v0.1.12

@africhild africhild released this 30 Jun 18:19
9216093

Origamy CLI v0.1.12 — BYOD security release

Security hardening for Bring-Your-Own-Data-Plane enrollment and the install supply chain:

  • mTLS enrollment (BYOD Phase 2 client): the CLI now generates an EC P-256 keypair + CSR locally, registers with the control plane in a single round-trip, and stores the issued identity (tls.crt/tls.key/ca.crt) as a Kubernetes Secret or 0600 Docker files. The data plane's private key never leaves the machine.
  • Enrollment credential safety (HIGH): v2 enrollment handles are redeemed over HTTPS instead of decoding the permanent dpt_ token out of the enrollment string. v1 tokens still work for backward compatibility.
  • Supply-chain integrity: releases now publish SHA256SUMS and a detached Ed25519 signature (SHA256SUMS.sig). install.sh verifies both against an embedded public key (fail-closed) before running the downloaded binary.
  • ClickHouse password is sourced from a Kubernetes Secret instead of helm --set (which leaks to Helm history).

Verify your download:

shasum -a 256 -c SHA256SUMS
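
The `shasum` check only proves the binary matches SHA256SUMS; the Ed25519 signature is what authenticates SHA256SUMS itself. The following added example (not the project's install.sh or code) shows the fail-closed order in Go, assuming SHA256SUMS.sig is a raw 64-byte Ed25519 signature over the file's exact bytes; the key, artifact name and data are constructed in `Demo`.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// VerifyRelease fails closed: the signature over SHA256SUMS is checked first,
// and the list is only trusted for the checksum lookup once it is authentic.
// Assumption: sig is a raw Ed25519 signature over the exact bytes of sums.
func VerifyRelease(pub ed25519.PublicKey, sums, sig []byte, name string, artifact []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sums, sig) {
		return fmt.Errorf("SHA256SUMS signature invalid")
	}
	want := sha256.Sum256(artifact)
	for _, line := range strings.Split(string(sums), "\n") {
		// sha256sum line format: "<hex digest>  <file>" ('*' marks binary mode)
		f := strings.Fields(line)
		if len(f) != 2 || strings.TrimPrefix(f[1], "*") != name {
			continue
		}
		got, err := hex.DecodeString(f[0])
		if err != nil || !bytes.Equal(got, want[:]) {
			return fmt.Errorf("checksum mismatch for %s", name)
		}
		return nil
	}
	return fmt.Errorf("%s not listed in SHA256SUMS", name)
}

// Demo runs accept and reject cases on a constructed key and artifact (not the project's).
func Demo() (ok, tamperedSums, tamperedBinary error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	bin := []byte("constructed binary bytes")
	name := "cli_linux_amd64" // hypothetical artifact name
	d := sha256.Sum256(bin)
	sums := []byte(hex.EncodeToString(d[:]) + "  " + name + "\n")
	sig := ed25519.Sign(priv, sums)
	evil := bytes.Replace(sums, []byte(name), []byte("other"), 1)
	return VerifyRelease(pub, sums, sig, name, bin),
		VerifyRelease(pub, evil, sig, name, bin),
		VerifyRelease(pub, sums, sig, name, append(bin, 'x'))
}

func main() { fmt.Println(Demo()) }
```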