From badc34166997f83fdb61563c0474769a0ea2bbfc Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 8 May 2026 08:07:38 +0000 Subject: [PATCH] openclaw: regenerate kubeconfig at pod start using projected SA tokenFile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previously-baked kubeconfig at /home/node/.openclaw/kubeconfig retained a service-account token bound to the original (long-dead) pod, so kubectl calls from inside the openclaw container failed with "the server has asked for the client to provide credentials" even though the openclaw SA has cluster-admin and kubelet projects a fresh token at /var/run/secrets/kubernetes.io/serviceaccount/token. Add init-container "setup-kubeconfig" that writes a kubeconfig with tokenFile + certificate-authority paths pointing at the projected SA volume — kubelet auto-rotates the token, kubectl always reads fresh creds, no Vault K8s-creds-engine refresh needed. Verified end-to-end: agent ran `kubectl get nodes -o wide` inside the pod and delivered a correct one-line summary to Telegram via openai-codex/gpt-5.4-mini.
---
 stacks/openclaw/main.tf | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf
index 665b86eb..2ecd3b79 100644
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@@ -399,6 +399,44 @@ resource "kubernetes_deployment" "openclaw" {
 }
 }
+ # Init 1b: regenerate kubeconfig pointing at the projected SA tokenFile
+ # so kubectl always reads the fresh, kubelet-rotated token. Without
+ # this the previously-baked kubeconfig retains a SA token bound to a
+ # long-dead pod and kubectl returns "must be logged in to the server".
+ init_container {
+ name = "setup-kubeconfig"
+ image = "busybox:1.37"
+ command = ["sh", "-c", <<-EOT
+ cat > /home/node/.openclaw/kubeconfig <<'KUBECONFIG_EOF'
+ apiVersion: v1
+ kind: Config
+ clusters:
+ - cluster:
+ certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ server: https://kubernetes.default.svc
+ name: in-cluster
+ contexts:
+ - context:
+ cluster: in-cluster
+ user: openclaw
+ namespace: openclaw
+ name: in-cluster
+ current-context: in-cluster
+ users:
+ - name: openclaw
+ user:
+ tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ KUBECONFIG_EOF
+ chown 1000:1000 /home/node/.openclaw/kubeconfig
+ chmod 0644 /home/node/.openclaw/kubeconfig
+ EOT
+ ]
+ volume_mount {
+ name = "openclaw-home"
+ mount_path = "/home/node/.openclaw"
+ }
+ }
+
 # Init 2 removed: install-dotfiles init container was cloning dotfiles
 # repo via git on every pod start, causing 200+ small NFS writes.
 # Dotfiles already exist on NFS at /home/node/.openclaw/dotfiles from
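Review bot: The `sh -c` script in the new `command` block has no `set -e`, so a failed or partial `cat` (for example a short write onto the NFS-backed `openclaw-home` mount) still lets the init container exit 0 with a truncated kubeconfig as long as the trailing `chmod` succeeds; putting `set -eu` as the first line of the `<<-EOT` heredoc makes the pod fail fast instead of starting with broken credentials. The `busybox:1.37` tag is mutable and the container has to run as root for the `chown`, so pinning the image by digest and declaring an explicit `security_context` for this init container are worth considering, given the SA it sets up is cluster-admin per the commit description. Since the generated file now carries only paths and no token, the `0644` mode on the shared home volume is acceptable, but the comment above `init_container` should say so, e.g. `# The file holds no secret material: the token is read from the projected SA volume at run time.` The comment's quoted error `"must be logged in to the server"` also differs from the message quoted in the commit description; aligning them helps whoever greps for the symptom later. The enclosing `kubernetes_deployment` resource starts and ends outside the hunk.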