Update zarf-managed secrets in all namespaces on a reinit (#1898)

## Description

This updates the secret handling logic to update image pull secrets and
git pull secrets in the event of a reinit.

## Related Issue

Relates to #1715

## Type of change

- [X] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [X] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Co-authored-by: Case Wylie <[email protected]>
Co-authored-by: razzle <[email protected]>

.github/workflows/release.yml

@@ -102,7 +102,6 @@ jobs:
       - name: Build examples and run tests
         run: |
           sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
-          sudo chown $USER /tmp/zarf-*.log
 
       - name: Save logs
         if: always()

.github/workflows/test-e2e.yml

@@ -96,11 +96,9 @@ jobs:
         # NOTE: "PATH=$PATH" preserves the default user $PATH. This is needed to maintain the version of go installed
         #       in a previous step. This test run will use Zarf to create a K3s cluster, and a brand new cluster will be
         #       used for each test
-        # chown the logs since they were originally created as root
         run: |
           chmod +x build/zarf
           sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
-          sudo chown $USER /tmp/zarf-*.log
 
       - name: Save logs
         if: always()

.github/workflows/test-upgrade.yml

@@ -73,9 +73,8 @@ jobs:
       - name: Initialize the cluster with the release version
         # NOTE: "PATH=$PATH" preserves the default user $PATH. This is needed to maintain the version of zarf installed
         #       in a previous step. This test run will the current release to create a K3s cluster.
-        # chown the logs since they were originally created as root
         run: |
-          sudo env "PATH=$PATH" CI=true zarf init --components k3s,git-server,logging --confirm
+          sudo env "PATH=$PATH" CI=true zarf init --components k3s,git-server,logging --nodeport 31337 --confirm
 
       # Before we run the regular tests we need to aggressively cleanup files to reduce disk pressure
       - name: Cleanup files
@@ -84,7 +83,6 @@ jobs:
       - name: Create and deploy the upgrade test packages
         # NOTE: "PATH=$PATH" preserves the default user $PATH. This is needed to maintain the version of zarf installed
         #       in a previous step. This test run will the current release to create a K3s cluster.
-        # chown the logs since they were originally created as root
         run: |
           zarf package create src/test/upgrade --set PODINFO_VERSION=6.3.3 --confirm
           sudo env "PATH=$PATH" CI=true zarf package deploy zarf-package-test-upgrade-package-amd64-6.3.3.tar.zst --confirm
@@ -94,7 +92,6 @@ jobs:
       - name: Run tests
         # NOTE: "PATH=$PATH" preserves the default user $PATH. This is needed to maintain the version of go installed
         #       in a previous step. This test run will use this PR's Zarf to create a K3s cluster.
-        # chown the logs since they were originally created as root
         run: |
           sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true APPLIANCE_MODE_KEEP=true make test-e2e ARCH=amd64
 
@@ -112,7 +109,6 @@ jobs:
       - name: Run the upgrade tests
         # NOTE: "PATH=$PATH" preserves the default user $PATH. This is needed to maintain the version of zarf installed
         #       in a previous step. This test run will the current release to create a K3s cluster.
-        # chown the logs since they were originally created as root
         run: |
           sudo env "PATH=$PATH" CI=true zarf tools kubectl describe nodes
 

Makefile

@@ -170,7 +170,6 @@ test-external: ## Run the Zarf CLI E2E tests for an external registry and cluste
 	@test -s $(ZARF_BIN) || $(MAKE) build-cli
 	@test -s ./build/zarf-init-$(ARCH)-$(CLI_VERSION).tar.zst || $(MAKE) init-package
 	@test -s ./build/zarf-package-podinfo-flux-$(ARCH).tar.zst || $(ZARF_BIN) package create examples/podinfo-flux -o build -a $(ARCH) --confirm
-	@test -s ./build/zarf-package-argocd-$(ARCH).tar.zst || $(ZARF_BIN) package create examples/argocd -o build -a $(ARCH) --confirm
 	cd src/test/external && go test -failfast -v -timeout 30m
 
 ## NOTE: Requires an existing cluster and

docs/2-the-zarf-cli/100-cli-commands/zarf_init.md

@@ -40,6 +40,11 @@ zarf init [flags]
 	# Initializing w/ an external git server:
 	zarf init --git-push-password={PASSWORD} --git-push-username={USERNAME} --git-url={URL}
 
+	# Initializing w/ an external artifact server:
+	zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNAME} --artifact-url={URL}
+
+	# NOTE: Not specifying a pull username/password will use the push user for pulling as well.
+
 ```
 
 ## Options

docs/2-the-zarf-cli/100-cli-commands/zarf_package_deploy.md

@@ -21,7 +21,6 @@ zarf package deploy [ PACKAGE ] [flags]
   -h, --help                       help for deploy
   -k, --key string                 Path to public key file for validating signed packages
       --set stringToString         Specify deployment variables to set on the command line (KEY=value) (default [])
-      --sget string                [Deprecated] Path to public sget key file for remote packages signed via cosign. This flag will be removed in v0.31.0 please use the --key flag instead.
       --shasum string              Shasum of the package to deploy. Required if deploying a remote package and "--insecure" is not provided
 ```
 

docs/2-the-zarf-cli/100-cli-commands/zarf_tools.md

@@ -30,9 +30,10 @@ Collection of additional tools to make airgap easier
 * [zarf tools download-init](zarf_tools_download-init.md)	 - Downloads the init package for the current Zarf version into the specified directory
 * [zarf tools gen-key](zarf_tools_gen-key.md)	 - Generates a cosign public/private keypair that can be used to sign packages
 * [zarf tools gen-pki](zarf_tools_gen-pki.md)	 - Generates a Certificate Authority and PKI chain of trust for the given host
-* [zarf tools get-creds](zarf_tools_get-creds.md)	 - Displays a Table of credentials for deployed components. Pass a component name to get a single credential
+* [zarf tools get-creds](zarf_tools_get-creds.md)	 - Displays a table of credentials for deployed Zarf services. Pass a service key to get a single credential
 * [zarf tools kubectl](zarf_tools_kubectl.md)	 - Kubectl command. See https://kubernetes.io/docs/reference/kubectl/overview/ for more information.
 * [zarf tools monitor](zarf_tools_monitor.md)	 - Launches a terminal UI to monitor the connected cluster using K9s.
 * [zarf tools registry](zarf_tools_registry.md)	 - Tools for working with container registries using go-containertools
 * [zarf tools sbom](zarf_tools_sbom.md)	 - Generates a Software Bill of Materials (SBOM) for the given package
+* [zarf tools update-creds](zarf_tools_update-creds.md)	 - Updates the credentials for deployed Zarf services. Pass a service key to update credentials for a single service
 * [zarf tools wait-for](zarf_tools_wait-for.md)	 - Waits for a given Kubernetes resource to be ready

docs/2-the-zarf-cli/100-cli-commands/zarf_tools_get-creds.md

@@ -1,16 +1,33 @@
 # zarf tools get-creds
 <!-- Auto-generated by hack/gen-cli-docs.sh -->
 
-Displays a Table of credentials for deployed components. Pass a component name to get a single credential
+Displays a table of credentials for deployed Zarf services. Pass a service key to get a single credential
 
 ## Synopsis
 
-Display a Table of credentials for deployed components. Pass a component name to get a single credential. i.e. 'zarf tools get-creds registry'
+Display a table of credentials for deployed Zarf services. Pass a service key to get a single credential. i.e. 'zarf tools get-creds registry'
 
 ```
 zarf tools get-creds [flags]
 ```
 
+## Examples
+
+```
+
+	# Print all Zarf credentials:
+	zarf tools get-creds
+
+	# Get specific Zarf credentials:
+	zarf tools get-creds registry
+	zarf tools get-creds registry-readonly
+	zarf tools get-creds git
+	zarf tools get-creds git-readonly
+	zarf tools get-creds artifact
+	zarf tools get-creds logging
+
+```
+
 ## Options
 
 ```

docs/2-the-zarf-cli/100-cli-commands/zarf_tools_update-creds.md

@@ -0,0 +1,80 @@
+# zarf tools update-creds
+<!-- Auto-generated by hack/gen-cli-docs.sh -->
+
+Updates the credentials for deployed Zarf services. Pass a service key to update credentials for a single service
+
+## Synopsis
+
+Updates the credentials for deployed Zarf services. Pass a service key to update credentials for a single service. i.e. 'zarf tools update-creds registry'
+
+```
+zarf tools update-creds [flags]
+```
+
+## Examples
+
+```
+
+	# Autogenerate all Zarf credentials at once:
+	zarf tools update-creds
+
+	# Autogenerate specific Zarf service credentials:
+	zarf tools update-creds registry
+	zarf tools update-creds git
+	zarf tools update-creds artifact
+	zarf tools update-creds logging
+
+	# Update all Zarf credentials w/external services at once:
+	zarf tools update-creds \
+		--registry-push-username={USERNAME} --registry-push-password={PASSWORD} \
+		--git-push-username={USERNAME} --git-push-password={PASSWORD} \
+		--artifact-push-username={USERNAME} --artifact-push-token={PASSWORD}
+
+	# NOTE: Any credentials omitted from flags without a service key specified will be autogenerated - URLs will only change if specified.
+	# Config options can also be set with the 'init' section of a Zarf config file.
+
+	# Update specific Zarf credentials w/external services:
+	zarf tools update-creds registry --registry-push-username={USERNAME} --registry-push-password={PASSWORD}
+	zarf tools update-creds git --git-push-username={USERNAME} --git-push-password={PASSWORD}
+	zarf tools update-creds artifact --artifact-push-username={USERNAME} --artifact-push-token={PASSWORD}
+
+	# NOTE: Not specifying a pull username/password will keep the previous pull username/password.
+
+```
+
+## Options
+
+```
+      --artifact-push-token string      [alpha] API Token for the push-user to access the artifact registry
+      --artifact-push-username string   [alpha] Username to access to the artifact registry Zarf is configured to use. User must be able to upload package artifacts.
+      --artifact-url string             [alpha] External artifact registry url to use for this Zarf cluster
+      --confirm                         Confirm updating credentials without prompting
+      --git-pull-password string        Password for the pull-only user to access the git server
+      --git-pull-username string        Username for pull-only access to the git server
+      --git-push-password string        Password for the push-user to access the git server
+      --git-push-username string        Username to access to the git server Zarf is configured to use. User must be able to create repositories via 'git push'
+      --git-url string                  External git server url to use for this Zarf cluster
+  -h, --help                            help for update-creds
+      --registry-pull-password string   Password for the pull-only user to access the registry
+      --registry-pull-username string   Username for pull-only access to the registry
+      --registry-push-password string   Password for the push-user to connect to the registry
+      --registry-push-username string   Username to access to the registry Zarf is configured to use
+      --registry-url string             External registry url address to use for this Zarf cluster
+```
+
+## Options inherited from parent commands
+
+```
+  -a, --architecture string   Architecture for OCI images and Zarf packages
+      --insecure              Allow access to insecure registries and disable other recommended security enforcements such as package checksum and signature validation. This flag should only be used if you have a specific reason and accept the reduced security posture.
+  -l, --log-level string      Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info")
+      --no-color              Disable colors in output
+      --no-log-file           Disable log file creation
+      --no-progress           Disable fancy UI progress bars, spinners, logos, etc
+      --tmpdir string         Specify the temporary directory to use for intermediate files
+      --zarf-cache string     Specify the location of the Zarf cache directory (default "~/.zarf-cache")
+```
+
+## SEE ALSO
+
+* [zarf tools](zarf_tools.md)	 - Collection of additional tools to make airgap easier

docs/2-the-zarf-cli/100-cli-commands/zarf_tools_wait-for.md

@@ -19,22 +19,22 @@ zarf tools wait-for { KIND | PROTOCOL } { NAME | SELECTOR | URI } { CONDITION |
 
 ```
 
-	Wait for Kubernetes resources:
-		zarf tools wait-for pod my-pod-name ready -n default                  #  wait for pod my-pod-name in namespace default to be ready
-		zarf tools wait-for p cool-pod-name ready -n cool                     #  wait for pod (using p alias) cool-pod-name in namespace cool to be ready
-		zarf tools wait-for deployment podinfo available -n podinfo           #  wait for deployment podinfo in namespace podinfo to be available
-		zarf tools wait-for pod app=podinfo ready -n podinfo                  #  wait for pod with label app=podinfo in namespace podinfo to be ready
-		zarf tools wait-for svc zarf-docker-registry exists -n zarf           #  wait for service zarf-docker-registry in namespace zarf to exist
-		zarf tools wait-for svc zarf-docker-registry -n zarf                  #  same as above, except exists is the default condition
-		zarf tools wait-for crd addons.k3s.cattle.io                          #  wait for crd addons.k3s.cattle.io to exist
-		zarf tools wait-for sts test-sts '{.status.availableReplicas}'=23     #  wait for statefulset test-sts to have 23 available replicas
-
-	Wait for network endpoints:
-		zarf tools wait-for http localhost:8080 200                           #  wait for a 200 response from http://localhost:8080
-		zarf tools wait-for tcp localhost:8080                                #  wait for a connection to be established on localhost:8080
-		zarf tools wait-for https 1.1.1.1 200                                 #  wait for a 200 response from https://1.1.1.1
-		zarf tools wait-for http google.com                                   #  wait for any 2xx response from http://google.com
-		zarf tools wait-for http google.com success                           #  wait for any 2xx response from http://google.com
+	# Wait for Kubernetes resources:
+	zarf tools wait-for pod my-pod-name ready -n default                  #  wait for pod my-pod-name in namespace default to be ready
+	zarf tools wait-for p cool-pod-name ready -n cool                     #  wait for pod (using p alias) cool-pod-name in namespace cool to be ready
+	zarf tools wait-for deployment podinfo available -n podinfo           #  wait for deployment podinfo in namespace podinfo to be available
+	zarf tools wait-for pod app=podinfo ready -n podinfo                  #  wait for pod with label app=podinfo in namespace podinfo to be ready
+	zarf tools wait-for svc zarf-docker-registry exists -n zarf           #  wait for service zarf-docker-registry in namespace zarf to exist
+	zarf tools wait-for svc zarf-docker-registry -n zarf                  #  same as above, except exists is the default condition
+	zarf tools wait-for crd addons.k3s.cattle.io                          #  wait for crd addons.k3s.cattle.io to exist
+	zarf tools wait-for sts test-sts '{.status.availableReplicas}'=23     #  wait for statefulset test-sts to have 23 available replicas
+
+	# Wait for network endpoints:
+	zarf tools wait-for http localhost:8080 200                           #  wait for a 200 response from http://localhost:8080
+	zarf tools wait-for tcp localhost:8080                                #  wait for a connection to be established on localhost:8080
+	zarf tools wait-for https 1.1.1.1 200                                 #  wait for a 200 response from https://1.1.1.1
+	zarf tools wait-for http google.com                                   #  wait for any 2xx response from http://google.com
+	zarf tools wait-for http google.com success                           #  wait for any 2xx response from http://google.com
 
 ```
 

examples/git-data/zarf.yaml

@@ -11,7 +11,7 @@ components:
       # The following performs a full Git Repo Mirror with `go-git` (internal to Zarf)
       - https://github.com/defenseunicorns/zarf-public-test.git
       # The following performs a full Git Repo Mirror forcing a fallback to host `git`
-      - https://racer159.visualstudio.com/zarf-public-test/_git/zarf-public-test
+      - https://dev.azure.com/defenseunicorns/zarf-public-test/_git/zarf-public-test
 
   - name: specific-tag
     required: true
@@ -21,21 +21,21 @@ components:
       # The following performs a refspec tag Git Repo Mirror with `go-git`
       - https://github.com/defenseunicorns/zarf-public-test.git@refs/tags/v0.0.1
       # The following performs a tag Git Repo Mirror forcing a fallback to host `git`
-      - https://racer159.visualstudio.com/zarf-public-test/_git/[email protected]
+      - https://dev.azure.com/defenseunicorns/zarf-public-test/_git/[email protected]
 
   - name: specific-branch
     required: true
     repos:
       # The following performs a branch Git Repo Mirror with `go-git` (internal to Zarf)
       - https://github.com/defenseunicorns/zarf-public-test.git@refs/heads/dragons
       # The following performs a branch Git Repo Mirror forcing a fallback to host `git`
-      - https://racer159.visualstudio.com/zarf-public-test/_git/zarf-public-test@refs/heads/dragons
+      - https://dev.azure.com/defenseunicorns/zarf-public-test/_git/zarf-public-test@refs/heads/dragons
 
   - name: specific-hash
     required: true
     repos:
       # The following performs a SHA Git Repo Mirror with `go-git` (internal to Zarf)
       - https://github.com/defenseunicorns/zarf-public-test.git@01a23218923f24194133b5eb11268cf8d73ff1bb
       # The following performs a SHA Git Repo Mirror forcing a fallback to host `git`
-      - https://racer159.visualstudio.com/zarf-public-test/_git/zarf-public-test@01a23218923f24194133b5eb11268cf8d73ff1bb
+      - https://dev.azure.com/defenseunicorns/zarf-public-test/_git/zarf-public-test@01a23218923f24194133b5eb11268cf8d73ff1bb
 

packages/gitea/gitea-values.yaml

@@ -2,6 +2,10 @@ persistence:
   storageClass: "###ZARF_STORAGE_CLASS###"
   existingClaim: "###ZARF_VAR_GIT_SERVER_EXISTING_PVC###"
   size: "###ZARF_VAR_GIT_SERVER_PVC_SIZE###"
+  accessModes:
+    - "###ZARF_VAR_GIT_SERVER_PVC_ACCESS_MODE###"
+
+replicaCount: "###ZARF_VAR_GIT_SERVER_REPLICA_COUNT###"
 
 gitea:
   admin:

packages/gitea/zarf.yaml

@@ -8,9 +8,13 @@ variables:
     default: ""
 
   - name: GIT_SERVER_PVC_SIZE
-    description: The size of the persistent volume claim for git server
+    description: The size of the persistent volume claim for the git server
     default: 10Gi
 
+  - name: GIT_SERVER_PVC_ACCESS_MODE
+    description: The access mode of the persistent volume claim for the git server
+    default: ReadWriteOnce
+
   - name: GIT_SERVER_CPU_REQ
     description: The CPU request for git server
     default: 200m
@@ -27,6 +31,10 @@ variables:
     description: The memory limit for git server
     default: 2Gi
 
+  - name: GIT_SERVER_REPLICA_COUNT
+    description: The number of git server replicas to deploy
+    default: "1"
+
 components:
   - name: git-server
     description: |

packages/zarf-registry/chart/templates/deployment.yaml

@@ -73,7 +73,11 @@ spec:
             - name: config
               mountPath: "/etc/docker/registry"
       affinity:
+{{- if (eq "ReadWriteMany" .Values.persistence.accessMode) }}
+        podAntiAffinity:
+{{- else }}
         podAffinity:
+{{- end }}
           preferredDuringSchedulingIgnoredDuringExecution:
             - weight: 100
               podAffinityTerm:

src/cmd/common/setup.go

@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+// Package common handles command configuration across all commands
+package common
+
+import (
+	"os"
+
+	"github.com/defenseunicorns/zarf/src/config"
+	"github.com/defenseunicorns/zarf/src/config/lang"
+	"github.com/defenseunicorns/zarf/src/pkg/message"
+	"github.com/defenseunicorns/zarf/src/pkg/utils/exec"
+)
+
+// LogLevelCLI holds the log level as input from a command
+var LogLevelCLI string
+
+// SetupCLI sets up the CLI logging, interrupt functions, and more
+func SetupCLI() {
+	exec.ExitOnInterrupt()
+
+	match := map[string]message.LogLevel{
+		"warn":  message.WarnLevel,
+		"info":  message.InfoLevel,
+		"debug": message.DebugLevel,
+		"trace": message.TraceLevel,
+	}
+
+	if config.NoColor {
+		message.DisableColor()
+	}
+
+	printViperConfigUsed()
+
+	// No log level set, so use the default
+	if LogLevelCLI != "" {
+		if lvl, ok := match[LogLevelCLI]; ok {
+			message.SetLogLevel(lvl)
+			message.Debug("Log level set to " + LogLevelCLI)
+		} else {
+			message.Warn(lang.RootCmdErrInvalidLogLevel)
+		}
+	}
+
+	// Disable progress bars for CI envs
+	if os.Getenv("CI") == "true" {
+		message.Debug("CI environment detected, disabling progress bars")
+		message.NoProgress = true
+	}
+
+	if !config.SkipLogFile {
+		message.UseLogFile()
+	}
+}