- The RCS Agent has been removed from the CDM and CDK deployments
The RCS Agent is no longer available in the CDM and CDK deployments.
- The stable version of Kubernetes is now supported on Minikube clusters
You can now use the stable Kubernetes version when creating Minikube clusters that run the CDK.
Previously, the NGINX ingress configuration required the use of Kubernetes version 1.21 on Minikube. The ingress configuration has been updated, allowing the use of newer Kubernetes versions.
- Limitation on IDM workflow support in the CDK and CDM
The Release Notes now document the limitation that the CDK and CDM are not preconfigured to support IDM’s workflow engine.
Note that this limitation has existed since version 7.0 of the platform, when the CDK and CDM starting using DS as the IDM repository.
- Use the new cluster/minikube/cluster-up utility to create a Minikube cluster
The new cluster/minikube/cluster-up utility lets you create a Minikube cluster that’s configured for running the CDK.
The Minikube Cluster page now includes an example of how to run this utility.
- Use Kubernetes version 1.21 with Minikube deployments
When you create a Minikube cluster for deploying version 7.1 of the platform, use Kubernetes version 1.21.
Newer versions of Kubernetes are currently incompatible with version 7.1 of the platform.
- Enhanced debug-logs utility
The bin/debug-logs.sh script, which gathers information needed to help troubleshoot problems, has been replaced with a new utility, named bin/debug-logs.
In addition to the pod descriptions and container logs provided by the bin/debug-logs.sh script, the new utility provides information about PVCs, various Kubernetes objects, logs for the Secret Agent and DS operators, and other diagnostic information.
- New recommendation: deploy AM without subrealms
It’s now recommended that, when you deploy AM on Kubernetes, use a single root realm without any subrealms. For more information, see the section on AM limitations in the Release Notes.
- New amster command
Use the new amster import command instead of the config.sh import command to import sample AM run-time data to the CDK.
- Release branch
Version 7.1.0 of the
forgeopsrepository is available in the
Previously, release tags were used for
- Several Docker images from ForgeRock are supported in production deployments
The Docker images that implement UI elements in the ForgeRock Identity Platform are now supported for use in production deployments. For more information, see Base Docker Images.
Previously, users were required to build all the Docker images for the platform for use in their production deployments.
- Third-Party Kubernetes support changes
- Secure LDAP
Inbound communication to DS instances now occurs over secure LDAP (LDAPS). Previously, communication was over LDAP connections.
- IDM is now a Kubernetes deployment
Previously, IDM was deployed as a stateful set.
- Python 3 is now on the list of required third-party software
bindirectory in the
forgeopsrepository now contains scripts written in Python 3.
Python 3 has been added to the list of third-party software that you need to install before using the
forgeopsrepository. Note that Homebrew users can install Python 3 using the command,
brew install python.
- Python scripts
Some of the functionality available in bash scripts is replaced by the identical functionality in Python scripts. No functionality has been removed with these script changes:
clean.sh - Use the cdk delete Python script instead.
ds-operator.sh - Use the ds-operator Python script instead.
print-secrets.sh - Use the print-secrets Python script instead.
secret-agent.sh - Use the secret-agent Python script instead.
- Secrets are not created automatically when you install the platform on the CDM
A new step to configure the Secret Agent and create secrets is required when deploying the CDM.
Previously, this was done automatically by the skaffold run command.
Note that Skaffold still automates secret creation when you deploy the CDK.
- Volume snapshots technology preview
Support for volume snapshots has been added to the DS operator technology preview. For more information, see Snapshots.
- Configuration expressions in the AM configuration are preserved when the configuration is exported
Configuration expressions used in an AM configuration profile are now preserved in that profile after you export a configuration from the CDK to a
For more information, see About Property Value Substitution in the CDK documentation.
- CDK and CDM deployment verified on newer Kubernetes versions
CDK and CDM deployments are now verified on newer Kubernetes versions. For more information, see Recommended Kubernetes Versions.
- The Secret Agent operator lets you change individual administration passwords
- CDM deployments no longer create a third
ds-idrepo-2replica is no longer deployed as part of the CDM.
IDM did not use this replica, and removing the replica improved replication performance for the CDM, and lowered the cost of the deployment.
- CDM backups are now taken from the
-0DS instances by default
CDM backups are now taken from the
ds-cts-0DS instances by default.
In previous versions, backups were taken from the
ds-cts-2DS instances by default.
For more information, see CDM Backup and Restore.
- Regions for CDM cluster creation no longer default
Previously, CDM clusters were created in specific regions by default.
- Long form command-line options for the
Long form command-line options are now available for the
ingress-controller-deploy.shcommand. To see the available options, run
- How to eliminate the need to accept a self-signed certificate on Minikube deployments
The CDK documentation now includes an optional step for adding a secret to Minikube deployments. The secret contains a TLS certificate issued by an external certificate authority (CA), or by a local CA that you create using the mkcert utility. Users who access ForgeRock web-based applications on deployments that have this type of secret do not need to accept a self-signed certificate.
- All main AM run-time data types supported when exporting configuration data
syncoptions of the
config.shcommand let you export AM run-time data from a running CDK instance to a configuration profile stored in a local clone of the
forgeopsrepository. With this release, the
syncoptions can now export all of these types of run-time data:
OAuth 2.0 clients
OpenID Connect 1.0 clients
IG, Web, Java, and SOAP STS agents
SAML v2.0 circles of trust and entities
In previous releases, only OAuth 2.0 clients and IG agents were exported.
- Performance benchmark changes
Two benchmarks are available for ForgeRock Identity Platform version 7:
An authentication rate benchmark, which measures authentication performed with AM REST API calls to an AM server configured to use CTS-based (stateful) sessions.
An OAuth 2.0 authorization code flow benchmark, which measures the throughput and response time of an AM server performing authentication, authorization, and session token management. AM is configured to use client-based (stateful) sessions for this benchmark.
Contact your ForgeRock sales representative to obtain our results for benchmarks for these ForgeRock Identity Platform version 7.
- Small and medium clusters now use a single node pool
For simpler deployments, small and medium CDM clusters now use a single node pool for all pods instead of using a second node pool for DS pods.
Large CDM clusters continue to use two node pools.
- Task maps and checklists in the documentation
The CDK and CDM documentation has been improved! New checklists help you navigate through set up and deployment activities:
Task maps are provided with each set up and deployment activity. They help you determine where you are in the deployment process, and indicate the next step you’ll perform.
ForgeRock now recommends that you start Minikube with the
cni=trueoption. Starting Minikube with this option circumvents Minikube issue 1568, which required users to run the Minikube VM in promiscuous mode.
In Minikube Cluster:
The step to create the Minikube VM has been modified to use the
The instruction to circumvent Minikube issue 1568 by placing the Minikube VM in promiscuous mode has been removed.