oasisprotocol · kostko · Feb 12, 2025 · Feb 12, 2025 · Feb 12, 2025
diff --git a/build/rofl/artifacts.go b/build/rofl/artifacts.go
@@ -13,7 +13,7 @@ var LatestContainerArtifacts = ArtifactsConfig{
 	Kernel:   "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.3.3/stage1.bin#539f25c66a27b2ca3c6b4d3333b88c64e531fcc96776c37a12c9ce06dd7fbac9",
 	Stage2:   "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.3.3/stage2-podman.tar.bz2#827531546f3db6b0945ece7ddab4e10d648eaa3ba1c146b7889d7cb9cbf0b507",
 	Container: ContainerArtifactsConfig{
-		Runtime: "https://github.com/oasisprotocol/oasis-sdk/releases/download/rofl-containers%2Fv0.3.4/rofl-containers#d6a055b2e88e1f321e3ab1f73046444e24df9d8925d13cc6b8230de9a81e5c41",
+		Runtime: "https://github.com/oasisprotocol/oasis-sdk/releases/download/rofl-containers%2Fv0.4.1/rofl-containers#bdd2735af9ff10c9b1c1e8db535f4751739bd3707600c57b81e80195e6207673",
 		Compose: "compose.yaml",
 	},
 }
diff --git a/cmd/rofl/build/build.go b/cmd/rofl/build/build.go
@@ -46,7 +46,10 @@ var (
 		Run: func(_ *cobra.Command, _ []string) {
 			cfg := cliConfig.Global()
 			npa := common.GetNPASelection(cfg)
-			manifest, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, true)
+			manifest, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, &roflCommon.ManifestOptions{
+				NeedAppID: true,
+				NeedAdmin: false,
+			})
 
 			if doVerify && doUpdate {
 				cobra.CheckErr("only one of --verify and --update-manifest may be passed")

diff --git a/cmd/rofl/common/manifest.go b/cmd/rofl/common/manifest.go
@@ -10,14 +10,23 @@ import (
 	"github.com/oasisprotocol/cli/config"
 )
 
+// ManifestOptions configures the manifest options.
+type ManifestOptions struct {
+	// NeedAppID specifies whether a configured app ID is required in the manifest.
+	NeedAppID bool
+	// NeedAdmin specifies whether a valid admin is required in the manifest. In case this is set to
+	// false and the admin account does not exist, the account will not be modified.
+	NeedAdmin bool
+}
+
 // LoadManifestAndSetNPA loads the ROFL app manifest and reconfigures the network/paratime/account
 // selection.
 //
 // In case there is an error in loading the manifest, it aborts the application.
-func LoadManifestAndSetNPA(cfg *config.Config, npa *common.NPASelection, deployment string, needAppID bool) (*rofl.Manifest, *rofl.Deployment) {
-	manifest, d, err := MaybeLoadManifestAndSetNPA(cfg, npa, deployment)
+func LoadManifestAndSetNPA(cfg *config.Config, npa *common.NPASelection, deployment string, opts *ManifestOptions) (*rofl.Manifest, *rofl.Deployment) {
+	manifest, d, err := MaybeLoadManifestAndSetNPA(cfg, npa, deployment, opts)
 	cobra.CheckErr(err)
-	if needAppID && !d.HasAppID() {
+	if opts != nil && opts.NeedAppID && !d.HasAppID() {
 		cobra.CheckErr(fmt.Errorf("deployment '%s' does not have an app ID set, maybe you need to run `oasis rofl create`", deployment))
 	}
 	return manifest, d
@@ -27,7 +36,7 @@ func LoadManifestAndSetNPA(cfg *config.Config, npa *common.NPASelection, deploym
 // network/paratime/account selection.
 //
 // In case there is an error in loading the manifest, it is returned.
-func MaybeLoadManifestAndSetNPA(cfg *config.Config, npa *common.NPASelection, deployment string) (*rofl.Manifest, *rofl.Deployment, error) {
+func MaybeLoadManifestAndSetNPA(cfg *config.Config, npa *common.NPASelection, deployment string, opts *ManifestOptions) (*rofl.Manifest, *rofl.Deployment, error) {
 	manifest, err := rofl.LoadManifest()
 	if err != nil {
 		return nil, nil, err
@@ -66,11 +75,15 @@ func MaybeLoadManifestAndSetNPA(cfg *config.Config, npa *common.NPASelection, de
 	case "":
 	default:
 		accCfg, err := common.LoadAccountConfig(cfg, d.Admin)
-		if err != nil {
+		switch {
+		case err == nil:
+			npa.Account = accCfg
+			npa.AccountName = d.Admin
+		case opts != nil && opts.NeedAdmin:
 			return nil, nil, err
+		default:
+			// Admin account is not valid, but it is also not required, so do not override.
 		}
-		npa.Account = accCfg
-		npa.AccountName = d.Admin
 	}
 	return manifest, d, nil
 }
diff --git a/cmd/rofl/mgmt.go b/cmd/rofl/mgmt.go
@@ -202,7 +202,10 @@ var (
 			if len(args) > 0 {
 				policy = loadPolicy(args[0])
 			} else {
-				manifest, deployment = roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, false)
+				manifest, deployment = roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, &roflCommon.ManifestOptions{
+					NeedAppID: false,
+					NeedAdmin: true,
+				})
 				policy = deployment.Policy
 			}
 
@@ -293,7 +296,10 @@ var (
 				rawAppID = args[0]
 				policy = loadPolicy(policyFn)
 			} else {
-				_, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, true)
+				_, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, &roflCommon.ManifestOptions{
+					NeedAppID: true,
+					NeedAdmin: true,
+				})
 				rawAppID = deployment.AppID
 
 				if adminAddress == "" && deployment.Admin != "" {
@@ -374,7 +380,10 @@ var (
 			if len(args) > 0 {
 				rawAppID = args[0]
 			} else {
-				_, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, true)
+				_, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, &roflCommon.ManifestOptions{
+					NeedAppID: true,
+					NeedAdmin: true,
+				})
 				rawAppID = deployment.AppID
 			}
 			var appID rofl.AppID
@@ -423,7 +432,10 @@ var (
 			if len(args) > 0 {
 				rawAppID = args[0]
 			} else {
-				_, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, true)
+				_, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, &roflCommon.ManifestOptions{
+					NeedAppID: true,
+					NeedAdmin: false,
+				})
 				rawAppID = deployment.AppID
 			}
 			var appID rofl.AppID
@@ -494,7 +506,10 @@ var (
 			cfg := cliConfig.Global()
 			npa := common.GetNPASelection(cfg)
 
-			manifest, _ := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, false)
+			manifest, _ := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, &roflCommon.ManifestOptions{
+				NeedAppID: false,
+				NeedAdmin: false,
+			})
 
 			switch manifest.TEE {
 			case buildRofl.TEETypeTDX:
@@ -532,7 +547,10 @@ var (
 			secretName := args[0]
 			secretFn := args[1]
 
-			manifest, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, true)
+			manifest, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, &roflCommon.ManifestOptions{
+				NeedAppID: true,
+				NeedAdmin: false,
+			})
 			var appID rofl.AppID
 			if err := appID.UnmarshalText([]byte(deployment.AppID)); err != nil {
 				cobra.CheckErr(fmt.Errorf("malformed ROFL app ID: %w", err))
@@ -598,7 +616,10 @@ var (
 			npa := common.GetNPASelection(cfg)
 			secretName := args[0]
 
-			_, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, true)
+			_, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, &roflCommon.ManifestOptions{
+				NeedAppID: false,
+				NeedAdmin: false,
+			})
 			var secret *buildRofl.SecretConfig
 			for _, sc := range deployment.Secrets {
 				if sc.Name != secretName {
@@ -629,11 +650,10 @@ var (
 			npa := common.GetNPASelection(cfg)
 			secretName := args[0]
 
-			manifest, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, true)
-			var appID rofl.AppID
-			if err := appID.UnmarshalText([]byte(deployment.AppID)); err != nil {
-				cobra.CheckErr(fmt.Errorf("malformed ROFL app ID: %w", err))
-			}
+			manifest, deployment := roflCommon.LoadManifestAndSetNPA(cfg, npa, deploymentName, &roflCommon.ManifestOptions{
+				NeedAppID: false,
+				NeedAdmin: false,
+			})
 
 			var (
 				newSecrets []*buildRofl.SecretConfig