One of the promise of the CNAB storage to a registry is that if a CNAB manifest is deeply copied (or mounted) into another repo (on the same or an other registry), it will:
just work
override all component images with images coming from the new repo at install time
This is to ensure that if a user has Pull access to a repo where a CNAB lives, he also has sufficient rights to install it by design. (other bonus effects are: security scanning can work at the application level trough manifest crawling, image promotion works at the application level as well).
Test steps:
Build a sample Docker-app
Push it to a registry
Deep-copy the app manifest to another registry
Install the app from this new registry
Check that all services are referencing digested references coming from the same repo as the app itself.
Description
One of the promise of the CNAB storage to a registry is that if a CNAB manifest is deeply copied (or mounted) into another repo (on the same or an other registry), it will:
This is to ensure that if a user has Pull access to a repo where a CNAB lives, he also has sufficient rights to install it by design. (other bonus effects are: security scanning can work at the application level trough manifest crawling, image promotion works at the application level as well).
Test steps: