This commit is contained in:
70
deploy/README-threema.md
Normal file
70
deploy/README-threema.md
Normal file
@@ -0,0 +1,70 @@
|
||||
# Wiring Threema relay into the portal
|
||||
|
||||
Drop-in files in this archive:
|
||||
|
||||
```
|
||||
src/lib/packages.ts # add 'threema' to catalog + customProvisioning flag
|
||||
src/lib/threema-relay.ts # new — admin API client
|
||||
src/app/api/tenants/[name]/threema/route.ts # new — POST provision / DELETE deprovision
|
||||
src/app/api/tenants/[name]/threema/routes/route.ts # new — atomic add/remove of a single Threema ID
|
||||
src/components/channel-users/channel-users.tsx # branch threema through relay-managed endpoint
|
||||
src/components/packages/package-card.tsx # handle customProvisioning enable/disable
|
||||
deploy/patch-i18n-threema.mjs # idempotent i18n key injection
|
||||
```
|
||||
|
||||
## Manual steps after dropping in
|
||||
|
||||
1. `.env` (and `.env.example`) — add:
|
||||
```
|
||||
THREEMA_RELAY_URL=http://pieced-threema-gateway.threema-gateway.svc:8080
|
||||
THREEMA_RELAY_ADMIN_TOKEN=__from_openbao__
|
||||
```
|
||||
The portal pod's OpenBao client should also read `secret/data/threema-gateway/admin` and surface `token` as this env var (existing ESO pattern in the portal's Helm chart).
|
||||
|
||||
2. Patch the message files (one-time):
|
||||
```bash
|
||||
node deploy/patch-i18n-threema.mjs
|
||||
```
|
||||
|
||||
3. Re-export `CHANNEL_PACKAGE_IDS` is unchanged in source; verify
|
||||
`tenants/[name]/page.tsx` still derives the enabled-channels list
|
||||
from it — it should now include `threema` automatically once a
|
||||
tenant has it in `spec.packages`.
|
||||
|
||||
4. Type-check:
|
||||
```bash
|
||||
npx tsc --noEmit
|
||||
```
|
||||
|
||||
## Flow summary
|
||||
|
||||
### Enabling Threema for a tenant
|
||||
1. Customer toggles the threema package card.
|
||||
2. PackageCard sees `customProvisioning: true` → POSTs `/api/tenants/<name>/threema`.
|
||||
3. Handler calls relay `POST /admin/tokens` → gets `{token, hmacSecret}`.
|
||||
4. Handler writes them to OpenBao at `secret/data/tenants/tenant-<name>/threema-relay`.
|
||||
5. PackageCard then PATCHes `tenant.spec.packages` to include `threema`.
|
||||
6. Operator reconciles: ExternalSecret syncs OpenBao → Secret; OpenClaw pod restarts with `THREEMA_RELAY_*` env vars; plugin registers `threema` channel.
|
||||
|
||||
### Customer adds a Threema ID
|
||||
1. UI calls `POST /api/tenants/<name>/threema/routes` with `{threemaId}`.
|
||||
2. Handler calls relay `POST /admin/routes` (uniqueness enforced at PK).
|
||||
3. On 201 or 409-from-same-tenant: handler patches K8s `spec.channelUsers.threema`.
|
||||
4. On 409-from-other-tenant: 409 to client with explanation.
|
||||
5. On K8s patch failure after relay success: handler compensates by `DELETE /admin/routes/...` at the relay.
|
||||
|
||||
### Customer removes a Threema ID
|
||||
1. UI calls `DELETE /api/tenants/<name>/threema/routes?threemaId=...`.
|
||||
2. Handler patches K8s `spec.channelUsers.threema` to drop the ID.
|
||||
3. Handler calls relay `DELETE /admin/routes/...` (404 = idempotent OK).
|
||||
4. If relay drop fails: K8s already updated, surface warning but treat as success — relay deletes are idempotent on retry.
|
||||
|
||||
### Disabling Threema for a tenant
|
||||
1. Customer disables the threema card.
|
||||
2. PackageCard DELETEs `/api/tenants/<name>/threema`.
|
||||
3. Handler calls relay `DELETE /admin/tokens/<name>` (cascades to all routes for this tenant).
|
||||
4. Handler deletes OpenBao secret at `secret/data/tenants/tenant-<name>/threema-relay`.
|
||||
5. PackageCard then PATCHes `tenant.spec.packages` to drop `threema`.
|
||||
6. Operator reconciles: ExternalSecret targets a missing OpenBao path → Secret deleted → OpenClaw pod restarts without `threema` channel.
|
||||
|
||||
There's a small window (between step 4 and the operator's reconcile) where the pod still thinks it has a relay token but the relay has revoked it. Outbound during that window returns 401 from the relay; inbound is blackholed at the relay because routes are gone. Both are graceful failures.
|
||||
80
deploy/patch-i18n-threema.mjs
Normal file
80
deploy/patch-i18n-threema.mjs
Normal file
@@ -0,0 +1,80 @@
|
||||
#!/usr/bin/env node
|
||||
/**
|
||||
* Run: node deploy/patch-i18n-threema.mjs
|
||||
*
|
||||
* Idempotently injects:
|
||||
* - packages.threema.{description, instructions, disclaimer}
|
||||
* - channelUsers.threemaIdHelp
|
||||
*
|
||||
* into all four message files. Run from the pieced-portal repo root.
|
||||
*/
|
||||
import { readFileSync, writeFileSync } from "fs";
|
||||
|
||||
const i18n = {
|
||||
en: {
|
||||
pkg: {
|
||||
description:
|
||||
"Threema messaging routed through the PieCed central gateway. No Gateway account of your own required — PieCed mints credentials when you enable this package.",
|
||||
instructions:
|
||||
"1. Enable this package — PieCed provisions a central-gateway slot for your tenant.\n2. Add the Threema IDs you want to talk to under Authorized Users → threema.\n3. Each Threema ID can only belong to one PieCed tenant; if a registration fails, that ID is already in use elsewhere.",
|
||||
disclaimer:
|
||||
"Messages are end-to-end encrypted at the Threema boundary by the PieCed central gateway. Inbound and outbound message counts are logged per tenant for billing.",
|
||||
},
|
||||
channelHelp:
|
||||
"Enter the 8-character Threema ID (uppercase letters and digits, no asterisk) of the person you want to talk to. The * prefix is for Gateway accounts, which PieCed manages on your behalf.",
|
||||
},
|
||||
de: {
|
||||
pkg: {
|
||||
description:
|
||||
"Threema-Messaging über das zentrale PieCed-Gateway. Sie benötigen kein eigenes Gateway-Konto — PieCed stellt die Anmeldedaten beim Aktivieren dieses Pakets bereit.",
|
||||
instructions:
|
||||
"1. Aktivieren Sie dieses Paket — PieCed richtet einen zentralen Gateway-Slot für Ihren Tenant ein.\n2. Fügen Sie die Threema-IDs, mit denen Sie kommunizieren wollen, unter Autorisierte Benutzer → threema hinzu.\n3. Jede Threema-ID kann nur einem PieCed-Tenant zugeordnet sein; wenn die Registrierung fehlschlägt, ist die ID bereits anderweitig vergeben.",
|
||||
disclaimer:
|
||||
"Die Nachrichten werden am Threema-Übergang vom zentralen PieCed-Gateway Ende-zu-Ende verschlüsselt. Eingehende und ausgehende Nachrichten werden pro Tenant für die Abrechnung gezählt.",
|
||||
},
|
||||
channelHelp:
|
||||
"Geben Sie die 8-stellige Threema-ID (Großbuchstaben und Ziffern, ohne Sternchen) der Person ein, mit der Sie kommunizieren möchten. Das *-Präfix gehört zu Gateway-Konten, die PieCed für Sie verwaltet.",
|
||||
},
|
||||
fr: {
|
||||
pkg: {
|
||||
description:
|
||||
"Messagerie Threema via la passerelle centrale PieCed. Aucun compte Gateway personnel requis — PieCed génère les identifiants à l'activation du package.",
|
||||
instructions:
|
||||
"1. Activez ce package — PieCed approvisionne un slot de passerelle centrale pour votre tenant.\n2. Ajoutez les identifiants Threema avec lesquels vous souhaitez échanger sous Utilisateurs autorisés → threema.\n3. Chaque identifiant Threema ne peut appartenir qu'à un seul tenant PieCed ; si l'enregistrement échoue, l'identifiant est déjà utilisé ailleurs.",
|
||||
disclaimer:
|
||||
"Les messages sont chiffrés de bout en bout côté Threema par la passerelle centrale PieCed. Les volumes entrant et sortant sont consignés par tenant pour la facturation.",
|
||||
},
|
||||
channelHelp:
|
||||
"Saisissez l'identifiant Threema à 8 caractères (lettres majuscules et chiffres, sans astérisque) de la personne avec qui vous souhaitez communiquer. Le préfixe * concerne les comptes Gateway, gérés par PieCed pour vous.",
|
||||
},
|
||||
it: {
|
||||
pkg: {
|
||||
description:
|
||||
"Messaggistica Threema instradata tramite il gateway centrale PieCed. Non è necessario un account Gateway proprio — PieCed crea le credenziali quando attivi il pacchetto.",
|
||||
instructions:
|
||||
"1. Attiva questo pacchetto — PieCed predispone uno slot del gateway centrale per il tuo tenant.\n2. Aggiungi gli ID Threema con cui vuoi comunicare sotto Utenti autorizzati → threema.\n3. Ogni ID Threema può appartenere a un solo tenant PieCed; se la registrazione fallisce, l'ID è già usato altrove.",
|
||||
disclaimer:
|
||||
"I messaggi sono cifrati end-to-end al confine con Threema dal gateway centrale PieCed. I conteggi di messaggi in ingresso e uscita vengono registrati per tenant ai fini della fatturazione.",
|
||||
},
|
||||
channelHelp:
|
||||
"Inserisci l'ID Threema di 8 caratteri (lettere maiuscole e cifre, senza asterisco) della persona con cui vuoi comunicare. Il prefisso * appartiene agli account Gateway, gestiti da PieCed per te.",
|
||||
},
|
||||
};
|
||||
|
||||
for (const [lang, entries] of Object.entries(i18n)) {
|
||||
const path = `src/messages/${lang}.json`;
|
||||
const json = JSON.parse(readFileSync(path, "utf8"));
|
||||
|
||||
json.packages = json.packages ?? {};
|
||||
json.packages.threema = {
|
||||
description: entries.pkg.description,
|
||||
instructions: entries.pkg.instructions,
|
||||
disclaimer: entries.pkg.disclaimer,
|
||||
};
|
||||
|
||||
json.channelUsers = json.channelUsers ?? {};
|
||||
json.channelUsers.threemaIdHelp = entries.channelHelp;
|
||||
|
||||
writeFileSync(path, JSON.stringify(json, null, 2) + "\n");
|
||||
console.log(`Patched ${path} — added packages.threema and channelUsers.threemaIdHelp`);
|
||||
}
|
||||
Reference in New Issue
Block a user