diff --git a/charts/openab/templates/gateway-secret.yaml b/charts/openab/templates/gateway-secret.yaml
new file mode 100644
index 00000000..f70de93b
--- /dev/null
+++ b/charts/openab/templates/gateway-secret.yaml
@@ -0,0 +1,21 @@
+{{- range $name, $cfg := .Values.agents }}
+{{- if and (ne (include "openab.agentEnabled" $cfg) "false") ($cfg.gateway).enabled }}
+{{- $gwCfg := omit $cfg "nameOverride" }}
+{{- $d := dict "ctx" $ "agent" (printf "%s-gateway" $name) "cfg" $gwCfg }}
+{{- $hasTeams := and (($cfg.gateway).teams).appId (($cfg.gateway).teams).appSecret }}
+{{- if $hasTeams }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "openab.agentFullname" $d }}
+ labels:
+ {{- include "openab.labels" $d | nindent 4 }}
+ annotations:
+ "helm.sh/resource-policy": keep
+type: Opaque
+data:
+ teams-app-secret: {{ ($cfg.gateway).teams.appSecret | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/openab/templates/gateway.yaml b/charts/openab/templates/gateway.yaml
new file mode 100644
index 00000000..39672c05
--- /dev/null
+++ b/charts/openab/templates/gateway.yaml
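Review bot: The Secret holding `teams-app-secret` is annotated `"helm.sh/resource-policy": keep`, so the Azure client secret stays in the namespace after `helm uninstall` and is orphaned (no longer rendered, never deleted) as soon as `teams.appId`/`appSecret` are cleared or the gateway is disabled. Unlike a generated token there is nothing to preserve here — the value comes straight from values and can always be re-rendered — so retention only lengthens the credential's exposure; either drop the annotation on this Secret or comment why it must outlive the release. Separately, the values comment recommends external secret management, but this template offers no way to use it: the only path is a raw value, which Helm also persists in the release record. A `teams.existingSecret` value that skips rendering here (`{{- if and $hasTeams (not (($cfg.gateway).teams).existingSecret) }}`) and is substituted into the Deployment's `secretKeyRef.name` would make that recommendation actionable, with `$hasTeams` extended to accept the reference in place of `appSecret`.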
@@ -0,0 +1,113 @@
+{{- range $name, $cfg := .Values.agents }}
+{{- if and (ne (include "openab.agentEnabled" $cfg) "false") ($cfg.gateway).enabled }}
+{{- $gwCfg := omit $cfg "nameOverride" }}
+{{- $d := dict "ctx" $ "agent" (printf "%s-gateway" $name) "cfg" $gwCfg }}
+{{- $agentD := dict "ctx" $ "agent" $name "cfg" $cfg }}
+{{- $hasTeams := and (($cfg.gateway).teams).appId (($cfg.gateway).teams).appSecret }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "openab.agentFullname" $d }}
+ labels:
+ {{- include "openab.labels" $d | nindent 4 }}
+spec:
+ replicas: 1
+ strategy:
+ type: {{ (($cfg.gateway).strategy) | default "Recreate" }}
+ selector:
+ matchLabels:
+ {{- include "openab.selectorLabels" $d | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ $cfg.gateway | toJson | sha256sum }}
+ labels:
+ {{- include "openab.selectorLabels" $d | nindent 8 }}
+ spec:
+ {{- with $.Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: gateway
+ image: {{ printf "%s:%s" (($cfg.gateway).image | default "ghcr.io/openabdev/openab-gateway") (($cfg.gateway).tag | default $.Chart.AppVersion) }}
+ imagePullPolicy: {{ $.Values.image.pullPolicy }}
+ {{- with $.Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ env:
+ {{- if ($cfg.gateway).token }}
+ {{- $agentD := dict "ctx" $ "agent" $name "cfg" $cfg }}
+ - name: GATEWAY_WS_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "openab.agentFullname" $agentD }}
+ key: gateway-ws-token
+ {{- end }}
+ {{- if $hasTeams }}
+ - name: TEAMS_APP_ID
+ value: {{ ($cfg.gateway).teams.appId | quote }}
+ - name: TEAMS_APP_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "openab.agentFullname" $d }}
+ key: teams-app-secret
+ {{- if ($cfg.gateway).teams.oauthEndpoint }}
+ - name: TEAMS_OAUTH_ENDPOINT
+ value: {{ ($cfg.gateway).teams.oauthEndpoint | quote }}
+ {{- end }}
+ {{- if ($cfg.gateway).teams.openidMetadata }}
+ - name: TEAMS_OPENID_METADATA
+ value: {{ ($cfg.gateway).teams.openidMetadata | quote }}
+ {{- end }}
+ {{- if ($cfg.gateway).teams.allowedTenants }}
+ - name: TEAMS_ALLOWED_TENANTS
+ value: {{ ($cfg.gateway).teams.allowedTenants | join "," | quote }}
+ {{- end }}
+ {{- if ($cfg.gateway).teams.webhookPath }}
+ - name: TEAMS_WEBHOOK_PATH
+ value: {{ ($cfg.gateway).teams.webhookPath | quote }}
+ {{- end }}
+ {{- end }}
+ - name: RUST_LOG
+ value: {{ ($cfg.gateway).rustLog | default "info" | quote }}
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 3
+ periodSeconds: 10
+ {{- with ($cfg.gateway).resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "openab.agentFullname" $d }}
+ labels:
+ {{- include "openab.labels" $d | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "openab.selectorLabels" $d | nindent 4 }}
+{{- end }}
+{{- end }}
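Review bot: `$hasTeams` is only true when both `teams.appId` and `teams.appSecret` are set, so a deployment that sets just one of them silently renders a gateway with no Teams env at all (and no Secret, since gateway-secret.yaml derives the same flag) — a misconfiguration that surfaces only as a non-responding bot. Failing the render instead is a one-liner right after the `$hasTeams` definition: `{{- if and (not $hasTeams) (or (($cfg.gateway).teams).appId (($cfg.gateway).teams).appSecret) }}{{ fail (printf "agents.%s.gateway.teams: appId and appSecret must both be set" $name) }}{{- end }}`, and because both templates render in the same release a guard here covers the Secret template too. Minor: the `{{- $agentD := dict ... }}` inside `{{- if ($cfg.gateway).token }}` re-declares the `$agentD` already defined at the top of the file with the identical value; the inner line can be dropped.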
diff --git a/charts/openab/values.yaml b/charts/openab/values.yaml
index 54661a38..0eddf16e 100644
--- a/charts/openab/values.yaml
+++ b/charts/openab/values.yaml
@@ -199,6 +199,21 @@ agents:
 platform: "telegram" # default platform when gateway is enabled
 token: "" # optional shared secret (injected via GATEWAY_WS_TOKEN env var)
 botUsername: "" # optional, for @mention gating
+ image: "ghcr.io/openabdev/openab-gateway" # gateway container image
+ tag: "" # defaults to Chart.AppVersion
+ strategy: "Recreate" # Recreate (default, prevents concurrent WS conflicts) or RollingUpdate
+ resources: {} # e.g. { requests: { cpu: 50m, memory: 64Mi }, limits: { memory: 128Mi } }
+ rustLog: "info" # RUST_LOG for gateway container (e.g. "openab_gateway=debug")
+ # MS Teams adapter config (gateway-side env vars)
+ # See docs/msteams-enterprise.md for full setup guide
+ teams:
+ appId: "" # Azure Entra ID application (client) ID → TEAMS_APP_ID
+ appSecret: "" # Azure Entra ID client secret → TEAMS_APP_SECRET (use --set-literal or external secret mgmt)
+ # ⚠️ Required for Single Tenant bots — use tenant-specific endpoint
+ oauthEndpoint: "" # → TEAMS_OAUTH_ENDPOINT
+ openidMetadata: "" # Override for sovereign clouds → TEAMS_OPENID_METADATA
+ allowedTenants: [] # List of tenant IDs → TEAMS_ALLOWED_TENANTS
+ webhookPath: "" # Gateway default: /webhook/teams → TEAMS_WEBHOOK_PATH
 # Scheduled messages — config-driven cron (ADR: basic-cronjob)
 # Each entry sends a message to the agent at the specified schedule.
 # Example:
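Review bot: The comment on `allowedTenants: []` does not say what the empty default means, and it is the one setting in this block that restricts who can reach the bot: gateway.yaml only emits `TEAMS_ALLOWED_TENANTS` when the list is non-empty, so with the default the chart applies no tenant restriction and behaviour falls to whatever the gateway does when the variable is unset. Spell that out so operators of multi-tenant bots do not assume an allowlist is in force, e.g. `allowedTenants: [] # Tenant IDs allowed to use the bot → TEAMS_ALLOWED_TENANTS; empty = variable not set, no chart-side tenant restriction`. The `appSecret` comment could also note that a value supplied via `--set-literal` is still stored in the release record by Helm, so "external secret mgmt" only helps once the chart can reference an existing Secret rather than embed the value.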