refactor(openclaw): migrate to bjw-s-labs app-template chart

[hobroker]

Summary

Migrates the openclaw deployment off the archived serhanekicii/openclaw-helm chart (archived 2026-05-25) onto the maintained bjw-s-labs/app-template chart (v4.6.2), and reimplements the behaviour the old chart provided internally:

• Init containers now seed/merge openclaw.json onto the PVC (merge mode preserves runtime-written config across restarts) and install the configured skills, all running non-root with a read-only root filesystem and dropped capabilities.
• Trims the migrated values: collapses the three identical container securityContext blocks into a single YAML anchor, drops the redundant TCP startup probe on the main container, and removes an unused bash_aliases configmap entry plus a stale runtime-dependency comment block.

Verified with helm template openclaw bjw-s-labs/app-template --version 4.6.2 -f apps/automation/openclaw/values.yaml: renders cleanly (ConfigMap/Deployment/PVC/Service, liveness + readiness probes, readOnlyRootFilesystem on all containers, no bash_aliases).

Type

• App update (version bump / config change)

Summary by CodeRabbit

• Chores
  • Updated deployment to include container liveness/readiness checks, resource requests/limits, and a single-replica restart strategy.
  • Added init routines to bootstrap and merge existing configuration with provided defaults, and to install skills automatically with retry/backoff.
  • Introduced shared securityContext for containers.
  • Enabled persistent storage for app data and cache plus ephemeral tmp/npm mounts.
  • Expanded chart values to fully configure the application.

[coderabbitai]

📝 Walkthrough

Walkthrough

Migrates OpenClaw to the bjw-s-labs app-template (v4.6.2), adds init scripts for config merging and skill installation, defines pod/container and optional chromium sidecar settings, embeds runtime openclaw.json, and provisions persistence plus advanced mounts.

Changes

OpenClaw App-Template Migration

Layer / File(s)	Summary
Helm chart source migration apps/automation/openclaw/application.yaml	Argo CD Application switches Helm source to bjw-s-labs.github.io/helm-charts app-template chart (targetRevision 4.6.2) with helm.releaseName: openclaw.
Pod & container architecture apps/automation/openclaw/values.yaml	Adds top-level values (configMode, skills), shared container securityContext, defines main controller (replicas/strategy, init containers, command/args, resources, TCP liveness/readiness probes) and optional chromium sidecar.
Init scripts: config merge & skill install apps/automation/openclaw/values.yaml	Adds configMaps.scripts.init-config.sh (strip JSON5-style comments, deep-merge Helm config into existing /home/node/.openclaw/openclaw.json in merge mode with fallback) and init-skills.sh (install SKILLS_TO_INSTALL with retry/backoff and per-skill failure tolerance).
Runtime config & service apps/automation/openclaw/values.yaml	Embeds configMaps.config.openclaw.json payload (gateway/browser/agents/session/logging/tools) and configures service.main to listen on port 18789 with IP family settings.
Persistence and mount wiring apps/automation/openclaw/values.yaml	Mounts scripts/config into init containers, creates 5Gi PVC for /home/node/.openclaw, and wires emptyDir mounts for /tmp and npm cache (/home/node/.npm) across init and main (and chromium) containers.

Sequence Diagram(s)

sequenceDiagram
  participant PodStartup as Pod Startup
  participant InitConfig as init-config.sh
  participant InitSkills as init-skills.sh
  participant Persist as Persistent Storage
  participant Main as Main Container

  PodStartup->>InitConfig: run with `configMode` & Helm-provided /config/openclaw.json
  InitConfig->>Persist: read existing /home/node/.openclaw/openclaw.json
  InitConfig->>InitConfig: strip JSON5 comments, deep-merge Helm config
  InitConfig->>Persist: write merged or fallback openclaw.json
  PodStartup->>InitSkills: run with SKILLS_TO_INSTALL
  InitSkills->>InitSkills: loop install with retry/backoff + jitter
  InitSkills->>Persist: write installed skills to .openclaw
  PodStartup->>Main: start main after inits complete
  Main->>Persist: load openclaw.json and installed skills

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• hobroker/selfhosted#240: Related Openclaw Helm/ArgoCD config changes affecting application.yaml and values.yaml.
• hobroker/selfhosted#242: Related persistence/PV-PVC adjustments for Openclaw PVC binding and storage settings.
• hobroker/selfhosted#316: Closely related migration to app-template and values.yaml restructuring for controllers and persistence.

"Pizza Party Friday for charts! 🍕
A repo retires, a template arrives — hooray!
Init scripts hum, the skills install true,
PVCs guard the secrets, mounts dance in queue,
OpenClaw wakes up, ready to play!"

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'refactor(openclaw): migrate to bjw-s-labs app-template chart' directly and accurately summarizes the main change—a migration from an archived Helm chart to the maintained app-template chart.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch migrate-deprecated-openclaw-helm-chart

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/automation/openclaw/values.yaml`:
- Around line 107-115: The Chromium container repeats the same securityContext
as the existing YAML anchor &containerSecurityContext; replace the duplicated
block in the Chromium container's securityContext with a reference to the anchor
(use the anchor name containerSecurityContext) so the container reads
securityContext: *containerSecurityContext instead of duplicating fields; locate
the Chromium container spec (the securityContext block shown) and swap it for
the anchor reference to collapse duplication and keep consistency.
- Around line 252-257: The jitter calculation using non-POSIX $RANDOM in the
init-skills script is always 0 under sh; replace the line that sets jitter (used
by the log, sleep and delay logic in init-skills.sh) with a POSIX-safe approach:
read a single byte from /dev/urandom (e.g., via dd/od or dd + od -An -tu1),
compute modulo 5 to get 0-4, and assign that to jitter; ensure the method works
under /bin/sh, redirects errors to /dev/null, and falls back to 0 if the random
read fails so the subsequent log "WARNING... retrying in $((delay +
jitter))s..." and sleep call behave correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c7888c9b-1fcd-4b9b-b6da-91b9967027a4

📥 Commits

Reviewing files that changed from the base of the PR and between 776b769 and 62736df.

📒 Files selected for processing (2)

• apps/automation/openclaw/application.yaml
• apps/automation/openclaw/values.yaml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

apps/automation/openclaw/values.yaml (2)

363-376: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Quick note on storage strategy, boss!

The coding guidelines mention using "default host paths /var/local/<app> for config/database storage." This config uses a PVC with empty storageClass (cluster default) instead.

PVCs are more portable and Kubernetes-native, which is totally valid! But if you want to follow the established pattern for easier local backups and inspection on this homelab setup, you could switch to a hostPath:

🗂️ Alternative using host path (if preferred)

  data:
    enabled: true
    type: hostPath
    hostPath: /var/local/openclaw
    advancedMounts:
      main:
        init-config:
          - path: /home/node/.openclaw
        init-skills:
          - path: /home/node/.openclaw
        main:
          - path: /home/node/.openclaw

If PVC is the intentional choice for this app (maybe for easier migration or cluster portability), consider documenting the rationale.

As per coding guidelines: "Use default host paths /var/local/<app> for config/database storage"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/automation/openclaw/values.yaml` around lines 363 - 376, The storage
config currently sets data.type to persistentVolumeClaim with an empty
storageClass which diverges from the project's guideline to use host paths;
update the manifest so data.type is hostPath and set data.hostPath to
/var/local/openclaw (and keep advancedMounts entries as-is) OR if you
intentionally prefer PVCs, add a short comment/documentation near the data block
explaining why persistentVolumeClaim (empty storageClass) is chosen; look for
the data, type, storageClass, hostPath and advancedMounts keys to make the
change.

---

329-337: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

OpenClaw is missing Traefik ingress for openclaw.hobroker.me

Service config is totally boss (HTTP port 18789), but this apps/automation/openclaw/values.yaml has no ingress configuration at all—so there are no Traefik routes/invitations for openclaw.hobroker.me per the <app>.hobroker.me guideline. Add a ingress block mapping openclaw.hobroker.me → service.main/http, or add a comment stating it’s intentionally internal-only.

service:
  main:
    controller: main
    ipFamilyPolicy: SingleStack
    ipFamilies:
      - IPv4
    ports:
      http:
        port: 18789

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/automation/openclaw/values.yaml` around lines 329 - 337, Add an ingress
block for OpenClaw mapping the hostname openclaw.hobroker.me to the existing
service.main HTTP port (service.main → ports.http port 18789), or explicitly add
a comment stating the service is internal-only; specifically update
apps/automation/openclaw/values.yaml to include an ingress entry that targets
service: main and port: http (host: openclaw.hobroker.me) so Traefik will route
external traffic, or add the internal-only comment next to service.main to make
the intent explicit.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@apps/automation/openclaw/values.yaml`:
- Around line 363-376: The storage config currently sets data.type to
persistentVolumeClaim with an empty storageClass which diverges from the
project's guideline to use host paths; update the manifest so data.type is
hostPath and set data.hostPath to /var/local/openclaw (and keep advancedMounts
entries as-is) OR if you intentionally prefer PVCs, add a short
comment/documentation near the data block explaining why persistentVolumeClaim
(empty storageClass) is chosen; look for the data, type, storageClass, hostPath
and advancedMounts keys to make the change.
- Around line 329-337: Add an ingress block for OpenClaw mapping the hostname
openclaw.hobroker.me to the existing service.main HTTP port (service.main →
ports.http port 18789), or explicitly add a comment stating the service is
internal-only; specifically update apps/automation/openclaw/values.yaml to
include an ingress entry that targets service: main and port: http (host:
openclaw.hobroker.me) so Traefik will route external traffic, or add the
internal-only comment next to service.main to make the intent explicit.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5c2bbc6b-8086-40d3-ac69-ea05f2b8cc97

📥 Commits

Reviewing files that changed from the base of the PR and between 62736df and c28f214.

📒 Files selected for processing (1)

• apps/automation/openclaw/values.yaml