docs: correct loader-network reachability claim; refresh HOWTO env vars
All checks were successful
CI / cleanup-branch (push) Has been skipped
CI / build (push) Successful in 4m32s
CI / docker (push) Successful in 2m55s
CI / deploy-feature (push) Has been skipped
CI / deploy (push) Successful in 55s

Final-review must-fixes:
- HOWTO.md: drop CAMELEER_SERVER_RUNTIME_JARDOCKERVOLUME; add the three new
  artifact env vars (loaderimage / artifacttokenttlseconds / artifactbaseurl).
- DeploymentExecutor @PostConstruct WARN, handoff doc, and docker-orchestration
  rule no longer claim the loader uses cameleer-traefik. The loader runs on
  the PRIMARY Docker network only — additional networks are attached after
  startContainer returns, by which time the loader has exited. SaaS still
  works because the tenant's primary network hosts the tenant server.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-27 17:13:56 +02:00
parent c970120b9f
commit f772e868e6
4 changed files with 25 additions and 14 deletions


@@ -48,13 +48,15 @@ When deployed via the cameleer-saas platform, this server orchestrates customer
`DeploymentExecutor` generates the signed URL via `ArtifactDownloadTokenSigner.sign(appVersion.id(), Duration.ofSeconds(artifactTokenTtlSeconds))` and passes `appVersion.id()`, the URL, `appVersion.jarSizeBytes()`, and the loader image into `ContainerRequest`. The host filesystem is no longer involved at deploy time.
**Loader → server reachability**: the loader container hits the Cameleer server over HTTP from inside its
own Docker network. The signed URL is built from `cameleer.server.runtime.artifactbaseurl` (preferred), falling
back to `cameleer.server.runtime.serverurl`, falling back to `http://cameleer-server:8081`. The default works
in SaaS mode because `DockerNetworkManager` adds `cameleer-traefik` as an additional network for tenant
containers, and the server is reachable on that network via the `cameleer-server` DNS alias. For non-SaaS
topologies (server on a different network than tenants), set `CAMELEER_SERVER_RUNTIME_ARTIFACTBASEURL`
explicitly to a URL the loader can reach.
**Loader → server reachability**: the loader hits the Cameleer server from its **primary** Docker
network only (`request.network()`, set from `CAMELEER_SERVER_RUNTIME_DOCKERNETWORK`). Additional networks
(`cameleer-traefik`, per-env) are attached by `DockerNetworkManager.connectContainer` AFTER `startContainer`
returns — by which time the loader has already exited. The loader cannot use them. The signed URL is built
from `cameleer.server.runtime.artifactbaseurl` (preferred), falling back to `cameleer.server.runtime.serverurl`,
falling back to `http://cameleer-server:8081`. The default works in SaaS mode because the tenant's primary
network (`cameleer-tenant-{slug}`) hosts the tenant's own server — same `CAMELEER_SERVER_RUNTIME_DOCKERNETWORK`
on both. For non-SaaS topologies, set `CAMELEER_SERVER_RUNTIME_ARTIFACTBASEURL` to a URL the loader can reach
on its primary network.
## DeploymentExecutor Details
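Review bot: the replacement paragraph drops the only sentence that explained how the default `http://cameleer-server:8081` resolves (the removed text named the `cameleer-server` DNS alias), so "the default works in SaaS mode because the tenant's primary network hosts the tenant's own server" now rests on an unstated name-resolution assumption; consider restoring a clause such as "the server is reachable on `cameleer-tenant-{slug}` under the `cameleer-server` alias" if that is still how the loader finds it. Two further points on the same hunk: the paragraph correctly ties the reachability limit to ordering (`DockerNetworkManager.connectContainer` runs after `startContainer` returns, and the loader has exited by then), so a short sentence that this is a consequence of the current call order, not a design guarantee, would flag that a future reordering of `connectContainer` invalidates the doc; and because the last fallback is plain HTTP while the signed URL carries the artifact download token, the non-SaaS guidance for `CAMELEER_SERVER_RUNTIME_ARTIFACTBASEURL` could recommend an https base URL wherever the loader's path to the server leaves the tenant's Docker network.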