cameleer/cameleer-server
1
0
Fork 0
Code Issues 45 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: use configured DOCKER_NETWORK as primary for deployed apps
All checks were successful
CI / cleanup-branch (push) Has been skipped
Details
CI / build (push) Successful in 1m13s
Details
CI / docker (push) Successful in 1m9s
Details
CI / deploy-feature (push) Has been skipped
Details
CI / deploy (push) Successful in 36s
Details

Browse Source 
Instead of hardcoding cameleer-traefik as the primary network for
deployed app containers, use CAMELEER_DOCKER_NETWORK (env var). In
SaaS mode this is the tenant-isolated network (cameleer-tenant-{slug}).
Apps still connect to cameleer-traefik (for routing) and cameleer-env-
{slug} (for intra-environment discovery) as additional networks.

This enables per-tenant network isolation: apps deployed by tenant A
cannot reach apps deployed by tenant B since they share no network.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-10 08:08:33 +02:00
parent 995d3ca00d
commit 50e3f1ade6
1 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
cameleer3-server-app/src/main/java/com/cameleer3/server/app/runtime/DeploymentExecutor.java
View File

@@ -107,13 +107,19 @@ public class DeploymentExecutor {
// === CREATE NETWORKS === // === CREATE NETWORKS ===
updateStage(deployment.id(), DeployStage.CREATE_NETWORK); updateStage(deployment.id(), DeployStage.CREATE_NETWORK);
// Primary network: use configured CAMELEER_DOCKER_NETWORK (tenant-isolated in SaaS mode)
String primaryNetwork = dockerNetwork; String primaryNetwork = dockerNetwork;
String envNet = null; String envNet = null;
List<String> additionalNets = new ArrayList<>();
if (networkManager != null) { if (networkManager != null) {
primaryNetwork = DockerNetworkManager.TRAEFIK_NETWORK;
networkManager.ensureNetwork(primaryNetwork); networkManager.ensureNetwork(primaryNetwork);
// Traefik network for routing (apps need to be reachable by Traefik)
networkManager.ensureNetwork(DockerNetworkManager.TRAEFIK_NETWORK);
additionalNets.add(DockerNetworkManager.TRAEFIK_NETWORK);
// Per-environment network for intra-environment service discovery
envNet = DockerNetworkManager.envNetworkName(env.slug()); envNet = DockerNetworkManager.envNetworkName(env.slug());
networkManager.ensureNetwork(envNet); networkManager.ensureNetwork(envNet);
additionalNets.add(envNet);
} }
// === START REPLICAS === // === START REPLICAS ===
@@ -133,7 +139,7 @@ public class DeploymentExecutor {
containerName, baseImage, jarPath, containerName, baseImage, jarPath,
volumeName, jarStoragePath, volumeName, jarStoragePath,
primaryNetwork, primaryNetwork,
envNet != null ? List.of(envNet) : List.of(), additionalNets,
baseEnvVars, labels, baseEnvVars, labels,
config.memoryLimitBytes(), config.memoryReserveBytes(), config.memoryLimitBytes(), config.memoryReserveBytes(),
config.dockerCpuShares(), config.dockerCpuQuota(), config.dockerCpuShares(), config.dockerCpuQuota(),
@@ -144,9 +150,11 @@ public class DeploymentExecutor {
String containerId = orchestrator.startContainer(request); String containerId = orchestrator.startContainer(request);
newContainerIds.add(containerId); newContainerIds.add(containerId);
// Connect to environment network after container is started // Connect to additional networks after container is started
if (networkManager != null && envNet != null) { for (String net : additionalNets) {
networkManager.connectContainer(containerId, envNet); if (networkManager != null) {
networkManager.connectContainer(containerId, net);
}
} }
replicaStates.add(Map.of( replicaStates.add(Map.of(