
Grip your cluster

GitOps-driven Kubernetes platform for deploying OpenClaw

~/pincer-ops
The Workload

What is OpenClaw?

OpenClaw is a personal AI assistant that actually does things. It runs locally on your hardware, connects to 14+ messaging platforms, and extends through a growing Skills ecosystem.

💬

14+ Platforms

WhatsApp, Telegram, Discord, Slack, Signal, iMessage, Teams, and more.

🧠

AI Skills

ClawHub ecosystem with 50+ integrations. Browser automation, voice, Canvas.

🔒

Privacy-First

Self-hosted, local-first. Your data never leaves your infrastructure.

Gateway Runtime

Node.js gateway on port 18789. WebSocket-based, single-instance, PVC-backed.

Pincer Ops gives OpenClaw a production-grade Kubernetes home.
GitOps deployment, encrypted secrets, automated backups, and zero-trust networking. One command to deploy it all.

Architecture

Sync wave orchestration

Infrastructure deploys before workloads via ArgoCD sync waves. One kubectl apply reconstructs everything.

  • ArgoCD (wave -10): Self-managing GitOps controller. App of Apps pattern.
  • MetalLB (wave -5): L2 LoadBalancer IP allocation for bare-metal.
  • Envoy Gateway (wave -4): Gateway API ingress. DaemonSet + hostPort routing.
  • Sealed Secrets (wave -3): Encrypted secrets in Git. Cluster-side decryption.
  • cert-manager (wave -2): TLS certificate automation. Self-signed issuer.
  • OpenClaw (wave +10): AI Gateway. StatefulSet, single replica, PVC-backed.

Features

Three commands. Full stack.

bootstrap.sh
$ make up

Bootstrap

A single command creates a KIND cluster, installs ArgoCD, and deploys the entire stack. It is fully idempotent: run it again and nothing changes.

1/4 Creating KIND cluster (1 CP + 2 workers)...
2/4 Installing ArgoCD + App of Apps...
3/4 MetalLB + Envoy Gateway networking...
4/4 Sealed Secrets + cert-manager...
✓ Cluster ready. All apps Synced.
$ make status

Sync

ArgoCD watches main branch and auto-syncs. Drift is detected and self-healed. All state is declarative.

  • Drift detection
  • Self-heal
  • Sync wave ordering (-10 to +10)
  • ServerSideApply for CRD-heavy apps
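
An added example, not taken from the pincer-ops repository, of how the Sync behaviour above is expressed on an ArgoCD child Application: the wave annotation, automated self-heal, and ServerSideApply. The Application name, destination namespace and the `<path-in-repo>` placeholder are assumptions; the second document restores the Application health check that upstream ArgoCD removed in 1.8, which wave ordering between child Applications relies on (whether pincer-ops sets it is not stated on this page).

```yaml
# Added illustration; not a file from the pincer-ops repository.
# Hypothetical: Application name, destination namespace, <path-in-repo> placeholder.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: sealed-secrets                    # hypothetical name
  namespace: argocd                       # assumed ArgoCD install namespace
  annotations:
    argocd.argoproj.io/sync-wave: "-3"    # wave listed for Sealed Secrets on this page
spec:
  project: default
  source:
    repoURL: https://github.com/<you>/pincer-ops.git
    targetRevision: main                  # the branch ArgoCD watches
    path: "<path-in-repo>"                # placeholder, path not given on the page
  destination:
    server: https://kubernetes.default.svc
    namespace: kube-system                # assumption
  syncPolicy:
    automated:
      selfHeal: true                      # revert manual changes (drift) to the Git state
    syncOptions:
      - ServerSideApply=true              # avoids oversized client-side annotations on large CRDs
---
# Merge this key into the existing argocd-cm rather than replacing the ConfigMap.
# It makes the root app wait for each child Application to be Healthy before the next wave.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  resource.customizations.health.argoproj.io_Application: |
    hs = {}
    hs.status = "Progressing"
    hs.message = ""
    if obj.status ~= nil and obj.status.health ~= nil then
      hs.status = obj.status.health.status
      if obj.status.health.message ~= nil then
        hs.message = obj.status.health.message
      end
    end
    return hs
```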
$ make logs

Operate

Production-grade operational primitives. NetworkPolicies, daily backups, pre-commit hooks.

73 tests, 0 leaks, 24h backups
The Stack

Why each tool exists

Every component in the cluster serves a specific purpose. Remove one and something breaks.

ArgoCD

Watches the Git repo and auto-syncs to the cluster. Uses the App of Apps pattern: one root Application that discovers everything. Self-heals drift automatically.

Without it: Manual kubectl apply for every change. No drift detection. No sync wave ordering.

MetalLB

Allocates virtual IPs for LoadBalancer Services via L2 ARP announcements. Cloud providers handle this automatically; KIND has no cloud, so MetalLB fills the gap.

Without it: Envoy Gateway's Service stays Pending forever. No ingress IP allocated.

Envoy Gateway

Implements the Gateway API. Runs as a DaemonSet with hostPort on the control-plane node. Routes localhost:80 traffic through an HTTPRoute to OpenClaw.

Without it: OpenClaw runs but is unreachable from your browser. No path from host to pod.

Sealed Secrets

Encrypts Kubernetes Secrets with a public key so they can be committed safely. Only the in-cluster controller has the private key. Daily key backup to ~/.pincer/.

Without it: Can't store secrets in Git, which violates the "everything in Git" principle.

cert-manager

Automates certificate issuance and renewal. Self-signed ClusterIssuer for dev environments. Infrastructure-ready for HTTPS when you need it.

Without it: No automated TLS. Future HTTPS listeners require manual certificate management.

OpenClaw

AI assistant gateway. Single-instance StatefulSet, PVC-backed. Connects to 14+ messaging platforms. The application everything else exists to serve.

Without it: There's nothing to deploy. This is the whole point of the platform.

Request path

localhost:80 → KIND port map → Envoy Gateway → HTTPRoute → OpenClaw :18789

Quick Start

Running in minutes

Prerequisites: Docker, kubectl, KIND, ArgoCD CLI

01
Fork & clone
terminal
# Fork on GitHub first, then:
$ git clone https://github.com/<you>/pincer-ops.git
$ cd pincer-ops
$ make setup-repo

▸ Configures ArgoCD to sync from your fork (or skip for a quick try)

02
Bootstrap the cluster
terminal
$ make up

▸ Creates KIND cluster + deploys full stack (~3 min)

03
Check status
terminal
$ make status

▸ All apps should show Synced / Healthy

04
Access OpenClaw
terminal
$ make openclaw-onboard
# Open http://localhost in your browser

▸ Configure your AI agent runtime via the web UI

Cloning without forking? make up still works — bootstrap falls back to local apply when ArgoCD can't reach the remote.