burble.dn42 / Services / Internal Services

Internal Services

This page provides some documenation on other services used within burble.dn42 that are not directly available for public use.

traefik / traefik-eu / traefik-na

burble.dn42 runs a global traefik cluster which acts as a reverse proxy and load balancer for burble.dn42 web services.

The traefik instances are anycast globally (traefik.burble.dn42), but also have regional load balancing groups for Europe (traefik-eu.burble.dn42) and North America (traefik-na.burble.dn42). This regional split helps to direct users to local services where possible.

vault.burble.dn42

Hashicorp Vault is used to handle secrets across the burble.dn42 network.
Vault is deployed as a 3 node cluster across the Europe core nodes and uses the internal raft database as a back end.

TLS Certificate Authority

Vault acts as the main certificate authority for burble.dn42 PKI.

Vault allows for regular, automated renewal of certificates on short timeframes (typically a rolling week or monthly basis).

SSH Certificate Authority

Vault also acts as an SSH certificate authority, verifying both users and servers within the network.

Server certificates are generated during deployment, whilst user (or role) certificates are short lived and generated on demand.

Deployment Secrets

Vault holds secrets used during node and service deployments.

Most burble.dn42 are built as stateless container images and secrets are pushed from vault in to the live containers at runtime. This ensures the container images do not contain secrets and that secrets can be applied per instance even when using a common image.

Vault also manages database credentials (using the mysql/mariadb integration), and these are also automatically generated and pushed in to container instances on deployment.

The authority to access deployment secrets is inherited, on demand, from the user token during the deployment process. This ensures that even if access was gained to the deployment server, secrets could still not be accessed without also having access to a live user token.

nomad.burble.dn42

burble.dn42 runs a global HashiCorp Nomad cluster that is used primarily for web application workloads. Nomad integrates with containerd, vault and traefik to provide resilient, globally available applications.

nats.burble.dn42

burble.dn42 operates a nats.io cluster as a distributed, network wide, broadcast and RPC solution.

The cluster uses decentralised JWT tokens for authentication.

ci.burble.dn42

The burble.dn42 git has an associated CI/CD service based on drone.

The CI/CD service is used to manage DNS, build and publish applications and the burble.dn42 website.