Install
The customer package includes the dashboard. It excludes the owner app.
Sign in to the portal before generating an install token. The trial installs the API, worker, console, CLI integration, and limited scoped evidence in the customer cluster. The owner app for users, plans, pricing, license issuance, billing, and package entitlement remains an Arconath-owned internal product surface.
Self-hosted core package.
```bash
# Sign in to https://releasepassport.com/portal first.
# Customer runtime images are pulled only from the official Release Passport registry.
# The installer creates or preserves RELEASEPASSPORT_INSTALL_ID in the runtime Secret.
curl -fsSL https://releasepassport.com/install.sh | bash -s -- \
  --install-token <portal-install-token>
```

Minimal production-shaped values.
Replace every example value with customer-owned infrastructure. Keep secrets in Kubernetes secrets, SOPS, or the customer's secret manager. The runtime Secret must include RELEASEPASSPORT_INSTALL_ID. The values file should reference secret names, not embed secret values.
```yaml
global:
  publicUrl: https://release-passport.example.com
  apiBasePath: /releasepassport/v1
license:
  edition: trial
  installIdSecret: releasepassport-runtime
auth:
  oidc:
    enabled: true
    issuerUrl: https://idp.example.com/realms/platform
    clientId: releasepassport
    existingSecret: releasepassport-oidc
    callbackUrl: https://release-passport.example.com/releasepassport/v1/auth/callback
runtime:
  mode: shadow
  workspaceId: workspace-acme-prod
  defaultEnvironment: production
storage:
  postgresUrlSecret: releasepassport-runtime
  valkeyUrlSecret: releasepassport-runtime
  objectStorageSecret: releasepassport-runtime
connectors:
  kubernetes:
    enabled: true
    namespaces: ["apps-checkout"]
    labelSelector: "app.kubernetes.io/part-of=checkout"
  prometheus:
    enabled: true
    baseUrl: https://prometheus.example.com
    allowedQueries:
      - name: checkout-error-rate
        query: sum(rate(http_requests_total{service="checkout-api",status=~"5.."}[5m]))
  gitops:
    enabled: true
    provider: argocd
    applications: ["checkout-api-prod"]
retention:
  passportsDays: 30
  evidenceDays: 14
  reportsDays: 7
```

Basic auth is built in; OIDC and proxy auth are optional.
Self-hosted installs start with a bootstrap admin password. If switching to OIDC, configure Google, Okta, Entra ID, Authentik, Dex, Keycloak, or any compatible provider. The callback is https://release-passport.example.com/releasepassport/v1/auth/callback.
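A pre-install check for the rule that the values file references secret names rather than embedding secret values, shown as an added example that is not part of Release Passport or its installer. The function name `lint_values` and the key-name list in `INLINE_KEY` are assumptions, and the sample input is constructed.

```python
import re

# Kubernetes Secret names are DNS-1123 subdomains (lowercase alphanumerics, '-', '.').
SECRET_NAME = re.compile(r"^[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?$")
# Key names that suggest an inline credential (assumed list, not taken from the product).
INLINE_KEY = re.compile(r"(password|passwd|token|apikey|clientsecret|privatekey)$", re.I)
# user:password@ embedded in a URL or connection string.
URL_CREDS = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
# A scalar "key: value" line, optionally the first key of a list item.
LINE = re.compile(r"^\s*(?:-\s+)?([A-Za-z0-9_.-]+):\s*(.*?)\s*$")


def lint_values(text):
    """Return (line_no, key, problem) tuples for a values file given as text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        value = m.group(2).strip("'\"") if m else ""
        if not value:
            continue  # comment, mapping header, or empty value
        key = m.group(1)
        if URL_CREDS.search(value):
            findings.append((no, key, "credentials embedded in URL"))
        if INLINE_KEY.search(key):
            findings.append((no, key, "inline secret value"))
        elif key.endswith("Secret") and not SECRET_NAME.match(value):
            # Keys such as existingSecret or postgresUrlSecret must name a Secret.
            findings.append((no, key, "not a Secret name"))
    return findings


# Constructed sample: two references follow the page's pattern, two lines embed secrets.
SAMPLE = """\
auth:
  oidc:
    clientId: releasepassport
    clientSecret: s3cr3t-value
    existingSecret: releasepassport-oidc
storage:
  postgresUrlSecret: postgres://rp:hunter2@db.example.com:5432/rp
  valkeyUrlSecret: releasepassport-runtime
"""

if __name__ == "__main__":
    for no, key, problem in lint_values(SAMPLE):
        print(f"line {no}: {key}: {problem}")
```

Running it against the values file in CI before the installer runs catches an embedded connection string or client secret before it reaches version control or the cluster.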
Upgrade is plan-first and token-first.
Upgrades reuse the same installer and official registry path. Review the plan, pin a version when change control requires it, then run the printed command.
```bash
# Preview a token-first runtime upgrade plan.
releasepassport upgrade
# Pin a specific package version when your change-control process requires it.
releasepassport upgrade --version 0.1.1
# Apply remains plan-first: run the printed installer command after review.
releasepassport upgrade apply --version 0.1.1
```

One command removes the runtime.
The default uninstall preserves bundled data. Operators must explicitly choose purge mode before deleting Compose volumes or the Kubernetes namespace.
```bash
# Stop/remove the self-hosted runtime and preserve data by default.
releasepassport uninstall
# Preview exact Compose or Kubernetes commands first.
releasepassport uninstall --dry-run
# Automation can skip the interactive prompt.
releasepassport uninstall --yes
# Full data wipe: Compose volumes + directory, or Kubernetes namespace.
releasepassport uninstall --purge
```

Install architecture
| Component | Purpose | Customer responsibility |
|---|---|---|
| Console | Customer UI for decisions, services, passports, connectors, reports, and settings. | Protect with OIDC and do not make runtime data public. |
| API | Receives gate/evidence writes and serves console/session reads under /releasepassport/v1. | Expose through the customer ingress, Gateway API, or equivalent routing. |
| Worker | Runs connector sync, freshness checks, and background jobs. | Grant only scoped connector credentials and monitor worker health. |
| Storage | Stores passports, evidence summaries, connectors, policies, reports, and settings. | Use customer-approved database/storage and retention policy. |
| CLI | Runs in CI/CD and calls the API before promotion. | Install from the public/trial or licensed download channel and keep tokens in CI secrets. |
| Owner app | Billing, plans, license issuance, package entitlement. | Not installed in the customer package. Managed by Arconath separately. |
