Provision a JWT client declaratively via OpenZaak setup_configuration (infra/openzaak/setup_configuration/data.yaml: JWTSecret + Applicatie with all authorizations), and seed the BIG catalogus + a lean BIG-REGISTRATIE zaaktype (concept) + a bsn eigenschap via the ZTC API with an idempotent stdlib seed (infra/openzaak/seed_catalogus.py, `make openzaak-seed`). Disable outbound notifications until NRC lands (S-01-c) so ZTC writes don't 500. Bind-mount the config with :z (SELinux) for rootless Podman. Record the design in ADR-0002; document seeding + the dev JWT client in the OpenZaak runbook. Verified clean-slate: down --volumes -> up -> `make openzaak-seed` creates the catalogus/zaaktype/eigenschap and the JWT client lists BIG-REGISTRATIE; re-runs are all-skip (idempotent). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
75 lines
2.9 KiB
Markdown
75 lines
2.9 KiB
Markdown
# OpenZaak runbook
|
|
|
|
The OpenZaak stack (`infra/openzaak/docker-compose.yml`) is a lean adaptation of the
|
|
upstream open-zaak dev compose: PostGIS db, redis, a one-shot init that runs
|
|
migrations, the OpenZaak API, and a celery worker.
|
|
|
|
## Quick test (`make`)
|
|
|
|
```bash
|
|
make openzaak-up # start the stack (first run pulls images + migrates: 1-3 min)
|
|
make openzaak-smoke # start + assert it's up with auth enforced (403/302/200)
|
|
make openzaak-seed # start + seed the BIG catalogus (idempotent)
|
|
make openzaak-down # stop and wipe data
|
|
```
|
|
|
|
## Seed the BIG catalogus
|
|
|
|
`make openzaak-seed` brings the stack up and runs `infra/openzaak/seed_catalogus.py`,
|
|
which creates (idempotently, via the ZTC API):
|
|
|
|
- catalogus **BIG**
|
|
- a lean **BIG-REGISTRATIE** zaaktype (concept; only schema-mandatory fields)
|
|
- a **bsn** eigenschap on it
|
|
|
|
then confirms the JWT client can list it. See **ADR-0002** for the design (why the
|
|
zaaktype stays a concept, why notifications are disabled, why the API not a fixture).
|
|
|
|
**JWT client** (provisioned declaratively by `setup_configuration/data.yaml`, **dev only**):
|
|
|
|
| | |
|
|
|---|---|
|
|
| client_id | `big-reference-seed` |
|
|
| secret | `insecure-dev-secret-change-me` |
|
|
| authorizations | `heeft_alle_autorisaties` (all) |
|
|
|
|
The seed mints a ZGW JWT (HS256) from these and calls `/catalogi/api/v1/...`.
|
|
|
|
`make openzaak-smoke` polls until the API responds, then asserts:
|
|
|
|
| Check | Expected |
|
|
|---|---|
|
|
| `GET /zaken/api/v1/zaken` (no JWT) | **403** — `PermissionDenied` ZGW fout (auth enforced) |
|
|
| `GET /admin/` | **302** — admin login redirect |
|
|
| `GET /zaken/api/v1/` | **200** — ZGW API schema root |
|
|
|
|
> **403, not 401.** OpenZaak's ZGW APIs return `403 PermissionDenied` for a missing
|
|
> or invalid JWT. The S-01 acceptance text says "401" — that's inaccurate; 403 is the
|
|
> correct auth-enforced response.
|
|
|
|
The admin UI is at <http://localhost:8000/admin/>; the dev superuser is **admin /
|
|
admin** (from the compose env — dev only).
|
|
|
|
## Prerequisites (rootless Podman)
|
|
|
|
Same setup as the rest of the repo (see [ci.md](ci.md)):
|
|
|
|
```bash
|
|
systemctl --user start podman.socket # the Docker-API socket the shim talks to
|
|
```
|
|
|
|
The Makefile auto-points `DOCKER_HOST` at the Podman socket when it exists, so the
|
|
`make openzaak-*` targets work without extra env.
|
|
|
|
## Notes
|
|
|
|
- **Not in `make ci`.** The OpenZaak smoke is a separate, heavier check (large image
|
|
pull + migrations); it is intentionally kept out of `make ci` so the core gate
|
|
stays fast. Run `make openzaak-smoke` when you touch the OpenZaak stack.
|
|
- **Notifications disabled.** `NOTIFICATIONS_DISABLED=true` until Open Notificaties
|
|
(NRC) lands in S-01-c — otherwise ZTC writes 500 trying to notify. Re-enable then.
|
|
- **Zaaktype is a concept**, not published (publishing needs roltypen/statustypen/
|
|
resultaattypen — beyond the lean seed). List with `?status=alles`.
|
|
- **Image tag.** Currently `openzaak/open-zaak:latest` via `${OPENZAAK_TAG}`; pin to
|
|
a known-good tag (ADR-0002 follow-up).
|