docker: add ability to restrict repository names

This allows us to construct a job which allows users to pass in a
secret (via pass-to-parent) which includes not only the user/pass,
but also a restriction for what docker image repositories may be
accessed using that user/pass.  This allows an operator to create
one credential, and then use that credential in multiple secrets
for multiple projects, each with a distinct restriction on where
images may be uploaded.

Change-Id: I7a3cf97a16d34c76df8601990954e1f2b0e498f5

roles/build-docker-image/common.rst

@@ -54,7 +54,16 @@ using this role.
 
    .. zuul:rolevar:: password
 
-      The Docker Hub password
+      The Docker Hub password.
+
+   .. zuul:rolevar:: repository
+
+      Optional; if supplied this is a regular expression which
+      restricts to what repositories the image may be uploaded.  The
+      following example allows projects to upload images to
+      repositories within an organization based on their own names::
+
+        repository: "^myorgname/{{ zuul.project.short_name }}.*"
 
 .. zuul:rolevar:: docker_images
    :type: list

roles/promote-docker-image/tasks/main.yaml

@@ -1,3 +1,10 @@
+- name: Verify repository names
+  when: |
+    docker_credentials.repository is defined
+    and not item.repository | regex_search(docker_credentials.repository)
+  loop: "{{ docker_images }}"
+  fail:
+    msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
 # This is used by the delete tasks
 - name: Get dockerhub JWT token
   no_log: true

roles/upload-docker-image/tasks/main.yaml

@@ -1,3 +1,10 @@
+- name: Verify repository names
+  when: |
+    docker_credentials.repository is defined
+    and not item.repository | regex_search(docker_credentials.repository)
+  loop: "{{ docker_images }}"
+  fail:
+    msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
 - name: Log in to dockerhub
   command: "docker login -u {{ docker_credentials.username }} -p {{ docker_credentials.password }}"
   no_log: true