From 50e3f1ade69ec6bfd2bdea4620778e4054d9d9c1 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Fri, 10 Apr 2026 08:08:33 +0200
Subject: [PATCH] feat: use configured DOCKER_NETWORK as primary for deployed apps

Instead of hardcoding cameleer-traefik as the primary network for deployed app containers, use CAMELEER_DOCKER_NETWORK (env var). In SaaS mode this is the tenant-isolated network (cameleer-tenant-{slug}). Apps still connect to cameleer-traefik (for routing) and cameleer-env- {slug} (for intra-environment discovery) as additional networks. This enables per-tenant network isolation: apps deployed by tenant A cannot reach apps deployed by tenant B since they share no network.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.../server/app/runtime/DeploymentExecutor.java | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/runtime/DeploymentExecutor.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/runtime/DeploymentExecutor.java
index 059accd4..a890d4a8 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/runtime/DeploymentExecutor.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/runtime/DeploymentExecutor.java
@@ -107,13 +107,19 @@ public class DeploymentExecutor { // === CREATE NETWORKS === updateStage(deployment.id(), DeployStage.CREATE_NETWORK); + // Primary network: use configured CAMELEER_DOCKER_NETWORK (tenant-isolated in SaaS mode) String primaryNetwork = dockerNetwork; String envNet = null; + List additionalNets = new ArrayList<>(); if (networkManager != null) { - primaryNetwork = DockerNetworkManager.TRAEFIK_NETWORK; networkManager.ensureNetwork(primaryNetwork); + // Traefik network for routing (apps need to be reachable by Traefik) + networkManager.ensureNetwork(DockerNetworkManager.TRAEFIK_NETWORK); + additionalNets.add(DockerNetworkManager.TRAEFIK_NETWORK); + // Per-environment network for intra-environment service discovery envNet = DockerNetworkManager.envNetworkName(env.slug()); networkManager.ensureNetwork(envNet); + additionalNets.add(envNet); } // === START REPLICAS === @@ -133,7 +139,7 @@ public class DeploymentExecutor { containerName, baseImage, jarPath, volumeName, jarStoragePath, primaryNetwork, - envNet != null ? List.of(envNet) : List.of(), + additionalNets, baseEnvVars, labels, config.memoryLimitBytes(), config.memoryReserveBytes(), config.dockerCpuShares(), config.dockerCpuQuota(), @@ -144,9 +150,11 @@ public class DeploymentExecutor { String containerId = orchestrator.startContainer(request); newContainerIds.add(containerId); - // Connect to environment network after container is started - if (networkManager != null && envNet != null) { - networkManager.connectContainer(containerId, envNet); + // Connect to additional networks after container is started + for (String net : additionalNets) { + if (networkManager != null) { + networkManager.connectContainer(containerId, net); + } } replicaStates.add(Map.of(
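Review bot: Every app is still attached to `DockerNetworkManager.TRAEFIK_NETWORK` inside the `if (networkManager != null)` branch, so containers of different tenants keep sharing one network. The isolation described in the commit message therefore holds only if traffic between containers on that network is blocked somewhere this hunk does not show. Consider connecting the Traefik container to each tenant network instead of joining every app to the shared one, or at least record the assumption next to the call, e.g. `// shared by all tenants: isolation relies on inter-container traffic being blocked on this network`. The env network name is derived from `env.slug()` alone, so it is also worth confirming that slugs cannot collide across tenants on the same Docker host. The enclosing method starts and ends outside the hunk.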
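Review bot: `additionalNets` is a mutable `ArrayList` where the old argument was an immutable `List.of(...)`, and the same instance is later iterated after `startContainer`. Passing `List.copyOf(additionalNets)` keeps the request's view of the networks fixed. The constructor call starts and ends outside the hunk, so whether the request copies the list itself is not visible.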
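Review bot: The loop connects the container to every entry of `additionalNets` without comparing it to `primaryNetwork`. If `CAMELEER_DOCKER_NETWORK` is set to the same name as `TRAEFIK_NETWORK` (plausible outside SaaS mode, since that was the hard-coded primary before), the container is connected a second time to a network it joined at start. Whether `connectContainer` tolerates that is not visible here; `if (net.equals(primaryNetwork)) continue;` at the top of the loop avoids depending on it. The inner `if (networkManager != null)` is loop-invariant and, since the list is only filled when the manager is non-null, could be dropped or hoisted outside the `for`.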