Continuous Delivery for Puppet Enterprise (PE) supports the use of Secure Sockets Layer (SSL) for enhanced security when using the software.
Before enabling SSL on your system, review the following important information.
- Enabling SSL requires super user permissions.
After configuring SSL, you must reinstall the Continuous Delivery agent on all job hardware. For instructions, see Configure job hardware.
Enabling SSL requires a restart of the Continuous Delivery for PE Docker container.
Setting up a new SSL configuration
Configure your Continuous Delivery for PE instance to use SSL by entering the relevant certificates in the root console and then updating your web UI endpoint to reflect the new DNS host and SSL port.
- Log into the root console by selecting Root Console from the workspaces menu at the top of the Continuous Delivery for PE navigation bar or signing in as the root user.
- Click Settings and make sure you're viewing the Endpoints tab.
- In the Configure SSL area, paste in the CA certificate, server certificate, and server private key for your Continuous Delivery for PE host.
- Optional: Click the toggle to Enable SSL. Note: You can leave your SSL configuration disabled and save the information you've entered. If SSL information is entered and saved but not enabled, your certificates are saved and the private key is saved in an encrypted format until you're ready to enable SSL.
- Click Save SSL Settings. If you've enabled SSL, proceed to the next step.
- Stop the Continuous Delivery for PE container by running
docker stop <CONTAINER NAME>.
- Restart Continuous Delivery for PE with the command appropriate to your database infrastructure, replacing the options with the appropriate values, as per the instructions below. For MySQL:
For Amazon DynamoDB:
docker run --rm --name cd4pe -v cd4pe:/disk -e SSL_PORT=8443 -e DB_ENDPOINT=<MY_DATABASE_ENDPOINT> -e DB_USER=<MY_DB_USERNAME> -e DB_PASS=<MY_DB_PASS> -e DB_PREFIX=<OPTINAL_PREFIX_TO_DB_TABLES> -e DUMP_URI=<DUMP_URI> -e PFI_SECRET_KEY=<KEY_FOR_DB_SECRETS_ENCRYPTION> -p 8443:8443 -p 8000:8000 -p 7000:7000 puppet/continuous-delivery-for-puppet-enterprise:latest
docker run --rm --name cd4pe -v cd4pe:/disk -e SSL_PORT=8443 -e DB_ENDPOINT=ddb://<AWS_REGION> -e DB_USER=<AWS_ACCESS_KEY> -e DB_PASS=<AWS_SECRET_KEY> -e DUMP_URI=<DUMP_URI> -e PFI_SECRET_KEY=<KEY_FOR_DB_SECRETS_ENCRYPTION> -p 8443:8443 -p 8000:8000 -p 7000:7000 puppet/continuous-delivery-for-puppet-enterprise:latest
- A friendly name you give to the running image. We used
cd4pein the example above.
- Creates a new Docker volume called
cd4pefor the user, which will be used for storing logs, job manifests, and artifacts. To learn more about this Docker volume, use the command
docker volume inspect cd4pe. To learn more about Docker volumes in general, see the Docker documentation.Important: If you wish to use Amazon S3 or Artifactory as an external storage provider, do not include this option in your
- Sets the SSL port. By default, Continuous Delivery for PE uses port 8443 for SSL.
ddb://endpoint used to connect to your database. For example,
- For MySQL: Login credentials for your MySQL user. For security purposes, select a database user who can connect to only this database.
- For Amazon DynamoDB: Access and secret keys for your DynamoDB user. Important: Make sure you generate credentials with full create, read, update, and delete permissions for DynamoDB resources.For security purposes, select a database user who can connect to only this database.
- When starting up, Continuous Delivery for PE creates tables in MySQL or DynamoDB. If you'd like the tables to share a prefix, such as
cdpe-, enter it here.Tip: If you wish to simulate a fresh installation of a given version of Continuous Delivery for PE, entering a new database table prefix causes all the database tables to regenerate.
- How to address port 7000 of this container, which is the endpoint used by the Continuous Delivery for PE web UI to connect to the correct instance of the Continuous Delivery agent service. In a typical installation, this value is
- A 16-byte secret key used for AES encryption of secrets (such as PE access tokens) supplied to Continuous Delivery for PE.
- If you're a *nix user, generate this key by running:
If you're a Windows user, generate this key by running:
dd bs=1 if=/dev/urandom count=16 2>/dev/null | base64
$randomBytes = New-Object Byte(16) [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($randomBytes) $encodedBytes = [System.Convert]::ToBase64String($randomBytes)
-p 8443:8443 -p 8000:8000 -p 7000:7000
- The three ports used by Continuous Delivery for PE for the web UI over SSL (8443 by default), the backend service (8000), and the agent service (7000). You can map these ports to any port of your choosing.
- In the root console, update the WebUI endpoint in the Configure
Endpoints area. The format for the new WebUI endpoint is
- Azure DevOps users: Update the backend service endpoint to use
https. This change allows Azure DevOps webhooks to function correctly.
Now that SSL is configured on your system, you must reinstall the Continuous Delivery agent on all job hardware. For instructions, see Configure job hardware.