CDK Architecture

Before you can deploy the CDK, you must have access to a namespace in a Kubernetes cluster. The cluster must have an ingress controller deployed on it.

CDK Deployments

  • Let you get the ForgeRock Identity Platform up and running on Kubernetes.

  • Are suitable for demonstrations and proofs of concept.

  • Build Kubernetes manifests based on the Kustomize bases and overlays in your local forgeops repository clone.

  • Use the image defaulter to specify which Docker images to use to run the platform:

    • By default, the image defaulter specifies the evaluation-only Docker images for release 7.1.0 of the platform, available from ForgeRock’s public registry. These images use ForgeRock’s canonical configurations for AM and IDM.

    • When you build custom Docker images with customized AM and IDM configurations, the cdk build command updates the image defaulter to specify your custom images.

The cdk install command with the --dev option uses your own Docker images.

CDK Pods

After deploying the platform, you’ll see the following pods running in your namespace. The pods are the same, regardless of whether you performed a demo or developer deployment:

Diagram of the deployed CDK.

am

Runs ForgeRock Access Management.

When AM starts for the first time in a CDK deployment, it obtains its configuration from the AM Docker image. If you subsequently restart AM, it obtains its configuration from the Git repository running in your namespace.

After the am pod has started, a job is triggered that populates AM’s application store with several agents and OAuth 2.0 client definitions that are used by the CDK.

ds-idrepo-0

The ds-idrepo-0 pod provides directory services for:

  • The identity repository shared by AM and IDM

  • The IDM repository

  • The AM application and policy store

  • AM’s Core Token Service

idm

Runs ForgeRock Identity Management.

When IDM starts for the first time in a CDK deployment, it obtains its configuration from the IDM Docker image. If you subsequently restart IDM, it obtains its configuration from the Git repository running in your namespace.

In containerized deployments, IDM must retrieve its configuration from the file system and not from the IDM repository. The default values for the openidm.fileinstall.enabled and openidm.config.repo.enabled properties in the CDK’s system.properties file ensure that IDM retrieves its configuration from the file system. Do not override the default values for these properties.
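One way to check a system.properties file for the override warned about above, as an added example that is not part of the ForgeRock documentation or the forgeops repository. It assumes the CDK defaults are openidm.fileinstall.enabled=true and openidm.config.repo.enabled=false (values this page does not state; confirm them in your forgeops clone); the function names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the ForgeRock docs or forgeops): report whether an
# IDM system.properties still makes IDM load configuration from the file system.
# ASSUMPTION: the CDK defaults are fileinstall=true and config.repo=false.
# The page does not state them; confirm against your forgeops clone.
EXPECT_FILEINSTALL="${EXPECT_FILEINSTALL:-true}"
EXPECT_CONFIG_REPO="${EXPECT_CONFIG_REPO:-false}"

# Print the effective value of key $1 in properties file $2, or "unset".
# Skips comments, accepts "=" or ":" with optional whitespace, and lets the
# last definition win, as java.util.Properties does.
prop_value() {
  awk -v key="$1" '
    /^[ \t]*[#!]/ { next }
    {
      line = $0
      sub(/\r$/, "", line); sub(/^[ \t]+/, "", line)
      if (!match(line, /[ \t]*[=:][ \t]*/)) next
      k = substr(line, 1, RSTART - 1)
      v = substr(line, RSTART + RLENGTH)
      sub(/[ \t]+$/, "", v)
      if (k == key) { val = v; found = 1 }
    }
    END { print (found ? val : "unset") }
  ' "$2"
}

# Print one line per property; return 1 if either differs from the expected
# value. "unset" counts as drift because the file no longer pins the setting.
audit_idm_config_source() {
  local file="$1" rc=0 pair key want got
  for pair in "openidm.fileinstall.enabled=$EXPECT_FILEINSTALL" \
              "openidm.config.repo.enabled=$EXPECT_CONFIG_REPO"; do
    key="${pair%%=*}"; want="${pair#*=}"
    got="$(prop_value "$key" "$file")"
    if [ "$got" = "$want" ]; then
      echo "OK    $key=$got"
    else
      echo "DRIFT $key=$got (expected $want)"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: a later line overrides the repo setting.
demo_file="$(mktemp)"
printf '%s\n' '# constructed sample' 'openidm.fileinstall.enabled = true' \
  'openidm.config.repo.enabled=false' 'openidm.config.repo.enabled=true' > "$demo_file"
audit_idm_config_source "$demo_file" || echo "configuration source has drifted"
rm -f "$demo_file"
```

Run against the system.properties that goes into a custom IDM image, a non-zero return from audit_idm_config_source can fail the build before the image is deployed.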

rcs-agent

Runs the IDM Remote Connector Server Agent.

UI pods

Several pods provide access to ForgeRock common user interfaces:

  • admin-ui

  • end-user-ui

  • login-ui
