ForgeOps

Deploy using Helm on GKE, EKS, or AKS

  1. Verify that you have set up your environment and created a Kubernetes cluster as documented in the setup section.

  2. Ensure that the image.repository and image.tag settings for all the platform components are correct in your /path/to/forgeops/charts/identity-platform/values.yaml file. For example:

    1. The following lines pertain to the AM image:

      …​
      149 am:
      150   enabled: true
      151   replicaCount: 1
      152
      153   image:
      154     repository: us-docker.pkg.dev/forgeops-public/images/am
      155     tag: "7.5.0"
      156     pullPolicy: IfNotPresent
      157     imagePullSecrets: []
      158
      …​
    2. The following lines pertain to the IDM image:

      …​
      319 idm:
      320   enabled: true
      321   replicaCount: 1
      322
      323   image:
      324     repository: us-docker.pkg.dev/forgeops-public/images/idm
      325     tag: "7.5.0"
      326     pullPolicy: IfNotPresent
      327     imagePullSecrets: []
      …​
  3. Set up your Kubernetes context:

    1. Set the KUBECONFIG environment variable so that your Kubernetes context references the cluster in which you’ll perform the ForgeOps deployment.

    2. Create a Kubernetes namespace in the cluster for the ForgeRock Identity Platform pods:

      $ kubectl create namespace my-namespace
    3. Set the active namespace in your Kubernetes context to the Kubernetes namespace you just created:

      $ kubens my-namespace
  4. Run the install-prereqs command:

    $ cd /path/to/forgeops/charts/scripts
    $ ./install-prereqs
  5. Run the helm-upgrade command:

    $ cd ../identity-platform
    $ helm upgrade -i identity-platform \
     oci://us-docker.pkg.dev/forgeops-public/charts/identity-platform \
     --install --version 7.5 --namespace my-namespace \
     --values values-deployment-size.yaml \
     --set 'platform.ingress.hosts={forgeops.example.com}'

    For a single-instance deployment, omit the --values argument.

    For small, medium, and large deployments, provide a --values argument and specify deployment-size as small, medium, or large.

    For more information about single-instance deployments and deployment sizes, refer to Cluster and deployment sizes.

    When deploying the platform with Docker images other than the public evaluation-only images, you’ll also need to set additional Helm values such as am.image.repository, am.image.tag, idm.image.repository, and idm.image.tag. For an example, refer to Redeploy AM: Helm deployments.

    ForgeRock only offers ForgeRock software or services to legal entities that have entered into a binding license agreement with ForgeRock. When you install ForgeRock’s Docker images, you agree either that: 1) you are an authorized user of a ForgeRock customer that has entered into a license agreement with ForgeRock governing your use of the ForgeRock software; or 2) your use of the ForgeRock software is subject to the ForgeRock Subscription License Agreement.

  6. Check the status of the pods in the namespace in which you deployed the platform until all the pods are ready:

    1. Run the kubectl get pods command.

    2. Review the output. Deployment is complete when:

      • All entries in the STATUS column indicate Running or Completed.

      • The READY column indicates all running containers are available. The entry in the READY column represents [total number of containers/number of available containers].

    3. If necessary, continue to query your deployment’s status until all the pods are ready.

  7. Back up and save the Kubernetes secrets that contain the master and TLS keys:

    1. To avoid accidentally putting the backups under version control, change to a directory that is outside your forgeops repository clone.

    2. The ds-master-keypair secret contains the DS master key. This key is required to decrypt data from a directory backup. Failure to save this key could result in data loss.

      Back up the Kubernetes secret that contains the DS master key:

      $ kubectl get secret ds-master-keypair -o yaml > master-key-pair.yaml
    3. The ds-ssl-keypair secret contains the DS TLS key. This key is needed for cross-environment replication topologies.

      Back up the Kubernetes secret that contains the DS TLS key pair:

      $ kubectl get secret ds-ssl-keypair -o yaml > tls-key-pair.yaml
    4. Save the two backup files.

  8. (Optional) Deploy Prometheus, Grafana, and Alertmanager for monitoring and alerting[1]:

    1. Deploy Prometheus, Grafana, and Alertmanager pods in your ForgeOps deployment:

      $ /path/to/forgeops/bin/prometheus-deploy.sh
      
      **This script requires Helm version 3.04 or later due to changes in the behaviour of 'helm repo add' command.**
      
      namespace/monitoring created
      "stable" has been added to your repositories
      "prometheus-community" has been added to your repositories
      Hang tight while we grab the latest from your chart repositories...
      ...Successfully got an update from the "ingress-nginx" chart repository
      ...Successfully got an update from the "codecentric" chart repository
      ...Successfully got an update from the "prometheus-community" chart repository
      ...Successfully got an update from the "stable" chart repository
      Update Complete. ⎈Happy Helming!⎈
      Release "prometheus-operator" does not exist. Installing it now.
      NAME: prometheus-operator
      LAST DEPLOYED: ...
      NAMESPACE: monitoring
      STATUS: deployed
      REVISION: 1
      NOTES:
      kube-prometheus-stack has been installed. Check its status by running:
        kubectl --namespace monitoring get pods -l "release=prometheus-operator"
      
      Visit https://github.com/prometheus-operator/kube-prometheus for instructions on how to create & configure Alertmanager and Prometheus instances using the Operator.
      ...
      Release "forgerock-metrics" does not exist. Installing it now.
      NAME: forgerock-metrics
      LAST DEPLOYED: ...
      NAMESPACE: monitoring
      STATUS: deployed
      REVISION: 1
      TEST SUITE: None
    2. Check the status of the pods in the monitoring namespace until all the pods are ready:

      $ kubectl get pods --namespace monitoring
      NAME                                                     READY   STATUS    RESTARTS   AGE
      alertmanager-prometheus-operator-kube-p-alertmanager-0   2/2     Running   0          119s
      prometheus-operator-grafana-95b8f5b7d-nn65h              3/3     Running   0          2m4s
      prometheus-operator-kube-p-operator-7d54989595-pdj44     1/1     Running   0          2m4s
      prometheus-operator-kube-state-metrics-d95996bc4-wcf7s   1/1     Running   0          2m4s
      prometheus-operator-prometheus-node-exporter-67xq4       1/1     Running   0          2m4s
      prometheus-operator-prometheus-node-exporter-b4grn       1/1     Running   0          2m4s
      prometheus-operator-prometheus-node-exporter-cwhcn       1/1     Running   0          2m4s
      prometheus-operator-prometheus-node-exporter-h9brd       1/1     Running   0          2m4s
      prometheus-operator-prometheus-node-exporter-q8zrk       1/1     Running   0          2m4s
      prometheus-operator-prometheus-node-exporter-vqpt5       1/1     Running   0          2m4s
      prometheus-prometheus-operator-kube-p-prometheus-0       2/2     Running   0          119s
  9. (Optional) Install a TLS certificate instead of using the default self-signed certificate in your ForgeOps deployment. Refer to TLS certificate for details.

Next step


1. Installing Prometheus, Grafana, and Alertmanager technology in ForgeOps deployments provides an example of how you might set up monitoring and alerting in a ForgeRock Identity Platform deployment in the cloud. Remember, ForgeOps deployments are reference implementations and not for production use. When you create a project plan, you’ll need to determine how to monitor and send alerts in your production deployment.
Copyright © 2010-2024 ForgeRock, all rights reserved.