pieced/pieced-threema-gateway-public
Public Access
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
342f5728f4ffb7f54c1404a1ce15853b63151520
pieced-threema-gateway-public/deploy/helm/pieced-threema-gateway/values.yaml

162 lines
6.1 KiB
YAML
Raw Blame History

# =============================================================================
# pieced-threema-gateway Helm values
# =============================================================================
namespace: threema-gateway
image:
repository: registry.c5ai.ch/pieced/pieced-threema-gateway
tag: "0.1.8"
pullPolicy: IfNotPresent
# Pull from registry.c5ai.ch — matches operator + portal pattern.
# The Secret must already exist in the namespace (one-shot copy from
# pieced-system on initial bootstrap; see README).
imagePullSecrets:
- name: registry-creds
replicas: 1
service:
port: 8080
metricsPort: 9090
# Internet-facing ingress so Threema's CDN can POST webhooks.
# DNS must resolve threemaGw.host to your cluster's LB IP.
ingress:
enabled: true
className: nginx
host: threema-gw.pieced.ch
tls:
enabled: true
# cert-manager ClusterIssuer name — matches the rest of pieced-gitops
issuer: letsencrypt-production
secretName: threema-gw-tls
# CloudNativePG cluster created in-chart, mirrors portal-db pattern.
postgres:
enabled: true
instances: 1
storage:
size: 5Gi
# Matches portal-db, litellm-pg, zitadel-pg, twenty-pg in pieced-gitops.
# The relay's `messages` log row payload is small (no message bodies,
# ~80 B per row), so 5Gi covers ~50 M messages — far beyond what a
# single tenant's billing window will need.
storageClass: longhorn
resources:
requests:
cpu: 100m
memory: 256Mi
# ---------------------------------------------------------------------------
# Daily backup to in-cluster MinIO via barmanObjectStore.
#
# When enabled, the chart renders:
# - spec.backup on the CNPG Cluster (templates/database.yaml)
# - ExternalSecret "cnpg-s3-credentials" pulling MinIO root creds
# from OpenBao (templates/database-backup.yaml)
# - ScheduledBackup "pieced-threema-gateway-db-daily" (templates/database-backup.yaml)
# - CronJob "pieced-threema-gateway-db-backup-cleanup" that prunes
# old Backup CRs so the ArgoCD resource tree stays tidy
# (templates/database-backup-cleanup.yaml)
#
# Note on Cilium: this chart's CiliumNetworkPolicy only restricts the
# relay pod (endpointSelector matches app.kubernetes.io/name=
# pieced-threema-gateway). The CNPG postgres pod is NOT covered by
# that policy, so its egress to MinIO works freely as long as there
# is no namespace-level default-deny CNP in threema-gateway. If you
# later add one, you'll also need to allow egress to
# minio.minio-pieced.svc:80 from pods labelled cnpg.io/cluster=
# pieced-threema-gateway-db.
backup:
enabled: true
# Where backups land. The destinationPath is hard-coded to use the
# cluster name so per-cluster paths don't collide in the shared
# cnpg-backups bucket (matches portal-db, litellm-pg, etc.).
s3:
bucket: cnpg-backups
endpointURL: http://minio.minio-pieced.svc:80
# OpenBao path containing MinIO root_user / root_password.
# ESO's openbao-backend ClusterSecretStore rewrites KV v2 paths
# automatically, so no `/data/` segment is needed (matches the
# convention used by the chart's other ExternalSecrets above).
credentialsPath: secret/platform/minio-pieced
accessKeyProperty: root_user
secretKeyProperty: root_password
wal:
compression: gzip
maxParallel: 2
data:
compression: gzip
# Barman retains backup *data* in S3 for this many days. The Backup
# CR cleanup CronJob below independently keeps roughly twice this
# many Backup CRs in Kubernetes so we never delete a CR whose data
# is still on disk.
retentionPolicy: "7d"
schedule:
# CNPG ScheduledBackup uses a SIX-field Go-style cron expression
# (sec min hour dom mon dow), NOT the 5-field Unix crontab format.
# See https://github.com/cloudnative-pg/cloudnative-pg/issues/5380
# for the silent-misinterpretation footgun.
# Slot: 02:45:00 daily — between litellm-pg (02:30) and portal-db
# (03:00) so the daily snapshot wave is staggered.
cron: "0 45 2 * * *"
# Trigger an immediate backup when the ScheduledBackup is created.
# Useful on first deploy so the `cnpg_collector_last_available_backup_timestamp`
# metric ticks immediately and PieCedCNPGBackupFailed clears.
immediate: true
# Backup CR cleanup CronJob. Same shape as
# apps/litellm-pg-backup-cleanup.yaml in pieced-gitops.
cleanup:
enabled: true
# Daily at 04:45 — runs ~2h after the ScheduledBackup so the day's
# new CR exists and is preserved in the "newest N" window.
schedule: "45 4 * * *"
keep: 14
image: bitnami/kubectl:1.31.6
# Secrets sourced from OpenBao via External Secrets Operator.
# Paths use the same convention as apps/portal/external-secrets.yaml:
# full key path starting with the KV v2 mount name (`secret/`), no
# `/data/` segment — ESO with the openbao-backend ClusterSecretStore
# rewrites that automatically for KV v2 paths.
secrets:
# Threema Gateway credentials — PieCed-wide, one identity for the platform.
threemaPath: secret/threema-gateway/credentials
# Admin token shared with pieced-portal.
adminTokenPath: secret/threema-gateway/admin
# Template for inbound delivery to tenant OpenClaw instances. Verify your
# OpenClaw operator's Service naming before deploy.
openclawUrlTemplate: http://openclaw.tenant-{tenant}.svc.cluster.local:18789/webhooks/threema-relay
forwardTimeoutMs: 8000
logLevel: info
# Resources for the relay pod
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
# CiliumNetworkPolicy — restricts who can talk in and out.
networkPolicy:
enabled: true
# Tenant namespaces are matched by label set by the operator.
# Cedric's pieced-operator sets pieced.ch/managed-by=pieced-operator
# on every tenant namespace it provisions.
tenantNamespaceLabel: "k8s:io.cilium.k8s.namespace.labels.pieced.ch/managed-by"
tenantNamespaceLabelValue: "pieced-operator"
# The portal pod runs in this namespace (per apps/portal in pieced-gitops).
portalNamespace: pieced-system
Reference in New Issue View Git Blame Copy Permalink