Initial OpenClaw GitOps skeleton

manifests/maintenance/README.md

@@ -0,0 +1,9 @@
+Maintenance notes
+
+We intentionally avoid assumptions about UID/GID/FSGroup under OpenShift restricted SCC.
+
+If PVC permissions ever wedge, prefer:
+- designing the container entrypoint to `umask 0002` and create needed dirs/files with group-writable perms, OR
+- use an initContainer that only does `chmod -R g+rwX` (no chown) if your cluster policy allows.
+
+Avoid hardcoding specific numeric UIDs/GIDs.

manifests/maintenance/fix-openclaw-pvc-perms-job.yaml

@@ -0,0 +1,33 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: openclaw-fix-pvc-perms
+  namespace: openclaw
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: openclaw
+      containers:
+        - name: fix
+          image: registry.access.redhat.com/ubi9/ubi-minimal:9.5
+          command:
+            - /bin/sh
+            - -lc
+            - |
+              set -eu
+              echo "Fixing group permissions under /data (PVC)"
+              echo "NOTE: This job intentionally avoids chown or any hardcoded UID/GID assumptions."
+
+              chmod -R g+rwX /data
+              find /data -type d -exec chmod 2775 {} \;
+
+              echo "Done"
+              ls -la /data | head -n 100 || true
+          volumeMounts:
+            - name: config
+              mountPath: /data
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: openclaw-config