Sync chart from pieced-threema-gateway 0.1.1

2026-05-16 20:52:10 +00:00
commit 1d88033575
8 changed files with 380 additions and 0 deletions
--- a/deploy/helm/pieced-threema-gateway/values.yaml
+++ b/deploy/helm/pieced-threema-gateway/values.yaml
@@ -0,0 +1,79 @@
+# =============================================================================
+# pieced-threema-gateway Helm values
+# =============================================================================
+
+namespace: threema-gateway
+
+image:
+  repository: git.c5ai.ch/pieced/pieced-threema-gateway
+  tag: "0.1.1"
+  pullPolicy: IfNotPresent
+
+replicas: 1
+
+service:
+  port: 8080
+  metricsPort: 9090
+
+# Internet-facing ingress so Threema's CDN can POST webhooks.
+# DNS must resolve threemaGw.host to your cluster's LB IP.
+ingress:
+  enabled: true
+  className: nginx
+  host: threema-gw.pieced.ch
+  tls:
+    enabled: true
+    # cert-manager ClusterIssuer name — matches the rest of pieced-gitops
+    issuer: letsencrypt-production
+    secretName: threema-gw-tls
+
+# CloudNativePG cluster created in-chart, mirrors portal-db pattern.
+postgres:
+  enabled: true
+  instances: 1
+  storage:
+    size: 5Gi
+    storageClass: longhorn-luks2
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+
+# Secrets sourced from OpenBao via External Secrets Operator.
+# Paths use the same convention as apps/portal/external-secrets.yaml:
+# full key path starting with the KV v2 mount name (`secret/`), no
+# `/data/` segment — ESO with the openbao-backend ClusterSecretStore
+# rewrites that automatically for KV v2 paths.
+secrets:
+  # Threema Gateway credentials — PieCed-wide, one identity for the platform.
+  threemaPath: secret/threema-gateway/credentials
+  # Admin token shared with pieced-portal.
+  adminTokenPath: secret/threema-gateway/admin
+
+# Template for inbound delivery to tenant OpenClaw instances. Verify your
+# OpenClaw operator's Service naming before deploy.
+openclawUrlTemplate: http://openclaw.tenant-{tenant}.svc.cluster.local:18789/webhooks/threema-relay
+
+forwardTimeoutMs: 8000
+
+logLevel: info
+
+# Resources for the relay pod
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+# CiliumNetworkPolicy — restricts who can talk in and out.
+networkPolicy:
+  enabled: true
+  # Tenant namespaces are matched by label set by the operator.
+  # Cedric's pieced-operator sets pieced.ch/managed-by=pieced-operator
+  # on every tenant namespace it provisions.
+  tenantNamespaceLabel: "k8s:io.cilium.k8s.namespace.labels.pieced.ch/managed-by"
+  tenantNamespaceLabelValue: "pieced-operator"
+  # The portal pod runs in this namespace (per apps/portal in pieced-gitops).
+  portalNamespace: pieced-system