Self-hosted
Release Passport runs in the customer environment, not Arconath's runtime.
Arconath hosts the public website, owner billing surface, and licensed distribution process. Customers install the Release Passport runtime in their own Kubernetes environment so release evidence stays close to their systems.
Self-hosted package contract
Included for customersConsole
PurposeExplain decisions and runtime evidence to customer operators.
Not includedOwner billing/admin app.
Included for customersSettings
PurposeShow license, runtime, OIDC, token, connector, and retention status.
Not includedLicense issuance and plan management tools.
Included for customersAPI
PurposeAccept gate/evidence writes and serve protected runtime reads.
Not includedArconath internal package entitlement services.
Included for customersWorker
PurposeSync scoped connector evidence.
Not includedBroad unscoped customer infra scanner.
Included for customersCLI
PurposeRun releasepassport gate from customer CI/CD.
Not includedA replacement for CI/CD or GitOps deployment.
| Included for customers | Purpose | Not included |
|---|---|---|
| Console | Explain decisions and runtime evidence to customer operators. | Owner billing/admin app. |
| Settings | Show license, runtime, OIDC, token, connector, and retention status. | License issuance and plan management tools. |
| API | Accept gate/evidence writes and serve protected runtime reads. | Arconath internal package entitlement services. |
| Worker | Sync scoped connector evidence. | Broad unscoped customer infra scanner. |
| CLI | Run releasepassport gate from customer CI/CD. | A replacement for CI/CD or GitOps deployment. |
Install flow
Trial install
# Sign in to https://releasepassport.com/portal first.
# Customer runtime images are pulled only from the official Release Passport registry.
# The installer creates or preserves RELEASEPASSPORT_INSTALL_ID in the runtime Secret.
curl -fsSL https://releasepassport.com/install.sh | bash -s -- \
--install-token <portal-install-token>Operating rules
Use customer-owned domain, OIDC provider, namespace, storage, registry, and secret manager.
Start release gates in shadow mode and inspect evidence before enforcing.
Configure scoped connectors per service/environment instead of broad infrastructure access.
Keep owner/admin functions outside the customer package.