Add `make openzaak-up`, `make openzaak-smoke`, and `make openzaak-down` so the OpenZaak stack is testable in one command, matching the `make ci` pattern. openzaak-smoke polls until the API responds, then asserts auth is enforced (403) and the admin/schema endpoints are reachable (302/200). Document it in docs/runbooks/openzaak.md (kept out of `make ci` — it's a heavier, separate check). Verified: `make openzaak-smoke` is green end-to-end. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2.0 KiB
OpenZaak runbook
The OpenZaak stack (infra/openzaak/docker-compose.yml) is a lean adaptation of the
upstream open-zaak dev compose: PostGIS db, redis, a one-shot init that runs
migrations, the OpenZaak API, and a celery worker.
Quick test (make)
make openzaak-up # start the stack (first run pulls images + migrates: 1-3 min)
make openzaak-smoke # start + assert it's up with auth enforced (403/302/200)
make openzaak-down # stop and wipe data
make openzaak-smoke polls until the API responds, then asserts:
| Check | Expected |
|---|---|
GET /zaken/api/v1/zaken (no JWT) |
403 — PermissionDenied ZGW fout (auth enforced) |
GET /admin/ |
302 — admin login redirect |
GET /zaken/api/v1/ |
200 — ZGW API schema root |
403, not 401. OpenZaak's ZGW APIs return
403 PermissionDeniedfor a missing or invalid JWT. The S-01 acceptance text says "401" — that's inaccurate; 403 is the correct auth-enforced response.
The admin UI is at http://localhost:8000/admin/; the dev superuser is admin / admin (from the compose env — dev only).
Prerequisites (rootless Podman)
Same setup as the rest of the repo (see ci.md):
systemctl --user start podman.socket # the Docker-API socket the shim talks to
The Makefile auto-points DOCKER_HOST at the Podman socket when it exists, so the
make openzaak-* targets work without extra env.
Notes
- Not in
make ci. The OpenZaak smoke is a separate, heavier check (large image pull + migrations); it is intentionally kept out ofmake ciso the core gate stays fast. Runmake openzaak-smokewhen you touch the OpenZaak stack. - No catalogus/zaaktypen yet. Seeding the
BIGcatalogus +BIG-registratiezaaktype and a JWT client is the next slice (S-01-b); authenticated zaaktype listing isn't testable until then. - Image tag. Currently
openzaak/open-zaak:latestvia${OPENZAAK_TAG}; pin to a known-good tag as part of the catalogus-design ADR.