openclaw/docs/enterprise/deployment.md

349 lines
8.6 KiB
Markdown

# Enterprise Deployment Guide
This guide covers deployment patterns for enterprise environments with multiple users, teams, and security requirements.
## Deployment Patterns
### Single-Tenant (Recommended for Teams)
A single gateway serves one team with shared configuration:
```
┌─────────────────────────────────────────┐
│ Gateway Host │
│ ┌─────────────────────────────────┐ │
│ │ Moltbot Gateway │ │
│ │ - All team channels │ │
│ │ - Shared agent config │ │
│ │ - Team-wide RBAC │ │
│ └─────────────────────────────────┘ │
└─────────────────────────────────────────┘
│ │ │
┌────┴───┐ ┌────┴───┐ ┌────┴───┐
│ User A │ │ User B │ │ User C │
└────────┘ └────────┘ └────────┘
```
**Configuration:**
```yaml
# config.yaml
gateway:
port: 18789
auth:
mode: token
token: ${GATEWAY_TOKEN}
rbac:
enabled: true
defaultRole: user
assignments:
"admin@company.com": admin
"dev@company.com": operator
```
### Multi-Tenant (Isolated Teams)
Separate gateway instances per team for full isolation:
```
┌──────────────────┐ ┌──────────────────┐
│ Team A Host │ │ Team B Host │
│ ┌──────────────┐ │ │ ┌──────────────┐ │
│ │ Gateway A │ │ │ │ Gateway B │ │
│ │ Port 18789 │ │ │ │ Port 18790 │ │
│ └──────────────┘ │ │ └──────────────┘ │
└──────────────────┘ └──────────────────┘
│ │
Team A Users Team B Users
```
**Benefits:**
- Complete data isolation between teams
- Independent configuration and credentials
- Separate audit logs per team
- Different RBAC policies per team
**Setup:**
```bash
# Team A gateway
clawdbot config set gateway.port 18789
clawdbot config set gateway.auth.token "team-a-token"
# Team B gateway (different host or port)
clawdbot config set gateway.port 18790
clawdbot config set gateway.auth.token "team-b-token"
```
### Multi-Agent Routing
Route different users to different agents based on channel or identity:
```yaml
# config.yaml
agents:
main:
model: claude-sonnet-4-20250514
system: "You are a general assistant."
devops:
model: claude-sonnet-4-20250514
system: "You are a DevOps specialist."
tools:
policy: elevated
support:
model: claude-sonnet-4-20250514
system: "You are a customer support agent."
tools:
policy: read-only
bindings:
- channel: slack
channelId: "devops-channel"
agentId: devops
- channel: telegram
senderId: "support-team"
agentId: support
```
### Per-User Agent Isolation
Give each user their own agent instance:
```yaml
# config.yaml
agents:
template:
model: claude-sonnet-4-20250514
session:
mode: persistent
dir: ~/.clawdbot/sessions/${senderId}
bindings:
- channel: "*"
agentId: template
sessionKey: "${channel}:${senderId}"
```
## Container Deployment
### Docker
```dockerfile
FROM node:22-alpine
RUN npm install -g clawdbot@latest
EXPOSE 18789
VOLUME /root/.clawdbot
CMD ["clawdbot", "gateway", "run", "--bind", "0.0.0.0"]
```
```yaml
# docker-compose.yaml
services:
clawdbot:
image: clawdbot:latest
ports:
- "18789:18789"
volumes:
- ./config:/root/.clawdbot
environment:
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
- GATEWAY_TOKEN=${GATEWAY_TOKEN}
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:18789/health"]
interval: 30s
timeout: 10s
retries: 3
```
### Kubernetes
```yaml
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: clawdbot-gateway
spec:
replicas: 1
selector:
matchLabels:
app: clawdbot
template:
metadata:
labels:
app: clawdbot
spec:
containers:
- name: gateway
image: clawdbot:latest
ports:
- containerPort: 18789
env:
- name: ANTHROPIC_API_KEY
valueFrom:
secretKeyRef:
name: clawdbot-secrets
key: anthropic-api-key
livenessProbe:
httpGet:
path: /health
port: 18789
initialDelaySeconds: 10
periodSeconds: 30
readinessProbe:
httpGet:
path: /ready
port: 18789
initialDelaySeconds: 5
periodSeconds: 10
volumeMounts:
- name: config
mountPath: /root/.clawdbot
volumes:
- name: config
configMap:
name: clawdbot-config
```
```yaml
# service.yaml
apiVersion: v1
kind: Service
metadata:
name: clawdbot
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "18789"
prometheus.io/path: "/metrics"
spec:
selector:
app: clawdbot
ports:
- port: 18789
targetPort: 18789
```
## High Availability
### Load Balancing Considerations
Moltbot gateway is stateful (WebSocket connections, session state). For HA:
1. **Sticky sessions** - Route users to the same instance
2. **Shared state** - Use external session storage (future feature)
3. **Active-passive** - Run standby instance for failover
### Health Endpoints
Configure your load balancer to use:
- **Liveness:** `GET /health` - Returns 200 if process is alive
- **Readiness:** `GET /ready` - Returns 200 if channels are connected
### Graceful Shutdown
The gateway handles SIGTERM gracefully:
1. Stops accepting new connections
2. Completes in-flight requests
3. Closes WebSocket connections cleanly
4. Flushes audit logs
## Network Configuration
### Firewall Rules
| Port | Direction | Purpose |
|------|-----------|---------|
| 18789 | Inbound | Gateway WebSocket/HTTP |
| 443 | Outbound | Anthropic API, channel APIs |
### Reverse Proxy
With nginx:
```nginx
upstream clawdbot {
server localhost:18789;
}
server {
listen 443 ssl;
server_name gateway.company.com;
ssl_certificate /etc/ssl/certs/gateway.crt;
ssl_certificate_key /etc/ssl/private/gateway.key;
location / {
proxy_pass http://clawdbot;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 86400;
}
}
```
Configure trusted proxies in Moltbot:
```yaml
gateway:
trustedProxies:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
```
## Environment Variables
| Variable | Description |
|----------|-------------|
| `ANTHROPIC_API_KEY` | API key for Claude models |
| `GATEWAY_TOKEN` | Gateway authentication token |
| `CLAWDBOT_CONFIG_PATH` | Custom config file path |
| `CLAWDBOT_STATE_DIR` | State directory (sessions, logs) |
| `LOG_LEVEL` | Logging verbosity (debug, info, warn, error) |
## Backup and Recovery
### Critical Data
| Path | Description | Backup Priority |
|------|-------------|-----------------|
| `~/.clawdbot/config.yaml` | Configuration | High |
| `~/.clawdbot/credentials/` | Channel tokens, pairing | High |
| `~/.clawdbot/sessions/` | Session history | Medium |
| `~/.clawdbot/audit.jsonl` | Audit logs | High |
### Backup Script
```bash
#!/bin/bash
BACKUP_DIR="/backups/clawdbot/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"
# Config and credentials (encrypted)
tar -czf "$BACKUP_DIR/config.tar.gz" \
~/.clawdbot/config.yaml \
~/.clawdbot/credentials/
# Audit logs
cp ~/.clawdbot/audit*.jsonl "$BACKUP_DIR/"
# Retain 30 days
find /backups/clawdbot -mtime +30 -delete
```
## Next Steps
- [Security Hardening](/enterprise/security-hardening) - TLS, rate limiting, audit configuration
- [Observability](/enterprise/observability) - Metrics, tracing, dashboards
- [Gateway Configuration](/gateway/configuration) - Full configuration reference