Operating Environments

Rugged is designed to be deployed in a distributed set of environments that are isolated from each other, for security purposes. The following pages describe the system requirements and setup for each of the environments.

Packaging environment

You will already have a packaging pipeline where the packages you are securing with TUF are built. At the scale Rugged is being designed for, this is likely to be an automated process (e.g. a CI pipeline). At a smaller scale, for a very small set of packages, this could be as little as a single maintainer’s laptop.

You will need to arrange for Rugged to be notified at the end of this packaging process, as described in the Packaging environment reference page.

TUF workers

The TUF workers are responsible for generating and signing metadata. Each contains a separate online keypair, so we aim to minimize access to these environments as much as possible. Rugged’s security model relies on these environments being isolated, with access to them kept to a minimum.

Monitor worker (optional)

To further isolate the Packaging environment from the Rugged system, you can optionally provision a Monitor worker, which allows us to remove any Rugged credentials from the Packaging environment.

This also simplifies what the packaging process needs to do. Instead of invoking the Rugged CLI to add-targets, you simply need to upload packaged targets to a shared filesystem, from which the Monitor worker handles adding them to the TUF repo.

The Monitor worker will also handle recurring tasks like refreshing metadata expiry times.

Admin environment (ephemeral)

The Admin environment is used to initialize the TUF repository, as well as to generate and rotate keys. It has privileged access to all of the online keys (at least). Because of this privileged access, the Admin environment is not intended to be active or running at all times. When not in use, it should be shut down or destroyed.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Rugged TUF Server is a trademark of Consensus Enterprises.