pieced/pieced-threema-gateway-public
Public Access
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync chart from pieced-threema-gateway 0.1.1

Browse Source
This commit is contained in:
pieced-ci
2026-05-16 20:52:10 +00:00
commit 1d88033575
8 changed files with 380 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
deploy/helm/pieced-threema-gateway/templates/database.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if .Values.postgres.enabled }}
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: pieced-threema-gateway-db
namespace: {{ .Values.namespace }}
spec:
instances: {{ .Values.postgres.instances }}
bootstrap:
initdb:
database: relay
owner: relay
storage:
size: {{ .Values.postgres.storage.size }}
storageClass: {{ .Values.postgres.storage.storageClass }}
resources:
{{- toYaml .Values.postgres.resources | nindent 4 }}
monitoring:
enablePodMonitor: true
{{- end }}

80
deploy/helm/pieced-threema-gateway/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,80 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: pieced-threema-gateway
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: pieced-threema-gateway
app.kubernetes.io/managed-by: helm
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app.kubernetes.io/name: pieced-threema-gateway
template:
metadata:
labels:
app.kubernetes.io/name: pieced-threema-gateway
spec:
serviceAccountName: pieced-threema-gateway
containers:
- name: relay
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 8080
- name: metrics
containerPort: 9090
env:
- name: LISTEN_HOST
value: "0.0.0.0"
- name: LISTEN_PORT
value: "8080"
- name: METRICS_PORT
value: "9090"
- name: LOG_LEVEL
value: {{ .Values.logLevel | quote }}
- name: OPENCLAW_URL_TEMPLATE
value: {{ .Values.openclawUrlTemplate | quote }}
- name: FORWARD_TIMEOUT_MS
value: {{ .Values.forwardTimeoutMs | quote }}
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: pieced-threema-gateway-db-app
key: uri
- name: THREEMA_API_IDENTITY
valueFrom:
secretKeyRef:
name: threema-credentials
key: api-identity
- name: THREEMA_API_SECRET
valueFrom:
secretKeyRef:
name: threema-credentials
key: api-secret
- name: THREEMA_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: threema-credentials
key: private-key
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: threema-admin-token
key: token
livenessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 10
periodSeconds: 30
readinessProbe:
httpGet:
path: /readyz
port: http
initialDelaySeconds: 3
periodSeconds: 10
resources:
{{- toYaml .Values.resources | nindent 12 }}

45
deploy/helm/pieced-threema-gateway/templates/externalsecret.yaml Normal file
View File

@@ -0,0 +1,45 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: threema-credentials
namespace: {{ .Values.namespace }}
spec:
refreshInterval: 1h
secretStoreRef:
name: openbao-backend
kind: ClusterSecretStore
target:
name: threema-credentials
creationPolicy: Owner
data:
- secretKey: api-identity
remoteRef:
key: {{ .Values.secrets.threemaPath }}
property: api-identity
- secretKey: api-secret
remoteRef:
key: {{ .Values.secrets.threemaPath }}
property: api-secret
- secretKey: private-key
remoteRef:
key: {{ .Values.secrets.threemaPath }}
property: private-key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: threema-admin-token
namespace: {{ .Values.namespace }}
spec:
refreshInterval: 1h
secretStoreRef:
name: openbao-backend
kind: ClusterSecretStore
target:
name: threema-admin-token
creationPolicy: Owner
data:
- secretKey: token
remoteRef:
key: {{ .Values.secrets.adminTokenPath }}
property: token

37
deploy/helm/pieced-threema-gateway/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{- if .Values.ingress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pieced-threema-gateway
namespace: {{ .Values.namespace }}
annotations:
{{- if .Values.ingress.tls.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.issuer | quote }}
{{- end }}
# Threema's outbound webhook IPs are publicly documented as the
# standard Threema infrastructure. Lock down if you want to be strict;
# otherwise leave open since the MAC check is the real security gate.
nginx.ingress.kubernetes.io/proxy-body-size: "128k"
nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
spec:
ingressClassName: {{ .Values.ingress.className }}
{{- if .Values.ingress.tls.enabled }}
tls:
- hosts:
- {{ .Values.ingress.host }}
secretName: {{ .Values.ingress.tls.secretName }}
{{- end }}
rules:
- host: {{ .Values.ingress.host }}
http:
paths:
# Threema's CDN only ever hits /webhooks/threema. Don't expose
# /admin or /api from the internet — those go cluster-internal only.
- path: /webhooks/threema
pathType: Exact
backend:
service:
name: pieced-threema-gateway
port:
number: {{ .Values.service.port }}
{{- end }}

87
deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,87 @@
{{- if .Values.networkPolicy.enabled }}
# =============================================================================
# Ingress: who can talk to the relay
# =============================================================================
# Three sources:
# 1. The cluster Ingress controller (nginx-ingress) — for Threema webhooks
# hitting us through the LB.
# 2. The portal namespace — calls /admin and reads /metrics.
# 3. Tenant namespaces (managed by pieced-operator) — call /api/send.
#
# Egress:
# - DNS (kube-system)
# - Threema Gateway: msgapi.threema.ch:443 (FQDN-pinned)
# - Postgres in same namespace
# - HTTPS to tenant OpenClaw services in tenant namespaces (port 18789)
# =============================================================================
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: pieced-threema-gateway
namespace: {{ .Values.namespace }}
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: pieced-threema-gateway
ingress:
# nginx-ingress
- fromEndpoints:
- matchLabels:
"k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": "ingress-nginx"
toPorts:
- ports:
- port: "8080"
protocol: TCP
# Portal
- fromEndpoints:
- matchLabels:
"k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": {{ .Values.networkPolicy.portalNamespace | quote }}
toPorts:
- ports:
- port: "8080"
protocol: TCP
- port: "9090"
protocol: TCP
# Tenant namespaces (pieced-operator-managed)
- fromEndpoints:
- matchLabels:
{{ .Values.networkPolicy.tenantNamespaceLabel | quote }}: {{ .Values.networkPolicy.tenantNamespaceLabelValue | quote }}
toPorts:
- ports:
- port: "8080"
protocol: TCP
egress:
# DNS
- toEndpoints:
- matchLabels:
"k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": "kube-system"
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP
# Threema Gateway public API
- toFQDNs:
- matchName: "msgapi.threema.ch"
toPorts:
- ports:
- port: "443"
protocol: TCP
# Postgres (same namespace)
- toEndpoints:
- matchLabels:
"cnpg.io/cluster": "pieced-threema-gateway-db"
toPorts:
- ports:
- port: "5432"
protocol: TCP
# Tenant OpenClaw services — port 18789, any tenant namespace
- toEndpoints:
- matchLabels:
{{ .Values.networkPolicy.tenantNamespaceLabel | quote }}: {{ .Values.networkPolicy.tenantNamespaceLabelValue | quote }}
toPorts:
- ports:
- port: "18789"
protocol: TCP
{{- end }}

26
deploy/helm/pieced-threema-gateway/templates/service.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
name: pieced-threema-gateway
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: pieced-threema-gateway
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: pieced-threema-gateway
ports:
- name: http
port: {{ .Values.service.port }}
targetPort: 8080
protocol: TCP
- name: metrics
port: {{ .Values.service.metricsPort }}
targetPort: 9090
protocol: TCP
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pieced-threema-gateway
namespace: {{ .Values.namespace }}