Deployments advanced ⏱ 25 minutes K8s 1.28+

OpenClaw GitOps Deployment with ArgoCD

Deploy OpenClaw on Kubernetes using ArgoCD for GitOps automation. Application definition, sync policies, drift detection, and secrets.

By Luca Berton • 5 min read

💡 Quick Answer: Create an ArgoCD Application pointing to your OpenClaw Kustomize overlay directory in Git. ArgoCD syncs manifests automatically, detects config drift, and handles rollback — while secrets stay out of Git via External Secrets or SealedSecrets.

The Problem

Manual kubectl apply for OpenClaw updates doesn’t scale. You need version-controlled deployments with automatic drift detection, rollback history, and multi-environment management — without storing secrets in Git.

The Solution

Step 1: Store Manifests in Git

openclaw-gitops/
├── base/
│   ├── kustomization.yaml
│   ├── deployment.yaml
│   ├── service.yaml
│   ├── pvc.yaml
│   └── configmap.yaml
├── overlays/
│   ├── dev/
│   │   ├── kustomization.yaml
│   │   └── patches/
│   └── production/
│       ├── kustomization.yaml
│       ├── patches/
│       └── external-secret.yaml
└── argocd/
    ├── app-dev.yaml
    └── app-production.yaml

Step 2: ArgoCD Application for Production

# argocd/app-production.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openclaw-production
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: https://github.com/your-org/openclaw-gitops.git
    targetRevision: main
    path: overlays/production
  destination:
    server: https://kubernetes.default.svc
    namespace: openclaw-prod
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
    retry:
      limit: 3
      backoff:
        duration: 5s
        maxDuration: 3m
        factor: 2

Step 3: Secrets via SealedSecrets

# Encrypt secrets client-side
kubeseal --format yaml < secret.yaml > sealed-secret.yaml

# sealed-secret.yaml is safe to commit to Git
git add sealed-secret.yaml && git commit -m "Update OpenClaw API keys"

# sealed-secret.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: openclaw-secrets
  namespace: openclaw-prod
spec:
  encryptedData:
    OPENCLAW_GATEWAY_TOKEN: AgBy8h...
    ANTHROPIC_API_KEY: AgCx9k...

graph LR
    A[Git Repository] -->|Push| B[ArgoCD]
    B -->|Sync| C[Kubernetes Cluster]
    B -->|Detect Drift| D[Self-Heal]
    C --> E[openclaw-dev namespace]
    C --> F[openclaw-prod namespace]
    G[SealedSecret in Git] -->|Decrypt| H[K8s Secret]
    H --> F
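
A repository guard for the rule that only the sealed form is committed, as an added example that is not part of the original recipe: it scans every YAML document under a directory and fails if any has the top-level kind Secret, while SealedSecret and ExternalSecret pass. The function names and the sample tree are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): block plain Secrets in a GitOps tree.
# Function names and the sample repo below are hypothetical/constructed.

# Print one line per YAML document whose top-level kind is exactly "Secret".
find_plain_secrets() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
  while IFS= read -r f; do
    awk -v file="$f" -v sq="'" '
      function val(s) { gsub(/"/, "", s); gsub(sq, "", s); return s }
      function flush() {
        if (kind == "Secret") printf "%s doc=%d name=%s\n", file, doc, name
        kind = ""; name = ""; inmeta = 0
      }
      BEGIN { doc = 1 }
      { sub(/\r$/, "") }                      # tolerate CRLF checkouts
      /^---[ \t]*$/ { flush(); doc++; next }  # multi-document files
      /^kind:/ { kind = val($2) }
      /^metadata:/ { inmeta = 1; next }
      /^[^ \t#]/ { inmeta = 0 }               # any other top-level key ends metadata
      inmeta && name == "" && /^[ \t]+name:/ { name = val($2) }
      END { flush() }
    ' "$f"
  done
}

# Exit status 1 (with a report on stderr) if any plain Secret is present.
guard_repo() {
  hits=$(find_plain_secrets "$1")
  [ -z "$hits" ] && return 0
  printf 'refusing plain Secret manifests:\n%s\n' "$hits" >&2
  return 1
}

# Constructed sample mirroring the overlays/production layout from Step 1.
make_sample_repo() {
  d=$(mktemp -d) && mkdir -p "$d/overlays/production" || return 1
  printf 'apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: openclaw-secrets\n' \
    > "$d/overlays/production/sealed-secret.yaml"
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: cfg\n---\napiVersion: v1\nkind: "Secret"\nmetadata:\n  name: openclaw-secrets\nstringData:\n  OPENCLAW_GATEWAY_TOKEN: placeholder\n' \
    > "$d/overlays/production/secret.yaml"
  echo "$d"
}

demo=$(make_sample_repo)
guard_repo "$demo" || echo "blocked: constructed sample contains a plain Secret"
rm -rf "$demo"
```

Called as guard_repo on the repository root from a pre-commit hook or CI job, it stops the unsealed secret.yaml from Step 3 before it reaches Git history.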

Step 4: Config Updates via Git

To update AGENTS.md or openclaw.json:

# Edit the ConfigMap in Git
vim overlays/production/configmap-patch.yaml

# Commit and push — ArgoCD handles the rest
git add -A && git commit -m "Update agent instructions" && git push

ArgoCD detects the change, syncs the ConfigMap, and the pod picks it up on next restart.

Sync Waves for Ordered Deployment

# Ensure secrets sync before deployment
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: openclaw-secrets
  annotations:
    argocd.argoproj.io/sync-wave: "-1"

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openclaw
  annotations:
    argocd.argoproj.io/sync-wave: "0"

Common Issues

ArgoCD Shows “OutOfSync” for PVC

PVCs are immutable after creation. Ignore with:

spec:
  ignoreDifferences:
    - group: ""
      kind: PersistentVolumeClaim
      jsonPointers:
        - /spec/resources/requests/storage

Secret Drift Detection

ArgoCD detects when someone manually patches a secret. selfHeal: true reverts it from Git source (SealedSecret).

Pod Not Restarting After ConfigMap Change

Generate the ConfigMap with Kustomize's configMapGenerator so its name carries a content hash and a change forces a rollout:

# In kustomization.yaml
configMapGenerator:
  - name: openclaw-config
    behavior: replace
    files:
      - openclaw.json
      - AGENTS.md

Kustomize appends a hash suffix — ConfigMap name changes trigger pod restart.

Best Practices

  • Automated sync with self-heal — detect and fix drift automatically
  • SealedSecrets or External Secrets — never plain secrets in Git
  • Sync waves — secrets before deployments
  • Ignore PVC diffs — they’re immutable after creation
  • Separate repos for config vs app — OpenClaw manifests in infra repo, agent content can be in separate repo
  • PR-based changes — require review before production config changes

Key Takeaways

  • ArgoCD watches Git and syncs OpenClaw manifests automatically
  • Use SealedSecrets or External Secrets Operator for secret management
  • Self-heal and prune keep the cluster matching Git state
  • Sync waves ensure secrets exist before the deployment starts
  • Config changes via Git PR → merge → ArgoCD auto-deploys
Written by Luca Berton

Principal Solutions Architect specializing in Kubernetes, AI/GPU infrastructure, and cloud-native platforms. Author of Kubernetes Recipes and creator of CopyPasteLearn courses.


This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.
