From e6ebd23442574666fb8bf5ff4c59b3ae30ac6a6f Mon Sep 17 00:00:00 2001
From: pieced-ci
Date: Sat, 16 May 2026 20:01:05 +0000
Subject: [PATCH] Sync chart from pieced-operator 0.1.47
---
 deploy/helm/pieced-operator/Chart.yaml | 4 +-
 .../pieced-operator/templates/catalog-cm.yaml | 56 +++++++++++++++++++
 deploy/helm/pieced-operator/values.yaml | 2 +-
 3 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/deploy/helm/pieced-operator/Chart.yaml b/deploy/helm/pieced-operator/Chart.yaml
index 17bcdbc..7c8c101 100644
--- a/deploy/helm/pieced-operator/Chart.yaml
+++ b/deploy/helm/pieced-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pieced-operator
 description: PieCed IT tenant lifecycle operator
-version: 0.1.46
-appVersion: "0.1.46"
+version: 0.1.47
+appVersion: "0.1.47"
 type: application
diff --git a/deploy/helm/pieced-operator/templates/catalog-cm.yaml b/deploy/helm/pieced-operator/templates/catalog-cm.yaml
index db8cc4f..ce5af67 100644
--- a/deploy/helm/pieced-operator/templates/catalog-cm.yaml
+++ b/deploy/helm/pieced-operator/templates/catalog-cm.yaml
@@ -254,6 +254,62 @@ data:
 2. Create app, add bot, copy token and app ID
 3. Invite bot to server with messages scope
+ # Threema via the central PieCed gateway (pieced-threema-gateway in
+ # `threema-gateway` namespace). Differs from a typical channel
+ # package in two important ways:
+ #
+ # 1. No customer-supplied secret. The token + HMAC secret used
+ # by the openclaw-channel-threema-relay plugin are minted by
+ # the relay's /admin/tokens endpoint when the portal enables
+ # the package, then written to the same vault path suffix
+ # below. So `secret_key` here lists the keys the plugin reads;
+ # the WRITER is the portal (POST /api/tenants/:name/threema),
+ # not a customer wizard step.
+ #
+ # 2. Cross-namespace egress to `threema-gateway:8080`. The new
+ # `namespace` field on egress_rules emits a Cilium toEndpoints
+ # rule scoped to that namespace; in-cluster traffic to a
+ # sibling namespace would otherwise be blocked by the
+ # cluster-wide tenant isolation policy.
+ #
+ # The matching cross-namespace INGRESS rule (relay → OpenClaw 18789)
+ # is added by the builder when it sees `channels: { threema: ... }`
+ # in any enabled package.
+ threema:
+ name: Threema
+ category: channel
+ description: Threema messaging via the PieCed central gateway
+ channels:
+ threema:
+ enabled: true
+ env_vars:
+ - name: THREEMA_RELAY_URL
+ default: "http://pieced-threema-gateway.threema-gateway.svc:8080"
+ - name: THREEMA_RELAY_TOKEN
+ secret_key: token
+ vault_path_suffix: threema-relay
+ - name: THREEMA_RELAY_HMAC_SECRET
+ secret_key: hmac-secret
+ vault_path_suffix: threema-relay
+ bindings:
+ - match:
+ channel: threema
+ egress_rules:
+ - namespace: threema-gateway
+ port: 8080
+ customer_instructions: |
+ 1. Once enabled, register the Threema IDs you want to receive
+ messages from under "Authorized Users → threema".
+ 2. PieCed will route messages between those Threema IDs and
+ your assistant via the central gateway — no Gateway account
+ of your own required.
+ 3. Each Threema ID can only belong to one PieCed tenant. If a
+ registration fails, that ID is already claimed elsewhere.
+ disclaimer: >
+ Messages are end-to-end encrypted at the Threema boundary by
+ the PieCed central gateway. Inbound and outbound message
+ counts are logged per tenant for billing.
+
 # =====================================================================
 # SKILLS — ClawHub skill installs. Operator passes each entry through
 # to spec.skills on the OpenClawInstance.
diff --git a/deploy/helm/pieced-operator/values.yaml b/deploy/helm/pieced-operator/values.yaml
index 205b65f..80005a4 100644
--- a/deploy/helm/pieced-operator/values.yaml
+++ b/deploy/helm/pieced-operator/values.yaml
@@ -1,6 +1,6 @@
 image:
 repository: registry.c5ai.ch/pieced/pieced-operator
- tag: "0.1.46"
+ tag: "0.1.47"
 pullPolicy: IfNotPresent
 imagePullSecrets:
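Review bot: In the new `threema` entry of catalog-cm.yaml, the `THREEMA_RELAY_URL` default is plain `http://`, so `THREEMA_RELAY_TOKEN` and the message bodies cross the tenant-to-`threema-gateway` namespace hop unencrypted unless something outside this hunk (transport encryption at the network layer, a mesh) protects it. The HMAC secret presumably covers payload integrity, but it gives no confidentiality for the token or the content. If the gateway can serve TLS, make the default an `https://` URL; otherwise state the dependency next to the value, e.g. `# Plain HTTP in-cluster: confidentiality of token and messages relies on <cluster transport encryption> — confirm it is enabled`. The `disclaimer` also reads as if PieCed cannot see message content, while "encrypted at the Threema boundary by the PieCed central gateway" suggests the gateway handles plaintext; wording such as `Messages are encrypted between the PieCed central gateway and Threema.` would match what the comment block describes. The enclosing `data:` block starts and ends outside the hunk, so how `namespace` on `egress_rules` is rendered is not visible here.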