Configuration

This guide covers configuring OpenClaw for Cloudeka, including channels, models, sessions, and security settings.

Configuration Overview

OpenClaw configuration is stored in openclaw.json and managed via Helm ConfigMap:

# charts/openclaw/values.yaml
app-template:
  configMaps:
    config:
      data:
        openclaw.json: |
          { ... }

Config Mode: Merge vs Overwrite

Mode

Behavior

Use Case

merge (default)

Helm values are deep-merged with existing config. Runtime changes (paired devices, UI settings) are preserved.

Development, manual testing

overwrite

Helm values completely replace existing config.

GitOps, strict infrastructure-as-code

app-template:
  configMode: merge  # or "overwrite"

Important: ArgoCD with Merge Mode

If using ArgoCD with configMode: merge, prevent ArgoCD from overwriting runtime changes:

# ArgoCD Application manifest
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openclaw
spec:
  ignoreDifferences:
    - group: ""
      kind: ConfigMap
      name: openclaw
      jsonPointers:
        - /data

Gateway Configuration

{
  "gateway": {
    "port": 18789,
    "mode": "local",
    // IMPORTANT: trustedProxies uses exact IP matching only
    // - CIDR notation is NOT supported
    // - List each proxy IP individually
    "trustedProxies": ["10.250.199.254"]
  }
}

trustedProxies Explained

The trustedProxies setting controls which IPs are trusted for forwarding client connection information. This affects:

Rate limiting
Access control
IP-based routing

Common values for Cloudeka:

Ingress controller IP: 10.250.199.254
Gateway system IPs: Add each individually, no CIDR

Browser Configuration (Chromium Sidecar)

The Chromium sidecar enables browser automation via CDP (Chrome DevTools Protocol):

{
  "browser": {
    "enabled": true,
    "defaultProfile": "default",
    "profiles": {
      "default": {
        "cdpUrl": "http://localhost:9222",
        "color": "#4285F4"
      }
    }
  }
}

To disable browser automation, set "enabled": false and disable the sidecar in values.yaml:

app-template:
  controllers:
    main:
      containers:
        chromium:
          enabled: false

Agent Configuration

Single Agent (Default)

{
  "agents": {
    "defaults": {
      "workspace": "/home/node/.openclaw/workspace",
      "model": {
        "primary": "dekallm/zai/glm-4.7-fp8"
      },
      "userTimezone": "UTC",
      "timeoutSeconds": 600,
      "maxConcurrent": 1
    },
    "list": [
      {
        "id": "main",
        "default": true,
        "identity": {
          "name": "OpenClaw",
          "emoji": "🦞"
        }
      }
    ]
  }
}

Multi-Agent Configuration

For multiple agents with different personalities and permissions:

{
  "agents": {
    "list": [
      {
        "id": "main",
        "default": true,
        "workspace": "/home/node/.openclaw/workspace-main",
        "identity": { "name": "OpenClaw Main", "emoji": "🦞" }
      },
      {
        "id": "aira",
        "workspace": "/home/node/.openclaw/workspace-aira",
        "agentDir": "/home/node/.openclaw/agents/aira/agent",
        "identity": { "name": "Aira", "emoji": "🤖" },
        "model": { "primary": "dekallm/zai/glm-4.7-fp8" },
        "tools": {
          "allow": ["exec", "read", "write", "edit"],
          "deny": ["browser"]
        }
      }
    ]
  }
}

See Multi-Agent Guide for complete setup.

Model Providers

Cloudeka DEKALLM (Default)

{
  "models": {
    "mode": "merge",
    "providers": {
      "dekallm": {
        "baseUrl": "https://dekallm.cloudeka.ai/v1",
        "apiKey": "${DEKALLM_API_KEY}",
        "api": "openai-completions",
        "models": [
          { "id": "zai/glm-4.7-fp8", "name": "GLM 4.7" }
        ]
      }
    }
  }
}

Adding Anthropic (Optional)

{
  "models": {
    "providers": {
      "anthropic": {
        "baseUrl": "https://api.anthropic.com/v1",
        "apiKey": "${ANTHROPIC_API_KEY}",
        "api": "openai-completions",
        "models": [
          { "id": "claude-opus-4-6", "name": "Claude Opus 4.6" },
          { "id": "claude-sonnet-4-5", "name": "Claude Sonnet 4.5" }
        ]
      }
    }
  }
}

Add ANTHROPIC_API_KEY to your secrets.

Session Management

{
  "session": {
    "scope": "per-sender",        // or "global" for shared sessions
    "store": "/home/node/.openclaw/sessions",
    "reset": {
      "mode": "idle",             // or "manual", "never"
      "idleMinutes": 60           // Reset after 60min of inactivity
    }
  }
}

Session Scopes

Scope

Behavior

per-sender

Each user gets their own isolated session history

global

All users share one conversation (not recommended for multi-user)

Channel Configuration

Only enable channels you have configured. If a channel is enabled but its environment variable (token) is not set, OpenClaw will fail to start. Comment out any channels you are not using.

{
  "channels": {
    "telegram": {
      "botToken": "${TELEGRAM_BOT_TOKEN}",
      "enabled": true
    }
  }
}

Telegram Pairing Required:

After enabling Telegram, you must pair the bot with OpenClaw:

Start a conversation with your Telegram bot
Send /start or any message to get a pairing code
Approve the pairing from within the pod:

kubectl exec -n openclaw deployment/openclaw -c main -- \
  node dist/index.js pairing approve telegram <PAIRING_CODE>

Setup Steps:

Create a Telegram bot via @BotFather
Add TELEGRAM_BOT_TOKEN to your secrets
Deploy OpenClaw
Get pairing code from Telegram and approve it

Slack

{
  "channels": {
    "slack": {
      "botToken": "${SLACK_BOT_TOKEN}",
      "appToken": "${SLACK_APP_TOKEN}",
      "enabled": true,
      "replyToMode": "all",       // or "replies" only
      "channels": {
        "C0AEWJDTED6": {
          "allow": true,
          "requireMention": false  // Set true for @mention only
        }
      }
    }
  }
}

Only enable Slack if you have configured the tokens. Delete/uncomment the entire slack block if using Telegram only.

Setting up Slack

Create a Slack App: https://api.slack.com/apps
Enable Socket Mode
Add OAuth Scopes: chat:write, channels:history, groups:history, im:history, mpim:history
Add SLACK_BOT_TOKEN and SLACK_APP_TOKEN to secrets
Install app to your workspace

Discord

{
  "channels": {
    "discord": {
      "token": "${DISCORD_BOT_TOKEN}",
      "enabled": true
    }
  }
}

Setting up Discord

Create application: https://discord.com/developers/applications
Create bot user
Enable Privileged Intents: Server Members Intent, Message Content Intent
Add bot token to secrets
Invite bot with applications.commands and bot scopes

Example: Using Only Telegram

If you only want Telegram (not Slack), comment out the Slack section:

{
  "channels": {
    "telegram": {
      "botToken": "${TELEGRAM_BOT_TOKEN}",
      "enabled": true
    }
    // "slack": {
    //   "botToken": "${SLACK_BOT_TOKEN}",
    //   "appToken": "${SLACK_APP_TOKEN}",
    //   "enabled": true
    // }
  }
}

Logging Configuration

{
  "logging": {
    "level": "info",              // debug, info, warn, error
    "consoleLevel": "info",
    "consoleStyle": "compact",    // or "pretty"
    "redactSensitive": "tools"    // Redact sensitive data in tool outputs
  }
}

Tools Configuration

{
  "tools": {
    "profile": "full",            // or "minimal"
    "web": {
      "search": {
        "enabled": false          // Web search (requires API key)
      },
      "fetch": {
        "enabled": true           // HTTP fetch
      }
    }
  }
}

Tool Profiles

Profile

Available Tools

full

All tools enabled (exec, read, write, edit, browser, etc.)

minimal

Read-only tools, no execution or modification

Hooks Configuration

Enable webhooks for external integrations:

{
  "hooks": {
    "enabled": true,
    "token": "${OPENCLAW_HOOKS_TOKEN}"
  }
}

Example webhook call:

curl -X POST http://openclaw:18789/hooks/myhook \
  -H "Authorization: Bearer ${OPENCLAW_HOOKS_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"key": "value"}'

Network Policy (Optional)

Enable network policy to restrict OpenClaw's network access:

app-template:
  networkpolicies:
    main:
      enabled: true

Default policy allows:

Ingress from gateway-system namespace
DNS (kube-dns)
Egress to public internet (blocks private RFC1918 ranges)

Resource Limits

Adjust based on your workload:

app-template:
  controllers:
    main:
      containers:
        main:
          resources:
            requests:
              cpu: 200m
              memory: 512Mi
            limits:
              cpu: 2000m
              memory: 2Gi

Environment Variables

Additional environment variables can be added:

app-template:
  controllers:
    main:
      containers:
        main:
          env:
            CUSTOM_VAR: "value"
            NODE_ENV: "production"

Optional Persistence (Comment Out When Not Used)

Some persistence entries in values.yaml are commented out by default. Leave them commented unless you have created the required secrets/configmaps, otherwise OpenClaw will fail to start.

Kubeconfig (for kubectl access)

# Uncomment ONLY after creating the secret:
# kubectl create secret generic openclaw-kubeconfig \
#   --from-file=config=/path/to/kubeconfig \
#   -n openclaw

app-template:
  persistence:
    kubeconfig:
      enabled: true
      type: secret
      name: openclaw-kubeconfig
      advancedMounts:
        main:
          main:
            - path: /home/node/.kube/config
              subPath: config
              readOnly: true

Custom Skills

# Uncomment ONLY after creating the skill ConfigMap:
# kubectl create configmap my-skill \
#   --from-file=SKILL.md=./skills/my-skill/SKILL.md \
#   -n openclaw

app-template:
  persistence:
    my-skill:
      enabled: true
      type: configMap
      name: my-skill
      advancedMounts:
        main:
          main:
            - path: /home/node/.openclaw/workspace/skills/my-skill/SKILL.md
              subPath: SKILL.md
              readOnly: true

MCP Server Config

# Uncomment ONLY after creating the MCP config:
# kubectl create configmap my-mcporter-config \
#   --from-file=mcporter.json=./mcporter.json \
#   -n openclaw

app-template:
  persistence:
    my-mcporter-config:
      enabled: true
      type: configMap
      name: my-mcporter-config
      advancedMounts:
        main:
          main:
            - path: /home/node/.openclaw/workspace/config/mcporter.json
              subPath: mcporter.json
              readOnly: true

Always create the secret/ConfigMap before uncommenting the persistence entry, or the pod will fail with "mount failed" errors.

PreviousInstallation NextSkills

Last updated 15 hours ago

hashtagConfiguration Overview

hashtagConfig Mode: Merge vs Overwrite

hashtagImportant: ArgoCD with Merge Mode

hashtagGateway Configuration

hashtagtrustedProxies Explained

hashtagBrowser Configuration (Chromium Sidecar)

hashtagAgent Configuration

hashtagSingle Agent (Default)

hashtagMulti-Agent Configuration

hashtagModel Providers

hashtagCloudeka DEKALLM (Default)

hashtagAdding Anthropic (Optional)

hashtagSession Management

hashtagSession Scopes

hashtagChannel Configuration

hashtagTelegram

hashtagSlack

hashtagSetting up Slack

hashtagDiscord

hashtagSetting up Discord

hashtagExample: Using Only Telegram

hashtagLogging Configuration

hashtagTools Configuration

hashtagTool Profiles

hashtagHooks Configuration

hashtagNetwork Policy (Optional)

hashtagResource Limits

hashtagEnvironment Variables

hashtagOptional Persistence (Comment Out When Not Used)

hashtagKubeconfig (for kubectl access)

hashtagCustom Skills

hashtagMCP Server Config

Configuration Overview

Config Mode: Merge vs Overwrite

Important: ArgoCD with Merge Mode

Gateway Configuration

trustedProxies Explained

Browser Configuration (Chromium Sidecar)

Agent Configuration

Single Agent (Default)

Multi-Agent Configuration

Model Providers

Cloudeka DEKALLM (Default)

Adding Anthropic (Optional)

Session Management

Session Scopes

Channel Configuration

Telegram

Slack

Setting up Slack

Discord

Setting up Discord

Example: Using Only Telegram

Logging Configuration

Tools Configuration

Tool Profiles

Hooks Configuration

Network Policy (Optional)

Resource Limits

Environment Variables

Optional Persistence (Comment Out When Not Used)

Kubeconfig (for kubectl access)

Custom Skills

MCP Server Config