Sync chart from pieced-operator 0.1.47

2026-05-16 20:01:05 +00:00
parent d3d0c2d8e9
commit e6ebd23442
3 changed files with 59 additions and 3 deletions
--- a/deploy/helm/pieced-operator/templates/catalog-cm.yaml
+++ b/deploy/helm/pieced-operator/templates/catalog-cm.yaml
@@ -254,6 +254,62 @@ data:
          2. Create app, add bot, copy token and app ID
          3. Invite bot to server with messages scope

+      # Threema via the central PieCed gateway (pieced-threema-gateway in
+      # `threema-gateway` namespace). Differs from a typical channel
+      # package in two important ways:
+      #
+      #   1. No customer-supplied secret. The token + HMAC secret used
+      #      by the openclaw-channel-threema-relay plugin are minted by
+      #      the relay's /admin/tokens endpoint when the portal enables
+      #      the package, then written to the same vault path suffix
+      #      below. So `secret_key` here lists the keys the plugin reads;
+      #      the WRITER is the portal (POST /api/tenants/:name/threema),
+      #      not a customer wizard step.
+      #
+      #   2. Cross-namespace egress to `threema-gateway:8080`. The new
+      #      `namespace` field on egress_rules emits a Cilium toEndpoints
+      #      rule scoped to that namespace; in-cluster traffic to a
+      #      sibling namespace would otherwise be blocked by the
+      #      cluster-wide tenant isolation policy.
+      #
+      # The matching cross-namespace INGRESS rule (relay → OpenClaw 18789)
+      # is added by the builder when it sees `channels: { threema: ... }`
+      # in any enabled package.
+      threema:
+        name: Threema
+        category: channel
+        description: Threema messaging via the PieCed central gateway
+        channels:
+          threema:
+            enabled: true
+        env_vars:
+          - name: THREEMA_RELAY_URL
+            default: "http://pieced-threema-gateway.threema-gateway.svc:8080"
+          - name: THREEMA_RELAY_TOKEN
+            secret_key: token
+            vault_path_suffix: threema-relay
+          - name: THREEMA_RELAY_HMAC_SECRET
+            secret_key: hmac-secret
+            vault_path_suffix: threema-relay
+        bindings:
+          - match:
+              channel: threema
+        egress_rules:
+          - namespace: threema-gateway
+            port: 8080
+        customer_instructions: |
+          1. Once enabled, register the Threema IDs you want to receive
+             messages from under "Authorized Users → threema".
+          2. PieCed will route messages between those Threema IDs and
+             your assistant via the central gateway — no Gateway account
+             of your own required.
+          3. Each Threema ID can only belong to one PieCed tenant. If a
+             registration fails, that ID is already claimed elsewhere.
+        disclaimer: >
+          Messages are end-to-end encrypted at the Threema boundary by
+          the PieCed central gateway. Inbound and outbound message
+          counts are logged per tenant for billing.
+
      # =====================================================================
      # SKILLS — ClawHub skill installs. Operator passes each entry through
      # to spec.skills on the OpenClawInstance.