Parameterize Foundry base URL for OpenClaw on AKS #212
Open
antonslutskyms wants to merge 1 commit into main from
Summary
Documents the AKS + OpenClaw + Microsoft Foundry workshop, removes hardcoded Foundry host/project URLs in favor of configurable values (Kubernetes ConfigMap / environment variables and aligned local dev vars), and scrubs committed-looking API key material in favor of placeholders where manifests were edited.
Motivation
Workshop manifests and related nemoclaw assets pointed at a specific Foundry resource and project in URLs, which is not portable for other clusters or contributors.
Centralizing the OpenAI v1 base URL in OPENCLAW_FOUNDRY_BASE_URL (and NEMOCLAW_FOUNDRY_BASE_URL for NemoClaw k8s) matches how openclaw.json already references ${OPENCLAW_FOUNDRY_BASE_URL} and avoids repeating tenant-specific paths in the pod spec.
Reduces risk of shipping real secrets in YAML intended as samples.
Changes
Workshop (nim-deploy/.../aks-openclaw)
Added README.md: what the stack does, prerequisites, secrets, Foundry endpoint setup, deploy commands (including pod delete + apply), optional LB, access, troubleshooting.
openclaw-k8s.yaml: new ConfigMap openclaw-foundry-endpoint with key OPENCLAW_FOUNDRY_BASE_URL; pod env uses valueFrom.configMapKeyRef; header comments for kubectl create configmap; inline Secret sample key replaced with a clear placeholder.
Mirrored / aligned OpenClaw k8s
nemoclaw/Docker-openclaw/openclaw-k8s.yaml: same Foundry ConfigMap + pod wiring + placeholder secret as the workshop file.
NemoClaw on Kubernetes
nemoclaw/Docker2/nemoclaw-k8s.yaml (and nemoclaw-k8s copy.yaml): new nemoclaw-foundry-endpoint ConfigMap; NEMOCLAW_INFERENCE_BASE_URL / NEMOCLAW_ENDPOINT_URL (where present) sourced from that map; COMPATIBLE_API_KEY set to a placeholder (operators must inject a real key).
Local Foundry OpenClaw configs
nemoclaw/foundry-gpt53-chat/openclaw.json5 and nemoclaw/environments/foundry-gpt53-chat/openclaw.json5: baseUrl → "${OPENCLAW_FOUNDRY_BASE_URL}" with comments to export it.
nemoclaw/environments/my-gpt53-sandbox/.env.local: generic placeholder URL + comment.
Policy / samples
nemoclaw/Docker2/nemoclaw-blueprint/policies/openclaw-sandbox.yaml: explicit Foundry host replaced with YOUR_FOUNDRY_RESOURCE_NAME.services.ai.azure.com placeholder (policies cannot use k8s env substitution).
Notebooks
nemoclaw/Driver.ipynb: endpoint, API key, and deployment read from os.environ (AZURE_OPENAI_*) with non-production defaults.
Scripts
nemoclaw/scripts/verify-foundry-openclaw-setup.sh: validates OPENCLAW_FOUNDRY_BASE_URL is set.
nemoclaw/foundry-gpt53-chat/run-openclaw-gateway.sh and nemoclaw/scripts/run-openclaw-foundry-host.sh: checklist and OPENCLAW_FOUNDRY_BASE_URL guard before starting the gateway.
Operator / migration notes
AKS / kubectl: Create or edit openclaw-foundry-endpoint so OPENCLAW_FOUNDRY_BASE_URL is the real https://.services.ai.azure.com/api/projects//openai/v1 URL before relying on the pod.
Local: export OPENCLAW_FOUNDRY_BASE_URL=… (and existing MICROSOFT_FOUNDRY_GPT53_CHAT_API_KEY) before verify / gateway scripts.
NemoClaw k8s: Set nemoclaw-foundry-endpoint and replace COMPATIBLE_API_KEY placeholder with a real Foundry key (prefer Secret + secretKeyRef in a follow-up if you want stricter hygiene).
Sandbox policy: Replace YOUR_FOUNDRY_RESOURCE_NAME in the explicit host line, or rely on *.services.ai.azure.com if that is sufficient for your gateway.
Testing suggestions
kubectl apply workshop manifest in a test namespace; pod becomes Ready; OPENCLAW_FOUNDRY_BASE_URL resolves from ConfigMap.
./scripts/verify-foundry-openclaw-setup.sh with OPENCLAW_FOUNDRY_BASE_URL and API key set.
./scripts/run-openclaw-foundry-host.sh or foundry-gpt53-chat/run-openclaw-gateway.sh smoke run against Foundry.
NemoClaw k8s pod (if used) gets both URL env vars from the new ConfigMap and can reach Foundry with a real key.
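
The OPENCLAW_FOUNDRY_BASE_URL guard described for the verify and gateway scripts can check more than "is it set", because the API key is presented to whatever host this URL names. The following is an added example, not code from this pull request: the function name and reason strings are hypothetical, the sample URLs are constructed, and the accepted project-name characters are an assumption.

```shell
# Added example (not from the PR): pre-flight check for OPENCLAW_FOUNDRY_BASE_URL.
# check_foundry_base_url and its reason strings are hypothetical names.
# Prints "ok" or a short reason; returns 0 only for an acceptable URL.
check_foundry_base_url() {
    url=$1
    [ -n "$url" ] || { echo "unset"; return 1; }
    # Sample manifests ship this placeholder; it must be replaced before deploy.
    case $url in
        *YOUR_FOUNDRY_RESOURCE_NAME*) echo "placeholder"; return 1 ;;
    esac
    # The API key travels to this endpoint, so plain http is refused.
    case $url in
        https://*) ;;
        *) echo "not-https"; return 1 ;;
    esac
    rest=${url#https://}
    host=${rest%%/*}
    case $rest in
        */*) path=/${rest#*/} ;;
        *)   path= ;;
    esac
    # Reject userinfo, ports, '#', '?' and similar in the authority so that a
    # suffix match cannot be satisfied by text that is not the real host.
    case $host in
        *[!A-Za-z0-9.-]*) echo "bad-host"; return 1 ;;
        ?*.services.ai.azure.com) ;;
        *) echo "bad-host"; return 1 ;;
    esac
    case $path in
        /api/projects/*/openai/v1) ;;
        *) echo "bad-path"; return 1 ;;
    esac
    # Project segment: one non-empty path component (charset is an assumption).
    project=${path#/api/projects/}
    project=${project%/openai/v1}
    case $project in
        ""|*[!A-Za-z0-9._-]*) echo "bad-project"; return 1 ;;
    esac
    echo "ok"
}

# Constructed sample values, for illustration only.
for u in \
    "https://example-resource.services.ai.azure.com/api/projects/example-project/openai/v1" \
    "https://YOUR_FOUNDRY_RESOURCE_NAME.services.ai.azure.com/api/projects/p/openai/v1" \
    "https://.services.ai.azure.com/api/projects//openai/v1"
do
    printf '%s -> %s\n' "$u" "$(check_foundry_base_url "$u")"
done
```

A gateway or verify script would call the function on "$OPENCLAW_FOUNDRY_BASE_URL" and exit non-zero on any result other than ok.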