A slim Helm chart for OpenClaw designed without Chromium browser integration. This chart focuses on minimal resource usage while maintaining full OpenClaw functionality for text-based interactions.
There are two ways to install this chart.
Pull directly from GitHub Container Registry without any repo setup:
helm install openclaw oci://ghcr.io/thepagent/openclaw-helm \
-n openclaw --create-namespaceInstall a specific version:
helm install openclaw oci://ghcr.io/thepagent/openclaw-helm \
--version 1.3.11 \
-n openclaw --create-namespaceUpgrade to a newer version:
helm upgrade openclaw oci://ghcr.io/thepagent/openclaw-helm -n openclawAdd the Helm repository and install from there:
helm repo add openclaw https://thepagent.github.io/openclaw-helm
helm repo update
# Install latest
helm install openclaw openclaw/openclaw-helm -n openclaw --create-namespace
# Install a specific version
helm install openclaw openclaw/openclaw-helm --version 1.3.11 -n openclaw --create-namespaceBrowse available versions:
helm search repo openclaw --versionsThe --create-namespace flag will create the openclaw namespace if it doesn't exist.
Run the built-in connectivity test to verify the gateway is responding:
helm test openclaw -n openclawThis validates that the OpenClaw gateway is accessible on localhost within the pod.
This chart is designed with three core principles:
-
Minimal Resource Footprint - Optimized to run on small cloud instances (2 vCPU, 2GB RAM). Tested on Zeabur and similar constrained environments.
-
Decoupled Browser Architecture - We exclude the Chromium sidecar container. Browser capabilities should be decoupled from the gateway. For browser automation, we recommend using Vercel agent-browser with Amazon Bedrock AgentCore Browser.
-
Security by Design - The gateway binds to loopback (127.0.0.1) even in Kubernetes environments. This ensures the gateway is only accessible through Kubernetes Service boundaries, not directly exposed on all network interfaces.
After installing the chart, run the OpenClaw onboarding wizard to configure your AI provider:
sudo kubectl exec -it deployment/openclaw-openclaw-helm -n openclaw -c main -- openclaw onboardThis interactive wizard will guide you through:
- Security acknowledgment
- AI provider selection (OpenAI, Anthropic, etc.)
- Authentication setup (OAuth or API keys)
- Optional: Channel configuration (WhatsApp, Telegram, Slack, Discord, etc.)
- Optional: Skills installation
Your configuration will be stored in the pod's persistent volume.
To configure channels after onboarding:
# Enter the container
sudo kubectl exec -it deployment/openclaw-openclaw-helm -n openclaw -c main -- openclaw configure --section channels
# Approve a pairing request
sudo kubectl exec -it deployment/openclaw-openclaw-helm -n openclaw -c main -- openclaw pairing approve telegram *******If you prefer to skip the wizard and use API keys directly:
sudo kubectl create secret generic openclaw-api-key \
--from-literal=OPENAI_API_KEY=sk-...Update your values.yaml:
envFrom:
- secretRef:
name: openclaw-api-keyUpgrade the release:
helm upgrade openclaw oci://ghcr.io/thepagent/openclaw-helm -f values.yamlPOD=$(sudo kubectl get pod -n openclaw -l app.kubernetes.io/name=openclaw-helm -o jsonpath='{.items[0].metadata.name}')
sudo kubectl exec -n openclaw $POD -- openclaw models statusHost (k3s node)
┌─────────────────────────────────────────────────────────────────┐
│ │
│ ┌─────────────────┐ ln -sf ┌──────────────────────────┐ │
│ │ ~/.openclaw │ ──────────▶│ /var/lib/rancher/k3s/ │ │
│ │ (symlink) │ │ storage/pvc-xxx/ │ │
│ └─────────────────┘ └────────────┬─────────────┘ │
│ │ (physical dir) │
└──────────────────────────────────────────────┼─────────────────┘
│ mounted via PVC
│
┌────────────────────▼─────────────────┐
│ Pod │
│ ┌─────────────────────────────────┐ │
│ │ /home/node/.openclaw │ │
│ │ (PVC mount) │ │
│ └─────────────────────────────────┘ │
│ ┌─────────────────────────────────┐ │
│ │ openclaw gateway │ │
│ └─────────────────────────────────┘ │
└───────────────────────────────────────┘
host ~/.openclaw ══════════════ pod /home/node/.openclaw
(same physical directory, both R/W)
If you are running on a single-node setup (e.g. k3s with local-path StorageClass), you can symlink your host ~/.openclaw to the PVC data directory so the pod and host share the same config, sessions, and skills.
# Find the PVC's actual host path
PV_PATH=$(kubectl get pv \
$(kubectl get pvc openclaw-openclaw-helm -n openclaw -o jsonpath='{.spec.volumeName}') \
-o jsonpath='{.spec.hostPath.path}')
echo "PVC is at: $PV_PATH"
# Symlink ~/.openclaw on the host to the PVC path
ln -sf "$PV_PATH" ~/.openclawNote: This works only with local StorageClasses (e.g. k3s
local-path) where the PV has a real host path. It does not apply to NFS, EBS, or other remote storage backends.
Before upgrading or making changes, backup your OpenClaw configuration:
POD=$(sudo kubectl get pod -n openclaw -l app.kubernetes.io/name=openclaw-helm -o jsonpath='{.items[0].metadata.name}')
sudo kubectl cp openclaw/$POD:/home/node/.openclaw ~/openclaw-backup-$(date +%Y%m%d-%H%M%S)This backs up all configuration, credentials, and channel settings to your host machine.
Note: This Helm chart will NOT override openclaw.json if it already exists in the PVC, but it's always best practice to backup before upgrading.
To restore a backup:
POD=$(sudo kubectl get pod -n openclaw -l app.kubernetes.io/name=openclaw-helm -o jsonpath='{.items[0].metadata.name}')
sudo kubectl cp ~/openclaw-backup-YYYYMMDD-HHMMSS/. openclaw/$POD:/home/node/.openclaw/
sudo kubectl rollout restart deployment/openclaw-openclaw-helm -n openclawTo upgrade to the latest version:
helm upgrade openclaw oci://ghcr.io/thepagent/openclaw-helm -n openclawFor k3s users: You need to specify the kubeconfig path:
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
sudo -E helm upgrade openclaw oci://ghcr.io/thepagent/openclaw-helm -n openclawThe -E flag preserves the KUBECONFIG environment variable when running with sudo.
helm uninstall openclawTo customize your own backup or auto-upgrade strategy, read:
- docs/backup.md — backup concept, workflow, and restore steps
- docs/auto_upgrade.md — automated version checking and upgrade workflow
Share these docs with your AI agent and ask it to implement the scripts for your environment.
Use standard Kubernetes scheduling fields to control where the OpenClaw pod runs:
All three fields — nodeSelector, tolerations, and affinity — are independent. You can use any of them individually or combine them as needed.
nodeSelector:
disktype: ssd
tolerations:
- key: "dedicated"
operator: "Equal"
value: "openclaw"
effect: "NoSchedule"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/zone
operator: In
values:
- us-east-1aAdd the fields you need to your values.yaml and apply during install or upgrade:
helm upgrade openclaw oci://ghcr.io/thepagent/openclaw-helm -n openclaw -f values.yamlskills:
- weather
- gog
- your-skill-name