Zarf: Delivering Software in Restricted Environments - A Beginner's Guide!

Kinsey Matthews
6 min read · Nov 7, 2023

What is Zarf?

Zarf is a powerful continuous delivery tool, developed by Defense Unicorns, specifically for air gap and semi-disconnected environments.

Zarf’s story began with a crucial task: installing software on submarines.

During missions, these submarines are entirely cut off from the internet and they only regain partial connectivity when they return to port.

Submarines aren’t known for their spacious interiors! It’s a tight squeeze for all inside — let alone adding tons of software. That’s where Zarf comes in!! Zarf makes sure software updates and installations happen seamlessly in the most challenging of environments.

Let’s chat about what ‘air gap’ and ‘semi-disconnected environments’ mean. Let’s dive in and break things down a bit further:

*Dive* was my excuse to use Taylor Swift in this article! #notSorry
  1. Air Gap: Imagine your computer as a locked vault. An “air gap” is like sealing that vault in a concrete bunker miles away from anything living. It’s the ultimate level of isolation for your computer — No internet bridges, no secret passages — just maximum protection. But here’s the kicker: air gaps have not proven to be 100% secure. Folks are researching new ways all the time to attempt to exfiltrate data. One method involved using SATA cables as antennas & using a gyroscope in a smartphone. None of this means that systems shouldn’t be air-gapped. It only means that the presence of an air gap alone does not negate the need for any other security measures. Even the strongest fortresses have clever invaders to contend with!
  2. Semi-Disconnected Environments: Semi-Disconnected Environments are like ‘air gap’ with a twist. They’re the occasional internet users — think of it as having a pet door to the online world. You might have a hugeeee cat but a very tiny pet door. Semi-Disconnected Environments come with restrictions!

Back to Zarf! Let’s talk about the Key Features and Benefits:

  1. Zarf is your guide for delivering software updates in places where the internet is off-limits.
  2. Submarines are notorious for being completely cut off from the internet during missions. But once they dock at port, there’s a need for software updates. Zarf steps in, even in the tightest of spaces, ensuring software flows smoothly.
  3. Zarf simplifies the process of getting software across the air gap. It works with a zarf.yaml file, allowing you to specify what needs to cross, whether it’s container images, Helm charts, or binary objects.
  4. Zarf acknowledges that the person packaging the software might not be the same as the one deploying it. It’s like turning submariners into software deployers.
  5. Zarf transforms the package into functional software. It follows your defined order in the zarf.yaml, all while maintaining local artifact repositories.
  6. Zarf ensures that your software stays safe and secure, even in the most challenging disconnected environments.
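
A minimal zarf.yaml of the kind items 3 and 5 describe, added here as an illustration (it is not taken from the original article or the Zarf repository). The package name, registry host, chart URL, file path and checksum placeholder are all constructed.

```yaml
# Constructed example: names, hosts, versions and the checksum are placeholders.
kind: ZarfPackageConfig
metadata:
  name: demo-app
  description: Demo application bundled for an air-gapped cluster
  version: 1.0.0

# Components are deployed in the order they are listed here.
components:
  # A binary object carried across the air gap.
  - name: operator-tools
    required: true
    files:
      - source: tools/demo-cli              # local path on the packaging machine
        target: /usr/local/bin/demo-cli     # where it lands on the deploy host
        executable: true
        shasum: "<sha256-of-tools/demo-cli>"  # optional SHA-256 checksum for the file

  # A Helm chart together with the container images it needs.
  - name: demo-app
    required: true
    charts:
      - name: demo-app
        url: https://charts.example.com     # reachable only at package-create time
        version: 1.2.3                      # pin an exact chart version
        namespace: demo
    images:
      # List every image the chart references so it is bundled into the
      # package; pin an exact tag rather than "latest".
      - registry.example.com/demo/app:1.2.3
```

Pinning chart versions, image tags and file checksums in the package definition means the person deploying on the disconnected side receives exactly what the packager reviewed.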

Getting started with Zarf:

  1. The installation for Zarf is documented here. For Mac users, it’s extremely simple via Homebrew:
$ brew tap defenseunicorns/tap && brew install zarf

Verify the installation by running the zarf version command in your terminal:

$ zarf version

If the output shows a version, consider it your “Monopoly moment” — you’re all set, pass go, and collect your $200. 🎩💰

Zarf’s User Interface Overview:

Once Zarf is installed, you can familiarize yourself with its user interface by following these steps:

  1. Open a terminal and launch the Zarf user interface by typing the following command and pressing Enter:
$ zarf ui

The following commands are available:

  • completion: Generates autocompletion scripts for the specified shell.
  • connect: Provides access to services or pods deployed in the cluster.
  • destroy: Tears down the Zarf deployment.
  • help: Provides help information for any command.
  • init: Prepares a Kubernetes cluster for Zarf package deployment.
  • package: Commands for creating, deploying, and inspecting Zarf packages.
  • prepare: Tools to assist in preparing assets for packaging.
  • tools: Additional tools to facilitate air gap operations.
  • version: Displays the version of the Zarf binary.

Setting Up Zarf: The Power of Init

The first step in interacting with Zarf’s capabilities is to run the “zarf init” command. This command installs the essential “init package,” serving as your gateway to Zarf’s functions. Just like any other software, this package needs to be transported across the air gap. It’s located at the root of the Zarf repository, and you can find its zarf.yaml configuration here.

You can either download the init package directly from the Zarf repository or create it by cloning the repository and using the “init-package” make target. This is as simple as running the following command from the repository’s root:

$ make init-package

The init package bundles several components, each with its unique role:

1. K3s (Optional):

  • K3s is an optional component used when there’s a Linux server on the other side of the air gap but no Kubernetes cluster. It enables you to establish a Kubernetes cluster — note: this process requires root access to the Linux server for installation.

2. Zarf Injector:

  • The “Zarf injector” is a tiny & efficient program made in the Rust language, and it’s used to kickstart the “seed registry,” which is important when you can’t rely on external software storage in your target environment.

3. Zarf Seed Registry:

  • Temporary registry to bootstrap the permanent registry. Once the permanent registry is up and running, the seed registry is retired.

4. Zarf Registry:

  • Permanent Zarf registry lives in the same package as the seed registry. It serves as the container registry for any Zarf package deployed to the cluster that requires containers.

5. Git Server:

  • Zarf includes Gitea, a lightweight Git server written in Golang. The purpose of this component is to allow GitOps-style operations to happen in an air gap environment.

6. Zarf Agent:

  • After executing the “zarf init” command, Zarf packages may still be pointing to internet-based repositories and images. The Zarf agent intercepts these requests, rerouting them to in-cluster locations, making sure that all resources are available locally.

With “zarf init,” you establish the foundation for Zarf’s capabilities!!

The Art of Zarf Destruction

When the time comes to say g’bye to Zarf within your cluster, you can execute the “zarf destroy” command.

$ zarf destroy --confirm

But, what if you wish to part ways with everything Zarf brought along, such as components from a deployed package?

  • Complete Farewell with Components: In that case, you can achieve this by appending the “--remove-components” flag to the “zarf destroy --confirm” command. This will ensure the removal of any components or elements it introduced to your cluster.
$ zarf destroy --confirm --remove-components

With Zarf’s capabilities, you can confidently manage packaging, deployment, and inspection of software in air gap and semi-connected environments, knowing that you have the power to bid adieu when the time is right.

Zarf is your bestie for delivering software updates where the internet is off-limits, and it empowers you to navigate the most challenging, disconnected environments with ease and efficiency.

Happy Zarf-ing y’all!
