Sync chart from pieced-threema-gateway 0.1.7

deploy/helm/pieced-threema-gateway/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: pieced-threema-gateway
 description: PieCed IT central Threema Gateway relay
 type: application
-version: 0.1.6
+version: 0.1.7
-appVersion: "0.1.6"
+appVersion: "0.1.7"

deploy/helm/pieced-threema-gateway/templates/networkpolicy.yaml

@@ -96,12 +96,20 @@ spec:
         - ports:
             - port: "5432"
               protocol: TCP
-    # Tenant OpenClaw services — port 18789, any tenant namespace
+    # Tenant OpenClaw services — port 18790 (Service targetPort).
+    #
+    # Why 18790, not 18789:
+    # OpenClaw's per-tenant Service exposes the gateway as
+    # `port: 18789, targetPort: 18790`. Cilium's socket-LB rewrites
+    # `connect(svc-IP:18789)` to `pod-IP:18790` before the egress policy
+    # hook fires, so the rule must allow the targetPort (18790), not
+    # the Service port. The application's OPENCLAW_URL_TEMPLATE still
+    # uses :18789 (correct — application connects to the Service port).
     - toEndpoints:
         - matchLabels:
             {{ .Values.networkPolicy.tenantNamespaceLabel | quote }}: {{ .Values.networkPolicy.tenantNamespaceLabelValue | quote }}
       toPorts:
         - ports:
-            - port: "18789"
+            - port: "18790"
               protocol: TCP
 {{- end }}

deploy/helm/pieced-threema-gateway/values.yaml

@@ -6,7 +6,7 @@ namespace: threema-gateway
 
 image:
   repository: registry.c5ai.ch/pieced/pieced-threema-gateway
-  tag: "0.1.6"
+  tag: "0.1.7"
   pullPolicy: IfNotPresent
 
 # Pull from registry.c5ai.ch — matches operator + portal pattern.