feat: add openab-telegram chart #873
Merged
All PRs must reference a prior Discord discussion to ensure community alignment before implementation. Please edit the PR description to include a link like: This PR will be automatically closed in 3 days if the link is not added.
This was referenced May 20, 2026
Single-pod Helm chart for Telegram deployments:
- OAB agent, gateway, and cloudflared tunnel as colocated containers
- Shared emptyDir for /tmp, PVC for agent persistence
- Only 2 required --set flags: telegramBotToken, cloudflareTunnelToken
- Follows the reference architecture from docs/refarch/telegram-cloudflare-tunnel.md
Closes #872

- channel: stable (default) strips -beta.* from appVersion for both images
- channel: beta uses appVersion as-is for core, strips prerelease for gateway (gateway has no beta tags)
- Explicit image.tag / gateway.tag override still takes precedence

Gateway has independent release cadence from core — no appVersion derivation. Just use the pinned tag directly.

…ment README
- existingSecret: reference a pre-created K8s Secret (skips chart Secret creation)
- README documents 3 credential options: --set, --from-literal, --from-env-file
- Secrets from external managers (AWS SM) can flow to K8s without touching disk

- Pin cloudflared to 2026.5.0 (was 'latest')
- Change agent.command default to 'openab' (generic, not kiro-specific)
- Fix NOTES.txt webhook curl to respect existingSecret

Gateway needs write access to ~/.openab/media/inbound/ for media proxy colocate mode (PR #858). Both core and gateway now share the PVC.

- Cloudflare tunnel setup via API token (no browser)
- Ingress config via local config.yml
- Webhook setup moved to Prerequisites (before helm install)
- Post-install only has agent auth (device flow)
- Fixed agent command to 'openab'

Instead of regex-stripping beta suffix from appVersion, resolve image tag directly from channel value (stable/beta). Requires PR #878 to publish the floating tags.
c460ba3 to bf73f06
Agent auth credentials and state live in the PVC. Without this, uninstall+reinstall requires re-authentication.
099dbab to 322169c
322169c to 3c8c28b
b2e8b09 to c351ad9
added 2 commits May 20, 2026 19:59
Optional third key in the K8s Secret enables AI agents to configure tunnel ingress via the Cloudflare API without external credentials. NOTES.txt extracts all needed values from the secret itself.
thepagent approved these changes May 21, 2026
This was referenced May 22, 2026
thepagent pushed a commit that referenced this pull request May 22, 2026
…901)
* feat(openab): add existingSecret support for Slack agent credentials

Add `agents.<name>.slack.existingSecret` to the openab chart. When set, the chart references the named Kubernetes Secret for SLACK_BOT_TOKEN and SLACK_APP_TOKEN instead of creating a chart-managed Secret from values. Adapts the existingSecret pattern from the openab-telegram chart (#873) to the multi-agent structure of openab, scoped per-agent. Enables ESO/Vault/SealedSecrets workflows where Slack tokens rotate without requiring a Helm re-apply.

Behavior:
- existingSecret unset: chart creates Secret with slack tokens (unchanged)
- existingSecret set, slack-only agent: no chart-managed Secret created
- existingSecret set + discord/stt/gateway: chart Secret omits slack keys; deployment references existingSecret for slack envs only (dual-secret)

Closes #900

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(helm): address review nits — trim existingSecret, add mixed-adapter and multi-agent tests

- Pipe existingSecret through | trim in openab.slackSecretName helper to handle whitespace-only values gracefully
- Add mixed-adapter deployment test verifying Discord refs chart-managed Secret while Slack refs existingSecret in the same Deployment
- Add multi-agent scoping test confirming agent A's existingSecret does not affect agent B's inline token resolution

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: 超渡法師 <noreply@openab.dev>
This was referenced May 24, 2026
Closed
Summary
Adds charts/openab-telegram/ — a standalone Helm chart that deploys OAB + Gateway + Cloudflare Tunnel in a single pod, following the reference architecture.
Install
Only 2 required flags. Everything else has sane defaults.
Credential Management
Three options from simplest to most secure:
1. `--set telegramBotToken=X` | `helm get values`
2. `kubectl create secret --from-literal` + `--set existingSecret=name`
3. `kubectl create secret --from-env-file=<(aws sm ...)` + `--set existingSecret=name`
Option 3 example (AWS Secrets Manager → K8s Secret, no disk/shell exposure):
Release Channel
Users can switch between stable and beta for the core image:
- channel stable (default): 0.8.3 | v0.5.0 (pinned)
- channel beta: 0.8.3-beta.12 | v0.5.0 (pinned)
Gateway is pinned independently since it has its own release cadence (gateway-v* tags).
What it does
- openab (agent), gateway (Telegram adapter), cloudflared (tunnel)
- localhost — no Services needed
- existingSecret support — reference a pre-created K8s Secret, chart skips Secret creation
Design Decision
This is a standalone chart (not a subchart wrapper) because:
- extraContainers values
Future platform charts (openab-line, openab-feishu, etc.) can follow the same pattern.
Tested
- helm lint ✅
- helm template renders correctly ✅
- existingSecret mode (skips Secret, references external) ✅
- allowAllUsers=false) ✅
- stable/beta) resolves correct tags ✅
Closes #872
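The credential options in the description differ in where the token ends up: values passed with --set are kept in the Helm release, where `helm get values` returns them. The Python check below is an added example, not part of the PR or the chart; it classifies the output of `helm get values <release> -o json`. Treating telegramBotToken, cloudflareTunnelToken and existingSecret as top-level value keys is an assumption, and the sample values are constructed.

```python
import json

# Value names come from the PR description; treating them as top-level keys of
# the release values is an assumption (the chart's values.yaml is not shown).
TOKEN_KEYS = ("telegramBotToken", "cloudflareTunnelToken")

# Constructed samples of `helm get values <release> -o json` output.
SAMPLE_INLINE = '{"telegramBotToken": "1234567890:constructed", "cloudflareTunnelToken": "constructed-tunnel-token"}'
SAMPLE_EXTERNAL = '{"existingSecret": "openab-telegram-creds", "channel": "beta"}'


def mask(token):
    """Show just enough of a token to identify it in a report."""
    return token[:4] + "..." if len(token) > 8 else "****"


def audit_release_values(values_json):
    """Return (mode, findings); mode is inline, existingSecret, mixed or missing."""
    values = json.loads(values_json) or {}  # tolerate a bare JSON null
    # Whitespace-only secret names count as unset (an assumption about the chart).
    existing = str(values.get("existingSecret") or "").strip()
    inline = {}
    for key in TOKEN_KEYS:
        value = values.get(key)
        if isinstance(value, str) and value.strip():
            inline[key] = value
    findings = [
        f"{key}={mask(value)} is stored in the release and returned by `helm get values`"
        for key, value in inline.items()
    ]
    if inline and existing:
        findings.append(f"existingSecret={existing!r} is set but inline tokens remain in the release")
        return "mixed", findings
    if inline:
        return "inline", findings
    if existing:
        return "existingSecret", findings
    return "missing", ["neither inline tokens nor existingSecret in user-supplied values"]


if __name__ == "__main__":
    for sample in (SAMPLE_INLINE, SAMPLE_EXTERNAL, "null"):
        mode, findings = audit_release_values(sample)
        print(mode, *findings, sep="\n  ")
```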