원클릭으로 Manus에서 모든 스킬 실행

gitops-deploy

스타0

포크0

업데이트2026년 2월 20일 04:02

End-to-end deployment workflow — commit, CI, Flux reconcile, pod restart, verify. Includes ConfigMap changes, Flux postBuild escaping, and SOPS secret management. Use when: You need to deploy changes to the OpenClaw pod — config updates, workspace changes, image rebuilds, or secret rotations. Also use when someone asks "how do I deploy this?" or "push this change live." Don't use when: You're debugging why a deployment failed (use flux-debugging or pod-troubleshooting). Don't use for changes to kubernetes-manifests repo (Dyson's pr-workflow handles that). Don't use for registry/image inspection (use zot-registry). Outputs: Deployed changes verified in the running pod. Confirmation includes CI status, Flux reconciliation state, pod status, and startup logs.

설치

Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.

Manus에서 실행

출처

rajsinghtech

rajsinghtech/openclaw-workspace

GitHub 저장소 열기 Creator 저장소 보기

다운로드

Manus에서 실행

GitOps Deploy

Routing

Note: This skill has disable-model-invocation: true — it won't be auto-invoked by the model. Reference it manually when needed.

Use This Skill When

Deploying config changes to the OpenClaw pod
Pushing workspace file updates that need to go live
Rebuilding and deploying the OpenClaw or workspace Docker image
Rotating or adding secrets via SOPS
Someone asks "deploy this" or "make this change live"
You just merged a PR and need to roll it out

Don't Use This Skill When

Flux kustomization is failing to reconcile → use flux-debugging
Pod is crashing after deployment → use pod-troubleshooting
CI build failed → use ci-diagnosis (morty)
You're inspecting images in the registry → use zot-registry
You're making changes to kubernetes-manifests repo → use pr-workflow (dyson)
You're only editing workspace docs with no need to deploy → just commit and push

Full Deployment Flow

git commit → git push → CI builds images → Flux reconciles → pod restarts

1. Push Changes

Commit and push to main. Two CI pipelines may trigger depending on what changed:

build-openclaw.yaml — Dockerfile.openclaw or workflow changes
build-workspace.yaml — workspace/** or Dockerfile.workspace changes

2. Monitor CI

# List recent workflow runs
gh run list --repo rajsinghtech/openclaw-workspace --limit 5

# Watch a specific run
gh run watch <run-id> --repo rajsinghtech/openclaw-workspace

# Check if the run succeeded
gh run view <run-id> --repo rajsinghtech/openclaw-workspace

3. Reconcile Flux

After CI completes and images are pushed, tell Flux to pick up the new git state:

# Reconcile source + kustomization in one shot
flux reconcile kustomization openclaw-workspace --with-source

# Wait for it
flux get kustomization openclaw-workspace

4. Force Image Pull

The deployment uses :latest tags. Kubernetes won't re-pull unless the pod restarts:

kubectl rollout restart deployment openclaw -n openclaw
kubectl rollout status deployment openclaw -n openclaw  # Wait for this to complete!

⚠️ Wait for rollout status to report success before checking logs. The new pod needs 10-30s to start. Checking too early shows the old pod's logs.

5. Verify

kubectl get pods -n openclaw -o wide
kubectl logs -l app.kubernetes.io/name=openclaw -n openclaw -c openclaw --tail=20

ConfigMap Changes

Config lives in kustomization/openclaw.json, delivered via kustomize configMapGenerator.

Key rules:

Generator uses disableNameSuffixHash: true — the ConfigMap name is always openclaw-config
Init container copies config from ConfigMap to emptyDir (writable)
Config changes require a pod restart to take effect (init container runs on startup)

Flux PostBuild Escaping

Flux performs ${VAR} substitution on all manifests. If your config contains literal ${VAR} references (for OpenClaw's own env var substitution), you must escape them:

Config value:      ${MY_SECRET}
In the file:       $${MY_SECRET}
After Flux sub:    ${MY_SECRET}   ← OpenClaw resolves this at runtime

Double-dollar $${} tells Flux to emit a literal ${} without substituting.

Common mistake: Forgetting to escape after editing openclaw.json. Always grep:

# These should NOT exist (Flux will eat them):
grep -n '${' kustomization/openclaw.json | grep -v '$${' 
# ^ If non-empty, you have unescaped vars that Flux will substitute incorrectly

SOPS Secret Management

Secrets are encrypted with SOPS using PGP key FAC8E7C3A2BC7DEE58A01C5928E1AB8AF0CF07A5.

# Decrypt and view
sops -d kustomization/secret.sops.yaml

# Edit (opens in $EDITOR, re-encrypts on save)
sops kustomization/secret.sops.yaml

# Set a single value
sops --set '["stringData"]["NEW_KEY"] "value"' kustomization/secret.sops.yaml

# Verify the change
sops -d kustomization/secret.sops.yaml | yq '.stringData.NEW_KEY'

After modifying secrets:

Commit and push the encrypted file
Flux decrypts during reconciliation using its SOPS provider
Restart the pod if the secret is consumed via envFrom

Security Notes

Never commit unencrypted secrets — always use SOPS
Never docker push to the registry — only skopeo copy docker-archive:
Verify $${VAR} escaping before pushing config changes
Review SOPS diffs carefully — sops -d both old and new to compare plaintext

Quick Deploy Checklist

☐ Make changes to config/manifests/workspace
☐ Validate: jq . openclaw.json, kustomize build kustomization/
☐ Check escaping: grep -n '${' openclaw.json | grep -v '$${' → should be empty
☐ git add && git commit && git push
☐ Wait for CI (if image changes): gh run watch
☐ flux reconcile kustomization openclaw-workspace --with-source
☐ kubectl rollout restart deployment openclaw -n openclaw (if images changed)
☐ kubectl get pods -n openclaw — verify Running
☐ kubectl logs ... -c openclaw --tail=20 — verify startup

Artifact Handoff

Write deployment verification results to /tmp/outputs/deploy-verification.md for complex deployments that need audit trails.

이 저장소의 다른 Skills

같은 저장소

code-review

rajsinghtech/openclaw-workspace

Structured PR review — security scan, correctness, consistency, style. Covers diff analysis, comment posting via gh, and priority-based finding reports. Use when: A PR needs review, someone asks for code feedback, or changes need security/correctness validation before merge. Also use for pre-commit review of your own changes. Don't use when: The issue is a runtime pod failure (use pod-troubleshooting), a Flux reconciliation error (use flux-debugging), or a CI build failure (use ci-diagnosis). Don't use for architecture-level design discussions (use architecture-design instead). Outputs: Review comment posted on the PR via `gh pr review`, or a structured findings report grouped by severity (Critical/High/Medium/Low).

2026-02-200

openspec-workflow

rajsinghtech/openclaw-workspace

Spec-driven development workflow — proposals, requirements, design docs, task breakdowns, and implementation using the OpenSpec framework. Use when: Starting a new feature or change that needs planning, someone says "I want to build X", creating proposals or specs, breaking down requirements into tasks, or transitioning from planning to implementation. Don't use when: Debugging or troubleshooting (use appropriate troubleshooting skill). Don't use for Kubernetes manifest changes (use pr-workflow). Don't use for reviewing existing code (use code-review). Outputs: OpenSpec change folder with proposal.md, specs/, design.md, and tasks.md. Implementation follows directly from tasks.md.

2026-02-200

session-review

rajsinghtech/openclaw-workspace

Analyze agent sessions for tool failures, retry patterns, knowledge gaps, context limits, and config drift. Use when: Running periodic session reviews (cron), investigating agent reliability issues, looking for recurring failure patterns, or identifying workspace improvements from real usage. This is the primary skill for Robert's review cron job. Don't use when: You're making changes to fix issues (use workspace-improvement for that). Don't use for live debugging of a current issue (use the appropriate troubleshooting skill). Don't use for code review of PRs (use code-review). Outputs: Session analysis report with categorized findings (tool failures, retries, knowledge gaps, config drift), severity ratings, and proposed fixes. Written to /tmp/outputs/session-review.md for handoff.

2026-02-200

cluster-context

rajsinghtech/openclaw-workspace

OpenClaw pod architecture, volumes, networking, secrets, and provider configuration reference. Use when: Debugging container, mount, networking, or credential issues. Also use when you need to understand pod structure, check which providers are configured, verify volume mounts, or inspect secrets configuration. Don't use when: Debugging pod crashes (use pod-troubleshooting). Don't use for Flux issues (use flux-debugging). Don't use for deploying changes (use gitops-deploy). This is a reference skill, not a diagnostic workflow. Outputs: Architecture reference information. No artifacts — this skill provides context for other skills to use.

2026-02-200

openclaw-docs-lookup-morty

rajsinghtech/openclaw-workspace

Look up OpenClaw documentation via web_fetch for config validation and verification. Use when: You need to verify a config key, understand OpenClaw configuration options, or check documentation for Kubernetes-specific settings before making changes. Don't use when: The answer is already in CONFIG.md, AGENTS.md, TOOLS.md in your workspace.

2026-02-200

sops-credentials

rajsinghtech/openclaw-workspace

Reference for how secrets flow from SOPS-encrypted files in Git through Flux postBuild substitution into Kubernetes Secrets and Pods. Use when: Debugging why a pod can't read a credential, tracing where a secret value comes from, adding a new secret to the pipeline, or understanding the substitution chain (Git → Flux → Secret → Pod). Don't use when: The pod is crashing for non-credential reasons (use pod-troubleshooting). Don't use for Flux reconciliation failures (use flux-debugging). Don't use for OpenClaw-specific config escaping (use config-audit — that covers the $${VAR} pattern). Don't use for CI/CD pipeline issues (use ci-diagnosis). Outputs: Architecture reference. No artifacts — provides context for debugging credential issues across the kubernetes-manifests repo.

2026-02-130

name	GitOps Deploy
description	End-to-end deployment workflow — commit, CI, Flux reconcile, pod restart, verify. Includes ConfigMap changes, Flux postBuild escaping, and SOPS secret management. Use when: You need to deploy changes to the OpenClaw pod — config updates, workspace changes, image rebuilds, or secret rotations. Also use when someone asks "how do I deploy this?" or "push this change live." Don't use when: You're debugging why a deployment failed (use flux-debugging or pod-troubleshooting). Don't use for changes to kubernetes-manifests repo (Dyson's pr-workflow handles that). Don't use for registry/image inspection (use zot-registry). Outputs: Deployed changes verified in the running pod. Confirmation includes CI status, Flux reconciliation state, pod status, and startup logs.
disable-model-invocation	true
requires	["kubectl","flux","sops"]

GitOps Deploy

Routing

Note: This skill has disable-model-invocation: true — it won't be auto-invoked by the model. Reference it manually when needed.

Use This Skill When

Deploying config changes to the OpenClaw pod
Pushing workspace file updates that need to go live
Rebuilding and deploying the OpenClaw or workspace Docker image
Rotating or adding secrets via SOPS
Someone asks "deploy this" or "make this change live"
You just merged a PR and need to roll it out

Don't Use This Skill When

Flux kustomization is failing to reconcile → use flux-debugging
Pod is crashing after deployment → use pod-troubleshooting
CI build failed → use ci-diagnosis (morty)
You're inspecting images in the registry → use zot-registry
You're making changes to kubernetes-manifests repo → use pr-workflow (dyson)
You're only editing workspace docs with no need to deploy → just commit and push

Full Deployment Flow

git commit → git push → CI builds images → Flux reconciles → pod restarts

1. Push Changes

Commit and push to main. Two CI pipelines may trigger depending on what changed:

build-openclaw.yaml — Dockerfile.openclaw or workflow changes
build-workspace.yaml — workspace/** or Dockerfile.workspace changes

2. Monitor CI

# List recent workflow runs
gh run list --repo rajsinghtech/openclaw-workspace --limit 5

# Watch a specific run
gh run watch <run-id> --repo rajsinghtech/openclaw-workspace

# Check if the run succeeded
gh run view <run-id> --repo rajsinghtech/openclaw-workspace

3. Reconcile Flux

After CI completes and images are pushed, tell Flux to pick up the new git state:

# Reconcile source + kustomization in one shot
flux reconcile kustomization openclaw-workspace --with-source

# Wait for it
flux get kustomization openclaw-workspace

4. Force Image Pull

The deployment uses :latest tags. Kubernetes won't re-pull unless the pod restarts:

kubectl rollout restart deployment openclaw -n openclaw
kubectl rollout status deployment openclaw -n openclaw  # Wait for this to complete!

⚠️ Wait for rollout status to report success before checking logs. The new pod needs 10-30s to start. Checking too early shows the old pod's logs.

5. Verify

kubectl get pods -n openclaw -o wide
kubectl logs -l app.kubernetes.io/name=openclaw -n openclaw -c openclaw --tail=20

ConfigMap Changes

Config lives in kustomization/openclaw.json, delivered via kustomize configMapGenerator.

Key rules:

Generator uses disableNameSuffixHash: true — the ConfigMap name is always openclaw-config
Init container copies config from ConfigMap to emptyDir (writable)
Config changes require a pod restart to take effect (init container runs on startup)

Flux PostBuild Escaping

Flux performs ${VAR} substitution on all manifests. If your config contains literal ${VAR} references (for OpenClaw's own env var substitution), you must escape them:

Config value:      ${MY_SECRET}
In the file:       $${MY_SECRET}
After Flux sub:    ${MY_SECRET}   ← OpenClaw resolves this at runtime

Double-dollar $${} tells Flux to emit a literal ${} without substituting.

Common mistake: Forgetting to escape after editing openclaw.json. Always grep:

# These should NOT exist (Flux will eat them):
grep -n '${' kustomization/openclaw.json | grep -v '$${' 
# ^ If non-empty, you have unescaped vars that Flux will substitute incorrectly

SOPS Secret Management

Secrets are encrypted with SOPS using PGP key FAC8E7C3A2BC7DEE58A01C5928E1AB8AF0CF07A5.

# Decrypt and view
sops -d kustomization/secret.sops.yaml

# Edit (opens in $EDITOR, re-encrypts on save)
sops kustomization/secret.sops.yaml

# Set a single value
sops --set '["stringData"]["NEW_KEY"] "value"' kustomization/secret.sops.yaml

# Verify the change
sops -d kustomization/secret.sops.yaml | yq '.stringData.NEW_KEY'

After modifying secrets:

Commit and push the encrypted file
Flux decrypts during reconciliation using its SOPS provider
Restart the pod if the secret is consumed via envFrom

Security Notes

Never commit unencrypted secrets — always use SOPS
Never docker push to the registry — only skopeo copy docker-archive:
Verify $${VAR} escaping before pushing config changes
Review SOPS diffs carefully — sops -d both old and new to compare plaintext

Quick Deploy Checklist

☐ Make changes to config/manifests/workspace
☐ Validate: jq . openclaw.json, kustomize build kustomization/
☐ Check escaping: grep -n '${' openclaw.json | grep -v '$${' → should be empty
☐ git add && git commit && git push
☐ Wait for CI (if image changes): gh run watch
☐ flux reconcile kustomization openclaw-workspace --with-source
☐ kubectl rollout restart deployment openclaw -n openclaw (if images changed)
☐ kubectl get pods -n openclaw — verify Running
☐ kubectl logs ... -c openclaw --tail=20 — verify startup

Artifact Handoff

Write deployment verification results to /tmp/outputs/deploy-verification.md for complex deployments that need audit trails.