Sync chart from pieced-threema-gateway 0.1.1

2026-05-16 20:52:10 +00:00
commit 1d88033575
8 changed files with 380 additions and 0 deletions
--- a/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
+++ b/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
@@ -0,0 +1,87 @@
+{{- if .Values.networkPolicy.enabled }}
+# =============================================================================
+# Ingress: who can talk to the relay
+# =============================================================================
+# Three sources:
+#   1. The cluster Ingress controller (nginx-ingress) — for Threema webhooks
+#      hitting us through the LB.
+#   2. The portal namespace — calls /admin and reads /metrics.
+#   3. Tenant namespaces (managed by pieced-operator) — call /api/send.
+#
+# Egress:
+#   - DNS (kube-system)
+#   - Threema Gateway: msgapi.threema.ch:443 (FQDN-pinned)
+#   - Postgres in same namespace
+#   - HTTPS to tenant OpenClaw services in tenant namespaces (port 18789)
+# =============================================================================
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: pieced-threema-gateway
+  namespace: {{ .Values.namespace }}
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: pieced-threema-gateway
+  ingress:
+    # nginx-ingress
+    - fromEndpoints:
+        - matchLabels:
+            "k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": "ingress-nginx"
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: TCP
+    # Portal
+    - fromEndpoints:
+        - matchLabels:
+            "k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": {{ .Values.networkPolicy.portalNamespace | quote }}
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: TCP
+            - port: "9090"
+              protocol: TCP
+    # Tenant namespaces (pieced-operator-managed)
+    - fromEndpoints:
+        - matchLabels:
+            {{ .Values.networkPolicy.tenantNamespaceLabel | quote }}: {{ .Values.networkPolicy.tenantNamespaceLabelValue | quote }}
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: TCP
+  egress:
+    # DNS
+    - toEndpoints:
+        - matchLabels:
+            "k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": "kube-system"
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+            - port: "53"
+              protocol: TCP
+    # Threema Gateway public API
+    - toFQDNs:
+        - matchName: "msgapi.threema.ch"
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+    # Postgres (same namespace)
+    - toEndpoints:
+        - matchLabels:
+            "cnpg.io/cluster": "pieced-threema-gateway-db"
+      toPorts:
+        - ports:
+            - port: "5432"
+              protocol: TCP
+    # Tenant OpenClaw services — port 18789, any tenant namespace
+    - toEndpoints:
+        - matchLabels:
+            {{ .Values.networkPolicy.tenantNamespaceLabel | quote }}: {{ .Values.networkPolicy.tenantNamespaceLabelValue | quote }}
+      toPorts:
+        - ports:
+            - port: "18789"
+              protocol: TCP
+{{- end }}