openclaw/manifests/deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: openclaw
  namespace: openclaw
  labels:
    app.kubernetes.io/name: openclaw
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: openclaw
  template:
    metadata:
      labels:
        app.kubernetes.io/name: openclaw
    spec:
      serviceAccountName: openclaw

      containers:
        - name: openclaw
          image: default-route-openshift-image-registry.apps.lab.apilab.us/openclaw/openclaw:latest
          imagePullPolicy: Always
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e
              if [ ! -f ~/.openclaw/openclaw.json ]; then
                node /app/openclaw.mjs onboard --non-interactive --accept-risk \
                  --gateway-port 18789 --gateway-bind lan \
                  --skip-daemon --skip-channels --skip-skills --skip-health --skip-ui
              fi
              # Patch tokens from OCP secrets into openclaw.json if not already set (idempotent)
              node -e "
                const fs = require('fs');
                const d = JSON.parse(fs.readFileSync(process.env.HOME + '/.openclaw/openclaw.json', 'utf8'));

                // Gateway token — must be in openclaw.json for channel auth to work
                if (!d.gateway) d.gateway = {};
                if (!d.gateway.token) d.gateway.token = process.env.OPENCLAW_GATEWAY_TOKEN;

                // Hooks token
                if (!d.hooks) d.hooks = {};
                if (!d.hooks.token) {
                  d.hooks.token = process.env.HOOKS_TOKEN;
                  d.hooks.enabled = true;
                  d.hooks.path = '/hooks';
                  d.hooks.allowRequestSessionKey = false;
                  d.hooks.mappings = d.hooks.mappings || [];
                  if (!d.hooks.mappings.find(m => m.id === 'ocp-alerts')) {
                    d.hooks.mappings.push({
                      id: 'ocp-alerts',
                      match: { path: '/ocp-alerts' },
                      action: 'agent',
                      name: 'OCP Alerts',
                      sessionKey: 'hook:ocp-alerts',
                      messageTemplate: 'You are an OCP cluster alert analyst for a Single Node OpenShift lab. An alert has fired. Compose a brief narrative notification and reply with ONLY the notification text \u2014 no preamble, no markdown, no tool calls.\n\nAlert details:\n- Name: {{groupLabels.alertname}}\n- Namespace: {{commonLabels.namespace}}\n- Severity: {{commonLabels.severity}}\n- Status: {{status}}\n- Summary: {{commonAnnotations.summary}}\n\nRules:\n1. If alertname contains \'Watchdog\': reply NO_REPLY and nothing else.\n2. Classify and write one of:\n  - ACTIONABLE firing: \"\ud83d\udfe1 [pod/component] is [what\'s wrong] in [namespace]. [One sentence likely cause]. Would you like me to take action?\"\n  - RESOLVED: \"\u2705 Good news \u2014 [what] in [namespace] has resolved.\"\n  - INFORMATIONAL: \"\u2139\ufe0f Heads up \u2014 [brief narrative].\"\n3. Plain text only. No bullet points. No markdown. Under 3 sentences.',
                      deliver: true,
                      allowUnsafeExternalContent: true,
                      channel: 'telegram',
                      to: '6479169830',
                      model: 'haiku',
                      timeoutSeconds: 60
                    });
                  }
                }

                // Telegram bot token
                d.channels = d.channels || {};
                d.channels.telegram = d.channels.telegram || {};
                if (!d.channels.telegram.botToken) {
                  d.channels.telegram.botToken = process.env.TELEGRAM_BOT_TOKEN;
                }

                fs.writeFileSync(process.env.HOME + '/.openclaw/openclaw.json', JSON.stringify(d, null, 2));
                console.log('Tokens patched from OCP env vars');
              "
              exec node /app/openclaw.mjs gateway --port 18789 --bind lan
          ports:
            - name: gateway
              containerPort: 18789
              protocol: TCP
          env:
            - name: PATH
              value: /home/node/.openclaw/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
            - name: HOME
              value: /home/node
            - name: NPM_CONFIG_CACHE
              value: /tmp/npm-cache
            - name: XDG_CACHE_HOME
              value: /tmp
            - name: TZ
              value: "Australia/Sydney"
            - name: NODE_OPTIONS
              value: "--dns-result-order=ipv4first --no-network-family-autoselection --import /home/node/canvas-patch.mjs"
            - name: OPENCLAW_GATEWAY_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gateway-token
                  key: token
            - name: GITHUB_TOKEN
              valueFrom:
                secretKeyRef:
                  name: github
                  key: pat
            - name: DISCORD_BOT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: discord
                  key: token
            - name: MINIMAX_TOKEN
              valueFrom:
                secretKeyRef:
                  name: minimax
                  key: token
            - name: HOOKS_TOKEN
              valueFrom:
                secretKeyRef:
                  name: hooks-token
                  key: token
            - name: TELEGRAM_BOT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: telegram-bot-token
                  key: token
          volumeMounts:
            - name: home
              mountPath: /home/node
            - name: tmp
              mountPath: /tmp

      volumes:
        - name: home
          persistentVolumeClaim:
            claimName: openclaw-home
        - name: tmp
          emptyDir: {}