# Default values for openclaw.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Number of pod replicas requested for the deployment.
# NOTE(review): persistence.accessMode defaults to ReadWriteOnce, so confirm
# how the templates attach the volume before raising this above 1.
replicaCount: 1

image:
  repository: ghcr.io/openclaw/openclaw
  # IfNotPresent reuses an image already cached on the node; combined with a
  # mutable tag, nodes can end up running different builds under one tag.
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  # Prefer an explicit, immutable tag so a rollout is reproducible.
  tag: ""

# References to existing image pull Secrets (needed only when the image is
# pulled from a registry that requires credentials).
imagePullSecrets: []
# Conventional Helm name overrides for the generated resource names.
nameOverride: ""
fullnameOverride: ""

# Optional: override the container name (defaults to chart name)
containerName: ""

# Optional: override command and args
# Empty lists presumably leave the image's own entrypoint and arguments in
# place — confirm against the deployment template.
command: []
args: []

# Deployment-specific labels and annotations
deploymentLabels: {}
deploymentAnnotations: {}

# Deployment spec configuration
# revisionHistoryLimit: number of old ReplicaSets kept for rollback.
# terminationGracePeriodSeconds: total time the pod gets to stop before it is
# killed; it has to cover the preStop hook configured under `lifecycle`.
revisionHistoryLimit: 5
terminationGracePeriodSeconds: 30

# OpenClaw gateway configuration (maps to openclaw.json in ConfigMap)
gateway:
  # "loopback" = only reachable via kubectl port-forward (safe default)
  # Change to "0.0.0.0" when using Ingress or LoadBalancer
  # Binding to "0.0.0.0" makes the gateway reachable from other pods and,
  # through a Service or Ingress, possibly from outside the cluster. Before
  # changing it, keep tokenAuth enabled, set secret.gatewayToken (or
  # secret.gatewayPassword), and consider enabling networkPolicy.
  bind: "loopback"
  # Port the gateway listens on; service.port defaults to the same value.
  port: 18789
  # Enable token-based auth for the Control UI (strongly recommended)
  # NOTE(review): secret.gatewayToken defaults to empty — confirm what the
  # gateway does when tokenAuth is true but no token has been supplied.
  tokenAuth: true

# Agent system prompt — rendered as AGENTS.md in the ConfigMap
# Edit this to customize agent behavior and instructions
# A ConfigMap is not a secret store: anyone who can read ConfigMaps in the
# namespace can read this text, so keep API keys, tokens and other
# credentials out of it and use the `secret` values instead.
agentsConfig: |
  # OpenClaw Agents

  Default agent configuration. Edit this section to customize agent behavior,
  add skills, or configure model preferences for your deployment.

# Extra top-level keys merged into openclaw.json (merged with gateway config above)
# Example:
#   extraGatewayConfig:
#     logLevel: debug
#     maxConcurrentSessions: 10
# These keys are written to the same ConfigMap, so do not place credentials
# here either.
# NOTE(review): confirm the merge precedence in the templates — if keys set
# here win over `gateway`, they can change the bind address or auth settings.
extraGatewayConfig: {}

# Secret values for provider API keys and gateway authentication
# All fields are optional — only non-empty values are written into the Secret
#
# Handling notes:
#   - Anything set here is plain text in the values file (or --set argument)
#     given to Helm. Do not commit real keys to version control; pass them at
#     install time from a file kept outside the repository.
#   - Helm keeps the supplied values in its release record in the cluster, so
#     access to that record is access to these keys.
#   - To keep keys out of Helm values entirely, reference a Secret managed
#     outside the chart through `envFrom` (presumably passed through to the
#     container — confirm in the templates).
#   - Fill in only the providers and channels actually used, and scope each
#     key as narrowly as the provider allows.
secret:
  # NOTE(review): presumably false skips creating the Secret — confirm.
  enabled: true

  # --- Gateway auth ---
  # Control UI authentication token (strongly recommended)
  # Use a long random value; it is the credential guarding the Control UI.
  gatewayToken: ""
  # Alternative: password-based auth (use token OR password, not both)
  gatewayPassword: ""

  # --- Model providers (core) ---
  anthropicApiKey: ""       # ANTHROPIC_API_KEY
  geminiApiKey: ""          # GEMINI_API_KEY
  openaiApiKey: ""          # OPENAI_API_KEY
  openrouterApiKey: ""      # OPENROUTER_API_KEY
  googleApiKey: ""          # GOOGLE_API_KEY

  # --- Model provider live keys (bypass caching/pooling) ---
  openaiLiveKey: ""         # OPENCLAW_LIVE_OPENAI_KEY
  anthropicLiveKey: ""      # OPENCLAW_LIVE_ANTHROPIC_KEY
  geminiLiveKey: ""         # OPENCLAW_LIVE_GEMINI_KEY

  # --- Numbered / pooled key variants ---
  openaiApiKey1: ""         # OPENAI_API_KEY_1
  anthropicApiKey1: ""      # ANTHROPIC_API_KEY_1
  geminiApiKey1: ""         # GEMINI_API_KEY_1
  openaiApiKeys: ""         # OPENAI_API_KEYS  (comma-separated pool)
  anthropicApiKeys: ""      # ANTHROPIC_API_KEYS
  geminiApiKeys: ""         # GEMINI_API_KEYS

  # --- Additional / specialty providers ---
  zaiApiKey: ""             # ZAI_API_KEY
  aiGatewayApiKey: ""       # AI_GATEWAY_API_KEY
  tokenhubApiKey: ""        # TOKENHUB_API_KEY
  lkeapApiKey: ""           # LKEAP_API_KEY
  minimaxApiKey: ""         # MINIMAX_API_KEY
  syntheticApiKey: ""       # SYNTHETIC_API_KEY

  # --- Channels ---
  # Bot tokens grant control of the corresponding bot account; treat them
  # like the provider keys above.
  telegramBotToken: ""      # TELEGRAM_BOT_TOKEN
  discordBotToken: ""       # DISCORD_BOT_TOKEN
  slackBotToken: ""         # SLACK_BOT_TOKEN
  slackAppToken: ""         # SLACK_APP_TOKEN
  mattermostBotToken: ""    # MATTERMOST_BOT_TOKEN
  mattermostUrl: ""         # MATTERMOST_URL
  zaloBotToken: ""          # ZALO_BOT_TOKEN
  twitchAccessToken: ""     # OPENCLAW_TWITCH_ACCESS_TOKEN

  # --- Tools / search ---
  braveApiKey: ""           # BRAVE_API_KEY
  perplexityApiKey: ""      # PERPLEXITY_API_KEY
  firecrawlApiKey: ""       # FIRECRAWL_API_KEY

  # --- Voice / media ---
  elevenlabsApiKey: ""      # ELEVENLABS_API_KEY
  xiApiKey: ""              # XI_API_KEY (ElevenLabs alias)
  inworldApiKey: ""         # INWORLD_API_KEY
  deepgramApiKey: ""        # DEEPGRAM_API_KEY

# Persistent storage for agent state, conversation memory, and config overrides
# The volume holds conversation memory, so it carries whatever sensitive data
# passes through the agent. Apply the same encryption-at-rest, backup and
# retention controls to it as to other sensitive data.
persistence:
  enabled: true
  # Storage class — leave empty to use the cluster default
  storageClass: ""
  # ReadWriteOnce: the volume can be mounted read-write by a single node.
  accessMode: ReadWriteOnce
  size: 10Gi
  annotations: {}
  # Mount path inside the container for persistent agent data
  # With securityContext.readOnlyRootFilesystem: true the root filesystem is
  # not writable, so this mount is where the agent's writable data lives.
  mountPath: /home/openclaw

serviceAccount:
  # false: the chart does not create a dedicated ServiceAccount.
  create: false
  # false: presumably maps to automountServiceAccountToken, keeping the
  # Kubernetes API token out of the pod. Leave it off unless the agent has to
  # call the Kubernetes API, and then bind only the permissions it needs.
  automount: false
  annotations: {}
  labels: {}
  name: ""

# Extra environment variables / environment sources for the container.
# For credentials, prefer references to an existing Secret (valueFrom
# secretKeyRef, or a secretRef entry under envFrom) over literal values.
env: []
envFrom: []

podAnnotations: {}
podLabels: {}

# Pod-level security settings.
podSecurityContext:
  # Group applied to mounted volumes so the non-root user below can write to
  # the persistent volume.
  fsGroup: 1000

# Container-level hardening. Loosening any of these widens what a compromised
# agent process can do, so override them only with a specific reason.
# NOTE(review): no seccompProfile is set here; consider adding
# `seccompProfile: {type: RuntimeDefault}` if the cluster does not default it.
securityContext:
  capabilities:
    # Drop every Linux capability; none are added back.
    drop:
      - ALL
  # Root filesystem is read-only; writes go to mounted volumes only.
  readOnlyRootFilesystem: true
  # Refuse to start if the image would run as UID 0.
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  # Blocks gaining privileges through setuid binaries and similar mechanisms.
  allowPrivilegeEscalation: false

service:
  # ClusterIP keeps the Service internal to the cluster. NodePort and
  # LoadBalancer publish it beyond the cluster; use them only together with
  # gateway auth and, for LoadBalancer, loadBalancerSourceRanges.
  type: ClusterIP
  port: 18789
  annotations: {}
  labels: {}
  # Optional: pin a specific cluster IP or use "None" for headless
  clusterIP: ""
  # Optional: specific node port for NodePort/LoadBalancer types
  # nodePort: 30789
  loadBalancerIP: ""
  # CIDR ranges allowed to reach a LoadBalancer Service. Empty means no
  # source restriction is requested from the load balancer.
  loadBalancerSourceRanges: []
  externalTrafficPolicy: ""
  ipFamilyPolicy: ""
  ipFamilies: []

ingress:
  # Enabling this publishes the gateway and its Control UI through the
  # ingress controller. Keep gateway.tokenAuth on and set secret.gatewayToken
  # (or secret.gatewayPassword) before turning it on.
  enabled: false
  # IMPORTANT: ingress.enabled=true requires gateway.bind="0.0.0.0"
  # The default loopback bind is not reachable by Kubernetes services.
  # The className and annotations below assume a Traefik ingress controller
  # and a cert-manager ClusterIssuer named letsencrypt-production; adjust
  # them for other controllers or issuers.
  className: traefik
  labels: {}
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    # Route only through the TLS entrypoint, so the UI is not served over
    # plain HTTP.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # Annotation values must be strings, hence the quoted "true".
    traefik.ingress.kubernetes.io/router.tls: "true"
  # openclaw.local is a placeholder: replace it (here and under tls) with the
  # real hostname. A public ACME issuer cannot issue a certificate for a
  # .local name.
  hosts:
    - host: openclaw.local
      paths:
        - path: /
          pathType: Prefix
          backend: {}
  tls:
    - hosts:
        - openclaw.local
      secretName: openclaw-tls

# Empty by default: the container runs without CPU/memory requests or limits,
# so nothing bounds what it can consume on the node. Set both for production.
resources: {}
  # Recommended starting point for production:
  # requests:
  #   cpu: 250m
  #   memory: 512Mi
  # limits:
  #   cpu: 1000m
  #   memory: 1Gi

# Health probes. All three request /health on the container port named
# "gateway" and send no credentials.
# NOTE(review): httpGet probes are sent by the kubelet to the pod IP, not to
# 127.0.0.1 inside the pod. Confirm they pass with the default
# gateway.bind: "loopback"; if they only pass after switching to "0.0.0.0",
# the safe default is not usable as shipped.
# NOTE(review): confirm /health answers without the gateway token and returns
# no sensitive detail, since it is requested unauthenticated.
livenessProbe:
  enabled: true
  httpGet:
    path: /health
    port: gateway
  initialDelaySeconds: 10
  periodSeconds: 15
  timeoutSeconds: 3
  successThreshold: 1
  # 3 consecutive failures (about 45 s at this period) restart the container.
  failureThreshold: 3

# Readiness: a failing pod is taken out of the Service endpoints rather than
# restarted.
readinessProbe:
  enabled: true
  httpGet:
    path: /health
    port: gateway
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 3
  successThreshold: 1
  failureThreshold: 3

# Startup: liveness and readiness checks are held off until this succeeds.
startupProbe:
  enabled: true
  httpGet:
    path: /health
    port: gateway
  initialDelaySeconds: 5
  periodSeconds: 5
  timeoutSeconds: 3
  successThreshold: 1
  failureThreshold: 24  # up to 2 minutes total startup window

# Horizontal pod autoscaling. Utilization targets are percentages of the
# container's resource requests, so set `resources.requests` before enabling.
# NOTE(review): with persistence.accessMode ReadWriteOnce, confirm additional
# replicas can mount the volume before scaling beyond one pod.
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 5
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80
  labels: {}
  annotations: {}
  # Custom metrics override CPU/Memory targets when set
  metrics: []
  # Scaling behavior (k8s 1.23+)
  behavior: {}
    # scaleDown:
    #   stabilizationWindowSeconds: 300
    # scaleUp:
    #   stabilizationWindowSeconds: 0

# Pod Disruption Budget — enable for HA deployments (requires replicaCount > 1)
# With a single replica, minAvailable: 1 forbids evicting the only pod, which
# blocks voluntary disruptions such as node drains.
podDisruptionBudget:
  enabled: false
  minAvailable: 1
  # maxUnavailable: 1  # Cannot set both minAvailable and maxUnavailable
  labels: {}
  annotations: {}
  unhealthyPodEvictionPolicy: ""  # IfHealthyBudget or AlwaysAllow

# Network Policy — enable to restrict traffic to/from the openclaw pod
# Disabled by default, so this chart places no restriction on traffic to or
# from the pod.
# Review the rules below before enabling. An empty podSelector ({}) with no
# namespaceSelector matches only pods in the policy's own namespace, so as
# written:
#   - ingress from other namespaces (for example an ingress controller
#     running elsewhere) is not allowed, and
#   - egress is limited to same-namespace pods, which leaves out cluster DNS
#     and the external provider and channel APIs the `secret` keys are for.
# Add explicit rules for the destinations the deployment needs, and keep them
# as narrow as possible (presumably the lists are rendered as given — confirm
# in the NetworkPolicy template).
networkPolicy:
  enabled: false
  labels: {}
  annotations: {}
  # Listing both types means both directions are default-deny except for the
  # rules below.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector: {}
  egress:
    - to:
        - podSelector: {}

# Deployment strategy — zero-downtime rolling update by default
# maxSurge: 1 / maxUnavailable: 0 starts one new pod and waits for it to be
# ready before an old pod is removed.
# NOTE(review): with a ReadWriteOnce volume the old and new pod need the same
# volume during the surge — confirm rollouts complete when they land on
# different nodes.
strategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 1
    maxUnavailable: 0

# Lifecycle hooks
# preStop pauses 5 seconds before the container is signalled to stop, giving
# in-flight requests time to finish. The command needs /bin/sh and sleep to
# exist in the image.
lifecycle:
  preStop:
    exec:
      command: ["/bin/sh", "-c", "sleep 5"]

# Additional volumes and mounts
# The root filesystem is read-only (securityContext.readOnlyRootFilesystem),
# so any extra writable path the application needs has to be mounted here,
# for example an emptyDir volume.
# Avoid hostPath volumes: they give the pod access to the node's filesystem.
volumes: []
volumeMounts: []

# Additional init containers (run before the openclaw container)
# A container-level securityContext applies per container, so give each
# container added here its own hardened securityContext.
initContainers: []

# Sidecar containers (run alongside the openclaw container)
# The same applies: sidecars do not inherit the `securityContext` values.
sidecars: []

# Advanced scheduling
nodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: []

# DNS configuration
dnsPolicy: ""
dnsConfig: {}

# Pod scheduling
priorityClassName: ""
# Name of a RuntimeClass, e.g. a sandboxed container runtime if the cluster
# provides one; empty uses the cluster's default runtime.
runtimeClassName: ""
schedulerName: ""
# Extra /etc/hosts entries for the pod.
hostAliases: []
