Continuous Delivery for PE architecture

Continuous Delivery for Puppet Enterprise (PE) communicates with your PE installation, your source control system, the servers you've designated as job hardware, and the browser you use to connect to the web UI and Puppet Application Manager (PAM).

This diagram shows the architecture and port requirements for a Continuous Delivery for PE 4.x installation.
Important: Continuous Delivery for PE uses TCP (Transmission Control Protocol) connections.

Diagram of Continuous Delivery for PE port requirements and architecture.
| Port | Use |
| --- | --- |
| * (variable) | On this port, Continuous Delivery for PE makes API requests to, and clones from, source control over HTTPS or SSH. The specific port number depends on your source control integration. |
| 443 | On this port, Continuous Delivery for PE job hardware servers communicate with the Continuous Delivery for PE application, and users access the Continuous Delivery for PE application's web UI over HTTPS. |
| 4433 | The Continuous Delivery for PE application uses this PE port to communicate with the node classifier and the PE console (for authentication). |
| 8000 | This is the default port where source control provider webhooks send traffic to Continuous Delivery for PE. You can change this port in PAM under Optional configuration. |
| 8081 | The Continuous Delivery for PE application uses this PE port to send queries to PuppetDB. |
| 8140 | The Continuous Delivery for PE application and Continuous Delivery for PE job hardware servers use this PE port to communicate with Puppet Server. |
| 8142 | Continuous Delivery for PE job hardware servers and PE communicate through Puppet Agent on this port. |
| 8143 | The Continuous Delivery for PE application uses this PE port to communicate with Puppet Orchestrator. |
| 8170 | The Continuous Delivery for PE application uses this PE port to communicate with Code Manager. |
| 8800 | PAM's web UI accepts HTTPS traffic from users on this port. |

You can configure ports 4433, 8081, 8140, 8143, and 8170 in the PE integration settings.

For additional information about each Continuous Delivery for PE port's source and destination, refer to the PAM system requirements. For more information about PE ports, refer to PE documentation, such as the PE Firewall configuration diagrams.
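
A preflight check for the five PE ports the Continuous Delivery for PE application connects to, run from the application host after firewall changes. This is an added example, not part of the Puppet documentation or tooling; the service labels, function names, and the `pe.example.com` placeholder host are assumptions, and the port numbers are the defaults from the table above (pass overrides if you changed them in the PE integration settings).

```python
import socket
import sys

# Default PE ports used by the Continuous Delivery for PE application,
# from the port table above. All are TCP. Labels are illustrative.
PE_PORTS = {
    "node classifier and console": 4433,
    "PuppetDB": 8081,
    "Puppet Server": 8140,
    "Puppet Orchestrator": 8143,
    "Code Manager": 8170,
}

def tcp_reachable(host, port, timeout=3.0):
    """Attempt a TCP connect and return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (packets probably dropped by a firewall)"
    except ConnectionRefusedError:
        return False, "refused (host reachable, port closed or rejected)"
    except OSError as exc:
        return False, f"error: {exc}"

def preflight(pe_host, overrides=None, timeout=3.0):
    """Check every PE port; overrides maps a service label to a custom port."""
    overrides = overrides or {}
    unknown = set(overrides) - set(PE_PORTS)
    if unknown:
        raise ValueError(f"unknown service labels: {sorted(unknown)}")
    ports = {**PE_PORTS, **overrides}
    return {svc: (port, *tcp_reachable(pe_host, port, timeout))
            for svc, port in ports.items()}

def failures(results):
    """Return the sorted service labels whose port could not be reached."""
    return sorted(svc for svc, (_, ok, _) in results.items() if not ok)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "pe.example.com"  # placeholder
    results = preflight(host)
    for svc, (port, ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port:<5} {svc}: {detail}")
    sys.exit(1 if failures(results) else 0)
```

A timeout usually points at a firewall silently dropping traffic, while a refusal means the host answered but nothing accepted the connection on that port.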

TLS configuration

You can choose from several TLS configuration options when installing Continuous Delivery for Puppet Enterprise (PE). Select the installation architecture that best meets your security needs and limitations.

Basic installation (default configuration)

This installation architecture works for single-node clusters and multi-node clusters that utilize automatic load balancing or are set up for Ingress load balancing, such as with Google Kubernetes Engine (GKE). The webhook callback listens on port 8000. This architecture uses public certificates for machine-to-machine communication, and it's common to use TLS configured at the Ingress, whether in manual-entry, self-signed, or certificate manager form.
Diagram of the basic TLS configuration option.
| Port | Use |
| --- | --- |
| 443 | Continuous Delivery for PE job hardware servers communicate with the Continuous Delivery for PE application over this port, and users access the Continuous Delivery for PE web UI over HTTPS on this port. |
| 5000 | In offline installations, NodePort communicates with the registry on this port. |
| 8000 | This is the default port where source control provider webhooks send traffic to Continuous Delivery for PE. You can change this port in Puppet Application Manager (PAM) under Optional configuration. |
| 8080 | Ingress forwards traffic to the Continuous Delivery for PE web UI and communicates with query-service on this port. |
| 9001 | Continuous Delivery for PE job hardware servers communicate with NodePort on this port. |

Installation with a proxy or load balancer using enhanced TLS

This installation architecture uses public certificates for external proxy TLS termination and internal certificates for machine-to-machine communication. The Ingress is used for routing rules to the various services within Continuous Delivery for PE. You must configure the backend and web UI endpoints separately from the Ingress hostnames.
Diagram of the enhanced TLS configuration option.
| Port | Use |
| --- | --- |
| 443 | On this port, Continuous Delivery for PE job hardware servers communicate with the Continuous Delivery for PE application, and users access the Continuous Delivery for PE web UI over HTTPS. |
| 5000 | In offline installations, NodePort communicates with the registry on this port. |
| 8000 | This is the default port where source control provider webhooks send traffic to Continuous Delivery for PE. You can change this port in Puppet Application Manager (PAM) under Optional configuration. |
| 8080 | Ingress forwards traffic to the Continuous Delivery for PE web UI and communicates with query-service on this port. |
| 9001 | Continuous Delivery for PE job hardware servers communicate with the proxy/load balancer registry and NodePort on this port. |