diff --git a/argocd/application-openclaw.yaml b/argocd/application-openclaw.yaml
new file mode 100644
index 0000000..fcb9535
--- /dev/null
+++ b/argocd/application-openclaw.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: openclaw
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: http://gitea.gitea.svc.cluster.local:3000/chemavx/k8s-manifests.git
+ targetRevision: main
+ path: openclaw
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: openclaw
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/openclaw/deployment-openclaw.yaml b/openclaw/deployment-openclaw.yaml
index 568ab1a..7c47632 100644
--- a/openclaw/deployment-openclaw.yaml
+++ b/openclaw/deployment-openclaw.yaml
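Review bot: In `argocd/application-openclaw.yaml`, `repoURL` fetches the manifests over plain `http://` while the Application runs `automated` sync with `prune: true` and `selfHeal: true` on `targetRevision: main`, so whatever that endpoint serves for `main` is applied to the cluster with no integrity protection on the transport and no review step. The synced `openclaw` path also contains cluster-scoped RBAC (`openclaw/rbac-openclaw.yaml` in this same commit), and `project: default` does not restrict source repos, destinations or cluster-scoped kinds unless it has been tightened elsewhere. Consider serving Gitea over TLS and switching to an `https://` `repoURL`, and moving the app to a dedicated AppProject, e.g. `project: openclaw` (name illustrative), that whitelists only this repo, the `openclaw` namespace and the cluster resources it actually needs.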
@@ -1,72 +1,46 @@ apiVersion: apps/v1 kind: Deployment metadata: - annotations: - deployment.kubernetes.io/revision: '5' - kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"name":"openclaw","namespace":"openclaw"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"openclaw"}},"template":{"metadata":{"labels":{"app":"openclaw"}},"spec":{"containers":[{"env":[{"name":"OPENCLAW_DATA_DIR","value":"/data"}],"image":"ghcr.io/openclaw/openclaw:2026.3.2","name":"openclaw","ports":[{"containerPort":18789}],"resources":{"limits":{"cpu":"500m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"volumeMounts":[{"mountPath":"/data","name":"data"}]}],"securityContext":{"fsGroup":1000,"runAsUser":1000},"volumes":[{"name":"data","persistentVolumeClaim":{"claimName":"openclaw-pvc"}}]}}}} - - ' name: openclaw namespace: openclaw spec: - progressDeadlineSeconds: 600 replicas: 1 - revisionHistoryLimit: 10 selector: matchLabels: app: openclaw - strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% - type: RollingUpdate template: metadata: - annotations: - kubectl.kubernetes.io/restartedAt: '2026-04-09T18:59:08Z' labels: app: openclaw spec: + nodeSelector: + kubernetes.io/hostname: chemavx-k8 + serviceAccountName: openclaw-agent + securityContext: + runAsUser: 1000 + fsGroup: 1000 containers: - - env: + - name: openclaw + image: ghcr.io/openclaw/openclaw:2026.4.12 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 18789 + env: - name: OPENCLAW_DATA_DIR value: /data - name: NODE_OPTIONS value: --max-old-space-size=1536 - - name: OPENCLAW_STATE_DIR - value: /data - - name: OPENCLAW_TOKEN - valueFrom: - secretKeyRef: - key: OPENCLAW_TOKEN - name: openclaw-token - image: ghcr.io/openclaw/openclaw:2026.4.12 - imagePullPolicy: IfNotPresent - name: openclaw - ports: - - containerPort: 18789 - protocol: TCP resources: - limits: - cpu: '1' - memory: 2Gi requests: cpu: 100m memory: 512Mi - 
terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File + limits: + cpu: "1" + memory: 2Gi volumeMounts: - - mountPath: /data - name: data - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: - fsGroup: 1000 - runAsUser: 1000 - terminationGracePeriodSeconds: 30 + - name: data + mountPath: /data volumes: - name: data persistentVolumeClaim: claimName: openclaw-pvc - diff --git a/openclaw/ingress-openclaw.yaml b/openclaw/ingress-openclaw.yaml index d6011b5..5603fe8 100644 --- a/openclaw/ingress-openclaw.yaml +++ b/openclaw/ingress-openclaw.yaml @@ -1,29 +1,25 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{"cert-manager.io/cluster-issuer":"letsencrypt-prod","traefik.ingress.kubernetes.io/router.entrypoints":"websecure"},"name":"openclaw","namespace":"openclaw"},"spec":{"ingressClassName":"traefik","rules":[{"host":"openclaw.chemavx.xyz","http":{"paths":[{"backend":{"service":{"name":"openclaw","port":{"number":18789}}},"path":"/","pathType":"Prefix"}]}}],"tls":[{"hosts":["openclaw.chemavx.xyz"],"secretName":"openclaw-tls"}]}} - - ' - traefik.ingress.kubernetes.io/router.entrypoints: websecure name: openclaw namespace: openclaw + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + traefik.ingress.kubernetes.io/router.entrypoints: websecure spec: ingressClassName: traefik rules: - host: openclaw.chemavx.xyz http: paths: - - backend: + - path: / + pathType: Prefix + backend: service: name: openclaw port: number: 18789 - path: / - pathType: Prefix tls: - hosts: - openclaw.chemavx.xyz secretName: openclaw-tls - diff --git a/openclaw/namespace-openclaw.yaml b/openclaw/namespace-openclaw.yaml new file mode 100644 index 0000000..394432e --- /dev/null 
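Review bot: In `openclaw/deployment-openclaw.yaml`, the new `env` list no longer carries `OPENCLAW_TOKEN` (previously a `secretKeyRef` to secret `openclaw-token`), and because the Application syncs with `selfHeal: true` the variable will be removed from the live Deployment as well. If that token is what authenticates clients on port 18789, which the Ingress publishes at `openclaw.chemavx.xyz`, confirm the service does not start without authentication when it is missing; otherwise keep the `secretKeyRef` entry in the manifest. Separately, the pod now runs as the `openclaw-agent` service account but the container has no `securityContext` of its own; adding `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` under the container would limit what a compromised process can do with that identity.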
+++ b/openclaw/namespace-openclaw.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: openclaw
diff --git a/openclaw/pvc-openclaw.yaml b/openclaw/pvc-openclaw.yaml
new file mode 100644
index 0000000..3c48e21
--- /dev/null
+++ b/openclaw/pvc-openclaw.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: openclaw-pvc
+ namespace: openclaw
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 5Gi
diff --git a/openclaw/rbac-openclaw.yaml b/openclaw/rbac-openclaw.yaml
new file mode 100644
index 0000000..4033e58
--- /dev/null
+++ b/openclaw/rbac-openclaw.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: openclaw-agent
+ namespace: openclaw
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: openclaw-agent-readonly
+rules:
+- apiGroups: [""]
+ resources: [pods, pods/log, services, nodes, namespaces, events]
+ verbs: [get, list, watch]
+- apiGroups: [apps]
+ resources: [deployments, replicasets, statefulsets, daemonsets]
+ verbs: [get, list, watch]
+- apiGroups: [networking.k8s.io]
+ resources: [ingresses]
+ verbs: [get, list, watch]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: openclaw-agent-readonly-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: openclaw-agent-readonly
+subjects:
+- kind: ServiceAccount
+ name: openclaw-agent
+ namespace: openclaw
diff --git a/openclaw/service-openclaw.yaml b/openclaw/service-openclaw.yaml
index 6cdafd0..ee0f8a8 100644
--- a/openclaw/service-openclaw.yaml
+++ b/openclaw/service-openclaw.yaml
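Review bot: In `openclaw/rbac-openclaw.yaml`, the `ClusterRoleBinding` gives `openclaw-agent` `get`/`list`/`watch` on `pods/log` in every namespace, and container logs routinely hold tokens, connection strings and request data from unrelated workloads (the `argocd` and `gitea` namespaces referenced in this commit included). The same service account is attached to the pod that the Ingress publishes, so the reach of this role is effectively the reach of anything that can drive the agent. If cluster-wide visibility is not required, bind the role per namespace with `kind: RoleBinding` (a RoleBinding may reference a ClusterRole) and keep only `nodes` and `namespaces` in a cluster-wide rule, or at minimum drop log access from the first rule: `resources: [pods, services, nodes, namespaces, events]`. A short comment above the ClusterRole stating why each resource is needed, and that `secrets` and `configmaps` are deliberately excluded, would help keep later edits from widening it.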
@@ -4,19 +4,9 @@ metadata: name: openclaw namespace: openclaw spec: - clusterIP: 10.43.34.126 - clusterIPs: - - 10.43.34.126 - internalTrafficPolicy: Cluster - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - port: 18789 - protocol: TCP - targetPort: 18789 selector: app: openclaw - sessionAffinity: None + ports: + - port: 18789 + targetPort: 18789 type: ClusterIP -