OpenClaw - AI Agent Platform

This cluster runs OpenClaw 2026.5.4, deployed via the openclaw-operator (v0.30.0). A single OpenClawInstance custom resource manages the full deployment — StatefulSet, PVC, RBAC, service, and config — no custom Docker image required.

Endpoints

Interface	URL
Web UI	`https://claw.k8s.sudhanva.me`
Telegram	@CoochiepieBot

Architecture

flowchart TB
    subgraph Internet
        User((User))
        TG[Telegram]
        ChatGPT[ChatGPT Plus<br/>openai-codex/gpt-5.5]
        Gemini[Google Gemini<br/>gemini-3.1-flash-lite]
        DeepSeek[NVIDIA DeepSeek<br/>deepseek-v4-pro]
    end

    subgraph OKE["OKE Cluster"]
        Gateway[Envoy Gateway<br/>TLS Termination]

        subgraph OpenClawPod["openclaw-0 (StatefulSet)"]
            GW[OpenClaw Gateway<br/>:18789]
            Agent[AI Agent]
            TGChannel[Telegram Channel]
            Browser[Chromium Sidecar<br/>Headless CDP]
        end

        Operator[openclaw-operator<br/>v0.30.0]
        PVC[(PVC 180Gi<br/>openclaw-data)]
        ESO[External Secrets Operator]
    end

    subgraph OCI["OCI Vault"]
        Secrets[(API Keys + Tokens)]
    end

    User -->|HTTPS| Gateway
    Gateway --> GW
    User -->|DM| TG
    TG --> TGChannel
    TGChannel --> Agent
    Agent -->|Primary| ChatGPT
    Agent -->|Fallback 1| Gemini
    Agent -->|Fallback 2| DeepSeek
    Agent --> Browser
    Operator -->|Manages| OpenClawPod
    Operator -->|Manages| PVC
    Secrets --> ESO
    ESO -->|K8s Secrets| OpenClawPod

AI Models

Priority	Provider	Model	Auth
Primary	OpenAI Codex	`openai-codex/gpt-5.5`	ChatGPT Plus OAuth (stored on PVC)
Fallback 1	Google	`google/gemini-3.1-flash-lite-preview`	`GEMINI_API_KEY` env var
Fallback 2	NVIDIA	`nvidia/deepseek-ai/deepseek-v4-pro`	`NVIDIA_API_KEY` env var

ChatGPT Subscription Auth

After deployment, authenticate with your ChatGPT Plus subscription (requires a TTY):

kubectl exec -it -n default openclaw-0 -- openclaw models auth login --provider openai-codex

This opens an OAuth browser flow. The tokens are saved to the PVC and persist across restarts.

Operator Deployment

The operator is installed via ArgoCD as a Helm OCI chart:

# argocd/applications.yaml (sync-wave 4)
repoURL: ghcr.io/openclaw-rocks/charts
chart: openclaw-operator
targetRevision: "*"

The OpenClawInstance CR is deployed at sync-wave 5:

argocd/apps/openclaw/openclawinstance.yaml
argocd/apps/openclaw/httproute.yaml
argocd/apps/openclaw/kustomization.yaml

Key Configuration

The full config lives in argocd/apps/openclaw/openclawinstance.yaml. Key sections:

spec:
  image:
    repository: ghcr.io/openclaw/openclaw
    tag: "2026.5.4"

  config:
    raw:
      gateway:
        mode: local
        bind: lan          # required for 2026.5.4+; "0.0.0.0" no longer accepted
        port: 18789
      agents:
        defaults:
          model:
            primary: openai-codex/gpt-5.5
            fallbacks:
              - google/gemini-3.1-flash-lite-preview
              - nvidia/deepseek-ai/deepseek-v4-pro
      channels:
        telegram:
          enabled: true
          dmPolicy: pairing  # no botToken needed; uses TELEGRAM_BOT_TOKEN env var

  gateway:
    enabled: false  # Envoy Gateway handles TLS; operator's nginx proxy not needed

  storage:
    persistence:
      size: 180Gi       # 200Gi = 215GB exceeds OCI 200GB free tier
      storageClass: oci-bv

Features

Feature	Description
Telegram Bot	@CoochiepieBot — DM to chat, pairing-based access
Web UI	`claw.k8s.sudhanva.me` — gateway token auth
ChatGPT Plus	GPT-5.5 via OAuth subscription (no per-token billing)
Multi-model fallback	Auto-falls back to Gemini then DeepSeek if primary unavailable
Browser Control	Chromium sidecar via CDP for web automation
Memory + Dreaming	Persistent memory with background consolidation
Session Isolation	Per-sender sessions, 30 min idle auto-reset
Plugins	browser, device-pair, file-transfer, memory-core, phone-control, talk-voice, telegram, codex
Tools	gws (Google Workspace), gh (GitHub), bw (Bitwarden), uv/Python 3.14, Alpha Vantage

Secrets

All secrets are stored in OCI Vault and synced via External Secrets Operator.

Vault Secret	K8s Secret	Purpose
`telegram-bot-token`	`telegram-bot-token`	Telegram Bot API token
`gemini-api-key`	`gemini-api-key`	Google Gemini API
`nvidia-api-key`	`nvidia-api-key`	NVIDIA AI Catalog (DeepSeek)
`github-pat`	`github-pat`	GitHub CLI
`google-places-api-key`	`google-places-api-key`	Google Places API
`alphavantage-api-key`	`alphavantage-api-key`	Stock/financial data
`bw-credentials`	`bw-credentials`	Bitwarden CLI

The operator auto-generates the gateway token secret (openclaw-gateway-token) — no Vault entry needed.

Getting the Web UI Token

kubectl get secret openclaw-gateway-token -o jsonpath='{.data.token}' | base64 -d

Resource Allocation

Resource	Request	Limit
Memory	1 GB	4 GB
CPU	500m	2000m
Storage	180Gi PVC	—

Telegram Setup

Create a bot via @BotFather
Add the token to OCI Vault as telegram-bot-token
Deploy via ArgoCD — the operator reads TELEGRAM_BOT_TOKEN env var automatically
DM the bot, get the pairing code
Approve it:

kubectl exec -n default openclaw-0 -- openclaw pairing approve telegram <CODE>

Deployment from Scratch

1. Add Secrets to OCI Vault

telegram_bot_token = "your-botfather-token"
gemini_api_key     = "your-google-api-key"
nvidia_api_key     = "your-nvidia-api-key"

cd tf-oke
terraform apply -target=oci_vault_secret.telegram_bot_token \
  -target=oci_vault_secret.gemini_api_key \
  -target=oci_vault_secret.nvidia_api_key
git checkout -- ../argocd/

2. Deploy via ArgoCD

kubectl apply -f argocd/applications.yaml

Force sync (wave 4 → 5):

kubectl patch app openclaw-operator -n argocd --type merge \
  -p '{"metadata":{"annotations":{"argocd.argoproj.io/refresh":"hard"}}}'
kubectl patch app openclaw-app -n argocd --type merge \
  -p '{"metadata":{"annotations":{"argocd.argoproj.io/refresh":"hard"}}}'

3. Authenticate ChatGPT (optional, requires TTY)

kubectl exec -it -n default openclaw-0 -- openclaw models auth login --provider openai-codex

4. Pair Telegram

kubectl exec -n default openclaw-0 -- openclaw pairing approve telegram <CODE>

Upgrading OpenClaw

Update the image.tag in openclawinstance.yaml and push:

spec:
  image:
    tag: "2026.5.4"   # change to new version

ArgoCD detects the change, the operator rolls the StatefulSet, and the pod restarts with the new image. Always trigger a sync after pushing:

kubectl patch app openclaw-app -n argocd --type merge \
  -p '{"metadata":{"annotations":{"argocd.argoproj.io/refresh":"hard"}}}'

Troubleshooting

Bot Not Responding

kubectl logs openclaw-0 | grep telegram

Pairing not approved: kubectl exec -n default openclaw-0 -- openclaw pairing approve telegram <CODE>
Invalid token: kubectl get secret telegram-bot-token -o jsonpath='{.data.telegram-bot-token}' | base64 -d

Pod CrashLoopBackOff

kubectl logs openclaw-0 --previous | head -20

Common causes in 2026.5.4:

Invalid --bind — add bind: lan to spec.config.raw.gateway (raw IP addresses no longer accepted)
Config auto-restored from backup loop — delete the PVC to clear stale backup state: kubectl delete pvc openclaw-data
Gateway proxy port conflict — ensure spec.gateway.enabled: false is set

Check All Model Auth

kubectl exec -n default openclaw-0 -- openclaw models status

Stale PVC / Fresh Start

If config state is corrupted (repeated restarts, backup restore loops):

kubectl delete pvc openclaw-data -n default

The operator recreates the PVC fresh on the next reconcile. ChatGPT OAuth tokens will need to be re-authenticated.