Prerequisites

Hint

Some of the examples and templates are containing Jinja2-like variables notations {{ variable_name }} - you need to replace them appropriately if not used with a deployment or template engine (i.e. ansible with Jinja2).

Docker

To deploy b3lb you need a running Docker environment:

  • Docker Engine

  • Docker Swarm

  • Kubernetes

This documentation expects to use Docker Compose for container deployment.

DNS

B3LB uses the following domain scheme:

api.bbbconf.de

Base domain used for admin and global metrics access, only.

tenant1.api.bbbconf.de

BBB API domain for the tenant tentant1

tenant1-001.api.bbbconf.de

BBB API domain for a additional secret for the tenant tentant1

It is recommended to add corresponding DNS RR using a wildcard to your zone file:

; address records of reverse proxy instances
{{ api_base_domain }}.    A       192.0.2.1
                          A       192.0.2.2
                          A       192.0.2.3
                          AAAA    2001:db8::1
                          AAAA    2001:db8::2
                          AAAA    2001:db8::3
; wildcard used by tenants
*.{{ api_base_domain }}.  CNAME   api

You need to support dynamic zone updates to use wildcard certificates from Let’s’Encrypt. The following example could be used with bind9 to create a TSIG update key and allow zone updates.

The TSIG key can be created using the tsig-keygen binary:

root@ns:~# tsig-keygen -a hmac-sha512 "{{ tsig_key }}" > /etc/bind/traefik.key

Hint

  • {{ tsig_key }} is the name of the TSIG key

  • {{ tsig_secret }} the secret value from the key file

Example zone definition:

include "/etc/bind/traefik.key";

zone "{{ api_base_domain }}" {
    type master;
    file "{{ api_base_domain }}.zone";

    allow-update { key "{{ tsig_key }}"; };
};

Reverse Proxy

A reverse proxy with the following features is required:

  • to get a wildcard certificate from Let’s’Encrypt the use of the ACME DNS-01 challenge is required (recommended)

  • access ACLs to protect b3lb admin & metrics urls

traefik has proven to work very well for b3lb.

PostgreSQL Database

b3lb requires a database backend supported by Django. It needs to be accessible by all b3lb frontend and worker instances.

Hint

Using PostgreSQL 9.5+ is highly recommended.