Sync chart from pieced-threema-gateway 0.1.7

deploy/helm/pieced-threema-gateway/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: pieced-threema-gateway
 description: PieCed IT central Threema Gateway relay
 type: application
-version: 0.1.3
+version: 0.1.7
-appVersion: "0.1.3"
+appVersion: "0.1.7"

deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml

@@ -51,7 +51,17 @@ spec:
             - port: "8080"
               protocol: TCP
   egress:
-    # DNS
+    # DNS — with the proxy interceptor on so toFQDNs rules below
+    # actually work.
+    #
+    # Cilium `toFQDNs` matches against a per-pod identity that is
+    # populated only when the Cilium DNS proxy observes a resolution
+    # for that name. The proxy is enabled per-policy by a `rules.dns`
+    # clause on the DNS egress: without it, DNS resolution still
+    # succeeds (we allow port 53 to kube-system) but Cilium never
+    # learns the resolved IP, so the subsequent TCP connect to
+    # msgapi.threema.ch is denied at egress and the relay logs
+    # "fetch failed" with no further detail.
     - toEndpoints:
         - matchLabels:
             "k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": "kube-system"
@@ -61,6 +71,9 @@ spec:
               protocol: UDP
             - port: "53"
               protocol: TCP
+          rules:
+            dns:
+              - matchPattern: "*"
     # Threema Gateway public API
     - toFQDNs:
         - matchName: "msgapi.threema.ch"
@@ -68,20 +81,35 @@ spec:
         - ports:
             - port: "443"
               protocol: TCP
-    # Postgres (same namespace)
+    # Postgres (same namespace).
+    #
+    # We match on the namespace label rather than `cnpg.io/cluster`
+    # because that CNPG label is not in Cilium's default identity-relevant
+    # label set in most installations — pods labelled that way still get a
+    # generic Cilium identity, so a matchLabels on it won't match anything.
+    # Restricting to port 5432 + same namespace is safe: the only thing
+    # listening on 5432 in this namespace is CNPG.
     - toEndpoints:
         - matchLabels:
-            "cnpg.io/cluster": "pieced-threema-gateway-db"
+            "k8s:io.kubernetes.pod.namespace": {{ .Values.namespace | quote }}
       toPorts:
         - ports:
             - port: "5432"
               protocol: TCP
-    # Tenant OpenClaw services — port 18789, any tenant namespace
+    # Tenant OpenClaw services — port 18790 (Service targetPort).
+    #
+    # Why 18790, not 18789:
+    # OpenClaw's per-tenant Service exposes the gateway as
+    # `port: 18789, targetPort: 18790`. Cilium's socket-LB rewrites
+    # `connect(svc-IP:18789)` to `pod-IP:18790` before the egress policy
+    # hook fires, so the rule must allow the targetPort (18790), not
+    # the Service port. The application's OPENCLAW_URL_TEMPLATE still
+    # uses :18789 (correct — application connects to the Service port).
     - toEndpoints:
         - matchLabels:
             {{ .Values.networkPolicy.tenantNamespaceLabel | quote }}: {{ .Values.networkPolicy.tenantNamespaceLabelValue | quote }}
       toPorts:
         - ports:
-            - port: "18789"
+            - port: "18790"
               protocol: TCP
 {{- end }}

deploy/helm/pieced-threema-gateway/values.yaml

@@ -6,7 +6,7 @@ namespace: threema-gateway
 
 image:
   repository: registry.c5ai.ch/pieced/pieced-threema-gateway
-  tag: "0.1.3"
+  tag: "0.1.7"
   pullPolicy: IfNotPresent
 
 # Pull from registry.c5ai.ch — matches operator + portal pattern.
@@ -39,7 +39,11 @@ postgres:
   instances: 1
   storage:
     size: 5Gi
-    storageClass: longhorn-luks2
+    # Matches portal-db, litellm-pg, zitadel-pg, twenty-pg in pieced-gitops.
+    # The relay's `messages` log row payload is small (no message bodies,
+    # ~80 B per row), so 5Gi covers ~50 M messages — far beyond what a
+    # single tenant's billing window will need.
+    storageClass: longhorn
   resources:
     requests:
       cpu: 100m