Continuous Delivery for PE architecture

Continuous Delivery for Puppet Enterprise (PE) communicates with your PE installation, your source control system, and the servers you've designated as job hardware, as well as with the browser you use to connect to the web UI and Puppet Application Manager.

The following diagram shows the architecture and port requirements of a Continuous Delivery for PE 4.x installation.

Important: Continuous Delivery for PE uses TCP (Transmission Control Protocol) connections.

See the system requirements for additional information on each Continuous Delivery for PE port's source and destination.

TLS configuration

There are several TLS configuration options to choose from when installing Continuous Delivery for PE. Select the installation architecture that best meets your security needs and limitations.

Basic installation - Default configuration

This installation architecture works for both single-node clusters and multi-node clusters that use automatic load balancing or are set up for Ingress load balancing, such as with Google Kubernetes Engine (GKE). The webhook callback listens on port 8000. In this architecture, it's common to configure TLS at the Ingress, using a manually entered certificate, a self-signed certificate, or a certificate manager.

Installation with a proxy or load balancer using enhanced TLS

This installation architecture uses public certificates for external proxy TLS termination, plus internal certificates for machine-to-machine communication. The Ingress is used for routing rules to the various services within Continuous Delivery for PE. Note that the backend and web UI endpoints must be configured separately from Ingress hostnames.