docs: revert ICC-disabled, use shared traefik network with app-level auth

ICC=false breaks Traefik routing and agent-server communication.
Switched to shared traefik network (ICC enabled) with app-level
security boundaries. Per-env Traefik networks noted as future option.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-08 20:00:12 +02:00
parent dd4442329c
commit b196918e70


@@ -33,13 +33,15 @@ App containers reach the server for SSE/heartbeats via the `cameleer-traefik` ne
### Network isolation
The `cameleer-traefik` network is created with **inter-container communication (ICC) disabled** (`--opt com.docker.network.bridge.enable_icc=false`). This means containers on the traefik network cannot communicate directly with each other — they can only be reached through Traefik's published ports. This prevents a compromised app in one environment from reaching apps in other environments via the shared routing network.
The `cameleer-traefik` network has ICC enabled (required for Traefik routing and agent-server communication). All app containers are technically reachable from each other on this network. The security boundary is at the application level (auth tokens, environment-specific credentials).
The `cameleer-env-{slug}` networks keep ICC enabled so apps within the same environment can discover and communicate with each other freely.
The `cameleer-env-{slug}` networks provide **intentional service discovery isolation** — apps only discover and communicate with services in their own environment via Docker DNS. Cross-environment communication requires knowing the target container's IP, which apps have no reason to discover.
> **Future option:** Per-environment Traefik networks (each env gets its own network with Traefik and server attached) would provide full network-level isolation. This can be added based on customer security requirements without changing the orchestrator interface.
### Network Manager
Wraps Docker network operations. `ensureNetwork(name, iccEnabled)` creates a bridge network if it doesn't exist (idempotent). The traefik network is created with `iccEnabled=false`, environment networks with `iccEnabled=true`. `connectContainer(containerId, networkName)` attaches a container to a second network. Called by `DeploymentExecutor` before container creation.
Wraps Docker network operations. `ensureNetwork(name)` creates a bridge network if it doesn't exist (idempotent). `connectContainer(containerId, networkName)` attaches a container to a second network. Called by `DeploymentExecutor` before container creation.
---
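Review bot: the new "intentional service discovery isolation" paragraph (the `cameleer-env-{slug}` line that replaces the old "keep ICC enabled" sentence) overstates what Docker DNS scoping buys once the preceding paragraph has conceded that every app container is reachable from every other on the shared `cameleer-traefik` network. "Cross-environment communication requires knowing the target container's IP, which apps have no reason to discover" is not a security argument: a compromised container on a shared bridge can enumerate the subnet in seconds (ARP on the segment, or a scan of the bridge's /16), so the IP is trivially discoverable. Suggest rewording to make the two paragraphs consistent, e.g. "Per-environment networks scope Docker DNS so apps only resolve services in their own environment; this is a convenience boundary, not a security control. The security boundary on the shared network remains application-level auth as described above." Separately, the Network Manager paragraph now says `ensureNetwork(name)` "creates a bridge network if it doesn't exist (idempotent)", while the removed text documents that the traefik network was previously created with `iccEnabled=false`. Docker does not change bridge options on an existing network, so on any host that already ran the old code the idempotent call will leave the ICC-disabled network in place and Traefik routing will stay broken; the docs should add a migration note telling operators to remove and recreate `cameleer-traefik` (after detaching containers) when upgrading across this change.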