chore(infra): make openzaak-* targets + runbook (refs #10)
Add `make openzaak-up`, `make openzaak-smoke`, and `make openzaak-down` so the OpenZaak stack is testable in one command, matching the `make ci` pattern. openzaak-smoke polls until the API responds, then asserts auth is enforced (403) and the admin/schema endpoints are reachable (302/200). Document it in docs/runbooks/openzaak.md (kept out of `make ci` — it's a heavier, separate check). Verified: `make openzaak-smoke` is green end-to-end. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
50
docs/runbooks/openzaak.md
Normal file
50
docs/runbooks/openzaak.md
Normal file
@@ -0,0 +1,50 @@
|
||||
# OpenZaak runbook
|
||||
|
||||
The OpenZaak stack (`infra/openzaak/docker-compose.yml`) is a lean adaptation of the
|
||||
upstream open-zaak dev compose: PostGIS db, redis, a one-shot init that runs
|
||||
migrations, the OpenZaak API, and a celery worker.
|
||||
|
||||
## Quick test (`make`)
|
||||
|
||||
```bash
|
||||
make openzaak-up # start the stack (first run pulls images + migrates: 1-3 min)
|
||||
make openzaak-smoke # start + assert it's up with auth enforced (403/302/200)
|
||||
make openzaak-down # stop and wipe data
|
||||
```
|
||||
|
||||
`make openzaak-smoke` polls until the API responds, then asserts:
|
||||
|
||||
| Check | Expected |
|
||||
|---|---|
|
||||
| `GET /zaken/api/v1/zaken` (no JWT) | **403** — `PermissionDenied` ZGW fout (auth enforced) |
|
||||
| `GET /admin/` | **302** — admin login redirect |
|
||||
| `GET /zaken/api/v1/` | **200** — ZGW API schema root |
|
||||
|
||||
> **403, not 401.** OpenZaak's ZGW APIs return `403 PermissionDenied` for a missing
|
||||
> or invalid JWT. The S-01 acceptance text says "401" — that's inaccurate; 403 is the
|
||||
> correct auth-enforced response.
|
||||
|
||||
The admin UI is at <http://localhost:8000/admin/>; the dev superuser is **admin /
|
||||
admin** (from the compose env — dev only).
|
||||
|
||||
## Prerequisites (rootless Podman)
|
||||
|
||||
Same setup as the rest of the repo (see [ci.md](ci.md)):
|
||||
|
||||
```bash
|
||||
systemctl --user start podman.socket # the Docker-API socket the shim talks to
|
||||
```
|
||||
|
||||
The Makefile auto-points `DOCKER_HOST` at the Podman socket when it exists, so the
|
||||
`make openzaak-*` targets work without extra env.
|
||||
|
||||
## Notes
|
||||
|
||||
- **Not in `make ci`.** The OpenZaak smoke is a separate, heavier check (large image
|
||||
pull + migrations); it is intentionally kept out of `make ci` so the core gate
|
||||
stays fast. Run `make openzaak-smoke` when you touch the OpenZaak stack.
|
||||
- **No catalogus/zaaktypen yet.** Seeding the `BIG` catalogus + `BIG-registratie`
|
||||
zaaktype and a JWT client is the next slice (**S-01-b**); authenticated zaaktype
|
||||
listing isn't testable until then.
|
||||
- **Image tag.** Currently `openzaak/open-zaak:latest` via `${OPENZAAK_TAG}`; pin to
|
||||
a known-good tag as part of the catalogus-design ADR.
|
||||
Reference in New Issue
Block a user