December 8, 2022

CDM deployments on EKS should now use Kubernetes version 1.22

When you create an EKS cluster for deploying version 7.2 of the platform, use Kubernetes version 1.22.

CDM deployments should now use NGINX Ingress Controller version 1.4.0 or higher

When you deploy the NGINX Ingress Controller in your CDM cluster, use version 1.4.0[1] or higher.

August 17, 2022

The bin/config export command now handles object deletion correctly

Deletion of configuration objects, such as AM authentication trees and service definitions, is now handled correctly by the bin/config export command.

In previous versions, AM object deletion was not implemented in the bin/config export command. If you deleted objects from the CDK’s AM configuration, and then exported the configuration, the deleted objects remained in your configuration profile in many instances.

June 30, 2022

IDM evaluation-only Docker image repository name change

The name of the IDM evaluation-only Docker image repository has been changed to This image repository was formerly named

The IDM canonical configuration is now built in to the idm-cdk Docker image

The IDM canonical configuration for the CDK has been incorporated into the idm-cdk Docker image.

Because of this, you no longer need to copy files from the docker/idm/config-profiles/cdk directory when you initialize a new configuration profile. Simply create a new subdirectory under the docker/idm/config-profiles directory.

For an updated procedure for creating a new configuration profile, see Create a Configuration Profile.

New bin/ script

The new bin/ script lets you obtain diagnostic information for any DS pod running in your cluster. It also lets you perform several cleanup and recovery operations on DS pods.

For more information, see Debug script.

The RCS Agent has been removed from the CDM and CDK deployments

The RCS Agent is no longer available in the CDM and CDK deployments.

Building your own rcs-agent_docker_image Docker image is no longer required when deploying the ForgeRock Identity Platform on Kubernetes.

The LDIF importer is no longer used

The LDIF importer is no longer used in CDM and CDK deployments.

Building your own ldif-importer Docker image is no longer required when deploying the ForgeRock Identity Platform on Kubernetes.

CDM deployments create a third ds-idrepo replica

The ds-idrepo-2 replica is now deployed as part of the CDM for failover purposes.

Previously, IDM was not able to use a third ds-idrepo replica, so the number of ds-idrepo replicas was set at 2. A recent enhancement to IDM lets additional replicas be used for failover, so a third replica has been added to the CDM architecture.

Number of AM pods in small CDM clusters changed to 2

Small CDM clusters now have 2 AM pods. Previously, they had 3 AM pods.

Limitation on IDM workflow support in the CDK and CDM

The Release Notes now document the limitation that the CDK and CDM are not preconfigured to support IDM’s workflow engine.

Note that this limitation has existed since version 7.0 of the platform, when the CDK and CDM starting using DS as the IDM repository.

Changes to the steps for configuring the CDK and CDM to use a CA certificate

The forgeops install command now installs cert-manager as part of CDK and CDM deployment.

Because of this, the steps for configuring the CDK and CDM to use a certificate from a CA have changed. See TLS certificate for details.

Use the new cluster/minikube/cdk-minikube utility to create a Minikube cluster

The new cluster/minikube/cdk-minikube utility lets you create a Minikube cluster that’s configured for running the CDK.

The Minikube cluster page now includes an example of how to run this utility.

New recommendation: use the Hyperkit and Docker drivers for Minikube clusters

It’s now recommended that you use the Hyperkit driver for Minikube clusters on macOS systems, and the Docker driver for Minikube clusters on Linux systems.

ForgeRock has tested Minikube clusters with these two drivers, and the new cluster/minikube/cdk-minikube utility creates Minikube clusters with these two drivers by default.

CDK deployments on Minikube require the volume snapshots plugin

CDK deployments on Minikube now require you to enable the volume snapshots plugin. See Minikube cluster.

July 12, 2021

New amster command

Use the new amster import command instead of the import command to import sample AM run-time data to the CDK.

Statement on forgeops repository feature evolution

The new forgeops repository feature evolution section has been added to these DevOps release notes to clarify the meaning of feature statuses, such as technology preview, evolving, legacy, deprecated, and removed.

May 12, 2021

Release branch

Version 7.1.0 of the forgeops repository is available in the release/7.1.0 branch.

Previously, release tags were used for forgeops repository releases.

Several Docker images from ForgeRock are supported in production deployments

The Docker images that implement UI elements in the ForgeRock Identity Platform are now supported for use in production deployments. For more information, see Base Docker images.

Previously, users were required to build all the Docker images for the platform for use in their production deployments.

Third-Party Kubernetes support changes

The section, Third-Party Kubernetes Services in Support from ForgeRock has been revised.

Secure LDAP

Inbound communication to DS instances now occurs over secure LDAP (LDAPS). Previously, communication was over LDAP connections.

IDM is now a Kubernetes deployment

Previously, IDM was deployed as a stateful set.

Python 3 is now on the list of required third-party software

The bin directory in the forgeops repository now contains scripts written in Python 3.

Python 3 has been added to the list of third-party software that you need to install before using the forgeops repository. Note that Homebrew users can install Python 3 using the command, brew install python.

Python scripts

Some of the functionality available in bash scripts is replaced by the identical functionality in Python scripts. No functionality has been removed with these script changes:

  • - Use the cdk delete Python script instead.

  • - Use the ds-operator Python script instead.

  • - Use the print-secrets Python script instead.

  • - Use the secret-agent Python script instead.

Secrets are not created automatically when you install the platform on the CDM

A new step to configure the Secret Agent and create secrets is required when deploying the CDM.

The new step—running the kubectl apply command—has been added to the CDM Cookbooks.

Previously, this was done automatically by the skaffold run command.

Note that Skaffold still automates secret creation when you deploy the CDK.

Volume snapshots technology preview

Support for volume snapshots has been added to the DS operator technology preview. For more information, see the DS operator README.

Configuration expressions in the AM configuration are preserved when the configuration is exported

Configuration expressions used in an AM configuration profile are now preserved in that profile after you export a configuration from the CDK to a forgeops repository clone.

For more information, see About property value substitution in the CDK documentation.

CDK and CDM deployment verified on newer Kubernetes versions

CDK and CDM deployments are now verified on newer Kubernetes versions. For more information, see Recommended Kubernetes versions.

The Secret Agent operator lets you change individual administration passwords

The Secret Agent operator now supports changing individual administration passwords. If periodic password changes are a requirement for your organization, you can change individual administration passwords as needed.

CDM deployments no longer create a third ds-idrepo replica

The ds-idrepo-2 replica is no longer deployed as part of the CDM.

IDM did not use this replica, and removing the replica improved replication performance for the CDM, and lowered the cost of the deployment.

CDM backups are now taken from the -0 DS instances by default

CDM backups are now taken from the ds-idrepo-0 and ds-cts-0 DS instances by default.

In previous versions, backups were taken from the ds-idrepo-2 and ds-cts-2 DS instances by default.

For more information, see CDM backup and restore.

Regions for CDM cluster creation no longer default

With this change, you must explicitly configure a region when you run one of the CDM cluster creation scripts. For details, see the environment setup sections for Google Cloud, AWS, and Azure.

Previously, CDM clusters were created in specific regions by default.

Long form command-line options for the command

Long form command-line options are now available for the command. To see the available options, run /path/to/forgeops/bin/ --help.

How to eliminate the need to accept a self-signed certificate on Minikube deployments

The CDK documentation now includes an optional step for adding a secret to CDK deployments. The secret contains a TLS certificate issued by an external certificate authority (CA), or by a local CA that you create using the mkcert utility. Users who access ForgeRock web-based applications on deployments that have this type of secret do not need to accept a self-signed certificate.

All main AM run-time data types supported when exporting configuration data

The export and sync options of the command let you export AM run-time data from a running CDK instance to a configuration profile stored in a local clone of the forgeops repository. With this release, the export and sync options can now export all of these types of run-time data:

  • OAuth 2.0 clients

  • OpenID Connect 1.0 clients

  • IG, Web, Java, and SOAP STS agents

  • Policies

  • SAML v2.0 circles of trust and entities

In previous releases, only OAuth 2.0 clients and IG agents were exported.

Performance benchmark changes

Two benchmarks are available for ForgeRock Identity Platform version 7:

  • An authentication rate benchmark, which measures authentication performed with AM REST API calls to an AM server configured to use CTS-based (stateful) sessions.

  • An OAuth 2.0 authorization code flow benchmark, which measures the throughput and response time of an AM server performing authentication, authorization, and session token management. AM is configured to use client-based (stateful) sessions for this benchmark.

Contact your ForgeRock sales representative to obtain our results for benchmarks for these ForgeRock Identity Platform version 7.

Small and medium clusters now use a single node pool

For simpler deployments, small and medium CDM clusters now use a single node pool for all pods instead of using a second node pool for DS pods.

Large CDM clusters continue to use two node pools.

Task maps and checklists in the documentation

The CDK and CDM documentation has been improved! New checklists help you navigate through set up and deployment activities:

Task maps are provided with each set up and deployment activity. They help you determine where you are in the deployment process, and indicate the next step you’ll perform.

Minikube cni=true option

ForgeRock now recommends that you start Minikube with the cni=true option. Starting Minikube with this option circumvents Minikube issue 1568, which required users to run the Minikube VM in promiscuous mode.

  • The step to create the Minikube VM has been modified to use the cni=true option.

  • The instruction to circumvent Minikube issue 1568 by placing the Minikube VM in promiscuous mode has been removed.

1. NGINX Ingress Controller Helm chart version 4.3.0 installs NGINX Ingress Controller version 1.4.0.
Copyright © 2010-2022 ForgeRock, all rights reserved.