TopHatCroat/barka

Barka

My personal k3s cluster setup.

Structure

  • ./dev/ local development
  • ./charts/ in-repo Helm charts
  • ./tools/ cluster tools (non-Helm manifests)
  • ./apps/ apps running in the cluster

Task Naming

  • kube:*: cluster-agnostic operations using plain kubectl/helm against the selected mise environment (KUBECONFIG)
  • local:*: local-only lifecycle tasks (k3s-in-Docker)
  • prod:*: prod wrappers around kube:* tasks with guardrails (e.g. confirm)

Within kube:*:

  • kube:operators:*: install/uninstall/diff cluster operators (Headlamp, OpenClaw operator, Infisical operator)
  • kube:secrets:*: prod-only secret sync resources (InfisicalSecret)

kube:tools:* is a convenience wrapper:

  • kube:tools:apply runs kube:operators:apply then kube:secrets:apply
  • kube:tools:diff runs kube:operators:diff then kube:secrets:diff
  • kube:tools:delete runs kube:secrets:delete then kube:operators:delete

Local Development

  1. Have mise installed
  2. mise trust to allow mise to use the mise.toml
  3. mise install
  4. Create .env.local (used by mise -E local tasks):
KUBECONFIG=dev/k3s/kubeconfig/kubeconfig.yaml
OPENCLAW_OWNER_PHONE=+15551234567
OPENCLAW_GATEWAY_TOKEN=REPLACE_ME

Tip: start from .env.local.example.

  5. mise -E local run local:up

Prod uses mise.prod.toml (loads .env.prod). Set KUBECONFIG in .env.prod (recommended: point at a kubeconfig outside this repo, e.g. ~/kubeconfigs/barka.yaml).

Prod (tools install via Helm; Infisical via Universal Auth):

  • Put KUBECONFIG, INFISICAL_CLIENT_ID, and INFISICAL_CLIENT_SECRET in .env.prod (recommended) or export them in your shell.
mise -E prod run prod:tools:apply

Prod secrets are synced from Infisical by an InfisicalSecret resource rendered from charts/openclaw/templates/infisical.yaml.

Local k3s (Docker Desktop, single-node)

  • Requirements: Docker Desktop running
  • Compose file: dev/k3s/docker-compose.yml

Start the cluster:

mise -E local run local:up

Use kubectl (plain kubectl, kubeconfig generated by k3s):

export KUBECONFIG=dev/k3s/kubeconfig/kubeconfig.yaml
kubectl get nodes

Or via mise:

mise -E local run kube:kubectl -- get pods -A

Note: local:up installs tools by running kube:tools:apply (Helm-based) using the selected KUBECONFIG.

Endpoints:

Stop the cluster:

mise -E local run local:down

Reset (deletes the cluster data volume, regenerates certs, etc.):

mise -E local run local:reset

Headlamp UI

Headlamp is installed by mise -E local run local:up from charts/headlamp/.

URL: http://headlamp.localhost:8080/

Prod: Headlamp has no Ingress; use port-forward:

mise -E prod run kube:headlamp:port-forward

Login token (creates a short-lived token):

mise -E <env> run kube:headlamp:token

To uninstall tools:

mise -E <env> run kube:tools:delete

OpenClaw

The OpenClaw operator is installed by kube:tools:apply, and the instance is managed by the in-repo Helm chart at charts/openclaw/ via kube:apps:apply.

OpenClaw autoupdate (pod): enable the operator's OCI polling by setting instance.autoUpdate.enabled=true in charts/openclaw/values.yaml.

Local secrets: set OPENCLAW_GATEWAY_TOKEN in .env.local (required). OPENCLAW_OWNER_PHONE and OPENAI_API_KEY are optional.

Web search (optional): set PERPLEXITY_API_KEY (or OPENROUTER_API_KEY) in .env.local.

Web fetch fallback (optional): set FIRECRAWL_API_KEY.

Then run:

mise -E local run local:openclaw:secrets:apply
mise -E local run kube:apps:apply

Production secrets: Infisical syncs into secret/openclaw-secrets in the openclaw namespace (must include OPENCLAW_GATEWAY_TOKEN).

Port-forward the instance service:

mise -E local run kube:openclaw:port-forward

Local Ingress:

Browser automation:

  • Local enables the Chromium sidecar (see charts/openclaw/values-local.yaml).

GitHub CLI (gh) in the OpenClaw pod

The OpenClaw Helm chart installs the GitHub CLI (gh) into the instance's persistent volume via an init container (init-deps). The binary ends up at /home/openclaw/.openclaw/.local/bin/gh and is already on PATH.

SSH key material is expected to come from secret/openclaw-secrets (prod: synced from Infisical; local: created by local:openclaw:secrets:apply). The init container writes it into /home/openclaw/.openclaw/.ssh/.

Required secret keys (Infisical or local env):

  • SSH_PRIVATE_KEY: an ed25519 (or RSA) private key PEM
  • SSH_KNOWN_HOSTS: known_hosts entries for the git hosts you will access

Tip: generate known_hosts content locally with (replace the hostname as needed):

ssh-keyscan -t ed25519 <git-host>

Login guidance (inside the pod):

mise -E <env> run kube:kubectl -- -n openclaw exec -it openclaw-0 -- sh
gh --version
gh auth login
gh auth status

Note: SSH keys are for git@github.com:... operations; gh API access still needs a token. For a non-interactive setup, store a token as GH_TOKEN in Infisical (or export it in .env.local); gh will pick it up automatically without running gh auth login.

gh stores the auth token on disk in hosts.yml. In this cluster the config directory is set to GH_CONFIG_DIR=/home/openclaw/.openclaw/.config/gh, so the file is:

  • /home/openclaw/.openclaw/.config/gh/hosts.yml

If GITHUB_PAT_KEY is present in secret/openclaw-secrets, the init container will write hosts.yml automatically.

The file is written in the same shape as gh expects (including the users.<name>.oauth_token entry). The username defaults to AntonioClawbot and can be changed via instance.depsInit.gh.user.
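
Because hosts.yml holds a long-lived token in plain text, the way it is written and its file mode matter. The following is an added sketch, not the chart's init-deps script: it renders the file in the shape described above with owner-only permissions and then audits the result. The helper names write_gh_hosts and audit_gh_hosts, the git_protocol: ssh line and the character checks are assumptions.

```shell
#!/bin/sh
# Added example, not the chart's init-deps script. write_gh_hosts and
# audit_gh_hosts are hypothetical helper names.

# write_gh_hosts DIR USER: render DIR/hosts.yml from $GITHUB_PAT_KEY.
write_gh_hosts() {
  dir=$1 user=$2
  [ -n "${GITHUB_PAT_KEY:-}" ] || { echo "GITHUB_PAT_KEY is empty" >&2; return 1; }
  # Both values are interpolated into YAML, so reject anything outside the
  # expected alphabets (assumed: GitHub usernames and token characters).
  case $user in ''|*[!A-Za-z0-9-]*) echo "invalid user" >&2; return 1 ;; esac
  case $GITHUB_PAT_KEY in *[!A-Za-z0-9_]*) echo "invalid token" >&2; return 1 ;; esac
  (
    umask 077                                  # new files/dirs are owner-only
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    tmp=$dir/.hosts.yml.$$
    # printf is a shell builtin, so the token never shows up in a process argv.
    # git_protocol: ssh is an assumption that matches the SSH key setup above.
    printf '%s\n' \
      'github.com:' \
      '    users:' \
      "        $user:" \
      "            oauth_token: $GITHUB_PAT_KEY" \
      '    git_protocol: ssh' \
      "    oauth_token: $GITHUB_PAT_KEY" \
      "    user: $user" > "$tmp" || exit 1
    mv -f "$tmp" "$dir/hosts.yml"              # atomic replace, no partial file
  )
}

# audit_gh_hosts DIR: succeed only if hosts.yml is a regular file, not a
# symlink, and readable by its owner alone (mode 600).
audit_gh_hosts() {
  f=$1/hosts.yml
  [ -f "$f" ] && [ ! -L "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  [ "$mode" = 600 ]
}

# Usage inside the pod (path from this README):
#   write_gh_hosts /home/openclaw/.openclaw/.config/gh AntonioClawbot
#   audit_gh_hosts /home/openclaw/.openclaw/.config/gh || echo "fix hosts.yml permissions" >&2
```

Running audit_gh_hosts after any manual gh auth login is a quick way to confirm the token file on the persistent volume has not become group- or world-readable.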

If CLAW_EMAIL is present in secret/openclaw-secrets, the init container configures git identity:

  • user.name is set to instance.depsInit.gh.user
  • user.email is set to CLAW_EMAIL

gogcli in the OpenClaw pod

The OpenClaw Helm chart installs gogcli into the instance's persistent volume via the same init container (init-deps). The binary ends up at /home/openclaw/.openclaw/.local/bin/gog and is already on PATH.

Verify inside the pod:

mise -E <env> run kube:kubectl -- -n openclaw exec -it openclaw-0 -- sh
gog --version
