Kubernetes

Install into a customer-owned namespace and scope every connector.

Do not copy Arconath dogfood values into a customer install. Replace domain, auth mode, registry, database, cache, storage, and connector scope with customer-owned infrastructure.

Helm install

```bash
# Sign in to https://releasepassport.com/portal first.
# Customer runtime images are pulled only from the official Release Passport registry.
# The installer creates or preserves RELEASEPASSPORT_INSTALL_ID in the runtime Secret.
curl -fsSL https://releasepassport.com/install.sh | bash -s -- \
  --install-token <portal-install-token>
```

Kubernetes objects

| Object | Purpose | Guidance |
| --- | --- | --- |
| Namespace | Holds Release Passport runtime. | Use releasepassport or the customer platform namespace standard. |
| Deployment: API | Serves /releasepassport/v1 and protected console backend. | Expose only through configured ingress/Gateway API and auth. |
| Deployment: Worker | Runs connector sync and background jobs. | Monitor restarts and connector queue lag. |
| Service | Routes API/worker where needed. | Keep internal except the public API/console ingress path. |
| Secret | Stores bootstrap admin password, optional OIDC/proxy secret material, gate token, connector credentials, storage, and license material. | Use secret references; no plaintext values in Git. |
| ConfigMap | Stores non-secret runtime configuration. | No secret-shaped values such as keys, tokens, passwords. |
| ServiceAccount/RBAC | Allows scoped Kubernetes evidence reads. | Grant read-only access to configured namespaces and workload resources only. |
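
One way to check the ServiceAccount/RBAC guidance before install, as an added example that is not part of the Release Passport documentation or installer: a small audit that flags RBAC objects broader than read-only, namespace-scoped access. The resource allowlist, the `payments` namespace and the `evidence-reader` and `evidence-all` names are assumptions, and the sample manifests are constructed and trimmed to the fields the audit reads.

```python
# Added example: audit RBAC objects against read-only, namespace-scoped guidance.
READ_VERBS = {"get", "list", "watch"}
# Assumption: workload resources an evidence connector reads; adjust per install.
ALLOWED_RESOURCES = {"pods", "services", "deployments", "replicasets", "events"}


def audit_rbac(objects, allowed_namespaces):
    """Return findings for RBAC objects broader than read-only, scoped access."""
    findings = []
    for obj in objects:
        kind, meta = obj.get("kind", ""), obj.get("metadata", {})
        ref = f"{kind}/{meta.get('name', '?')}"
        ns = meta.get("namespace")
        if kind == "ClusterRoleBinding":
            findings.append(f"{ref}: grants access in every namespace")
        elif kind in ("Role", "RoleBinding") and ns not in allowed_namespaces:
            findings.append(f"{ref}: namespace {ns!r} is outside connector scope")
        for rule in obj.get("rules") or []:  # bindings carry no rules
            extra_verbs = set(rule.get("verbs", [])) - READ_VERBS
            if extra_verbs:  # includes the "*" wildcard
                findings.append(f"{ref}: non-read verbs {sorted(extra_verbs)}")
            extra_res = set(rule.get("resources", [])) - ALLOWED_RESOURCES
            if extra_res:  # catches "*", secrets and subresources such as pods/exec
                findings.append(f"{ref}: resources outside allowlist {sorted(extra_res)}")
    return findings


# Constructed sample manifests (JSON form of the usual YAML); names are hypothetical.
SUBJECT = [{"kind": "ServiceAccount", "name": "evidence-reader", "namespace": "releasepassport"}]
SCOPED = [
    {"kind": "Role", "metadata": {"name": "evidence-reader", "namespace": "payments"},
     "rules": [{"apiGroups": ["", "apps"], "verbs": ["get", "list", "watch"],
                "resources": ["pods", "services", "deployments", "replicasets"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "evidence-reader", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "evidence-reader"}, "subjects": SUBJECT},
]
BROAD = [
    {"kind": "ClusterRole", "metadata": {"name": "evidence-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "evidence-all"},
     "roleRef": {"kind": "ClusterRole", "name": "evidence-all"}, "subjects": SUBJECT},
    {"kind": "Role", "metadata": {"name": "evidence-reader", "namespace": "kube-system"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "patch"]}]},
]

if __name__ == "__main__":
    for finding in audit_rbac(BROAD, allowed_namespaces={"payments"}):
        print(finding)
```

The same function accepts the `items` array from `kubectl get roles,rolebindings,clusterrolebindings -A -o json`, filtered to the objects that reference the connector's ServiceAccount.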

Scoped Kubernetes evidence

Namespace: The connector should read only namespaces relevant to the registered services.
Labels: Use stable app labels to tie deployments, pods, and services to a Release Passport service.
Readiness: Evidence should include rollout availability, pod readiness, restarts, and recent condition changes.
Rollback: GitOps or deployment history should identify the previous good revision when possible.
Freshness: A connector result should expire so stale green data does not allow a release.