diff --git a/roles/build-docker-image/common.rst b/roles/build-docker-image/common.rst
index 42757816f..45484a9aa 100644
--- a/roles/build-docker-image/common.rst
+++ b/roles/build-docker-image/common.rst
@@ -54,7 +54,16 @@ using this role.
 .. zuul:rolevar:: password - The Docker Hub password + The Docker Hub password. + + .. zuul:rolevar:: repository + + Optional; if supplied this is a regular expression which restricts to what repositories the image may be uploaded. The following example allows projects to upload images to repositories within an organization based on their own names:: + repository: "^myorgname/{{ zuul.project.short_name }}.*" .. zuul:rolevar:: docker_images :type: list
diff --git a/roles/promote-docker-image/tasks/main.yaml b/roles/promote-docker-image/tasks/main.yaml
index 0eb42dece..80ad09a45 100644
--- a/roles/promote-docker-image/tasks/main.yaml
+++ b/roles/promote-docker-image/tasks/main.yaml
@@ -1,3 +1,10 @@
+- name: Verify repository names
+ when: |
+ docker_credentials.repository is defined
+ and not item.repository | regex_search(docker_credentials.repository)
+ loop: "{{ docker_images }}"
+ fail:
+ msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
 # This is used by the delete tasks
 - name: Get dockerhub JWT token
 no_log: true
diff --git a/roles/upload-docker-image/tasks/main.yaml b/roles/upload-docker-image/tasks/main.yaml
index 65be3c59f..d7e8c81ee 100644
--- a/roles/upload-docker-image/tasks/main.yaml
+++ b/roles/upload-docker-image/tasks/main.yaml
@@ -1,3 +1,10 @@
+- name: Verify repository names
+ when: |
+ docker_credentials.repository is defined
+ and not item.repository | regex_search(docker_credentials.repository)
+ loop: "{{ docker_images }}"
+ fail:
+ msg: "{{ item.repository }} not permitted by {{ docker_credentials.repository }}"
 - name: Log in to dockerhub
 command: "docker login -u {{ docker_credentials.username }} -p {{ docker_credentials.password }}"
 no_log: true
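Review bot: The `Verify repository names` task added to promote-docker-image is a verbatim copy of the one added to upload-docker-image in the next hunk, and an authorization check that lives in two places will drift; any later tightening of the match (anchoring the pattern, escaping the project name) has to be remembered twice. Consider moving the task into one tasks file that both roles pull in with `- import_tasks: ...` (or a small shared role both roles `import_role`), so the policy is defined once. The comment on the next context line, `# This is used by the delete tasks`, suggests the promote role later deletes tags for `item.repository`, so the check guarding that path matters as much as the upload one. The promote task list continues past the end of this hunk.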
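Review bot: The `when` condition in the new `Verify repository names` task relies on `regex_search`, which is an unanchored substring search, so any repository name that merely contains a match somewhere is accepted and the whole restriction depends on the operator remembering to write `^` and `$` into the secret; the role should enforce a full match itself, e.g. `and not item.repository | regex_search('^(?:' ~ docker_credentials.repository ~ ')$')`, which is a no-op for already-anchored patterns. The example pattern documented in the first hunk, `^myorgname/{{ zuul.project.short_name }}.*`, would still let project `foo` push to `myorgname/foobar` and interpolates the project name unescaped, so the docs should show `{{ zuul.project.short_name | regex_escape }}` followed by an explicit terminator such as `(-[^/]*)?$` instead of `.*`. Adding a short comment above the task, `# Policy gate: a project may only push to repositories matched by the credential's regex; must run before docker login`, would make the ordering constraint with the next task explicit.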