Expand description
gtc op updates {enroll,status} — P1b update-channel client-certificate
enrollment (Phase 1 of the Greentic updater).
enroll mints a fresh key pair + CSR (via greentic-update), exchanges it
at the Cert-CA’s /v1/enroll endpoint for a signed client certificate, and
persists the cert + key + issuing CA (and the CA URL) into the env’s
configured secrets backend under the tls pack. Running it again overwrites
the stored material — so it is also the manual rotation path. status reads
the stored certificate back and reports its serial + validity window.
Enrollment happens before the client holds a certificate, so it cannot use
the mTLS update channel itself: this verb drives greentic-update::enroll
over a plain server-auth bootstrap client. Persistence lives here (the
caller), not in greentic-update, which stays free of any secrets
dependency — the crate returns raw PEM and the operator persists it.
Structs§
- Apply
Updates Payload - Payload for
op updates apply— apply a staged plan to its environment. - Recover
Updates Payload - Payload for
op updates recover— force a plan stranded inapplyingby a crashed applier tofailed, so a freshget+applycan proceed. The--forceattestation is a CLI-only argument (operator intent, not a replayable answers field), so it is threaded separately, not carried here. - Update
Config SetPayload - Payload for
op updates config-set— set the update-channel notification policy (update-channel.json). Every behavior field is optional; only those supplied are changed, the rest keep their stored value (same semantics asop config set). Enrollment/identity is unaffected — this is policy only. - Update
Config Show Filter - Filter for
op updates config-show— read-only view of the update-channel policy (stored fields + resolved effective values). - Updates
Enroll Payload - Payload for
op updates enroll. - Updates
GetPayload - Payload for
op updates get. Exactly one plan source is required:plan_url(fetched over the enrolled mTLS channel) or theplan_file+plan_sig_filepair (airgap import / local testing). - Updates
Status Payload - Payload for
op updates status.
Functions§
- apply_
updates op updates apply— apply a STAGED update plan to its environment (Phase 3 of the Greentic updater). Mutation.- config_
set op updates config-set— set the update-channel notification policy. Only the fields supplied are changed; the rest keep their stored value. An absentupdate-channel.jsonis seeded fromdisabled(deny-by-default), so the firstconfig-setis what turns the channel on.- config_
show op updates config-show— read the update-channel policy: the raw stored fields plus the resolved effective values. Read-only, not audited.- enroll
op updates enroll— enroll with the Cert-CA and persist the signed client certificate + key + issuing CA (and the CA URL) into the env secrets backend. Idempotent by overwrite: re-running mints a fresh identity (manual rotation).- get
op updates get— pull a signed update plan (over the enrolled mTLS channel or from a local file), verify it against the env trust root, run the downgrade + compatibility gates, and admit it to the update staging tree.- plan_
build op updates plan-build— build and DSSE-sign an [UpdatePlan] carrying a content target (--target-file), one or more binary artifacts (--binary), or both, writingplan.json+plan.json.sigto the output directory. The emitted pair round-trips throughgreentic_update::plan::verify_update_planagainst the env’s trust root.- recover_
updates op updates recover— force-fail a plan stranded inapplyingby a crashed applier (Phase 3.1 of the Greentic updater). Mutation.- status
op updates status— report whether the env holds an enrolled update-channel certificate and, if so, its serial + validity window. Read-only (not audited), so it never reveals the private key.