GitOps Deployment

2 min read

NClaw’s Helm chart can be deployed declaratively using GitOps tools. Below are ready-to-use manifests for FluxCD and ArgoCD.

FluxCD

apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: nclaw
  namespace: flux-system
spec:
  type: oci
  interval: 10m
  url: oci://ghcr.io/nickalie/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: nclaw
  namespace: nclaw
spec:
  interval: 10m
  chart:
    spec:
      chart: nclaw
      sourceRef:
        kind: HelmRepository
        name: nclaw
        namespace: flux-system
  values:
    env:
      whitelistChatIds: "123456789"
      webhookBaseDomain: "example.com"
    existingSecret: nclaw-secrets
    claudeCredentialsSecret: claude-credentials
    persistence:
      size: 5Gi

The existingSecret should contain the Telegram bot token under the key telegram-bot-token. Create it separately:

kubectl create secret generic nclaw-secrets \
  --namespace nclaw \
  --from-literal=telegram-bot-token=your-token

ArgoCD

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: nclaw
  namespace: argocd
spec:
  project: default
  source:
    chart: nclaw
    repoURL: ghcr.io/nickalie/charts
    targetRevision: "*"
    helm:
      valuesObject:
        env:
          whitelistChatIds: "123456789"
          webhookBaseDomain: "example.com"
        existingSecret: nclaw-secrets
        claudeCredentialsSecret: claude-credentials
        persistence:
          size: 5Gi
  destination:
    server: https://kubernetes.default.svc
    namespace: nclaw
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

targetRevision: "*" tracks the latest chart version. Pin to a specific version (e.g. "0.1.0") for stricter control over upgrades.

Secrets Setup

Create the credential secret for your chosen CLI agent before deploying:

# Claude
kubectl create secret generic claude-credentials \
  --namespace nclaw \
  --from-file=credentials.json=$HOME/.claude/.credentials.json

# Codex
kubectl create secret generic codex-credentials \
  --namespace nclaw \
  --from-file=auth.json=$HOME/.codex/auth.json

# Copilot
kubectl create secret generic copilot-credentials \
  --namespace nclaw \
  --from-file=config.json=$HOME/.copilot/config.json

# Gemini
kubectl create secret generic gemini-credentials \
  --namespace nclaw \
  --from-file=oauth_creds.json=$HOME/.gemini/oauth_creds.json

Then reference the secret name in your Helm values (e.g. claudeCredentialsSecret, codexCredentialsSecret, etc.).

See Configuration for the full list of Helm values.

Development Architecture