Skip to main content

Package Sources

Zarf currently supports consuming packages from the following sources:

Local Tarball Path (.tar and .tar.zst)

A local tarball is the default output of zarf package create and is a package contained within a tarball with or without Zstandard compression. Compression is determined by a given package's metadata.uncompressed key within it's zarf.yaml package definition

Split Tarball Path (.part...)

A split tarball is a local tarball that has been split into multiple parts so that it can fit on smaller media when traveling to a disconnected environment (i.e. on DVDs). These packages are created by specifying a maximum number of megabytes with --max-package-size on zarf package create and if the resulting tarball is larger than that size it will be split into chunks.

Remote Tarball URL (http:// and https:// )

A remote tarball is a Zarf package tarball that is hosted on a web server that is accessible to the current machine. By default Zarf does not provide a mechanism to place a package on a web server, but this is easy to orchestrate with other tooling such as uploading a package to a continuous integration system's artifact storage or to a repository's release page.

Remote OCI Reference (oci://)

An OCI package is one that has been published to an OCI compatible registry using zarf package publish or the -o option on zarf package create. These packages live within a given registry and you can learn more about them in our Publish & Deploy Packages w/OCI Tutorial.

Commands with Sources

A source can be used with the following commands as their first argument:

  • zarf package deploy <source>
  • zarf package inspect <source>
  • zarf package remove <source>
  • zarf package publish <source>
  • zarf package pull <source>
  • zarf package mirror-resources <source>
note

In addition to the traditional sources outlined above, there is also a special "Cluster" source available on inspect and remove that allows for referencing a deployed package via its name:

  • zarf package inspect <package name>
  • zarf package remove <package name>

Additionally, inspecting a package deployed to a cluster will not be able to show the package's SBOMs, as they are not currently persisted to the cluster.