Simplify network topology: replace foreman-db, foreman-cache, foreman-app with foreman-internal

All backend services (PostgreSQL, Redis, Candlepin, Pulp, Foreman,
Dynflow) now share a single isolated internal network. This addresses
the feedback in PR theforeman#403:

- ehelms: start with a single network model to reduce complexity
- ekohl: merge foreman-db and foreman-cache since all services need both

foreman-proxy-net is kept separate as it serves a distinct purpose
(Foreman Proxy <-> Foreman communication).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: pablomh

src/playbooks/deploy/deploy.yaml

@@ -24,17 +24,9 @@
         certificate_checks_ca: "{{ ca_certificate }}"
     - role: deploy_network
       vars:
-        deploy_network_name: foreman-db
+        deploy_network_name: foreman-internal
         deploy_network_internal: true
         deploy_network_isolate: true
-    - role: deploy_network
-      vars:
-        deploy_network_name: foreman-cache
-        deploy_network_internal: true
-        deploy_network_isolate: true
-    - role: deploy_network
-      vars:
-        deploy_network_name: foreman-app
     - role: deploy_network
       vars:
         deploy_network_name: foreman-proxy-net

src/roles/candlepin/defaults/main.yml

@@ -15,7 +15,7 @@ candlepin_ciphers:
 candlepin_container_image: quay.io/foreman/candlepin
 candlepin_container_tag: "4.4.14"
 candlepin_registry_auth_file: /etc/foreman/registry-auth.json
-candlepin_networks: "{{ (['foreman-db'] if database_mode == 'internal' else []) + ['foreman-app'] }}"
+candlepin_networks: foreman-internal
 
 candlepin_database_host: postgresql
 candlepin_database_port: 5432

src/roles/foreman/tasks/main.yaml

@@ -93,9 +93,7 @@
     state: quadlet
     sdnotify: true
     network:
-      - foreman-db
-      - foreman-cache
-      - foreman-app
+      - foreman-internal
       - foreman-proxy-net
     ports:
       - "127.0.0.1:3000:3000"
@@ -132,9 +130,7 @@
     state: quadlet
     sdnotify: true
     network:
-      - foreman-db
-      - foreman-cache
-      - foreman-app
+      - foreman-internal
     hostname: "{{ ansible_facts['fqdn'] }}"
     volume:
       - 'foreman-data-run:/var/run/foreman:z'
@@ -186,9 +182,7 @@
     image: "{{ foreman_container_image }}:{{ foreman_container_tag }}"
     sdnotify: false
     network:
-      - foreman-db
-      - foreman-cache
-      - foreman-app
+      - foreman-internal
     hostname: "{{ ansible_facts['fqdn'] }}"
     command: "foreman-rake {{ item.rake }}"
     volume:
@@ -238,7 +232,7 @@
       - bin/rails db:migrate && bin/rails db:seed
     detach: false
     rm: true
-    network: "{{ ['foreman-db'] if database_mode == 'internal' else ['foreman-app'] }}"
+    network: foreman-internal
     env:
       FOREMAN_ENABLED_PLUGINS: "{{ foreman_plugins | join(' ') }}"
     secrets:

src/roles/postgresql/defaults/main.yml

@@ -3,7 +3,7 @@ postgresql_container_image: quay.io/sclorg/postgresql-13-c9s
 postgresql_container_tag: "latest"
 postgresql_registry_auth_file: /etc/foreman/registry-auth.json
 postgresql_container_name: postgresql
-postgresql_network: foreman-db
+postgresql_network: foreman-internal
 postgresql_socket_dir: /var/run/postgresql
 postgresql_restart_policy: always
 

src/roles/pulp/defaults/main.yaml

@@ -36,14 +36,13 @@ pulp_database_user: pulp
 pulp_database_host: postgresql
 pulp_redis_url: "redis://redis:6379/8"
 pulp_networks:
-  - foreman-db
-  - foreman-cache
-  - foreman-app
+  - foreman-internal
 pulp_api_ports:
   - "127.0.0.1:24817:24817"
 pulp_content_ports:
   - "127.0.0.1:24816:24816"
-pulp_migration_networks: "{{ ['foreman-db'] if database_mode == 'internal' else ['foreman-app'] }}"
+pulp_migration_networks:
+  - foreman-internal
 pulp_database_port: 5432
 pulp_database_ssl_mode: disabled
 pulp_database_ssl_ca: None

src/roles/redis/defaults/main.yml

@@ -2,4 +2,4 @@
 redis_container_image: quay.io/sclorg/redis-6-c9s
 redis_container_tag: "latest"
 redis_registry_auth_file: /etc/foreman/registry-auth.json
-redis_network: foreman-cache
+redis_network: foreman-internal