Sync chart from pieced-operator 0.1.51

deploy/helm/pieced-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pieced-operator
 description: PieCed IT tenant lifecycle operator
-version: 0.1.46
+version: 0.1.51
-appVersion: "0.1.46"
+appVersion: "0.1.51"
 type: application

deploy/helm/pieced-operator/templates/catalog-cm.yaml

@@ -254,6 +254,86 @@ data:
           2. Create app, add bot, copy token and app ID
           3. Invite bot to server with messages scope
 
+      # Threema via the central PieCed gateway (pieced-threema-gateway in
+      # `threema-gateway` namespace). Differs from a typical channel
+      # package in two important ways:
+      #
+      #   1. No customer-supplied secret. The token + HMAC secret used
+      #      by the openclaw-channel-threema-relay plugin are minted by
+      #      the relay's /admin/tokens endpoint when the portal enables
+      #      the package, then written to the same vault path suffix
+      #      below. So `secret_key` here lists the keys the plugin reads;
+      #      the WRITER is the portal (POST /api/tenants/:name/threema),
+      #      not a customer wizard step.
+      #
+      #   2. Cross-namespace egress to `threema-gateway:8080`. The new
+      #      `namespace` field on egress_rules emits a Cilium toEndpoints
+      #      rule scoped to that namespace; in-cluster traffic to a
+      #      sibling namespace would otherwise be blocked by the
+      #      cluster-wide tenant isolation policy.
+      #
+      # The matching cross-namespace INGRESS rule (relay → OpenClaw 18789)
+      # is added by the builder when it sees `channels: { threema: ... }`
+      # in any enabled package.
+      threema:
+        name: Threema
+        category: channel
+        description: Threema messaging via the PieCed central gateway
+        channels:
+          threema:
+            enabled: true
+        env_vars:
+          - name: THREEMA_RELAY_URL
+            default: "http://pieced-threema-gateway.threema-gateway.svc:8080"
+          - name: THREEMA_RELAY_TOKEN
+            secret_key: token
+            vault_path_suffix: threema-relay
+          - name: THREEMA_RELAY_HMAC_SECRET
+            secret_key: hmac-secret
+            vault_path_suffix: threema-relay
+        bindings:
+          - match:
+              channel: threema
+        egress_rules:
+          - namespace: threema-gateway
+            port: 8080
+        # OpenClaw 2026.5.x loads external plugins from
+        # /data/extensions/<dir>/openclaw.plugin.json. Three gates must
+        # be open for the runtime to register an external plugin:
+        #   1. plugins.enabled: true             — feature flag
+        #   2. plugins.allow contains the id     — security allowlist
+        #   3. plugins.entries.<id>.enabled: true — per-plugin toggle
+        # Cedric's personal instance.yaml hand-codes the same three gates
+        # for his direct `openclaw-channel-threema` plugin; this patch
+        # generates them automatically for every tenant that enables
+        # threema. The init container that copies the plugin onto the
+        # PVC is emitted by the operator (plugin_image below).
+        config_patch:
+          plugins:
+            enabled: true
+            allow:
+              - "threema"
+            entries:
+              threema:
+                enabled: true
+                config: {}
+        plugin_image:
+          repository: registry.c5ai.ch/pieced/openclaw-channel-threema-relay
+          tag: "0.1.1"
+          target_dir: openclaw-channel-threema-relay
+        customer_instructions: |
+          1. Once enabled, register the Threema IDs you want to receive
+             messages from under "Authorized Users → threema".
+          2. PieCed will route messages between those Threema IDs and
+             your assistant via the central gateway — no Gateway account
+             of your own required.
+          3. Each Threema ID can only belong to one PieCed tenant. If a
+             registration fails, that ID is already claimed elsewhere.
+        disclaimer: >
+          Messages are end-to-end encrypted at the Threema boundary by
+          the PieCed central gateway. Inbound and outbound message
+          counts are logged per tenant for billing.
+
       # =====================================================================
       # SKILLS — ClawHub skill installs. Operator passes each entry through
       # to spec.skills on the OpenClawInstance.

deploy/helm/pieced-operator/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: registry.c5ai.ch/pieced/pieced-operator
-  tag: "0.1.46"
+  tag: "0.1.51"
   pullPolicy: IfNotPresent
 
 imagePullSecrets: