ForgeOps

CDM deployment

Now that you’ve set up your deployment environment following the instructions in the Setup section for your cloud platform, you’re ready to deploy the CDM:

  1. Identify Docker images to deploy:

    • If you want to use custom Docker images for the platform, update the image defaulter file with image names and tags generated by the forgeops build command. The image defaulter file is located at /path/to/forgeops/kustomize/deploy/image-defaulter/kustomization.yaml.

      You can get the image names and tags from the image defaulter file on the system on which the customized Docker images were developed.

    • If you want to use ForgeRock’s evaluation-only Docker images for the platform, do not modify the image defaulter file.

  2. Set the active namespace in your local Kubernetes context to the namespace in which you want to deploy the CDM.

  3. Run the forgeops install command. For example, to install a small-sized CDM deployment:

    $ cd /path/to/forgeops/bin
    $ ./forgeops install --small --fqdn cdm.example.com

    The forgeops install command examines the image defaulter file to determine which Docker images to use.

    If you prefer not to deploy the CDM using a single forgeops install command, see Alternative deployment techniques for more information.

    ForgeRock only offers ForgeRock software or services to legal entities that have entered into a binding license agreement with ForgeRock. When you install ForgeRock’s Docker images, you agree either that: 1) you are an authorized user of a ForgeRock customer that has entered into a license agreement with ForgeRock governing your use of the ForgeRock software; or 2) your use of the ForgeRock software is subject to the ForgeRock Subscription License Agreement located at link:https://www.forgerock.com/terms.

  4. Check the status of the pods in the namespace in which you deployed the CDM until all the pods are ready:

    1. Run the kubectl get pods command:

      $ kubectl get pods
      NAME                           READY   STATUS      RESTARTS   AGE
      admin-ui-69fb55cb7-plkbf       1/1     Running     0          2m30s
      am-655d4465d6-cg4cb            1/1     Running     0          3m33s
      am-655d4465d6-xqbt5            1/1     Running     0          3m33s
      amster-t5zgt                   0/1     Completed   0          3m32s
      ds-cts-0                       1/1     Running     0          10m
      ds-cts-1                       1/1     Running     0          7m50s
      ds-cts-2                       1/1     Running     0          5m47s
      ds-idrepo-0                    1/1     Running     0          10m
      ds-idrepo-1                    1/1     Running     0          8m
      ds-idrepo-2                    1/1     Running     0          5m57s
      end-user-ui-6bf9dbc8b7-pqrh6   1/1     Running     0          2m30s
      idm-766899bdf5-4q487           1/1     Running     0          3m32s
      idm-766899bdf5-fdk88           1/1     Running     0          3m32s
      login-ui-6f66c46697-zs75r      1/1     Running     0          2m29s
    2. Review the output. Deployment is complete when:

      • All entries in the STATUS column indicate Running or Completed.

      • The READY column indicates all running containers are available. The entry in the READY column represents [total number of containers/number of available containers].

      • Three AM and two IDM pods are present.

    3. If necessary, continue to query your deployment’s status until all the pods are ready.

  5. Back up and save the Kubernetes secrets that contain the master and TLS keys created by the DS operator:

    1. To avoid accidentally putting the backups under version control, change to a directory that is outside your forgeops repository clone.

    2. The ds-master-keypair secret contains the DS master key. This key is required to decrypt data from a directory backup. Failure to save this key could result in data loss.

      Back up the Kubernetes secret that contains the DS master key:

      $ kubectl get secret ds-master-keypair -o yaml > master-key-pair.yaml
    3. The ds-ssl-keypair secret contains the DS TLS key. This key is needed for cross-environment replication topologies.

      Back up the Kubernetes secret that contains the DS TLS key pair:

      $ kubectl get secret ds-ssl-keypair -o yaml > tls-key-pair.yaml
    4. Save the two backup files.

  6. (Optional) Deploy Prometheus, Grafana, and Alertmanager monitoring and alerts[1]:

    1. Deploy Prometheus, Grafana, and Alertmanager pods in the CDM:

      $ /path/to/forgeops/bin/prometheus-deploy.sh
      
      This script requires Helm version 3.04 or later due to changes in the behaviour of 'helm repo add' command.
      
      namespace/monitoring created
      "stable" has been added to your repositories
      "prometheus-community" has been added to your repositories
      Hang tight while we grab the latest from your chart repositories…​
      …​Successfully got an update from the "ingress-nginx" chart repository
      …​Successfully got an update from the "codecentric" chart repository
      …​Successfully got an update from the "prometheus-community" chart repository
      …​Successfully got an update from the "stable" chart repository
      Update Complete. ⎈Happy Helming!⎈
      Release "prometheus-operator" does not exist. Installing it now.
      NAME: prometheus-operator
      LAST DEPLOYED: ...
      NAMESPACE: monitoring
      STATUS: deployed
      REVISION: 1
      NOTES:
      kube-prometheus-stack has been installed. Check its status by running:
        kubectl --namespace monitoring get pods -l "release=prometheus-operator"
      
      Visit https://github.com/prometheus-operator/kube-prometheus for instructions on how to create & configure Alertmanager and Prometheus instances using the Operator.
      . . .
      Release "forgerock-metrics" does not exist. Installing it now.
      NAME: forgerock-metrics
      LAST DEPLOYED: ...
      NAMESPACE: monitoring
      STATUS: deployed
      REVISION: 1
      TEST SUITE: None
    2. Check the status of the pods in the monitoring namespace until all the pods are ready:

      $ kubectl get pods --namespace monitoring
      NAME                                                      READY   STATUS    RESTARTS   AGE
      alertmanager-prometheus-operator-kube-p-alertmanager-0    2/2     Running   0          59s
      prometheus-operator-grafana-5b4cff5d9-h7ff7               3/3     Running   0          64s
      prometheus-operator-kube-p-operator-55ff8cb674-4q6sr      1/1     Running   0          64s
      prometheus-operator-kube-state-metrics-57578df45b-7tq92   1/1     Running   0          64s
      prometheus-operator-prometheus-node-exporter-8d44h        1/1     Running   0          64s
      prometheus-operator-prometheus-node-exporter-dwg8b        1/1     Running   0          64s
      prometheus-operator-prometheus-node-exporter-zsw5m        1/1     Running   0          64s
      prometheus-prometheus-operator-kube-p-prometheus-0        2/2     Running   0          59s
  7. (Optional) Install a TLS certificate instead of using the default self-signed certificate in your CDM deployment. See TLS certificate for details.

Alternative deployment techniques

If you prefer not to deploy the CDM using a single forgeops install command, you can use one of these options:

  1. Deploy the CDM in stages component by component instead of with a single command.

    Staging the deployment can be useful if you need to troubleshoot a deployment issue. Make sure you specify a CDM size (such as --small) instead of --cdk when you run the forgeops install command to install components.

  2. Back up and save the master and TLS key pairs created by the DS operator. Refer to this step for details.

  3. Generate Kustomize manifests, and then deploy the CDM with the kubectl apply -k command.

    The forgeops install command generates Kustomize manifests that let you recreate your CDM deployment. The manifests are written to the /path/to/forgeops/kustomize/deploy directory of your forgeops repository clone. Advanced users who prefer to work directly with Kustomize manifests that describe their CDM deployment can use the generated content in the kustomize/deploy directory as an alternative to using the forgeops command:

    1. Generate an initial set of Kustomize manifests by running the forgeops install command. If you prefer to generate the manifests without installing the CDM, you can run the forgeops generate command.

    2. Run kubectl apply -k commands to deploy and remove CDM components. Specify a manifest in the kustomize/deploy directory as an argument when you run kubectl apply -k commands.

    3. Use GitOps to manage CDK configuration changes to the kustomize/deploy directory instead of making changes to files in the kustomize/base and kustomize/overlay directories.

Next step


1. Installing Prometheus, Grafana, and Alertmanager technology in the CDM provides an example of how you might set up monitoring and alerting in a ForgeRock Identity Platform deployment in the cloud. Remember, the CDM is a reference implementation and not for production use. When you create a project plan, you’ll need to determine how to monitor and send alerts in your production deployment.
Copyright © 2010-2024 ForgeRock, all rights reserved.