From 3e3f83643506283032e0ee1007ce8e9644a44f62 Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Fri, 18 Jan 2019 09:43:11 -0800 Subject: [PATCH] docker: add ability to restrict repository names This allows us to construct a job which allows users to pass in a secret (via pass-to-parent) which includes not only the user/pass, but also a restriction for what docker image repositories may be accessed using that user/pass. This allows an operator to create one credential, and then use that credential in multiple secrets for multiple projects, each with a distinct restriction on where images may be uploaded. Change-Id: I7a3cf97a16d34c76df8601990954e1f2b0e498f5
---
 roles/build-docker-image/common.rst | 11 ++++++++++-
 roles/promote-docker-image/tasks/main.yaml | 7 +++++++
 roles/upload-docker-image/tasks/main.yaml | 7 +++++++
 3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/roles/build-docker-image/common.rst b/roles/build-docker-image/common.rst
index 42757816f..45484a9aa 100644
--- a/roles/build-docker-image/common.rst
+++ b/roles/build-docker-image/common.rst
@@ -54,7 +54,16 @@ using this role.
 .. zuul:rolevar:: password
- The Docker Hub password
+ The Docker Hub password.
+
+ .. zuul:rolevar:: repository
+
+ Optional; if supplied this is a regular expression which restricts to what repositories the image may be uploaded. The following example allows projects to upload images to repositories within an organization based on their own names::
+
+ repository: "^myorgname/{{ zuul.project.short_name }}.*"
 .. zuul:rolevar:: docker_images
 :type: list
diff --git a/roles/promote-docker-image/tasks/main.yaml b/roles/promote-docker-image/tasks/main.yaml
index 0eb42dece..80ad09a45 100644
--- a/roles/promote-docker-image/tasks/main.yaml
+++ b/roles/promote-docker-image/tasks/main.yaml
@@ -1,3 +1,10 @@
+- name: Verify repository names
+ when: |
+ docker_credentials.repository is defined
+ and not item.repository | regex_search(docker_credentials.repository)
+ loop: "{{ docker_images }}"
+ fail:
+ msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
 # This is used by the delete tasks
 - name: Get dockerhub JWT token
 no_log: true
diff --git a/roles/upload-docker-image/tasks/main.yaml b/roles/upload-docker-image/tasks/main.yaml
index 65be3c59f..d7e8c81ee 100644
--- a/roles/upload-docker-image/tasks/main.yaml
+++ b/roles/upload-docker-image/tasks/main.yaml
@@ -1,3 +1,10 @@
+- name: Verify repository names
+ when: |
+ docker_credentials.repository is defined
+ and not item.repository | regex_search(docker_credentials.repository)
+ loop: "{{ docker_images }}"
+ fail:
+ msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
 - name: Log in to dockerhub
 command: "docker login -u {{ docker_credentials.username }} -p {{ docker_credentials.password }}"
 no_log: true
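Review bot: The `when` condition in the added "Verify repository names" task applies `regex_search`, which matches anywhere in the string, so the restriction only constrains the repository name if the operator anchors the pattern at both ends; the documented example `^myorgname/{{ zuul.project.short_name }}.*` is anchored only at the start, so a project named `foo` would also be permitted to push to `myorgname/foobar`. Consider having the task enforce a full match itself, e.g. `and not item.repository | regex_search('^(?:' ~ docker_credentials.repository ~ ')$')`, or at least add a comment above the task stating that the secret's `repository` value is applied as a regular expression and must be anchored with `^…$` to be a restriction. The project short name interpolated into the example is also treated as regex text rather than a literal, so a name containing metacharacters widens the match; passing it through `regex_escape` in the documented example would avoid that. The same task is duplicated verbatim in the upload-docker-image hunk; sharing one task file between the two roles would keep the checks from drifting apart.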