openclaw: regenerate kubeconfig at pod start using projected SA tokenFile

The previously-baked kubeconfig at /home/node/.openclaw/kubeconfig retained a service-account token bound to the original (long-dead) pod, so kubectl calls from inside the openclaw container failed with "the server has asked for the client to provide credentials" even though the openclaw SA has cluster-admin and kubelet projects a fresh token at /var/run/secrets/kubernetes.io/serviceaccount/token. Add init-container "setup-kubeconfig" that writes a kubeconfig with tokenFile + certificate-authority paths pointing at the projected SA volume — kubelet auto-rotates the token, kubectl always reads fresh creds, no Vault K8s-creds-engine refresh needed. Verified end-to-end: agent ran `kubectl get nodes -o wide` inside the pod and delivered a correct one-line summary to Telegram via openai-codex/gpt-5.4-mini.
2026-05-08 08:07:38 +00:00 · 2026-05-08 08:07:38 +00:00 · badc341669
commit badc341669
parent 8b0b4e5148
1 changed files with 38 additions and 0 deletions
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@ -399,6 +399,44 @@ resource "kubernetes_deployment" "openclaw" {
          }
        }

+        # Init 1b: regenerate kubeconfig pointing at the projected SA tokenFile
+        # so kubectl always reads the fresh, kubelet-rotated token. Without
+        # this the previously-baked kubeconfig retains a SA token bound to a
+        # long-dead pod and kubectl returns "must be logged in to the server".
+        init_container {
+          name    = "setup-kubeconfig"
+          image   = "busybox:1.37"
+          command = ["sh", "-c", <<-EOT
+            cat > /home/node/.openclaw/kubeconfig <<'KUBECONFIG_EOF'
+            apiVersion: v1
+            kind: Config
+            clusters:
+            - cluster:
+                certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+                server: https://kubernetes.default.svc
+              name: in-cluster
+            contexts:
+            - context:
+                cluster: in-cluster
+                user: openclaw
+                namespace: openclaw
+              name: in-cluster
+            current-context: in-cluster
+            users:
+            - name: openclaw
+              user:
+                tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+            KUBECONFIG_EOF
+            chown 1000:1000 /home/node/.openclaw/kubeconfig
+            chmod 0644 /home/node/.openclaw/kubeconfig
+          EOT
+          ]
+          volume_mount {
+            name       = "openclaw-home"
+            mount_path = "/home/node/.openclaw"
+          }
+        }
+
        # Init 2 removed: install-dotfiles init container was cloning dotfiles
        # repo via git on every pod start, causing 200+ small NFS writes.
        # Dotfiles already exist on NFS at /home/node/.openclaw/dotfiles from