pieced/pieced-threema-gateway-public
Public Access
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: pieced:v0.1.5
Branches Tags
pieced:main
pieced:v0.1.8 pieced:v0.1.7 pieced:v0.1.6 pieced:v0.1.5 pieced:v0.1.4 pieced:v0.1.3 pieced:v0.1.2 pieced:v0.1.1
...
compare: pieced:v0.1.7
Branches Tags
pieced:main
pieced:v0.1.8 pieced:v0.1.7 pieced:v0.1.6 pieced:v0.1.5 pieced:v0.1.4 pieced:v0.1.3 pieced:v0.1.2 pieced:v0.1.1

2 Commits
v0.1.5 ... v0.1.7

Author SHA1 Message Date
pieced-ci
834bed88e0 Sync chart from pieced-threema-gateway 0.1.7 2026-05-17 11:27:41 +00:00
pieced-ci
819e90c16c Sync chart from pieced-threema-gateway 0.1.6 2026-05-17 08:35:58 +00:00
3 changed files with 27 additions and 6 deletions
Expand all files Collapse all files

4
deploy/helm/pieced-threema-gateway/Chart.yaml
View File

@@ -2,5 +2,5 @@ apiVersion: v2
name: pieced-threema-gateway name: pieced-threema-gateway
description: PieCed IT central Threema Gateway relay description: PieCed IT central Threema Gateway relay
type: application type: application
version: 0.1.5 version: 0.1.7
appVersion: "0.1.5" appVersion: "0.1.7"

27
deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml
View File

@@ -51,7 +51,17 @@ spec:
- port: "8080" - port: "8080"
protocol: TCP protocol: TCP
egress: egress:
# DNS # DNS — with the proxy interceptor on so toFQDNs rules below
# actually work.
#
# Cilium `toFQDNs` matches against a per-pod identity that is
# populated only when the Cilium DNS proxy observes a resolution
# for that name. The proxy is enabled per-policy by a `rules.dns`
# clause on the DNS egress: without it, DNS resolution still
# succeeds (we allow port 53 to kube-system) but Cilium never
# learns the resolved IP, so the subsequent TCP connect to
# msgapi.threema.ch is denied at egress and the relay logs
# "fetch failed" with no further detail.
- toEndpoints: - toEndpoints:
- matchLabels: - matchLabels:
"k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": "kube-system" "k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name": "kube-system"
@@ -61,6 +71,9 @@ spec:
protocol: UDP protocol: UDP
- port: "53" - port: "53"
protocol: TCP protocol: TCP
rules:
dns:
- matchPattern: "*"
# Threema Gateway public API # Threema Gateway public API
- toFQDNs: - toFQDNs:
- matchName: "msgapi.threema.ch" - matchName: "msgapi.threema.ch"
@@ -83,12 +96,20 @@ spec:
- ports: - ports:
- port: "5432" - port: "5432"
protocol: TCP protocol: TCP
# Tenant OpenClaw services — port 18789, any tenant namespace # Tenant OpenClaw services — port 18790 (Service targetPort).
#
# Why 18790, not 18789:
# OpenClaw's per-tenant Service exposes the gateway as
# `port: 18789, targetPort: 18790`. Cilium's socket-LB rewrites
# `connect(svc-IP:18789)` to `pod-IP:18790` before the egress policy
# hook fires, so the rule must allow the targetPort (18790), not
# the Service port. The application's OPENCLAW_URL_TEMPLATE still
# uses :18789 (correct — application connects to the Service port).
- toEndpoints: - toEndpoints:
- matchLabels: - matchLabels:
{{ .Values.networkPolicy.tenantNamespaceLabel | quote }}: {{ .Values.networkPolicy.tenantNamespaceLabelValue | quote }} {{ .Values.networkPolicy.tenantNamespaceLabel | quote }}: {{ .Values.networkPolicy.tenantNamespaceLabelValue | quote }}
toPorts: toPorts:
- ports: - ports:
- port: "18789" - port: "18790"
protocol: TCP protocol: TCP
{{- end }} {{- end }}

2
deploy/helm/pieced-threema-gateway/values.yaml
View File

@@ -6,7 +6,7 @@ namespace: threema-gateway
image: image:
repository: registry.c5ai.ch/pieced/pieced-threema-gateway repository: registry.c5ai.ch/pieced/pieced-threema-gateway
tag: "0.1.5" tag: "0.1.7"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# Pull from registry.c5ai.ch — matches operator + portal pattern. # Pull from registry.c5ai.ch — matches operator + portal pattern.