Description
Summary
Chart 0.8.2 introduces templates/gateway.yaml which auto-renders a per-agent
openab-<agent>-gateway Deployment+Service whenever agents.<name>.gateway.enabled: true.
The template wires GATEWAY_WS_TOKEN, TEAMS_*, and RUST_LOG env vars — but no
LINE env vars (LINE_CHANNEL_SECRET, LINE_CHANNEL_ACCESS_TOKEN), and there is no
generic gateway.env / gateway.envFrom / gateway.extraEnv passthrough.
Net effect for LINE users: the chart silently provisions an unconfigurable, useless
gateway pod alongside their standalone (kubectl-applied) gateway, which is
documented as the official LINE setup pattern in docs/line.md.
Reference
Standalone-gateway setup that works today (matches docs/line.md):
kubectl create secret generic openab-gateway-line \
--from-literal=channel-secret=... \
--from-literal=channel-access-token=...
# Deployment with LINE_CHANNEL_SECRET/LINE_CHANNEL_ACCESS_TOKEN env from secretKeyRef
# Service openab-gateway:8080 (consumed by agent's gateway.url)
Proposed fixes (any one would resolve)
1. Add gateway.line values block (preferred — matches gateway.teams shape):
agents:
lineclaude:
gateway:
enabled: true
line:
channelSecret: "" # → LINE_CHANNEL_SECRET
channelAccessToken: "" # → LINE_CHANNEL_ACCESS_TOKEN
# OR existingSecret: openab-gateway-line (channel-secret / channel-access-token keys)Render the env vars conditionally in templates/gateway.yaml, mirroring the existing
Teams pattern. Optionally add a gateway-secret.yaml LINE branch.
2. Add a generic gateway.env / gateway.envFrom passthrough:
gateway:
envFrom:
- secretRef: { name: openab-gateway-line }Lower-effort but pushes secret-shape knowledge to the user.
3. Add gateway.deployServer: false (decouple flags):
Render only the [gateway] block in the agent's config.toml (so the agent connects
out via WS), without the chart-managed Deployment/Service. Lets LINE users keep their
standalone gateway as the upstream docs/line.md instructs, with no chart-side
duplicate.
4. Pin gateway.tag default to a published version, not Chart.AppVersion:
Even fixed, this only addresses the ImagePullBackOff; doesn't solve the no-LINE-env
issue. Useful as a separate fix.
Workaround
Suppress the chart-rendered duplicate by scaling to 0 after each helm upgrade:
kubectl scale deployment/openab-<agent>-gateway -n <ns> --replicas=0
(Idempotent post-helm step; needs to repeat after every upgrade since the chart
templates back to replicas: 1.)
Related
Steps to Reproduce
Reproduction
values.yaml:
agents:
lineclaude:
enabled: true
image: ghcr.io/openabdev/openab-claude:0.8.2
gateway:
enabled: true
url: "ws://openab-gateway:8080/ws" # standalone gateway for LINE webhooks
platform: "line"helm upgrade openab openab/openab --version 0.8.2 -f values.yaml
Result:
- Chart creates
openab-lineclaude-gateway Deployment + Service.
- Pod tries to pull
ghcr.io/openabdev/openab-gateway:{Chart.AppVersion} (e.g. :0.8.2)
which doesn't exist on ghcr.io (latest published gateway image is :0.3.0) →
ImagePullBackOff.
- Even if the image issue is worked around by setting
gateway.tag: "0.3.0", the new
gateway pod has no LINE_CHANNEL_SECRET / LINE_CHANNEL_ACCESS_TOKEN, so it can't
process LINE webhooks.
Expected Behavior
docs/line.md instructs LINE users to deploy a standalone gateway and inject LINE
secrets via kubectl set env. With chart 0.8.2, anyone who follows the official LINE
docs AND enables agents.<name>.gateway to get the WS-adapter config in the agent
ConfigMap will end up with a duplicate, non-functional gateway pod. The two flags that
should be independent — "agent talks to gateway via WS" and "chart provisions a gateway
server pod" — are coupled to the single gateway.enabled: true.
Environment
Environment
- Chart:
openab/openab 0.8.2
- App version: 0.8.2
- Gateway image in use:
ghcr.io/openabdev/openab-gateway:0.3.0 (standalone, kubectl-managed)
- Platform: LINE
- k8s: any (reproduces on k3s + amd64)
Screenshots / Logs
No response
Description
Summary
Chart
0.8.2introducestemplates/gateway.yamlwhich auto-renders a per-agentopenab-<agent>-gatewayDeployment+Service wheneveragents.<name>.gateway.enabled: true.The template wires
GATEWAY_WS_TOKEN,TEAMS_*, andRUST_LOGenv vars — but noLINE env vars (
LINE_CHANNEL_SECRET,LINE_CHANNEL_ACCESS_TOKEN), and there is nogeneric
gateway.env/gateway.envFrom/gateway.extraEnvpassthrough.Net effect for LINE users: the chart silently provisions an unconfigurable, useless
gateway pod alongside their standalone (kubectl-applied) gateway, which is
documented as the official LINE setup pattern in
docs/line.md.Reference
Standalone-gateway setup that works today (matches
docs/line.md):Proposed fixes (any one would resolve)
1. Add
gateway.linevalues block (preferred — matchesgateway.teamsshape):Render the env vars conditionally in
templates/gateway.yaml, mirroring the existingTeams pattern. Optionally add a
gateway-secret.yamlLINE branch.2. Add a generic
gateway.env/gateway.envFrompassthrough:Lower-effort but pushes secret-shape knowledge to the user.
3. Add
gateway.deployServer: false(decouple flags):Render only the
[gateway]block in the agent's config.toml (so the agent connectsout via WS), without the chart-managed Deployment/Service. Lets LINE users keep their
standalone gateway as the upstream
docs/line.mdinstructs, with no chart-sideduplicate.
4. Pin
gateway.tagdefault to a published version, notChart.AppVersion:Even fixed, this only addresses the ImagePullBackOff; doesn't solve the no-LINE-env
issue. Useful as a separate fix.
Workaround
Suppress the chart-rendered duplicate by scaling to 0 after each helm upgrade:
(Idempotent post-helm step; needs to repeat after every upgrade since the chart
templates back to
replicas: 1.)Related
docs/line.md— current LINE deployment guidance (standalone, kubectl-based)templates/gateway.yaml(PR feat(helm): add Gateway Deployment + Service templates #677) — the chart template that introduced this gapSteps to Reproduce
Reproduction
values.yaml:helm upgrade openab openab/openab --version 0.8.2 -f values.yamlResult:
openab-lineclaude-gatewayDeployment + Service.ghcr.io/openabdev/openab-gateway:{Chart.AppVersion}(e.g.:0.8.2)which doesn't exist on ghcr.io (latest published gateway image is
:0.3.0) →ImagePullBackOff.gateway.tag: "0.3.0", the newgateway pod has no
LINE_CHANNEL_SECRET/LINE_CHANNEL_ACCESS_TOKEN, so it can'tprocess LINE webhooks.
Expected Behavior
docs/line.mdinstructs LINE users to deploy a standalone gateway and inject LINEsecrets via
kubectl set env. With chart 0.8.2, anyone who follows the official LINEdocs AND enables
agents.<name>.gatewayto get the WS-adapter config in the agentConfigMap will end up with a duplicate, non-functional gateway pod. The two flags that
should be independent — "agent talks to gateway via WS" and "chart provisions a gateway
server pod" — are coupled to the single
gateway.enabled: true.Environment
Environment
openab/openab0.8.2ghcr.io/openabdev/openab-gateway:0.3.0(standalone, kubectl-managed)Screenshots / Logs
No response