A Zarf Package is meant to be a transparent "envelope" of what is packaged for secure software delivery. This is intentional, so that packages can cross organizational boundaries with their provenance and trust intact.
You can inspect a Zarf Package in multiple locations:
- A tarball on your filesystem
- Published to an OCI Registry
- Deployed to your Kubernetes Cluster
Make sure you're in the same zarf-package directory you used in Parts 1 and 2.
You might be asking yourself — "What actually happened earlier when I packaged ArgoCD?"
Decompress the package tarball to take a look:
zarf tools archiver decompress zarf-package-argocd-amd64-9.4.4.tar.zst unarchived/ --unarchive-all
Note: Replace the filename with the actual tarball name if your architecture differs (e.g., arm64 instead of amd64).
You should see a structure like the following:
unarchived
├── checksums.txt
├── components
│   └── argocd
│       ├── charts
│       │   └── argo-cd-9.4.4.tgz
│       └── values
│           └── argo-cd-9.4.4-0
├── images
│   ├── blobs
│   │   └── sha256
│   │       └── ...
│   ├── index.json
│   ├── ingest
│   └── oci-layout
├── sboms
│   ├── compare.html
│   ├── docker.io_library_redis_8.2.3-alpine.json
│   ├── quay.io_argoproj_argocd_v3.3.2.json
│   ├── sbom-viewer-docker.io_library_redis_8.2.3-alpine.html
│   └── sbom-viewer-quay.io_argoproj_argocd_v3.3.2.html
└── zarf.yaml
This expands as you add more components to the manifest in such a way that Zarf can deterministically deploy 1→N applications from a given manifest.
If you were to sign this Zarf Package, you would additionally see the signature included in the archive — creating more portable provenance for cryptographic integrity.
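The images directory in the tree above is an OCI image layout, so its blobs can be checked offline against their own file names. The script below is an added example, not part of the Zarf docs or Zarf's code; its function names are hypothetical, and it checks internal consistency only, not who produced the package.

```shell
#!/bin/sh
# Added example (not from the Zarf docs): integrity check for the OCI image
# layout in unarchived/images. Blobs are content-addressed, so every file
# under blobs/sha256/ must hash to its own file name.

sha256_of() {  # print the hex SHA-256 digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_oci_layout DIR: print one line per problem; return 0 only if clean.
verify_oci_layout() {
    layout=$1
    rc=0
    [ -f "$layout/index.json" ] || { echo "MISSING index.json"; return 1; }
    # 1. Each blob's content must match the digest in its file name.
    for blob in "$layout"/blobs/sha256/*; do
        [ -f "$blob" ] || continue
        want=$(basename "$blob")
        got=$(sha256_of "$blob")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $want (content hashes to $got)"
            rc=1
        fi
    done
    # 2. Each digest referenced by index.json must exist as a blob.
    for digest in $(grep -o 'sha256:[0-9a-f]\{64\}' "$layout/index.json" | sort -u); do
        if [ ! -f "$layout/blobs/sha256/${digest#sha256:}" ]; then
            echo "MISSING $digest (referenced by index.json)"
            rc=1
        fi
    done
    return "$rc"
}

# make_demo_layout DIR: build a constructed one-blob layout for testing.
make_demo_layout() {
    mkdir -p "$1/blobs/sha256"
    printf '{"schemaVersion":2}' > "$1/manifest.tmp"
    d=$(sha256_of "$1/manifest.tmp")
    mv "$1/manifest.tmp" "$1/blobs/sha256/$d"
    printf '{"manifests":[{"digest":"sha256:%s"}]}' "$d" > "$1/index.json"
}

# Real package: sh this-script.sh unarchived/images
if [ "$#" -gt 0 ]; then verify_oci_layout "$1"; fi
```

A clean layout produces no output and exit status 0; any MISMATCH or MISSING line means the extracted images no longer match what index.json describes.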
The zarf package inspect command provides further transparency into the package:
zarf package inspect --help
This will output the following sub-commands:
definition     Displays the 'zarf.yaml' definition for the specified package
documentation  Extract documentation files from the package
images         List all container images contained in the package
manifests      Template and output all manifests and charts in a package
sbom           Output the package SBOM (Software Bill Of Materials) to the specified directory
values-files   Creates, templates, and outputs the values-files to be sent to each chart
Try a few of them:
View the zarf.yaml definition for the package:
zarf package inspect definition zarf-package-argocd-amd64-9.4.4.tar.zst
See all of the rendered manifests for the packaged Helm charts:
zarf package inspect manifests zarf-package-argocd-amd64-9.4.4.tar.zst
View the values files that will be sent to each chart:
zarf package inspect values-files zarf-package-argocd-amd64-9.4.4.tar.zst
Output the package SBOMs to a local directory:
zarf package inspect sbom zarf-package-argocd-amd64-9.4.4.tar.zst
List the images included in the package:
zarf package inspect images zarf-package-argocd-amd64-9.4.4.tar.zst
Zarf doesn't just package applications into deterministic archives; it also tracks state when deploying. This enables users to identify which versions of applications they have deployed, as well as inspect or remove them.
List deployed packages:
zarf package list
Inspect the definition of a deployed package:
zarf package inspect definition argocd
View the images from a deployed package:
zarf package inspect images argocd
Note: Currently Zarf does not store SBOMs or values-files for deployed packages.
Given that Zarf stores the deployed package state, you have the option to upgrade packages in-place or remove a package and all of its resources.
Confirm the argocd package is still deployed:
zarf package list
Remove the argocd package from the cluster:
zarf package remove argocd
This will prompt you to confirm removal. You can also use the --confirm flag to auto-confirm.
Verify the package has been removed:
zarf tools kubectl get all -n argocd
You should see that the argocd namespace and its resources are gone.