The Monitor worker provides a mechanism to trigger TUF signing without requiring any credentials (or the CLI) to be present in the packaging environment.
The Monitor Worker acts as a bridge between the Packaging Pipeline and the rest of the Rugged workers. It mounts two remote filesystems: the incoming-targets directory on a network filesystem shared with the rest of the Rugged components, and a second “post-to-TUF” directory. The latter is where the packaging pipeline writes specially named sub-directories containing the targets to be signed.

Also, see the Workflow diagram that illustrates the Monitor worker’s functionality within the Rugged system.
The Monitor worker performs the following tasks:

- post-to-tuf directory.
- monitor-worker has proper filesystem permissions.

As with the other Rugged workers, the Monitor Worker is implemented using the Celery distributed task queue. However, unlike the TUF workers (timestamp-worker, etc.), the monitor-worker is not responsible for generating or signing any metadata itself. As such, it does not have any keypairs associated with it.
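The following is an added illustration of the polling logic such a bridge worker performs, not Rugged's own code. It assumes a hypothetical naming rule for the sub-directories (BATCH_NAME), a hypothetical trigger callable standing in for the Celery dispatch of the signing task, and constructed sample directories under a temporary tree. The security-relevant point it shows is that the post-to-TUF directory is written by the packaging pipeline, so the worker treats its contents as untrusted: symlinks, stray files, ill-formed names and nested content are rejected rather than passed on to the signing workers.

```python
import re
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Hypothetical naming rule for the sub-directories the packaging pipeline
# drops into post-to-TUF; the page does not document Rugged's actual convention.
BATCH_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def inspect_batch(entry: Path) -> Optional[str]:
    """Return None if `entry` is an acceptable batch, else the reason to reject it.

    The post-to-TUF directory is writable by the packaging pipeline, so its
    contents are untrusted input to this worker: only a plain directory with a
    well-formed name that contains nothing but regular files is accepted.
    """
    if entry.is_symlink():  # checked before is_dir(), which follows links
        return "symlink"
    if not entry.is_dir():
        return "not a directory"
    if not BATCH_NAME.match(entry.name):
        return "unexpected name"
    for f in entry.iterdir():
        if f.is_symlink() or not f.is_file():
            return f"non-regular content: {f.name}"
    return None


def process_once(post_to_tuf: Path, incoming_targets: Path,
                 trigger: Callable[[str], None]) -> dict:
    """One polling pass: move accepted batches into incoming-targets and call
    `trigger` (a hypothetical stand-in for dispatching the signing task) once
    per batch. Rejected entries are reported with a reason and left in place."""
    processed, rejected = [], []
    for entry in sorted(post_to_tuf.iterdir()):
        reason = inspect_batch(entry)
        if reason is not None:
            rejected.append((entry.name, reason))
            continue
        dest = incoming_targets / entry.name
        if dest.exists():
            rejected.append((entry.name, "already present in incoming-targets"))
            continue
        # The two directories are separate mounts, so shutil.move (copy then
        # delete when crossing filesystems) is used rather than os.rename.
        shutil.move(str(entry), str(dest))
        trigger(entry.name)
        processed.append(entry.name)
    return {"processed": processed, "rejected": rejected}


def demo() -> dict:
    """Run one pass over constructed sample directories in a temporary tree."""
    root = Path(tempfile.mkdtemp(prefix="monitor-demo-"))
    post, incoming = root / "post_to_tuf", root / "incoming_targets"
    post.mkdir()
    incoming.mkdir()
    # Constructed sample input: one well-formed batch plus three things the
    # worker must refuse (a stray file, a badly named directory, a symlink).
    good = post / "release-1.2.3"
    good.mkdir()
    (good / "app-1.2.3.tar.gz").write_bytes(b"constructed sample target")
    (post / "stray.txt").write_text("a file, not a batch")
    (post / "bad batch!").mkdir()
    (post / "link").symlink_to(good)
    triggered: list = []
    result = process_once(post, incoming, triggered.append)
    result["triggered"] = triggered
    result["incoming_files"] = sorted(
        p.name for p in (incoming / "release-1.2.3").iterdir())
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

In Rugged the equivalent loop would run as a periodic Celery task with the two mount points taken from the worker's configuration; the example keeps the directory checks separate from the move so that the acceptance rules can be unit-tested without any mounts present.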
To operate effectively, this worker requires:

- rugged system user
- incoming targets directory (/var/rugged/incoming_targets)
- post-to-TUF directory (/var/rugged/post_to_tuf)
- configuration file (/etc/rugged/config.yaml)
- Docker image: registry.gitlab.com/rugged/rugged/monitor-worker

Unlike the TUF workers and the Admin environment, the Monitor worker does not require access to any keys or to the TUF repository. Instead, it needs to mount the ‘post-to-TUF’ and inbound targets directories.
All worker environments will need a PID directory provisioned and a worker script deployed. See build/ansible/roles/rugged.workers/default/main.yml for the definition of these directories, and see build/ansible/roles/rugged.workers/tasks/worker.yml for details on configuring ownership and permissions on the PID directory, and placing the worker.py script in the rugged bin directory.
See build/ansible/roles/rugged.workers/tasks/monitor-worker.yml for setup of the ‘post-to-TUF’ and inbound targets directories.