www/content/services/internal.md
Simon Marsh 0a0158eccc
node updates and tidying
2024-02-17 23:32:30 +00:00


---
title: "Internal Services"
geekdocDescription: "Documentation for Non-public applications"
weight: 30
---
This page provides some documentation on other services used within burble.dn42
that are not directly available for public use.
## traefik / traefik-eu / traefik-na
burble.dn42 runs a global [traefik](https://traefik.io/traefik/) cluster which
acts as a reverse proxy and load balancer for burble.dn42 web services.
The traefik instances are anycast globally (traefik.burble.dn42), but also
have regional load balancing groups for Europe (traefik-eu.burble.dn42) and
North America (traefik-na.burble.dn42). This regional split helps to direct
users to local services where possible.
## vault.burble.dn42
[Hashicorp Vault](https://www.vaultproject.io/) is used to handle secrets
across the burble.dn42 network.<br/>
Vault is deployed as a three-node cluster across the European core nodes
and uses Vault's integrated Raft storage as its backend.
### TLS Certificate Authority
Vault acts as the main [certificate authority](/services/ca/) for burble.dn42
PKI.
Vault issues certificates with short lifetimes and renews them automatically
(typically on a rolling weekly or monthly basis), so a leaked certificate has a
limited window of use.
### SSH Certificate Authority
Vault also acts as an SSH certificate authority, issuing certificates for both
users and hosts so that each side of a connection can be verified.
Host certificates are generated during deployment, whilst user (or role)
certificates are short-lived and generated on demand.
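As an added example (not burble.dn42's own tooling), the following Python encodes and decodes the OpenSSH certificate format that an SSH CA such as Vault produces, and then applies the checks that decide whether a short-lived user certificate or a host certificate is accepted: certificate type, validity window and principal list. The key material, nonce and signature bytes, the principal `simon` and the hostname `web1.burble.dn42` are constructed placeholders, and signature verification over the certificate body is deliberately omitted (the standard library has no Ed25519), so the code shows the policy checks rather than the cryptographic one.

```python
"""Encode, decode and policy-check OpenSSH certificates (added example).

Follows the ssh-ed25519-cert-v01@openssh.com layout from OpenSSH's
PROTOCOL.certkeys. Key material, nonce and signature are placeholders; the
CA signature is not verified here.
"""
import struct
import time

CERT_ALGO = b"ssh-ed25519-cert-v01@openssh.com"
CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2


def _string(b: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_cert(key_id: str, principals: list, cert_type: int,
               valid_after: int, valid_before: int, serial: int = 1) -> bytes:
    """Encode a certificate blob; keys, nonce and signature are placeholders."""
    body = b"".join([
        _string(CERT_ALGO),
        _string(b"\x11" * 32),                      # nonce (placeholder)
        _string(b"\x22" * 32),                      # subject public key (placeholder)
        struct.pack(">Q", serial),
        struct.pack(">I", cert_type),
        _string(key_id.encode()),
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),
        _string(b""),                               # critical options (none)
        _string(b""),                               # extensions (none)
        _string(b""),                               # reserved
        _string(_string(b"ssh-ed25519") + _string(b"\x33" * 32)),  # CA key (placeholder)
    ])
    # A real CA signs `body` here; this placeholder has the right shape only.
    return body + _string(_string(b"ssh-ed25519") + _string(b"\x44" * 64))


class _Reader:
    """Sequential reader for the SSH wire types used in certificates."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return v


def parse_cert(blob: bytes) -> dict:
    """Decode the fields a relying party needs for its policy checks."""
    r = _Reader(blob)
    if r.string() != CERT_ALGO:
        raise ValueError("unsupported certificate algorithm")
    r.string()                                      # nonce
    r.string()                                      # subject public key
    serial, cert_type = r.u64(), r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())                        # principals: string of strings
    principals = []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    r.string(); r.string(); r.string()              # critical options, extensions, reserved
    ca_key, signature = r.string(), r.string()
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "ca_key": ca_key, "signature": signature}


def check_cert(cert: dict, expect_type: int, principal: str, now: int) -> str:
    """Return 'ok' or a rejection reason. Stricter than OpenSSH on one point:
    OpenSSH treats an empty principal list as 'any principal'; here a match is
    always required, which is what a CA policy should guarantee anyway."""
    if cert["type"] != expect_type:
        return "wrong certificate type"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return "certificate not valid at this time"
    if principal not in cert["principals"]:
        return "principal not permitted"
    return "ok"


def demo(now: int = None) -> dict:
    """Short-lived (30 min) user cert vs. long-lived host cert, checked at
    several points in time. Names are constructed for the example."""
    now = int(time.time()) if now is None else now
    user = parse_cert(build_cert("simon@laptop", ["simon"], CERT_TYPE_USER,
                                 now - 60, now + 30 * 60))
    host = parse_cert(build_cert("web1.burble.dn42", ["web1.burble.dn42"],
                                 CERT_TYPE_HOST, now - 60, now + 365 * 86400))
    return {
        "user_now": check_cert(user, CERT_TYPE_USER, "simon", now),
        "user_1h": check_cert(user, CERT_TYPE_USER, "simon", now + 3600),
        "user_as_root": check_cert(user, CERT_TYPE_USER, "root", now),
        "host_now": check_cert(host, CERT_TYPE_HOST, "web1.burble.dn42", now),
        "host_as_user": check_cert(host, CERT_TYPE_USER, "web1.burble.dn42", now),
        "user_principals": user["principals"],
        "user_ttl": user["valid_before"] - user["valid_after"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `user_1h` case is the one the section makes: a user certificate copied off a laptop is useless an hour later, whereas the host certificate issued at deployment stays valid for its full term and is what clients pin their trust to.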
### Deployment Secrets
Vault holds secrets used during node and service deployments.
Most burble.dn42 services are built as stateless container images, and secrets
are pushed from Vault into the live containers at runtime. This ensures the
container images do not contain secrets and that secrets can be applied per
instance even when using a common image.
Vault also manages database credentials (using the MySQL/MariaDB database
secrets integration); these are generated automatically and pushed into
container instances on deployment.
The authority to access deployment secrets is inherited, on demand, from the
user's token during the deployment process. This ensures that even if access
were gained to the deployment server, secrets could still not be read without
also holding a live user token.
## nomad.burble.dn42
burble.dn42 runs a global [HashiCorp Nomad](https://www.nomadproject.io/) cluster
that is used primarily for web application workloads. Nomad integrates with
[containerd](https://containerd.io/),
[vault](/services/internal/#vaultburbledn42) and
[traefik](/services/internal/#traefik--traefik-eu--traefik-na)
to provide resilient, globally available applications.
## nats.burble.dn42
burble.dn42 operates a [nats.io](https://nats.io/) cluster as a distributed,
network-wide broadcast and RPC solution.
The cluster uses NATS's decentralised JWT-based authentication, so the servers
hold no user credentials themselves.
## ci.burble.dn42
The burble.dn42 [git service](/services/public#git) has an associated CI/CD
service based on [drone](https://www.drone.io/).
The CI/CD service is used to manage DNS, to build and publish applications, and
to publish the burble.dn42 website.