
#19683: feat: add Helm chart for Kubernetes deployment and Vertex AI streaming

by harche open 2026-02-18 02:56
agents size: XL
## Summary

- Adds a production-ready Helm chart under `deploy/helm/openclaw/` that supports all model provider configurations (Anthropic, Vertex AI, OpenAI-compatible) purely through Helm values — no manual `kubectl exec` needed to seed `openclaw.json`
- Adds Vertex AI `rawPredict` streaming support so Claude can be accessed through Google Vertex AI's Anthropic integration
- Integrates with [kubernetes-sigs/agent-sandbox](https://github.com/kubernetes-sigs/agent-sandbox) via `SandboxTemplate` CRD

## Helm chart details

**`openclawConfig`**: Seeds `openclaw.json` from Helm values via an init container that copies a ConfigMap to the writable PVC on each startup. Config stays writable for runtime changes and is always re-synced on `helm upgrade`.

**`vertexAI.credentials.create`**: Optionally creates a GCP credentials Secret from inline JSON (alternative to referencing a pre-existing Secret via `vertexAI.existingSecret`).

**`secrets.openaiApiKey`**: Adds `OPENAI_API_KEY` env var for OpenAI-compatible providers.

**No hardcoded org-specific values**: All `vertexAI` fields (`projectId`, `region`, `existingSecret`) default to empty strings.

### Example: Vertex AI

```yaml
openclawConfig:
  enabled: true
  content:
    agents:
      defaults:
        model:
          primary: "google-vertex/claude-opus-4-6"
    models:
      providers:
        google-vertex:
          baseUrl: "https://us-east5-aiplatform.googleapis.com"
          api: "anthropic-messages"
          auth: "oauth"
          models:
            - id: "claude-opus-4-6"
              name: "Claude Opus 4.6"
              reasoning: true
              input: ["text", "image"]
              contextWindow: 1000000
              maxTokens: 32000

vertexAI:
  enabled: true
  projectId: "my-gcp-project"
  region: "us-east5"
  credentials:
    create: true
    json: |
      { "type": "service_account", ... }
```

### Example: Anthropic direct

```yaml
openclawConfig:
  enabled: true
  content:
    agents:
      defaults:
        model:
          primary: "anthropic/claude-sonnet-4-20250514"

secrets:
  create: true
  anthropicApiKey: "sk-ant-..."
```

## Test plan

- [x] `helm lint` passes
- [x] `helm template` renders correctly for all provider modes (default, Anthropic, Vertex AI with credentials.create, OpenAI)
- [x] Built Docker image locally, loaded into Kind cluster
- [x] Init container creates `/data/.openclaw/` and seeds `openclaw.json`
- [x] Config file is writable on PVC (required for runtime changes)
- [x] Pod reaches 1/1 Running with Anthropic config
- [x] `helm upgrade` re-seeds config and triggers pod restart via checksum annotation
- [x] GCP credentials Secret created correctly when `vertexAI.credentials.create=true`
- [x] `gcpSecretName` helper resolves to chart-managed or existing Secret correctly
- [x] No Vertex/GCP references rendered when `vertexAI.enabled=false`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- greptile_comment -->

<h3>Greptile Summary</h3>

This PR adds two main pieces: a comprehensive Helm chart for deploying the OpenClaw gateway on Kubernetes (`deploy/helm/openclaw/`), and a Vertex AI `rawPredict` streaming implementation (`src/agents/vertex-anthropic-stream.ts`) that enables Claude access through Google Vertex AI's Anthropic integration.

The Helm chart is well-structured with proper security contexts, checksum-based rollout annotations, init container config seeding, and support for multiple provider modes (Anthropic, Vertex AI, OpenAI-compatible). It also integrates with the `kubernetes-sigs/agent-sandbox` CRD. The Vertex AI stream implementation follows the established pattern from `ollama-stream.ts`, correctly handling SSE parsing, content block accumulation, tool call assembly, and error propagation.

- **Bug**: `createVertexAnthropicStreamFn` does not validate that `project` and `location` are non-empty, producing a malformed Vertex AI URL when `GOOGLE_CLOUD_PROJECT`/`GOOGLE_CLOUD_LOCATION` env vars are not set
- **Bug**: The `gcpSecretName` Helm helper returns an empty string when `vertexAI.enabled=true` without `credentials.create` or `existingSecret` configured, producing an invalid Kubernetes volume spec that will prevent pod startup
- Adds `google-vertex` as a new `ModelApi` type and corresponding Zod schema literal
- Adds `google-auth-library` as a new dependency for OAuth token acquisition
- Minor changes in `runner.entries.ts` add non-null assertions after existing null guards (safe) and reorder imports

<h3>Confidence Score: 3/5</h3>

- Two bugs should be fixed before merging: missing env var validation in the Vertex AI stream factory and empty secretName in the Helm gcpSecretName helper.
- The two identified issues will cause runtime failures in common misconfiguration scenarios — empty project/location producing a malformed URL, and missing Vertex AI secret configuration producing an invalid Kubernetes manifest. Both are straightforward fixes but will impact users who deploy with incomplete configuration.
- Pay close attention to `src/agents/vertex-anthropic-stream.ts` (missing parameter validation) and `deploy/helm/openclaw/templates/_helpers.tpl` (empty secretName bug).

<sub>Last reviewed commit: e4e8be0</sub>

**Context used:**

- Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8))

<!-- /greptile_comment -->
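
The first bug in the review summary (an empty `project` or `location` reaching the URL builder) can be closed by validating both values before any string is built. The sketch below is an added example, not code from this PR: `buildVertexAnthropicUrl`, `VertexTarget` and the three regular expressions are hypothetical, and it assumes standard GCP project IDs, regional location names (or `global`), and the `publishers/anthropic/models/…:streamRawPredict` endpoint layout.

```typescript
// Added example; hypothetical helper, not the PR's createVertexAnthropicStreamFn.
// Assumed formats: standard GCP project IDs and regional names such as "us-east5".
const PROJECT_ID = /^[a-z][a-z0-9-]{4,28}[a-z0-9]$/;
const REGION = /^[a-z]+(?:-[a-z]+)*[0-9]+$/;
const MODEL_ID = /^[a-z0-9][a-z0-9.@-]*$/;

type VertexTarget = { project?: string; location?: string; model: string };

function buildVertexAnthropicUrl(t: VertexTarget): string {
  const project = (t.project ?? "").trim();
  const location = (t.location ?? "").trim();

  // Report every missing setting at once, by the env var the operator must set.
  const missing: string[] = [];
  if (!project) missing.push("GOOGLE_CLOUD_PROJECT");
  if (!location) missing.push("GOOGLE_CLOUD_LOCATION");
  if (missing.length > 0) {
    throw new Error(`Vertex AI not configured: set ${missing.join(" and ")}`);
  }

  // Both values are interpolated into the URL (location also into the hostname),
  // so accept only the expected character set before building the string.
  if (!PROJECT_ID.test(project)) {
    throw new Error(`invalid GOOGLE_CLOUD_PROJECT: ${JSON.stringify(project)}`);
  }
  if (location !== "global" && !REGION.test(location)) {
    throw new Error(`invalid GOOGLE_CLOUD_LOCATION: ${JSON.stringify(location)}`);
  }
  if (!MODEL_ID.test(t.model)) {
    throw new Error(`invalid model id: ${JSON.stringify(t.model)}`);
  }

  // The global endpoint has no region prefix on the host.
  const host = location === "global"
    ? "aiplatform.googleapis.com"
    : `${location}-aiplatform.googleapis.com`;
  return `https://${host}/v1/projects/${project}/locations/${location}` +
    `/publishers/anthropic/models/${t.model}:streamRawPredict`;
}
```

Failing at factory time with the variable name in the message turns a malformed-URL request error into a configuration error that is visible at startup, and the format check keeps the OAuth-authenticated request bound to an `aiplatform.googleapis.com` host.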
