docker: add ability to restrict repository names

This allows us to construct a job which allows users to pass in a
secret (via pass-to-parent) which includes not only the user/pass,
but also a restriction for what docker image repositories may be
accessed using that user/pass.  This allows an operator to create
one credential, and then use that credential in multiple secrets
for multiple projects, each with a distinct restriction on where
images may be uploaded.

Change-Id: I7a3cf97a16d34c76df8601990954e1f2b0e498f5
This commit is contained in:
James E. Blair 2019-01-18 09:43:11 -08:00
parent 1c827e4761
commit 3e3f836435
3 changed files with 24 additions and 1 deletions

View File

@ -54,7 +54,16 @@ using this role.
.. zuul:rolevar:: password
The Docker Hub password
The Docker Hub password.
.. zuul:rolevar:: repository
Optional; if supplied this is a regular expression which
restricts to what repositories the image may be uploaded. The
following example allows projects to upload images to
repositories within an organization based on their own names::
repository: "^myorgname/{{ zuul.project.short_name }}.*"
.. zuul:rolevar:: docker_images
:type: list

View File

@ -1,3 +1,10 @@
- name: Verify repository names
when: |
docker_credentials.repository is defined
and not item.repository | regex_search(docker_credentials.repository)
loop: "{{ docker_images }}"
fail:
msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
# This is used by the delete tasks
- name: Get dockerhub JWT token
no_log: true

View File

@ -1,3 +1,10 @@
- name: Verify repository names
when: |
docker_credentials.repository is defined
and not item.repository | regex_search(docker_credentials.repository)
loop: "{{ docker_images }}"
fail:
msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
- name: Log in to dockerhub
command: "docker login -u {{ docker_credentials.username }} -p {{ docker_credentials.password }}"
no_log: true