openabdev · thepagent · May 1, 2026 · May 1, 2026 · May 1, 2026 · May 1, 2026
@@ -0,0 +1,21 @@
+{{- range $name, $cfg := .Values.agents }}
+{{- if and (ne (include "openab.agentEnabled" $cfg) "false") ($cfg.gateway).enabled }}
+{{- $gwCfg := omit $cfg "nameOverride" }}
+{{- $d := dict "ctx" $ "agent" (printf "%s-gateway" $name) "cfg" $gwCfg }}
+{{- $hasTeams := and (($cfg.gateway).teams).appId (($cfg.gateway).teams).appSecret }}
+{{- if $hasTeams }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "openab.agentFullname" $d }}
+  labels:
+    {{- include "openab.labels" $d | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
+type: Opaque
+data:
+  teams-app-secret: {{ ($cfg.gateway).teams.appSecret | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,113 @@
+{{- range $name, $cfg := .Values.agents }}
+{{- if and (ne (include "openab.agentEnabled" $cfg) "false") ($cfg.gateway).enabled }}
+{{- $gwCfg := omit $cfg "nameOverride" }}
+{{- $d := dict "ctx" $ "agent" (printf "%s-gateway" $name) "cfg" $gwCfg }}
+{{- $agentD := dict "ctx" $ "agent" $name "cfg" $cfg }}
+{{- $hasTeams := and (($cfg.gateway).teams).appId (($cfg.gateway).teams).appSecret }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "openab.agentFullname" $d }}
+  labels:
+    {{- include "openab.labels" $d | nindent 4 }}
+spec:
+  replicas: 1
+  strategy:
+    type: {{ (($cfg.gateway).strategy) | default "Recreate" }}
+  selector:
+    matchLabels:
+      {{- include "openab.selectorLabels" $d | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ $cfg.gateway | toJson | sha256sum }}
+      labels:
+        {{- include "openab.selectorLabels" $d | nindent 8 }}
+    spec:
+      {{- with $.Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: gateway
+          image: {{ printf "%s:%s" (($cfg.gateway).image | default "ghcr.io/openabdev/openab-gateway") (($cfg.gateway).tag | default $.Chart.AppVersion) }}
+          imagePullPolicy: {{ $.Values.image.pullPolicy }}
+          {{- with $.Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          env:
+            {{- if ($cfg.gateway).token }}
+            {{- $agentD := dict "ctx" $ "agent" $name "cfg" $cfg }}
+            - name: GATEWAY_WS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "openab.agentFullname" $agentD }}
+                  key: gateway-ws-token
+            {{- end }}
+            {{- if $hasTeams }}
+            - name: TEAMS_APP_ID
+              value: {{ ($cfg.gateway).teams.appId | quote }}
+            - name: TEAMS_APP_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "openab.agentFullname" $d }}
+                  key: teams-app-secret
+            {{- if ($cfg.gateway).teams.oauthEndpoint }}
+            - name: TEAMS_OAUTH_ENDPOINT
+              value: {{ ($cfg.gateway).teams.oauthEndpoint | quote }}
+            {{- end }}
+            {{- if ($cfg.gateway).teams.openidMetadata }}
+            - name: TEAMS_OPENID_METADATA
+              value: {{ ($cfg.gateway).teams.openidMetadata | quote }}
+            {{- end }}
+            {{- if ($cfg.gateway).teams.allowedTenants }}
+            - name: TEAMS_ALLOWED_TENANTS
+              value: {{ ($cfg.gateway).teams.allowedTenants | join "," | quote }}
+            {{- end }}
+            {{- if ($cfg.gateway).teams.webhookPath }}
+            - name: TEAMS_WEBHOOK_PATH
+              value: {{ ($cfg.gateway).teams.webhookPath | quote }}
+            {{- end }}
+            {{- end }}
+            - name: RUST_LOG
+              value: {{ ($cfg.gateway).rustLog | default "info" | quote }}
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          {{- with ($cfg.gateway).resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "openab.agentFullname" $d }}
+  labels:
+    {{- include "openab.labels" $d | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "openab.selectorLabels" $d | nindent 4 }}
+{{- end }}
+{{- end }}
@@ -199,6 +199,21 @@ agents:
       platform: "telegram"  # default platform when gateway is enabled
       token: ""         # optional shared secret (injected via GATEWAY_WS_TOKEN env var)
       botUsername: ""   # optional, for @mention gating
+      image: "ghcr.io/openabdev/openab-gateway"  # gateway container image
+      tag: ""           # defaults to Chart.AppVersion
+      strategy: "Recreate"  # Recreate (default, prevents concurrent WS conflicts) or RollingUpdate
+      resources: {}     # e.g. { requests: { cpu: 50m, memory: 64Mi }, limits: { memory: 128Mi } }
+      rustLog: "info"  # RUST_LOG for gateway container (e.g. "openab_gateway=debug")
+      # MS Teams adapter config (gateway-side env vars)
+      # See docs/msteams-enterprise.md for full setup guide
+      teams:
+        appId: ""              # Azure Entra ID application (client) ID → TEAMS_APP_ID
+        appSecret: ""          # Azure Entra ID client secret → TEAMS_APP_SECRET (use --set-literal or external secret mgmt)
+        # ⚠️ Required for Single Tenant bots — use tenant-specific endpoint
+        oauthEndpoint: ""      # → TEAMS_OAUTH_ENDPOINT
+        openidMetadata: ""     # Override for sovereign clouds → TEAMS_OPENID_METADATA
+        allowedTenants: []     # List of tenant IDs → TEAMS_ALLOWED_TENANTS
+        webhookPath: ""        # Gateway default: /webhook/teams → TEAMS_WEBHOOK_PATH
     # Scheduled messages — config-driven cron (ADR: basic-cronjob)
     # Each entry sends a message to the agent at the specified schedule.
     # Example: