You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This proposal seeks to define a normalized package structure for Zarf packages. In addition to providing signing without depending on cosign sget, it will also allow treating local or remote packages the same way. Additionally, this proposal discusses a new command, zarf package publish for allowing users to publish packages to a remote registry for deployment or reuse in other packages.
Using the new package structure detailed above, publishing to an OCI Distribution Registry will assume that the layers will be written/optimized for reuse which means that the OCI artifact will operate in lieu of a tarball. When the package is published to a registry, two different artifacts will be published: the package and a skeleton package. The skeleton package will be a copy of the package with all layers that can be pulled remotely removed. This is intended to be used to extend a package or in the case of zarf package create. The standard package will be published for directly deploying a package.
Publish a package will follow the convention <repo>/<package-name>:<version>-<arch> and <repo>/<package-name>:<version>-skeleton. Using the package example above:
Command:
zarf package publish defenseunicorns
Result:
Create and publish OCI artifacts:
- defenseunicorns/kafka-strimzi-demo:v0.1.0-arm64
- defenseunicorns/kafka-strimzi-demo:v0.1.0-skeleton
Skeleton Package
A skeleton package is a special package that is essentially a copy/paste of the local folder where the zarf.yaml is defined. Note, in this solution referencing files outside of the current zarf.yaml folder path will not work properly. One particular note is Kustomizations, they will not be processed or converted into manifests but will simply be copied into the OCI artifact for later composition if imported.
Deploying OCI Packages
Deploying will be very similar to prior sget behavior. Using the package example above:
Eventually the Zarf UI could include the ability to search a registry for packages and deploy or download them.
Importing OCI Packages/Components
It can be confusing, but you cannot directly import a package in Zarf. A component is an atomic unit imported/extended within a package. We refer to this as composable components. It is possible to import a package/component that is only a single component. The challenge with OCI imports of packages/components is that we will have to copy things locally before finishing the composition. Additionally, composable components today do not have a concept of special handling for remote assets already pulled into a package/local location. This is where the skeleton component proposal comes in. The skeleton package will be loaded into a temp directory and referenced like a local package/component. This will occur at the normal composition stage, before the confirm step on zarf package create.
This example would then call oci://defenseunicorns/terraform:1.3.7-skeleton and include it as a part of the package definition on zarf package create. As with local imports, this would be completely transparent on zarf package deploy.
Decision: I'm not sure if we should include a checksum or signature file for skeleton files as they will be incomplete and regenerated anyway during package create.
The text was updated successfully, but these errors were encountered:
## Description
maybe this time I wont blow up the whole branch... maybe...
## Related Issue
Relates to #1298Fixes#1319Fixes#1326Fixes#1324Fixes#1322Fixes#1325
## Type of change
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
## Checklist before merging
- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed
---------
Signed-off-by: Jon Perry <yrrepnoj@gmail.com>
Signed-off-by: razzle <harry@razzle.cloud>
Co-authored-by: Jonathan Perry <YrrepNoj@gmail.com>
Co-authored-by: Will C <wirewc@gmail.com>
Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>
Co-authored-by: Wayne Starr <me@racer159.com>
Discussed in #1298
Originally posted by jeff-mccoy January 30, 2023
New universal package structure
This proposal seeks to define a normalized package structure for Zarf packages. In addition to providing signing without depending on cosign sget, it will also allow treating local or remote packages the same way. Additionally, this proposal discusses a new command,
zarf package publish
for allowing users to publish packages to a remote registry for deployment or reuse in other packages.Related Issues (in priority order)
./images/
#1324metadata.uncompressed
now changes compression of./components/<name>.tar
. #1323Package Structure Changes
zarf.yaml
flagmetadata.uncompressed
now changes compression of./components/<name>.tar
../images/
./images/
dir exists, it will be used instead of./images.tar
./components/<name>.tar.?
exists, it will be used instead of the./components/<name>/
dir./checksums.txt
exists it will be processedmetadata.checksumSignature
is also not an empty string, it will used to verify the signature of the checksums file./sboms/.tar.zst
exists it will be used instead of the./sboms/
dir./zarf.yaml.sig
exists it will be used to verify the signature of./zarf.yaml
Top Level Structure
Old Package Structure
New Package Structure
Zarf Package Config (Kafka Strimzi Example)
Publishing Zarf Packages
Using the new package structure detailed above, publishing to an OCI Distribution Registry will assume that the layers will be written/optimized for reuse which means that the OCI artifact will operate in lieu of a tarball. When the package is published to a registry, two different artifacts will be published: the package and a skeleton package. The skeleton package will be a copy of the package with all layers that can be pulled remotely removed. This is intended to be used to extend a package or in the case of
zarf package create
. The standard package will be published for directly deploying a package.Publish a package will follow the convention
<repo>/<package-name>:<version>-<arch>
and<repo>/<package-name>:<version>-skeleton
. Using the package example above:Command:
Result:
Skeleton Package
A skeleton package is a special package that is essentially a copy/paste of the local folder where the
zarf.yaml
is defined. Note, in this solution referencing files outside of the currentzarf.yaml
folder path will not work properly. One particular note is Kustomizations, they will not be processed or converted into manifests but will simply be copied into the OCI artifact for later composition if imported.Deploying OCI Packages
Deploying will be very similar to prior
sget
behavior. Using the package example above:Alternatively, we could look at defining a new command:
Eventually the Zarf UI could include the ability to search a registry for packages and deploy or download them.
Importing OCI Packages/Components
It can be confusing, but you cannot directly import a package in Zarf. A component is an atomic unit imported/extended within a package. We refer to this as composable components. It is possible to import a package/component that is only a single component. The challenge with OCI imports of packages/components is that we will have to copy things locally before finishing the composition. Additionally, composable components today do not have a concept of special handling for remote assets already pulled into a package/local location. This is where the skeleton component proposal comes in. The skeleton package will be loaded into a temp directory and referenced like a local package/component. This will occur at the normal composition stage, before the confirm step on
zarf package create
.Example OCI import
This example would then call
oci://defenseunicorns/terraform:1.3.7-skeleton
and include it as a part of the package definition onzarf package create
. As with local imports, this would be completely transparent onzarf package deploy
.Decision: I'm not sure if we should include a checksum or signature file for skeleton files as they will be incomplete and regenerated anyway during package create.
The text was updated successfully, but these errors were encountered: