diff --git a/.gitattributes b/.gitattributes
index db3a568628..ef3e885a1a 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,5 +1,8 @@
-# Set this repository to use unix style line endings
 * text eol=lf
-*.png -text
-*.gif -text
-*.jpg -text
+
+*.png binary
+*.jpg binary
+*.gif binary
+*.zst binary
+*.tar binary
+*.part00* binary
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8d08047ec3..e2194a24f9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -179,7 +179,7 @@ jobs: - name: Get Brew tap repo token id: brew-tap-token - uses: actions/create-github-app-token@3378cda945da322a8db4b193e19d46352ebe2de5 # v1.10.4 + uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 with: app-id: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_ID }} private-key: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_SECRET }}
diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml
index d1815026c9..a5190e7fc7 100644
--- a/.github/workflows/scan-codeql.yml
+++ b/.github/workflows/scan-codeql.yml
@@ -16,16 +16,6 @@ on: - "adr/**" - "docs/**" - "CODEOWNERS" - merge_group: - paths-ignore: - - "**.md" - - "**.jpg" - - "**.png" - - "**.gif" - - "**.svg" - - "adr/**" - - "docs/**" - - "CODEOWNERS" schedule: - cron: "32 2 * * 5"
@@ -53,7 +43,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 with: languages: ${{ matrix.language }} config-file: ./.github/codeql.yaml
@@ -62,6 +52,6 @@ jobs: run: make build-cli-linux-amd - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 with: category: "/language:${{matrix.language}}"
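Review bot: In `.gitattributes`, the new `*.part00* binary` pattern only matches names containing `.part00`, so a split-archive chunk numbered 010 or higher would fall back to `* text eol=lf` and be line-ending-normalized on commit, which silently changes its bytes and breaks any checksum computed over it. Because the catch-all sets `text` rather than `text=auto`, every binary type not listed here gets the same treatment. Whether chunks beyond the first ten can appear in the repository is not visible from this hunk; if they can, a wider pattern such as `*.part[0-9][0-9][0-9] binary` covers them. The hunk also drops the only comment explaining the line-ending policy; a one-line replacement like `# LF for all text files; the binary types below are exempt from normalization` would keep the intent visible.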
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index b085ba42cd..7bc855f0b6 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -44,6 +44,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 with: sarif_file: results.sarif
diff --git a/site/src/content/docs/commands/zarf.md b/site/src/content/docs/commands/zarf.md
index a72d554da9..0ed3312946 100644
--- a/site/src/content/docs/commands/zarf.md
+++ b/site/src/content/docs/commands/zarf.md
@@ -22,15 +22,16 @@ zarf COMMAND [flags] ### Options ``` - -a, --architecture string Architecture for OCI images and Zarf packages - -h, --help help for zarf - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + -h, --help help for zarf + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_completion.md b/site/src/content/docs/commands/zarf_completion.md index 151c7d9198..99a58b833a 100644 --- a/site/src/content/docs/commands/zarf_completion.md 
+++ b/site/src/content/docs/commands/zarf_completion.md @@ -25,14 +25,15 @@ See each sub-command's help for details on how to use the generated script. ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_completion_bash.md b/site/src/content/docs/commands/zarf_completion_bash.md
index dce8642c87..349bbf7e0a 100644
--- a/site/src/content/docs/commands/zarf_completion_bash.md
+++ b/site/src/content/docs/commands/zarf_completion_bash.md
@@ -48,14 +48,15 @@ zarf completion bash ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_completion_fish.md b/site/src/content/docs/commands/zarf_completion_fish.md index f8cb9f27ed..de3f70b160 100644 --- a/site/src/content/docs/commands/zarf_completion_fish.md 
+++ b/site/src/content/docs/commands/zarf_completion_fish.md @@ -39,14 +39,15 @@ zarf completion fish [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_completion_powershell.md b/site/src/content/docs/commands/zarf_completion_powershell.md index 26ed47298c..53add1dc9a 100644 
--- a/site/src/content/docs/commands/zarf_completion_powershell.md +++ b/site/src/content/docs/commands/zarf_completion_powershell.md @@ -36,14 +36,15 @@ zarf completion powershell [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_completion_zsh.md b/site/src/content/docs/commands/zarf_completion_zsh.md
index 9b6af13363..94bdf43f4d 100644
--- a/site/src/content/docs/commands/zarf_completion_zsh.md
+++ b/site/src/content/docs/commands/zarf_completion_zsh.md
@@ -50,14 +50,15 @@ zarf completion zsh [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_connect.md b/site/src/content/docs/commands/zarf_connect.md index f0eb9b84ce..1b504873ab 100644 --- a/site/src/content/docs/commands/zarf_connect.md +++ b/site/src/content/docs/commands/zarf_connect.md 
@@ -39,14 +39,15 @@ zarf connect { REGISTRY | GIT | connect-name } [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_connect_list.md b/site/src/content/docs/commands/zarf_connect_list.md index 5767cf2176..8829b812e0 100644 --- a/site/src/content/docs/commands/zarf_connect_list.md 
+++ b/site/src/content/docs/commands/zarf_connect_list.md @@ -23,14 +23,15 @@ zarf connect list [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_destroy.md b/site/src/content/docs/commands/zarf_destroy.md index 1e61fb0d70..64608f4e58 100644 --- a/site/src/content/docs/commands/zarf_destroy.md 
+++ b/site/src/content/docs/commands/zarf_destroy.md @@ -35,14 +35,15 @@ zarf destroy --confirm [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev.md b/site/src/content/docs/commands/zarf_dev.md index a12090183d..0dd4d1e4f1 100644 --- a/site/src/content/docs/commands/zarf_dev.md 
+++ b/site/src/content/docs/commands/zarf_dev.md @@ -19,14 +19,15 @@ Commands useful for developing packages ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev_deploy.md b/site/src/content/docs/commands/zarf_dev_deploy.md index 41ee7f0b85..7b7131af51 100644 
--- a/site/src/content/docs/commands/zarf_dev_deploy.md +++ b/site/src/content/docs/commands/zarf_dev_deploy.md @@ -37,14 +37,15 @@ zarf dev deploy [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_dev_find-images.md b/site/src/content/docs/commands/zarf_dev_find-images.md
index d1dcf31ea0..a5f94578ee 100644
--- a/site/src/content/docs/commands/zarf_dev_find-images.md
+++ b/site/src/content/docs/commands/zarf_dev_find-images.md
@@ -37,14 +37,15 @@ zarf dev find-images [ PACKAGE ] [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev_generate-config.md b/site/src/content/docs/commands/zarf_dev_generate-config.md index 9610b0e593..cb5040f133 100644 --- a/site/src/content/docs/commands/zarf_dev_generate-config.md 
+++ b/site/src/content/docs/commands/zarf_dev_generate-config.md @@ -32,14 +32,15 @@ zarf dev generate-config [ FILENAME ] [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev_generate.md b/site/src/content/docs/commands/zarf_dev_generate.md index eb22d24a91..306677a7da 100644 
--- a/site/src/content/docs/commands/zarf_dev_generate.md +++ b/site/src/content/docs/commands/zarf_dev_generate.md @@ -34,14 +34,15 @@ zarf dev generate podinfo --url https://github.com/stefanprodan/podinfo.git --ve ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_dev_lint.md b/site/src/content/docs/commands/zarf_dev_lint.md
index 91d446cbc3..57827ee0ed 100644
--- a/site/src/content/docs/commands/zarf_dev_lint.md
+++ b/site/src/content/docs/commands/zarf_dev_lint.md
@@ -29,14 +29,15 @@ zarf dev lint [ DIRECTORY ] [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev_patch-git.md b/site/src/content/docs/commands/zarf_dev_patch-git.md index bbb3933f39..4a3b2553d0 100644 --- a/site/src/content/docs/commands/zarf_dev_patch-git.md 
+++ b/site/src/content/docs/commands/zarf_dev_patch-git.md @@ -25,14 +25,15 @@ zarf dev patch-git HOST FILE [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_dev_sha256sum.md b/site/src/content/docs/commands/zarf_dev_sha256sum.md index 6c910106b4..91419a9665 100644 
--- a/site/src/content/docs/commands/zarf_dev_sha256sum.md +++ b/site/src/content/docs/commands/zarf_dev_sha256sum.md @@ -24,14 +24,15 @@ zarf dev sha256sum { FILE | URL } [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_init.md b/site/src/content/docs/commands/zarf_init.md index 5702caa72b..21758f634c 100644 --- a/site/src/content/docs/commands/zarf_init.md +++ b/site/src/content/docs/commands/zarf_init.md @@ -76,6 +76,7 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA --registry-url string External registry url address to use for this Zarf cluster --retries int Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs (default 3) --set stringToString Specify deployment variables to set on the command line (KEY=value) (default []) + --skip-signature-validation Skip validating the signature of the Zarf package --skip-webhooks [alpha] Skip waiting for external webhooks to execute as each package component is deployed --storage-class string Specify the storage class to use for the registry and git server. E.g. --storage-class=standard --timeout duration Timeout for health checks and Helm operations such as installs and rollbacks (default 15m0s) 
@@ -84,14 +85,15 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package.md b/site/src/content/docs/commands/zarf_package.md index 0727c57793..a8d1244e58 100644 --- a/site/src/content/docs/commands/zarf_package.md 
+++ b/site/src/content/docs/commands/zarf_package.md @@ -21,14 +21,15 @@ Zarf package commands for creating, deploying, and inspecting packages ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_create.md b/site/src/content/docs/commands/zarf_package_create.md index 0a8057bf38..b3ef73bb78 100644 
--- a/site/src/content/docs/commands/zarf_package_create.md
+++ b/site/src/content/docs/commands/zarf_package_create.md
@@ -42,15 +42,16 @@ zarf package create [ DIRECTORY ] [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_deploy.md b/site/src/content/docs/commands/zarf_package_deploy.md index d89b0f1bbc..2dda0e6fad 100644 --- a/site/src/content/docs/commands/zarf_package_deploy.md +++ b/site/src/content/docs/commands/zarf_package_deploy.md 
@@ -22,30 +22,32 @@ zarf package deploy [ PACKAGE_SOURCE ] [flags] ### Options ``` - --adopt-existing-resources Adopts any pre-existing K8s resources into the Helm charts managed by Zarf. ONLY use when you have existing deployments you want Zarf to takeover. - --components string Comma-separated list of components to deploy. Adding this flag will skip the prompts for selected components. Globbing component names with '*' and deselecting 'default' components with a leading '-' are also supported. - --confirm Confirms package deployment without prompting. ONLY use with packages you trust. Skips prompts to review SBOM, configure variables, select optional components and review potential breaking changes. - -h, --help help for deploy - --retries int Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs (default 3) - --set stringToString Specify deployment variables to set on the command line (KEY=value) (default []) - --shasum string Shasum of the package to deploy. Required if deploying a remote package and "--insecure" is not provided - --skip-webhooks [alpha] Skip waiting for external webhooks to execute as each package component is deployed - --timeout duration Timeout for health checks and Helm operations such as installs and rollbacks (default 15m0s) + --adopt-existing-resources Adopts any pre-existing K8s resources into the Helm charts managed by Zarf. ONLY use when you have existing deployments you want Zarf to takeover. + --components string Comma-separated list of components to deploy. Adding this flag will skip the prompts for selected components. Globbing component names with '*' and deselecting 'default' components with a leading '-' are also supported. + --confirm Confirms package deployment without prompting. ONLY use with packages you trust. Skips prompts to review SBOM, configure variables, select optional components and review potential breaking changes. 
+ -h, --help help for deploy + --retries int Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs (default 3) + --set stringToString Specify deployment variables to set on the command line (KEY=value) (default []) + --shasum string Shasum of the package to deploy. Required if deploying a remote https package. + --skip-signature-validation Skip validating the signature of the Zarf package + --skip-webhooks [alpha] Skip waiting for external webhooks to execute as each package component is deployed + --timeout duration Timeout for health checks and Helm operations such as installs and rollbacks (default 15m0s) ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_inspect.md b/site/src/content/docs/commands/zarf_package_inspect.md index 7a27daff9f..8881bbe248 100644 --- a/site/src/content/docs/commands/zarf_package_inspect.md +++ b/site/src/content/docs/commands/zarf_package_inspect.md 
@@ -21,25 +21,27 @@ zarf package inspect [ PACKAGE_SOURCE ] [flags] ### Options ``` - -h, --help help for inspect - --list-images List images in the package (prints to stdout) - -s, --sbom View SBOM contents while inspecting the package - --sbom-out string Specify an output directory for the SBOMs from the inspected Zarf package + -h, --help help for inspect + --list-images List images in the package (prints to stdout) + -s, --sbom View SBOM contents while inspecting the package + --sbom-out string Specify an output directory for the SBOMs from the inspected Zarf package + --skip-signature-validation Skip validating the signature of the Zarf package ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_list.md b/site/src/content/docs/commands/zarf_package_list.md index b8f215ade3..4fddd0dd13 100644 --- a/site/src/content/docs/commands/zarf_package_list.md +++ b/site/src/content/docs/commands/zarf_package_list.md 
@@ -23,16 +23,17 @@ zarf package list [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_mirror-resources.md b/site/src/content/docs/commands/zarf_package_mirror-resources.md index 1b6abb8fd9..20a60964ab 100644 --- a/site/src/content/docs/commands/zarf_package_mirror-resources.md +++ b/site/src/content/docs/commands/zarf_package_mirror-resources.md @@ -25,7 +25,7 @@ zarf package mirror-resources [ PACKAGE_SOURCE ] [flags] # Mirror resources to internal Zarf resources $ zarf package mirror-resources \ - --registry-url 127.0.0.1:31999 \ + --registry-url http://zarf-docker-registry.zarf.svc.cluster.local:5000 \ --registry-push-username zarf-push \ --registry-push-password \ --git-url http://zarf-gitea-http.zarf.svc.cluster.local:3000 \ 
@@ -57,21 +57,24 @@ $ zarf package mirror-resources \ --registry-push-username string Username to access to the registry Zarf is configured to use (default "zarf-push") --registry-url string External registry url address to use for this Zarf cluster --retries int Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs (default 3) + --shasum string Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum ' + --skip-signature-validation Skip validating the signature of the Zarf package ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. 
Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_publish.md b/site/src/content/docs/commands/zarf_package_publish.md index 1507c83e0a..310e4481c5 100644 --- a/site/src/content/docs/commands/zarf_package_publish.md +++ b/site/src/content/docs/commands/zarf_package_publish.md 
@@ -29,24 +29,26 @@ $ zarf package publish ./path/to/dir oci://my-registry.com/my-namespace ### Options ``` - -h, --help help for publish - --signing-key string Path to a private key file for signing or re-signing packages with a new key - --signing-key-pass string Password to the private key file used for publishing packages + -h, --help help for publish + --signing-key string Path to a private key file for signing or re-signing packages with a new key + --signing-key-pass string Password to the private key file used for publishing packages + --skip-signature-validation Skip validating the signature of the Zarf package ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. 
+ -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_pull.md b/site/src/content/docs/commands/zarf_package_pull.md index 2bb98e5742..81bee3464c 100644 --- a/site/src/content/docs/commands/zarf_package_pull.md +++ b/site/src/content/docs/commands/zarf_package_pull.md 
@@ -33,21 +33,23 @@ $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a sk ``` -h, --help help for pull -o, --output-directory string Specify the output directory for the pulled Zarf package + --shasum string Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum ' ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. 
Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_package_remove.md b/site/src/content/docs/commands/zarf_package_remove.md index 34cd131c32..edebd01408 100644 --- a/site/src/content/docs/commands/zarf_package_remove.md +++ b/site/src/content/docs/commands/zarf_package_remove.md 
@@ -17,24 +17,26 @@ zarf package remove { PACKAGE_SOURCE | PACKAGE_NAME } --confirm [flags] ### Options ``` - --components string Comma-separated list of components to remove. This list will be respected regardless of a component's 'required' or 'default' status. Globbing component names with '*' and deselecting components with a leading '-' are also supported. - --confirm REQUIRED. Confirm the removal action to prevent accidental deletions - -h, --help help for remove + --components string Comma-separated list of components to remove. This list will be respected regardless of a component's 'required' or 'default' status. Globbing component names with '*' and deselecting components with a leading '-' are also supported. + --confirm REQUIRED. Confirm the removal action to prevent accidental deletions + -h, --help help for remove + --skip-signature-validation Skip validating the signature of the Zarf package ``` ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -k, --key string Path to public key file for validating signed packages - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. 
(default 3) - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -k, --key string Path to public key file for validating signed packages + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --oci-concurrency int Number of concurrent layer operations to perform when interacting with a remote package. (default 3) + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools.md b/site/src/content/docs/commands/zarf_tools.md index ea4d9548da..51e9e472d1 100644 --- a/site/src/content/docs/commands/zarf_tools.md +++ b/site/src/content/docs/commands/zarf_tools.md 
@@ -19,14 +19,15 @@ Collection of additional tools to make airgap easier ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_archiver.md b/site/src/content/docs/commands/zarf_tools_archiver.md index 8f35492acb..edd7615755 100644 --- a/site/src/content/docs/commands/zarf_tools_archiver.md 
+++ b/site/src/content/docs/commands/zarf_tools_archiver.md @@ -19,14 +19,15 @@ Compresses/Decompresses generic archives, including Zarf packages ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_tools_archiver_compress.md b/site/src/content/docs/commands/zarf_tools_archiver_compress.md
index bf79a91511..de2cc0518a 100644
--- a/site/src/content/docs/commands/zarf_tools_archiver_compress.md
+++ b/site/src/content/docs/commands/zarf_tools_archiver_compress.md
@@ -23,14 +23,15 @@ zarf tools archiver compress SOURCES ARCHIVE [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_archiver_decompress.md b/site/src/content/docs/commands/zarf_tools_archiver_decompress.md index 8c2cb441fa..ead2ce66ac 100644 
--- a/site/src/content/docs/commands/zarf_tools_archiver_decompress.md +++ b/site/src/content/docs/commands/zarf_tools_archiver_decompress.md @@ -24,14 +24,15 @@ zarf tools archiver decompress ARCHIVE DESTINATION [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_tools_archiver_version.md b/site/src/content/docs/commands/zarf_tools_archiver_version.md
index 0dd240f9eb..169ece563b 100644
--- a/site/src/content/docs/commands/zarf_tools_archiver_version.md
+++ b/site/src/content/docs/commands/zarf_tools_archiver_version.md
@@ -23,14 +23,15 @@ zarf tools archiver version [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_clear-cache.md b/site/src/content/docs/commands/zarf_tools_clear-cache.md index e0031b87d5..c2e7f8d94e 100644 --- a/site/src/content/docs/commands/zarf_tools_clear-cache.md 
+++ b/site/src/content/docs/commands/zarf_tools_clear-cache.md @@ -24,13 +24,14 @@ zarf tools clear-cache [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_download-init.md b/site/src/content/docs/commands/zarf_tools_download-init.md index adfc4ab508..723c4d3d83 100644 --- a/site/src/content/docs/commands/zarf_tools_download-init.md +++ b/site/src/content/docs/commands/zarf_tools_download-init.md 
@@ -24,14 +24,15 @@ zarf tools download-init [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_gen-key.md b/site/src/content/docs/commands/zarf_tools_gen-key.md index 9a15bab77a..421f4029ad 100644 --- a/site/src/content/docs/commands/zarf_tools_gen-key.md 
+++ b/site/src/content/docs/commands/zarf_tools_gen-key.md @@ -23,14 +23,15 @@ zarf tools gen-key [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_gen-pki.md b/site/src/content/docs/commands/zarf_tools_gen-pki.md index 8500adc10b..641fe08402 100644 
--- a/site/src/content/docs/commands/zarf_tools_gen-pki.md +++ b/site/src/content/docs/commands/zarf_tools_gen-pki.md @@ -24,14 +24,15 @@ zarf tools gen-pki HOST [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_tools_get-creds.md b/site/src/content/docs/commands/zarf_tools_get-creds.md
index 4d56b4e2b8..8d8511ffb3 100644
--- a/site/src/content/docs/commands/zarf_tools_get-creds.md
+++ b/site/src/content/docs/commands/zarf_tools_get-creds.md
@@ -43,14 +43,15 @@ $ zarf tools get-creds artifact ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_helm.md b/site/src/content/docs/commands/zarf_tools_helm.md index 44932c83f3..3b836a8cd0 100644 --- a/site/src/content/docs/commands/zarf_tools_helm.md 
+++ b/site/src/content/docs/commands/zarf_tools_helm.md @@ -36,6 +36,13 @@ Subset of the Helm CLI that includes the repo and dependency commands for managi --repository-config string path to the file containing repository names and URLs ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_helm_dependency.md b/site/src/content/docs/commands/zarf_tools_helm_dependency.md index 034b077242..fdbb387c52 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_dependency.md +++ b/site/src/content/docs/commands/zarf_tools_helm_dependency.md @@ -71,6 +71,7 @@ for this case. ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation 
@@ -81,6 +82,7 @@ for this case. --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_dependency_build.md b/site/src/content/docs/commands/zarf_tools_helm_dependency_build.md index 4721f010ba..ff1b47e6fd 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_dependency_build.md +++ b/site/src/content/docs/commands/zarf_tools_helm_dependency_build.md @@ -41,6 +41,7 @@ zarf tools helm dependency build CHART [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation 
@@ -51,6 +52,7 @@ zarf tools helm dependency build CHART [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_dependency_list.md b/site/src/content/docs/commands/zarf_tools_helm_dependency_list.md index afea96a40e..04b786e8d6 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_dependency_list.md +++ b/site/src/content/docs/commands/zarf_tools_helm_dependency_list.md @@ -37,6 +37,7 @@ zarf tools helm dependency list CHART [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation 
@@ -47,6 +48,7 @@ zarf tools helm dependency list CHART [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_dependency_update.md b/site/src/content/docs/commands/zarf_tools_helm_dependency_update.md index 845bba70e2..15486dfabb 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_dependency_update.md +++ b/site/src/content/docs/commands/zarf_tools_helm_dependency_update.md @@ -45,6 +45,7 @@ zarf tools helm dependency update CHART [flags] ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation 
@@ -55,6 +56,7 @@ zarf tools helm dependency update CHART [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo.md b/site/src/content/docs/commands/zarf_tools_helm_repo.md index cc51f6c4db..bb890b0631 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_repo.md +++ b/site/src/content/docs/commands/zarf_tools_helm_repo.md @@ -29,6 +29,7 @@ It can be used to add, remove, list, and index chart repositories. ``` --burst-limit int client-side default throttling limit (default 100) --debug enable verbose output + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation 
@@ -39,6 +40,7 @@ It can be used to add, remove, list, and index chart repositories. --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo_add.md b/site/src/content/docs/commands/zarf_tools_helm_repo_add.md index c6226e3137..427fa498f4 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_repo_add.md +++ b/site/src/content/docs/commands/zarf_tools_helm_repo_add.md @@ -46,6 +46,7 @@ zarf tools helm repo add [NAME] [URL] [flags] --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting --registry-config string path to the registry config file --repository-cache string path to the file containing cached repository indexes diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo_index.md b/site/src/content/docs/commands/zarf_tools_helm_repo_index.md index 62db97073b..2568672be9 100644 --- a/site/src/content/docs/commands/zarf_tools_helm_repo_index.md +++ b/site/src/content/docs/commands/zarf_tools_helm_repo_index.md 
@@ -40,6 +40,7 @@ zarf tools helm repo index [DIR] [flags]
 ```
 --burst-limit int client-side default throttling limit (default 100)
 --debug enable verbose output
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --kube-apiserver string the address and the port for the Kubernetes API server
 --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups.
 --kube-as-user string username to impersonate for the operation
@@ -50,6 +51,7 @@ zarf tools helm repo index [DIR] [flags]
 --kube-token string bearer token used for authentication
 --kubeconfig string path to the kubeconfig file
 -n, --namespace string namespace scope for this request
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting
 --registry-config string path to the registry config file
 --repository-cache string path to the file containing cached repository indexes
diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo_list.md b/site/src/content/docs/commands/zarf_tools_helm_repo_list.md
index 4e548393ca..987cd7fe3c 100644
--- a/site/src/content/docs/commands/zarf_tools_helm_repo_list.md
+++ b/site/src/content/docs/commands/zarf_tools_helm_repo_list.md
@@ -26,6 +26,7 @@ zarf tools helm repo list [flags]
 ```
 --burst-limit int client-side default throttling limit (default 100)
 --debug enable verbose output
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --kube-apiserver string the address and the port for the Kubernetes API server
 --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups.
 --kube-as-user string username to impersonate for the operation
@@ -36,6 +37,7 @@ zarf tools helm repo list [flags]
 --kube-token string bearer token used for authentication
 --kubeconfig string path to the kubeconfig file
 -n, --namespace string namespace scope for this request
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting
 --registry-config string path to the registry config file
 --repository-cache string path to the file containing cached repository indexes
diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo_remove.md b/site/src/content/docs/commands/zarf_tools_helm_repo_remove.md
index ca042bdb1c..af693c1ad9 100644
--- a/site/src/content/docs/commands/zarf_tools_helm_repo_remove.md
+++ b/site/src/content/docs/commands/zarf_tools_helm_repo_remove.md
@@ -25,6 +25,7 @@ zarf tools helm repo remove [REPO1 [REPO2 ...]] [flags]
 ```
 --burst-limit int client-side default throttling limit (default 100)
 --debug enable verbose output
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --kube-apiserver string the address and the port for the Kubernetes API server
 --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups.
 --kube-as-user string username to impersonate for the operation
@@ -35,6 +36,7 @@ zarf tools helm repo remove [REPO1 [REPO2 ...]] [flags]
 --kube-token string bearer token used for authentication
 --kubeconfig string path to the kubeconfig file
 -n, --namespace string namespace scope for this request
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting
 --registry-config string path to the registry config file
 --repository-cache string path to the file containing cached repository indexes
diff --git a/site/src/content/docs/commands/zarf_tools_helm_repo_update.md b/site/src/content/docs/commands/zarf_tools_helm_repo_update.md
index 87b19a94da..687c1c01e2 100644
--- a/site/src/content/docs/commands/zarf_tools_helm_repo_update.md
+++ b/site/src/content/docs/commands/zarf_tools_helm_repo_update.md
@@ -37,6 +37,7 @@ zarf tools helm repo update [REPO1 [REPO2 ...]] [flags]
 ```
 --burst-limit int client-side default throttling limit (default 100)
 --debug enable verbose output
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --kube-apiserver string the address and the port for the Kubernetes API server
 --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups.
 --kube-as-user string username to impersonate for the operation
@@ -47,6 +48,7 @@ zarf tools helm repo update [REPO1 [REPO2 ...]] [flags]
 --kube-token string bearer token used for authentication
 --kubeconfig string path to the kubeconfig file
 -n, --namespace string namespace scope for this request
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting
 --registry-config string path to the registry config file
 --repository-cache string path to the file containing cached repository indexes
diff --git a/site/src/content/docs/commands/zarf_tools_helm_version.md b/site/src/content/docs/commands/zarf_tools_helm_version.md
index c34e4c17c8..3c70426811 100644
--- a/site/src/content/docs/commands/zarf_tools_helm_version.md
+++ b/site/src/content/docs/commands/zarf_tools_helm_version.md
@@ -25,6 +25,7 @@ zarf tools helm version [flags]
 ```
 --burst-limit int client-side default throttling limit (default 100)
 --debug enable verbose output
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --kube-apiserver string the address and the port for the Kubernetes API server
 --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups.
 --kube-as-user string username to impersonate for the operation
@@ -35,6 +36,7 @@ zarf tools helm version [flags]
 --kube-token string bearer token used for authentication
 --kubeconfig string path to the kubeconfig file
 -n, --namespace string namespace scope for this request
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --qps float32 queries per second used when communicating with the Kubernetes API, not including bursting
 --registry-config string path to the registry config file
 --repository-cache string path to the file containing cached repository indexes
diff --git a/site/src/content/docs/commands/zarf_tools_kubectl.md b/site/src/content/docs/commands/zarf_tools_kubectl.md
index 18128b35e3..ebf487c50f 100644
--- a/site/src/content/docs/commands/zarf_tools_kubectl.md
+++ b/site/src/content/docs/commands/zarf_tools_kubectl.md
@@ -20,6 +20,13 @@ zarf tools kubectl [flags] -h, --help help for kubectl ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_monitor.md b/site/src/content/docs/commands/zarf_tools_monitor.md index 73c8d766be..3303fde13b 100644 --- a/site/src/content/docs/commands/zarf_tools_monitor.md +++ b/site/src/content/docs/commands/zarf_tools_monitor.md @@ -44,6 +44,12 @@ zarf tools monitor [flags] --write Sets write mode by overriding the readOnly configuration setting ``` +### Options inherited from parent commands + +``` + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_registry.md b/site/src/content/docs/commands/zarf_tools_registry.md index 67b56aa34f..c99882cb04 100644 --- a/site/src/content/docs/commands/zarf_tools_registry.md +++ b/site/src/content/docs/commands/zarf_tools_registry.md 
@@ -20,6 +20,13 @@ Tools for working with container registries using go-containertools -v, --verbose Enable debug logs ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_registry_catalog.md b/site/src/content/docs/commands/zarf_tools_registry_catalog.md index 5b01ae2d43..ea2a8fa3cb 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_catalog.md +++ b/site/src/content/docs/commands/zarf_tools_registry_catalog.md @@ -38,6 +38,8 @@ $ zarf tools registry catalog reg.example.com ``` --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers --insecure Allow image references to be fetched without TLS + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all") -v, --verbose Enable debug logs ``` diff --git a/site/src/content/docs/commands/zarf_tools_registry_copy.md b/site/src/content/docs/commands/zarf_tools_registry_copy.md index 4c975d811d..fdaec2d183 100644 --- a/site/src/content/docs/commands/zarf_tools_registry_copy.md +++ b/site/src/content/docs/commands/zarf_tools_registry_copy.md 
@@ -28,6 +28,8 @@ zarf tools registry copy SRC DST [flags]
 ```
 --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers
 --insecure Allow image references to be fetched without TLS
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all")
 -v, --verbose Enable debug logs
 ```
diff --git a/site/src/content/docs/commands/zarf_tools_registry_delete.md b/site/src/content/docs/commands/zarf_tools_registry_delete.md
index 02f234e0f5..6622747930 100644
--- a/site/src/content/docs/commands/zarf_tools_registry_delete.md
+++ b/site/src/content/docs/commands/zarf_tools_registry_delete.md
@@ -37,6 +37,8 @@ $ zarf tools registry delete reg.example.com/stefanprodan/podinfo@sha256:57a654a
 ```
 --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers
 --insecure Allow image references to be fetched without TLS
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all")
 -v, --verbose Enable debug logs
 ```
diff --git a/site/src/content/docs/commands/zarf_tools_registry_digest.md b/site/src/content/docs/commands/zarf_tools_registry_digest.md
index b2754a6d65..2b5be1bd26 100644
--- a/site/src/content/docs/commands/zarf_tools_registry_digest.md
+++ b/site/src/content/docs/commands/zarf_tools_registry_digest.md
@@ -39,6 +39,8 @@ $ zarf tools registry digest reg.example.com/stefanprodan/podinfo:6.4.0
 ```
 --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers
 --insecure Allow image references to be fetched without TLS
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all")
 -v, --verbose Enable debug logs
 ```
diff --git a/site/src/content/docs/commands/zarf_tools_registry_login.md b/site/src/content/docs/commands/zarf_tools_registry_login.md
index 72d7ac95d7..79c59a740c 100644
--- a/site/src/content/docs/commands/zarf_tools_registry_login.md
+++ b/site/src/content/docs/commands/zarf_tools_registry_login.md
@@ -28,6 +28,8 @@ zarf tools registry login [OPTIONS] [SERVER] [flags]
 ```
 --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers
 --insecure Allow image references to be fetched without TLS
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all")
 -v, --verbose Enable debug logs
 ```
diff --git a/site/src/content/docs/commands/zarf_tools_registry_ls.md b/site/src/content/docs/commands/zarf_tools_registry_ls.md
index f7754e813f..683c1837e5 100644
--- a/site/src/content/docs/commands/zarf_tools_registry_ls.md
+++ b/site/src/content/docs/commands/zarf_tools_registry_ls.md
@@ -39,6 +39,8 @@ $ zarf tools registry ls reg.example.com/stefanprodan/podinfo
 ```
 --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers
 --insecure Allow image references to be fetched without TLS
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all")
 -v, --verbose Enable debug logs
 ```
diff --git a/site/src/content/docs/commands/zarf_tools_registry_prune.md b/site/src/content/docs/commands/zarf_tools_registry_prune.md
index 77fb9bf04a..ec745c4a1b 100644
--- a/site/src/content/docs/commands/zarf_tools_registry_prune.md
+++ b/site/src/content/docs/commands/zarf_tools_registry_prune.md
@@ -26,6 +26,8 @@ zarf tools registry prune [flags]
 ```
 --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers
 --insecure Allow image references to be fetched without TLS
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all")
 -v, --verbose Enable debug logs
 ```
diff --git a/site/src/content/docs/commands/zarf_tools_registry_pull.md b/site/src/content/docs/commands/zarf_tools_registry_pull.md
index cb2e467f23..5e94aa0b7f 100644
--- a/site/src/content/docs/commands/zarf_tools_registry_pull.md
+++ b/site/src/content/docs/commands/zarf_tools_registry_pull.md
@@ -40,6 +40,8 @@ $ zarf tools registry pull reg.example.com/stefanprodan/podinfo:6.4.0 image.tar
 ```
 --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers
 --insecure Allow image references to be fetched without TLS
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all")
 -v, --verbose Enable debug logs
 ```
diff --git a/site/src/content/docs/commands/zarf_tools_registry_push.md b/site/src/content/docs/commands/zarf_tools_registry_push.md
index beb58ad1f1..efbbe885f6 100644
--- a/site/src/content/docs/commands/zarf_tools_registry_push.md
+++ b/site/src/content/docs/commands/zarf_tools_registry_push.md
@@ -43,6 +43,8 @@ $ zarf tools registry push image.tar reg.example.com/stefanprodan/podinfo:6.4.0
 ```
 --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers
 --insecure Allow image references to be fetched without TLS
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all")
 -v, --verbose Enable debug logs
 ```
diff --git a/site/src/content/docs/commands/zarf_tools_registry_version.md b/site/src/content/docs/commands/zarf_tools_registry_version.md
index aca0c7176f..2547913064 100644
--- a/site/src/content/docs/commands/zarf_tools_registry_version.md
+++ b/site/src/content/docs/commands/zarf_tools_registry_version.md
@@ -32,6 +32,8 @@ zarf tools registry version [flags]
 ```
 --allow-nondistributable-artifacts Allow pushing non-distributable (foreign) layers
 --insecure Allow image references to be fetched without TLS
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --platform string Specifies the platform in the form os/arch[/variant][:osversion] (e.g. linux/amd64). (default "all")
 -v, --verbose Enable debug logs
 ```
diff --git a/site/src/content/docs/commands/zarf_tools_sbom.md b/site/src/content/docs/commands/zarf_tools_sbom.md
index b6a733f6ff..963ee996ad 100644
--- a/site/src/content/docs/commands/zarf_tools_sbom.md +++ b/site/src/content/docs/commands/zarf_tools_sbom.md @@ -38,6 +38,13 @@ zarf tools sbom [flags] -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_sbom_attest.md b/site/src/content/docs/commands/zarf_tools_sbom_attest.md index 89c673210f..66d6eac62b 100644 --- a/site/src/content/docs/commands/zarf_tools_sbom_attest.md +++ b/site/src/content/docs/commands/zarf_tools_sbom_attest.md @@ -36,9 +36,11 @@ zarf tools sbom attest --output [FORMAT] [flags] ### Options inherited from parent commands ``` - -c, --config string syft configuration file - -q, --quiet suppress all logging output - -v, --verbose count increase verbosity (-v = info, -vv = debug) + -c, --config string syft configuration file + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + -q, --quiet suppress all logging output + -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_sbom_convert.md b/site/src/content/docs/commands/zarf_tools_sbom_convert.md index 96936399a7..dc08f90913 100644 
--- a/site/src/content/docs/commands/zarf_tools_sbom_convert.md +++ b/site/src/content/docs/commands/zarf_tools_sbom_convert.md @@ -30,9 +30,11 @@ zarf tools sbom convert [SOURCE-SBOM] -o [FORMAT] [flags] ### Options inherited from parent commands ``` - -c, --config string syft configuration file - -q, --quiet suppress all logging output - -v, --verbose count increase verbosity (-v = info, -vv = debug) + -c, --config string syft configuration file + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + -q, --quiet suppress all logging output + -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_sbom_login.md b/site/src/content/docs/commands/zarf_tools_sbom_login.md index a5995424a3..4555edc1a8 100644 --- a/site/src/content/docs/commands/zarf_tools_sbom_login.md +++ b/site/src/content/docs/commands/zarf_tools_sbom_login.md @@ -26,9 +26,11 @@ zarf tools sbom login [OPTIONS] [SERVER] [flags] ### Options inherited from parent commands ``` - -c, --config string syft configuration file - -q, --quiet suppress all logging output - -v, --verbose count increase verbosity (-v = info, -vv = debug) + -c, --config string syft configuration file + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + -q, --quiet suppress all logging output + -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` ### SEE ALSO 
diff --git a/site/src/content/docs/commands/zarf_tools_sbom_scan.md b/site/src/content/docs/commands/zarf_tools_sbom_scan.md index 4c25172c0e..fcc63cbe14 100644 --- a/site/src/content/docs/commands/zarf_tools_sbom_scan.md +++ b/site/src/content/docs/commands/zarf_tools_sbom_scan.md @@ -38,9 +38,11 @@ zarf tools sbom scan [SOURCE] [flags] ### Options inherited from parent commands ``` - -c, --config string syft configuration file - -q, --quiet suppress all logging output - -v, --verbose count increase verbosity (-v = info, -vv = debug) + -c, --config string syft configuration file + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + -q, --quiet suppress all logging output + -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_sbom_version.md b/site/src/content/docs/commands/zarf_tools_sbom_version.md index 2d141d1f12..3530449fc7 100644 --- a/site/src/content/docs/commands/zarf_tools_sbom_version.md +++ b/site/src/content/docs/commands/zarf_tools_sbom_version.md 
@@ -24,9 +24,11 @@ zarf tools sbom version [flags] ### Options inherited from parent commands ``` - -c, --config string syft configuration file - -q, --quiet suppress all logging output - -v, --verbose count increase verbosity (-v = info, -vv = debug) + -c, --config string syft configuration file + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + -q, --quiet suppress all logging output + -v, --verbose count increase verbosity (-v = info, -vv = debug) ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_update-creds.md b/site/src/content/docs/commands/zarf_tools_update-creds.md index b023dc0c56..6ff620ea1a 100644 --- a/site/src/content/docs/commands/zarf_tools_update-creds.md +++ b/site/src/content/docs/commands/zarf_tools_update-creds.md 
@@ -72,14 +72,15 @@ $ zarf tools update-creds artifact --artifact-push-username={USERNAME} --artifac ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/commands/zarf_tools_wait-for.md b/site/src/content/docs/commands/zarf_tools_wait-for.md index 747db896f1..ce19b5590f 100644 
--- a/site/src/content/docs/commands/zarf_tools_wait-for.md +++ b/site/src/content/docs/commands/zarf_tools_wait-for.md @@ -54,6 +54,13 @@ $ zarf tools wait-for http google.com success # wait --timeout string Specify the timeout duration for the wait command. (default "5m") ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_yq.md b/site/src/content/docs/commands/zarf_tools_yq.md index 7e865330fa..8916e18e3b 100644 --- a/site/src/content/docs/commands/zarf_tools_yq.md +++ b/site/src/content/docs/commands/zarf_tools_yq.md @@ -81,6 +81,13 @@ zarf tools yq -P sample.json --xml-strict-mode enables strict parsing of XML. See https://pkg.go.dev/encoding/xml for more details. ``` +### Options inherited from parent commands + +``` + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. +``` + ### SEE ALSO * [zarf tools](/commands/zarf_tools/) - Collection of additional tools to make airgap easier diff --git a/site/src/content/docs/commands/zarf_tools_yq_completion.md b/site/src/content/docs/commands/zarf_tools_yq_completion.md index c67ed20899..13651b3536 100644 --- a/site/src/content/docs/commands/zarf_tools_yq_completion.md 
+++ b/site/src/content/docs/commands/zarf_tools_yq_completion.md
@@ -68,6 +68,7 @@ zarf tools yq completion [bash|zsh|fish|powershell]
 -I, --indent int sets indent level for output (default 2)
 -i, --inplace update the file in place of first file given.
 -p, --input-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|lua|l] parse format for input. (default "auto")
+ --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
 --lua-globals output keys as top-level global variables
 --lua-prefix string prefix (default "return ")
 --lua-suffix string suffix (default ";\n")
@@ -77,6 +78,7 @@ zarf tools yq completion [bash|zsh|fish|powershell]
 -0, --nul-output Use NUL char to separate values. If unwrap scalar is also set, fail if unwrapped scalar contains NUL char.
 -n, --null-input Don't read input, simply evaluate the expression given. Useful for creating docs from scratch.
 -o, --output-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|shell|s|lua|l] output format type. (default "auto")
+ --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
 -P, --prettyPrint pretty print, shorthand for '... style = ""'
 --properties-array-brackets use [x] in array paths (e.g. for SpringBoot)
 --properties-separator string separator to use between keys and values (default " = ")
diff --git a/site/src/content/docs/commands/zarf_tools_yq_eval-all.md b/site/src/content/docs/commands/zarf_tools_yq_eval-all.md
index 29d8b065fa..07cbc3b70e 100644
--- a/site/src/content/docs/commands/zarf_tools_yq_eval-all.md
+++ b/site/src/content/docs/commands/zarf_tools_yq_eval-all.md
@@ -64,6 +64,7 @@ cat file2.yml | zarf tools yq ea '.a.b' file1.yml - file3.yml -I, --indent int sets indent level for output (default 2) -i, --inplace update the file in place of first file given. -p, --input-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|lua|l] parse format for input. (default "auto") + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --lua-globals output keys as top-level global variables --lua-prefix string prefix (default "return ") --lua-suffix string suffix (default ";\n") @@ -73,6 +74,7 @@ cat file2.yml | zarf tools yq ea '.a.b' file1.yml - file3.yml -0, --nul-output Use NUL char to separate values. If unwrap scalar is also set, fail if unwrapped scalar contains NUL char. -n, --null-input Don't read input, simply evaluate the expression given. Useful for creating docs from scratch. -o, --output-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|shell|s|lua|l] output format type. (default "auto") + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. -P, --prettyPrint pretty print, shorthand for '... style = ""' --properties-array-brackets use [x] in array paths (e.g. for SpringBoot) --properties-separator string separator to use between keys and values (default " = ") diff --git a/site/src/content/docs/commands/zarf_tools_yq_eval.md b/site/src/content/docs/commands/zarf_tools_yq_eval.md index 215184cf00..bdc33ee6cf 100644 --- a/site/src/content/docs/commands/zarf_tools_yq_eval.md +++ b/site/src/content/docs/commands/zarf_tools_yq_eval.md 
@@ -66,6 +66,7 @@ zarf tools yq e '.a.b = "cool"' -i file.yaml -I, --indent int sets indent level for output (default 2) -i, --inplace update the file in place of first file given. -p, --input-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|lua|l] parse format for input. (default "auto") + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. --lua-globals output keys as top-level global variables --lua-prefix string prefix (default "return ") --lua-suffix string suffix (default ";\n") @@ -75,6 +76,7 @@ zarf tools yq e '.a.b = "cool"' -i file.yaml -0, --nul-output Use NUL char to separate values. If unwrap scalar is also set, fail if unwrapped scalar contains NUL char. -n, --null-input Don't read input, simply evaluate the expression given. Useful for creating docs from scratch. -o, --output-format string [auto|a|yaml|y|json|j|props|p|csv|c|tsv|t|xml|x|base64|uri|toml|shell|s|lua|l] output format type. (default "auto") + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. -P, --prettyPrint pretty print, shorthand for '... style = ""' --properties-array-brackets use [x] in array paths (e.g. for SpringBoot) --properties-separator string separator to use between keys and values (default " = ") diff --git a/site/src/content/docs/commands/zarf_version.md b/site/src/content/docs/commands/zarf_version.md index 2bffaa5403..ab3859c1ec 100644 --- a/site/src/content/docs/commands/zarf_version.md +++ b/site/src/content/docs/commands/zarf_version.md 
@@ -28,14 +28,15 @@ zarf version [flags] ### Options inherited from parent commands ``` - -a, --architecture string Architecture for OCI images and Zarf packages - --insecure Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture. - -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") - --no-color Disable colors in output - --no-log-file Disable log file creation - --no-progress Disable fancy UI progress bars, spinners, logos, etc - --tmpdir string Specify the temporary directory to use for intermediate files - --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") + -a, --architecture string Architecture for OCI images and Zarf packages + --insecure-skip-tls-verify Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture. + -l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info") + --no-color Disable colors in output + --no-log-file Disable log file creation + --no-progress Disable fancy UI progress bars, spinners, logos, etc + --plain-http Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture. + --tmpdir string Specify the temporary directory to use for intermediate files + --zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache") ``` ### SEE ALSO diff --git a/site/src/content/docs/ref/deploy.mdx b/site/src/content/docs/ref/deploy.mdx index b0974485d6..0e700b0083 100644 --- a/site/src/content/docs/ref/deploy.mdx +++ b/site/src/content/docs/ref/deploy.mdx 
@@ -117,7 +117,7 @@ $ zarf connect [service name] :::note -You can also specify a package locally, or via oci such as `zarf package deploy oci://defenseunicorns/dos-games:1.0.0 --key=https://zarf.dev/cosign.pub` +You can also specify a package locally, or via oci such as `zarf package deploy oci://ghcr.io/zarf-dev/packages/dos-games:1.1.0 --key=https://zarf.dev/cosign.pub` ::: diff --git a/site/src/content/docs/tutorials/3-deploy-a-retro-arcade.mdx b/site/src/content/docs/tutorials/3-deploy-a-retro-arcade.mdx index ebb499ffbb..08c71a810e 100644 --- a/site/src/content/docs/tutorials/3-deploy-a-retro-arcade.mdx +++ b/site/src/content/docs/tutorials/3-deploy-a-retro-arcade.mdx @@ -22,7 +22,7 @@ Before beginning this tutorial you will need the following: ## Deploying the Arcade -1. The `dos-games` package is easily deployable via `oci://` by running `zarf package deploy oci://defenseunicorns/dos-games:1.0.0 --key=https://zarf.dev/cosign.pub`. +1. The `dos-games` package is easily deployable via `oci://` by running `zarf package deploy oci://ghcr.io/zarf-dev/packages/dos-games:1.1.0 --key=https://zarf.dev/cosign.pub`. :::tip diff --git a/site/src/content/docs/tutorials/6-publish-and-deploy.mdx b/site/src/content/docs/tutorials/6-publish-and-deploy.mdx index a03b0ec392..5787bfd673 100644 --- a/site/src/content/docs/tutorials/6-publish-and-deploy.mdx +++ b/site/src/content/docs/tutorials/6-publish-and-deploy.mdx @@ -142,7 +142,7 @@ You attempted to publish a package with no version metadata. You attempted to publish a package to an insecure registry, using http instead of https. -1. Use the `--insecure` flag. Note that this is not suitable for production workloads. +1. Use the `--plain-http` flag. Note that this is not suitable for production workloads. ::: diff --git a/src/cmd/common/viper.go b/src/cmd/common/viper.go index 1077b654a0..0e82a33676 100644 --- a/src/cmd/common/viper.go +++ b/src/cmd/common/viper.go 
@@ -20,14 +20,16 @@ const ( // Root config keys - VLogLevel = "log_level" - VArchitecture = "architecture" - VNoLogFile = "no_log_file" - VNoProgress = "no_progress" - VNoColor = "no_color" - VZarfCache = "zarf_cache" - VTmpDir = "tmp_dir" - VInsecure = "insecure" + VLogLevel = "log_level" + VArchitecture = "architecture" + VNoLogFile = "no_log_file" + VNoProgress = "no_progress" + VNoColor = "no_color" + VZarfCache = "zarf_cache" + VTmpDir = "tmp_dir" + VInsecure = "insecure" + VPlainHTTP = "plain_http" + VInsecureSkipTLSVerify = "insecure_skip_tls_verify" // Init config keys diff --git a/src/cmd/dev.go b/src/cmd/dev.go index fc10f80b8d..d2f36002fa 100644 --- a/src/cmd/dev.go +++ b/src/cmd/dev.go @@ -302,13 +302,7 @@ var devLintCmd = &cobra.Command{ pkgConfig.CreateOpts.SetVariables = helpers.TransformAndMergeMap( v.GetStringMapString(common.VPkgCreateSet), pkgConfig.CreateOpts.SetVariables, strings.ToUpper) - pkgClient, err := packager.New(&pkgConfig) - if err != nil { - return err - } - defer pkgClient.ClearTempPaths() - - err = lint.Validate(cmd.Context(), pkgConfig.CreateOpts) + err := lint.Validate(cmd.Context(), pkgConfig.CreateOpts.BaseDir, pkgConfig.CreateOpts.Flavor, pkgConfig.CreateOpts.SetVariables) var lintErr *lint.LintError if errors.As(err, &lintErr) { common.PrintFindings(lintErr) diff --git a/src/cmd/initialize.go b/src/cmd/initialize.go index 4d1c61363b..376db85da9 100644 --- a/src/cmd/initialize.go +++ b/src/cmd/initialize.go @@ -223,6 +223,7 @@ func init() { initCmd.Flags().IntVar(&pkgConfig.PkgOpts.Retries, "retries", v.GetInt(common.VPkgRetries), lang.CmdPackageFlagRetries) initCmd.Flags().StringVarP(&pkgConfig.PkgOpts.PublicKeyPath, "key", "k", v.GetString(common.VPkgPublicKey), lang.CmdPackageFlagFlagPublicKey) + initCmd.Flags().BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) initCmd.Flags().SortFlags = true } 
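Review bot: The initialize.go hunk registers `--skip-signature-validation` on `zarf init`, but nothing visible maps the deprecated `--insecure` onto it the way the `PreRun` hooks added in package.go do. If initCmd has no equivalent hook (its definition is outside this hunk), `zarf init --insecure` would presumably stop skipping signature validation, which the old `--insecure` help text described as part of that flag. Either give initCmd the same hook, or record the change with a comment such as `// --insecure does not imply --skip-signature-validation for init` and mention it in the deprecation text.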
diff --git a/src/cmd/package.go b/src/cmd/package.go index a40439d53f..d168ed80dd 100644 --- a/src/cmd/package.go +++ b/src/cmd/package.go @@ -8,26 +8,30 @@ import ( "context" "errors" "fmt" + "os" "path/filepath" "regexp" + "runtime" "strings" - "github.com/zarf-dev/zarf/src/cmd/common" - "github.com/zarf-dev/zarf/src/config/lang" - "github.com/zarf-dev/zarf/src/pkg/lint" - "github.com/zarf-dev/zarf/src/pkg/message" - "github.com/zarf-dev/zarf/src/pkg/packager/sources" - "github.com/zarf-dev/zarf/src/types" - - "oras.land/oras-go/v2/registry" - "github.com/AlecAivazis/survey/v2" "github.com/defenseunicorns/pkg/helpers/v2" "github.com/spf13/cobra" "github.com/spf13/viper" + "oras.land/oras-go/v2/registry" + + "github.com/zarf-dev/zarf/src/cmd/common" "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/config/lang" + "github.com/zarf-dev/zarf/src/internal/dns" + "github.com/zarf-dev/zarf/src/internal/packager2" "github.com/zarf-dev/zarf/src/pkg/cluster" + "github.com/zarf-dev/zarf/src/pkg/lint" + "github.com/zarf-dev/zarf/src/pkg/message" "github.com/zarf-dev/zarf/src/pkg/packager" + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/pkg/packager/sources" + "github.com/zarf-dev/zarf/src/types" ) var packageCmd = &cobra.Command{ @@ -79,6 +83,12 @@ var packageDeployCmd = &cobra.Command{ Short: lang.CmdPackageDeployShort, Long: lang.CmdPackageDeployLong, Args: cobra.MaximumNArgs(1), + PreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --skip-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.SkipSignatureValidation = true + } + }, RunE: func(cmd *cobra.Command, args []string) error { packageSource, err := choosePackage(args) if err != nil { 
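Review bot: The `PreRun` closure added to packageDeployCmd is repeated verbatim on packageMirrorCmd, packageInspectCmd, packageRemoveCmd and packagePublishCmd in the following hunks, so the security-relevant mapping from `--insecure` to skipped signature validation lives in five copies. A single named function referenced from each command keeps that mapping in one auditable place and makes it harder to miss a command later. Note also that every `--skip-signature-validation` binding in this file uses a literal `false` default rather than a viper key, so the setting cannot come from config or environment; if that is deliberate, the helper's doc comment is a good place to say so.

```go
// skipSignatureOnInsecure keeps the deprecated --insecure flag implying
// --skip-signature-validation for package commands.
func skipSignatureOnInsecure(_ *cobra.Command, _ []string) {
	if config.CommonOptions.Insecure {
		pkgConfig.PkgOpts.SkipSignatureValidation = true
	}
}

// … unchanged: command literal fields (Use, Short, Long, Args) …
	PreRun: skipSignatureOnInsecure,
```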
@@ -112,19 +122,54 @@ var packageMirrorCmd = &cobra.Command{ Long: lang.CmdPackageMirrorLong, Example: lang.CmdPackageMirrorExample, Args: cobra.MaximumNArgs(1), + PreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --skip-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.SkipSignatureValidation = true + } + }, RunE: func(cmd *cobra.Command, args []string) error { - packageSource, err := choosePackage(args) + var c *cluster.Cluster + if dns.IsServiceURL(pkgConfig.InitOpts.RegistryInfo.Address) || dns.IsServiceURL(pkgConfig.InitOpts.GitServer.Address) { + var err error + c, err = cluster.NewCluster() + if err != nil { + return err + } + } + src, err := choosePackage(args) if err != nil { return err } - pkgConfig.PkgOpts.PackageSource = packageSource - pkgClient, err := packager.New(&pkgConfig) + filter := filters.Combine( + filters.ByLocalOS(runtime.GOOS), + filters.BySelectState(pkgConfig.PkgOpts.OptionalComponents), + ) + + loadOpt := packager2.LoadOptions{ + Source: src, + Shasum: pkgConfig.PkgOpts.Shasum, + PublicKeyPath: pkgConfig.PkgOpts.PublicKeyPath, + SkipSignatureValidation: pkgConfig.PkgOpts.SkipSignatureValidation, + Filter: filter, + } + pkgPaths, err := packager2.LoadPackage(cmd.Context(), loadOpt) if err != nil { return err } - defer pkgClient.ClearTempPaths() - if err := pkgClient.Mirror(cmd.Context()); err != nil { - return fmt.Errorf("failed to mirror package: %w", err) + defer os.RemoveAll(pkgPaths.Base) + mirrorOpt := packager2.MirrorOptions{ + Cluster: c, + PackagePaths: *pkgPaths, + Filter: filter, + RegistryInfo: pkgConfig.InitOpts.RegistryInfo, + GitInfo: pkgConfig.InitOpts.GitServer, + NoImageChecksum: pkgConfig.MirrorOpts.NoImgChecksum, + Retries: pkgConfig.PkgOpts.Retries, + } + err = packager2.Mirror(cmd.Context(), mirrorOpt) + if err != nil { + return err } return nil }, 
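Review bot: The rewritten `RunE` of packageMirrorCmd returns the errors from `packager2.LoadPackage` and `packager2.Mirror` bare, where the removed code wrapped the failure as `failed to mirror package: %w`, so the user no longer sees which stage failed. Wrapping them, e.g. `return fmt.Errorf("unable to load package: %w", err)` and `return fmt.Errorf("unable to mirror package: %w", err)`, keeps that context. Separately, `c` stays nil unless one of the two addresses passes `dns.IsServiceURL`, and it is handed to `MirrorOptions.Cluster` unconditionally; whether `packager2.Mirror` tolerates a nil cluster is not visible here, so a comment on `var c *cluster.Cluster` such as `// nil when both targets are reachable without a cluster connection` would document the intent.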
@@ -136,6 +181,12 @@ var packageInspectCmd = &cobra.Command{ Short: lang.CmdPackageInspectShort, Long: lang.CmdPackageInspectLong, Args: cobra.MaximumNArgs(1), + PreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --skip-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.SkipSignatureValidation = true + } + }, RunE: func(cmd *cobra.Command, args []string) error { packageSource, err := choosePackage(args) if err != nil { @@ -208,6 +259,12 @@ var packageRemoveCmd = &cobra.Command{ Aliases: []string{"u", "rm"}, Args: cobra.MaximumNArgs(1), Short: lang.CmdPackageRemoveShort, + PreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --skip-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.SkipSignatureValidation = true + } + }, RunE: func(cmd *cobra.Command, args []string) error { packageSource, err := choosePackage(args) if err != nil { @@ -236,6 +293,12 @@ var packagePublishCmd = &cobra.Command{ Short: lang.CmdPackagePublishShort, Example: lang.CmdPackagePublishExample, Args: cobra.ExactArgs(2), + PreRun: func(_ *cobra.Command, _ []string) { + // If --insecure was provided, set --skip-signature-validation to match + if config.CommonOptions.Insecure { + pkgConfig.PkgOpts.SkipSignatureValidation = true + } + }, RunE: func(cmd *cobra.Command, args []string) error { pkgConfig.PkgOpts.PackageSource = args[0] 
@@ -278,15 +341,18 @@ var packagePullCmd = &cobra.Command{ Example: lang.CmdPackagePullExample, Args: cobra.ExactArgs(1), RunE: func(cmd *cobra.Command, args []string) error { - pkgConfig.PkgOpts.PackageSource = args[0] - pkgClient, err := packager.New(&pkgConfig) + outputDir := pkgConfig.PullOpts.OutputDirectory + if outputDir == "" { + wd, err := os.Getwd() + if err != nil { + return err + } + outputDir = wd + } + err := packager2.Pull(cmd.Context(), args[0], outputDir, pkgConfig.PkgOpts.Shasum, filters.Empty()) if err != nil { return err } - defer pkgClient.ClearTempPaths() - if err := pkgClient.Pull(cmd.Context()); err != nil { - return fmt.Errorf("failed to pull package: %w", err) - } return nil }, } @@ -430,6 +496,7 @@ func bindDeployFlags(v *viper.Viper) { deployFlags.StringVar(&pkgConfig.PkgOpts.OptionalComponents, "components", v.GetString(common.VPkgDeployComponents), lang.CmdPackageDeployFlagComponents) deployFlags.StringVar(&pkgConfig.PkgOpts.Shasum, "shasum", v.GetString(common.VPkgDeployShasum), lang.CmdPackageDeployFlagShasum) deployFlags.StringVar(&pkgConfig.PkgOpts.SGetKeyPath, "sget", v.GetString(common.VPkgDeploySget), lang.CmdPackageDeployFlagSget) + deployFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) deployFlags.MarkHidden("sget") } 
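Review bot: The new `packager2.Pull` call in packagePullCmd is given only `pkgConfig.PkgOpts.Shasum` as an integrity input, with no public key or signature-validation setting, and `--shasum` defaults to the empty string in `bindPullFlags`. The help text states a shasum is required for https packages, but whether `Pull` enforces that is outside this hunk. If signature checks are intentionally deferred, a comment at the call such as `// integrity here is shasum only; signatures are verified when the package is loaded` would make that explicit. The returned error also lost its context; `return fmt.Errorf("unable to pull package: %w", err)` would restore it.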
@@ -445,7 +512,9 @@ func bindMirrorFlags(v *viper.Viper) { // Always require confirm flag (no viper) mirrorFlags.BoolVar(&config.CommonOptions.Confirm, "confirm", false, lang.CmdPackageDeployFlagConfirm) + mirrorFlags.StringVar(&pkgConfig.PkgOpts.Shasum, "shasum", "", lang.CmdPackagePullFlagShasum) mirrorFlags.BoolVar(&pkgConfig.MirrorOpts.NoImgChecksum, "no-img-checksum", false, lang.CmdPackageMirrorFlagNoChecksum) + mirrorFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) mirrorFlags.IntVar(&pkgConfig.PkgOpts.Retries, "retries", v.GetInt(common.VPkgRetries), lang.CmdPackageFlagRetries) mirrorFlags.StringVar(&pkgConfig.PkgOpts.OptionalComponents, "components", v.GetString(common.VPkgDeployComponents), lang.CmdPackageMirrorFlagComponents) @@ -466,12 +535,14 @@ func bindInspectFlags(_ *viper.Viper) { inspectFlags.BoolVarP(&pkgConfig.InspectOpts.ViewSBOM, "sbom", "s", false, lang.CmdPackageInspectFlagSbom) inspectFlags.StringVar(&pkgConfig.InspectOpts.SBOMOutputDir, "sbom-out", "", lang.CmdPackageInspectFlagSbomOut) inspectFlags.BoolVar(&pkgConfig.InspectOpts.ListImages, "list-images", false, lang.CmdPackageInspectFlagListImages) + inspectFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) } func bindRemoveFlags(v *viper.Viper) { removeFlags := packageRemoveCmd.Flags() removeFlags.BoolVar(&config.CommonOptions.Confirm, "confirm", false, lang.CmdPackageRemoveFlagConfirm) removeFlags.StringVar(&pkgConfig.PkgOpts.OptionalComponents, "components", v.GetString(common.VPkgDeployComponents), lang.CmdPackageRemoveFlagComponents) + removeFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) _ = packageRemoveCmd.MarkFlagRequired("confirm") } 
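Review bot: The `--shasum` flag added in bindMirrorFlags reuses `lang.CmdPackagePullFlagShasum`, whose text (defined later in this commit) reads "Shasum of the package to pull. Required if pulling a https package.", so `zarf package mirror-resources --help` would describe the wrong command. A dedicated string, for example `CmdPackageMirrorFlagShasum = "Shasum of the package to mirror. Required if mirroring a remote https package."`, would keep the help accurate. The function continues outside the hunk.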
@@ -479,9 +550,11 @@ func bindPublishFlags(v *viper.Viper) { publishFlags := packagePublishCmd.Flags() publishFlags.StringVar(&pkgConfig.PublishOpts.SigningKeyPath, "signing-key", v.GetString(common.VPkgPublishSigningKey), lang.CmdPackagePublishFlagSigningKey) publishFlags.StringVar(&pkgConfig.PublishOpts.SigningKeyPassword, "signing-key-pass", v.GetString(common.VPkgPublishSigningKeyPassword), lang.CmdPackagePublishFlagSigningKeyPassword) + publishFlags.BoolVar(&pkgConfig.PkgOpts.SkipSignatureValidation, "skip-signature-validation", false, lang.CmdPackageFlagSkipSignatureValidation) } func bindPullFlags(v *viper.Viper) { pullFlags := packagePullCmd.Flags() + pullFlags.StringVar(&pkgConfig.PkgOpts.Shasum, "shasum", "", lang.CmdPackagePullFlagShasum) pullFlags.StringVarP(&pkgConfig.PullOpts.OutputDirectory, "output-directory", "o", v.GetString(common.VPkgPullOutputDir), lang.CmdPackagePullFlagOutputDirectory) } diff --git a/src/cmd/root.go b/src/cmd/root.go index 62e0582c8e..188f91e8cc 100644 --- a/src/cmd/root.go +++ b/src/cmd/root.go @@ -37,6 +37,12 @@ var ( var rootCmd = &cobra.Command{ Use: "zarf COMMAND", PersistentPreRunE: func(cmd *cobra.Command, _ []string) error { + // If --insecure was provided, set --insecure-skip-tls-verify and --plain-http to match + if config.CommonOptions.Insecure { + config.CommonOptions.InsecureSkipTLSVerify = true + config.CommonOptions.PlainHTTP = true + } + // Skip for vendor only commands if common.CheckVendorOnlyFromPath(cmd) { return nil 
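Review bot: In the root.go hunk, `PersistentPreRunE` turns `config.CommonOptions.Insecure` into both `InsecureSkipTLSVerify` and `PlainHTTP`, but that field's default still comes from `v.GetBool(common.VInsecure)`, so it can be true without `--insecure` ever appearing on the command line. As far as I know cobra prints the `MarkDeprecated` notice only when the flag itself is passed, which would leave a config- or environment-sourced `insecure` silently disabling TLS verification and HTTPS. I would emit an explicit warning inside this `if` block and add a comment such as `// Insecure may also be set via config/env (VInsecure); warn here because the flag deprecation notice only covers CLI use`. The rest of `PersistentPreRunE` is outside the hunk.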
@@ -121,4 +127,7 @@ func init() { rootCmd.PersistentFlags().StringVar(&config.CommonOptions.CachePath, "zarf-cache", v.GetString(common.VZarfCache), lang.RootCmdFlagCachePath) rootCmd.PersistentFlags().StringVar(&config.CommonOptions.TempDirectory, "tmpdir", v.GetString(common.VTmpDir), lang.RootCmdFlagTempDir) rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.Insecure, "insecure", v.GetBool(common.VInsecure), lang.RootCmdFlagInsecure) + rootCmd.PersistentFlags().MarkDeprecated("insecure", "please use --plain-http, --insecure-skip-tls-verify, or --skip-signature-validation instead.") + rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.PlainHTTP, "plain-http", v.GetBool(common.VPlainHTTP), lang.RootCmdFlagPlainHTTP) + rootCmd.PersistentFlags().BoolVar(&config.CommonOptions.InsecureSkipTLSVerify, "insecure-skip-tls-verify", v.GetBool(common.VInsecureSkipTLSVerify), lang.RootCmdFlagInsecureSkipTLSVerify) } diff --git a/src/cmd/tools/helm/load_plugins.go b/src/cmd/tools/helm/load_plugins.go index 28ea155030..df8b7cad67 100644 --- a/src/cmd/tools/helm/load_plugins.go +++ b/src/cmd/tools/helm/load_plugins.go @@ -318,11 +318,14 @@ func loadFile(path string) (*pluginCommand, error) { cmds := new(pluginCommand) b, err := os.ReadFile(path) if err != nil { - return cmds, fmt.Errorf("file (%s) not provided by plugin. No plugin auto-completion possible", path) + return nil, fmt.Errorf("file (%s) not provided by plugin. No plugin auto-completion possible", path) } err = yaml.Unmarshal(b, cmds) - return cmds, err + if err != nil { + return nil, err + } + return cmds, nil } // pluginDynamicComp call the plugin.complete script of the plugin (if available) diff --git a/src/config/lang/english.go b/src/config/lang/english.go index 1afdfab83c..2e2a7e2177 100644 --- a/src/config/lang/english.go +++ b/src/config/lang/english.go 
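Review bot: In the load_plugins.go hunk, `loadFile` still discards the `os.ReadFile` error and reports every failure as "not provided by plugin", so a permission or I/O error is indistinguishable from a missing file. Wrapping the cause keeps the message and the detail: `return nil, fmt.Errorf("file (%s) not provided by plugin. No plugin auto-completion possible: %w", path, err)`. The function signature sits outside this hunk.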
@@ -45,14 +45,16 @@ const ( RootCmdLong = "Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud native workloads\n" + "using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments." - RootCmdFlagLogLevel = "Log level when running Zarf. Valid options are: warn, info, debug, trace" - RootCmdFlagArch = "Architecture for OCI images and Zarf packages" - RootCmdFlagSkipLogFile = "Disable log file creation" - RootCmdFlagNoProgress = "Disable fancy UI progress bars, spinners, logos, etc" - RootCmdFlagNoColor = "Disable colors in output" - RootCmdFlagCachePath = "Specify the location of the Zarf cache directory" - RootCmdFlagTempDir = "Specify the temporary directory to use for intermediate files" - RootCmdFlagInsecure = "Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture." + RootCmdFlagLogLevel = "Log level when running Zarf. Valid options are: warn, info, debug, trace" + RootCmdFlagArch = "Architecture for OCI images and Zarf packages" + RootCmdFlagSkipLogFile = "Disable log file creation" + RootCmdFlagNoProgress = "Disable fancy UI progress bars, spinners, logos, etc" + RootCmdFlagNoColor = "Disable colors in output" + RootCmdFlagCachePath = "Specify the location of the Zarf cache directory" + RootCmdFlagTempDir = "Specify the temporary directory to use for intermediate files" + RootCmdFlagInsecure = "Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture." + RootCmdFlagPlainHTTP = "Force the connections over HTTP instead of HTTPS. 
This flag should only be used if you have a specific reason and accept the reduced security posture." + RootCmdFlagInsecureSkipTLSVerify = "Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture." RootCmdDeprecatedDeploy = "Deprecated: Please use \"zarf package deploy %s\" to deploy this package. This warning will be removed in Zarf v1.0.0." RootCmdDeprecatedCreate = "Deprecated: Please use \"zarf package create\" to create this package. This warning will be removed in Zarf v1.0.0." @@ -210,10 +212,11 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA CmdInternalCrc32Short = "Generates a decimal CRC32 for the given text" // zarf package - CmdPackageShort = "Zarf package commands for creating, deploying, and inspecting packages" - CmdPackageFlagConcurrency = "Number of concurrent layer operations to perform when interacting with a remote package." - CmdPackageFlagFlagPublicKey = "Path to public key file for validating signed packages" - CmdPackageFlagRetries = "Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs" + CmdPackageShort = "Zarf package commands for creating, deploying, and inspecting packages" + CmdPackageFlagConcurrency = "Number of concurrent layer operations to perform when interacting with a remote package." + CmdPackageFlagFlagPublicKey = "Path to public key file for validating signed packages" + CmdPackageFlagSkipSignatureValidation = "Skip validating the signature of the Zarf package" + CmdPackageFlagRetries = "Number of retries to perform for Zarf deploy operations like git/image pushes or Helm installs" CmdPackageCreateShort = "Creates a Zarf package from a given directory or the current directory" CmdPackageCreateLong = "Builds an archive of resources and dependencies defined by the 'zarf.yaml' in the specified directory.\n" + 
@@ -230,7 +233,7 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA CmdPackageMirrorExample = ` # Mirror resources to internal Zarf resources $ zarf package mirror-resources \ - --registry-url 127.0.0.1:31999 \ + --registry-url http://zarf-docker-registry.zarf.svc.cluster.local:5000 \ --registry-push-username zarf-push \ --registry-push-password \ --git-url http://zarf-gitea-http.zarf.svc.cluster.local:3000 \ @@ -273,7 +276,7 @@ $ zarf package mirror-resources \ CmdPackageDeployFlagAdoptExistingResources = "Adopts any pre-existing K8s resources into the Helm charts managed by Zarf. ONLY use when you have existing deployments you want Zarf to takeover." CmdPackageDeployFlagSet = "Specify deployment variables to set on the command line (KEY=value)" CmdPackageDeployFlagComponents = "Comma-separated list of components to deploy. Adding this flag will skip the prompts for selected components. Globbing component names with '*' and deselecting 'default' components with a leading '-' are also supported." - CmdPackageDeployFlagShasum = "Shasum of the package to deploy. Required if deploying a remote package and \"--insecure\" is not provided" + CmdPackageDeployFlagShasum = "Shasum of the package to deploy. Required if deploying a remote https package." CmdPackageDeployFlagSget = "[Deprecated] Path to public sget key file for remote packages signed via cosign. This flag will be removed in v1.0.0 please use the --key flag instead." CmdPackageDeployFlagSkipWebhooks = "[alpha] Skip waiting for external webhooks to execute as each package component is deployed" CmdPackageDeployFlagTimeout = "Timeout for health checks and Helm operations such as installs and rollbacks" 
@@ -314,6 +317,7 @@ $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a ar # Pull a skeleton package $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a skeleton` CmdPackagePullFlagOutputDirectory = "Specify the output directory for the pulled Zarf package" + CmdPackagePullFlagShasum = "Shasum of the package to pull. Required if pulling a https package. A shasum can be retrieved using 'zarf dev sha256sum '" CmdPackageChoose = "Choose or type the package file" CmdPackageClusterSourceFallback = "%q does not satisfy any current sources, assuming it is a package deployed to a cluster" diff --git a/src/internal/agent/hooks/argocd-application.go b/src/internal/agent/hooks/argocd-application.go index b234f29e84..e7351c89fd 100644 --- a/src/internal/agent/hooks/argocd-application.go +++ b/src/internal/agent/hooks/argocd-application.go @@ -59,7 +59,7 @@ func NewApplicationMutationHook(ctx context.Context, cluster *cluster.Cluster) o } // mutateApplication mutates the git repository url to point to the repository URL defined in the ZarfState. -func mutateApplication(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (result *operations.Result, err error) { +func mutateApplication(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (*operations.Result, error) { state, err := cluster.LoadZarfState(ctx) if err != nil { return nil, err @@ -72,8 +72,7 @@ func mutateApplication(ctx context.Context, r *v1.AdmissionRequest, cluster *clu return nil, fmt.Errorf(lang.ErrUnmarshal, err) } - patches := []operations.PatchOperation{} - + patches := make([]operations.PatchOperation, 0) if app.Spec.Source != nil { patchedURL, err := getPatchedRepoURL(app.Spec.Source.RepoURL, state.GitServer, r) if err != nil { diff --git a/src/internal/agent/hooks/argocd-repository.go b/src/internal/agent/hooks/argocd-repository.go index 1875772d05..cf2e9d895e 100644 --- a/src/internal/agent/hooks/argocd-repository.go 
+++ b/src/internal/agent/hooks/argocd-repository.go @@ -47,7 +47,7 @@ func NewRepositorySecretMutationHook(ctx context.Context, cluster *cluster.Clust } // mutateRepositorySecret mutates the git URL in the ArgoCD repository secret to point to the repository URL defined in the ZarfState. -func mutateRepositorySecret(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (result *operations.Result, err error) { +func mutateRepositorySecret(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (*operations.Result, error) { isCreate := r.Operation == v1.Create isUpdate := r.Operation == v1.Update var isPatched bool diff --git a/src/internal/agent/hooks/flux-gitrepo.go b/src/internal/agent/hooks/flux-gitrepo.go index 2fda2969bb..77447b7c34 100644 --- a/src/internal/agent/hooks/flux-gitrepo.go +++ b/src/internal/agent/hooks/flux-gitrepo.go @@ -37,7 +37,7 @@ func NewGitRepositoryMutationHook(ctx context.Context, cluster *cluster.Cluster) } // mutateGitRepoCreate mutates the git repository url to point to the repository URL defined in the ZarfState. -func mutateGitRepo(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (result *operations.Result, err error) { +func mutateGitRepo(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster.Cluster) (*operations.Result, error) { var ( patches []operations.PatchOperation isPatched bool diff --git a/src/internal/dns/dns.go b/src/internal/dns/dns.go new file mode 100644 index 0000000000..54f821e631 --- /dev/null +++ b/src/internal/dns/dns.go 
@@ -0,0 +1,48 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +// Package dns contains DNS related functionality. +package dns + +import ( + "errors" + "fmt" + "net/url" + "regexp" + "strconv" +) + +var ( + // localClusterServiceRegex is used to match the local cluster service format: + localClusterServiceRegex = regexp.MustCompile(`^(?P[^\.]+)\.(?P[^\.]+)\.svc\.cluster\.local$`) +) + +// IsServiceURL returns true if the give url complies with the service url format. +func IsServiceURL(serviceURL string) bool { + _, _, _, err := ParseServiceURL(serviceURL) + return err == nil +} + +// ParseServiceURL takes a serviceURL and parses it to find the service info for connecting to the cluster. The string is expected to follow the following format: +// Example serviceURL: http://{SERVICE_NAME}.{NAMESPACE}.svc.cluster.local:{PORT}. +func ParseServiceURL(serviceURL string) (string, string, int, error) { + if serviceURL == "" { + return "", "", 0, errors.New("service url cannot be empty") + } + parsedURL, err := url.Parse(serviceURL) + if err != nil { + return "", "", 0, err + } + if parsedURL.Port() == "" { + return "", "", 0, errors.New("service url does not have a port") + } + remotePort, err := strconv.Atoi(parsedURL.Port()) + if err != nil { + return "", "", 0, err + } + matches := localClusterServiceRegex.FindStringSubmatch(parsedURL.Hostname()) + if len(matches) != 3 { + return "", "", 0, fmt.Errorf("invalid service url %s", serviceURL) + } + return matches[2], matches[1], remotePort, nil +} diff --git a/src/internal/dns/dns_test.go b/src/internal/dns/dns_test.go new file mode 100644 index 0000000000..69d0ade538 --- /dev/null +++ b/src/internal/dns/dns_test.go 
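Review bot: `ParseServiceURL` returns `matches[2], matches[1], remotePort`, i.e. namespace first and service name second, while its doc comment shows the format as `{SERVICE_NAME}.{NAMESPACE}` and the two results are unnamed strings. A caller that swaps them compiles cleanly and would target a different namespace, so the order should be stated: add `// It returns the namespace, the service name and the port, in that order.` to the doc comment. The function also accepts any scheme and any integer port that `url.Parse` lets through; if only http/https and 1-65535 are meant, a short check after `strconv.Atoi` would make `IsServiceURL` a tighter gate for the cluster-tunnel decision in the mirror command.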
@@ -0,0 +1,63 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package dns + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestServiceURL(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + serviceURL string + expectedErr string + expectedNamespace string + expectedName string + expectedPort int + }{ + { + name: "correct service url", + serviceURL: "http://foo.bar.svc.cluster.local:5000", + expectedNamespace: "bar", + expectedName: "foo", + expectedPort: 5000, + }, + { + name: "invalid service url without port", + serviceURL: "http://google.com", + expectedErr: "service url does not have a port", + }, + { + name: "invalid service url with port", + serviceURL: "http://google.com:3000", + expectedErr: "invalid service url http://google.com:3000", + }, + { + name: "empty service url", + serviceURL: "", + expectedErr: "service url cannot be empty", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + isServiceURL := IsServiceURL(tt.serviceURL) + namespace, name, port, err := ParseServiceURL(tt.serviceURL) + if tt.expectedErr != "" { + require.False(t, isServiceURL) + require.EqualError(t, err, tt.expectedErr) + return + } + require.True(t, isServiceURL) + require.Equal(t, tt.expectedNamespace, namespace) + require.Equal(t, tt.expectedName, name) + require.Equal(t, tt.expectedPort, port) + }) + } +} diff --git a/src/internal/packager/helm/chart.go b/src/internal/packager/helm/chart.go index daf59902e5..656b5560b5 100644 --- a/src/internal/packager/helm/chart.go +++ b/src/internal/packager/helm/chart.go 
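Review bot: The table in `TestServiceURL` has no case for an address written without a scheme, which is how the mirror example in this same commit used to be written (`127.0.0.1:31999`). Since `IsServiceURL` now decides whether the mirror command opens a cluster connection, I would add a constructed case such as `serviceURL: "foo.bar.svc.cluster.local:5000"` and pin whichever error `ParseServiceURL` returns for it, so the behaviour for that common input is deliberate rather than incidental.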
@@ -143,7 +143,7 @@ func (h *Helm) TemplateChart(ctx context.Context) (manifest string, chartValues client.IncludeCRDs = true // TODO: Further research this with regular/OCI charts client.Verify = false - client.InsecureSkipTLSverify = config.CommonOptions.Insecure + client.InsecureSkipTLSverify = config.CommonOptions.InsecureSkipTLSVerify if h.kubeVersion != "" { parsedKubeVersion, err := chartutil.ParseKubeVersion(h.kubeVersion) if err != nil { diff --git a/src/internal/packager/helm/repo.go b/src/internal/packager/helm/repo.go index 378b12c9cf..249f19f0f2 100644 --- a/src/internal/packager/helm/repo.go +++ b/src/internal/packager/helm/repo.go @@ -192,7 +192,7 @@ func (h *Helm) DownloadPublishedChart(ctx context.Context, cosignKeyPath string) Verify: downloader.VerifyNever, Getters: getter.All(pull.Settings), Options: []getter.Option{ - getter.WithInsecureSkipVerifyTLS(config.CommonOptions.Insecure), + getter.WithInsecureSkipVerifyTLS(config.CommonOptions.InsecureSkipTLSVerify), getter.WithBasicAuth(username, password), }, } diff --git a/src/internal/packager/images/common.go b/src/internal/packager/images/common.go index 3e2ad406ff..285c541edb 100644 --- a/src/internal/packager/images/common.go +++ b/src/internal/packager/images/common.go @@ -50,9 +50,9 @@ type PushConfig struct { func NoopOpt(*crane.Options) {} // WithGlobalInsecureFlag returns an option for crane that configures insecure -// based upon Zarf's global --insecure flag. +// based upon Zarf's global --insecure-skip-tls-verify (and --insecure) flags. func WithGlobalInsecureFlag() []crane.Option { - if config.CommonOptions.Insecure { + if config.CommonOptions.InsecureSkipTLSVerify { return []crane.Option{crane.Insecure} } // passing a nil option will cause panic 
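Review bot: In `WithGlobalInsecureFlag` (src/internal/packager/images/common.go) the renamed field still maps to `crane.Insecure`, which as far as I know does more than skip certificate verification: it also allows image references to be reached over plain HTTP. A flag named --insecure-skip-tls-verify would then permit unencrypted registry traffic, so the doc comment should say so, e.g. `// Note: crane.Insecure also permits plain-HTTP registries, not only unverified TLS.`, or the TLS-only case should rely on the transport's `InsecureSkipVerify` alone. The updated comment also names --insecure although the body reads only `InsecureSkipTLSVerify`; how --insecure feeds that field is not visible in this hunk. The same mapping appears in pushImagesToRegistry in mirror.go, where it is combined with push credentials.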
@@ -103,7 +103,7 @@ func createPushOpts(cfg PushConfig, pb *message.ProgressBar) []crane.Option { opts = append(opts, WithPushAuth(cfg.RegInfo)) transport := http.DefaultTransport.(*http.Transport).Clone() - transport.TLSClientConfig.InsecureSkipVerify = config.CommonOptions.Insecure + transport.TLSClientConfig.InsecureSkipVerify = config.CommonOptions.InsecureSkipTLSVerify // TODO (@WSTARR) This is set to match the TLSHandshakeTimeout to potentially mitigate effects of https://github.com/zarf-dev/zarf/issues/1444 transport.ResponseHeaderTimeout = 10 * time.Second diff --git a/src/internal/packager2/load.go b/src/internal/packager2/load.go new file mode 100644 index 0000000000..b20eea6195 --- /dev/null +++ b/src/internal/packager2/load.go 
@@ -0,0 +1,225 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package packager2 + +import ( + "archive/tar" + "context" + "encoding/json" + "errors" + "fmt" + "io" + "net/url" + "os" + "path/filepath" + "slices" + "strings" + + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/mholt/archiver/v3" + + "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/pkg/layout" + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/pkg/packager/sources" + "github.com/zarf-dev/zarf/src/pkg/utils" + "github.com/zarf-dev/zarf/src/types" +) + +// LoadOptions are the options for LoadPackage. +type LoadOptions struct { + Source string + Shasum string + PublicKeyPath string + SkipSignatureValidation bool + Filter filters.ComponentFilterStrategy +} + +// LoadPackage optionally fetches and loads the package from the given source. +func LoadPackage(ctx context.Context, opt LoadOptions) (*layout.PackagePaths, error) { + srcType, err := identifySource(opt.Source) + if err != nil { + return nil, err + } + + tmpDir, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return nil, err + } + defer os.Remove(tmpDir) + tarPath := filepath.Join(tmpDir, "data.tar.zst") + + isPartial := false + switch srcType { + case "oci": + isPartial, err = pullOCI(ctx, opt.Source, tarPath, opt.Shasum, opt.Filter) + if err != nil { + return nil, err + } + case "http", "https": + err = pullHTTP(ctx, opt.Source, tarPath, opt.Shasum) + if err != nil { + return nil, err + } + case "split": + err = assembleSplitTar(opt.Source, tarPath) + if err != nil { + return nil, err + } + case "tarball": + tarPath = opt.Source + default: + return nil, fmt.Errorf("unknown source type: %s", opt.Source) + } + if srcType != "oci" && opt.Shasum != "" { + err := helpers.SHAsMatch(tarPath, opt.Shasum) + if err != nil { + return nil, err + } + } + + // Extract the package + packageDir, err := 
utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return nil, err + } + pathsExtracted := []string{} + err = archiver.Walk(tarPath, func(f archiver.File) error { + if f.IsDir() { + return nil + } + header, ok := f.Header.(*tar.Header) + if !ok { + return fmt.Errorf("expected header to be *tar.Header but was %T", f.Header) + } + // If path has nested directories we want to create them. + dir := filepath.Dir(header.Name) + if dir != "." { + err := os.MkdirAll(filepath.Join(packageDir, dir), helpers.ReadExecuteAllWriteUser) + if err != nil { + return err + } + } + dst, err := os.Create(filepath.Join(packageDir, header.Name)) + if err != nil { + return err + } + defer dst.Close() + _, err = io.Copy(dst, f) + if err != nil { + return err + } + pathsExtracted = append(pathsExtracted, header.Name) + return nil + }) + if err != nil { + return nil, err + } + + // Load the package paths + pkgPaths := layout.New(packageDir) + pkgPaths.SetFromPaths(pathsExtracted) + pkg, _, err := pkgPaths.ReadZarfYAML() + if err != nil { + return nil, err + } + // TODO: Filter is not persistently applied. 
+ pkg.Components, err = opt.Filter.Apply(pkg) + if err != nil { + return nil, err + } + if err := pkgPaths.MigrateLegacy(); err != nil { + return nil, err + } + if !pkgPaths.IsLegacyLayout() { + if err := sources.ValidatePackageIntegrity(pkgPaths, pkg.Metadata.AggregateChecksum, isPartial); err != nil { + return nil, err + } + if opt.SkipSignatureValidation { + if err := sources.ValidatePackageSignature(ctx, pkgPaths, opt.PublicKeyPath); err != nil { + return nil, err + } + } + } + for _, component := range pkg.Components { + if err := pkgPaths.Components.Unarchive(component); err != nil { + if errors.Is(err, layout.ErrNotLoaded) { + _, err := pkgPaths.Components.Create(component) + if err != nil { + return nil, err + } + } else { + return nil, err + } + } + } + if pkgPaths.SBOMs.Path != "" { + if err := pkgPaths.SBOMs.Unarchive(); err != nil { + return nil, err + } + } + return pkgPaths, nil +} + +func identifySource(src string) (string, error) { + parsed, err := url.Parse(src) + if err == nil && parsed.Scheme != "" && parsed.Host != "" { + return parsed.Scheme, nil + } + if strings.HasSuffix(src, ".tar.zst") || strings.HasSuffix(src, ".tar") { + return "tarball", nil + } + if strings.Contains(src, ".part000") { + return "split", nil + } + return "", fmt.Errorf("unknown source %s", src) +} + +func assembleSplitTar(src, tarPath string) error { + pattern := strings.Replace(src, ".part000", ".part*", 1) + splitFiles, err := filepath.Glob(pattern) + if err != nil { + return fmt.Errorf("unable to find split tarball files: %w", err) + } + // Ensure the files are in order so they are appended in the correct order + slices.Sort(splitFiles) + + tarFile, err := os.Create(tarPath) + if err != nil { + return err + } + defer tarFile.Close() + for i, splitFile := range splitFiles { + if i == 0 { + b, err := os.ReadFile(splitFile) + if err != nil { + return err + } + var pkgData types.ZarfSplitPackageData + err = json.Unmarshal(b, &pkgData) + if err != nil { + return err + } + 
expectedCount := len(splitFiles) - 1 + if expectedCount != pkgData.Count { + return fmt.Errorf("split file count to not match, expected %d but have %d", pkgData.Count, expectedCount) + } + continue + } + f, err := os.Open(splitFile) + if err != nil { + return err + } + defer f.Close() + _, err = io.Copy(tarFile, f) + if err != nil { + return err + } + err = f.Close() + if err != nil { + return err + } + } + return nil +} diff --git a/src/internal/packager2/load_test.go b/src/internal/packager2/load_test.go new file mode 100644 index 0000000000..b9b6cf37c2 --- /dev/null +++ b/src/internal/packager2/load_test.go 
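Review bot: The signature check in LoadPackage is inverted: `if opt.SkipSignatureValidation {` calls `sources.ValidatePackageSignature` only when the caller asked to skip it, so with the default `false` no signature is verified; it should read `if !opt.SkipSignatureValidation {`. The extraction callback also joins `header.Name` from the archive onto `packageDir` for `os.MkdirAll` and `os.Create` without checking that the result stays inside that directory. The shasum comparison is skipped when `opt.Shasum` is empty and the integrity check runs only after the files are written, so neither can be relied on to stop such an entry. Reject it before any write, e.g. `if !filepath.IsLocal(header.Name) { return fmt.Errorf("archive entry %q is outside the package directory", header.Name) }`. No case in the load_test.go hunk exercises either path.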
@@ -0,0 +1,136 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package packager2 + +import ( + "fmt" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/test/testutil" +) + +func TestLoadPackage(t *testing.T) { + t.Parallel() + + ctx := testutil.TestContext(t) + + tests := []struct { + name string + source string + shasum string + }{ + { + name: "tarball", + source: "./testdata/zarf-package-test-amd64-0.0.1.tar.zst", + shasum: "307294e3a066cebea6f04772c2ba31210b2753b40b0d5da86a1983c29c5545dd", + }, + { + name: "split", + source: "./testdata/zarf-package-test-amd64-0.0.1.tar.zst.part000", + shasum: "6c0de217e3eeff224679ec0a26751655759a30f4aae7fbe793ca1617ddfc4228", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + for _, shasum := range []string{tt.shasum, ""} { + opt := LoadOptions{ + Source: tt.source, + Shasum: shasum, + PublicKeyPath: "", + SkipSignatureValidation: false, + Filter: filters.Empty(), + } + pkgPaths, err := LoadPackage(ctx, opt) + require.NoError(t, err) + + pkg, _, err := pkgPaths.ReadZarfYAML() + require.NoError(t, err) + require.Equal(t, "test", pkg.Metadata.Name) + require.Equal(t, "0.0.1", pkg.Metadata.Version) + require.Len(t, pkg.Components, 1) + } + + opt := LoadOptions{ + Source: tt.source, + Shasum: "foo", + PublicKeyPath: "", + SkipSignatureValidation: false, + Filter: filters.Empty(), + } + _, err := LoadPackage(ctx, opt) + require.ErrorContains(t, err, fmt.Sprintf("to be %s, found %s", opt.Shasum, tt.shasum)) + }) + } +} + +func TestIdentifySource(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + src string + expectedSrcType string + }{ + { + name: "oci", + src: "oci://ghcr.io/defenseunicorns/packages/init:1.0.0", + expectedSrcType: "oci", + }, + { + name: "sget with sub path", + src: 
"sget://github.com/defenseunicorns/zarf-hello-world:x86", + expectedSrcType: "sget", + }, + { + name: "sget without host", + src: "sget://defenseunicorns/zarf-hello-world:x86_64", + expectedSrcType: "sget", + }, + { + name: "https", + src: "https://github.com/zarf-dev/zarf/releases/download/v1.0.0/zarf-init-amd64-v1.0.0.tar.zst", + expectedSrcType: "https", + }, + { + name: "http", + src: "http://github.com/zarf-dev/zarf/releases/download/v1.0.0/zarf-init-amd64-v1.0.0.tar.zst", + expectedSrcType: "http", + }, + { + name: "local tar init zst", + src: "zarf-init-amd64-v1.0.0.tar.zst", + expectedSrcType: "tarball", + }, + { + name: "local tar", + src: "zarf-package-manifests-amd64-v1.0.0.tar", + expectedSrcType: "tarball", + }, + { + name: "local tar manifest zst", + src: "zarf-package-manifests-amd64-v1.0.0.tar.zst", + expectedSrcType: "tarball", + }, + { + name: "local tar split", + src: "testdata/.part000", + expectedSrcType: "split", + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + srcType, err := identifySource(tt.src) + require.NoError(t, err) + require.Equal(t, tt.expectedSrcType, srcType) + }) + } +} diff --git a/src/internal/packager2/mirror.go b/src/internal/packager2/mirror.go new file mode 100644 index 0000000000..7649b62757 --- /dev/null +++ b/src/internal/packager2/mirror.go 
@@ -0,0 +1,246 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package packager2 + +import ( + "context" + "errors" + "fmt" + "net/http" + "time" + + "github.com/avast/retry-go/v4" + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/google/go-containerregistry/pkg/authn" + "github.com/google/go-containerregistry/pkg/crane" + "github.com/google/go-containerregistry/pkg/logs" + v1 "github.com/google/go-containerregistry/pkg/v1" + + "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/internal/dns" + "github.com/zarf-dev/zarf/src/internal/git" + "github.com/zarf-dev/zarf/src/internal/gitea" + "github.com/zarf-dev/zarf/src/pkg/cluster" + "github.com/zarf-dev/zarf/src/pkg/layout" + "github.com/zarf-dev/zarf/src/pkg/message" + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/pkg/transform" + "github.com/zarf-dev/zarf/src/pkg/utils" + "github.com/zarf-dev/zarf/src/types" +) + +// MirrorOptions are the options for Mirror. +type MirrorOptions struct { + Cluster *cluster.Cluster + PackagePaths layout.PackagePaths + Filter filters.ComponentFilterStrategy + RegistryInfo types.RegistryInfo + GitInfo types.GitServerInfo + NoImageChecksum bool + Retries int +} + +// Mirror mirrors the package contents to the given registry and git server. 
+func Mirror(ctx context.Context, opt MirrorOptions) error { + err := pushImagesToRegistry(ctx, opt.Cluster, opt.PackagePaths, opt.Filter, opt.RegistryInfo, opt.NoImageChecksum, opt.Retries) + if err != nil { + return err + } + err = pushReposToRepository(ctx, opt.Cluster, opt.PackagePaths, opt.Filter, opt.GitInfo, opt.Retries) + if err != nil { + return err + } + return nil +} + +func pushImagesToRegistry(ctx context.Context, c *cluster.Cluster, pkgPaths layout.PackagePaths, filter filters.ComponentFilterStrategy, regInfo types.RegistryInfo, noImgChecksum bool, retries int) error { + logs.Warn.SetOutput(&message.DebugWriter{}) + logs.Progress.SetOutput(&message.DebugWriter{}) + + pkg, _, err := pkgPaths.ReadZarfYAML() + if err != nil { + return err + } + components, err := filter.Apply(pkg) + if err != nil { + return err + } + pkg.Components = components + + images := map[transform.Image]v1.Image{} + for _, component := range pkg.Components { + for _, img := range component.Images { + ref, err := transform.ParseImageRef(img) + if err != nil { + return fmt.Errorf("failed to create ref for image %s: %w", img, err) + } + if _, ok := images[ref]; ok { + continue + } + ociImage, err := utils.LoadOCIImage(pkgPaths.Images.Base, ref) + if err != nil { + return err + } + images[ref] = ociImage + } + } + if len(images) == 0 { + return nil + } + + transport := http.DefaultTransport.(*http.Transport).Clone() + transport.TLSClientConfig.InsecureSkipVerify = config.CommonOptions.InsecureSkipTLSVerify + // TODO (@WSTARR) This is set to match the TLSHandshakeTimeout to potentially mitigate effects of https://github.com/zarf-dev/zarf/issues/1444 + transport.ResponseHeaderTimeout = 10 * time.Second + transportWithProgressBar := helpers.NewTransport(transport, nil) + + pushOptions := []crane.Option{ + crane.WithPlatform(&v1.Platform{OS: "linux", Architecture: pkg.Build.Architecture}), + crane.WithTransport(transportWithProgressBar), + 
crane.WithAuth(authn.FromConfig(authn.AuthConfig{ + Username: regInfo.PushUsername, + Password: regInfo.PushPassword, + })), + crane.WithUserAgent("zarf"), + crane.WithNoClobber(true), + crane.WithJobs(1), + } + if config.CommonOptions.InsecureSkipTLSVerify { + pushOptions = append(pushOptions, crane.Insecure) + } + + for refInfo, img := range images { + err = retry.Do(func() error { + pushImage := func(registryUrl string) error { + names := []string{} + if !noImgChecksum { + offlineNameCRC, err := transform.ImageTransformHost(registryUrl, refInfo.Reference) + if err != nil { + return retry.Unrecoverable(err) + } + names = append(names, offlineNameCRC) + } + offlineName, err := transform.ImageTransformHostWithoutChecksum(registryUrl, refInfo.Reference) + if err != nil { + return retry.Unrecoverable(err) + } + names = append(names, offlineName) + for _, name := range names { + message.Infof("Pushing image %s", name) + err = crane.Push(img, name, pushOptions...) + if err != nil { + return err + } + } + return nil + } + + if !dns.IsServiceURL(regInfo.Address) { + return pushImage(regInfo.Address) + } + + if c == nil { + return retry.Unrecoverable(errors.New("cannot push to internal OCI registry when cluster is nil")) + } + namespace, name, port, err := dns.ParseServiceURL(regInfo.Address) + if err != nil { + return err + } + tunnel, err := c.NewTunnel(namespace, cluster.SvcResource, name, "", 0, port) + if err != nil { + return err + } + _, err = tunnel.Connect(ctx) + if err != nil { + return err + } + defer tunnel.Close() + err = tunnel.Wrap(func() error { + return pushImage(tunnel.Endpoint()) + }) + if err != nil { + return err + } + return nil + }, retry.Context(ctx), retry.Attempts(uint(retries)), retry.Delay(500*time.Millisecond)) + if err != nil { + return err + } + } + return nil +} + +func pushReposToRepository(ctx context.Context, c *cluster.Cluster, pkgPaths layout.PackagePaths, filter filters.ComponentFilterStrategy, gitInfo types.GitServerInfo, retries 
int) error { + pkg, _, err := pkgPaths.ReadZarfYAML() + if err != nil { + return err + } + components, err := filter.Apply(pkg) + if err != nil { + return err + } + pkg.Components = components + + for _, component := range pkg.Components { + for _, repoURL := range component.Repos { + repository, err := git.Open(pkgPaths.Components.Dirs[component.Name].Repos, repoURL) + if err != nil { + return err + } + err = retry.Do(func() error { + if !dns.IsServiceURL(gitInfo.Address) { + message.Infof("Pushing repository %s to server %s", repoURL, gitInfo.Address) + err = repository.Push(ctx, gitInfo.Address, gitInfo.PushUsername, gitInfo.PushPassword) + if err != nil { + return err + } + return nil + } + + if c == nil { + return retry.Unrecoverable(errors.New("cannot push to internal Git server when cluster is nil")) + } + namespace, name, port, err := dns.ParseServiceURL(gitInfo.Address) + if err != nil { + return retry.Unrecoverable(err) + } + tunnel, err := c.NewTunnel(namespace, cluster.SvcResource, name, "", 0, port) + if err != nil { + return err + } + _, err = tunnel.Connect(ctx) + if err != nil { + return err + } + defer tunnel.Close() + giteaClient, err := gitea.NewClient(tunnel.HTTPEndpoint(), gitInfo.PushUsername, gitInfo.PushPassword) + if err != nil { + return err + } + return tunnel.Wrap(func() error { + message.Infof("Pushing repository %s to server %s", repoURL, tunnel.HTTPEndpoint()) + err = repository.Push(ctx, tunnel.HTTPEndpoint(), gitInfo.PushUsername, gitInfo.PushPassword) + if err != nil { + return err + } + // Add the read-only user to this repo + // TODO: This should not be done here. Or the function name should be changed. 
+ repoName, err := transform.GitURLtoRepoName(repoURL) + if err != nil { + return retry.Unrecoverable(err) + } + err = giteaClient.AddReadOnlyUserToRepository(ctx, repoName, gitInfo.PullUsername) + if err != nil { + return fmt.Errorf("unable to add the read only user to the repo %s: %w", repoName, err) + } + return nil + }) + }, retry.Context(ctx), retry.Attempts(uint(retries)), retry.Delay(500*time.Millisecond)) + if err != nil { + return fmt.Errorf("unable to push repo %s to the Git Server: %w", repoURL, err) + } + } + } + return nil +} diff --git a/src/internal/packager2/packager2.go b/src/internal/packager2/packager2.go new file mode 100644 index 0000000000..b0e8dc79a0 --- /dev/null +++ b/src/internal/packager2/packager2.go @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +// Package packager2 is the new implementation for packager. +package packager2 diff --git a/src/internal/packager2/pull.go b/src/internal/packager2/pull.go new file mode 100644 index 0000000000..538facc5b9 --- /dev/null +++ b/src/internal/packager2/pull.go 
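Review bot: `retry.Attempts(uint(retries))` in pushImagesToRegistry and pushReposToRepository takes `MirrorOptions.Retries` unchecked. Its zero value becomes `Attempts(0)`, which retry-go v4 treats, if I recall its documentation correctly, as retrying until the function succeeds, and a negative value wraps to a very large count. Either way a registry or Git server that keeps failing is retried with the push credentials until the context ends. Validate the option once in `Mirror`, e.g. `if opt.Retries < 1 { return errors.New("retries must be at least 1") }`.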
@@ -0,0 +1,239 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package packager2 + +import ( + "context" + "errors" + "fmt" + "io" + "net/http" + "net/url" + "os" + "path/filepath" + "strings" + + "github.com/defenseunicorns/pkg/helpers/v2" + "github.com/defenseunicorns/pkg/oci" + goyaml "github.com/goccy/go-yaml" + "github.com/mholt/archiver/v3" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + + "github.com/zarf-dev/zarf/src/api/v1alpha1" + "github.com/zarf-dev/zarf/src/config" + "github.com/zarf-dev/zarf/src/pkg/layout" + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/pkg/utils" + "github.com/zarf-dev/zarf/src/pkg/zoci" +) + +// Pull fetches the Zarf package from the given sources. +func Pull(ctx context.Context, src, dir, shasum string, filter filters.ComponentFilterStrategy) error { + u, err := url.Parse(src) + if err != nil { + return err + } + if u.Scheme == "" { + return errors.New("scheme cannot be empty") + } + if u.Host == "" { + return errors.New("host cannot be empty") + } + + tmpDir, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return err + } + defer os.Remove(tmpDir) + tmpPath := filepath.Join(tmpDir, "data.tar.zst") + + switch u.Scheme { + case "oci": + _, err := pullOCI(ctx, src, tmpPath, shasum, filter) + if err != nil { + return err + } + case "http", "https": + err := pullHTTP(ctx, src, tmpPath, shasum) + if err != nil { + return err + } + default: + return fmt.Errorf("unknown scheme %s", u.Scheme) + } + + name, err := nameFromMetadata(tmpPath) + if err != nil { + return err + } + tarPath := filepath.Join(dir, name) + err = os.Remove(tarPath) + if err != nil && !errors.Is(err, os.ErrNotExist) { + return err + } + dstFile, err := os.Create(tarPath) + if err != nil { + return err + } + defer dstFile.Close() + srcFile, err := os.Open(tmpPath) + if err != nil { + return err + } + defer srcFile.Close() + _, err 
= io.Copy(dstFile, srcFile) + if err != nil { + return err + } + return nil +} + +func pullOCI(ctx context.Context, src, tarPath, shasum string, filter filters.ComponentFilterStrategy) (bool, error) { + tmpDir, err := utils.MakeTempDir(config.CommonOptions.TempDirectory) + if err != nil { + return false, err + } + defer os.Remove(tmpDir) + if shasum != "" { + src = fmt.Sprintf("%s@sha256:%s", src, shasum) + } + arch := config.GetArch() + remote, err := zoci.NewRemote(src, oci.PlatformForArch(arch)) + if err != nil { + return false, err + } + desc, err := remote.ResolveRoot(ctx) + if err != nil { + return false, fmt.Errorf("could not fetch images index: %w", err) + } + layersToPull := []ocispec.Descriptor{} + isPartial := false + if supportsFiltering(desc.Platform) { + root, err := remote.FetchRoot(ctx) + if err != nil { + return false, err + } + if len(root.Layers) != len(layersToPull) { + isPartial = true + } + pkg, err := remote.FetchZarfYAML(ctx) + if err != nil { + return false, err + } + pkg.Components, err = filter.Apply(pkg) + if err != nil { + return false, err + } + layersToPull, err = remote.LayersFromRequestedComponents(ctx, pkg.Components) + if err != nil { + return false, err + } + } + _, err = remote.PullPackage(ctx, tmpDir, config.CommonOptions.OCIConcurrency, layersToPull...) 
+ if err != nil { + return false, err + } + allTheLayers, err := filepath.Glob(filepath.Join(tmpDir, "*")) + if err != nil { + return false, err + } + err = archiver.Archive(allTheLayers, tarPath) + if err != nil { + return false, err + } + return isPartial, nil +} + +func pullHTTP(ctx context.Context, src, tarPath, shasum string) error { + if shasum == "" { + return errors.New("shasum cannot be empty") + } + f, err := os.Create(tarPath) + if err != nil { + return err + } + defer f.Close() + req, err := http.NewRequestWithContext(ctx, http.MethodGet, src, nil) + if err != nil { + return err + } + resp, err := http.DefaultClient.Do(req) + if err != nil { + return err + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + _, err := io.Copy(io.Discard, resp.Body) + if err != nil { + return err + } + return fmt.Errorf("unexpected http response status code %s for source %s", resp.Status, src) + } + _, err = io.Copy(f, resp.Body) + if err != nil { + return err + } + received, err := helpers.GetSHA256OfFile(tarPath) + if err != nil { + return err + } + if received != shasum { + return fmt.Errorf("shasum mismatch for file %s, expected %s but got %s", tarPath, shasum, received) + } + return nil +} + +func nameFromMetadata(path string) (string, error) { + var pkg v1alpha1.ZarfPackage + err := archiver.Walk(path, func(f archiver.File) error { + if f.Name() == layout.ZarfYAML { + b, err := io.ReadAll(f) + if err != nil { + return err + } + if err := goyaml.Unmarshal(b, &pkg); err != nil { + return err + } + } + return nil + }) + if err != nil { + return "", err + } + if pkg.Metadata.Name == "" { + return "", fmt.Errorf("%s does not contain a zarf.yaml", path) + } + + arch := config.GetArch(pkg.Metadata.Architecture, pkg.Build.Architecture) + if pkg.Build.Architecture == zoci.SkeletonArch { + arch = zoci.SkeletonArch + } + + var name string + switch pkg.Kind { + case v1alpha1.ZarfInitConfig: + name = fmt.Sprintf("zarf-init-%s", arch) + case 
v1alpha1.ZarfPackageConfig: + name = fmt.Sprintf("zarf-package-%s-%s", pkg.Metadata.Name, arch) + default: + name = fmt.Sprintf("zarf-%s-%s", strings.ToLower(string(pkg.Kind)), arch) + } + if pkg.Build.Differential { + name = fmt.Sprintf("%s-%s-differential-%s", name, pkg.Build.DifferentialPackageVersion, pkg.Metadata.Version) + } else if pkg.Metadata.Version != "" { + name = fmt.Sprintf("%s-%s", name, pkg.Metadata.Version) + } + return fmt.Sprintf("%s.tar.zst", name), nil +} + +func supportsFiltering(platform *ocispec.Platform) bool { + if platform == nil { + return false + } + skeletonPlatform := zoci.PlatformForSkeleton() + if platform.Architecture == skeletonPlatform.Architecture && platform.OS == skeletonPlatform.OS { + return false + } + return true +} diff --git a/src/internal/packager2/pull_test.go b/src/internal/packager2/pull_test.go new file mode 100644 index 0000000000..72c85ac4d5 --- /dev/null +++ b/src/internal/packager2/pull_test.go 
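Review bot: In pullOCI, `len(root.Layers) != len(layersToPull)` is evaluated while `layersToPull` is still the empty slice declared just above, so `isPartial` is true for every filterable package that has layers. LoadPackage passes that flag to `sources.ValidatePackageIntegrity`, so a complete pull is presumably validated under the relaxed partial rules; move the comparison after `LayersFromRequestedComponents`, as `isPartial = len(root.Layers) != len(layersToPull)`. In Pull, the file name built by nameFromMetadata comes from the archive's own zarf.yaml and is joined onto `dir` and passed to `os.Remove` and `os.Create` unchecked; `if name != filepath.Base(name) { return fmt.Errorf("invalid package name %q", name) }` keeps it inside `dir`. The `defer os.Remove(tmpDir)` calls in Pull and pullOCI cannot delete a non-empty directory, so downloaded layers stay in the temp location; `os.RemoveAll` is what is meant.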
@@ -0,0 +1,85 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +package packager2 + +import ( + "io" + "net/http" + "net/http/httptest" + "os" + "path/filepath" + "testing" + + "github.com/defenseunicorns/pkg/oci" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/stretchr/testify/require" + "github.com/zarf-dev/zarf/src/pkg/packager/filters" + "github.com/zarf-dev/zarf/src/pkg/zoci" + "github.com/zarf-dev/zarf/src/test/testutil" +) + +func TestPull(t *testing.T) { + t.Parallel() + + ctx := testutil.TestContext(t) + packagePath := "./testdata/zarf-package-test-amd64-0.0.1.tar.zst" + srv := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) { + file, err := os.Open(packagePath) + if err != nil { + rw.WriteHeader(http.StatusInternalServerError) + return + } + //nolint:errcheck // ignore + io.Copy(rw, file) + })) + t.Cleanup(func() { + srv.Close() + }) + + dir := t.TempDir() + shasum := "307294e3a066cebea6f04772c2ba31210b2753b40b0d5da86a1983c29c5545dd" + err := Pull(ctx, srv.URL, dir, shasum, filters.Empty()) + require.NoError(t, err) + + packageData, err := os.ReadFile(packagePath) + require.NoError(t, err) + pulledPath := filepath.Join(dir, "zarf-package-test-amd64-0.0.1.tar.zst") + pulledData, err := os.ReadFile(pulledPath) + require.NoError(t, err) + require.Equal(t, packageData, pulledData) +} + +func TestSupportsFiltering(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + platform *ocispec.Platform + expected bool + }{ + { + name: "nil platform", + platform: nil, + expected: false, + }, + { + name: "skeleton platform", + platform: &ocispec.Platform{OS: oci.MultiOS, Architecture: zoci.SkeletonArch}, + expected: false, + }, + { + name: "linux platform", + platform: &ocispec.Platform{OS: "linux", Architecture: "amd64"}, + expected: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + result 
:= supportsFiltering(tt.platform) + require.Equal(t, tt.expected, result) + }) + } +} diff --git a/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst new file mode 100644 index 0000000000..19b43aa279 Binary files /dev/null and b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst differ diff --git a/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part000 b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part000 new file mode 100644 index 0000000000..2bb849cd7e --- /dev/null +++ b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part000 @@ -0,0 +1 @@ +{"sha256Sum":"6c0de217e3eeff224679ec0a26751655759a30f4aae7fbe793ca1617ddfc4228","bytes":3683508,"count":4} \ No newline at end of file diff --git a/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part001 b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part001 new file mode 100644 index 0000000000..5ed2b42c1b Binary files /dev/null and b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part001 differ diff --git a/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part002 b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part002 new file mode 100644 index 0000000000..55b6a5bb67 Binary files /dev/null and b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part002 differ diff --git a/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part003 b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part003 new file mode 100644 index 0000000000..2dac39314d Binary files /dev/null and b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part003 differ 
diff --git a/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part004 b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part004 new file mode 100644 index 0000000000..d04f2ef445 Binary files /dev/null and b/src/internal/packager2/testdata/zarf-package-test-amd64-0.0.1.tar.zst.part004 differ diff --git a/src/internal/packager2/testdata/zarf.yaml b/src/internal/packager2/testdata/zarf.yaml new file mode 100644 index 0000000000..c388a95be4 --- /dev/null +++ b/src/internal/packager2/testdata/zarf.yaml @@ -0,0 +1,9 @@ +kind: ZarfPackageConfig +metadata: + name: test + version: 0.0.1 +components: + - name: test + required: true + images: + - docker.io/library/alpine:3.20 diff --git a/src/pkg/cluster/pvc.go b/src/pkg/cluster/pvc.go index 21a0a45ecf..6bef179623 100644 --- a/src/pkg/cluster/pvc.go +++ b/src/pkg/cluster/pvc.go @@ -10,6 +10,8 @@ import ( ) // UpdateGiteaPVC updates the existing Gitea persistent volume claim and tells Gitea whether to create or not. +// TODO(mkcp): We return both string true/false and errors here so our callers get a string. This should be returning an +// empty val if we error, but we'll have to refactor upstream beforehand. func (c *Cluster) UpdateGiteaPVC(ctx context.Context, pvcName string, shouldRollBack bool) (string, error) { if shouldRollBack { pvc, err := c.Clientset.CoreV1().PersistentVolumeClaims(ZarfNamespaceName).Get(ctx, pvcName, metav1.GetOptions{}) diff --git a/src/pkg/cluster/state.go b/src/pkg/cluster/state.go index 3c31ccf128..f2279b0221 100644 --- a/src/pkg/cluster/state.go +++ b/src/pkg/cluster/state.go 
@@ -193,12 +193,14 @@ func (c *Cluster) InitZarfState(ctx context.Context, initOptions types.ZarfInitO } // LoadZarfState returns the current zarf/zarf-state secret data or an empty ZarfState. -func (c *Cluster) LoadZarfState(ctx context.Context) (state *types.ZarfState, err error) { +func (c *Cluster) LoadZarfState(ctx context.Context) (*types.ZarfState, error) { stateErr := errors.New("failed to load the Zarf State from the cluster, has Zarf been initiated?") secret, err := c.Clientset.CoreV1().Secrets(ZarfNamespaceName).Get(ctx, ZarfStateSecretName, metav1.GetOptions{}) if err != nil { return nil, fmt.Errorf("%w: %w", stateErr, err) } + + state := &types.ZarfState{} err = json.Unmarshal(secret.Data[ZarfStateDataKey], &state) if err != nil { return nil, fmt.Errorf("%w: %w", stateErr, err) diff --git a/src/pkg/cluster/tunnel.go b/src/pkg/cluster/tunnel.go index 764ae9a6eb..9798fd3272 100644 --- a/src/pkg/cluster/tunnel.go +++ b/src/pkg/cluster/tunnel.go @@ -83,7 +83,6 @@ func (c *Cluster) ListConnections(ctx context.Context) (types.ConnectStrings, er // NewTargetTunnelInfo returns a new TunnelInfo object for the specified target. func (c *Cluster) NewTargetTunnelInfo(ctx context.Context, target string) (TunnelInfo, error) { - var err error zt := TunnelInfo{ Namespace: ZarfNamespaceName, ResourceType: SvcResource, @@ -102,9 +101,11 @@ func (c *Cluster) NewTargetTunnelInfo(ctx context.Context, target string) (Tunne zt.RemotePort = ZarfInjectorPort default: if target != "" { - if zt, err = c.checkForZarfConnectLabel(ctx, target); err != nil { + ztNew, err := c.checkForZarfConnectLabel(ctx, target) + if err != nil { return TunnelInfo{}, fmt.Errorf("problem looking for a zarf connect label in the cluster: %s", err.Error()) } + zt = ztNew } if zt.ResourceName == "" { return TunnelInfo{}, fmt.Errorf("missing resource name") 
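Review bot: In LoadZarfState, `state` is now already a `*types.ZarfState`, yet it is still passed as `&state`, a pointer to the pointer. An object decodes the same way, but a secret whose payload is the JSON literal `null` would reset `state` to nil without an error. Passing the pointer itself, `err = json.Unmarshal(secret.Data[ZarfStateDataKey], state)`, avoids that. The doc comment still promises "or an empty ZarfState" while both visible error paths return `nil`; the rest of the function lies outside the hunk, so the final return cannot be checked from here.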
@@ -113,7 +114,7 @@ func (c *Cluster) NewTargetTunnelInfo(ctx context.Context, target string) (Tunne return TunnelInfo{}, fmt.Errorf("missing remote port") } } - return zt, err + return zt, nil } // Connect will establish a tunnel to the specified target. diff --git a/src/pkg/cluster/zarf.go b/src/pkg/cluster/zarf.go index 3557544e14..b38b55d783 100644 --- a/src/pkg/cluster/zarf.go +++ b/src/pkg/cluster/zarf.go @@ -52,7 +52,11 @@ func (c *Cluster) GetDeployedZarfPackages(ctx context.Context) ([]types.Deployed deployedPackages = append(deployedPackages, deployedPackage) } - return deployedPackages, errors.Join(errs...) + err = errors.Join(errs...) + if err != nil { + return nil, err + } + return deployedPackages, nil } // GetDeployedPackage gets the metadata information about the package name provided (if it exists in the cluster). @@ -174,7 +178,7 @@ func (c *Cluster) RecordPackageDeploymentAndWait(ctx context.Context, pkg v1alph } // RecordPackageDeployment saves metadata about a package that has been deployed to the cluster. -func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg v1alpha1.ZarfPackage, components []types.DeployedComponent, generation int) (deployedPackage *types.DeployedPackage, err error) { +func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg v1alpha1.ZarfPackage, components []types.DeployedComponent, generation int) (*types.DeployedPackage, error) { packageName := pkg.Metadata.Name // Attempt to load information about webhooks for the package @@ -187,7 +191,7 @@ func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg v1alpha1.Zarf componentWebhooks = existingPackageSecret.ComponentWebhooks } - // TODO: This is done for backwards compartibility and could be removed in the future. + // TODO: This is done for backwards compatibility and could be removed in the future. connectStrings := types.ConnectStrings{} for _, comp := range components { for _, chart := range comp.InstalledCharts { 
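Review bot: GetDeployedZarfPackages in zarf.go now returns `nil` whenever `errors.Join(errs...)` is non-nil, so a single package secret that fails to decode appears to hide every other deployed package from the caller, where the old code returned the partial list together with the error. The doc comment should say so, for example `// GetDeployedZarfPackages returns no packages if any package secret cannot be read.`, and callers that listed packages on a best-effort basis are worth re-checking. The loop that fills `errs` starts outside the hunk, so how entries get there is inferred.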
@@ -197,7 +201,7 @@ func (c *Cluster) RecordPackageDeployment(ctx context.Context, pkg v1alpha1.Zarf } } - deployedPackage = &types.DeployedPackage{ + deployedPackage := &types.DeployedPackage{ Name: packageName, CLIVersion: config.CLIVersion, Data: pkg, @@ -285,12 +289,13 @@ func (c *Cluster) DisableRegHPAScaleDown(ctx context.Context) error { } // GetInstalledChartsForComponent returns any installed Helm Charts for the provided package component. -func (c *Cluster) GetInstalledChartsForComponent(ctx context.Context, packageName string, component v1alpha1.ZarfComponent) (installedCharts []types.InstalledChart, err error) { +func (c *Cluster) GetInstalledChartsForComponent(ctx context.Context, packageName string, component v1alpha1.ZarfComponent) ([]types.InstalledChart, error) { deployedPackage, err := c.GetDeployedPackage(ctx, packageName) if err != nil { - return installedCharts, err + return nil, err } + installedCharts := make([]types.InstalledChart, 0) for _, deployedComponent := range deployedPackage.DeployedComponents { if deployedComponent.Name == component.Name { installedCharts = append(installedCharts, deployedComponent.InstalledCharts...) @@ -324,7 +329,10 @@ func (c *Cluster) UpdateInternalArtifactServerToken(ctx context.Context, oldGitS } return nil }) - return newToken, err + if err != nil { + return "", err + } + return newToken, nil } // UpdateInternalGitServerSecret updates the internal gitea server secrets with the new git server info diff --git a/src/pkg/interactive/components.go b/src/pkg/interactive/components.go index 719228cb5c..b742aeed4c 100644 --- a/src/pkg/interactive/components.go +++ b/src/pkg/interactive/components.go @@ -15,7 +15,7 @@ import ( ) // SelectOptionalComponent prompts to confirm optional components -func SelectOptionalComponent(component v1alpha1.ZarfComponent) (confirm bool, err error) { +func SelectOptionalComponent(component v1alpha1.ZarfComponent) (bool, error) { message.HorizontalRule() displayComponent := component 
@@ -30,7 +30,12 @@ func SelectOptionalComponent(component v1alpha1.ZarfComponent) (confirm bool, er Default: component.Default, } - return confirm, survey.AskOne(prompt, &confirm) + var confirm bool + err := survey.AskOne(prompt, &confirm) + if err != nil { + return false, err + } + return confirm, nil } // SelectChoiceGroup prompts to select component groups diff --git a/src/pkg/interactive/prompt.go b/src/pkg/interactive/prompt.go index 5af5f9c451..b6b6e69c94 100644 --- a/src/pkg/interactive/prompt.go +++ b/src/pkg/interactive/prompt.go @@ -19,11 +19,15 @@ func PromptSigPassword() ([]byte, error) { prompt := &survey.Password{ Message: "Private key password (empty for no password): ", } - return []byte(password), survey.AskOne(prompt, &password) + err := survey.AskOne(prompt, &password) + if err != nil { + return []byte{}, err + } + return []byte(password), nil } // PromptVariable prompts the user for a value for a variable -func PromptVariable(variable v1alpha1.InteractiveVariable) (value string, err error) { +func PromptVariable(variable v1alpha1.InteractiveVariable) (string, error) { if variable.Description != "" { message.Question(variable.Description) } @@ -33,5 +37,10 @@ func PromptVariable(variable v1alpha1.InteractiveVariable) (value string, err er Default: variable.Default, } - return value, survey.AskOne(prompt, &value) + var value string + err := survey.AskOne(prompt, &value) + if err != nil { + return "", err + } + return value, nil } diff --git a/src/pkg/layout/component.go b/src/pkg/layout/component.go index fee2d90082..c3ce6ae930 100644 --- a/src/pkg/layout/component.go +++ b/src/pkg/layout/component.go 
@@ -39,7 +39,7 @@ type Components struct { var ErrNotLoaded = fmt.Errorf("not loaded") // Archive archives a component. -func (c *Components) Archive(component v1alpha1.ZarfComponent, cleanupTemp bool) (err error) { +func (c *Components) Archive(component v1alpha1.ZarfComponent, cleanupTemp bool) error { name := component.Name if _, ok := c.Dirs[name]; !ok { return &fs.PathError{ @@ -75,7 +75,7 @@ func (c *Components) Archive(component v1alpha1.ZarfComponent, cleanupTemp bool) } // Unarchive unarchives a component. -func (c *Components) Unarchive(component v1alpha1.ZarfComponent) (err error) { +func (c *Components) Unarchive(component v1alpha1.ZarfComponent) error { name := component.Name tb, ok := c.Tarballs[name] if !ok { @@ -138,7 +138,7 @@ func (c *Components) Unarchive(component v1alpha1.ZarfComponent) (err error) { } // Create creates a new component directory structure. -func (c *Components) Create(component v1alpha1.ZarfComponent) (cp *ComponentPaths, err error) { +func (c *Components) Create(component v1alpha1.ZarfComponent) (*ComponentPaths, error) { name := component.Name _, ok := c.Tarballs[name] 
@@ -150,41 +150,41 @@ func (c *Components) Create(component v1alpha1.ZarfComponent) (cp *ComponentPath } } - if err = helpers.CreateDirectory(c.Base, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(c.Base, helpers.ReadWriteExecuteUser); err != nil { return nil, err } base := filepath.Join(c.Base, name) - if err = helpers.CreateDirectory(base, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(base, helpers.ReadWriteExecuteUser); err != nil { return nil, err } - cp = &ComponentPaths{ + cp := &ComponentPaths{ Base: base, } cp.Temp = filepath.Join(base, TempDir) - if err = helpers.CreateDirectory(cp.Temp, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Temp, helpers.ReadWriteExecuteUser); err != nil { return nil, err } if len(component.Files) > 0 { cp.Files = filepath.Join(base, FilesDir) - if err = helpers.CreateDirectory(cp.Files, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Files, helpers.ReadWriteExecuteUser); err != nil { return nil, err } } if len(component.Charts) > 0 { cp.Charts = filepath.Join(base, ChartsDir) - if err = helpers.CreateDirectory(cp.Charts, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Charts, helpers.ReadWriteExecuteUser); err != nil { return nil, err } for _, chart := range component.Charts { cp.Values = filepath.Join(base, ValuesDir) if len(chart.ValuesFiles) > 0 { - if err = helpers.CreateDirectory(cp.Values, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Values, helpers.ReadWriteExecuteUser); err != nil { return nil, err } break 
@@ -194,21 +194,21 @@ func (c *Components) Create(component v1alpha1.ZarfComponent) (cp *ComponentPath if len(component.Repos) > 0 { cp.Repos = filepath.Join(base, ReposDir) - if err = helpers.CreateDirectory(cp.Repos, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Repos, helpers.ReadWriteExecuteUser); err != nil { return nil, err } } if len(component.Manifests) > 0 { cp.Manifests = filepath.Join(base, ManifestsDir) - if err = helpers.CreateDirectory(cp.Manifests, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.Manifests, helpers.ReadWriteExecuteUser); err != nil { return nil, err } } if len(component.DataInjections) > 0 { cp.DataInjections = filepath.Join(base, DataInjectionsDir) - if err = helpers.CreateDirectory(cp.DataInjections, helpers.ReadWriteExecuteUser); err != nil { + if err := helpers.CreateDirectory(cp.DataInjections, helpers.ReadWriteExecuteUser); err != nil { return nil, err } } diff --git a/src/pkg/layout/package.go b/src/pkg/layout/package.go index a38ec599a1..532f46653d 100644 --- a/src/pkg/layout/package.go +++ b/src/pkg/layout/package.go @@ -52,11 +52,14 @@ func New(baseDir string) *PackagePaths { // ReadZarfYAML reads a zarf.yaml file into memory, // checks if it's using the legacy layout, and migrates deprecated component configs. -func (pp *PackagePaths) ReadZarfYAML() (pkg v1alpha1.ZarfPackage, warnings []string, err error) { +func (pp *PackagePaths) ReadZarfYAML() (v1alpha1.ZarfPackage, []string, error) { + var pkg v1alpha1.ZarfPackage + if err := utils.ReadYaml(pp.ZarfYAML, &pkg); err != nil { return v1alpha1.ZarfPackage{}, nil, fmt.Errorf("unable to read zarf.yaml: %w", err) } + warnings := make([]string, 0) if pp.IsLegacyLayout() { warnings = append(warnings, "Detected deprecated package layout, migrating to new layout - support for this package will be dropped in v1.0.0") } 
@@ -74,7 +77,7 @@ func (pp *PackagePaths) ReadZarfYAML() (pkg v1alpha1.ZarfPackage, warnings []str } // MigrateLegacy migrates a legacy package layout to the new layout. -func (pp *PackagePaths) MigrateLegacy() (err error) { +func (pp *PackagePaths) MigrateLegacy() error { var pkg v1alpha1.ZarfPackage base := pp.Base diff --git a/src/pkg/layout/sbom.go b/src/pkg/layout/sbom.go index 7ac39c02a7..fcfb300be6 100644 --- a/src/pkg/layout/sbom.go +++ b/src/pkg/layout/sbom.go @@ -26,7 +26,7 @@ type SBOMs struct { } // Unarchive unarchives the package's SBOMs. -func (s *SBOMs) Unarchive() (err error) { +func (s *SBOMs) Unarchive() error { if s.Path == "" || helpers.InvalidPath(s.Path) { return &fs.PathError{ Op: "stat", @@ -47,7 +47,7 @@ func (s *SBOMs) Unarchive() (err error) { } // Archive archives the package's SBOMs. -func (s *SBOMs) Archive() (err error) { +func (s *SBOMs) Archive() error { if s.Path == "" || helpers.InvalidPath(s.Path) { return &fs.PathError{ Op: "stat", 
@@ -68,18 +68,23 @@ func (s *SBOMs) Archive() (err error) { return os.RemoveAll(dir) } -// StageSBOMViewFiles copies SBOM viewer HTML files to the Zarf SBOM directory. -func (s *SBOMs) StageSBOMViewFiles() (sbomViewFiles, warnings []string, err error) { +// StageSBOMViewFiles copies SBOM viewer HTML files to the Zarf SBOM directory. Returns sbomViewFiles, warnings, and an +// error. +func (s *SBOMs) StageSBOMViewFiles() ([]string, []string, error) { + sbomViewFiles := make([]string, 0) + warnings := make([]string, 0) + if s.IsTarball() { return nil, nil, fmt.Errorf("unable to process the SBOM files for this package: %s is a tarball", s.Path) } // If SBOMs were loaded, temporarily place them in the deploy directory if !helpers.InvalidPath(s.Path) { - sbomViewFiles, err = filepath.Glob(filepath.Join(s.Path, "sbom-viewer-*")) + files, err := filepath.Glob(filepath.Join(s.Path, "sbom-viewer-*")) if err != nil { return nil, nil, err } + sbomViewFiles = files if _, err := s.OutputSBOMFiles(SBOMDir, ""); err != nil { // Don't stop the deployment, let the user decide if they want to continue the deployment @@ -107,6 +112,6 @@ func (s *SBOMs) OutputSBOMFiles(outputDir, packageName string) (string, error) { } // IsTarball returns true if the SBOMs are a tarball. -func (s SBOMs) IsTarball() bool { +func (s *SBOMs) IsTarball() bool { return !helpers.IsDir(s.Path) && filepath.Ext(s.Path) == ".tar" } diff --git a/src/pkg/lint/lint.go b/src/pkg/lint/lint.go index 344f3b9db0..dfffccc2f4 100644 --- a/src/pkg/lint/lint.go +++ b/src/pkg/lint/lint.go @@ -9,13 +9,14 @@ import ( "fmt" "os" + goyaml "github.com/goccy/go-yaml" + "github.com/zarf-dev/zarf/src/api/v1alpha1" "github.com/zarf-dev/zarf/src/config" "github.com/zarf-dev/zarf/src/config/lang" "github.com/zarf-dev/zarf/src/pkg/layout" "github.com/zarf-dev/zarf/src/pkg/packager/composer" "github.com/zarf-dev/zarf/src/pkg/utils" - "github.com/zarf-dev/zarf/src/types" ) // LintError represents an error containing lint findings. 
@@ -42,22 +43,28 @@ func (e *LintError) OnlyWarnings() bool { } // Validate lints the given Zarf package -func Validate(ctx context.Context, createOpts types.ZarfCreateOptions) error { - var findings []PackageFinding - if err := os.Chdir(createOpts.BaseDir); err != nil { - return fmt.Errorf("unable to access directory %q: %w", createOpts.BaseDir, err) +func Validate(ctx context.Context, baseDir, flavor string, setVariables map[string]string) error { + err := os.Chdir(baseDir) + if err != nil { + return fmt.Errorf("unable to access directory %q: %w", baseDir, err) + } + b, err := os.ReadFile(layout.ZarfYAML) + if err != nil { + return err } var pkg v1alpha1.ZarfPackage - if err := utils.ReadYaml(layout.ZarfYAML, &pkg); err != nil { + err = goyaml.Unmarshal(b, &pkg) + if err != nil { return err } - compFindings, err := lintComponents(ctx, pkg, createOpts) + findings := []PackageFinding{} + compFindings, err := lintComponents(ctx, pkg, flavor, setVariables) if err != nil { return err } findings = append(findings, compFindings...) - schemaFindings, err := ValidatePackageSchema(createOpts.SetVariables) + schemaFindings, err := ValidatePackageSchema(setVariables) if err != nil { return err } 
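Review bot: Validate in lint.go decodes zarf.yaml with `goyaml.Unmarshal`, while ValidatePackageSchema, called a few lines later, reads the same file again through `utils.ReadYaml`; if those two paths use different YAML decoders, the component lint and the schema lint can disagree about what the file contains. A comment at the read, such as `// zarf.yaml is parsed again by ValidatePackageSchema; keep both decoders in agreement`, would record that dependency. The `os.ReadFile` error is also returned bare; `return fmt.Errorf("unable to read %s: %w", layout.ZarfYAML, err)` would match the wrapped Chdir error just above it. The tail of the function is in the next hunk.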
@@ -66,31 +73,27 @@ func Validate(ctx context.Context, createOpts types.ZarfCreateOptions) error { return nil } return &LintError{ - BaseDir: createOpts.BaseDir, + BaseDir: baseDir, PackageName: pkg.Metadata.Name, Findings: findings, } } -func lintComponents(ctx context.Context, pkg v1alpha1.ZarfPackage, createOpts types.ZarfCreateOptions) ([]PackageFinding, error) { - var findings []PackageFinding - +func lintComponents(ctx context.Context, pkg v1alpha1.ZarfPackage, flavor string, setVariables map[string]string) ([]PackageFinding, error) { + findings := []PackageFinding{} for i, component := range pkg.Components { arch := config.GetArch(pkg.Metadata.Architecture) - if !composer.CompatibleComponent(component, arch, createOpts.Flavor) { + if !composer.CompatibleComponent(component, arch, flavor) { continue } - - chain, err := composer.NewImportChain(ctx, component, i, pkg.Metadata.Name, arch, createOpts.Flavor) - + chain, err := composer.NewImportChain(ctx, component, i, pkg.Metadata.Name, arch, flavor) if err != nil { return nil, err } - node := chain.Head() for node != nil { component := node.ZarfComponent - compFindings, err := templateZarfObj(&component, createOpts.SetVariables) + compFindings, err := templateZarfObj(&component, setVariables) if err != nil { return nil, err } diff --git a/src/pkg/lint/lint_test.go b/src/pkg/lint/lint_test.go index 84ea5e4cd2..e2e5493734 100644 --- a/src/pkg/lint/lint_test.go +++ b/src/pkg/lint/lint_test.go @@ -12,7 +12,6 @@ import ( "github.com/stretchr/testify/require" "github.com/zarf-dev/zarf/src/api/v1alpha1" "github.com/zarf-dev/zarf/src/config/lang" - "github.com/zarf-dev/zarf/src/types" ) func TestLintError(t *testing.T) { 
@@ -54,8 +53,7 @@ func TestLintComponents(t *testing.T) { Metadata: v1alpha1.ZarfMetadata{Name: "test-zarf-package"}, } - createOpts := types.ZarfCreateOptions{Flavor: "", BaseDir: "."} - _, err := lintComponents(context.Background(), zarfPackage, createOpts) + _, err := lintComponents(context.Background(), zarfPackage, "", nil) require.Error(t, err) }) } diff --git a/src/pkg/lint/schema.go b/src/pkg/lint/schema.go index adf41e935b..b6cb5f6e3e 100644 --- a/src/pkg/lint/schema.go +++ b/src/pkg/lint/schema.go @@ -23,17 +23,14 @@ func ValidatePackageSchema(setVariables map[string]string) ([]PackageFinding, er if err := utils.ReadYaml(layout.ZarfYAML, &untypedZarfPackage); err != nil { return nil, err } - jsonSchema, err := ZarfSchema.ReadFile("zarf.schema.json") if err != nil { return nil, err } - _, err = templateZarfObj(&untypedZarfPackage, setVariables) if err != nil { return nil, err } - return getSchemaFindings(jsonSchema, untypedZarfPackage) } diff --git a/src/pkg/lint/validate.go b/src/pkg/lint/validate.go index 2de0ba8e91..0083c8a6b7 100644 --- a/src/pkg/lint/validate.go +++ b/src/pkg/lint/validate.go @@ -234,7 +234,7 @@ func validateAction(action v1alpha1.ZarfComponentAction) error { // validateReleaseName validates a release name against DNS 1035 spec, using chartName as fallback. // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#rfc-1035-label-names -func validateReleaseName(chartName, releaseName string) (err error) { +func validateReleaseName(chartName, releaseName string) error { // Fallback to chartName if releaseName is empty // NOTE: Similar fallback mechanism happens in src/internal/packager/helm/chart.go:InstallOrUpgradeChart if releaseName == "" { 
@@ -243,16 +243,15 @@ func validateReleaseName(chartName, releaseName string) (err error) { // Check if the final releaseName is empty and return an error if so if releaseName == "" { - err = errors.New(errChartReleaseNameEmpty) - return + return errors.New(errChartReleaseNameEmpty) } // Validate the releaseName against DNS 1035 label spec if errs := validation.IsDNS1035Label(releaseName); len(errs) > 0 { - err = fmt.Errorf("invalid release name '%s': %s", releaseName, strings.Join(errs, "; ")) + return fmt.Errorf("invalid release name '%s': %s", releaseName, strings.Join(errs, "; ")) } - return + return nil } // validateChart runs all validation checks on a chart. diff --git a/src/pkg/message/pausable.go b/src/pkg/message/pausable.go index b9e8fae1c7..3a61f3cb59 100644 --- a/src/pkg/message/pausable.go +++ b/src/pkg/message/pausable.go @@ -29,6 +29,6 @@ func (pw *PausableWriter) Resume() { } // Write writes the data to the underlying output writer -func (pw *PausableWriter) Write(p []byte) (n int, err error) { +func (pw *PausableWriter) Write(p []byte) (int, error) { return pw.out.Write(p) } diff --git a/src/pkg/packager/creator/normal.go b/src/pkg/packager/creator/normal.go index 847a22003e..8766bfb8d3 100644 --- a/src/pkg/packager/creator/normal.go +++ b/src/pkg/packager/creator/normal.go 
@@ -281,14 +281,17 @@ func (pc *PackageCreator) Output(ctx context.Context, dst *layout.PackagePaths, return fmt.Errorf("unable to publish package: %w", err) } message.HorizontalRule() - flags := "" - if config.CommonOptions.Insecure { - flags = "--insecure" + flags := []string{} + if config.CommonOptions.PlainHTTP { + flags = append(flags, "--plain-http") + } + if config.CommonOptions.InsecureSkipTLSVerify { + flags = append(flags, "--insecure-skip-tls-verify") } message.Title("To inspect/deploy/pull:", "") - message.ZarfCommand("package inspect %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), flags) - message.ZarfCommand("package deploy %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), flags) - message.ZarfCommand("package pull %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), flags) + message.ZarfCommand("package inspect %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), strings.Join(flags, " ")) + message.ZarfCommand("package deploy %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), strings.Join(flags, " ")) + message.ZarfCommand("package pull %s %s", helpers.OCIURLPrefix+remote.Repo().Reference.String(), strings.Join(flags, " ")) } else { // Use the output path if the user specified it. packageName := fmt.Sprintf("%s%s", sources.NameFromMetadata(pkg, pc.createOpts.IsSkeleton), sources.PkgSuffix(pkg.Metadata.Uncompressed)) diff --git a/src/pkg/packager/sources/new_test.go b/src/pkg/packager/sources/new_test.go index 9ae3147168..17d1481192 100644 --- a/src/pkg/packager/sources/new_test.go +++ b/src/pkg/packager/sources/new_test.go 
@@ -155,7 +155,7 @@ func TestPackageSource(t *testing.T) { { name: "http-insecure", src: fmt.Sprintf("%s/zarf-package-wordpress-amd64-16.0.4.tar.zst", ts.URL), - expectedErr: "remote package provided without a shasum, use --insecure to ignore, or provide one w/ --shasum", + expectedErr: "remote package provided without a shasum, please provide one with --shasum", }, } for _, tt := range tests { diff --git a/src/pkg/packager/sources/oci.go b/src/pkg/packager/sources/oci.go index 8bf6d6d1a6..b86d3797d3 100644 --- a/src/pkg/packager/sources/oci.go +++ b/src/pkg/packager/sources/oci.go @@ -79,8 +79,10 @@ func (s *OCISource) LoadPackage(ctx context.Context, dst *layout.PackagePaths, f spinner.Success() - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - return pkg, nil, err + if !s.SkipSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + return pkg, nil, err + } } } @@ -141,11 +143,13 @@ func (s *OCISource) LoadPackageMetadata(ctx context.Context, dst *layout.Package spinner.Success() } - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { - message.Warn("The package was signed but no public key was provided, skipping signature validation") - } else { - return pkg, nil, err + if !s.SkipSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { + message.Warn("The package was signed but no public key was provided, skipping signature validation") + } else { + return pkg, nil, err + } } } } diff --git a/src/pkg/packager/sources/tarball.go b/src/pkg/packager/sources/tarball.go index db1b2ed01a..5b556f78e1 100644 --- a/src/pkg/packager/sources/tarball.go +++ b/src/pkg/packager/sources/tarball.go 
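Review bot: In OCISource.LoadPackage, when `s.SkipSignatureValidation` is true the signature check is bypassed without any message, so nothing in the visible lines records that an unverified package was loaded. Adding `else { message.Warn("package signature validation skipped") }` to the new guard would leave a trace for whoever reviews the run. The same applies to OCISource.LoadPackageMetadata in the next hunk and to both TarballSource hunks in tarball.go. Each of these functions starts and ends outside its hunk.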
@@ -107,8 +107,10 @@ func (s *TarballSource) LoadPackage(ctx context.Context, dst *layout.PackagePath spinner.Success() - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - return pkg, nil, err + if !s.SkipSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + return pkg, nil, err + } } } @@ -185,11 +187,13 @@ func (s *TarballSource) LoadPackageMetadata(ctx context.Context, dst *layout.Pac spinner.Success() } - if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { - if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { - message.Warn("The package was signed but no public key was provided, skipping signature validation") - } else { - return pkg, nil, err + if !s.SkipSignatureValidation { + if err := ValidatePackageSignature(ctx, dst, s.PublicKeyPath); err != nil { + if errors.Is(err, ErrPkgSigButNoKey) && skipValidation { + message.Warn("The package was signed but no public key was provided, skipping signature validation") + } else { + return pkg, nil, err + } } } } diff --git a/src/pkg/packager/sources/url.go b/src/pkg/packager/sources/url.go index dd4aa05ff5..3e51aa611e 100644 --- a/src/pkg/packager/sources/url.go +++ b/src/pkg/packager/sources/url.go @@ -32,8 +32,8 @@ type URLSource struct { // Collect downloads a package from the source URL. func (s *URLSource) Collect(ctx context.Context, dir string) (string, error) { - if !config.CommonOptions.Insecure && s.Shasum == "" && !strings.HasPrefix(s.PackageSource, helpers.SGETURLPrefix) { - return "", fmt.Errorf("remote package provided without a shasum, use --insecure to ignore, or provide one w/ --shasum") + if s.Shasum == "" && !strings.HasPrefix(s.PackageSource, helpers.SGETURLPrefix) { + return "", fmt.Errorf("remote package provided without a shasum, please provide one with --shasum") } var packageURL string if s.Shasum != "" { 
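Review bot: In URLSource.Collect, sources carrying `helpers.SGETURLPrefix` are still exempt from the shasum requirement, and with the `--insecure` bypass removed this is the only remaining way to fetch a remote package without a checksum. A comment above the condition stating what verifies those sources instead would help, for example `// sget sources are verified by cosign signature rather than by shasum; confirm a key is always required on that path`. The body of Collect continues past the hunk, so whether a key is enforced there is not visible.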
diff --git a/src/pkg/packager/sources/validate.go b/src/pkg/packager/sources/validate.go index 1c7914ea69..baf958a699 100644 --- a/src/pkg/packager/sources/validate.go +++ b/src/pkg/packager/sources/validate.go @@ -15,7 +15,6 @@ import ( "strings" "github.com/defenseunicorns/pkg/helpers/v2" - "github.com/zarf-dev/zarf/src/config" "github.com/zarf-dev/zarf/src/pkg/layout" "github.com/zarf-dev/zarf/src/pkg/message" "github.com/zarf-dev/zarf/src/pkg/utils" @@ -25,16 +24,11 @@ var ( // ErrPkgKeyButNoSig is returned when a key was provided but the package is not signed ErrPkgKeyButNoSig = errors.New("a key was provided but the package is not signed - the package may be corrupted or the --key flag was erroneously specified") // ErrPkgSigButNoKey is returned when a package is signed but no key was provided - ErrPkgSigButNoKey = errors.New("package is signed but no key was provided - add a key with the --key flag or use the --insecure flag and run the command again") + ErrPkgSigButNoKey = errors.New("package is signed but no key was provided - add a key with the --key flag or use the --skip-signature-validation flag and run the command again") ) // ValidatePackageSignature validates the signature of a package func ValidatePackageSignature(ctx context.Context, paths *layout.PackagePaths, publicKeyPath string) error { - // If the insecure flag was provided ignore the signature validation - if config.CommonOptions.Insecure { - return nil - } - if publicKeyPath != "" { message.Debugf("Using public key %q for signature validation", publicKeyPath) } diff --git a/src/pkg/transform/artifact.go b/src/pkg/transform/artifact.go index 0aed7a46ea..2c78dac233 100644 --- a/src/pkg/transform/artifact.go +++ b/src/pkg/transform/artifact.go 
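Review bot: ValidatePackageSignature in validate.go no longer has an internal bypass, so the decision to skip validation now lives entirely in its callers, and the one-line doc comment does not say that. Something like `// ValidatePackageSignature always validates; callers decide whether to skip it (see SkipSignatureValidation).` would make the contract explicit for any caller outside this diff. The function body continues past the hunk.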
@@ -87,16 +87,16 @@ func GenTransformURL(targetBaseURL string, sourceURL string) (*url.URL, error) { // Rebuild the generic URL transformedURL := fmt.Sprintf("%s/generic/%s/%s/%s", targetBaseURL, packageNameGlobal, version, fileName) - url, err := url.Parse(transformedURL) + parsedURL, err := url.Parse(transformedURL) if err != nil { - return url, err + return &url.URL{}, err } // Drop the RawQuery and Fragment to avoid them being interpreted for generic packages - url.RawQuery = "" - url.Fragment = "" + parsedURL.RawQuery = "" + parsedURL.Fragment = "" - return url, err + return parsedURL, nil } // transformRegistryPath transforms a given request path using a new base URL and regex. diff --git a/src/pkg/transform/image.go b/src/pkg/transform/image.go index ca6fcdc820..c12bb1d232 100644 --- a/src/pkg/transform/image.go +++ b/src/pkg/transform/image.go 
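Review bot: GenTransformURL returns `&url.URL{}` on a parse failure, whereas the other pointer-returning functions touched by this commit (LoadZarfState, Components.Create) return `nil` with the error. `return nil, err` would be consistent with them and avoids handing back a non-nil empty URL that a caller could use by mistake. The function starts outside the hunk.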
@@ -62,32 +62,36 @@ func ImageTransformHostWithoutChecksum(targetHost, srcReference string) (string, } // ParseImageRef parses a source reference into an Image struct -func ParseImageRef(srcReference string) (out Image, err error) { +func ParseImageRef(srcReference string) (Image, error) { srcReference = strings.TrimPrefix(srcReference, helpers.OCIURLPrefix) ref, err := reference.ParseAnyReference(srcReference) if err != nil { - return out, err + return Image{}, err } // Parse the reference into its components - if named, ok := ref.(reference.Named); ok { - out.Name = named.Name() - out.Path = reference.Path(named) - out.Host = reference.Domain(named) - out.Reference = ref.String() - } else { - return out, fmt.Errorf("unable to parse image name from %s", srcReference) + named, ok := ref.(reference.Named) + if !ok { + return Image{}, fmt.Errorf("unable to parse image name from %s", srcReference) } + out := Image{ + Name: named.Name(), + Path: reference.Path(named), + Host: reference.Domain(named), + Reference: ref.String(), + } + + // TODO(mkcp): This rewriting tag and digest code could probably be consolidated with types // Parse the tag and add it to digestOrReference - if tagged, ok := ref.(reference.Tagged); ok { + if tagged, tagOK := ref.(reference.Tagged); tagOK { out.Tag = tagged.Tag() out.TagOrDigest = fmt.Sprintf(":%s", tagged.Tag()) } // Parse the digest and override digestOrReference - if digested, ok := ref.(reference.Digested); ok { + if digested, digOK := ref.(reference.Digested); digOK { out.Digest = digested.Digest().String() out.TagOrDigest = fmt.Sprintf("@%s", digested.Digest().String()) } diff --git a/src/pkg/utils/bytes.go b/src/pkg/utils/bytes.go index 7dd159b91f..22b3322614 100644 --- a/src/pkg/utils/bytes.go +++ b/src/pkg/utils/bytes.go 
@@ -16,45 +16,69 @@ import ( "github.com/zarf-dev/zarf/src/pkg/message" ) +type unit struct { + name string + size float64 +} + +var ( + gigabyte = unit{ + name: "GB", + size: 1000000000, + } + megabyte = unit{ + name: "MB", + size: 1000000, + } + kilobyte = unit{ + name: "KB", + size: 1000, + } + unitByte = unit{ + name: "Byte", + } +) + // RoundUp rounds a float64 to the given number of decimal places. -func RoundUp(input float64, places int) (newVal float64) { - var round float64 +func RoundUp(input float64, places int) float64 { pow := math.Pow(10, float64(places)) digit := pow * input - round = math.Ceil(digit) - newVal = round / pow - return + round := math.Ceil(digit) + return round / pow } -// ByteFormat formats a number of bytes into a human readable string. -func ByteFormat(inputNum float64, precision int) string { +// ByteFormat formats a number of bytes into a human-readable string. +func ByteFormat(in float64, precision int) string { if precision <= 0 { precision = 1 } - var unit string - var returnVal float64 + var v float64 + var u string // https://www.techtarget.com/searchstorage/definition/mebibyte-MiB - if inputNum >= 1000000000 { - returnVal = RoundUp(inputNum/1000000000, precision) - unit = " GB" // gigabyte - } else if inputNum >= 1000000 { - returnVal = RoundUp(inputNum/1000000, precision) - unit = " MB" // megabyte - } else if inputNum >= 1000 { - returnVal = RoundUp(inputNum/1000, precision) - unit = " KB" // kilobyte - } else { - returnVal = inputNum - unit = " Byte" // byte + switch { + case gigabyte.size <= in: + v = RoundUp(in/gigabyte.size, precision) + u = gigabyte.name + case megabyte.size <= in: + v = RoundUp(in/megabyte.size, precision) + u = megabyte.name + case kilobyte.size <= in: + v = RoundUp(in/kilobyte.size, precision) + u = kilobyte.name + default: + v = in + u = unitByte.name } - if returnVal > 1 { - unit += "s" + // NOTE(mkcp): Negative bytes are nonsense, but it's more robust for inputs without erroring. 
+ if v < -1 || 1 < v { + u += "s" } - return strconv.FormatFloat(returnVal, 'f', precision, 64) + unit + vFmt := strconv.FormatFloat(v, 'f', precision, 64) + return vFmt + " " + u } // RenderProgressBarForLocalDirWrite creates a progress bar that continuously tracks the progress of writing files to a local directory and all of its subdirectories. diff --git a/src/pkg/utils/bytes_test.go b/src/pkg/utils/bytes_test.go new file mode 100644 index 0000000000..492048f788 --- /dev/null +++ b/src/pkg/utils/bytes_test.go 
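Review bot: In ByteFormat, the `switch` compares the signed `in` against positive unit sizes, so a negative input never reaches the KB/MB/GB cases even though the NOTE says negative values are tolerated; an input of -5000 would come out as `-5000.0 Bytes`. Comparing on `math.Abs(in)` in the three `case` conditions would scale negatives the same way as positives. The added test table only exercises -1 and -2, so a negative case above 1000 in magnitude would pin whichever behaviour is intended.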
@@ -0,0 +1,78 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2021-Present The Zarf Authors + +// Package utils provides generic utility functions. +package utils + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestByteFormat(t *testing.T) { + t.Parallel() + tt := []struct { + name string + in float64 + precision int + expect string + }{ + { + name: "accepts empty", + expect: "0.0 Byte", + }, + { + name: "accepts empty bytes with precision", + precision: 1, + expect: "0.0 Byte", + }, + { + name: "accepts empty bytes with meaningful precision", + precision: 3, + expect: "0.000 Byte", + }, + { + name: "formats negative byte with empty precision", + in: -1, + expect: "-1.0 Byte", + }, + { + name: "formats negative bytes with empty precision", + in: -2, + expect: "-2.0 Bytes", + }, + { + name: "formats kilobyte", + in: 1000, + expect: "1.0 KB", + }, + { + name: "formats kilobytes", + in: 1100, + expect: "1.1 KBs", + }, + { + name: "formats megabytes", + in: 10000000, + expect: "10.0 MBs", + }, + { + name: "formats gigabytes", + in: 100000000000, + expect: "100.0 GBs", + }, + { + name: "formats arbitrary in", + in: 4238970784923, + precision: 99, + expect: "4238.970784922999882837757468223571777343750000000000000000000000000000000000000000000000000000000000000 GBs", + }, + } + for _, tc := range tt { + t.Run(tc.name, func(t *testing.T) { + actual := ByteFormat(tc.in, tc.precision) + require.Equal(t, tc.expect, actual) + }) + } +} diff --git a/src/pkg/utils/cosign.go b/src/pkg/utils/cosign.go index 21bfc282bd..f81183741a 100644 --- a/src/pkg/utils/cosign.go +++ b/src/pkg/utils/cosign.go 
@@ -33,6 +33,12 @@ import ( "github.com/zarf-dev/zarf/src/pkg/message" ) +const ( + cosignB64Enabled = true + cosignOutputCertificate = "" + cosignTLogUpload = false +) + // Sget performs a cosign signature verification on a given image using the specified public key. // // Forked from https://github.com/sigstore/cosign/blob/v1.7.1/pkg/sget/sget.go @@ -171,7 +177,7 @@ func Sget(ctx context.Context, image, key string, out io.Writer) error { } // CosignVerifyBlob verifies the zarf.yaml.sig was signed with the key provided by the flag -func CosignVerifyBlob(ctx context.Context, blobRef string, sigRef string, keyPath string) error { +func CosignVerifyBlob(ctx context.Context, blobRef, sigRef, keyPath string) error { keyOptions := options.KeyOpts{KeyRef: keyPath} cmd := &verify.VerifyBlobCmd{ KeyOpts: keyOptions, 
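Review bot: The new constants `cosignB64Enabled`, `cosignOutputCertificate` and `cosignTLogUpload` have no comments, and `cosignTLogUpload = false` is a security-relevant choice: blobs signed by `CosignSignBlob` are not recorded in a transparency log. This pairs with `IgnoreTlog: true` in `CosignVerifyBlob`, visible later in this file's diff, and nothing tells a reader the two must change together. A comment on the const block would cover it, for example `// cosignTLogUpload stays false so signing works without a transparency log; CosignVerifyBlob sets IgnoreTlog to match.` The stated reason is my assumption, so replace it with the project's actual rationale.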
@@ -181,74 +187,83 @@ func CosignVerifyBlob(ctx context.Context, blobRef string, sigRef string, keyPat IgnoreTlog: true, } err := cmd.Exec(ctx, blobRef) - if err == nil { - message.Successf("Package signature validated!") + if err != nil { + return err } - return err + message.Successf("Package signature validated!") + return nil } // CosignSignBlob signs the provide binary and returns the signature -func CosignSignBlob(blobPath string, outputSigPath string, keyPath string, passwordFunc func(bool) ([]byte, error)) ([]byte, error) { - rootOptions := &options.RootOptions{Verbose: false, Timeout: options.DefaultTimeout} +func CosignSignBlob(blobPath, outputSigPath, keyPath string, passFn cosign.PassFunc) ([]byte, error) { + rootOptions := &options.RootOptions{ + Verbose: false, + Timeout: options.DefaultTimeout, + } - keyOptions := options.KeyOpts{KeyRef: keyPath, - PassFunc: passwordFunc} - b64 := true - outputCertificate := "" - tlogUpload := false + keyOptions := options.KeyOpts{ + KeyRef: keyPath, + PassFunc: passFn, + } - sig, err := sign.SignBlobCmd(rootOptions, + sig, err := sign.SignBlobCmd( + rootOptions, keyOptions, blobPath, - b64, + cosignB64Enabled, outputSigPath, - outputCertificate, - tlogUpload) + cosignOutputCertificate, + cosignTLogUpload) + if err != nil { + return []byte{}, err + } - return sig, err + return sig, nil } // GetCosignArtifacts returns signatures and attestations for the given image -func GetCosignArtifacts(image string) (cosignList []string, err error) { - var cosignArtifactList []string +func GetCosignArtifacts(image string) ([]string, error) { var nameOpts []name.Option - ref, err := name.ParseReference(image, nameOpts...) + ref, err := name.ParseReference(image, nameOpts...) if err != nil { - return cosignArtifactList, err + return []string{}, err } var remoteOpts []ociremote.Option simg, _ := ociremote.SignedEntity(ref, remoteOpts...) 
if simg == nil { - return cosignArtifactList, nil + return []string{}, nil } + // Errors are dogsled because these functions always return a name.Tag which we can check for layers sigRef, _ := ociremote.SignatureTag(ref, remoteOpts...) attRef, _ := ociremote.AttestationTag(ref, remoteOpts...) - sigs, err := simg.Signatures() + ss, err := simg.Signatures() if err != nil { - return cosignArtifactList, err + return []string{}, err } - layers, err := sigs.Layers() + ssLayers, err := ss.Layers() if err != nil { - return cosignArtifactList, err + return []string{}, err } - if len(layers) > 0 { + + var cosignArtifactList = make([]string, 0) + if 0 < len(ssLayers) { cosignArtifactList = append(cosignArtifactList, sigRef.String()) } atts, err := simg.Attestations() if err != nil { - return cosignArtifactList, err + return []string{}, err } - layers, err = atts.Layers() + aLayers, err := atts.Layers() if err != nil { - return cosignArtifactList, err + return []string{}, err } - if len(layers) > 0 { + if 0 < len(aLayers) { cosignArtifactList = append(cosignArtifactList, attRef.String()) } return cosignArtifactList, nil diff --git a/src/pkg/utils/io.go b/src/pkg/utils/io.go index 7edee56422..f4ec9b07ab 100755 --- a/src/pkg/utils/io.go +++ b/src/pkg/utils/io.go @@ -40,7 +40,10 @@ func GetFinalExecutablePath() (string, error) { // In case the binary is symlinked somewhere else, get the final destination linkedPath, err := filepath.EvalSymlinks(binaryPath) - return linkedPath, err + if err != nil { + return "", err + } + return linkedPath, nil } // GetFinalExecutableCommand returns the final path to the Zarf executable including and library prefixes and overrides. @@ -48,7 +51,7 @@ func GetFinalExecutableCommand() (string, error) { // In case the binary is symlinked somewhere else, get the final destination zarfCommand, err := GetFinalExecutablePath() if err != nil { - return zarfCommand, err + return "", err } if config.ActionsCommandZarfPrefix != "" { 
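Review bot: In `GetCosignArtifacts` the error from `ociremote.SignedEntity(ref, remoteOpts...)` is still discarded, and the `simg == nil` branch rewritten by this hunk returns `[]string{}, nil`. As written, a lookup that fails and leaves `simg` nil is reported the same way as an image with no signatures or attestations. The new "dogsled" comment only explains the two tag lookups below it. If a failed lookup is meant to be non-fatal, say so in a comment on that line. Otherwise `simg, err := ociremote.SignedEntity(ref, remoteOpts...)` followed by `if err != nil { return nil, err }` would surface the failure to the caller.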
@@ -60,5 +63,5 @@ func GetFinalExecutableCommand() (string, error) { zarfCommand = "zarf" } - return zarfCommand, err + return zarfCommand, nil } diff --git a/src/pkg/utils/network.go b/src/pkg/utils/network.go index be0b80a2ed..ffe5490600 100644 --- a/src/pkg/utils/network.go +++ b/src/pkg/utils/network.go @@ -39,7 +39,7 @@ func parseChecksum(src string) (string, string, error) { } // DownloadToFile downloads a given URL to the target filepath (including the cosign key if necessary). -func DownloadToFile(ctx context.Context, src string, dst string, cosignKeyPath string) (err error) { +func DownloadToFile(ctx context.Context, src, dst, cosignKeyPath string) error { // check if the parsed URL has a checksum // if so, remove it and use the checksum to validate the file src, checksum, err := parseChecksum(src) @@ -69,9 +69,6 @@ func DownloadToFile(ctx context.Context, src string, dst string, cosignKeyPath s if err != nil { return fmt.Errorf("unable to download file with sget: %s: %w", src, err) } - if err != nil { - return err - } } else { err = httpGetFile(src, file) if err != nil { @@ -80,7 +77,7 @@ func DownloadToFile(ctx context.Context, src string, dst string, cosignKeyPath s } // If the file has a checksum, validate it - if len(checksum) > 0 { + if 0 < len(checksum) { received, err := helpers.GetSHA256OfFile(dst) if err != nil { return err diff --git a/src/pkg/utils/yaml.go b/src/pkg/utils/yaml.go index f3fdaa53b7..641c219977 100644 --- a/src/pkg/utils/yaml.go +++ b/src/pkg/utils/yaml.go 
@@ -192,12 +192,12 @@ func SplitYAML(yamlData []byte) ([]*unstructured.Unstructured, error) { var objs []*unstructured.Unstructured ymls, err := SplitYAMLToString(yamlData) if err != nil { - return nil, err + return []*unstructured.Unstructured{}, err } for _, yml := range ymls { u := &unstructured.Unstructured{} if err := k8syaml.Unmarshal([]byte(yml), u); err != nil { - return objs, fmt.Errorf("failed to unmarshal manifest: %w", err) + return []*unstructured.Unstructured{}, fmt.Errorf("failed to unmarshal manifest: %w", err) } objs = append(objs, u) } @@ -220,7 +220,7 @@ func SplitYAMLToString(yamlData []byte) ([]string, error) { if errors.Is(err, io.EOF) { break } - return objs, fmt.Errorf("failed to unmarshal manifest: %w", err) + return []string{}, fmt.Errorf("failed to unmarshal manifest: %w", err) } ext.Raw = bytes.TrimSpace(ext.Raw) if len(ext.Raw) == 0 || bytes.Equal(ext.Raw, []byte("null")) { diff --git a/src/pkg/variables/variables.go b/src/pkg/variables/variables.go index 929cb13182..353040eab4 100644 --- a/src/pkg/variables/variables.go +++ b/src/pkg/variables/variables.go @@ -15,8 +15,8 @@ import ( type SetVariableMap map[string]*v1alpha1.SetVariable // GetSetVariable gets a variable set within a VariableConfig by its name -func (vc *VariableConfig) GetSetVariable(name string) (variable *v1alpha1.SetVariable, ok bool) { - variable, ok = vc.setVariableMap[name] +func (vc *VariableConfig) GetSetVariable(name string) (*v1alpha1.SetVariable, bool) { + variable, ok := vc.setVariableMap[name] return variable, ok } diff --git a/src/pkg/variables/variables_test.go b/src/pkg/variables/variables_test.go index 07442e97f5..f0aeea78c5 100644 --- a/src/pkg/variables/variables_test.go +++ b/src/pkg/variables/variables_test.go 
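Review bot: The error paths in `SplitYAML` and `SplitYAMLToString` now return freshly allocated empty slices (`[]*unstructured.Unstructured{}`, `[]string{}`) where `nil` would say the same thing more plainly. The same pattern appears in `CosignSignBlob` and `GetCosignArtifacts` in `src/pkg/utils/cosign.go`, while `FetchImagesIndex` and `PullPackage` in this commit return `nil`. By Go convention the first result carries no meaning when the error is non-nil, so `return nil, err` and `return nil, fmt.Errorf("failed to unmarshal manifest: %w", err)` would be consistent across the commit. Both function bodies extend beyond the hunks shown.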
@@ -20,7 +20,7 @@ func TestPopulateVariables(t *testing.T) { wantVars SetVariableMap } - prompt := func(_ v1alpha1.InteractiveVariable) (value string, err error) { return "Prompt", nil } + prompt := func(_ v1alpha1.InteractiveVariable) (string, error) { return "Prompt", nil } tests := []test{ { diff --git a/src/pkg/zoci/common.go b/src/pkg/zoci/common.go index 41cf415d1b..29e9f34564 100644 --- a/src/pkg/zoci/common.go +++ b/src/pkg/zoci/common.go @@ -32,8 +32,8 @@ type Remote struct { func NewRemote(url string, platform ocispec.Platform, mods ...oci.Modifier) (*Remote, error) { logger := slog.New(message.ZarfHandler{}) modifiers := append([]oci.Modifier{ - oci.WithPlainHTTP(config.CommonOptions.Insecure), - oci.WithInsecureSkipVerify(config.CommonOptions.Insecure), + oci.WithPlainHTTP(config.CommonOptions.PlainHTTP), + oci.WithInsecureSkipVerify(config.CommonOptions.InsecureSkipTLSVerify), oci.WithLogger(logger), oci.WithUserAgent("zarf/" + config.CLIVersion), }, mods...) diff --git a/src/pkg/zoci/fetch.go b/src/pkg/zoci/fetch.go index 923e3d7c24..ca46d8e996 100644 --- a/src/pkg/zoci/fetch.go +++ b/src/pkg/zoci/fetch.go 
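Review bot: `NewRemote` no longer reads `config.CommonOptions.Insecure`, so a caller that sets only the legacy field now gets HTTPS with certificate verification. That is the safe direction, but the hunk does not show whether the old `--insecure` option is translated into `PlainHTTP` and `InsecureSkipTLSVerify` before this point. A comment above the two modifiers would settle it for readers, e.g. `// PlainHTTP and InsecureSkipTLSVerify are independent; the legacy Insecure option is not consulted here.` The function body continues past the hunk.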
@@ -14,19 +14,27 @@ import ( ) // FetchZarfYAML fetches the zarf.yaml file from the remote repository. -func (r *Remote) FetchZarfYAML(ctx context.Context) (pkg v1alpha1.ZarfPackage, err error) { +func (r *Remote) FetchZarfYAML(ctx context.Context) (v1alpha1.ZarfPackage, error) { manifest, err := r.FetchRoot(ctx) if err != nil { - return pkg, err + return v1alpha1.ZarfPackage{}, err } - return oci.FetchYAMLFile[v1alpha1.ZarfPackage](ctx, r.FetchLayer, manifest, layout.ZarfYAML) + result, err := oci.FetchYAMLFile[v1alpha1.ZarfPackage](ctx, r.FetchLayer, manifest, layout.ZarfYAML) + if err != nil { + return v1alpha1.ZarfPackage{}, err + } + return result, nil } // FetchImagesIndex fetches the images/index.json file from the remote repository. -func (r *Remote) FetchImagesIndex(ctx context.Context) (index *ocispec.Index, err error) { +func (r *Remote) FetchImagesIndex(ctx context.Context) (*ocispec.Index, error) { manifest, err := r.FetchRoot(ctx) if err != nil { return nil, err } - return oci.FetchJSONFile[*ocispec.Index](ctx, r.FetchLayer, manifest, layout.IndexPath) + result, err := oci.FetchJSONFile[*ocispec.Index](ctx, r.FetchLayer, manifest, layout.IndexPath) + if err != nil { + return nil, err + } + return result, nil } diff --git a/src/pkg/zoci/pull.go b/src/pkg/zoci/pull.go index 9fd76e9ccc..d8ba73775e 100644 --- a/src/pkg/zoci/pull.go +++ b/src/pkg/zoci/pull.go 
@@ -70,13 +70,18 @@ func (r *Remote) PullPackage(ctx context.Context, destinationDir string, concurr err = r.CopyToTarget(ctx, layersToPull, dst, copyOpts) doneSaving <- err <-doneSaving - return layersToPull, err + if err != nil { + return nil, err + } + return layersToPull, nil } // LayersFromRequestedComponents returns the descriptors for the given components from the root manifest. // // It also retrieves the descriptors for all image layers that are required by the components. -func (r *Remote) LayersFromRequestedComponents(ctx context.Context, requestedComponents []v1alpha1.ZarfComponent) (layers []ocispec.Descriptor, err error) { +func (r *Remote) LayersFromRequestedComponents(ctx context.Context, requestedComponents []v1alpha1.ZarfComponent) ([]ocispec.Descriptor, error) { + layers := make([]ocispec.Descriptor, 0) + root, err := r.FetchRoot(ctx) if err != nil { return nil, err @@ -98,7 +103,8 @@ func (r *Remote) LayersFromRequestedComponents(ctx context.Context, requestedCom for _, image := range component.Images { images[image] = true } - layers = append(layers, root.Locate(filepath.Join(layout.ComponentsDir, fmt.Sprintf(tarballFormat, component.Name)))) + desc := root.Locate(filepath.Join(layout.ComponentsDir, fmt.Sprintf(tarballFormat, component.Name))) + layers = append(layers, desc) } // Append the sboms.tar layer if it exists // diff --git a/src/test/e2e/00_use_cli_test.go b/src/test/e2e/00_use_cli_test.go index de0c5a7a51..9071a114b7 100644 --- a/src/test/e2e/00_use_cli_test.go +++ b/src/test/e2e/00_use_cli_test.go 
@@ -50,6 +50,17 @@ func TestUseCLI(t *testing.T) { require.Contains(t, stdOut, expectedShasum, "The expected SHASUM should equal the actual SHASUM") }) + t.Run("zarf package pull https", func(t *testing.T) { + t.Parallel() + packageShasum := "690799dbe8414238e11d4488754eee52ec264c1584cd0265e3b91e3e251e8b1a" + packageName := "zarf-init-amd64-v0.39.0.tar.zst" + _, _, err := e2e.Zarf(t, "package", "pull", fmt.Sprintf("https://github.com/zarf-dev/zarf/releases/download/v0.39.0/%s", packageName), "--shasum", packageShasum) + require.NoError(t, err) + require.FileExists(t, packageName) + err = os.Remove(packageName) + require.NoError(t, err) + }) + t.Run("zarf version", func(t *testing.T) { t.Parallel() // Test `zarf version` diff --git a/src/test/e2e/11_oci_pull_inspect_test.go b/src/test/e2e/11_oci_pull_inspect_test.go index cd045ae0a6..52be7ab127 100644 --- a/src/test/e2e/11_oci_pull_inspect_test.go +++ b/src/test/e2e/11_oci_pull_inspect_test.go @@ -47,9 +47,6 @@ func (suite *PullInspectTestSuite) Test_0_Pull() { // Pull the package via OCI. stdOut, stdErr, err := e2e.Zarf(suite.T(), "package", "pull", ref) suite.NoError(err, stdOut, stdErr) - suite.Contains(stdErr, fmt.Sprintf("Pulling %q", ref)) - suite.Contains(stdErr, "Validating full package checksums") - suite.NotContains(stdErr, "Package signature validated!") sbomTmp := suite.T().TempDir() 
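Review bot: The new `zarf package pull https` subtest writes `zarf-init-amd64-v0.39.0.tar.zst` into the working directory and removes it only in its last two lines. A failure in `require.NoError` or `require.FileExists` therefore leaves the archive behind, and the subtest runs under `t.Parallel()` next to other subtests using the same directory. Registering the removal before the pull keeps the tree clean, e.g. `t.Cleanup(func() { _ = os.Remove(packageName) })`. Alternatively, pull into a per-test directory with `"-o", t.TempDir()` and check the file there. Pinning the download with `--shasum` is a good choice; the test does now depend on network access to the release host.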
@@ -57,11 +54,9 @@ func (suite *PullInspectTestSuite) Test_0_Pull() { suite.FileExists(out) stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", out, "--key", "https://raw.githubusercontent.com/zarf-dev/zarf/v0.38.2/cosign.pub", "--sbom-out", sbomTmp) suite.NoError(err, stdOut, stdErr) - suite.Contains(stdErr, "Validating SBOM checksums") - suite.Contains(stdErr, "Package signature validated!") // Test pull w/ bad ref. - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+badPullInspectRef.String(), "--insecure") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+badPullInspectRef.String(), "--plain-http") suite.Error(err, stdOut, stdErr) } @@ -69,7 +64,7 @@ func (suite *PullInspectTestSuite) Test_1_Remote_Inspect() { suite.T().Log("E2E: Package Inspect oci://") // Test inspect w/ bad ref. - _, stdErr, err := e2e.Zarf(suite.T(), "package", "inspect", "oci://"+badPullInspectRef.String(), "--insecure") + _, stdErr, err := e2e.Zarf(suite.T(), "package", "inspect", "oci://"+badPullInspectRef.String(), "--plain-http") suite.Error(err, stdErr) // Test inspect on a public package. diff --git a/src/test/e2e/14_oci_compose_test.go b/src/test/e2e/14_oci_compose_test.go index ef060af819..7159394107 100644 --- a/src/test/e2e/14_oci_compose_test.go +++ b/src/test/e2e/14_oci_compose_test.go 
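Review bot: The `package inspect ... --key ... --sbom-out` call in `Test_0_Pull` is now checked only with `suite.NoError`, so nothing in this test shows that the signature was actually verified. The removed `suite.Contains(stdErr, "Package signature validated!")` was the only such assertion here, and the preceding hunk likewise drops `suite.NotContains(stdErr, "Package signature validated!")` for the pull without a key. If these were removed because the log text is no longer stable, a negative case would restore coverage without matching on output. For example, run the same inspect with a public key that does not match the package and expect `suite.Error(err, stdOut, stdErr)`. The mismatched key would be a new test fixture and is not part of this diff.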
@@ -65,47 +65,47 @@ func (suite *PublishCopySkeletonSuite) Test_0_Publish_Skeletons() { ref := suite.Reference.String() helmCharts := filepath.Join("examples", "helm-charts") - _, stdErr, err := e2e.Zarf(suite.T(), "package", "publish", helmCharts, "oci://"+ref, "--insecure") + _, stdErr, err := e2e.Zarf(suite.T(), "package", "publish", helmCharts, "oci://"+ref, "--plain-http") suite.NoError(err) suite.Contains(stdErr, "Published "+ref) bigBang := filepath.Join("src", "test", "packages", "14-import-everything", "big-bang-min") - _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", bigBang, "oci://"+ref, "--insecure") + _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", bigBang, "oci://"+ref, "--plain-http") suite.NoError(err) suite.Contains(stdErr, "Published "+ref) composable := filepath.Join("src", "test", "packages", "09-composable-packages") - _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", composable, "oci://"+ref, "--insecure") + _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", composable, "oci://"+ref, "--plain-http") suite.NoError(err) suite.Contains(stdErr, "Published "+ref) - _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", importEverything, "oci://"+ref, "--insecure") + _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", importEverything, "oci://"+ref, "--plain-http") suite.NoError(err) suite.Contains(stdErr, "Published "+ref) - _, _, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/import-everything:0.0.1", "--insecure", "-a", "skeleton") + _, _, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/import-everything:0.0.1", "--plain-http", "-a", "skeleton") suite.NoError(err) - _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/import-everything:0.0.1", "-o", "build", "--insecure", "-a", "skeleton") + _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/import-everything:0.0.1", "-o", "build", "--plain-http", "-a", "skeleton") suite.NoError(err) - _, 
_, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/helm-charts:0.0.1", "-o", "build", "--insecure", "-a", "skeleton") + _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/helm-charts:0.0.1", "-o", "build", "--plain-http", "-a", "skeleton") suite.NoError(err) - _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/big-bang-min:2.10.0", "-o", "build", "--insecure", "-a", "skeleton") + _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/big-bang-min:2.10.0", "-o", "build", "--plain-http", "-a", "skeleton") suite.NoError(err) - _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/test-compose-package:0.0.1", "-o", "build", "--insecure", "-a", "skeleton") + _, _, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/test-compose-package:0.0.1", "-o", "build", "--plain-http", "-a", "skeleton") suite.NoError(err) } func (suite *PublishCopySkeletonSuite) Test_1_Compose_Everything_Inception() { suite.T().Log("E2E: Skeleton Package Compose oci://") - _, _, err := e2e.Zarf(suite.T(), "package", "create", importEverything, "-o", "build", "--insecure", "--confirm") + _, _, err := e2e.Zarf(suite.T(), "package", "create", importEverything, "-o", "build", "--plain-http", "--confirm") suite.NoError(err) - _, _, err = e2e.Zarf(suite.T(), "package", "create", importception, "-o", "build", "--insecure", "--confirm") + _, _, err = e2e.Zarf(suite.T(), "package", "create", importception, "-o", "build", "--plain-http", "--confirm") suite.NoError(err) _, stdErr, err := e2e.Zarf(suite.T(), "package", "inspect", importEverythingPath) 
@@ -183,7 +183,7 @@ func (suite *PublishCopySkeletonSuite) Test_3_Copy() { t := suite.T() example := filepath.Join("build", fmt.Sprintf("zarf-package-helm-charts-%s-0.0.1.tar.zst", e2e.Arch)) - stdOut, stdErr, err := e2e.Zarf(t, "package", "publish", example, "oci://"+suite.Reference.Registry, "--insecure") + stdOut, stdErr, err := e2e.Zarf(t, "package", "publish", example, "oci://"+suite.Reference.Registry, "--plain-http") suite.NoError(err, stdOut, stdErr) suite.Reference.Repository = "helm-charts" diff --git a/src/test/e2e/28_wait_test.go b/src/test/e2e/28_wait_test.go index e150d163fd..e67b60d178 100644 --- a/src/test/e2e/28_wait_test.go +++ b/src/test/e2e/28_wait_test.go @@ -20,7 +20,8 @@ type zarfCommandResult struct { err error } -func zarfCommandWStruct(t *testing.T, e2e test.ZarfE2ETest, path string) (result zarfCommandResult) { +func zarfCommandWStruct(t *testing.T, e2e test.ZarfE2ETest, path string) zarfCommandResult { + result := zarfCommandResult{} result.stdOut, result.stdErr, result.err = e2e.Zarf(t, "package", "deploy", path, "--confirm") return result } diff --git a/src/test/e2e/29_config_file_test.go b/src/test/e2e/29_config_file_test.go index e947621518..0cea0b4dd9 100644 --- a/src/test/e2e/29_config_file_test.go +++ b/src/test/e2e/29_config_file_test.go 
@@ -103,7 +103,8 @@ func configFileDefaultTests(t *testing.T) { "Disable log file creation (default true)", "Disable fancy UI progress bars, spinners, logos, etc (default true)", "zarf_cache: 978499a5", - "Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture.", + "Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.", + "Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.", "tmp_dir: c457359e", } diff --git a/src/test/e2e/31_checksum_and_signature_test.go b/src/test/e2e/31_checksum_and_signature_test.go index c83888fe00..0c50817099 100644 --- a/src/test/e2e/31_checksum_and_signature_test.go +++ b/src/test/e2e/31_checksum_and_signature_test.go @@ -37,7 +37,7 @@ func TestChecksumAndSignature(t *testing.T) { // Test that we get an error when trying to deploy a package without providing the public key stdOut, stdErr, err = e2e.Zarf(t, "package", "deploy", pkgName, "--confirm") require.Error(t, err, stdOut, stdErr) - require.Contains(t, e2e.StripMessageFormatting(stdErr), "failed to deploy package: unable to load the package: package is signed but no key was provided - add a key with the --key flag or use the --insecure flag and run the command again") + require.Contains(t, e2e.StripMessageFormatting(stdErr), "failed to deploy package: unable to load the package: package is signed but no key was provided - add a key with the --key flag or use the --skip-signature-validation flag and run the command again") // Test that we don't get an error when we remember to provide the public key stdOut, stdErr, err = e2e.Zarf(t, "package", "deploy", pkgName, publicKeyFlag, "--confirm") 
diff --git a/src/test/e2e/34_custom_init_package_test.go b/src/test/e2e/34_custom_init_package_test.go index e4d3307fc4..d63226a9c8 100644 --- a/src/test/e2e/34_custom_init_package_test.go +++ b/src/test/e2e/34_custom_init_package_test.go @@ -38,7 +38,7 @@ func TestCustomInit(t *testing.T) { // Test that we get an error when trying to deploy a package without providing the public key stdOut, stdErr, err = e2e.Zarf(t, "init", "--confirm") require.Error(t, err, stdOut, stdErr) - require.Contains(t, e2e.StripMessageFormatting(stdErr), "unable to load the package: package is signed but no key was provided - add a key with the --key flag or use the --insecure flag and run the command again") + require.Contains(t, e2e.StripMessageFormatting(stdErr), "unable to load the package: package is signed but no key was provided - add a key with the --key flag or use the --skip-signature-validation flag and run the command again") /* Test operations during package deploy */ // Test that we can deploy the package with the public key diff --git a/src/test/e2e/50_oci_publish_deploy_test.go b/src/test/e2e/50_oci_publish_deploy_test.go index 75f5937179..88ea94fcf0 100644 --- a/src/test/e2e/50_oci_publish_deploy_test.go +++ b/src/test/e2e/50_oci_publish_deploy_test.go 
@@ -46,35 +46,35 @@ func (suite *PublishDeploySuiteTestSuite) Test_0_Publish() { // Publish package. example := filepath.Join(suite.PackagesDir, fmt.Sprintf("zarf-package-helm-charts-%s-0.0.1.tar.zst", e2e.Arch)) ref := suite.Reference.String() - stdOut, stdErr, err := e2e.Zarf(suite.T(), "package", "publish", example, "oci://"+ref, "--insecure") + stdOut, stdErr, err := e2e.Zarf(suite.T(), "package", "publish", example, "oci://"+ref, "--plain-http") suite.NoError(err, stdOut, stdErr) suite.Contains(stdErr, "Published "+ref) // Pull the package via OCI. - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/helm-charts:0.0.1", "--insecure") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "pull", "oci://"+ref+"/helm-charts:0.0.1", "--plain-http") suite.NoError(err, stdOut, stdErr) // Publish w/ package missing `metadata.version` field. example = filepath.Join(suite.PackagesDir, fmt.Sprintf("zarf-package-component-actions-%s.tar.zst", e2e.Arch)) - _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", example, "oci://"+ref, "--insecure") + _, stdErr, err = e2e.Zarf(suite.T(), "package", "publish", example, "oci://"+ref, "--plain-http") suite.Error(err, stdErr) // Inline publish package. dir := filepath.Join("examples", "helm-charts") - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "create", dir, "-o", "oci://"+ref, "--insecure", "--oci-concurrency=5", "--confirm") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "create", dir, "-o", "oci://"+ref, "--plain-http", "--oci-concurrency=5", "--confirm") suite.NoError(err, stdOut, stdErr) // Inline publish flavor. 
dir = filepath.Join("examples", "package-flavors") - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "create", dir, "-o", "oci://"+ref, "--flavor", "oracle-cookie-crunch", "--insecure", "--confirm") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "create", dir, "-o", "oci://"+ref, "--flavor", "oracle-cookie-crunch", "--plain-http", "--confirm") suite.NoError(err, stdOut, stdErr) // Inspect published flavor. - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/package-flavors:1.0.0-oracle-cookie-crunch", "--insecure") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/package-flavors:1.0.0-oracle-cookie-crunch", "--plain-http") suite.NoError(err, stdOut, stdErr) // Inspect the published package. - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/helm-charts:0.0.1", "--insecure") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", "oci://"+ref+"/helm-charts:0.0.1", "--plain-http") suite.NoError(err, stdOut, stdErr) } 
@@ -87,15 +87,15 @@ func (suite *PublishDeploySuiteTestSuite) Test_1_Deploy() { ref := suite.Reference.String() // Deploy the package via OCI. - stdOut, stdErr, err := e2e.Zarf(suite.T(), "package", "deploy", "oci://"+ref, "--insecure", "--confirm") + stdOut, stdErr, err := e2e.Zarf(suite.T(), "package", "deploy", "oci://"+ref, "--plain-http", "--confirm") suite.NoError(err, stdOut, stdErr) // Remove the package via OCI. - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "remove", "oci://"+ref, "--insecure", "--confirm") + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "remove", "oci://"+ref, "--plain-http", "--confirm") suite.NoError(err, stdOut, stdErr) // Test deploy w/ bad ref. - _, stdErr, err = e2e.Zarf(suite.T(), "package", "deploy", "oci://"+badDeployRef.String(), "--insecure", "--confirm") + _, stdErr, err = e2e.Zarf(suite.T(), "package", "deploy", "oci://"+badDeployRef.String(), "--plain-http", "--confirm") suite.Error(err, stdErr) } diff --git a/src/test/external/ext_in_cluster_test.go b/src/test/external/ext_in_cluster_test.go index ffe5a08b73..ad1e338935 100644 --- a/src/test/external/ext_in_cluster_test.go +++ b/src/test/external/ext_in_cluster_test.go 
@@ -24,13 +24,23 @@ import ( "sigs.k8s.io/cli-utils/pkg/object" ) -var inClusterCredentialArgs = []string{ +var inClusterMirrorCredentialArgs = []string{ "--git-push-username=git-user", "--git-push-password=superSecurePassword", "--git-url=http://gitea-http.git-server.svc.cluster.local:3000", "--registry-push-username=push-user", "--registry-push-password=superSecurePassword", - "--registry-url=127.0.0.1:31999"} + "--registry-url=http://external-registry-docker-registry.external-registry.svc.cluster.local:5000", +} + +var inClusterInitCredentialArgs = []string{ + "--git-push-username=git-user", + "--git-push-password=superSecurePassword", + "--git-url=http://gitea-http.git-server.svc.cluster.local:3000", + "--registry-push-username=push-user", + "--registry-push-password=superSecurePassword", + "--registry-url=127.0.0.1:31999", +} type ExtInClusterTestSuite struct { suite.Suite @@ -97,7 +107,7 @@ func (suite *ExtInClusterTestSuite) TearDownSuite() { func (suite *ExtInClusterTestSuite) Test_0_Mirror() { // Use Zarf to mirror a package to the services (do this as test 0 so that the registry is unpolluted) mirrorArgs := []string{"package", "mirror-resources", "../../../build/zarf-package-argocd-amd64.tar.zst", "--confirm"} - mirrorArgs = append(mirrorArgs, inClusterCredentialArgs...) + mirrorArgs = append(mirrorArgs, inClusterMirrorCredentialArgs...) err := exec.CmdWithPrint(zarfBinPath, mirrorArgs...) suite.NoError(err, "unable to mirror the package with zarf") @@ -143,7 +153,7 @@ func (suite *ExtInClusterTestSuite) Test_0_Mirror() { func (suite *ExtInClusterTestSuite) Test_1_Deploy() { // Use Zarf to initialize the cluster initArgs := []string{"init", "--confirm"} - initArgs = append(initArgs, inClusterCredentialArgs...) + initArgs = append(initArgs, inClusterInitCredentialArgs...) err := exec.CmdWithPrint(zarfBinPath, initArgs...) suite.NoError(err, "unable to initialize the k8s server with zarf") temp := suite.T().TempDir() 
diff --git a/src/types/runtime.go b/src/types/runtime.go index 0faed8c9e6..8f9ef51996 100644 --- a/src/types/runtime.go +++ b/src/types/runtime.go @@ -14,6 +14,10 @@ type ZarfCommonOptions struct { Confirm bool // Allow insecure connections for remote packages Insecure bool + // Disable checking the server TLS certificate for validity + InsecureSkipTLSVerify bool + // Force connections to be over http instead of https + PlainHTTP bool // Path to use to cache images and git repos on package create CachePath string // Location Zarf should use as a staging ground when managing files and images for package creation and deployment @@ -38,6 +42,8 @@ type ZarfPackageOptions struct { PublicKeyPath string // The number of retries to perform for Zarf deploy operations like image pushes or Helm installs Retries int + // Skip validating the signature of the Zarf package + SkipSignatureValidation bool } // ZarfInspectOptions tracks the user-defined preferences during a package inspection.
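Review bot: The comment on `Insecure` still reads `// Allow insecure connections for remote packages`, although connection behaviour is now described by the new `PlainHTTP` and `InsecureSkipTLSVerify` fields. The e2e error messages in this commit also direct users to `--skip-signature-validation` rather than `--insecure`. If `Insecure` is kept only for compatibility, mark it, e.g. `// Deprecated: use PlainHTTP, InsecureSkipTLSVerify and SkipSignatureValidation.` That wording assumes the field is being phased out, which these hunks do not confirm. The comment on `SkipSignatureValidation` could also state the consequence for a signed package, since that is what an operator needs to know before setting it.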