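---
# =============================================================================
# pieced-threema-gateway Helm values
# =============================================================================
namespace: threema-gateway

image:
  repository: registry.c5ai.ch/pieced/pieced-threema-gateway
  # Quoted so a tag like "1.10" is never re-typed as a float.
  # NOTE(review): tag-only pin; for production consider pinning by digest so a
  # re-pushed tag cannot silently change what runs.
  tag: "0.1.2"
  pullPolicy: IfNotPresent

replicas: 1

service:
  port: 8080
  metricsPort: 9090

# Internet-facing ingress so Threema's CDN can POST webhooks.
# DNS must resolve ingress.host to your cluster's LB IP.
# NOTE(review): nothing in these values configures authentication of the
# inbound POSTs; the ingress is reachable by anyone. Confirm the relay
# verifies the callback MAC the Threema Gateway attaches before it accepts a
# message, and reject unauthenticated requests at the relay.
ingress:
  enabled: true
  className: nginx
  host: threema-gw.pieced.ch
  tls:
    enabled: true
    # cert-manager ClusterIssuer name — matches the rest of pieced-gitops.
    issuer: letsencrypt-production
    secretName: threema-gw-tls

# CloudNativePG cluster created in-chart, mirrors portal-db pattern.
postgres:
  enabled: true
  instances: 1
  storage:
    size: 5Gi
    storageClass: longhorn-luks2
  # NOTE(review): requests only, no limits (the relay pod below sets both);
  # confirm that is intentional.
  resources:
    requests:
      cpu: 100m
      memory: 256Mi

# Secrets sourced from OpenBao via External Secrets Operator.
# Paths use the same convention as apps/portal/external-secrets.yaml:
# full key path starting with the KV v2 mount name (`secret/`), no
# `/data/` segment — ESO with the openbao-backend ClusterSecretStore
# rewrites that automatically for KV v2 paths.
secrets:
  # Threema Gateway credentials — PieCed-wide, one identity for the platform.
  threemaPath: secret/threema-gateway/credentials
  # Admin token shared with pieced-portal.
  adminTokenPath: secret/threema-gateway/admin

# Template for inbound delivery to tenant OpenClaw instances. Verify your
# OpenClaw operator's Service naming before deploy.
# NOTE(review): `{tenant}` lands in the URL host component, and delivery is
# plain http inside the cluster. Confirm the relay only substitutes a tenant
# id it has validated against a strict pattern (no `.`, `/`, `:` or
# whitespace) so a crafted id cannot redirect delivery, and that the
# network policy below is what protects the hop to the tenant namespace.
openclawUrlTemplate: "http://openclaw.tenant-{tenant}.svc.cluster.local:18789/webhooks/threema-relay"
forwardTimeoutMs: 8000
logLevel: info

# Resources for the relay pod.
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

# CiliumNetworkPolicy — restricts who can talk in and out.
networkPolicy:
  enabled: true
  # Tenant namespaces are matched by a label set by the operator.
  # Cedric's pieced-operator sets pieced.ch/managed-by=pieced-operator
  # on every tenant namespace it provisions.
  tenantNamespaceLabel: "k8s:io.cilium.k8s.namespace.labels.pieced.ch/managed-by"
  tenantNamespaceLabelValue: "pieced-operator"
  # The portal pod runs in this namespace (per apps/portal in pieced-gitops).
  portalNamespace: pieced-system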