Lock an empire app with a specific Docker repo
Right now, it's really easy for a dev to deploy an image from a different repository to an existing app. This can obviously cause a lot of damage :boom:
Is there any plan to add this protection?
We have no immediate plans to add this ourselves, but I agree this would be a great addition as deploying a different Docker image would almost never be desirable (there's a couple of cases where it would be, like moving to a different Docker registry, but I think that could be handled with an extra flag to emp deploy).
I worked around this by creating a manifest file that has 2 columns, app name and image version, and another static file that defines app name and repository/base image name.
Then I have a 1-2 liner bash script that joins these up and spits out the commands to deploy into Empire.
To deploy new version(s) we just edit the manifest/versions file with the new set of versions then run the deploy script to deploy them all.
I also wrote one to deploy just 1 app using the same input files.
On a related note, it would be nice if Empire integrated with content trust in Docker, so that you could only deploy images that you explicitly trust.
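The manifest-join workaround described in this thread, sketched as an added example (not code posted by anyone in the thread, and not part of Empire). The two file layouts, the file names, the sample app and repository names, and the use of `-a <app>` on `emp deploy` are assumptions; the function refuses to emit anything if an app has no pinned repository or a version field tries to carry its own repository.

```shell
#!/bin/sh
# Added example: emit deploy commands only for apps whose repository is pinned.
# File layouts and the "-a <app>" flag on "emp deploy" are assumptions.

# gen_deploys REPOS_FILE VERSIONS_FILE
#   REPOS_FILE:    "<app> <repository>"  (static lock file, changed only via review)
#   VERSIONS_FILE: "<app> <version>"     (edited for each release)
# Prints one "emp deploy" command per app. Returns non-zero and prints
# nothing on stdout if any line would break the app-to-repository lock.
gen_deploys() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        FILENAME == ARGV[1] {                    # first file: the repository lock
            if (NF != 2 || ($1 in repo)) {       # malformed or duplicate entry
                printf "bad lock line: %s\n", $0 > "/dev/stderr"; bad = 1
            }
            repo[$1] = $2; next
        }
        NF != 2 || !($1 in repo) {               # app has no pinned repository
            printf "refusing, no pinned repo: %s\n", $0 > "/dev/stderr"; bad = 1; next
        }
        $2 !~ /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/ {  # tag only: no "/", ":" or flags
            printf "refusing, bad version: %s\n", $0 > "/dev/stderr"; bad = 1; next
        }
        { cmds[++n] = "emp deploy -a " $1 " " repo[$1] ":" $2 }
        END {
            if (bad) exit 1                      # all or nothing
            for (i = 1; i <= n; i++) print cmds[i]
        }
    ' "$1" "$2"
}

# Constructed sample input (app and repository names are made up).
tmp=$(mktemp -d)
printf '%s\n' 'api example-org/api' 'web example-org/web' > "$tmp/repos"
printf '%s\n' 'api v1.4.2' 'web 2f9c1ab' > "$tmp/versions"
gen_deploys "$tmp/repos" "$tmp/versions"   # review the output, then pipe it to sh
```

The lock only holds if the repository file is harder to change than the versions file, for example by requiring review on it in version control.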