August 10, 2020

CDM on newer Kubernetes versions

CDM has been tested on newer versions of Kubernetes. See Recommended Kubernetes Versions for details.

New script

Secrets for both the CDK and the CDM are generated dynamically when they start up. To obtain the secrets, run the script.

For example, to obtain the amadmin user’s password:

$ cd /path/to/forgeops/bin
$ ./ amadmin
New UI pods

Several new pods, deployed in both the CDK and the CDM, handle common user interface functions. The new pods are named admin-ui, end-user-ui, and login-ui.

No need to explicitly scale AM after CDM startup

The new version of the CDM starts three pods.

Previous versions of the CDM started a single AM pod. After CDM startup, you restarted the AM pod, and then ran the kubectl scale command to scale the number of AM pods.

Different directory superuser DN and backend database

In this revision, the CDK and the CDM use:

  • Directory superuser’s DN: uid=admin

  • Directory backend database: appData

No longer used:

  • Directory superuser’s DN: cn=Directory Manager

  • Directory backend database: userRoot

Increased virtual hardware requirements for running the CDK on Minikube

CPU and memory requirements for running the CDK on Minikube have increased:

  • 3 CPUs (or more) are now required.

  • 12288 MB (or more) virtual memory are now required.

New technique for building base Docker images

Because Dockerfiles for the base Docker images no longer reside in the forgeops repository, the steps for building base Docker images have changed. See Base Docker Images for the new steps.

New technique for IDM REST API access

Accessing the IDM REST API now requires an access token issued by AM. See Access the IDM REST APIs in IDM Services for an example.

February 20, 2020

Deployment with Skaffold and Kustomize instead of Helm

This revision uses Skaffold and Kustomize, instead of using Helm charts, to deploy the platform.

Skaffold can detect changes to the file system that holds the AM, IDM, and IG configurations. When it detects a change to one of those configurations, it rebuilds the am, idm, or ig Docker image. Then, it reorchestrates the ForgeRock Identity Platform deployment.

Note that changes to dynamic AM configuration data—policies and application data—are not automatically detected by Skaffold. Changes to dynamic AM configuration data still need to be exported using Amster.

For more information about customizing the ForgeRock Identity Platform configuration when working with Skaffold, see Docker Image Development.

Changes to CDM zones and node pools

In the new revision, CDM deployments use three availability zones and two node pools.

In previous versions, CDM deployments used two zones and a single node pool.

New scripts for installing third-party components

This revision includes improved bash scripts for installing the NGINX ingress controller, Certificate Manager, Prometheus, Grafana, and Alertmanager in a CDM cluster.

Helm tiller pod no longer required

Although the CDM still uses Helm charts to install the NGINX ingress controller and Prometheus, a Helm tiller pod is no longer needed in the CDM cluster.

In the previous version, CDM deployment required a running tiller pod to support Helm chart deployment.

Revised benchmarking technique

This revision uses Gradle to trigger AM and IDM simulations for benchmarking performance.

Revised backup technique

In this revision, backup is greatly simplified. Backups are made to local disks running in the same pods in which DS runs.

The previous version required an NFS-mounted external storage device (Google Filestore or EFS) to be available for backup. The external storage device is no longer needed.

For more information, see CDM Backup and Restore.

Modified DS topology in the CDM

This revision’s DS topology:

  • Two DS services are used: the CTS and ID Repo services. CTS directories hold CTS tokens. ID Repo directories hold identities, configuration data, policies, application data, and IDM run-time data.

  • Three replicas of each service are deployed.

The previous version’s DS topology:

  • Three DS services were used: CTS, AM userstore, and AM configuration store. A PostgreSQL database hosted IDM run-time data.

  • Two replicas of each service were deployed.

For more information, see CDM Architecture.

IG not deployed by default

In this revision, IG is not deployed as part of the CDK or CDM, and benchmarks for IG performance are no longer published in the CDM Cookbooks.

You can still deploy IG with the CDK or CDM; use the Kustomize base and overlays in the /path/to/forgeops/kustomize/ig directory.

CDM sizing and benchmarks

The CDM Cookbooks provide the steps for creating medium-sized (10,000,000 users) clusters.

You can still create small-sized (1,000,000 users) and large-sized (100,000,000) clusters using the artifacts in the forgeops repository.

Benchmarks for small, medium, and large clusters are available for Google GKE. Benchmarks for medium clusters only are available for Amazon EKS and Microsoft Azure AKS.

Randomly generated administrator passwords

The CDM and CDK use administrator passwords that are randomly generated by the secrets generator.

See the UI and API Access pages in the CDM and CDK documentation for information about how to obtain the administrator passwords.

New Docker image and pod names

ForgeRock’s Docker image repository names are now am, idm, and ig. In previous versions, the Docker image repository names were openam, openidm, and openig.

Kubernetes pod names now include the strings am, idm, and ig. In previous versions, the pod names included the strings openam, openidm, and openig.

New method for building base Docker images

As with previous versions, you must still build your own base Docker images for the ForgeRock Identity Platform for production deployments on Kubernetes.

In this version, you must download the ForgeRock binaries manually before building the Docker images.

In the previous version, a script automatically downloaded the binaries from ForgeRock’s Artifactory repository. This script has been removed from the forgeops repository.

For more information, see Base Docker Images.

AM WAR file customization script removed

The script is no longer available in this revision of the forgeops repository.

To customize the AM web container in this revision, add instructions to the am Dockerfile to copy your customizations into the /usr/local/tomcat/webapps/am directory.

New script

The new script lets you create PVCs from DS binary backups before you start the platform, so that DS instances in the platform use the data from the PVCs.

Different default URLs

Use the following default URLs to access ForgeRock Identity Platform services in this revision:

  • AM: https://namespace.iam.domain/am

  • IDM: https://namespace.iam.domain/idm

  • IG: https://namespace.iam.domain/ig

Support for newer versions of CDM third-party software

The CDM includes more recent versions of these third-party components.

See these scripts for details about versions of third-party software currently used with the CDM:,, and

Certificate Manager no longer required for the CDK on Minikube

Support for self-signed certificates and signing certificates is built into the CDK when it runs on Minikube. Because of this, you no longer need to deploy Certificate Manager when deploying the CDK on Minikube.

Self-signed certificates for GKE CDM deployments

CDM deployments use Certificate Manager for TLS support. In previous versions, Certificate Manager was configured to call Let’s Encrypt to provide certificates for CDM deployments on GKE.

In this revision, Certificate Manager is configured to provide a self-signed certificate for CDM deployments on GKE.

DevOps Developer’s Guide replaced

The DevOps Developer’s Guide has been replaced with two new guides:

  • DevOps Developer’s Guide: Using Minikube

  • DevOps Developer’s Guide: Using a Shared Cluster

The content in the new guides is similar to the DevOps Developer’s Guide. Each of the new guides limits its descriptions to a single type of cluster, thus simplifying procedures.

Before You Deploy section moved

The information formerly in the Before You Deploy section of the Release Notes has been moved. This information is now available where it’s needed instead of on linked pages.

DevOps QuickStart Guide removed

The DevOps QuickStart Guide tutorial has been removed from the documentation.

CDM and CDK installation requires Linux or macOS

ForgeRock supports CDK and CDM installation on Linux and macOS only. If you use a Microsoft Windows computer, you’ll need to create a Linux virtual machine for installing the CDK and the CDM.

Copyright © 2010-2024 ForgeRock, all rights reserved.