Changes
August 10, 2020
- CDM on newer Kubernetes versions
  CDM has been tested on newer versions of Kubernetes. See Recommended Kubernetes Versions for details.
- New print-secrets.sh script
  Secrets for both the CDK and the CDM are generated dynamically when they start up. To obtain the secrets, run the print-secrets.sh script. For example, to obtain the amadmin user's password:

    $ cd /path/to/forgeops/bin
    $ ./print-secrets.sh amadmin
- New UI pods
  Several new pods, deployed in both the CDK and the CDM, handle common user interface functions. The new pods are named admin-ui, end-user-ui, and login-ui.
- No need to explicitly scale AM after CDM startup
  The new version of the CDM starts three AM pods at startup. Previous versions of the CDM started a single AM pod; after CDM startup, you restarted the AM pod and then ran the kubectl scale command to increase the number of AM pods.
- Different directory superuser DN and backend database
  In this revision, the CDK and the CDM use:
    - Directory superuser's DN: uid=admin
    - Directory backend database: appData
  No longer used:
    - Directory superuser's DN: cn=Directory Manager
    - Directory backend database: userRoot
- Increased virtual hardware requirements for running the CDK on Minikube
  CPU and memory requirements for running the CDK on Minikube have increased:
    - 3 CPUs (or more) are now required.
    - 12288 MB (or more) of virtual memory is now required.
- New technique for building base Docker images
  Because Dockerfiles for the base Docker images no longer reside in the forgeops repository, the steps for building base Docker images have changed. See Base Docker Images for the new steps.
- New technique for IDM REST API access
  Accessing the IDM REST API now requires an access token issued by AM. See Access the IDM REST APIs in IDM Services for an example.
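  The token-then-call flow described above, as an added example that is not code from the forgeops repository or the ForgeRock documentation. It assumes a confidential OAuth 2.0 client registered in AM's top-level realm (hypothetical name idm-resource-server) that is allowed the client_credentials grant and the scope fr:idm:*, that IDM's REST context is served at /openidm on the same ingress hostname as AM (the /idm default URL is the IDM UI), and that the client secret is supplied in the CLIENT_SECRET environment variable (for example, from print-secrets.sh output). Hostname, client name, scope and paths are all assumptions to adjust for your deployment.

```shell
#!/usr/bin/env bash
# Added example, not code from the forgeops repository or its docs: fetch an
# OAuth 2.0 access token from AM, then call the IDM REST API with it as a
# bearer token. Assumptions (adjust to your deployment): a confidential
# OAuth 2.0 client in AM's top-level realm named "idm-resource-server",
# allowed the client_credentials grant and the scope "fr:idm:*"; IDM's REST
# context is "/openidm" behind the same ingress hostname as AM.
set -eu

FR_HOST="${FR_HOST:-my-namespace.iam.example.com}"   # assumed hostname
AM_URL="https://${FR_HOST}/am"
IDM_URL="https://${FR_HOST}/openidm"
CLIENT_ID="${CLIENT_ID:-idm-resource-server}"
CLIENT_SECRET="${CLIENT_SECRET:-}"    # e.g. exported from print-secrets.sh output
SCOPE="${SCOPE:-fr:idm:*}"
# CDM deployments present a self-signed certificate: point this at the CA
# that issued it so curl verifies TLS instead of disabling verification (-k).
CA_BUNDLE="${CA_BUNDLE:-}"

# Extract "access_token" from AM's JSON token response with sed (no jq
# dependency). Prints nothing when the field is absent, e.g. on
# {"error":"invalid_client"}, so callers can fail closed on an empty result.
extract_access_token() {
  printf '%s\n' "$1" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Build the curl config stanza carrying the client credentials, so the secret
# is handed to curl on stdin (curl -K -) rather than on the command line,
# where any local user could read it from the process list.
curl_auth_config() {
  printf 'user = "%s:%s"\n' "$1" "$2"
}

# Client-credentials grant against AM's token endpoint; prints the token.
# --fail is deliberately omitted here so AM's JSON error body is shown.
get_access_token() {
  resp=$(curl_auth_config "$CLIENT_ID" "$CLIENT_SECRET" |
    curl --silent --show-error -K - \
      ${CA_BUNDLE:+--cacert "$CA_BUNDLE"} \
      --data "grant_type=client_credentials" \
      --data-urlencode "scope=${SCOPE}" \
      "${AM_URL}/oauth2/access_token")
  token=$(extract_access_token "$resp")
  if [ -z "$token" ]; then
    echo "AM returned no access_token: $resp" >&2
    return 1
  fi
  printf '%s' "$token"
}

# GET an IDM REST path with the bearer token, e.g. "managed/user?_queryFilter=true".
# --fail makes a missing, expired or under-scoped token (HTTP 401/403) a
# non-zero exit instead of a silently returned error document.
idm_get() {
  curl --fail --silent --show-error \
    ${CA_BUNDLE:+--cacert "$CA_BUNDLE"} \
    --header "Authorization: Bearer $1" \
    "${IDM_URL}/$2"
}

# Usage: CLIENT_SECRET=... ./idm-rest.sh 'managed/user?_queryFilter=true&_pageSize=5'
# Runs only when a path argument is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  token=$(get_access_token)
  idm_get "$token" "$1"
fi
```

  Calling idm_get with an empty or stale token is the quickest way to confirm the change this entry describes: IDM now answers with HTTP 401 and curl exits non-zero, whereas the token request itself should succeed only for a client AM knows and that is allowed the requested scope.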
February 20, 2020
- Deployment with Skaffold and Kustomize instead of Helm
  This revision uses Skaffold and Kustomize, instead of Helm charts, to deploy the platform.
  Skaffold can detect changes to the file system that holds the AM, IDM, and IG configurations. When it detects a change to one of those configurations, it rebuilds the am, idm, or ig Docker image, and then reorchestrates the ForgeRock Identity Platform deployment. Note that changes to dynamic AM configuration data (policies and application data) are not automatically detected by Skaffold. Changes to dynamic AM configuration data still need to be exported using Amster.
  For more information about customizing the ForgeRock Identity Platform configuration when working with Skaffold, see Docker Image Development.
- Changes to CDM zones and node pools
  In the new revision, CDM deployments use three availability zones and two node pools. In previous versions, CDM deployments used two zones and a single node pool.
- New scripts for installing third-party components
  This revision includes improved bash scripts for installing the NGINX ingress controller, Certificate Manager, Prometheus, Grafana, and Alertmanager in a CDM cluster. The new scripts are ingress-controller-deploy.sh, certmanager-deploy.sh, and prometheus-deploy.sh.
- Helm tiller pod no longer required
  Although the CDM still uses Helm charts to install the NGINX ingress controller and Prometheus, a Helm tiller pod is no longer needed in the CDM cluster. In the previous version, CDM deployment required a running tiller pod to support Helm chart deployment.
- Revised benchmarking technique
  This revision uses Gradle to trigger AM and IDM simulations for benchmarking performance.
- Revised backup technique
  In this revision, backup is greatly simplified. Backups are written to local disks mounted in the same pods in which DS runs.
  The previous version required an NFS-mounted external storage device (Google Filestore or EFS) to be available for backup. The external storage device is no longer needed.
  For more information, see CDM Backup and Restore.
- Modified DS topology in the CDM
  This revision's DS topology:
    - Two DS services are used: the CTS and ID Repo services. CTS directories hold CTS tokens. ID Repo directories hold identities, configuration data, policies, application data, and IDM run-time data.
    - Three replicas of each service are deployed.
  The previous version's DS topology:
    - Three DS services were used: CTS, AM userstore, and AM configuration store. A PostgreSQL database hosted IDM run-time data.
    - Two replicas of each service were deployed.
  For more information, see CDM Architecture.
- IG not deployed by default
  In this revision, IG is not deployed as part of the CDK or CDM, and benchmarks for IG performance are no longer published in the CDM Cookbooks. You can still deploy IG with the CDK or CDM; use the Kustomize base and overlays in the /path/to/forgeops/kustomize/ig directory.
- CDM sizing and benchmarks
  The CDM Cookbooks provide the steps for creating medium-sized (10,000,000 users) clusters. You can still create small-sized (1,000,000 users) and large-sized (100,000,000 users) clusters using the artifacts in the forgeops repository.
  Benchmarks for small, medium, and large clusters are available for Google GKE. Benchmarks for medium clusters only are available for Amazon EKS and Microsoft Azure AKS.
- Randomly generated administrator passwords
  The CDM and CDK use administrator passwords that are randomly generated by the secrets generator. See the UI and API Access pages in the CDM and CDK documentation for information about how to obtain the administrator passwords.
- New Docker image and pod names
  ForgeRock's Docker image repository names are now am, idm, and ig. In previous versions, the Docker image repository names were openam, openidm, and openig.
  Kubernetes pod names now include the strings am, idm, and ig. In previous versions, the pod names included the strings openam, openidm, and openig.
- New method for building base Docker images
  As with previous versions, you must still build your own base Docker images for the ForgeRock Identity Platform for production deployments on Kubernetes. In this version, you must download the ForgeRock binaries manually before building the Docker images.
  In the previous version, a script automatically downloaded the binaries from ForgeRock's Artifactory repository. This script has been removed from the forgeops repository.
  For more information, see Base Docker Images.
- AM WAR file customization script removed
  The customize-am.sh script is no longer available in this revision of the forgeops repository. To customize the AM web container in this revision, add instructions to the am Dockerfile to copy your customizations into the /usr/local/tomcat/webapps/am directory.
- New backup-loader.sh script
  The new backup-loader.sh script lets you create PVCs from DS binary backups before you start the platform, so that DS instances in the platform use the data from the PVCs.
- Different default URLs
  Use the following default URLs to access ForgeRock Identity Platform services in this revision, where namespace is your Kubernetes namespace and domain is your deployment's domain:
    - AM: https://namespace.iam.domain/am
    - IDM: https://namespace.iam.domain/idm
    - IG: https://namespace.iam.domain/ig
- Support for newer versions of CDM third-party software
  The CDM includes more recent versions of its third-party components. See these scripts for details about the versions of third-party software currently used with the CDM: ingress-controller-deploy.sh, certmanager-deploy.sh, and prometheus-deploy.sh.
- Certificate Manager no longer required for the CDK on Minikube
  Support for self-signed certificates and signing certificates is built into the CDK when it runs on Minikube. Because of this, you no longer need to deploy Certificate Manager when deploying the CDK on Minikube.
- Self-signed certificates for GKE CDM deployments
  CDM deployments use Certificate Manager for TLS support. In previous versions, Certificate Manager was configured to call Let's Encrypt to provide certificates for CDM deployments on GKE. In this revision, Certificate Manager is configured to provide a self-signed certificate for CDM deployments on GKE.
- DevOps Developer's Guide replaced
  The DevOps Developer's Guide has been replaced with two new guides:
    - DevOps Developer's Guide: Using Minikube
    - DevOps Developer's Guide: Using a Shared Cluster
  The content in the new guides is similar to the DevOps Developer's Guide. Each of the new guides limits its descriptions to a single type of cluster, thus simplifying procedures.
- Before You Deploy section moved
  The information formerly in the Before You Deploy section of the Release Notes has been moved. This information is now available where it's needed instead of on linked pages.
- DevOps QuickStart Guide removed
  The DevOps QuickStart Guide tutorial has been removed from the documentation.
- CDM and CDK installation requires Linux or macOS
  ForgeRock supports CDK and CDM installation on Linux and macOS only. If you use a Microsoft Windows computer, you'll need to create a Linux virtual machine for installing the CDK and the CDM.