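---
# =============================================================================
# pieced-threema-gateway Helm values
# =============================================================================
# NOTE(review): this file was reconstructed from a copy collapsed onto a few
# long lines. The nesting of `backup` (placed under `postgres`, with `wal` /
# `data` as siblings of `s3`) and of `openclawUrlTemplate` / `forwardTimeoutMs` /
# `logLevel` (placed at top level) is inferred — confirm against the chart
# templates (templates/database*.yaml, the relay Deployment) before use.
namespace: threema-gateway

image:
  repository: registry.c5ai.ch/pieced/pieced-threema-gateway
  tag: "0.1.8"
  pullPolicy: IfNotPresent

# Pull from registry.c5ai.ch — matches operator + portal pattern.
# The Secret must already exist in the namespace (one-shot copy from
# pieced-system on initial bootstrap; see README).
imagePullSecrets:
  - name: registry-creds

replicas: 1

service:
  port: 8080
  metricsPort: 9090

# Internet-facing ingress so Threema's CDN can POST webhooks.
# DNS must resolve ingress.host to your cluster's LB IP.
ingress:
  enabled: true
  className: nginx
  host: threema-gw.pieced.ch
  tls:
    enabled: true
    # cert-manager ClusterIssuer name — matches the rest of pieced-gitops
    issuer: letsencrypt-production
    secretName: threema-gw-tls

# CloudNativePG cluster created in-chart, mirrors portal-db pattern.
postgres:
  enabled: true
  instances: 1
  storage:
    size: 5Gi
    # Matches portal-db, litellm-pg, zitadel-pg, twenty-pg in pieced-gitops.
    # The relay's `messages` log row payload is small (no message bodies,
    # ~80 B per row), so 5Gi covers ~50 M messages — far beyond what a
    # single tenant's billing window will need.
    storageClass: longhorn
  resources:
    requests:
      cpu: 100m
      memory: 256Mi

  # ---------------------------------------------------------------------------
  # Daily backup to in-cluster MinIO via barmanObjectStore.
  #
  # When enabled, the chart renders:
  #   - spec.backup on the CNPG Cluster (templates/database.yaml)
  #   - ExternalSecret "cnpg-s3-credentials" pulling MinIO root creds
  #     from OpenBao (templates/database-backup.yaml)
  #   - ScheduledBackup "pieced-threema-gateway-db-daily" (templates/database-backup.yaml)
  #   - CronJob "pieced-threema-gateway-db-backup-cleanup" that prunes
  #     old Backup CRs so the ArgoCD resource tree stays tidy
  #     (templates/database-backup-cleanup.yaml)
  #
  # Note on Cilium: this chart's CiliumNetworkPolicy only restricts the
  # relay pod (endpointSelector matches app.kubernetes.io/name=
  # pieced-threema-gateway). The CNPG postgres pod is NOT covered by
  # that policy, so its egress to MinIO works freely as long as there
  # is no namespace-level default-deny CNP in threema-gateway. If you
  # later add one, you'll also need to allow egress to
  # minio.minio-pieced.svc:80 from pods labelled cnpg.io/cluster=
  # pieced-threema-gateway-db.
  backup:
    enabled: true
    # Where backups land. The destinationPath is hard-coded to use the
    # cluster name so per-cluster paths don't collide in the shared
    # cnpg-backups bucket (matches portal-db, litellm-pg, etc.).
    s3:
      bucket: cnpg-backups
      # Plain HTTP inside the cluster: backup data (and any S3 request
      # metadata) crosses the pod network unencrypted. Acceptable only while
      # the cluster network is trusted; revisit if MinIO gains a TLS listener.
      endpointURL: http://minio.minio-pieced.svc:80
      # OpenBao path containing MinIO root_user / root_password.
      # ESO's openbao-backend ClusterSecretStore rewrites KV v2 paths
      # automatically, so no `/data/` segment is needed (matches the
      # convention used by the chart's other ExternalSecrets; see `secrets`
      # below).
      # Least privilege: these are the MinIO *root* credentials. A dedicated
      # backup user whose policy is scoped to the cnpg-backups bucket would
      # limit the blast radius of a leaked ExternalSecret; the chart only
      # reads the two properties below, so that change lives in OpenBao/MinIO,
      # not here.
      credentialsPath: secret/platform/minio-pieced
      accessKeyProperty: root_user
      secretKeyProperty: root_password
    wal:
      compression: gzip
      maxParallel: 2
    data:
      compression: gzip
    # Barman retains backup *data* in S3 for this many days. The Backup
    # CR cleanup CronJob below independently keeps roughly twice this
    # many Backup CRs in Kubernetes so we never delete a CR whose data
    # is still on disk.
    retentionPolicy: "7d"
    schedule:
      # CNPG ScheduledBackup uses a SIX-field Go-style cron expression
      # (sec min hour dom mon dow), NOT the 5-field Unix crontab format.
      # See https://github.com/cloudnative-pg/cloudnative-pg/issues/5380
      # for the silent-misinterpretation footgun.
      # Slot: 02:45:00 daily — between litellm-pg (02:30) and portal-db
      # (03:00) so the daily snapshot wave is staggered.
      cron: "0 45 2 * * *"
      # Trigger an immediate backup when the ScheduledBackup is created.
      # Useful on first deploy so the `cnpg_collector_last_available_backup_timestamp`
      # metric ticks immediately and PieCedCNPGBackupFailed clears.
      immediate: true
    # Backup CR cleanup CronJob. Same shape as
    # apps/litellm-pg-backup-cleanup.yaml in pieced-gitops.
    cleanup:
      enabled: true
      # Daily at 04:45 — runs ~2h after the ScheduledBackup so the day's
      # new CR exists and is preserved in the "newest N" window.
      schedule: "45 4 * * *"
      keep: 14
      # Pinned by tag only; this CronJob holds RBAC to delete Backup CRs, so
      # a digest pin (image@sha256:<digest>) would make the executed image
      # immutable. Keep the kubectl minor in step with the cluster version.
      image: bitnami/kubectl:1.31.6

# Secrets sourced from OpenBao via External Secrets Operator.
# Paths use the same convention as apps/portal/external-secrets.yaml:
# full key path starting with the KV v2 mount name (`secret/`), no
# `/data/` segment — ESO with the openbao-backend ClusterSecretStore
# rewrites that automatically for KV v2 paths.
secrets:
  # Threema Gateway credentials — PieCed-wide, one identity for the platform.
  threemaPath: secret/threema-gateway/credentials
  # Admin token shared with pieced-portal.
  adminTokenPath: secret/threema-gateway/admin

# Template for inbound delivery to tenant OpenClaw instances. Verify your
# OpenClaw operator's Service naming before deploy.
# `{tenant}` is substituted by the relay at runtime; the relay should only
# substitute tenant identifiers it has already validated against its own
# tenant registry, so an unexpected value cannot steer delivery to an
# arbitrary in-cluster host — confirm in the relay code.
openclawUrlTemplate: http://openclaw.tenant-{tenant}.svc.cluster.local:18789/webhooks/threema-relay

# Per-delivery timeout for the forward to OpenClaw, in milliseconds.
forwardTimeoutMs: 8000
logLevel: info

# Resources for the relay pod
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

# CiliumNetworkPolicy — restricts who can talk in and out.
networkPolicy:
  enabled: true
  # Tenant namespaces are matched by label set by the operator.
  # Cedric's pieced-operator sets pieced.ch/managed-by=pieced-operator
  # on every tenant namespace it provisions.
  tenantNamespaceLabel: "k8s:io.cilium.k8s.namespace.labels.pieced.ch/managed-by"
  tenantNamespaceLabelValue: "pieced-operator"
  # The portal pod runs in this namespace (per apps/portal in pieced-gitops).
  portalNamespace: pieced-system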