Skip to main content

Module updates

Module updates 

Source
Expand description

gtc op updates {enroll,status} — P1b update-channel client-certificate enrollment (Phase 1 of the Greentic updater).

enroll mints a fresh key pair + CSR (via greentic-update), exchanges it at the Cert-CA’s /v1/enroll endpoint for a signed client certificate, and persists the cert + key + issuing CA (and the CA URL) into the env’s configured secrets backend under the tls pack. Running it again overwrites the stored material — so it is also the manual rotation path. status reads the stored certificate back and reports its serial + validity window.

Enrollment happens before the client holds a certificate, so it cannot use the mTLS update channel itself: this verb drives greentic-update::enroll over a plain server-auth bootstrap client. Persistence lives here (the caller), not in greentic-update, which stays free of any secrets dependency — the crate returns raw PEM and the operator persists it.

Structs§

ApplyUpdatesPayload
Payload for op updates apply — apply a staged plan to its environment.
RecoverUpdatesPayload
Payload for op updates recover — force a plan stranded in applying by a crashed applier to failed, so a fresh get + apply can proceed. The --force attestation is a CLI-only argument (operator intent, not a replayable answers field), so it is threaded separately, not carried here.
UpdateConfigSetPayload
Payload for op updates config-set — set the update-channel notification policy (update-channel.json). Every behavior field is optional; only those supplied are changed, the rest keep their stored value (same semantics as op config set). Enrollment/identity is unaffected — this is policy only.
UpdateConfigShowFilter
Filter for op updates config-show — read-only view of the update-channel policy (stored fields + resolved effective values).
UpdatesEnrollPayload
Payload for op updates enroll.
UpdatesGetPayload
Payload for op updates get. Exactly one plan source is required: plan_url (fetched over the enrolled mTLS channel) or the plan_file + plan_sig_file pair (airgap import / local testing).
UpdatesStatusPayload
Payload for op updates status.

Functions§

apply_updates
op updates apply — apply a STAGED update plan to its environment (Phase 3 of the Greentic updater). Mutation.
config_set
op updates config-set — set the update-channel notification policy. Only the fields supplied are changed; the rest keep their stored value. An absent update-channel.json is seeded from disabled (deny-by-default), so the first config-set is what turns the channel on.
config_show
op updates config-show — read the update-channel policy: the raw stored fields plus the resolved effective values. Read-only, not audited.
enroll
op updates enroll — enroll with the Cert-CA and persist the signed client certificate + key + issuing CA (and the CA URL) into the env secrets backend. Idempotent by overwrite: re-running mints a fresh identity (manual rotation).
get
op updates get — pull a signed update plan (over the enrolled mTLS channel or from a local file), verify it against the env trust root, run the downgrade + compatibility gates, and admit it to the update staging tree.
plan_build
op updates plan-build — build and DSSE-sign an [UpdatePlan] carrying a content target (--target-file), one or more binary artifacts (--binary), or both, writing plan.json + plan.json.sig to the output directory. The emitted pair round-trips through greentic_update::plan::verify_update_plan against the env’s trust root.
recover_updates
op updates recover — force-fail a plan stranded in applying by a crashed applier (Phase 3.1 of the Greentic updater). Mutation.
status
op updates status — report whether the env holds an enrolled update-channel certificate and, if so, its serial + validity window. Read-only (not audited), so it never reveals the private key.