86 lines
2.6 KiB
YAML
86 lines
2.6 KiB
YAML
# =============================================================================
|
|
# pieced-threema-gateway Helm values
|
|
# =============================================================================
|
|
|
|
namespace: threema-gateway
|
|
|
|
image:
|
|
repository: registry.c5ai.ch/pieced/pieced-threema-gateway
|
|
tag: "0.1.3"
|
|
pullPolicy: IfNotPresent
|
|
|
|
# Pull from registry.c5ai.ch — matches operator + portal pattern.
|
|
# The Secret must already exist in the namespace (one-shot copy from
|
|
# pieced-system on initial bootstrap; see README).
|
|
imagePullSecrets:
|
|
- name: registry-creds
|
|
|
|
replicas: 1
|
|
|
|
service:
|
|
port: 8080
|
|
metricsPort: 9090
|
|
|
|
# Internet-facing ingress so Threema's CDN can POST webhooks.
|
|
# DNS must resolve threemaGw.host to your cluster's LB IP.
|
|
ingress:
|
|
enabled: true
|
|
className: nginx
|
|
host: threema-gw.pieced.ch
|
|
tls:
|
|
enabled: true
|
|
# cert-manager ClusterIssuer name — matches the rest of pieced-gitops
|
|
issuer: letsencrypt-production
|
|
secretName: threema-gw-tls
|
|
|
|
# CloudNativePG cluster created in-chart, mirrors portal-db pattern.
|
|
postgres:
|
|
enabled: true
|
|
instances: 1
|
|
storage:
|
|
size: 5Gi
|
|
storageClass: longhorn-luks2
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
|
|
# Secrets sourced from OpenBao via External Secrets Operator.
|
|
# Paths use the same convention as apps/portal/external-secrets.yaml:
|
|
# full key path starting with the KV v2 mount name (`secret/`), no
|
|
# `/data/` segment — ESO with the openbao-backend ClusterSecretStore
|
|
# rewrites that automatically for KV v2 paths.
|
|
secrets:
|
|
# Threema Gateway credentials — PieCed-wide, one identity for the platform.
|
|
threemaPath: secret/threema-gateway/credentials
|
|
# Admin token shared with pieced-portal.
|
|
adminTokenPath: secret/threema-gateway/admin
|
|
|
|
# Template for inbound delivery to tenant OpenClaw instances. Verify your
|
|
# OpenClaw operator's Service naming before deploy.
|
|
openclawUrlTemplate: http://openclaw.tenant-{tenant}.svc.cluster.local:18789/webhooks/threema-relay
|
|
|
|
forwardTimeoutMs: 8000
|
|
|
|
logLevel: info
|
|
|
|
# Resources for the relay pod
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: 500m
|
|
memory: 512Mi
|
|
|
|
# CiliumNetworkPolicy — restricts who can talk in and out.
|
|
networkPolicy:
|
|
enabled: true
|
|
# Tenant namespaces are matched by label set by the operator.
|
|
# Cedric's pieced-operator sets pieced.ch/managed-by=pieced-operator
|
|
# on every tenant namespace it provisions.
|
|
tenantNamespaceLabel: "k8s:io.cilium.k8s.namespace.labels.pieced.ch/managed-by"
|
|
tenantNamespaceLabelValue: "pieced-operator"
|
|
# The portal pod runs in this namespace (per apps/portal in pieced-gitops).
|
|
portalNamespace: pieced-system
|