March 3, 2023

Additional documented DS limitations in CDK and CDM deployments

Three additional limitations on DS in CDK and CDM deployments are now documented here:

  • Database encryption is not supported

  • DS starts successfully even when it cannot decrypt a backend

  • Root file system write access is required to run the DS Docker image

Please note that these are not new limitations. They had inadvertently been omitted from the DS limitations section in the documentation.

December 6, 2022

CDM deployments on EKS should now use Kubernetes version 1.22

When you create an EKS cluster for deploying version 7.1 of the platform, use Kubernetes version 1.22.

CDM deployments should now use NGINX Ingress Controller version 1.4.0 or higher

When you deploy the NGINX Ingress Controller in your CDM cluster, use version 1.4.0[1] or higher.

November 11, 2022

The bin/ script is temporarily unavailable

There’s an outstanding issue (CLOUD-4064) logged against the bin/ script. Do not attempt to run this script until this issue has been resolved.

May 19, 2022

The RCS Agent has been removed from the CDM and CDK deployments

The RCS Agent is no longer available in the CDM and CDK deployments.

March 4, 2022

The stable version of Kubernetes is now supported on Minikube clusters

You can now use the stable Kubernetes version when creating Minikube clusters that run the CDK.

Previously, the NGINX ingress configuration required the use of Kubernetes version 1.21 on Minikube. The ingress configuration has been updated, allowing the use of newer Kubernetes versions.

November 11, 2021

Limitation on IDM workflow support in the CDK and CDM

The Release Notes now document the limitation that the CDK and CDM are not preconfigured to support IDM’s workflow engine.

Note that this limitation has existed since version 7.0 of the platform, when the CDK and CDM starting using DS as the IDM repository.

October 6, 2021

Use the new cluster/minikube/cluster-up utility to create a Minikube cluster

The new cluster/minikube/cluster-up utility lets you create a Minikube cluster that’s configured for running the CDK.

The Minikube Cluster page now includes an example of how to run this utility.

September 28, 2021

Use Kubernetes version 1.21 with Minikube deployments

When you create a Minikube cluster for deploying version 7.1 of the platform, use Kubernetes version 1.21.

Newer versions of Kubernetes are currently incompatible with version 7.1 of the platform.

Enhanced debug-logs utility

The bin/ script, which gathers information needed to help troubleshoot problems, has been replaced with a new utility, named bin/debug-logs.

In addition to the pod descriptions and container logs provided by the bin/ script, the new utility provides information about PVCs, various Kubernetes objects, logs for the Secret Agent and DS operators, and other diagnostic information.

August 10, 2021

New recommendation: deploy AM without subrealms

It’s now recommended that, when you deploy AM on Kubernetes, use a single root realm without any subrealms. For more information, see the section on AM limitations in the Release Notes.

July 12, 2021

New amster command

Use the new amster import command instead of the import command to import sample AM run-time data to the CDK.

Statement on forgeops repository feature evolution

The new forgeops Repository Feature Evolution section has been added to these DevOps Release Notes to clarify the meaning of feature statuses, such as technology preview, evolving, legacy, deprecated, and removed.

May 12, 2021

Release branch

Version 7.1.0 of the forgeops repository is available in the release/7.1.0 branch.

Previously, release tags were used for forgeops repository releases.

Several Docker images from ForgeRock are supported in production deployments

The Docker images that implement UI elements in the ForgeRock Identity Platform are now supported for use in production deployments. For more information, see Base Docker Images.

Previously, users were required to build all the Docker images for the platform for use in their production deployments.

Third-Party Kubernetes support changes

The section, Third-Party Kubernetes Services in Support From ForgeRock has been revised.

Secure LDAP

Inbound communication to DS instances now occurs over secure LDAP (LDAPS). Previously, communication was over LDAP connections.

IDM is now a Kubernetes deployment

Previously, IDM was deployed as a stateful set.

Python 3 is now on the list of required third-party software

The bin directory in the forgeops repository now contains scripts written in Python 3.

Python 3 has been added to the list of third-party software that you need to install before using the forgeops repository. Note that Homebrew users can install Python 3 using the command, brew install python.

Python scripts

Some of the functionality available in bash scripts is replaced by the identical functionality in Python scripts. No functionality has been removed with these script changes:

  • - Use the cdk delete Python script instead.

  • - Use the ds-operator Python script instead.

  • - Use the print-secrets Python script instead.

  • - Use the secret-agent Python script instead.

Secrets are not created automatically when you install the platform on the CDM

A new step to configure the Secret Agent and create secrets is required when deploying the CDM.

The new step—running the kubectl apply command—has been added to the Secret Agent Operator sections in the CDM Cookbooks for GKE, EKS, and AKS.

Previously, this was done automatically by the skaffold run command.

Note that Skaffold still automates secret creation when you deploy the CDK.

Volume snapshots technology preview

Support for volume snapshots has been added to the DS operator technology preview. For more information, see Snapshots.

Configuration expressions in the AM configuration are preserved when the configuration is exported

Configuration expressions used in an AM configuration profile are now preserved in that profile after you export a configuration from the CDK to a forgeops repository clone.

For more information, see About Property Value Substitution in the CDK documentation.

CDK and CDM deployment verified on newer Kubernetes versions

CDK and CDM deployments are now verified on newer Kubernetes versions. For more information, see Recommended Kubernetes Versions.

The Secret Agent operator lets you change individual administration passwords

The Secret Agent Operator now supports changing individual administration passwords. If periodic password changes are a requirement for your organization, you can change individual administration passwords as needed.

CDM deployments no longer create a third ds-idrepo replica

The ds-idrepo-2 replica is no longer deployed as part of the CDM.

IDM did not use this replica, and removing the replica improved replication performance for the CDM, and lowered the cost of the deployment.

CDM backups are now taken from the -0 DS instances by default

CDM backups are now taken from the ds-idrepo-0 and ds-cts-0 DS instances by default.

In previous versions, backups were taken from the ds-idrepo-2 and ds-cts-2 DS instances by default.

For more information, see CDM Backup and Restore.

Regions for CDM cluster creation no longer default

With this change, you must explicitly configure a region when you run one of the CDM cluster creation scripts. For details, see the environment setup sections for Google Cloud, AWS, and Azure.

Previously, CDM clusters were created in specific regions by default.

Long form command-line options for the command

Long form command-line options are now available for the command. To see the available options, run /path/to/forgeops/bin/ --help.

How to eliminate the need to accept a self-signed certificate on Minikube deployments

The CDK documentation now includes an optional step for adding a secret to Minikube deployments. The secret contains a TLS certificate issued by an external certificate authority (CA), or by a local CA that you create using the mkcert utility. Users who access ForgeRock web-based applications on deployments that have this type of secret do not need to accept a self-signed certificate.

All main AM run-time data types supported when exporting configuration data

The export and sync options of the command let you export AM run-time data from a running CDK instance to a configuration profile stored in a local clone of the forgeops repository. With this release, the export and sync options can now export all of these types of run-time data:

  • OAuth 2.0 clients

  • OpenID Connect 1.0 clients

  • IG, Web, Java, and SOAP STS agents

  • Policies

  • SAML v2.0 circles of trust and entities

In previous releases, only OAuth 2.0 clients and IG agents were exported.

Performance benchmark changes

Two benchmarks are available for ForgeRock Identity Platform version 7:

  • An authentication rate benchmark, which measures authentication performed with AM REST API calls to an AM server configured to use CTS-based (stateful) sessions.

  • An OAuth 2.0 authorization code flow benchmark, which measures the throughput and response time of an AM server performing authentication, authorization, and session token management. AM is configured to use client-based (stateful) sessions for this benchmark.

Contact your ForgeRock sales representative to obtain our results for benchmarks for these ForgeRock Identity Platform version 7.

Small and medium clusters now use a single node pool

For simpler deployments, small and medium CDM clusters now use a single node pool for all pods instead of using a second node pool for DS pods.

Large CDM clusters continue to use two node pools.

Task maps and checklists in the documentation

The CDK and CDM documentation has been improved! New checklists help you navigate through set up and deployment activities:

Task maps are provided with each set up and deployment activity. They help you determine where you are in the deployment process, and indicate the next step you’ll perform.

Minikube cni=true option

ForgeRock now recommends that you start Minikube with the cni=true option. Starting Minikube with this option circumvents Minikube issue 1568, which required users to run the Minikube VM in promiscuous mode.

  • The step to create the Minikube VM has been modified to use the cni=true option.

  • The instruction to circumvent Minikube issue 1568 by placing the Minikube VM in promiscuous mode has been removed.

1. NGINX Ingress Controller Helm chart version 4.3.0 installs NGINX Ingress Controller version 1.4.0.
Copyright © 2010-2023 ForgeRock, all rights reserved.