feat: deploy paperclip to au-syd1 via ArgoCD (aitooling project) #99

Closed
opened 2026-05-02 17:32:18 +10:00 by unkinben · 0 comments
Owner

## Summary

[Paperclip](https://github.com/paperclipai/paperclip) is an open-source orchestration platform for managing teams of AI agents — org charts, budgets, governance, goal alignment, and multi-agent coordination. MIT licensed. Deploy it to the `aitooling` ArgoCD project alongside litellm.

Env var reference: https://docs.paperclip.ing/#/reference/deploy/environment-variables

## Deployment Plan

Follow the litellm pattern: base kustomization + CNPG cluster + Vault secrets + overlay.

### Base manifests: `apps/base/paperclip/`

| File | Purpose |
|---|---|
| `namespace.yaml` | `paperclip` namespace |
| `deployment.yaml` | `ghcr.io/paperclipai/paperclip:latest`, port 3100 |
| `services.yaml` | ClusterIP on port 3100 |
| `ingress.yaml` | `paperclip.k8s.syd1.au.unkin.net` |
| `cnpg_cluster.yaml` | 3-instance CNPG cluster (`paperclip-postgres`) |
| `cnpg_pooler.yaml` | Connection pooler |
| `vaultauth.yaml` | VaultAuth ref |
| `vaultstaticsecret.yaml` | Pulls `paperclip-credentials` and `postgres-credentials` from Vault |
| `kustomization.yaml` | Wires everything together |

### Overlay: `apps/overlays/au-syd1/paperclip/kustomization.yaml`

```yaml
resources:
  - ../../../base/paperclip
```

### ApplicationSet update

Update `argocd/applicationsets/aitooling.yaml`:

```yaml
directories:
  - path: apps/overlays/*/litellm
  - path: apps/overlays/*/paperclip
```

## Environment Variables

### In deployment manifest (non-secret)

| Var | Value | Notes |
|---|---|---|
| `PORT` | `3100` | |
| `PAPERCLIP_BIND` | `custom` | `loopback` default won't work in a pod |
| `PAPERCLIP_BIND_HOST` | `0.0.0.0` | Required when `PAPERCLIP_BIND=custom` |
| `PAPERCLIP_API_URL` | `https://paperclip.k8s.syd1.au.unkin.net` | Public URL behind ingress |
| `PAPERCLIP_HOME` | `/paperclip` | |
| `PAPERCLIP_INSTANCE_ID` | `default` | |
| `PAPERCLIP_DEPLOYMENT_MODE` | `authenticated` | |
| `PAPERCLIP_DEPLOYMENT_EXPOSURE` | `private` | |
| `SERVE_UI` | `true` | |
| `HEARTBEAT_SCHEDULER_ENABLED` | `true` | |
| `PAPERCLIP_MIGRATION_AUTO_APPLY` | `true` | |
| `PAPERCLIP_STORAGE_PROVIDER` | `s3` | Use Ceph RGW |
| `PAPERCLIP_STORAGE_S3_BUCKET` | `paperclip` | Create bucket in RGW first |
| `PAPERCLIP_STORAGE_S3_REGION` | `us-east-1` | Ceph RGW ignores region but requires a value |
| `PAPERCLIP_STORAGE_S3_ENDPOINT` | `https://radosgw.service.consul` | Matches `MINIO_ENDPOINT` in artifactapi |
| `PAPERCLIP_STORAGE_S3_FORCE_PATH_STYLE` | `true` | Required for Ceph RGW |

### Via Vault secret (`paperclip-credentials`)

Vault path: `service/paperclip/environment` (following `service/artifactapi/environment` pattern)

| Var | Notes |
|---|---|
| `DATABASE_URL` | `postgres://paperclip:<pw>@paperclip-pooler-rw:5432/paperclip` |
| `BETTER_AUTH_SECRET` | Strong random secret for auth sessions |
| `PAPERCLIP_SECRETS_MASTER_KEY` | 32-byte encryption key (base64); encrypts agent secrets at rest |
| `PAPERCLIP_STORAGE_S3_ACCESS_KEY_ID` | RGW access key |
| `PAPERCLIP_STORAGE_S3_SECRET_ACCESS_KEY` | RGW secret key |
| `ANTHROPIC_API_KEY` | For Claude Local adapter |
| `OPENAI_API_KEY` | For Codex Local adapter |

### Via Vault secret (`postgres-credentials`)

Vault path: `service/paperclip/postgres-credentials`

| Var | Notes |
|---|---|
| `username` / `password` | Used by CNPG `bootstrap.initdb.secret` |

## Pre-deploy checklist

- [ ] Create `paperclip` bucket in Ceph RGW
- [ ] Create RGW user and credentials for paperclip
- [ ] Generate `BETTER_AUTH_SECRET` (`openssl rand -base64 32`)
- [ ] Generate `PAPERCLIP_SECRETS_MASTER_KEY` (`openssl rand -base64 32`)
- [ ] Populate Vault secrets at `service/paperclip/`
- [ ] Set `PAPERCLIP_AUTH_DISABLE_SIGN_UP=true` after first user signs up
Reference: unkin/argocd-apps#99
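
The issue above separates manifest variables from Vault-sourced ones and asks for a 32-byte base64 master key; both can be checked before deploy. The script below is an added example, not part of the issue or the repository: the function names and the sample manifest are constructed for illustration, and it assumes a `base64` that accepts `-d` and env entries that list `- name:` on the line before `value:`.

```shell
#!/bin/sh
# Added example (not from the issue): pre-deploy checks for the plan above.

# Variables the issue sources from Vault (paperclip-credentials).
SECRET_VARS="DATABASE_URL BETTER_AUTH_SECRET PAPERCLIP_SECRETS_MASTER_KEY \
PAPERCLIP_STORAGE_S3_ACCESS_KEY_ID PAPERCLIP_STORAGE_S3_SECRET_ACCESS_KEY \
ANTHROPIC_API_KEY OPENAI_API_KEY"

# key_is_32_bytes B64: succeeds only if B64 decodes to exactly 32 bytes,
# the size the issue gives for PAPERCLIP_SECRETS_MASTER_KEY.
# Assumes a base64 utility that accepts -d (GNU coreutils).
key_is_32_bytes() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# inline_secrets FILE: prints each Vault-sourced variable that FILE sets with
# a literal "value:" instead of valueFrom/envFrom. Hypothetical helper; it
# assumes each env entry lists "- name:" on the line before "value:".
inline_secrets() {
    awk -v vars="$SECRET_VARS" '
        BEGIN { n = split(vars, a, " "); for (i = 1; i <= n; i++) secret[a[i]] = 1 }
        /^[ \t]*-[ \t]*name:/ { name = $NF; gsub(/"/, "", name); next }
        /^[ \t]*value:/       { if (name in secret) print name; name = ""; next }
        /^[ \t]*valueFrom:/   { name = "" }
    ' "$1"
}

# sample_manifest: constructed env fragment, not the repository deployment.yaml.
sample_manifest() {
    cat <<'EOF'
env:
  - name: PORT
    value: "3100"
  - name: BETTER_AUTH_SECRET
    value: constructed-placeholder-not-a-real-secret
  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: paperclip-credentials
        key: DATABASE_URL
EOF
}
```

Sourcing the file and running `inline_secrets apps/base/paperclip/deployment.yaml` should print nothing when every secret comes from Vault; any name it prints is a credential committed to Git in plain text.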