author James E. Blair <jeblair@redhat.com> 2019-01-18 09:43:11 -0800
committer James E. Blair <jeblair@redhat.com> 2019-01-18 09:43:11 -0800
commit 3e3f83643506283032e0ee1007ce8e9644a44f62 (patch)
tree ffcd219d3efbb09a784c47a84042a642c182a94e
parent 1c827e4761216506cd77db21b232402ff27a9332 (diff)
docker: add ability to restrict repository names
This allows us to construct a job which allows users to pass in a secret (via pass-to-parent) which includes not only the user/pass, but also a restriction for what docker image repositories may be accessed using that user/pass. This allows an operator to create one credential, and then use that credential in multiple secrets for multiple projects, each with a distinct restriction on where images may be uploaded.

Change-Id: I7a3cf97a16d34c76df8601990954e1f2b0e498f5
Notes (review):
Code-Review+2: Monty Taylor <mordred@inaugust.com>
Code-Review+2: Andreas Jaeger <jaegerandi@gmail.com>
Workflow+1: Andreas Jaeger <jaegerandi@gmail.com>
Verified+2: Zuul
Submitted-by: Zuul
Submitted-at: Mon, 21 Jan 2019 18:15:29 +0000
Reviewed-on: https://review.openstack.org/631848
Project: openstack-infra/zuul-jobs
Branch: refs/heads/master
-rw-r--r-- roles/build-docker-image/common.rst 11
-rw-r--r-- roles/promote-docker-image/tasks/main.yaml 7
-rw-r--r-- roles/upload-docker-image/tasks/main.yaml 7
3 files changed, 24 insertions, 1 deletions
diff --git a/roles/build-docker-image/common.rst b/roles/build-docker-image/common.rst
index 4275781..45484a9 100644
--- a/roles/build-docker-image/common.rst
+++ b/roles/build-docker-image/common.rst
@@ -54,7 +54,16 @@ using this role.
54 54
55 .. zuul:rolevar:: password 55 .. zuul:rolevar:: password
56 56
57 The Docker Hub password 57 The Docker Hub password.
58
59 .. zuul:rolevar:: repository
60
61 Optional; if supplied this is a regular expression which
62 restricts to what repositories the image may be uploaded. The
63 following example allows projects to upload images to
64 repositories within an organization based on their own names::
65
66 repository: "^myorgname/{{ zuul.project.short_name }}.*"
58 67
59.. zuul:rolevar:: docker_images 68.. zuul:rolevar:: docker_images
60 :type: list 69 :type: list
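Review bot: the new `repository` documentation should say how the pattern is applied, because the tasks added elsewhere in this change evaluate it with `regex_search`, which looks for the expression anywhere in the repository name rather than matching the whole name; a pattern without a leading `^` (for example `myorgname/.*`) would therefore also accept a name such as `other/myorgname/foo`. A sentence like "The expression is searched for within the repository name; anchor it with `^` (and `$` where the whole name must match)" would make the example's `^` look deliberate rather than incidental. Two smaller points on the same lines: the example interpolates `{{ zuul.project.short_name }}` directly into a regular expression, so a project name containing a metacharacter such as `.` widens the match, and `{{ zuul.project.short_name | regex_escape }}` would avoid that; and "restricts to what repositories the image may be uploaded" reads awkwardly, where "restricts the repositories to which the image may be uploaded" would be clearer.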
diff --git a/roles/promote-docker-image/tasks/main.yaml b/roles/promote-docker-image/tasks/main.yaml
index 0eb42de..80ad09a 100644
--- a/roles/promote-docker-image/tasks/main.yaml
+++ b/roles/promote-docker-image/tasks/main.yaml
@@ -1,3 +1,10 @@
1- name: Verify repository names
2 when: |
3 docker_credentials.repository is defined
4 and not item.repository | regex_search(docker_credentials.repository)
5 loop: "{{ docker_images }}"
6 fail:
7 msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
1# This is used by the delete tasks 8# This is used by the delete tasks
2- name: Get dockerhub JWT token 9- name: Get dockerhub JWT token
3 no_log: true 10 no_log: true
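Review bot: the `when` condition in the new `Verify repository names` task rejects a pattern that matches but matches the empty string, because Ansible's `regex_search` returns the matched text (`''` for an empty match) and `not ''` is true in Jinja; a lookahead-only pattern or a bare `^` would fail every image even though the operator intended to allow it. Testing the result explicitly, as in `and item.repository | regex_search(docker_credentials.repository) is none`, distinguishes "no match" from "empty match". Placing the task first in the file, before the JWT token is obtained, is the right order: an image whose repository name is not permitted never gets as far as authenticating.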
diff --git a/roles/upload-docker-image/tasks/main.yaml b/roles/upload-docker-image/tasks/main.yaml
index 65be3c5..d7e8c81 100644
--- a/roles/upload-docker-image/tasks/main.yaml
+++ b/roles/upload-docker-image/tasks/main.yaml
@@ -1,3 +1,10 @@
1- name: Verify repository names
2 when: |
3 docker_credentials.repository is defined
4 and not item.repository | regex_search(docker_credentials.repository)
5 loop: "{{ docker_images }}"
6 fail:
7 msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
1- name: Log in to dockerhub 8- name: Log in to dockerhub
2 command: "docker login -u {{ docker_credentials.username }} -p {{ docker_credentials.password }}" 9 command: "docker login -u {{ docker_credentials.username }} -p {{ docker_credentials.password }}"
3 no_log: true 10 no_log: true
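Review bot: this `Verify repository names` task is a line-for-line copy of the one added to roles/promote-docker-image/tasks/main.yaml in the same change, so any later fix to the matching logic (anchoring, escaping, the empty-match case) has to be made twice; moving the task into a shared tasks file and including it from both roles would keep the upload and promote checks from drifting apart. Running the check ahead of `docker login` is correct, since a rejected repository name then never triggers a login with the credential.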