From 834bed88e00ffd5b2d52f0ce57ab4b9e6421ba47 Mon Sep 17 00:00:00 2001
From: pieced-ci <ci@pieced.ch>
Date: Sun, 17 May 2026 11:27:41 +0000
Subject: [PATCH] Sync chart from pieced-threema-gateway 0.1.7

---
 deploy/helm/pieced-threema-gateway/Chart.yaml        |  4 ++--
 .../templates/networkpolicy.yaml                     | 12 ++++++++++--
 deploy/helm/pieced-threema-gateway/values.yaml       |  2 +-
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/deploy/helm/pieced-threema-gateway/Chart.yaml b/deploy/helm/pieced-threema-gateway/Chart.yaml
index fe238c4..1477b2c 100644
--- a/deploy/helm/pieced-threema-gateway/Chart.yaml
+++ b/deploy/helm/pieced-threema-gateway/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: pieced-threema-gateway
 description: PieCed IT central Threema Gateway relay
 type: application
-version: 0.1.6
-appVersion: "0.1.6"
+version: 0.1.7
+appVersion: "0.1.7"
diff --git a/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml b/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
index a27d169..1592175 100644
--- a/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
+++ b/deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
@@ -96,12 +96,20 @@ spec:
         - ports:
             - port: "5432"
               protocol: TCP
-    # Tenant OpenClaw services — port 18789, any tenant namespace
+    # Tenant OpenClaw services — port 18790 (Service targetPort).
+    #
+    # Why 18790, not 18789:
+    # OpenClaw's per-tenant Service exposes the gateway as
+    # `port: 18789, targetPort: 18790`. Cilium's socket-LB rewrites
+    # `connect(svc-IP:18789)` to `pod-IP:18790` before the egress policy
+    # hook fires, so the rule must allow the targetPort (18790), not
+    # the Service port. The application's OPENCLAW_URL_TEMPLATE still
+    # uses :18789 (correct — application connects to the Service port).
     - toEndpoints:
         - matchLabels:
             {{ .Values.networkPolicy.tenantNamespaceLabel | quote }}: {{ .Values.networkPolicy.tenantNamespaceLabelValue | quote }}
       toPorts:
         - ports:
-            - port: "18789"
+            - port: "18790"
               protocol: TCP
 {{- end }}
diff --git a/deploy/helm/pieced-threema-gateway/values.yaml b/deploy/helm/pieced-threema-gateway/values.yaml
index d3ca52b..0014982 100644
--- a/deploy/helm/pieced-threema-gateway/values.yaml
+++ b/deploy/helm/pieced-threema-gateway/values.yaml
@@ -6,7 +6,7 @@ namespace: threema-gateway
 
 image:
   repository: registry.c5ai.ch/pieced/pieced-threema-gateway
-  tag: "0.1.6"
+  tag: "0.1.7"
   pullPolicy: IfNotPresent
 
 # Pull from registry.c5ai.ch — matches operator + portal pattern.