Secret Generator

The kubernetes-secret-generator (secret generator) is a third-party Kubernetes operator that simplifies secret management in a Kubernetes environment. You can use the secret generator instead of secret agent to manage secrets in new ForgeOps deployments.

In addition to the secrets that ForgeOps needs, you can also add and manage your own custom secrets using the secret generator. Learn more on the Kubernetes secret generator page on GitHub.
Setting up secret generator

- Install the secret generator in your cluster using the forgeops prereqs command:

  $ kubectx my-context
  $ ./bin/forgeops prereqs --secret-generator
  ...
  Secret Generator not found. Installing ...
  Release "kubernetes-secret-generator" does not exist. Installing it now.
  NAME: kubernetes-secret-generator
  LAST DEPLOYED: ...
  NAMESPACE: secret-generator
  STATUS: deployed
  REVISION: 1
  TEST SUITE: None

- Verify that the secret generator has been installed:

  $ kubectl get pods --namespace secret-generator
  NAME                                           READY   STATUS    RESTARTS   AGE
  kubernetes-secret-generator-865694dbc8-5c9mx   1/1     Running   0          27h

- Enable the Python3 virtual environment:

  $ source .venv/bin/activate

- Verify that you’ve set up your environment as documented in the setup section.
- The configuration of a ForgeOps deployment is steered through Kustomize overlays or Helm values. Use the forgeops env command to set up the Kustomize overlay and Helm values file that configure your ForgeOps deployment environment:

  On cloud platforms

  - If you want to use the issuer provided with the platform for a demo, you can use default-issuer.
  - For a single-instance deployment, specify --deployment-size as --single-instance.
  - Specify the --secret-generator option to enable the secret generator.

  $ cd /path/to/forgeops/bin
  $ ./forgeops env --env-name my-env --fqdn my-fqdn.example.com \
      --cluster-issuer my-cluster-issuer --deployment-size \
      --secret-generator

  In the previous command, replace my-fqdn.example.com, my-cluster-issuer, and --deployment-size with appropriate values from your environment. For example:

  $ ./bin/forgeops env --env-name my-sg-env --fqdn my-fqdn.example.com \
      --cluster-issuer default-issuer --small \
      --secret-generator

  On minikube

  In a minikube environment, use the single-instance deployment:

  $ cd /path/to/forgeops/bin
  $ ./forgeops env --env-name my-env --fqdn my-fqdn.example.com \
      --cluster-issuer my-cluster-issuer --single-instance \
      --secret-generator

  For example:

  $ ./bin/forgeops env --env-name my-sg-env --fqdn my-fqdn.example.com \
      --cluster-issuer default-issuer --single-instance \
      --secret-generator
  Creating new overlay
  From: /.../forgeops/kustomize/overlay/default
  To: /.../forgeops/kustomize/overlay/my-sg-env
  Updating existing Helm values.

  When the --secret-generator option is used, the forgeops env command creates a secret-generator based Helm values file and Kustomize overlay. Learn more about the forgeops env command in the forgeops env command reference.

  Learn more about deployment sizes in Cluster and deployment sizes and about single instances here.
- (Optional) By default, the latest platform images are used for the ForgeOps deployment. If you need a specific image version to be deployed, ensure that the image.repository and image.tag settings for the platform components are correct in the /path/to/forgeops/helm/my-env/values.yaml Helm values file.

- Set up your Kubernetes context:

  - Set the KUBECONFIG environment variable so that your Kubernetes context references the cluster in which you’ll perform the ForgeOps deployment.

  - Create a Kubernetes namespace in the cluster for the Ping Identity Platform pods:

    $ kubectl create namespace my-namespace

  - Set the active namespace in your Kubernetes context to the Kubernetes namespace you just created:

    $ kubens my-namespace
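A pre-flight check for the procedure above, written as an added shell example that is not part of the forgeops repository: it confirms from captured kubectl output that the operator pod is Running and fully ready, and validates the forgeops env flag set (exactly one deployment size, --secret-generator present) before the command is run. The --medium and --large size flags are assumed to exist alongside the --small and --single-instance flags shown on this page, and the pod listing is a constructed sample.

```shell
#!/bin/sh
# Added example (not forgeops code). Parses a captured `kubectl get pods`
# table so it runs offline; with a live cluster, use:
#   kubectl get pods --namespace secret-generator | sg_operator_ready

# Return 0 if a kubernetes-secret-generator pod is Running and every
# container is ready (READY column "n/n" with n > 0), 1 otherwise.
sg_operator_ready() {
  awk '
    NR == 1 { next }                        # skip the header line
    $1 ~ /^kubernetes-secret-generator-/ {
      split($2, r, "/")                     # READY is "ready/total"
      if ($3 == "Running" && r[1] == r[2] && r[1] + 0 > 0) ok = 1
    }
    END { exit ok ? 0 : 1 }
  '
}

# Build the `forgeops env` command line after checking its flag set:
# exactly one deployment size and the --secret-generator option.
# Usage: sg_env_cmd ENV_NAME FQDN CLUSTER_ISSUER FLAG...
sg_env_cmd() {
  [ $# -ge 4 ] || { echo "usage: sg_env_cmd ENV FQDN ISSUER FLAG..." >&2; return 1; }
  env_name=$1; fqdn=$2; issuer=$3; shift 3
  sizes=0; sg=0
  for a in "$@"; do
    case "$a" in
      --small|--medium|--large|--single-instance) sizes=$((sizes + 1)) ;;   # --medium/--large assumed
      --secret-generator) sg=1 ;;
      *) echo "unknown flag: $a" >&2; return 1 ;;
    esac
  done
  [ "$sizes" -eq 1 ] || { echo "specify exactly one deployment size" >&2; return 1; }
  [ "$sg" -eq 1 ] || { echo "--secret-generator is required" >&2; return 1; }
  printf './bin/forgeops env --env-name %s --fqdn %s --cluster-issuer %s %s\n' \
    "$env_name" "$fqdn" "$issuer" "$*"
}

# Constructed sample, in the shape of the output shown on this page.
SAMPLE_PODS='NAME                                           READY   STATUS    RESTARTS   AGE
kubernetes-secret-generator-865694dbc8-5c9mx   1/1     Running   0          27h'

printf '%s\n' "$SAMPLE_PODS" | sg_operator_ready && echo "secret generator operator is ready"
sg_env_cmd my-sg-env my-fqdn.example.com default-issuer --small --secret-generator
```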
Deploy platform products

Deploy using Helm on Cloud

- Set up the certificate and secret management prerequisites:

  - The forgeops repository provides cert-manager as the certificate management utility. If you need to use a different certificate management utility, refer to the corresponding documentation for installing that utility.

  - Currently, the secret agent is used as the default secrets management utility in ForgeOps deployments. You can continue to use the secret agent in existing deployments. In new ForgeOps deployments, you should install and use the secret generator to manage Kubernetes secrets. The secret agent utility will be deprecated in the next release.

    - To install the secret generator for secret management:

      $ forgeops prereqs cert-manager ingress secrets --secret-generator

    - To install the secret agent for secret management:

      $ forgeops prereqs cert-manager ingress secrets

- (Optional) If you’ve set up your Kubernetes cluster using the ForgeOps-provided Terraform manifest, you have already created the required fast storage and volume snapshot classes. If you are setting up your Kubernetes cluster using your own scripts, create these classes using the corresponding YAML files provided in the /path/to/forgeops/cluster/resources folder. For example, on GKE:

  $ kubectl apply -f /path/to/forgeops/cluster/resources/gke-fast-storage-class.yaml
  $ kubectl apply -f /path/to/forgeops/cluster/resources/gke-volume-snapshot-class.yaml

- Run the helm upgrade command to perform a ForgeOps deployment:

  $ helm upgrade --install identity-platform identity-platform \
      --repo https://ForgeRock.github.io/forgeops/ \
      --version 2025.2.0 --namespace my-namespace \
      --values /path/to/forgeops/helm/my-env/values.yaml

  When deploying the platform with Docker images other than the ForgeOps-provided images, you’ll also need to set additional Helm values such as am.image.repository, am.image.tag, idm.image.repository, and idm.image.tag. For an example, refer to Redeploy AM: Helm deployments.
Deploy using Helm on minikube

- Set up the certificate management and secret agent:

  - Since minikube provides its own ingress controller, the NGINX controller need not be installed.

  - The forgeops repository provides cert-manager as the certificate management utility. If you need to use a different certificate management utility, refer to the corresponding documentation for installing that utility.

  - Currently, the secret agent is used as the default secrets management utility in ForgeOps deployments. You can continue to use the secret agent in existing deployments. In new ForgeOps deployments, you should install and use the secret generator to manage Kubernetes secrets. The secret agent utility will be deprecated in the next release.

    - To install the secret generator for secret management:

      $ forgeops prereqs cert-manager ingress secrets --secret-generator

    - To install the secret agent for secret management:

      $ forgeops prereqs cert-manager ingress secrets

- In a separate terminal tab or window, run the minikube tunnel command, and enter your system’s superuser password when prompted:

  $ minikube tunnel
  ✅ Tunnel successfully started
  📌 NOTE: Please do not close this terminal as this process must stay alive for the tunnel to be accessible …
  ❗ The service/ingress forgerock requires privileged ports to be exposed: [80 443]
  🔑 sudo permission will be asked for it.
  ❗ The service/ingress ig requires privileged ports to be exposed: [80 443]
  🏃 Starting tunnel for service forgerock.
  🔑 sudo permission will be asked for it.
  🏃 Starting tunnel for service ig.
  Password:

  The tunnel creates networking that lets you access the minikube cluster’s ingress on the localhost IP address (127.0.0.1). Leave the tab or window that started the tunnel open for as long as you run the ForgeOps deployment.

  Refer to this post for an explanation of why a minikube tunnel is required to access ingress resources when running minikube on an ARM-based macOS system.

- Set up the fast storage class using the minikube-fast-storage-class.yaml file in the /path/to/forgeops/cluster/resources directory:

  $ kubectl apply -f /path/to/forgeops/cluster/resources/minikube-fast-storage-class.yaml

- Run the helm upgrade command to perform a ForgeOps deployment:

  $ helm upgrade --install identity-platform identity-platform \
      --repo https://ForgeRock.github.io/forgeops/ \
      --namespace my-namespace \
      --values /path/to/forgeops/helm/my-env/values.yaml

  The preceding command creates a single-instance ForgeOps deployment. Only single-instance deployments are supported on minikube.

  Learn more about single-instance deployments in Cluster and deployment sizes.
Deploy using Kustomize on Cloud

- Set up the certificate management, secret agent, and NGINX:

  - The forgeops repository provides cert-manager as the certificate management utility. If you need to use a different certificate management utility, refer to the corresponding documentation for installing that utility.

  - Currently, the secret agent is used as the default secrets management utility in ForgeOps deployments. You can continue to use the secret agent in existing deployments. In new ForgeOps deployments, you should install and use the secret generator to manage Kubernetes secrets. The secret agent utility will be deprecated in the next release.

    - To install the secret generator for secret management:

      $ forgeops prereqs cert-manager ingress secrets --secret-generator

    - To install the secret agent for secret management:

      $ forgeops prereqs cert-manager ingress secrets

- (Optional) If you’ve set up your Kubernetes cluster using the ForgeOps-provided Terraform manifest, you have already created the required fast storage and volume snapshot classes. If you are setting up your Kubernetes cluster using your own scripts, create these classes using the corresponding YAML files provided in the /path/to/forgeops/cluster/resources folder. For example, on GKE:

  $ kubectl apply -f /path/to/forgeops/cluster/resources/gke-fast-storage-class.yaml
  $ kubectl apply -f /path/to/forgeops/cluster/resources/gke-volume-snapshot-class.yaml

- Run the forgeops apply command to perform a ForgeOps deployment. Learn more in the forgeops apply command reference. For example:

  $ cd /path/to/forgeops/bin
  $ ./forgeops apply --env-name my-env

  If you prefer not to deploy using a single forgeops apply command, you can find more information in Alternative deployment techniques when using Kustomize.
Deploy using Kustomize on minikube

- Set up the certificate and secret management prerequisites:

  - Since minikube provides its own ingress controller, the NGINX controller need not be installed.

  - The forgeops repository provides cert-manager as the certificate management utility. If you need to use a different certificate management utility, refer to the corresponding documentation for installing that utility.

  - Currently, the secret agent is used as the default secrets management utility in ForgeOps deployments. You can continue to use the secret agent in existing deployments. In new ForgeOps deployments, you should install and use the secret generator to manage Kubernetes secrets. The secret agent utility will be deprecated in the next release.

    - To install the secret generator for secret management:

      $ forgeops prereqs cert-manager ingress secrets --secret-generator

    - To install the secret agent for secret management:

      $ forgeops prereqs cert-manager ingress secrets

- In a separate terminal tab or window, run the minikube tunnel command, and enter your system’s superuser password when prompted:

  $ minikube tunnel
  ✅ Tunnel successfully started
  📌 NOTE: Please do not close this terminal as this process must stay alive for the tunnel to be accessible …
  ❗ The service/ingress forgerock requires privileged ports to be exposed: [80 443]
  🔑 sudo permission will be asked for it.
  ❗ The service/ingress ig requires privileged ports to be exposed: [80 443]
  🏃 Starting tunnel for service forgerock.
  🔑 sudo permission will be asked for it.
  🏃 Starting tunnel for service ig.
  Password:

  The tunnel creates networking that lets you access the minikube cluster’s ingress on the localhost IP address (127.0.0.1). Leave the tab or window that started the tunnel open for as long as you run the ForgeOps deployment.

  Refer to this post for an explanation of why a minikube tunnel is required to access ingress resources when running minikube on an ARM-based macOS system.

- Set up the fast storage class using the minikube-fast-storage-class.yaml file in the /path/to/forgeops/cluster/resources directory:

  $ kubectl apply -f /path/to/forgeops/cluster/resources/minikube-fast-storage-class.yaml

- Run the forgeops apply command. Learn more in the forgeops apply command reference. For example:

  $ cd /path/to/forgeops/bin
  $ ./forgeops apply --env-name my-env

  The preceding command creates a single-instance ForgeOps deployment. Only single-instance deployments are supported on minikube.

  If you prefer not to deploy using a single forgeops apply command, you can find more information in Alternative deployment techniques when using Kustomize.