fix: docker network

[Flo4604]

What does this PR do?

Fixes # (issue)

If there is not an issue for this, please create one first. This is used to tracking purposes and also helps use understand why this PR exists

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

• Test A
• Test B

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary

Summary by CodeRabbit

• Bug Fixes

  • Improved startup reliability by enforcing health-checked and explicit start-order dependencies for core services and the dashboard, reducing race conditions and boot failures.

• Chores

  • Standardized networking by introducing a default network for all services for consistent connectivity.
  • Harmonized Docker Compose dependency semantics to use conditional health/start gates for more robust orchestration.

[changeset-bot]

⚠️ No Changeset found

Latest commit: f9c880e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
dashboard	Ready	Preview	Comment	Sep 15, 2025 3:19pm

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
engineering	Ignored	Preview		Sep 15, 2025 3:19pm

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates compose orchestration to add a default network and replace simple depends_on lists with conditional health/start gating and required flags; the Go Docker backend now attaches created containers to the compose network and adds compose labels. No public APIs changed.

Changes

Cohort / File(s)	Summary of Changes
Compose orchestration deployment/docker-compose.yaml	Added top-level networks: default. Added networks: - default to every service. Replaced simple depends_on lists with mapping forms using condition: service_healthy or condition: service_started and required: true for services (apiv2, gw, ctrl, dashboard) and removed otel from apiv2 deps.
Compose formatting go/deploy/ctrl/docker-compose.yml	Removed top-level version line, normalized healthcheck YAML to multi-line array, fixed whitespace and ensured newline at EOF; no semantic changes beyond formatting.
Deployment backend (Go) go/apps/ctrl/services/deployment/backends/docker.go	createContainer now supplies a Docker NetworkingConfig that attaches the container to the compose network endpoint "unkey_default" and adds Docker Compose labels (com.docker.compose.*) when creating containers; ContainerCreate call now receives networkingConfig. No exported signatures changed.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant DC as docker-compose
  participant Dep as Dependencies (mysql, redis, clickhouse, s3, planetscale, agent)
  participant S as Services (apiv2, gw, ctrl, dashboard)

  Dev->>DC: docker compose up
  DC->>Dep: Start dependency containers
  Dep-->>DC: Report health/start (service_healthy / service_started)
  DC->>S: Start services when gated conditions satisfied (required: true)
  note over DC,S: Start-order enforced by health/start conditions

Loading

sequenceDiagram
  autonumber
  participant CTRL as ctrl (Go)
  participant DE as Docker Engine API

  CTRL->>DE: ContainerCreate(config, hostConfig, networkingConfig{EndpointsConfig: {"unkey_default": {...}}})
  DE-->>CTRL: Container ID
  CTRL->>DE: StartContainer(Container ID)
  DE-->>CTRL: Running
  note over CTRL,DE: Container created with compose labels and attached to "unkey_default" network

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: docker backend #3565 — touches Docker container creation/management and labeling; closely related to network/label changes.
• feat: e2e deploy with docker works #3567 — modifies createContainer and network/port/label handling; likely overlaps with this backend change.

Suggested reviewers

• imeyer
• perkinsjr
• mcstepp
• MichaelUnkey

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description is the unmodified template with placeholders and is incomplete: it does not link an issue, all change-type checkboxes are unchecked, the "How should this be tested?" section contains only "Test A" and "Test B", and none of the required checklist items are marked, so reviewers lack the information needed to validate and merge this change.	Please complete the template before merging: link or create the related issue, select the correct change-type box, replace testing placeholders with concrete, reproducible test steps (including commands, environment, and expected results), run and report pnpm build and pnpm fmt outcomes, complete the required checklist items, and add brief notes about behavioral or migration impacts and any screenshots or logs if relevant.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "fix: docker network" is concise and accurately reflects the primary change in this PR (adding/attaching services to a default Docker network and related compose/backend updates), so it meets the guideline for a short, focused one-line title.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/dependencies

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Thank you for following the naming conventions for pull request titles! 🙏

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

deployment/docker-compose.yaml (1)

311-316: Appropriate use of service_started; optionally add healthchecks and switch to service_healthy.

For planetscale/agent (no healthchecks), service_started is correct. If you add simple healthchecks later, consider switching to service_healthy for stronger readiness guarantees. (docs.docker.com)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b758cb6 and 2367963.

📒 Files selected for processing (2)

• deployment/docker-compose.yaml (4 hunks)
• go/apps/ctrl/services/deployment/backends/docker.go (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Test API / API Test Local
• GitHub Check: Build / Build
• GitHub Check: Test Go API Local / Test

🔇 Additional comments (4)

deployment/docker-compose.yaml (3)

64-69: Good: health‑gated startup for apiv2.

Using condition: service_healthy for mysql/redis/clickhouse ensures apiv2 starts after dependencies are ready. LGTM. (docs.docker.com)

---

258-263: Same note on required: true — redundant; remove it or require Compose ≥ v2.20.

The required key defaults to true and was introduced in Docker Compose v2.20.0; keeping it is only for clarity but imposes Compose ≥ v2.20 in dev/CI. (docs.docker.com)

Location: deployment/docker-compose.yaml (lines 258-263).

---

212-223: Drop redundant depends_on required: true (Compose ≥ v2.20.2)

depends_on.required defaults to true; support for the attribute was added in Docker Compose v2.20.2 — remove these required: true entries to reduce noise or keep them for explicitness. (github.com)

If you want the gw service to restart when a dependency is restarted via Compose operations, add restart: true under the dependency mapping. (github.com)

File: deployment/docker-compose.yaml lines 212–223

Couldn't verify locally here (docker: command not found). Run docker compose version locally and paste the output for confirmation.

go/apps/ctrl/services/deployment/backends/docker.go (1)

284-286: Don't hardcode the Docker network; make it configurable and validate it exists.

Setting NetworkMode: "unkey_default" ties runtime to a specific Compose project name and will fail if that network doesn’t exist. Inject the network name via config (env), store it on DockerBackend, and preflight-check with NetworkInspect; log a warning or return a clear error.

Apply within this hunk:

-        NetworkMode: "unkey_default",
+        NetworkMode: d.networkMode,

And add these changes outside this hunk to wire config + validation:

--- a/go/apps/ctrl/services/deployment/backends/docker.go
+++ b/go/apps/ctrl/services/deployment/backends/docker.go
@@
-import (
+import (
   "context"
   "fmt"
   "io"
   "strconv"
   "strings"
   "sync"
   "time"
+  "os"
 
   "github.com/docker/docker/api/types/container"
+  "github.com/docker/docker/api/types"
   "github.com/docker/docker/api/types/image"
   "github.com/docker/docker/client"
   "github.com/docker/docker/errdefs"
   "github.com/docker/go-connections/nat"
@@
 type DockerBackend struct {
   logger          logging.Logger
   dockerClient    *client.Client
   deployments     map[string]*dockerDeployment
   mutex           sync.RWMutex
   isRunningDocker bool // Whether this service is running in Docker
+  networkMode     container.NetworkMode
 }
@@
 func NewDockerBackend(logger logging.Logger, isRunningDocker bool) (*DockerBackend, error) {
@@
-  return &DockerBackend{
+  // Determine target network (configurable; default aligns with compose project "name: unkey")
+  network := os.Getenv("UNKEY_DOCKER_NETWORK")
+  if network == "" && isRunningDocker {
+    network = "unkey_default"
+  }
+
+  // Best‑effort validation: warn if the configured network is missing
+  if network != "" {
+    if _, err := dockerClient.NetworkInspect(ctx, network, types.NetworkInspectOptions{}); err != nil {
+      logger.Warn("configured Docker network not found; containers may not be reachable",
+        "network", network, "error", err)
+    }
+  }
+
+  return &DockerBackend{
     logger:          logger.With("backend", "docker"),
     dockerClient:    dockerClient,
     deployments:     make(map[string]*dockerDeployment),
     isRunningDocker: isRunningDocker,
+    networkMode:     container.NetworkMode(network),
   }, nil
 }

Verification: the provided script could not run here because the docker CLI is not available (docker: command not found). Run this locally or in CI to verify the configured network exists:

docker network ls --format '{{.Name}}' | grep -x 'unkey_default' || echo "warn: unkey_default not present"
docker info >/dev/null && echo "docker reachable"
docker compose version

[imeyer]

LGTM

[graphite-app]

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

go/deploy/ctrl/docker-compose.yml (1)

57-71: Healthcheck style is fine; confirm wget availability or switch to CMD-SHELL.

Current array form is valid. Ensure the image actually contains wget; if not, use CMD-SHELL with curl or wget.

Example (keeps wget, fewer layers to parse):

-    healthcheck:
-      test:
-        [
-          "CMD",
-          "wget",
-          "--no-verbose",
-          "--tries=1",
-          "--spider",
-          "http://localhost:8084/_/health",
-        ]
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --tries=1 --spider http://localhost:8084/_/health || exit 1"]
       interval: 30s
       timeout: 5s
       retries: 3
       start_period: 10s

go/apps/ctrl/services/deployment/backends/docker.go (1)

295-299: Avoid hard-coding the network name; make it configurable (ties to compose project name).

Hard-coding "unkey_default" couples this to a specific compose name. Derive from COMPOSE_PROJECT_NAME (default: unkey) so environments don’t break.

-    networkingConfig := &network.NetworkingConfig{
-        EndpointsConfig: map[string]*network.EndpointSettings{
-            "unkey_default": {},
-        },
-    }
+    // derive network from compose project name (e.g., "unkey" -> "unkey_default")
+    composeProjectName := getEnvDefault("COMPOSE_PROJECT_NAME", "unkey")
+    composeNetworkName := fmt.Sprintf("%s_default", composeProjectName)
+    networkingConfig := &network.NetworkingConfig{
+        EndpointsConfig: map[string]*network.EndpointSettings{
+            composeNetworkName: {},
+        },
+    }

Add helper (outside this hunk):

import "os"

func getEnvDefault(k, def string) string {
  if v := os.Getenv(k); v != "" {
    return v
  }
  return def
}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2367963 and 95bbb6a.

📒 Files selected for processing (3)

• deployment/docker-compose.yaml (18 hunks)
• go/apps/ctrl/services/deployment/backends/docker.go (3 hunks)
• go/deploy/ctrl/docker-compose.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Test Go API Local / Test
• GitHub Check: Test API / API Test Local
• GitHub Check: Build / Build

🔇 Additional comments (4)

go/apps/ctrl/services/deployment/backends/docker.go (1)

301-301: LGTM: attach to network at create-time.

Passing networkingConfig to ContainerCreate is the right call; avoids a second connect step.

deployment/docker-compose.yaml (3)

4-5: Default network wiring is a good improvement.

Consistently placing services on the default network and declaring it top-level matches the backend’s expectations.

Minor ask: keep the compose project name (“name: unkey”) stable so the network remains “unkey_default”, which the backend currently targets.

Also applies to: 30-31, 49-50, 62-63, 92-93, 106-107, 130-131, 164-165, 186-187, 219-220, 268-269, 307-308, 318-319, 330-331, 408-410

---

72-77: Good: health-gated dependencies for apiv2.

Switching to service_healthy improves startup determinism.

---

232-243: Incorrect — keep required: true under depends_on
Compose spec and Docker Compose v2.20.0+ support depends_on service entries with condition and required (default: true). Only remove required: true if you must support Compose versions older than v2.20.0.

Likely an incorrect or invalid review comment.

[graphite-app]

Graphite Automations

"Post a GIF when PR approved" took an action on this PR • (09/15/25)

1 gif was posted to this PR based on Andreas Thomas's automation.