --- docs/home/release-notes/v1.60-v1.69.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/home/release-notes/v1.60-v1.69.md b/docs/home/release-notes/v1.60-v1.69.md index 55457b7..48cd3a6 100644 --- a/docs/home/release-notes/v1.60-v1.69.md +++ b/docs/home/release-notes/v1.60-v1.69.md 
@@ -7,10 +7,10 @@ ### Helm configuration changes -- A new service `processors-controller` has been added. This service is responsible for managing the lifecycle of the `transformation` pods. - - For using `transformations` it's necessary to configure cross-account ECR access, see [Cross-account ECR access](./../clouds/aws.md#cross-account-ecr-access). - - The `processors-controller` requires RBAC permissions to manage pods, configmaps, and persistent volume claims. - The necessary manifests are included in the Helm chart and can be disabled by setting `processorsController.rbac.enabled` to `false`. +- Added a new service, `processors-controller`, which manages the lifecycle of `transformation` pods. + - To use transformations, configure cross-account ECR access. See [Cross-account ECR access](./../clouds/aws.md#cross-account-ecr-access). + - The `processors-controller` requires RBAC permissions to manage `Pods`, `ConfigMaps`, and `PersistentVolumeClaims`. + The required manifests are included in the Helm chart and can be disabled by setting `processorsController.rbac.enabled` to `false`. ## Version 1.61
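Review bot: the RBAC sub-bullet says the controller needs permissions to manage `Pods`, `ConfigMaps` and `PersistentVolumeClaims` but not whether the chart grants them namespace-wide as a `Role` or cluster-wide as a `ClusterRole`, and not what an operator who sets `processorsController.rbac.enabled` to `false` must supply instead; an auditor needs the scope, and someone who disables the manifests needs to be told that the controller cannot manage transformation pods until equivalent bindings exist. Suggested addition after the last line: "When disabled, create a Role/RoleBinding (or ClusterRole/ClusterRoleBinding) granting the same verbs on these resources to the controller's ServiceAccount." The first sub-bullet, "To use transformations, configure cross-account ECR access", also presupposes that the transformation images live in a different account; if a same-account deployment works without that setup, say so, otherwise the link reads as an unconditional requirement.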