image: repository: registry.c5ai.ch/pieced/pieced-operator tag: "0.1.51" pullPolicy: IfNotPresent imagePullSecrets: - name: registry-creds replicaCount: 1 # Operator configuration config: vault: # Internal service URL for OpenBao address: "http://openbao.openbao.svc:8200" # K8s auth role for the operator (must be pre-created in OpenBao) role: "pieced-operator" authPath: "kubernetes" litellm: # Internal service URL for LiteLLM url: "http://litellm.inference.svc:4000" # Security context — non-root, read-only rootfs, no privileges securityContext: runAsNonRoot: true runAsUser: 65532 runAsGroup: 65532 fsGroup: 65532 containerSecurityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL seccompProfile: type: RuntimeDefault resources: requests: cpu: 50m memory: 128Mi limits: cpu: 200m memory: 256Mi # Leader election ensures only one instance reconciles leaderElection: enabled: true # Service account — the operator's identity for RBAC and Vault K8s auth serviceAccount: name: pieced-operator annotations: {} # Network policy — restrict operator egress to only what it needs networkPolicy: enabled: true # OpenClaw image default (Feature: per-tenant version overrides). # # Materialised as the `pieced-openclaw-config` ConfigMap, which the # operator reads on every reconcile. Per-tenant overrides set via the # portal (PiecedTenant.spec.openClawImage.tag) take precedence over # this default for the affected tenants. # # We support tag-only (not digest) by design — a single image-selector # field avoids SSA field-ownership ambiguity when switching values, # and the downstream OpenClaw operator handles a tag-only image spec # unambiguously. For reproducibility-critical deployments, pin by # using an immutable release tag. # # Empty defaultTag falls back to the operator's built-in version. # Admins can edit this value at runtime via the portal admin UI; # the resulting ConfigMap edits trigger reconciles for every tenant # that doesn't have its own override. openClaw: defaultTag: "2026.4.22"