v0.1.12
Origamy CLI v0.1.12 — BYOD security release
Security hardening for Bring-Your-Own-Data-Plane enrollment and the install supply chain:
- mTLS enrollment (BYOD Phase 2 client): the CLI now generates an EC P-256 keypair + CSR locally, registers with the control plane in a single round-trip, and stores the issued identity (tls.crt/tls.key/ca.crt) as a Kubernetes Secret or 0600 Docker files. The data plane's private key never leaves the machine.
- Enrollment credential safety (HIGH): v2 enrollment handles are redeemed over HTTPS instead of decoding the permanent dpt_token out of the enrollment string. v1 tokens still work for backward compatibility.
- Supply-chain integrity: releases now publish SHA256SUMS and a detached Ed25519 signature (SHA256SUMS.sig). install.sh verifies both against an embedded public key (fail-closed) before running the downloaded binary.
- ClickHouse password is sourced from a Kubernetes Secret instead of helm --set (which leaks to Helm history).
Verify your download:
shasum -a 256 -c SHA256SUMS
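
The checksum command above only proves the binary matches SHA256SUMS; the Ed25519 signature is what ties SHA256SUMS to the publisher's key. The following is an added example, not the project's install.sh, showing the fail-closed order in Go's standard library: signature first, then digest. It assumes SHA256SUMS.sig is a raw 64-byte signature over the exact bytes of SHA256SUMS; the key, the artifact name origamy-sample and the data are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// VerifyRelease returns nil only when sig is a valid Ed25519 signature over sums
// (assumed: raw 64-byte detached signature) and artifact matches its listed digest.
func VerifyRelease(pub ed25519.PublicKey, sums, sig []byte, name string, artifact []byte) error {
	// Length check first: ed25519.Verify panics on a wrongly sized public key.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sums, sig) {
		return errors.New("SHA256SUMS signature invalid")
	}
	// The checksum list is parsed only after its signature has been accepted.
	sc := bufio.NewScanner(bytes.NewReader(sums))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 || strings.TrimPrefix(f[1], "*") != name {
			continue
		}
		want, err := hex.DecodeString(f[0])
		if err != nil || len(want) != sha256.Size {
			return fmt.Errorf("malformed digest for %s", name)
		}
		got := sha256.Sum256(artifact)
		if subtle.ConstantTimeCompare(got[:], want) != 1 {
			return fmt.Errorf("checksum mismatch for %s", name)
		}
		return nil
	}
	// An artifact missing from the list is rejected, not skipped.
	return fmt.Errorf("%s not listed in SHA256SUMS", name)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed throwaway key
	bin := []byte("constructed sample binary")
	sums := []byte(fmt.Sprintf("%x  origamy-sample\n", sha256.Sum256(bin)))
	sig := ed25519.Sign(priv, sums)
	fmt.Println("good release:", VerifyRelease(pub, sums, sig, "origamy-sample", bin))
	fmt.Println("tampered binary:", VerifyRelease(pub, sums, sig, "origamy-sample", append(bin, 0)))
}
```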