Additional Setup

This page covers setup tasks that you’ll need to perform before you can develop custom Docker images for the ForgeRock Identity Platform. Complete all of the tasks on this page before proceeding.

Configure Your Environment to Write to Your Docker Registry

Set up your local environment to write Docker images:

Minikube

Set up your local environment to execute docker commands on Minikube’s Docker engine.

ForgeRock recommends using the built-in Docker engine when developing custom Docker images using Minikube. When you use Minikube’s Docker engine, you don’t have to build Docker images on a local engine and then push the images to a local or cloud-based Docker registry. Instead, you build images using the same Docker engine that Minikube uses. This streamlines development.

To set up your local computer to use Minikube’s Docker engine:

  1. Run the docker-env command in your shell:

    $ eval $(minikube docker-env)

  2. Stop Skaffold from pushing Docker images to a remote Docker registry [1]:

    $ skaffold config set --kube-context minikube local-cluster true
    set value local-cluster to true for context minikube

For more information about using Minikube’s built-in Docker engine, see Use local images by re-using the Docker daemon in the Minikube documentation.

GKE shared cluster

In the environment you’re setting up, Skaffold builds Docker images using the Docker software you’ve installed on your local computer. After it builds the images, Skaffold pushes them to a Docker registry available to your GKE cluster.

For Skaffold to be able to push the Docker images:

  • Docker must be running on your local computer.

  • Your local computer needs credentials that let Skaffold push the images to the Docker registry available to your cluster.

  • Skaffold needs to know the location of the Docker registry.

To set up your local computer to push Docker images:

  1. If it’s not already running, start Docker on your local computer. For more information, see the Docker documentation.

  2. Set up a Docker credential helper:

    $ gcloud auth configure-docker

  3. Run the kubectx command to obtain the Kubernetes context.

  4. Configure Skaffold with the Docker registry location you obtained from your cluster administrator and the Kubernetes context you obtained in Context for the Shared Cluster:

    $ skaffold config set default-repo my-docker-registry --kube-context my-kubernetes-context

EKS shared cluster

In the environment you’re setting up, Skaffold builds Docker images using the Docker software you’ve installed on your local computer. After it builds the images, Skaffold pushes them to a Docker registry available to your EKS cluster.

For Skaffold to be able to push the Docker images:

  • Docker must be running on your local computer.

  • Your local computer needs credentials that let Skaffold push the images to the Docker registry available to your cluster.

  • Skaffold needs to know the location of the Docker registry.

To set up your local computer to push Docker images:

  1. If it’s not already running, start Docker on your local computer. For more information, see the Docker documentation.

  2. Log in to Amazon ECR. Use the Docker registry location you obtained from your cluster administrator:

    $ aws ecr get-login-password | \
     docker login --username AWS --password-stdin my-docker-registry
    Login Succeeded

    ECR login sessions expire after 12 hours. Because of this, you’ll need to perform these steps again whenever your login session expires.[2]

  3. Run the kubectx command to obtain the Kubernetes context.

  4. Configure Skaffold with the Docker registry location and the Kubernetes context:

    $ skaffold config set default-repo my-docker-registry --kube-context my-kubernetes-context
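
The note on step 2 mentions automating the ECR login with cron. The script below is an added example, not part of the ForgeRock documentation or the forgeops repository; it assumes the registry host has the form account-id.dkr.ecr.region.amazonaws.com, and the function names and script path are hypothetical.

```shell
#!/bin/sh
# Added example (not ForgeRock code): refresh the ECR Docker login from cron.
# Assumption: registry host looks like <account-id>.dkr.ecr.<region>.amazonaws.com.

# Print the registry host, dropping any repository path after the first "/".
ecr_host() {
    printf '%s\n' "${1%%/*}"
}

# Print the region encoded in an ECR host; return 1 for any other host.
ecr_region() {
    host=$(ecr_host "$1")
    case "$host" in
        *[!A-Za-z0-9.-]*) return 1 ;;
        [0-9]*.dkr.ecr.?*.amazonaws.com) ;;
        *) return 1 ;;
    esac
    region=${host#*.dkr.ecr.}
    region=${region%.amazonaws.com}
    case "$region" in *.*) return 1 ;; esac
    printf '%s\n' "$region"
}

# Log Docker in to the registry; the token travels on stdin, never in argv or logs.
ecr_login() {
    host=$(ecr_host "$1")
    region=$(ecr_region "$1") || {
        echo "ecr-login: not an ECR registry host: $host" >&2
        return 2
    }
    token=$(aws ecr get-login-password --region "$region") || {
        echo "ecr-login: no token obtained for region $region" >&2
        return 1
    }
    [ -n "$token" ] || return 1
    printf '%s' "$token" |
        docker login --username AWS --password-stdin "$host" >/dev/null || {
        token=
        echo "ecr-login: docker login failed for $host" >&2
        return 1
    }
    token=
    echo "ecr-login: login refreshed for $host" >&2
}

# Runs only when a registry is given. Crontab entry (hypothetical script path),
# every 6 hours so the 12-hour session never lapses:
#   0 */6 * * * /path/to/ecr-login.sh my-docker-registry
if [ "$#" -gt 0 ]; then ecr_login "$1"; fi
```

The script exits with status 2 when the argument is not an ECR host, so a mistyped registry location shows up in cron's mail or log instead of failing silently at the next skaffold push.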

AKS shared cluster

In the environment you’re setting up, Skaffold builds Docker images using the Docker software you’ve installed on your local computer. After it builds the images, Skaffold pushes them to a Docker registry available to your AKS cluster.

For Skaffold to be able to push the Docker images:

  • Docker must be running on your local computer.

  • Your local computer needs credentials that let Skaffold push the images to the Docker registry available to your cluster.

  • Skaffold needs to know the location of the Docker registry.

To set up your local computer to push Docker images:

  1. If it’s not already running, start Docker on your local computer. For more information, see the Docker documentation.

  2. Install the ACR Docker Credential Helper.

  3. Run the kubectx command to obtain the Kubernetes context.

  4. Configure Skaffold with the Docker registry location you obtained from your cluster administrator and the Kubernetes context you obtained in Context for the Shared Cluster:

    $ skaffold config set default-repo my-docker-registry --kube-context my-kubernetes-context

Create a Configuration Profile

Your configuration profile contains your customizations to ForgeRock’s canonical configuration.

To initialize your configuration profile with ForgeRock’s canonical configuration:

  • First, initialize the staging area with ForgeRock’s canonical configuration.

  • Then, save the configuration to your configuration profile in the /path/to/forgeops/config directory.

Perform these steps:

  1. Change to the /path/to/forgeops/bin directory.

  2. Initialize the staging area with the canonical CDK configuration profile for the ForgeRock Identity Platform:

    $ cd /path/to/forgeops/bin
    $ ./config.sh init --profile cdk
    Removing docker/7.0/am/config/
    Removing docker/7.0/amster/config/
    Removing docker/7.0/idm/conf/
    Removing docker/7.0/idm/ui/
    Removing docker/7.0/ig/config/
    Copying /path/to/forgeops/config/7.0/cdk/idm.
    Copying /path/to/forgeops/config/7.0/cdk/am.
    Copying /path/to/forgeops/config/7.0/cdk/ig.
    Copying /path/to/forgeops/config/7.0/cdk/amster.
    Completed

    The config.sh init --profile cdk command clears out the staging area, and then copies the canonical configuration for the CDK from the config/7.0/cdk directory to the staging area:

    [Figure: Initializing the staging area.]

  3. Initialize your configuration profile with the canonical AM static configuration:

    $ ./config.sh save --component am --profile my-profile
    Saving AM configuration.

    The config.sh save --component am --profile my-profile command copies AM’s static configuration from the staging area to a configuration profile. Because the configuration profile does not exist yet, the config.sh save command creates it.

    [Figure: Saving the configuration from the staging area.]

  4. Initialize your configuration profile with the canonical AM dynamic configuration:

    $ ./config.sh save --component amster --profile my-profile
    Saving Amster configuration..
    
    * APPLYING FIXES *
    Adding back amsterVersion placeholder …
    Adding back FQDN placeholder …
    Removing 'userpassword-encrypted' fields …
    
    Adding back password placeholder with defaults in these files:
    
    idm-provisioning.json
    idm-resource-server.json
    resource-server.json
    oauth2.json
    ig-agent.json
    
    The above fixes have been made to the Amster files.
    If you have exported new files that should contain commons
    placeholders or passwords, please update the rules in this script.

    The config.sh save --component amster --profile my-profile command copies AM dynamic configuration from the staging area to a configuration profile.

    [Figure: Saving the configuration from the staging area.]

  5. Initialize your configuration profile with the canonical IDM static configuration:

    $ ./config.sh save --component idm --profile my-profile
    Saving IDM configuration.

    The config.sh save --component idm --profile my-profile command copies IDM’s static configuration from the staging area to a configuration profile.

    [Figure: Saving the configuration from the staging area.]


[1] If your cluster’s context is not minikube, replace minikube with the actual context name in the skaffold config set command.
[2] You can automate logging into ECR every 12 hours by using the cron utility.