feat: deploy paperclip to au-syd1 via ArgoCD (aitooling project) #99
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Paperclip is an open-source orchestration platform for managing teams of AI agents — org charts, budgets, governance, goal alignment, and multi-agent coordination. MIT licensed. Deploy it to the
aitoolingArgoCD project alongside litellm.Env var reference: https://docs.paperclip.ing/#/reference/deploy/environment-variables
Deployment Plan
Follow the litellm pattern: base kustomization + CNPG cluster + Vault secrets + overlay.
Base manifests:
apps/base/paperclip/namespace.yamlpaperclipnamespacedeployment.yamlghcr.io/paperclipai/paperclip:latest, port 3100services.yamlingress.yamlpaperclip.k8s.syd1.au.unkin.netcnpg_cluster.yamlpaperclip-postgres)cnpg_pooler.yamlvaultauth.yamlvaultstaticsecret.yamlpaperclip-credentialsandpostgres-credentialsfrom Vaultkustomization.yamlOverlay:
apps/overlays/au-syd1/paperclip/kustomization.yamlApplicationSet update
Update
argocd/applicationsets/aitooling.yaml:Environment Variables
In deployment manifest (non-secret)
PORT3100PAPERCLIP_BINDcustomloopbackdefault won't work in a podPAPERCLIP_BIND_HOST0.0.0.0PAPERCLIP_BIND=customPAPERCLIP_API_URLhttps://paperclip.k8s.syd1.au.unkin.netPAPERCLIP_HOME/paperclipPAPERCLIP_INSTANCE_IDdefaultPAPERCLIP_DEPLOYMENT_MODEauthenticatedPAPERCLIP_DEPLOYMENT_EXPOSUREprivateSERVE_UItrueHEARTBEAT_SCHEDULER_ENABLEDtruePAPERCLIP_MIGRATION_AUTO_APPLYtruePAPERCLIP_STORAGE_PROVIDERs3PAPERCLIP_STORAGE_S3_BUCKETpaperclipPAPERCLIP_STORAGE_S3_REGIONus-east-1PAPERCLIP_STORAGE_S3_ENDPOINThttps://radosgw.service.consulMINIO_ENDPOINTin artifactapiPAPERCLIP_STORAGE_S3_FORCE_PATH_STYLEtrueVia Vault secret (
paperclip-credentials)Vault path:
service/paperclip/environment(followingservice/artifactapi/environmentpattern)DATABASE_URLpostgres://paperclip:<pw>@paperclip-pooler-rw:5432/paperclipBETTER_AUTH_SECRETPAPERCLIP_SECRETS_MASTER_KEYPAPERCLIP_STORAGE_S3_ACCESS_KEY_IDPAPERCLIP_STORAGE_S3_SECRET_ACCESS_KEYANTHROPIC_API_KEYOPENAI_API_KEYVia Vault secret (
postgres-credentials)Vault path:
service/paperclip/postgres-credentialsusername/passwordbootstrap.initdb.secretPre-deploy checklist
paperclipbucket in Ceph RGWBETTER_AUTH_SECRET(openssl rand -base64 32)PAPERCLIP_SECRETS_MASTER_KEY(openssl rand -base64 32)service/paperclip/PAPERCLIP_AUTH_DISABLE_SIGN_UP=trueafter first user signs up