Merge branch 'defenseunicorns:main' into main

zarf-dev · May 5, 2023 · a779d3e · a779d3e
2 parents 14fefc0 + 191e6f2
commit a779d3e
Show file tree

Hide file tree

Showing 56 changed files with 462 additions and 138 deletions.
diff --git a/.github/actions/aws-nightly-creds/action.yaml b/.github/actions/aws-nightly-creds/action.yaml
@@ -0,0 +1,11 @@
+name: aws-nightly-creds
+description: "Login to AWS for the nightly jobs"
+
+runs:
+  using: composite
+  steps:
+    - uses: aws-actions/configure-aws-credentials@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      with:
+        role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
+        aws-region: us-east-1
+        role-duration-seconds: 14400
diff --git a/.github/actions/golang/action.yaml b/.github/actions/golang/action.yaml
@@ -4,7 +4,7 @@ description: "Setup Go binary and caching"
 runs:
   using: composite
   steps:
-    - uses: actions/setup-go@v4
+    - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
       with:
         go-version: 1.19.x
         cache: true
diff --git a/.github/actions/install-tools/action.yaml b/.github/actions/install-tools/action.yaml
@@ -4,11 +4,11 @@ description: "Install pipeline tools"
 runs:
   using: composite
   steps:
-    - uses: sigstore/cosign-installer@v2.8.1
+    - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
 
-    - uses: anchore/sbom-action/download-syft@v0.14.1
+    - uses: anchore/sbom-action/download-syft@422cb34a0f8b599678c41b21163ea6088edb2624 # v0.14.1
 
     - run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin"
       shell: bash
 
-    - uses: docker/setup-buildx-action@v2
+    - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
diff --git a/.github/actions/node/action.yaml b/.github/actions/node/action.yaml
@@ -4,7 +4,7 @@ description: "Node cache"
 runs:
   using: composite
   steps:
-    - uses: actions/setup-node@v3
+    - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
       with:
         node-version: 18
         cache: "npm"

diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml
@@ -9,7 +9,7 @@ runs:
         sudo chown $USER /tmp/zarf-*.log
       shell: bash
 
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
       with:
         name: debug-log
         path: /tmp/zarf-*.log
diff --git a/.github/workflows/auto-assign-to-project.yml b/.github/workflows/auto-assign-to-project.yml
@@ -14,7 +14,7 @@ jobs:
     if: github.event_name == 'issues' && github.event.action == 'opened'
     steps:
       - name: Move issue to Zarf Project
-        uses: actions/add-to-project@v0.5.0
+        uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v0.5.0
         with:
           project-url: https://github.com/orgs/defenseunicorns/projects/1
           github-token: ${{ secrets. ZARF_ORG_PROJECT_TOKEN }}
diff --git a/.github/workflows/build-rust-injector.yml b/.github/workflows/build-rust-injector.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Repo"
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           ref: ${{ github.event.inputs.branchName }}
 
@@ -48,7 +48,7 @@ jobs:
           aarch64-linux-musl-strip target/aarch64-unknown-linux-musl/release/zarf-injector
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

diff --git a/.github/workflows/nightly-ecr.yml b/.github/workflows/nightly-ecr.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang
@@ -32,10 +32,7 @@ jobs:
         run: make build-cli-linux-amd
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v2
-        with:
-          role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
-          aws-region: us-east-1
+        uses: ./.github/actions/aws-nightly-creds
 
       # NOTE: The aws cli will need to be explicitly installed on self-hosted runners
       - name: Login to the ECR Registry

diff --git a/.github/workflows/nightly-eks.yml b/.github/workflows/nightly-eks.yml
@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang
@@ -40,12 +40,7 @@ jobs:
         uses: ./.github/actions/packages
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v2
-        with:
-          role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
-          aws-region: us-east-1
-          role-duration-seconds: 14400
-
+        uses: ./.github/actions/aws-nightly-creds
 
       - name: Build the eks package
         run: ./build/zarf package create packages/distros/eks -o build --confirm

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           fetch-depth: 0
 
@@ -35,7 +35,7 @@ jobs:
           make build-cli-linux-arm
 
       - name: "Zarf Agent: Login to GHCR"
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
           registry: ghcr.io
           username: dummy
@@ -78,7 +78,7 @@ jobs:
 
       # Set up AWS credentials for GoReleaser to upload backups of artifacts to S3
       - name: Set AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+        uses: aws-actions/configure-aws-credentials@023daa7fe5f7f817faa31fc0fc4a8d0fb6224ed0 # v1-node16
         with:
           aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
@@ -94,7 +94,7 @@ jobs:
 
       # Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
         with:
           distribution: goreleaser
           version: latest
@@ -104,7 +104,7 @@ jobs:
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.ZARF_ORG_PROJECT_TOKEN }}
 
       - name: Save CVE report
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: cve-report
           path: build/zarf-known-cves.csv
diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml
@@ -38,7 +38,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang
@@ -48,7 +48,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
         env:
           CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
         with:
@@ -59,6 +59,6 @@ jobs:
         run: make build-cli-linux-amd
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scan-cves.yml b/.github/workflows/scan-cves.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang

diff --git a/.github/workflows/scan-docs-and-schema.yml b/.github/workflows/scan-docs-and-schema.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang

diff --git a/.github/workflows/scan-labels.yml b/.github/workflows/scan-labels.yml
@@ -10,6 +10,6 @@ jobs:
   enforce:
     runs-on: ubuntu-latest
     steps:
-      - uses: yogevbd/enforce-label-action@2.2.2
+      - uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # 2.2.2
         with:
           BANNED_LABELS: "needs-docs,needs-tests,needs-adr,needs-git-sign-off,needs-tutorial"
diff --git a/.github/workflows/scan-lint.yml b/.github/workflows/scan-lint.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Run Revive Action by pulling pre-built image
         uses: docker://morphy/revive-action:v2

diff --git a/.github/workflows/test-bigbang.yml b/.github/workflows/test-bigbang.yml
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang
@@ -41,7 +41,7 @@ jobs:
         uses: ./.github/actions/k3d
 
       - name: "Login to Iron Bank"
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         if: ${{ env.IRONBANK_USERNAME != '' }}
         env:
           IRONBANK_USERNAME: ${{ secrets.IRONBANK_USERNAME }}

diff --git a/.github/workflows/test-external.yml b/.github/workflows/test-external.yml
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang

diff --git a/.github/workflows/test-k3d.yml b/.github/workflows/test-k3d.yml
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang

diff --git a/.github/workflows/test-k3s.yml b/.github/workflows/test-k3s.yml
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang

diff --git a/.github/workflows/test-kind.yml b/.github/workflows/test-kind.yml
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang

diff --git a/.github/workflows/test-minikube.yml b/.github/workflows/test-minikube.yml
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang

diff --git a/.github/workflows/test-ui.yml b/.github/workflows/test-ui.yml
@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       # Have to run early for now since UI tests are a little brittle around cluster state
       - name: Setup K3d

diff --git a/.github/workflows/test-unit.yml b/.github/workflows/test-unit.yml
@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang

diff --git a/.github/workflows/test-upgrade.yml b/.github/workflows/test-upgrade.yml
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Setup golang
         uses: ./.github/actions/golang

diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml
@@ -26,7 +26,7 @@ jobs:
     runs-on: windows-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Optimize caching
         run: echo C:\Program Files\Git\usr\bin>>"%GITHUB_PATH%"

diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ Zarf eliminates the [complexity of air gap software delivery](https://www.itopst
 - Builtin [K9s Dashboard](https://k9scli.io/) for managing a cluster from the terminal
 - [Mutating Webhook](adr/0005-mutating-webhook.md) to automatically update Kubernetes pod's image path and pull secrets as well as [Flux Git Repository](https://fluxcd.io/docs/components/source/gitrepositories/) URLs and secret references
 - Builtin [command to find images](https://docs.zarf.dev/docs/user-guide/the-zarf-cli/cli-commands/zarf_prepare_find-images) and resources from a Helm chart
-- Tunneling capability to [connect to Kuberenetes resources](https://docs.zarf.dev/docs/user-guide/the-zarf-cli/cli-commands/zarf_connect) without network routing, DNS, TLS or Ingress configuration required
+- Tunneling capability to [connect to Kubernetes resources](https://docs.zarf.dev/docs/user-guide/the-zarf-cli/cli-commands/zarf_connect) without network routing, DNS, TLS or Ingress configuration required
 
 ## 🛠️ Configurable Features
 

diff --git a/docs/1-getting-started/1-core-concepts.md b/docs/1-getting-started/1-core-concepts.md
@@ -6,4 +6,4 @@ Now, assuming you're familiar with Kubernetes, AirGap, and GitOps from [Understa
 
 - [**Zarf Package**](../3-create-a-zarf-package/1-zarf-packages.md) - A binary file that contains the instructions and dependencies necessary to install an application on a system.
 - [**Zarf Component**](../3-create-a-zarf-package/2-zarf-components.md) - A set of defined functionality and resources that build up a package.
-- [**Zarf Init Package**](../3-create-a-zarf-package/3-the-zarf-init-package.md) - The initial package that lays the groundwork for other packages.
+- [**Zarf Init Package**](../3-create-a-zarf-package/3-zarf-init-package.md) - The initial package that lays the groundwork for other packages.
diff --git a/docs/1-getting-started/2-set-up-and-install.md b/docs/1-getting-started/2-set-up-and-install.md
@@ -40,17 +40,17 @@ Depending on the permissions of your user, if you are installing K3s through the
 
 <!-- TODO: Link to a support matrix of k8 distros -->
 
-Zarf offers the flexibility of deploying to a wide range of clusters beyond the K3s cluster included in the [init package](../3-create-a-zarf-package/3-the-zarf-init-package.md). This means that you can utilize various options, including local dockerized K8s clusters such as [k3d](https://k3d.io/v5.4.1/) or [Kind](https://kind.sigs.k8s.io/), Rancher's next-generation K8s distribution [RKE2](https://docs.rke2.io/), or cloud-provided clusters such as [eks](https://aws.amazon.com/eks/). Such a diverse set of deployment choices frees you from being tethered to a single cluster option, allowing you to select the best-suited cluster environment for your specific needs.
+Zarf offers the flexibility of deploying to a wide range of clusters beyond the K3s cluster included in the [init package](../3-create-a-zarf-package/3-zarf-init-package.md). This means that you can utilize various options, including local dockerized K8s clusters such as [k3d](https://k3d.io/v5.4.1/) or [Kind](https://kind.sigs.k8s.io/), Rancher's next-generation K8s distribution [RKE2](https://docs.rke2.io/), or cloud-provided clusters such as [eks](https://aws.amazon.com/eks/). Such a diverse set of deployment choices frees you from being tethered to a single cluster option, allowing you to select the best-suited cluster environment for your specific needs.
 
 ## Initializing a Cluster
 
 <!-- TODO: Some duplicated information from the 'Common CLI Uses' page incoming... -->
 
 After installing the CLI and setting up a cluster, the next step is to initialize the cluster to enable the deployment of application packages.
 
-Initializing a cluster is necessary since most K8 clusters do not come pre-installed with a container registry. This presents a challenging situation since pushing container images into a registry requires a registry to exist in the first place. For more information, please see the [init package](./../3-create-a-zarf-package/3-the-zarf-init-package.md) page.
+Initializing a cluster is necessary since most K8 clusters do not come pre-installed with a container registry. This presents a challenging situation since pushing container images into a registry requires a registry to exist in the first place. For more information, please see the [init package](./../3-create-a-zarf-package/3-zarf-init-package.md) page.
 
-As part of the initialization process, Zarf creates a dedicated namespace called `zarf` and deploys several essential components within the cluster. These include an in-cluster Docker registry (serves as the container image host for future packages), a `zarf agent` mutating webhook (to redirect outgoing requests to the internally hosted resources), and a set of secrets. Additionally, users can optionally deploy a gitea server that hosts the Git repositories needed for future packages. For more information regarding package components, see the [init package](./../3-create-a-zarf-package/3-the-zarf-init-package.md) page.
+As part of the initialization process, Zarf creates a dedicated namespace called `zarf` and deploys several essential components within the cluster. These include an in-cluster Docker registry (serves as the container image host for future packages), a `zarf agent` mutating webhook (to redirect outgoing requests to the internally hosted resources), and a set of secrets. Additionally, users can optionally deploy a gitea server that hosts the Git repositories needed for future packages. For more information regarding package components, see the [init package](./../3-create-a-zarf-package/3-zarf-init-package.md) page.
 
 To access the relevant init package release, visit the [GitHub releases](https://github.com/defenseunicorns/zarf/releases) page. Once downloaded, navigate to the directory containing the init package and execute the command [`zarf init`](../2-the-zarf-cli/100-cli-commands/zarf_init.md) to install it. Zarf will prompt you to confirm whether you wish to deploy the optional component. You can type 'y' or 'n' depending on your specific use case.
 

diff --git a/docs/2-the-zarf-cli/1-cli-common-uses.md b/docs/2-the-zarf-cli/1-cli-common-uses.md
@@ -15,7 +15,7 @@ Before deploying a package to a cluster, you must initialize the cluster using t
 
 For Windows and macOS environments, a cluster must already exist before initializing it using Zarf. You can use [Kind](https://kind.sigs.k8s.io/), [K3d](https://k3d.io/), [Docker Desktop](https://docs.docker.com/desktop/kubernetes/), or any other local or remote Kubernetes cluster.
 
-For Linux environments, Zarf can, itself, create and update a local K3s cluster, in addition to using any other local or remote Kubernetes cluster. The init package used by `zarf init` contains all the resources necessary to create a local [K3s](https://k3s.io/) cluster on your machine. This package may be located in your current working directory, the directory where the Zarf CLI binary is located, or downloaded from GitHub releases during command execution. Further details on the initialization process can be found on the [init package](../3-create-a-zarf-package/3-the-zarf-init-package.md) page.
+For Linux environments, Zarf can, itself, create and update a local K3s cluster, in addition to using any other local or remote Kubernetes cluster. The init package used by `zarf init` contains all the resources necessary to create a local [K3s](https://k3s.io/) cluster on your machine. This package may be located in your current working directory, the directory where the Zarf CLI binary is located, or downloaded from GitHub releases during command execution. Further details on the initialization process can be found on the [init package](../3-create-a-zarf-package/3-zarf-init-package.md) page.
 
 :::note
 Depending on the permissions of your user, if you are installing K3s with `zarf init`, you may need to run it as a privileged user. This can be done by either:

diff --git a/docs/2-the-zarf-cli/100-cli-commands/zarf_package_create.md b/docs/2-the-zarf-cli/100-cli-commands/zarf_package_create.md
@@ -17,6 +17,7 @@ zarf package create [DIRECTORY] [flags]
 
 ```
       --confirm                   Confirm package creation without prompting
+      --differential string       Build a package that only contains the differential changes from local resources and differing remote resources from the specified previously built package
   -h, --help                      help for create
   -k, --key string                Path to private key file for signing packages
       --key-pass string           Password to the private key file used for signing packages