Gabriel Radureau
07115e3162
Some checks failed
Docker Build / build-and-push-image (push) Failing after 18s
Adds an authentication layer in front of the bot handlers : - Auth handler on the principal bot (@arcodange_factory_bot, slug factory) parses /start, /auth <code>, /whoami, /logout. On a successful /auth, the message containing the code is best-effort deleted from the user's chat (replay defense). - Redis-backed sessions (key tg-gw:auth:<from.id>, TTL 24h, configurable via AUTH_SESSION_TTL). Constant-time secret compare via crypto/subtle. - ALLOWED_USERS env (CSV of Telegram user IDs) — silent-drops anyone not in the list before the auth gate runs. - New per-bot field 'requireAuth' (pointer-bool). Default = true (secure by default). Auto-forced to false for handler=auth (chicken-and-egg). - Server gates: allowlist first, then requireAuth before handler dispatch. - Fail-at-startup if a bot is configured with handler=auth or requireAuth: true while AUTH_SECRET is unset. Design: factory/docs/adr/20260509-telegram-gateway-auth.md (in factory PR). User docs: AUTH.md (new), HOWTO_ADD_BOT.md (Cas 2 updated for default true and gated flow). New deps: github.com/redis/go-redis/v9. Refs ~/.claude/plans/pour-les-notifications-on-inherited-seal.md § Phase 1.5.
128 lines
3.2 KiB
YAML
128 lines
3.2 KiB
YAML
replicaCount: 1
|
|
|
|
image:
|
|
repository: gitea.arcodange.lab/arcodange/telegram-gateway
|
|
pullPolicy: Always
|
|
# Le registry ne produit que :latest et la branch ref (:main) via le
|
|
# workflow Gitea Actions ; appVersion (0.1.0) n'existe pas comme tag.
|
|
# Image Updater écrira ensuite le digest réel dans le manifest in-cluster.
|
|
tag: "latest"
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
serviceAccount:
|
|
create: true
|
|
automount: true
|
|
annotations: {}
|
|
name: ""
|
|
|
|
podAnnotations: {}
|
|
podLabels: {}
|
|
|
|
podSecurityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 65532
|
|
runAsGroup: 65532
|
|
fsGroup: 65532
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
|
|
securityContext:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
|
|
service:
|
|
type: ClusterIP
|
|
port: 8080
|
|
|
|
# Public exposure via Traefik. Cloudflare routes *.arcodange.fr to the home lab
|
|
# already, so we just declare the hostname here. CF terminates TLS, Traefik
|
|
# receives plain HTTP on entrypoint `web`.
|
|
ingress:
|
|
enabled: true
|
|
className: ""
|
|
annotations:
|
|
traefik.ingress.kubernetes.io/router.entrypoints: web
|
|
traefik.ingress.kubernetes.io/router.middlewares: kube-system-crowdsec@kubernetescrd
|
|
hosts:
|
|
- host: tg.arcodange.fr
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
tls: []
|
|
|
|
resources:
|
|
limits:
|
|
cpu: 200m
|
|
memory: 256Mi
|
|
requests:
|
|
cpu: 50m
|
|
memory: 64Mi
|
|
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: http
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /readyz
|
|
port: http
|
|
|
|
autoscaling:
|
|
enabled: false
|
|
minReplicas: 1
|
|
maxReplicas: 3
|
|
targetCPUUtilizationPercentage: 80
|
|
|
|
# Bot routing config — non-secret, becomes the bots.yaml ConfigMap entry.
|
|
# Tokens & secret_token values live in a k8s Secret named `secret.name`.
|
|
#
|
|
# Auth gate (Phase 1.5, ADR factory/docs/adr/20260509-telegram-gateway-auth.md):
|
|
# - `requireAuth` defaults to **true** (secure by default). Add
|
|
# `requireAuth: false` only for bots you want to expose publicly.
|
|
# - For `handler: auth`, requireAuth is auto-forced to false (the auth bot
|
|
# can't gate itself or no one could ever authenticate).
|
|
bots:
|
|
factory:
|
|
handler: auth # principal bot — gère /auth, /whoami, /logout
|
|
# Exemple d'un bot gated (défaut) :
|
|
# pingbot:
|
|
# handler: echo
|
|
#
|
|
# Exemple d'un bot public (opt-out explicite) :
|
|
# statusbot:
|
|
# handler: echo
|
|
# requireAuth: false
|
|
|
|
# Auth layer (Phase 1.5). REDIS_URL est passé en env clair (non secret).
|
|
# AUTH_SECRET et ALLOWED_USERS doivent vivre dans le Secret k8s `secret.name`.
|
|
auth:
|
|
redisURL: "redis://redis.tools.svc.cluster.local:6379/0"
|
|
sessionTTL: "24h"
|
|
|
|
# k8s Secret consumed by `envFrom`. Phase 1: create it manually with kubectl.
|
|
# kubectl -n telegram-gateway create secret generic telegram-gateway-bots \
|
|
# --from-literal=BOT_FACTORY_TOKEN=… --from-literal=BOT_FACTORY_SECRET=…
|
|
secret:
|
|
name: telegram-gateway-bots
|
|
|
|
# Vault Secrets Operator integration (Phase 2+). When enabled, VSO writes the
|
|
# secret named `secret.name` automatically from `kvv2/telegram-gateway/config`.
|
|
vault:
|
|
enabled: false
|
|
role: telegram-gateway
|
|
mount: kvv2
|
|
path: telegram-gateway/config
|
|
refreshAfter: 30s
|
|
|
|
nodeSelector:
|
|
kubernetes.io/hostname: pi1
|
|
|
|
tolerations: []
|
|
affinity: {}
|