bird-house · mishaschwartz · Jan 22, 2026 · Jan 23, 2026 · Jan 24, 2026 · Jan 27, 2026
@@ -15,7 +15,26 @@
 [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest)
 ------------------------------------------------------------------------------------------------------------------
 
-[//]: # (list changes here, using '-' for each new entry, remove this when items are added)
+## Changes
+
+- Update `magpie` to version 5.0.0
+
+  This update to Magpie introduces 
+  [network mode](https://pavics-magpie.readthedocs.io/en/latest/authentication.html#network-mode).
+
+  This is disabled by default to ensure backwards compatibility but can be enabled by setting
+  `MAGPIE_NETWORK_ENABLED=true` in your local environment file.
+  Note that enabling network mode also requires setting `MAGPIE_NETWORK_INSTANCE_NAME` to a unique
+  name within the network.
+
+  Upgrading to this version does not require any database migration and is fully backwards compatible
+  with previous versions.
+
+  This change also introduces the ability to set 
+  [all configuration options](https://pavics-magpie.readthedocs.io/en/latest/configuration.html#network-mode-settings) 
+  for Magpie's network mode as environment variables in the local environment file.
+  Note that all of these configuration options will be ignored if `MAGPIE_NETWORK_ENABLED` is `false`.
+
 
 [2.21.0](https://github.com/bird-house/birdhouse-deploy/tree/2.21.0) (2026-01-27)
 ------------------------------------------------------------------------------------------------------------------

@@ -5,7 +5,7 @@
 # are applied and must be added to the list of DELAYED_EVAL.
 
 # Tag version that will be used to update Magpie API, Magpie CLI, and matching Twitcher with Magpie Adapter
-export MAGPIE_VERSION=4.2.0
+export MAGPIE_VERSION=5.0.0
 export MAGPIE_IMAGE='pavics/magpie:${MAGPIE_VERSION}'
 export MAGPIE_IMAGE_URI='registry.hub.docker.com/${MAGPIE_IMAGE}'
 
@@ -34,11 +34,40 @@ export MAGPIE_PROVIDERS_CONFIG_PATH="/opt/local/src/magpie/config/providers"
 export MAGPIE_PERMISSIONS_CONFIG_PATH="/opt/local/src/magpie/config/permissions"
 export MAGPIE_WEBHOOKS_CONFIG_PATH="/opt/local/src/magpie/config/webhooks"
 
+# Network mode settings. See for details: 
+# https://pavics-magpie.readthedocs.io/en/latest/configuration.html#network-mode-settings
+#
+# All of these are ignored unless MAGPIE_NETWORK_ENABLED is true
+# MAGPIE_NETWORK_INSTANCE_NAME must be a unique name in the network (default is not set)
+# MAGPIE_NETWORK_DEFAULT_TOKEN_EXPIRY and MAGPIE_NETWORK_INTERNAL_TOKEN_EXPIRY values are in seconds
+# MAGPIE_NETWORK_PEM_FILES is a : separated list of files that are relative paths inside the MAGPIE_NETWORK_PEM_DIR directory
+# MAGPIE_NETWORK_PEM_PASSWORDS is empty if no PEM files require passwords
+# If at least one pem file requires a password then MAGPIE_NETWORK_PEM_PASSWORDS is a : separated list that is the same length
+# as MAGPIE_NETWORK_PEM_FILES. For example if there are 4 files and only the first and third require passwords then this could
+# be set to 'password1::password2:'
+export MAGPIE_NETWORK_PEM_DIR='${BIRDHOUSE_DATA_PERSIST_ROOT}/magpie_pem'
+export MAGPIE_NETWORK_ENABLED=false
+export MAGPIE_NETWORK_INSTANCE_NAME=
+export MAGPIE_NETWORK_DEFAULT_TOKEN_EXPIRY=86400
+export MAGPIE_NETWORK_INTERNAL_TOKEN_EXPIRY=30
+export MAGPIE_NETWORK_TOKEN_NAME=magpie_token
+export MAGPIE_NETWORK_PROVIDER=magpie_network
+export MAGPIE_NETWORK_NAME_PREFIX=magpie_network_
+export MAGPIE_NETWORK_GROUP_NAME=magpie_network
+export MAGPIE_NETWORK_PEM_FILES=key.pem
+export MAGPIE_NETWORK_PEM_PASSWORDS=
+export MAGPIE_NETWORK_CREATE_MISSING_PEM_FILE=true
+
+# translate MAGPIE_NETWORK_PEM_FILES to the location of the files on the magpie container
+export MAGPIE_NETWORK_PEM_FILES_ON_CONTAINER='$(echo "/magpie-pem/${MAGPIE_NETWORK_PEM_FILES#:}" | sed "s|:|:/magpie-pem/|g" )'
+
 export DELAYED_EVAL="
   $DELAYED_EVAL
   MAGPIE_PERSIST_DIR
   MAGPIE_IMAGE
   MAGPIE_IMAGE_URI
+  MAGPIE_NETWORK_PEM_DIR
+  MAGPIE_NETWORK_PEM_FILES_ON_CONTAINER
   MAGPIE_POSTGRES_IMAGE
 "
 
@@ -81,4 +110,15 @@ OPTIONAL_VARS="
   \$MAGPIE_VERSION
   \$MAGPIE_IMAGE
   \$MAGPIE_IMAGE_URI
+  \$MAGPIE_NETWORK_ENABLED
+  \$MAGPIE_NETWORK_INSTANCE_NAME
+  \$MAGPIE_NETWORK_DEFAULT_TOKEN_EXPIRY
+  \$MAGPIE_NETWORK_INTERNAL_TOKEN_EXPIRY
+  \$MAGPIE_NETWORK_TOKEN_NAME
+  \$MAGPIE_NETWORK_PROVIDER
+  \$MAGPIE_NETWORK_NAME_PREFIX
+  \$MAGPIE_NETWORK_GROUP_NAME
+  \$MAGPIE_NETWORK_PEM_FILES_ON_CONTAINER
+  \$MAGPIE_NETWORK_PEM_PASSWORDS
+  \$MAGPIE_NETWORK_CREATE_MISSING_PEM_FILE
 "
@@ -24,6 +24,7 @@ services:
       - ./components/magpie/providers.cfg:${MAGPIE_PROVIDERS_CONFIG_PATH}/providers.cfg
       - ./components/magpie/permissions.cfg:${MAGPIE_PERMISSIONS_CONFIG_PATH}/permissions.cfg
       - ./components/magpie/magpie.ini:/opt/local/src/magpie/config/magpie.ini
+      - ${MAGPIE_NETWORK_PEM_DIR}:/magpie-pem
     restart: always
     healthcheck:
       test: ["CMD", "wget", "-qO-", "http://0.0.0.0:2001"]

@@ -81,6 +81,19 @@ magpie.smtp_port = ${MAGPIE_SMTP_PORT}
 magpie.smtp_ssl = ${MAGPIE_SMTP_SSL}
 magpie.smtp_password = ${MAGPIE_SMTP_PASSWORD}
 
+# network mode configuration
+magpie.network_enabled = ${MAGPIE_NETWORK_ENABLED}
+magpie.network_instance_name = ${MAGPIE_NETWORK_INSTANCE_NAME}
+magpie.network_default_token_expiry = ${MAGPIE_NETWORK_DEFAULT_TOKEN_EXPIRY}
+magpie.network_internal_token_expiry = ${MAGPIE_NETWORK_INTERNAL_TOKEN_EXPIRY}
+magpie.network_token_name = ${MAGPIE_NETWORK_TOKEN_NAME}
+magpie.network_provider = ${MAGPIE_NETWORK_PROVIDER}
+magpie.network_name_prefix = ${MAGPIE_NETWORK_NAME_PREFIX}
+magpie.network_group_name = ${MAGPIE_NETWORK_GROUP_NAME}
+magpie.network_pem_files = ${MAGPIE_NETWORK_PEM_FILES_ON_CONTAINER}
+magpie.network_pem_passwords = ${MAGPIE_NETWORK_PEM_PASSWORDS}
+magpie.network_create_missing_pem_file = ${MAGPIE_NETWORK_CREATE_MISSING_PEM_FILE}
+
 # See https://pavics-magpie.readthedocs.io/en/latest/configuration.html#envvar-MAGPIE_USER_NAME_EXTRA_REGEX for details
 # User names must match the regular expression defined here as well (whether this variable is set or not):
 #    https://github.com/Ouranosinc/Magpie/blob/595602/magpie/api/management/user/user_utils.py#L66

@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+
+if [ "$(echo "${MAGPIE_NETWORK_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
+    if [ -z "${MAGPIE_NETWORK_INSTANCE_NAME}" ]; then
+        log ERROR "MAGPIE_NETWORK_INSTANCE_NAME must be set when MAGPIE_NETWORK_ENABLED is true"
+        exit 1
+    fi
+    if [ -z "${MAGPIE_NETWORK_PEM_FILES}" ]; then
+        log ERROR "MAGPIE_NETWORK_PEM_FILES must be set when MAGPIE_NETWORK_ENABLED is true"
+        exit 1
+    fi
+fi
@@ -612,6 +612,25 @@ export THREDDS_ADDITIONAL_CATALOG=''
 #export MAGPIE_SMTP_SSL=true
 #export MAGPIE_SMTP_PASSWORD=""
 
+# Network mode settings. See for details: 
+# https://pavics-magpie.readthedocs.io/en/latest/configuration.html#network-mode-settings
+# Note: if MAGPIE_NETWORK_CREATE_MISSING_PEM_FILE is false you can manually create a private key
+# by running:
+#       bin/birdhouse compose run --rm magpie magpie_create_private_key 
+# For usage options, run the command above with the `--help` flag at the end.
+
+#export MAGPIE_NETWORK_ENABLED=true  # Note: by default network mode is off (false)
+#export MAGPIE_NETWORK_INSTANCE_NAME=thisinstance  # Note: this must be a unique name in the network so no default is set
+#export MAGPIE_NETWORK_DEFAULT_TOKEN_EXPIRY=86400
+#export MAGPIE_NETWORK_INTERNAL_TOKEN_EXPIRY=30
+#export MAGPIE_NETWORK_TOKEN_NAME=magpie_token
+#export MAGPIE_NETWORK_PROVIDER=magpie_network
+#export MAGPIE_NETWORK_NAME_PREFIX=magpie_network_
+#export MAGPIE_NETWORK_GROUP_NAME=magpie_network
+#export MAGPIE_NETWORK_PEM_FILES=key.pem  # These files must be relative paths from the MAGPIE_NETWORK_PEM_DIR directory
+#export MAGPIE_NETWORK_PEM_PASSWORDS=
+#export MAGPIE_NETWORK_CREATE_MISSING_PEM_FILE=true
+
 # Set to 'false' if using self-signed SSL certificate
 #export BIRDHOUSE_VERIFY_SSL="true"