Module manifest_poll

Manifest poll worker: verifies the channel-refs artifact (fleet.resolved) and the per-channel rollout manifests on a 30s tick. Two side effects per successful tick:

  1. Emits super::super::ReducerInput::ManifestSetUpdated so the reducer task refreshes its cached SignedManifestSet and re-runs plan_next.
  2. Writes the verified crate::server::VerifiedFleetSnapshot into state.verified_fleet. The fleet manifest exists in two homes because the legacy operator-API routes (channel_status, whoami, the rollouts proxy) still read from state.verified_fleet synchronously; consolidating onto the runtime cache is a separate effort. Both writes happen in this worker so the two views stay in lock-step.

Failure semantics:

  • Fleet verify fails → skip this tick entirely; the reducer keeps using its prior cache and state.verified_fleet retains the prior snapshot.
  • Per-channel rollout-manifest verify fails → log + skip that channel only. The emitted SignedManifestSet is partial; plan_next simply doesn’t act on missing channels until the next poll.
  • Reducer channel send fails (closed/full) → log + skip the emit. Full is unusual at 30s cadence; closed means CP is shutting down.
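The tick shape and the three failure branches above, as an added example written for this page (not the crate's own poll_once). The types VerifiedFleetSnapshot, SignedManifestSet, ReducerInput and PollWorker are assumed stand-ins with invented shapes, the two verifiers are injected closures so each branch can be exercised offline, and the reducer handle is a std::sync::mpsc bounded channel whose try_send distinguishes Full from Disconnected:

```rust
use std::collections::BTreeMap;
use std::sync::mpsc::{sync_channel, SyncSender, TrySendError};

// Stand-ins for the project's types (assumed shapes, not the real definitions).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct VerifiedFleetSnapshot {
    pub channels: Vec<String>,
}

#[derive(Clone, Debug, PartialEq, Eq, Default)]
pub struct SignedManifestSet {
    // channel name -> verified rollout manifest (opaque here)
    pub per_channel: BTreeMap<String, String>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ReducerInput {
    ManifestSetUpdated(SignedManifestSet),
}

/// What one tick did, so callers (and tests) can see which branch ran.
#[derive(Debug, PartialEq, Eq)]
pub enum TickOutcome {
    SkippedFleetVerifyFailed,
    Published { verified: usize, skipped: usize, emitted: bool },
}

pub struct PollWorker {
    /// Stand-in for state.verified_fleet; None until the first successful tick.
    pub verified_fleet: Option<VerifiedFleetSnapshot>,
    pub reducer_tx: SyncSender<ReducerInput>,
}

impl PollWorker {
    /// One tick. `verify_fleet` / `verify_channel` stand in for the real
    /// signature and freshness verifiers (hypothetical, injected for testing).
    pub fn poll_once<F, C>(&mut self, verify_fleet: F, verify_channel: C) -> TickOutcome
    where
        F: Fn() -> Result<VerifiedFleetSnapshot, String>,
        C: Fn(&str) -> Result<String, String>,
    {
        // Fleet verify fails: skip the whole tick. Neither the reducer cache
        // nor the snapshot is touched, so consumers keep the last good view.
        let fleet = match verify_fleet() {
            Ok(f) => f,
            Err(e) => {
                eprintln!("fleet verify failed, skipping tick: {e}");
                return TickOutcome::SkippedFleetVerifyFailed;
            }
        };

        // Per-channel failure: log and drop that channel only. The set is
        // partial; the planner simply has nothing to act on for that channel.
        let mut set = SignedManifestSet::default();
        let mut skipped = 0;
        for channel in &fleet.channels {
            match verify_channel(channel) {
                Ok(manifest) => {
                    set.per_channel.insert(channel.clone(), manifest);
                }
                Err(e) => {
                    eprintln!("channel {channel}: rollout manifest verify failed, skipping: {e}");
                    skipped += 1;
                }
            }
        }
        let verified = set.per_channel.len();

        // Side effect 1: hand the set to the reducer. Full or closed is logged
        // and the emit skipped; the tick itself still counts as successful.
        let emitted = match self.reducer_tx.try_send(ReducerInput::ManifestSetUpdated(set)) {
            Ok(()) => true,
            Err(TrySendError::Full(_)) => {
                eprintln!("reducer channel full, skipping emit");
                false
            }
            Err(TrySendError::Disconnected(_)) => {
                eprintln!("reducer channel closed (CP shutting down), skipping emit");
                false
            }
        };

        // Side effect 2: publish the snapshot the legacy routes read synchronously.
        // Same tick, same worker, so the two views stay in lock-step.
        self.verified_fleet = Some(fleet);
        TickOutcome::Published { verified, skipped, emitted }
    }
}

fn main() {
    let (tx, rx) = sync_channel(8);
    let mut worker = PollWorker { verified_fleet: None, reducer_tx: tx };
    // Constructed input: two channels, one of which fails verification.
    let outcome = worker.poll_once(
        || Ok(VerifiedFleetSnapshot { channels: vec!["stable".into(), "canary".into()] }),
        |ch| if ch == "canary" { Err("signature expired".into()) } else { Ok(format!("manifest for {ch}")) },
    );
    println!("{outcome:?}");
    println!("reducer received: {:?}", rx.try_recv());
}
```

Note that the snapshot write happens even when the emit is skipped: the doc's failure table treats a full or closed reducer channel as a logging event, not as a failed tick, so the operator-API view still advances while the reducer catches up on the next poll.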

Structs

ChannelRefsSource
Forge URLs + trust path the manifest-poll worker reads on every tick. CLI builds this from --channel-refs-{artifact,signature}-url, --channel-refs-token-file, --trust-file, --freshness-window-secs.

Constants

POLL_INTERVAL 🔒
Poll cadence.

Functions

check_rollout_id_discriminator 🔒
CP-side storage invariant: a signed rollout manifest may only be stored under the canonical RolloutId (RFC-0008 §6.3 {channel}@{channel_ref}) it claims via its own (channel, channel_ref) fields. Defends against a bytes-vs-url-claim substitution where the CP receives a manifest for channel B while the request is for channel A’s rollout id. Mandated by the verify_rollout_manifest docstring; mirrors the agent’s assert_rollout_id_matches on the consumer side.
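The storage invariant in working form, as an added example written for this page and not the crate's own check_rollout_id_discriminator. It assumes the RFC-0008 §6.3 shape {channel}@{channel_ref} with channel names that contain no '@' (so the first '@' is the separator), a hypothetical VerifiedRolloutManifest that exposes the manifest's own channel and channel_ref claims, and a BTreeMap as the stand-in store. The point it makes beyond the docstring is that the gate compares the parsed request id field-by-field against the manifest's claims and writes under the canonical form of the verified id, never under the caller's string:

```rust
use std::collections::BTreeMap;

/// Canonical storage key, RFC-0008 §6.3: `{channel}@{channel_ref}`.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct RolloutId {
    pub channel: String,
    pub channel_ref: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum DiscriminatorError {
    MalformedId(String),
    /// The manifest's own (channel, channel_ref) differ from the id it was offered under.
    Mismatch { requested: RolloutId, claimed: RolloutId },
}

impl RolloutId {
    /// Assumption of this example: channel names contain no '@', so the first
    /// '@' separates channel from channel_ref (the ref itself may contain '@').
    pub fn parse(s: &str) -> Result<Self, DiscriminatorError> {
        match s.split_once('@') {
            Some((channel, channel_ref)) if !channel.is_empty() && !channel_ref.is_empty() => {
                Ok(RolloutId { channel: channel.to_string(), channel_ref: channel_ref.to_string() })
            }
            _ => Err(DiscriminatorError::MalformedId(s.to_string())),
        }
    }

    pub fn canonical(&self) -> String {
        format!("{}@{}", self.channel, self.channel_ref)
    }
}

/// Hypothetical signature-verified rollout manifest; only the two claim fields matter here.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct VerifiedRolloutManifest {
    pub channel: String,
    pub channel_ref: String,
    pub body: String,
}

/// The invariant: a manifest may only be stored under the id it claims itself.
/// Fields are compared individually rather than as rendered strings, so two
/// distinct (channel, channel_ref) pairs that render identically cannot pass.
pub fn check_rollout_id_discriminator(
    requested_id: &str,
    manifest: &VerifiedRolloutManifest,
) -> Result<RolloutId, DiscriminatorError> {
    let requested = RolloutId::parse(requested_id)?;
    let claimed = RolloutId {
        channel: manifest.channel.clone(),
        channel_ref: manifest.channel_ref.clone(),
    };
    if requested != claimed {
        // e.g. a channel B manifest offered for channel A's rollout id
        return Err(DiscriminatorError::Mismatch { requested, claimed });
    }
    Ok(claimed)
}

/// Store gate: the check runs before the write, and the key written is the
/// canonical form of the verified id, never the caller-supplied string.
pub fn store_rollout_manifest(
    store: &mut BTreeMap<String, VerifiedRolloutManifest>,
    requested_id: &str,
    manifest: VerifiedRolloutManifest,
) -> Result<String, DiscriminatorError> {
    let id = check_rollout_id_discriminator(requested_id, &manifest)?;
    let key = id.canonical();
    store.insert(key.clone(), manifest);
    Ok(key)
}

fn main() {
    let mut store = BTreeMap::new();
    // Constructed manifest claiming channel B; the first request tries to file it under channel A.
    let manifest = VerifiedRolloutManifest {
        channel: "channel-b".into(),
        channel_ref: "v2".into(),
        body: "...".into(),
    };
    println!("{:?}", store_rollout_manifest(&mut store, "channel-a@v2", manifest.clone()));
    println!("{:?}", store_rollout_manifest(&mut store, "channel-b@v2", manifest));
    println!("stored keys: {:?}", store.keys().collect::<Vec<_>>());
}
```

The consumer-side mirror mentioned in the docstring (the agent's assert_rollout_id_matches) would run the same field comparison against the id the agent asked for, so a substituted manifest is refused at both ends even if one side's check were bypassed.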
fetch_and_verify_channel_manifest 🔒
poll_once 🔒
prime_blocking
Synchronous startup prime. Called by server::serve before the listener opens so routes that read state.verified_fleet (e.g. channel_status, the enrollment route’s freshness check) see a populated snapshot on the first request.
publish_verified_fleet 🔒
spawn