From 819e90c16cd90eac989db0522537a5bd38c8955a Mon Sep 17 00:00:00 2001
From: pieced-ci
Date: Sun, 17 May 2026 08:35:58 +0000
Subject: [PATCH] Sync chart from pieced-threema-gateway 0.1.6
---
 deploy/helm/pieced-threema-gateway/Chart.yaml | 4 ++--
 .../templates/networkpolicy.yaml | 15 ++++++++++++++-
 deploy/helm/pieced-threema-gateway/values.yaml | 2 +-
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/deploy/helm/pieced-threema-gateway/Chart.yaml b/deploy/helm/pieced-threema-gateway/Chart.yaml
index 8dff039..fe238c4 100644
--- a/deploy/helm/pieced-threema-gateway/Chart.yaml
+++ b/deploy/helm/pieced-threema-gateway/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: pieced-threema-gateway
 description: PieCed IT central Threema Gateway relay
 type: application
-version: 0.1.5
-appVersion: "0.1.5"
+version: 0.1.6
+appVersion: "0.1.6"
diff --git a/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml b/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
index 37442d1..a27d169 100644
--- a/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
+++ b/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
@@ -51,7 +51,17 @@ spec:
 - port: "8080"
 protocol: TCP
 egress:
- # DNS
+ # DNS — with the proxy interceptor on so toFQDNs rules below
+ # actually work.
+ #
+ # Cilium `toFQDNs` matches against a per-pod identity that is
+ # populated only when the Cilium DNS proxy observes a resolution
+ # for that name. The proxy is enabled per-policy by a `rules.dns`
+ # clause on the DNS egress: without it, DNS resolution still
+ # succeeds (we allow port 53 to kube-system) but Cilium never
+ # learns the resolved IP, so the subsequent TCP connect to
+ # msgapi.threema.ch is denied at egress and the relay logs
+ # "fetch failed" with no further detail.
 - toEndpoints:
 - matchLabels:
 "k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": "kube-system"
@@ -61,6 +71,9 @@ spec:
 protocol: UDP
 - port: "53"
 protocol: TCP
+ rules:
+ dns:
+ - matchPattern: "*"
 # Threema Gateway public API
 - toFQDNs:
 - matchName: "msgapi.threema.ch"
diff --git a/deploy/helm/pieced-threema-gateway/values.yaml b/deploy/helm/pieced-threema-gateway/values.yaml
index 9143cf7..d3ca52b 100644
--- a/deploy/helm/pieced-threema-gateway/values.yaml
+++ b/deploy/helm/pieced-threema-gateway/values.yaml
@@ -6,7 +6,7 @@ namespace: threema-gateway
 image:
 repository: registry.c5ai.ch/pieced/pieced-threema-gateway
- tag: "0.1.5"
+ tag: "0.1.6"
 pullPolicy: IfNotPresent # Pull from registry.c5ai.ch — matches operator + portal pattern.
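Review bot: The new `rules.dns` clause uses `matchPattern: "*"`, which makes the Cilium DNS proxy forward every name the relay queries, so the port-53 egress to kube-system becomes an unrestricted L7 channel even though the only `toFQDNs` entry visible in this hunk is `msgapi.threema.ch`. Narrowing the clause to the names the relay actually needs, `- matchName: "msgapi.threema.ch"` in place of the wildcard, is enough for `toFQDNs` to keep working (the proxy still observes that resolution) and turns any other lookup into a denied, observable policy verdict instead of silently allowed traffic. If the relay also resolves in-cluster names, list them as explicit entries rather than reopening `*`; the lines between this hunk and the previous one, and anything after `matchName`, are outside the diff, so there may be further `toFQDNs` entries to mirror. The enclosing `egress` list starts in the preceding hunk and may continue past the last line shown here.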