ForgeOps 7.1 Release Notes

Running the CDK on Minikube on macOS systems with ARM-based chipsets, such as the Apple M1 or M2, is now available on an experimental basis.

Refer to this ForgeRock Community article for details.

Three additional limitations on DS in CDK and CDM deployments are now documented here:

Please note that these are not new limitations. They had inadvertently been omitted from the DS limitations section in the documentation.

When you create an EKS cluster for deploying version 7.1 of the platform, use Kubernetes version 1.22.

When you deploy the NGINX Ingress Controller in your CDM cluster, use version 1.4.0^[1] or higher.

New evaluation-only Docker images are now available for the following versions of ForgeRock Identity Platform components:

ForgeRock Identity Management and ForgeRock Identity Gateway Docker images remain at version 7.1.2.

This documentation has been updated to refer to these new version of Docker images.

For more information about changes to the ForgeRock Identity Platform, refer to the Release Notes for platform components at https://backstage.forgerock.com/docs.

To upgrade to the new versions, you’ll need to rebuild your custom Docker images. Refer to Base Docker Images for instructions.

forgeops repository branch names now consist of the major and minor release numbers of ForgeRock Identity Platform components, followed by the release date.

There’s an outstanding issue (CLOUD-4064) logged against the bin/prometheus-deploy.sh script. Do not attempt to run this script until this issue has been resolved.

The RCS Agent is no longer available in the CDM and CDK deployments.

Evaluation-only Docker images are now available for version 7.1.2 of ForgeRock Identity Platform components.

This documentation has been updated to refer to version 7.1.2 Docker images instead of version 7.1.1 Docker images.

For more information about changes to the ForgeRock Identity Platform for version 7.1.2, refer to the Release Notes for platform components at https://backstage.forgerock.com/docs.

To upgrade from version 7.1.1 of the ForgeRock Identity Platform to version 7.1.2, you’ll need to rebuild your custom Docker images. Refer to Base Docker Images for instructions.

You can now use the stable Kubernetes version when creating Minikube clusters that run the CDK.

Previously, the NGINX ingress configuration required the use of Kubernetes version 1.21 on Minikube. The ingress configuration has been updated, allowing the use of newer Kubernetes versions.

Evaluation-only Docker images are now available for version 7.1.1 of ForgeRock Identity Platform components.

This documentation has been updated to refer to version 7.1.1 Docker images instead of version 7.1.0 Docker images.

For more information about changes to the ForgeRock Identity Platform for version 7.1.1, refer to the Release Notes for platform components at https://backstage.forgerock.com/docs.

To upgrade from version 7.1.0 of the ForgeRock Identity Platform to version 7.1.1, you’ll need to rebuild your custom Docker images. Refer to Base Docker Images for instructions.

The Release Notes now document the limitation that the CDK and CDM are not preconfigured to support IDM’s workflow engine.

Note that this limitation has existed since version 7.0 of the platform, when the CDK and CDM starting using DS as the IDM repository.

The new cluster/minikube/cluster-up utility lets you create a Minikube cluster that’s configured for running the CDK.

The Minikube Cluster page now includes an example of how to run this utility.

When you create a Minikube cluster for deploying version 7.1 of the platform, use Kubernetes version 1.21.

Newer versions of Kubernetes are currently incompatible with version 7.1 of the platform.

The bin/debug-logs.sh script, which gathers information needed to help troubleshoot problems, has been replaced with a new utility, named bin/debug-logs.

In addition to the pod descriptions and container logs provided by the bin/debug-logs.sh script, the new utility provides information about PVCs, various Kubernetes objects, logs for the Secret Agent and DS operators, and other diagnostic information.

It’s now recommended that, when you deploy AM on Kubernetes, use a single root realm without any subrealms. For more information, see the section on AM limitations in the Release Notes.

Adding dynamic AM configuration to the amster Docker image is deprecated.

Instead, import and export dynamic configuration in and out of the CDK and CDM using utilities such as:

A new how-to that provides instructions for deploying IG, and for creating a custom IG image, is now available.

A new page provides information about which version of the NGINX version to use with ForgeRock Identity Platform 7.1.

The list of supported and unsupported Skaffold profiles is now explicitly listed in the Repository Reference.

The unsupported Skaffold profiles are for ForgeRock internal use only. Do not use any of the unsupported profiles or their associated Kustomize bases and overlays.

The new way of deploying the CDK has moved from technology preview status to evolving status.

The documentation for the new way of deploying the CDK, previously in the Technology Previews menu, can now be found here.

The DS operator is now supported for use with demonstration and developer deployments that use the CDK.

The DS operator remains in technology preview status for production deployments. Do not use the operator in production deployments of the ForgeRock Identity Platform.

Use the new amster import command instead of the config.sh import command to import sample AM run-time data to the CDK.

The new feature evolution page has been added to these release notes to clarify the meaning of feature statuses, such as technology preview, evolving, legacy, deprecated, and removed.

The former way of deploying the CDK is now deprecated.

The documentation for the the former way of deploying the CDK, previously in the Cloud Developer’s Kit (CDK) menu, can be found here.

The CDQ has been removed from the forgeops repository.

A first look at a new way to deploy the CDK, and to use the CDK to develop custom Docker images for the ForgeRock Identity Platform with it:

You’ll find the documentation for the new technology CDK here.

The DS operator uses the Kubernetes operator design pattern to let you easily deploy and manage DS instances running in a Kubernetes cluster. After you install the ds-operator custom resource definition (CRD) in a cluster, you can use it to create DS instances, scale them, and manage backup and restore.

The DS operator is offered as a technology preview. Do not use it production deployments of the ForgeRock Identity Platform.

For more information, refer to DS Operator.

The CDM now includes an RCS Agent pod. The RCS Agent is a reliable websocket proxy between remote connector servers and the IDM instances in the CDM.

For more information, refer to CDM Architecture.

The CDQ is a very quick, single-command deployment of the ForgeRock Identity Platform on a Kubernetes cluster. The CDQ has very limited capabilities.

The new Secret Agent operator provides secret generation and management services for ForgeRock Identity Platform deployments on Kubernetes. The new Secret Agent operator replaces the deprecated forgeops-secret job, which previously was invoked when you deployed the platform using Skaffold.

By default, the operator examines your namespace to determine whether it contains all the secrets required for ForgeRock Identity Platform deployment. If any of the required secrets are not present, the operator generates them. Configuration options that let you change this default behavior are available.

In addition to secret generation, the new operator also integrates with Google Cloud Secret Manager, AWS Secrets Manager, and Azure Key Vault, providing cloud backup and retrieval for secrets.

For more information about secret generation options and secret management, refer to the Secret Agent project README.

This release of the forgeops repository introduces the cluster-up.sh and cluster-down.sh scripts, which you use to create and delete CDM clusters. These scripts replace the Pulumi scripts previously in the repository.

The new scripts are designed to be lightweight, and easy to use and modify. For GKE and AKS, the scripts call the cloud providers' SDKs. For EKS, the scripts call the eksctl CLI.

Instructions for creating clusters using the new scripts are available in the CDM Cookbooks for GKE, EKS, and AKS.

The deprecated Pulumi scripts are still available in the forgeops repository, in the /path/to/forgeops/cluster/pulumi-deprecated directory. They are no longer being maintained or upgraded. You can still use them with Pulumi 2.7.1 before you move to the new scripts.

This release restores the ability to create sized CDM clusters. Before deploying the CDM, you specify one of three cluster sizes:

Version 7.1.0 of the forgeops repository is available in the release/7.1.0 branch.

Previously, release tags were used for forgeops repository releases.

The Docker images that implement UI elements in the ForgeRock Identity Platform are now supported for use in production deployments. For more information, see Base Docker Images.

Previously, users were required to build all the Docker images for the platform for use in their production deployments.

The section, Third-Party Kubernetes Services in the Statement of Support has been revised.

Inbound communication to DS instances now occurs over secure LDAP (LDAPS). Previously, communication was over LDAP connections.

Previously, IDM was deployed as a stateful set.

The bin directory in the forgeops repository now contains scripts written in Python 3.

Python 3 has been added to the list of third-party software that you need to install before using the forgeops repository. Note that Homebrew users can install Python 3 using the command, brew install python.

Some of the functionality available in bash scripts is replaced by the identical functionality in Python scripts. No functionality has been removed with these script changes:

A new step to configure the Secret Agent and create secrets is required when deploying the CDM.

The new step—running the kubectl apply command—has been added to the Secret Agent Operator sections in the CDM Cookbooks for GKE, EKS, and AKS.

Previously, this was done automatically by the skaffold run command.

Note that Skaffold still automates secret creation when you deploy the CDK.

Support for volume snapshots has been added to the DS operator technology preview. For more information, see Snapshots.

Configuration expressions used in an AM configuration profile are now preserved in that profile after you export a configuration from the CDK to a forgeops repository clone.

For more information, see About Property Value Substitution in the CDK documentation.

CDK and CDM deployments are now verified on newer Kubernetes versions. For more information, see Recommended Kubernetes Versions.

The Secret Agent operator now supports changing individual administration passwords. If periodic password changes are a requirement for your organization, you can change individual administration passwords as needed.

The ds-idrepo-2 replica is no longer deployed as part of the CDM.

IDM did not use this replica, and removing the replica improved replication performance for the CDM, and lowered the cost of the deployment.

CDM backups are now taken from the ds-idrepo-0 and ds-cts-0 DS instances by default.

In previous versions, backups were taken from the ds-idrepo-2 and ds-cts-2 DS instances by default.

For more information, see CDM Backup and Restore.

With this change, you must explicitly configure a region when you run one of the CDM cluster creation scripts. For details, see the environment setup sections for Google Cloud, AWS, and Azure.

Previously, CDM clusters were created in specific regions by default.

Long form command-line options are now available for the ingress-controller-deploy.sh command. To see the available options, run /path/to/forgeops/bin/ingress-controller-deploy.sh --help.

The CDK documentation now includes an optional step for adding a secret to Minikube deployments. The secret contains a TLS certificate issued by an external certificate authority (CA), or by a local CA that you create using the mkcert utility. Users who access ForgeRock web-based applications on deployments that have this type of secret do not need to accept a self-signed certificate.

See TLS Certificate.

The export and sync options of the config.sh command let you export AM run-time data from a running CDK instance to a configuration profile stored in a local clone of the forgeops repository. With this release, the export and sync options can now export all of these types of run-time data:

In previous releases, only OAuth 2.0 clients and IG agents were exported.

Two benchmarks are available for ForgeRock Identity Platform version 7:

Contact your ForgeRock sales representative to obtain our results for benchmarks for these ForgeRock Identity Platform version 7.

For simpler deployments, small and medium CDM clusters now use a single node pool for all pods instead of using a second node pool for DS pods.

Large CDM clusters continue to use two node pools.

The CDK and CDM documentation has been improved! New checklists help you navigate through set up and deployment activities:

Task maps are provided with each set up and deployment activity. They help you determine where you are in the deployment process, and indicate the next step you’ll perform.

ForgeRock now recommends that you start Minikube with the cni=true option. Starting Minikube with this option circumvents Minikube issue 1568, which required users to run the Minikube VM in promiscuous mode.

In Minikube Cluster:

The DevOps artifacts for deploying ForgeRock Identity Platform 7.0 are deprecated. You should migrate to version 7.1 as soon as you’re able to.

The DevOps artifacts for deploying version 7.0 of the platform have been removed from the master branch of the forgeops repository. You can still get them from the 2020.08.07-ZucchiniRicotta.1 release tag of the repository.

The forgeops-secret job is deprecated. Use the new Secret Agent operator to obtain similar functionality, and for storing and retrieving secrets in Google Cloud Secret Manager, AWS Secrets Manager, and Azure Key Vault.

The scripts that provision CDM clusters using Pulumi are deprecated. Use the new cluster provisioning and removal scripts to obtain similar functionality.

The Pulumi scripts are still available in the /path/to/forgeops/cluster/pulumi-deprecated directory to help you as you transition to the new cluster provisioning scripts. You should move to the new scripts as quickly as possible, because the Pulumi scripts will be removed from the forgeops repository in a future release.