The CloudBees CD/RO server is a member of the default zone, created during CloudBees CD/RO installation. To ensure that the CloudBees CD/RO server can reach remote zones, you must establish a gateway or a gateway chain to reach each one either directly or indirectly. Also, to preserve this reachability, do not rename the default zone.
Gateway objects
To communicate with a resource, workspace, or artifact repository server in another zone, a gateway must be created. A gateway object contains two resource (agent) machines, for example, GatewayResource1 and GatewayResource2, each configured to communicate with the other. One gateway resource resides in the source zone and the other in the target zone. A gateway is bidirectional and informs the CloudBees CD/RO server that each gateway machine is configured to communicate with its other gateway machine (in another zone).
If your company requires the added security of a firewall between zones, gateway agents can be configured to communicate with/through the firewall. Gateway agents can be trusted or untrusted (meaning that they just use HTTPS).
- A firewall between zones: A gateway resource can be configured to communicate with an intermediary firewall in its path as a proxy to communicate with its peer on the other side of the gateway.
  If the actual gateway agents are behind a load balancer, do not register resources for them in CloudBees CD/RO. The actual gateway agents should be pinged by CloudBees CD/RO only via the load balancer.
- Each gateway records the host/port combination each gateway agent/resource must use to communicate with its peer on the other side of the gateway.
- Multiple gateways can be defined for a zone if required. For example, you may have multiple resources in zoneA that need to communicate with each other, but some of those resources also need to communicate with zoneB, while others need to communicate with zoneC only. In this scenario, zoneA would require two gateways: one to zoneB and one to zoneC.
- One resource can participate in multiple gateways. For example, assume we have 3 zones, zone1, zone2, and zone3, each created to contain agent/resource machines for a different, specific purpose (production, testing), but we want to share or pass data from a resource in zone1 to another resource in zone2 or zone3. We need two gateways:
  - Gateway1 connects ResourceA in zone1 to ResourceC in zone3
  - Gateway2 connects ResourceA in zone1 to ResourceB in zone2

  With this gateway-resource configuration, ResourceA can communicate directly with zone2 or zone3.
- For gateway agents v10.1 and higher, you must configure the CloudBees CD/RO server IP address.
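The reachability rule described above (every zone needs a gateway or gateway chain back to the default zone) can be checked against an exported inventory. The following Python audit is an added example, not CloudBees code or API output; zone1 to zone3, ResourceA/B/C, Gateway1 and Gateway2 follow the example above, while Gateway0, GwDefault, GwZone1, zone4, Builder4 and the trusted flags are constructed assumptions.

```python
from collections import deque

# Constructed inventory (not exported from a real server).
RESOURCES = {  # resource name -> (zone, trusted)
    "GwDefault": ("default", True),   # assumed gateway agent in the default zone
    "GwZone1": ("zone1", True),       # assumed gateway agent in zone1
    "ResourceA": ("zone1", True),
    "ResourceB": ("zone2", False),    # assumed untrusted, to exercise the audit
    "ResourceC": ("zone3", True),
    "Builder4": ("zone4", True),      # assumed zone with no gateway at all
}
GATEWAYS = {  # gateway name -> (resource 1, resource 2, enabled)
    "Gateway0": ("GwDefault", "GwZone1", True),
    "Gateway1": ("ResourceA", "ResourceC", True),
    "Gateway2": ("ResourceA", "ResourceB", True),
}

def gateway_chains(resources, gateways, start="default"):
    """Breadth-first search over zones; returns zone -> gateways on the shortest chain."""
    links = {}
    for name, (r1, r2, enabled) in gateways.items():
        if not enabled:
            continue
        z1, z2 = resources[r1][0], resources[r2][0]
        links.setdefault(z1, []).append((z2, name))  # gateways are bidirectional
        links.setdefault(z2, []).append((z1, name))
    chains, queue = {start: []}, deque([start])
    while queue:
        zone = queue.popleft()
        for peer, gw in links.get(zone, []):
            if peer not in chains:
                chains[peer] = chains[zone] + [gw]
                queue.append(peer)
    return chains

def audit(resources, gateways):
    """Return (chains, zones the server cannot reach, untrusted gateway agents)."""
    chains = gateway_chains(resources, gateways)
    zones = {zone for zone, _ in resources.values()}
    unreachable = sorted(zones - set(chains))
    untrusted = sorted({r for r1, r2, _ in gateways.values()
                        for r in (r1, r2) if not resources[r][1]})
    return chains, unreachable, untrusted

if __name__ == "__main__":
    chains, unreachable, untrusted = audit(RESOURCES, GATEWAYS)
    for zone, chain in sorted(chains.items()):
        print(f"{zone}: {' -> '.join(chain) or 'direct'}")
    print("unreachable zones:", unreachable)
    print("untrusted gateway agents:", untrusted)
```

Disabling or removing the one gateway that touches the default zone makes every other zone unreachable, which is why single-gateway chains deserve attention in review.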
The gateway object list
To view all gateways currently defined in CloudBees CD/RO, navigate to Actions
icon for the entry.
A gateway inherits privileges from the ZonesAndGateways ACL. See Access Control for more information.
Creating a gateway
To create a new gateway, select New+ and enter the following information:
Field Name | Description / Action |
---|---|
Details tab | |
Name | Name of your choice for this gateway. The name must be unique among other gateway names. |
Description | (Optional) Plain text or HTML description for this object. If using HTML, you must surround your text with For example, the following HTML: <p> <span style="font-family: Arial;"> <i>Note:</i> For more information about the <b>abc</b> object, see <a href="https://www.google.com/">https://www.google.com</a>. </span> </p> renders as follows: |
Enabled | Check box the gateway. |
Configuration tab | |
Resource 1 | Name of your choice for the first of two required gateway resources. Do not include spaces in a resource name. For actual gateway agents that are behind a load balancer, specify the resource for the inbound or outbound load balancer (not the actual agent). |
Host 1 | Agent host name where Resource 1 resides. This external host name is used by Resource 2 to communicate with Resource 1. Specify only the host name or IP address of Resource 1. To use the host name from Resource 1’s definition, leave this field blank. |
Port 1 | Port number used by Resource 1. The default is the port number used by the resource. |
Resource 2 | Name of your choice for the second of two required gateway resources. Do not include spaces in a resource name. For actual gateway agents that are behind a load balancer, specify the resource for the inbound or outbound load balancer (not the actual agent). |
Host 2 | Agent host name where Resource 2 resides. This external host name is used by Resource 1 to communicate with Resource 2. Specify only the host name or IP address of Resource 2. To use the host name from Resource 2’s definition, leave this field blank. |
Port 2 | Port number used by Resource 2. The default is the port number used by the resource. |
Select OK to see your new gateway displayed in the list.
Zone management
A zone is a way to partition a collection of agents to secure them from use by other groups. For example, you might choose to create a developer’s zone, a production zone, and a test zone—agents in one zone cannot directly communicate with agents in another zone.
- A default zone is created during the CloudBees CD/RO installation. The server implicitly belongs to the default zone, which means all agents in this zone can communicate with the server directly without the use of a gateway.
- Each zone can have one or more gateway agents, which you define. Gateway agents are used for communication from one zone to another zone. For more information, see Gateways.
- Every agent, and all resources defined on that agent, can belong to one zone only.
- Within a zone, agents can be either trusted or untrusted.
  - Trusted: The CloudBees CD/RO server verifies the agent’s identity using SSL certificate verification.
  - Untrusted: The CloudBees CD/RO server does not verify agent identity. Potentially, an untrusted agent is a security risk.
The zone object list
To view all zones currently defined in CloudBees CD/RO, navigate to Actions
icon for the desired zone object.
A zone inherits privileges from the ZonesAndGateways ACL. See Access Control for more information. Resource and Resource Pool inherit their privileges from Resources privileges. To create a resource, you must have modify privileges on Resources, and you must have modify privileges on the zone. In addition, to move a resource from one zone to another, you must have modify privileges on both zones and the resource you want to move.
Creating a new zone
To create a new zone, select New+ and enter the following information:
Field Name | Description |
---|---|
Name | Enter a name of your choice for this zone. The name must be unique among other zone names. |
Description | (Optional) Plain text or HTML description for this object. If using HTML, you must surround your text with For example, the following HTML: <p> <span style="font-family: Arial;"> <i>Note:</i> For more information about the <b>abc</b> object, see <a href="https://www.google.com/">https://www.google.com</a>. </span> </p> renders as follows: |
Click OK to see your new zone displayed in the table. To add resources to this zone, select Resources from the action menu for the zone object.