zarf-dev · Racer159 · May 22, 2023 · May 16, 2023 · May 17, 2023 · May 17, 2023
@@ -9,3 +9,6 @@ ignore:
 
   # From go-git - Zarf does not use go-git (or its imported crypto libraries) to generate secrets
   - vulnerability: GHSA-2q89-485c-9j2x
+
+  # From go-git - Zarf does not use go-git (or its imported crypto libraries) to generate secrets
+  - vulnerability: CVE-2023-1732
@@ -4,7 +4,7 @@
 List the repos in a registry
 
 ```
-zarf tools registry catalog [REGISTRY] [flags]
+zarf tools registry catalog REGISTRY [flags]
 ```
 
 ## Examples
@@ -20,7 +20,8 @@ zarf tools registry catalog [REGISTRY] [flags]
 ## Options
 
 ```
-  -h, --help   help for catalog
+      --full-ref   (Optional) if true, print the full image reference
+  -h, --help       help for catalog
 ```
 
 ## Options inherited from parent commands

@@ -10,7 +10,10 @@ zarf tools registry copy SRC DST [flags]
 ## Options
 
 ```
-  -h, --help   help for copy
+      --all-tags     (Optional) if true, copy all tags from SRC to DST
+  -h, --help         help for copy
+  -j, --jobs int     (Optional) The maximum number of concurrent copies, defaults to GOMAXPROCS
+  -n, --no-clobber   (Optional) if true, avoid overwriting existing tags in DST
 ```
 
 ## Options inherited from parent commands

@@ -22,10 +22,10 @@ require (
 	github.com/go-git/go-git/v5 v5.6.1
 	github.com/go-logr/logr v1.2.4
 	github.com/goccy/go-yaml v1.11.0
-	github.com/google/go-containerregistry v0.14.0
+	github.com/google/go-containerregistry v0.15.2
 	github.com/mholt/archiver/v3 v3.5.1
 	github.com/moby/moby v23.0.6+incompatible
-	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
+	github.com/opencontainers/image-spec v1.1.0-rc3
 	github.com/otiai10/copy v1.11.0
 	github.com/pkg/errors v0.9.1
 	github.com/pterm/pterm v0.12.59

@@ -2,7 +2,6 @@ apiVersion: v1
 description: Zarf internal registry
 name: docker-registry
 version: 1.0.0
-appVersion: 2.8.1
 
 maintainers:
   - name: The Zarf Authors

@@ -4,7 +4,7 @@ podLabels: {}
 
 image:
   repository: registry
-  tag: 2.8.1
+  tag: 2.8.2
 
 service:
   name: registry

@@ -40,6 +40,9 @@ func CheckVendorOnly() bool {
 		"wait-for",
 		"wait",
 		"w",
+		"crane",
+		"registry",
+		"r",
 	}
 
 	// Check for "zarf tools|t <cmd>" where <cmd> is in the vendorCmd list

@@ -17,22 +17,29 @@ func init() {
 	// No package information is available so do not pass in a list of architectures
 	cranePlatformOptions := config.GetCraneOptions(false)
 
-	craneLogin := craneCmd.NewCmdAuthLogin()
-	craneLogin.Example = ""
-
 	registryCmd := &cobra.Command{
 		Use:     "registry",
 		Aliases: []string{"r", "crane"},
 		Short:   lang.CmdToolsRegistryShort,
 	}
 
-	toolsCmd.AddCommand(registryCmd)
+	craneLogin := craneCmd.NewCmdAuthLogin()
+	craneLogin.Example = ""
 
 	registryCmd.AddCommand(craneLogin)
 	registryCmd.AddCommand(craneCmd.NewCmdPull(&cranePlatformOptions))
 	registryCmd.AddCommand(craneCmd.NewCmdPush(&cranePlatformOptions))
-	registryCmd.AddCommand(craneCmd.NewCmdCopy(&cranePlatformOptions))
+
+	craneCopy := craneCmd.NewCmdCopy(&cranePlatformOptions)
+	copyFlags := craneCopy.Flags()
+	copyFlags.Lookup("all-tags").Shorthand = ""
+	craneCopy.ResetFlags()
+	craneCopy.Flags().AddFlagSet(copyFlags)
+
+	registryCmd.AddCommand(craneCopy)
 	registryCmd.AddCommand(zarfCraneCatalog(&cranePlatformOptions))
+
+	toolsCmd.AddCommand(registryCmd)
 }
 
 // Wrap the original crane catalog with a zarf specific version

@@ -135,6 +135,9 @@ func GetCraneOptions(insecure bool, archs ...string) []crane.Option {
 			Architecture: GetArch(archs...),
 		}),
 		crane.WithUserAgent("zarf"),
+		// TODO: (@WSTARR) this is set to limit pushes to registry pods and reduce the likelihood that crane will get stuck.
+		// We should investigate this further in the future to dig into more of what is happening (see https://github.com/defenseunicorns/zarf/issues/1568)
+		crane.WithJobs(1),
 	)
 
 	return options

@@ -4,3 +4,6 @@ twistlock:
   values:
     init:
       enabled: false
+
+    console:
+      volumeUpgrade: false
@@ -188,7 +188,7 @@ func (i *ImgConfig) PullImage(src string, spinner *message.Spinner) (img v1.Imag
 
 		// Warn the user if the image is large.
 		if rawImg.Size > 750*1000*1000 {
-			warn := pterm.DefaultParagraph.WithMaxWidth(80).Sprintf("%s is %s and may take a very long time to load via docker. "+
+			warn := pterm.DefaultParagraph.WithMaxWidth(message.TermWidth).Sprintf("%s is %s and may take a very long time to load via docker. "+
 				"See https://docs.zarf.dev/docs/faq for suggestions on how to improve large local image loading operations.",
 				src, utils.ByteFormat(float64(rawImg.Size), 2))
 			spinner.Warnf(warn)

@@ -57,42 +57,44 @@ func (i *ImgConfig) PushToZarfRegistry() error {
 	pushOptions = append(pushOptions, crane.WithTransport(craneTransport))
 	message.Debugf("crane pushOptions = %#v", pushOptions)
 
-	for src, img := range imageMap {
-		progressBar.UpdateTitle(fmt.Sprintf("Pushing %s", src))
-
-		var (
-			err         error
-			tunnel      *cluster.Tunnel
-			registryURL string
-			target      string
-		)
-
-		if i.RegInfo.InternalRegistry {
-			// Establish a registry tunnel to send the images to the zarf registry
-			if tunnel, err = cluster.NewZarfTunnel(); err != nil {
-				return err
-			}
-			target = cluster.ZarfRegistry
-		} else {
-			svcInfo, err := cluster.ServiceInfoFromNodePortURL(i.RegInfo.Address)
-
-			// If this is a service (no error getting svcInfo), create a port-forward tunnel to that resource
-			if err == nil {
-				if tunnel, err = cluster.NewTunnel(svcInfo.Namespace, cluster.SvcResource, svcInfo.Name, 0, svcInfo.Port); err != nil {
-					return err
-				}
-			}
+	var (
+		err         error
+		tunnel      *cluster.Tunnel
+		registryURL string
+		target      string
+	)
+
+	if i.RegInfo.InternalRegistry {
+		// Establish a registry tunnel to send the images to the zarf registry
+		if tunnel, err = cluster.NewZarfTunnel(); err != nil {
+			return err
 		}
+		target = cluster.ZarfRegistry
+	} else {
+		svcInfo, err := cluster.ServiceInfoFromNodePortURL(i.RegInfo.Address)
 
-		if tunnel != nil {
-			err = tunnel.Connect(target, false)
-			if err != nil {
+		// If this is a service (no error getting svcInfo), create a port-forward tunnel to that resource
+		if err == nil {
+			if tunnel, err = cluster.NewTunnel(svcInfo.Namespace, cluster.SvcResource, svcInfo.Name, 0, svcInfo.Port); err != nil {
 				return err
 			}
-			registryURL = tunnel.Endpoint()
-		} else {
-			registryURL = i.RegInfo.Address
 		}
+	}
+
+	if tunnel != nil {
+		err = tunnel.Connect(target, false)
+		if err != nil {
+			return err
+		}
+		registryURL = tunnel.Endpoint()
+		defer tunnel.Close()
+	} else {
+		registryURL = i.RegInfo.Address
+	}
+
+	for src, img := range imageMap {
+		srcTruncated := message.Truncate(src, 55, true)
+		progressBar.UpdateTitle(fmt.Sprintf("Pushing %s", srcTruncated))
 
 		// If this is not a no checksum image push it for use with the Zarf agent
 		if !i.NoChecksum {
@@ -120,10 +122,6 @@ func (i *ImgConfig) PushToZarfRegistry() error {
 		if err = crane.Push(img, offlineName, pushOptions...); err != nil {
 			return err
 		}
-
-		if tunnel != nil {
-			tunnel.Close()
-		}
 	}
 
 	progressBar.Successf("Pushed %d images to the zarf registry", len(i.ImgList))

@@ -32,8 +32,8 @@ const (
 	// TraceLevel level. Designates finer-grained informational events than the Debug.
 	TraceLevel
 
-	// termWidth sets the width of full width elements like progressbars and headers
-	termWidth = 85
+	// TermWidth sets the width of full width elements like progressbars and headers
+	TermWidth = 85
 )
 
 // NoProgress tracks whether spinner/progress bars show updates.
@@ -69,7 +69,6 @@ func init() {
 		Text: " •",
 	}
 
-	pterm.DefaultProgressbar.MaxWidth = termWidth
 	pterm.SetDefaultOutput(os.Stderr)
 }
 
@@ -211,9 +210,9 @@ func Notef(format string, a ...any) {
 
 // HeaderInfof prints a large header with a formatted message.
 func HeaderInfof(format string, a ...any) {
-	message := Truncate(fmt.Sprintf(format, a...), termWidth)
+	message := Truncate(fmt.Sprintf(format, a...), TermWidth, false)
 	// Ensure the text is consistent for the header width
-	padding := termWidth - len(message)
+	padding := TermWidth - len(message)
 	pterm.Println()
 	pterm.DefaultHeader.
 		WithBackgroundStyle(pterm.NewStyle(pterm.BgDarkGray)).
@@ -265,12 +264,18 @@ func PrintDiff(textA, textB string) {
 }
 
 // Truncate truncates provided text to the requested length
-func Truncate(text string, length int) string {
+func Truncate(text string, length int, invert bool) string {
 	// Remove newlines and replace with semicolons
 	textEscaped := strings.ReplaceAll(text, "\n", "; ")
 	// Truncate the text if it is longer than length so it isn't too long.
 	if len(textEscaped) > length {
-		textEscaped = textEscaped[:length-3] + "..."
+		if invert {
+			start := len(textEscaped) - length + 3
+			textEscaped = "..." + textEscaped[start:]
+		} else {
+			end := length - 3
+			textEscaped = textEscaped[:end] + "..."
+		}
 	}
 	return textEscaped
 }

@@ -8,6 +8,8 @@ import (
 	"github.com/pterm/pterm"
 )
 
+const padding = "    "
+
 // ProgressBar is a struct used to drive a pterm ProgressbarPrinter.
 type ProgressBar struct {
 	progress  *pterm.ProgressbarPrinter
@@ -23,8 +25,9 @@ func NewProgressBar(total int64, text string) *ProgressBar {
 		progress, _ = pterm.DefaultProgressbar.
 			WithTotal(int(total)).
 			WithShowCount(false).
-			WithTitle(text).
+			WithTitle(padding + text).
 			WithRemoveWhenDone(true).
+			WithMaxWidth(TermWidth).
 			Start()
 	}
 
@@ -40,7 +43,7 @@ func (p *ProgressBar) Update(complete int64, text string) {
 		Debug(text)
 		return
 	}
-	p.progress.UpdateTitle("     " + text)
+	p.progress.UpdateTitle(padding + text)
 	chunk := int(complete) - p.progress.Current
 	p.Add(chunk)
 }
@@ -51,7 +54,7 @@ func (p *ProgressBar) UpdateTitle(text string) {
 		Debug(text)
 		return
 	}
-	p.progress.UpdateTitle("     " + text)
+	p.progress.UpdateTitle(padding + text)
 }
 
 // Add updates the ProgressBar with completed progress.

@@ -73,7 +73,7 @@ func (p *Packager) runAction(defaultCfg types.ZarfComponentActionDefaults, actio
 	if action.Description != "" {
 		cmdEscaped = action.Description
 	} else {
-		cmdEscaped = message.Truncate(cmd, 60)
+		cmdEscaped = message.Truncate(cmd, 60, false)
 	}
 
 	spinner := message.NewProgressSpinner("Running \"%s\"", cmdEscaped)

@@ -217,6 +217,7 @@ func getOCIPackageSize(src *utils.OrasRemote, layers ...string) (int64, error) {
 	if err != nil {
 		return 0, err
 	}
+
 	manifestLayers := manifest.Layers
 
 	processedLayers := make(map[string]bool)

@@ -222,15 +222,11 @@ func (p *Packager) publishImage(dst *utils.OrasRemote, src *file.Store, descs []
 	return root, nil
 }
 
-func (p *Packager) generateAnnotations(artifactType string) map[string]string {
+func (p *Packager) generateAnnotations() map[string]string {
 	annotations := map[string]string{
 		ocispec.AnnotationDescription: p.cfg.Pkg.Metadata.Description,
 	}
 
-	if artifactType == ocispec.MediaTypeArtifactManifest {
-		annotations[ocispec.AnnotationTitle] = p.cfg.Pkg.Metadata.Name
-	}
-
 	if url := p.cfg.Pkg.Metadata.URL; url != "" {
 		annotations[ocispec.AnnotationURL] = url
 	}
@@ -321,7 +317,7 @@ func (p *Packager) loadSkeleton() error {
 
 // pack creates an artifact/image manifest from the provided descriptors and pushes it to the store
 func (p *Packager) pack(ctx context.Context, artifactType string, descs []ocispec.Descriptor, src *file.Store, packOpts oras.PackOptions) (ocispec.Descriptor, error) {
-	packOpts.ManifestAnnotations = p.generateAnnotations(artifactType)
+	packOpts.ManifestAnnotations = p.generateAnnotations()
 	root, err := oras.Pack(ctx, src, artifactType, descs, packOpts)
 	if err != nil {
 		return ocispec.Descriptor{}, err