From 1fc7233267766a7e90b19d4e11c6b0eeaa1043d9 Mon Sep 17 00:00:00 2001
From: jenkins <jenkins@bstein.dev>
Date: Wed, 20 May 2026 18:35:08 -0300
Subject: [PATCH] agent(openclaw): trust oauth proxy identity

---
 services/openclaw/configmap.yaml  | 8 +++-----
 services/openclaw/deployment.yaml | 7 +------
 2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/services/openclaw/configmap.yaml b/services/openclaw/configmap.yaml
index e495d372..b9be06ca 100644
--- a/services/openclaw/configmap.yaml
+++ b/services/openclaw/configmap.yaml
@@ -30,11 +30,9 @@ data:
       "gateway": {
         "mode": "local",
         "auth": {
-          "mode": "token",
-          "token": {
-            "source": "env",
-            "provider": "default",
-            "id": "OPENCLAW_GATEWAY_TOKEN"
+          "mode": "trusted-proxy",
+          "trustedProxy": {
+            "userHeader": "x-forwarded-email"
           }
         },
         "port": 18789,
diff --git a/services/openclaw/deployment.yaml b/services/openclaw/deployment.yaml
index 535def93..cfc2aaf7 100644
--- a/services/openclaw/deployment.yaml
+++ b/services/openclaw/deployment.yaml
@@ -23,7 +23,7 @@ spec:
         ai.bstein.dev/instructions: kubectl-field-selectors
         ai.bstein.dev/role: testing-triage
         ai.bstein.dev/placement: arm64 gateway lane (jetson preferred)
-        ai.bstein.dev/config-rev: "20260520-agent-origin"
+        ai.bstein.dev/config-rev: "20260520-agent-trusted-proxy"
     spec:
       serviceAccountName: openclaw-triage
       automountServiceAccountToken: true
@@ -187,11 +187,6 @@ spec:
               value: https://scm.bstein.dev
             - name: GRAFANA_BASE_URL
               value: https://metrics.bstein.dev
-            - name: OPENCLAW_GATEWAY_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: openclaw-secrets
-                  key: OPENCLAW_GATEWAY_TOKEN
           volumeMounts:
             - name: home
               mountPath: /home/node/.openclaw