Network isolation for deployments (edge + workspace networks)

[zbal]

Why

Today all runner containers share a single devpush_runner network, which allows lateral movement between deployments. This change introduces per‑deployment and per‑workspace networks so each deployment is only reachable via its own edge network (for Traefik) and a workspace‑scoped private network (for same‑team traffic).

Summary

This introduces a two‑tier network model: an edge network per deployment for Traefik routing and probes, and a workspace network per team for east/west traffic between a team’s deployments. Monitoring attaches to workspace networks on demand, while Traefik attachment is reconciled via a dedicated ARQ task to survive container restarts.

Changes

• Network topology:

  • New per‑deployment edge networks devpush_edge_<deployment-id>
  • New per‑team workspace networks devpush_workspace_<team-id>

• Runner container wiring:

  • Runner containers attach to both edge + workspace networks
  • Traefik label traefik.docker.network points to the edge network
  • Runner labels now include devpush.edge_network and devpush.workspace_network

• Monitoring:

  • Monitor attaches to workspace networks only when needed to probe
  • Probe detaches when a workspace no longer has deployment containers
  • Legacy fallback remains for devpush_runner where labels are missing

• Traefik resiliency:

  • New ARQ job reconcile_edge_network (scoped by deployment id)
  • Runs after deployment start and once on worker startup

• Ops tooling:

  • New network-reconcile.sh to enqueue reconcile manually

Testing

• Not run (manual)