ForgeOps

Secret Generator

The kubernetes-secret-generator (secret generator) is a third-party Kubernetes operator that simplifies secret management in a Kubernetes environment. You can use the secret generator instead of secret agent to manage secrets in new ForgeOps deployments.

  1. To use the secret generator in your ForgeOps deployment, you must install and enable it in your Kubernetes cluster before you install AM, IDM, and DS.

  2. The secret agent will be deprecated, and the secret generator will become the default secret management tool in the next ForgeOps release.

In addition to the secrets that ForgeOps itself needs, you can also add and manage your own custom secrets using the secret generator. Learn more on the Kubernetes secret generator page on GitHub.
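As an added example (not from the ForgeOps documentation or the forgeops repository), the script below generates a Secret manifest for a custom application secret and checks, after the operator has processed it, that a data field was actually populated. It assumes the operator installed by forgeops prereqs --secret-generator is mittwald's kubernetes-secret-generator, which fills in the keys named in its secret-generator.v1.mittwald.de/autogenerate annotation (comma-separated for several keys) and sizes them with the secret-generator.v1.mittwald.de/length annotation; the secret and key names are constructed. Because the byte count you see after base64-decoding a data field also depends on the encoding the operator applies, the check only asserts a minimum length rather than an exact one.

```shell
#!/bin/sh
# Added example, not ForgeOps code. Assumes mittwald's kubernetes-secret-generator
# (the operator behind the kubernetes-secret-generator Helm release) and its
# secret-generator.v1.mittwald.de/* annotations. Names below are constructed.

# Emit a Secret manifest whose listed keys the operator fills with random values.
# Usage: custom_secret_manifest NAME NAMESPACE LENGTH KEY [KEY...]
custom_secret_manifest() {
  name=$1; ns=$2; len=$3; shift 3
  keys=$(printf '%s,' "$@"); keys=${keys%,}   # join keys as "k1,k2"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
  annotations:
    secret-generator.v1.mittwald.de/autogenerate: "$keys"
    secret-generator.v1.mittwald.de/length: "$len"
type: Opaque
data: {}
EOF
}

# Check that one base64-encoded data field (as printed by
#   kubectl get secret NAME -o jsonpath='{.data.KEY}')
# decodes to at least EXPECTED bytes. Returns 0 if populated, 1 if empty/short,
# so a deployment script can refuse to continue with an unfilled secret.
secret_value_has_min_length() {
  encoded=$1; expected=$2
  decoded_len=$(printf '%s' "$encoded" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${decoded_len:-0}" -ge "$expected" ]
}

# Stand-alone run: print the manifest. To apply it instead, pipe it to kubectl:
#   custom_secret_manifest my-app-secrets my-namespace 32 api-key db-password | kubectl apply -f -
custom_secret_manifest my-app-secrets my-namespace 32 api-key db-password
```

After applying the manifest, a check such as `secret_value_has_min_length "$(kubectl get secret my-app-secrets -o jsonpath='{.data.api-key}')" 16` distinguishes a Secret the operator has processed from one that still carries an empty data map.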

Setting up secret generator

  1. Install the secret generator in your cluster using the forgeops prereqs command:

    $ kubectx my-context
    $ ./bin/forgeops prereqs --secret-generator
    ...
    Secret Generator not found. Installing ...
    Release "kubernetes-secret-generator" does not exist. Installing it now.
    NAME: kubernetes-secret-generator
    LAST DEPLOYED: ...
    NAMESPACE: secret-generator
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
  2. Verify that the secret generator has been installed.

    $ kubectl get pods --namespace secret-generator
    NAME                                           READY   STATUS    RESTARTS   AGE
    kubernetes-secret-generator-865694dbc8-5c9mx   1/1     Running   0          27h
  3. Enable the Python3 virtual environment:

    $ source .venv/bin/activate
  4. Verify that you’ve set up your environment as documented in the setup section.

  5. The configuration of a ForgeOps deployment is controlled through Kustomize overlays or Helm values. Use the forgeops env command to generate the Kustomize overlay and Helm values file that configure your ForgeOps deployment environment:

    On cloud platforms
    • For a demo, you can use the issuer provided with the platform by specifying default-issuer as the cluster issuer.

    • For a single-instance deployment, specify --single-instance as the deployment size.

    • Specify the --secret-generator option to enable the secret generator.

      $ cd /path/to/forgeops/bin
      $ ./forgeops env --env-name my-env --fqdn my-fqdn.example.com \
        --cluster-issuer my-cluster-issuer --deployment-size \
        --secret-generator

      In the previous command, replace my-fqdn.example.com, my-cluster-issuer, and --deployment-size with values appropriate to your environment. For example:

      $ ./bin/forgeops env --env-name my-sg-env --fqdn my-fqdn.example.com \
        --cluster-issuer default-issuer --small \
        --secret-generator
    On minikube

    In a minikube environment, use the single instance deployment.

    $ cd /path/to/forgeops/bin
    $ ./forgeops env --env-name my-env --fqdn my-fqdn.example.com \
      --cluster-issuer my-cluster-issuer --single-instance \
      --secret-generator

    For example:

    $ ./bin/forgeops env --env-name my-sg-env --fqdn my-fqdn.example.com \
      --cluster-issuer default-issuer --single-instance \
      --secret-generator
    
    Creating new overlay
    From: /.../forgeops/kustomize/overlay/default
    To: /.../forgeops/kustomize/overlay/my-sg-env
    
    Updating existing Helm values.

    When the --secret-generator option is used, the forgeops env command creates a secret-generator-based Helm values file and Kustomize overlay.

    Learn more about the forgeops env command in the forgeops env command reference.

    Learn more about deployment sizes in Cluster and deployment sizes and about single instances here.

  6. (Optional) By default, the latest platform images are used for ForgeOps deployment. If you need a specific image version to be deployed, then ensure that the image.repository and image.tag settings for the platform components are correct in the /path/to/forgeops/helm/my-env/values.yaml Helm values file.

  7. Set up your Kubernetes context:

    1. Set the KUBECONFIG environment variable so that your Kubernetes context references the cluster in which you’ll perform the ForgeOps deployment.

    2. Create a Kubernetes namespace in the cluster for the Ping Identity Platform pods:

      $ kubectl create namespace my-namespace
    3. Set the active namespace in your Kubernetes context to the Kubernetes namespace you just created:

      $ kubens my-namespace
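Because AM, IDM, and DS must not be installed until the secret generator is running, a preflight check before the deployment step is worthwhile. The script below is an added example, not part of the forgeops CLI: it parses the output of kubectl get pods --namespace secret-generator --no-headers and reports whether a kubernetes-secret-generator pod is Running with all of its containers ready. The pod names in the sample listing are constructed (the first one copies the format shown in step 2 above).

```shell
#!/bin/sh
# Added preflight check, not forgeops code. Parses `kubectl get pods --no-headers`
# output (NAME READY STATUS RESTARTS AGE) and looks for a ready, Running
# kubernetes-secret-generator pod. Sample listings below are constructed.

# Returns 0 when the listing contains at least one secret-generator pod whose
# STATUS is Running and whose READY column is n/n with n > 0; 1 otherwise.
secret_generator_ready() {
  listing=$1
  printf '%s\n' "$listing" | awk '
    $1 ~ /^kubernetes-secret-generator-/ && $3 == "Running" {
      split($2, rc, "/")
      if (rc[1] == rc[2] && rc[1] + 0 > 0) ok = 1
    }
    END { exit(ok ? 0 : 1) }'
}

# Live wrapper: query the cluster the current context points at and fail loudly,
# so helm upgrade / forgeops apply is not run against a cluster where the
# platform secrets would never be generated.
preflight_secret_generator() {
  ns=${1:-secret-generator}
  listing=$(kubectl get pods --namespace "$ns" --no-headers 2>/dev/null) || {
    echo "cannot list pods in namespace $ns (is KUBECONFIG set?)" >&2
    return 1
  }
  if secret_generator_ready "$listing"; then
    echo "secret generator is running in namespace $ns"
  else
    echo "secret generator not ready in $ns; run: ./bin/forgeops prereqs --secret-generator" >&2
    return 1
  fi
}

# Stand-alone demonstration on a constructed listing (no cluster needed).
# Against a real cluster, run:  preflight_secret_generator || exit 1
sample='kubernetes-secret-generator-865694dbc8-5c9mx   1/1     Running   0          27h'
if secret_generator_ready "$sample"; then
  echo "sample listing: secret generator ready"
else
  echo "sample listing: secret generator NOT ready"
fi
```

Calling preflight_secret_generator at the top of a deployment script turns the ordering requirement from step 1 of this page into an enforced check rather than a note the operator has to remember.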

Deploy platform products

Deploy using Helm on Cloud
  1. Set up the certificate and secret management prerequisites:

    1. The forgeops repository provides cert-manager as the certificate management utility. If you need to use a different certificate management utility, refer to the corresponding documentation for installing that utility.

    2. Currently, the secret agent is used as the default secrets management utility in ForgeOps deployments. You can continue to use the secret agent in existing deployments. In new ForgeOps deployments, you should install and use the secret generator to manage Kubernetes secrets. The secret agent utility will be deprecated in the next release.

      1. To install the secret generator for secret management:

        $ forgeops prereqs cert-manager ingress secrets --secret-generator
      2. To install the secret agent for secret management:

        $ forgeops prereqs cert-manager ingress secrets
  2. (Optional) If you’ve set up your Kubernetes cluster using the ForgeOps-provided Terraform manifests, the required fast storage and volume snapshot classes have already been created. If you are setting up your Kubernetes cluster with your own scripts, create these classes using the corresponding YAML files in the /path/to/forgeops/cluster/resources folder.

    For example, on GKE:

    $ kubectl apply -f /path/to/forgeops/cluster/resources/gke-fast-storage-class.yaml
    $ kubectl apply -f /path/to/forgeops/cluster/resources/gke-volume-snapshot-class.yaml
  3. Run the helm upgrade command to perform a ForgeOps deployment:

    $ helm upgrade --install identity-platform identity-platform \
      --repo https://ForgeRock.github.io/forgeops/ \
      --version 2025.2.0 --namespace my-namespace \
      --values /path/to/forgeops/helm/my-env/values.yaml

    When deploying the platform with Docker images other than the ForgeOps-provided images, you’ll also need to set additional Helm values such as am.image.repository, am.image.tag, idm.image.repository, and idm.image.tag. For an example, refer to Redeploy AM: Helm deployments.

Deploy using Helm on minikube
  1. Set up the certificate and secret management prerequisites:

    1. Since minikube provides its own ingress controller, the NGINX ingress controller does not need to be installed.

    2. The forgeops repository provides cert-manager as the certificate management utility. If you need to use a different certificate management utility, refer to the corresponding documentation for installing that utility.

    3. Currently, the secret agent is used as the default secrets management utility in ForgeOps deployments. You can continue to use the secret agent in existing deployments. In new ForgeOps deployments, you should install and use the secret generator to manage Kubernetes secrets. The secret agent utility will be deprecated in the next release.

      1. To install the secret generator for secret management:

        $ forgeops prereqs cert-manager ingress secrets --secret-generator
      2. To install the secret agent for secret management:

        $ forgeops prereqs cert-manager ingress secrets
  2. In a separate terminal tab or window, run the minikube tunnel command, and enter your system’s superuser password when prompted:

    $ minikube tunnel
    ✅  Tunnel successfully started
    
    📌  NOTE: Please do not close this terminal as this process must stay alive for the tunnel to be accessible …
    
    ❗  The service/ingress forgerock requires privileged ports to be exposed: [80 443]
    🔑  sudo permission will be asked for it.
    ❗  The service/ingress ig requires privileged ports to be exposed: [80 443]
    🏃  Starting tunnel for service forgerock.
    🔑  sudo permission will be asked for it.
    🏃  Starting tunnel for service ig.
    Password:

    The tunnel creates networking that lets you access the minikube cluster’s ingress on the localhost IP address (127.0.0.1). Leave the tab or window that started the tunnel open for as long as you run the ForgeOps deployment.

    Refer to this post for an explanation about why a minikube tunnel is required to access ingress resources when running minikube on an ARM-based macOS system.

  3. Set up the fast storage class using the minikube-fast-storage-class.yaml file in the /path/to/forgeops/cluster/resources directory:

    $ kubectl apply -f /path/to/forgeops/cluster/resources/minikube-fast-storage-class.yaml
  4. Run the helm upgrade command to perform a ForgeOps deployment:

    $ helm upgrade --install identity-platform identity-platform \
      --repo https://ForgeRock.github.io/forgeops/ \
      --namespace my-namespace \
      --values /path/to/forgeops/helm/my-env/values.yaml

    The preceding command creates a single-instance ForgeOps deployment. Only single-instance deployments are supported on minikube.

    Learn more about single-instance deployments in Cluster and deployment sizes.

Deploy using Kustomize on Cloud
  1. Set up the certificate management, secret management, and NGINX ingress prerequisites:

    1. The forgeops repository provides cert-manager as the certificate management utility. If you need to use a different certificate management utility, refer to the corresponding documentation for installing that utility.

    2. Currently, the secret agent is used as the default secrets management utility in ForgeOps deployments. You can continue to use the secret agent in existing deployments. In new ForgeOps deployments, you should install and use the secret generator to manage Kubernetes secrets. The secret agent utility will be deprecated in the next release.

      1. To install the secret generator for secret management:

        $ forgeops prereqs cert-manager ingress secrets --secret-generator
      2. To install the secret agent for secret management:

        $ forgeops prereqs cert-manager ingress secrets
  2. (Optional) If you’ve set up your Kubernetes cluster using the ForgeOps-provided Terraform manifests, the required fast storage and volume snapshot classes have already been created. If you are setting up your Kubernetes cluster with your own scripts, create these classes using the corresponding YAML files in the /path/to/forgeops/cluster/resources folder.

    For example, on GKE:

    $ kubectl apply -f /path/to/forgeops/cluster/resources/gke-fast-storage-class.yaml
    $ kubectl apply -f /path/to/forgeops/cluster/resources/gke-volume-snapshot-class.yaml
  3. Run the forgeops apply command to perform a ForgeOps deployment. Learn more in the forgeops apply command reference.

    For example:

    $ cd /path/to/forgeops/bin
    $ ./forgeops apply --env-name my-env

    If you prefer not to deploy using a single forgeops apply command, you can find more information in Alternative deployment techniques when using Kustomize.

Deploy using Kustomize on minikube
  1. Set up the certificate and secret management prerequisites:

    1. Since minikube provides its own ingress controller, the NGINX ingress controller does not need to be installed.

    2. The forgeops repository provides cert-manager as the certificate management utility. If you need to use a different certificate management utility, refer to the corresponding documentation for installing that utility.

    3. Currently, the secret agent is used as the default secrets management utility in ForgeOps deployments. You can continue to use the secret agent in existing deployments. In new ForgeOps deployments, you should install and use the secret generator to manage Kubernetes secrets. The secret agent utility will be deprecated in the next release.

      1. To install the secret generator for secret management:

        $ forgeops prereqs cert-manager ingress secrets --secret-generator
      2. To install the secret agent for secret management:

        $ forgeops prereqs cert-manager ingress secrets
  2. In a separate terminal tab or window, run the minikube tunnel command, and enter your system’s superuser password when prompted:

    $ minikube tunnel
    ✅  Tunnel successfully started
    
    📌  NOTE: Please do not close this terminal as this process must stay alive for the tunnel to be accessible …
    
    ❗  The service/ingress forgerock requires privileged ports to be exposed: [80 443]
    🔑  sudo permission will be asked for it.
    ❗  The service/ingress ig requires privileged ports to be exposed: [80 443]
    🏃  Starting tunnel for service forgerock.
    🔑  sudo permission will be asked for it.
    🏃  Starting tunnel for service ig.
    Password:

    The tunnel creates networking that lets you access the minikube cluster’s ingress on the localhost IP address (127.0.0.1). Leave the tab or window that started the tunnel open for as long as you run the ForgeOps deployment.

    Refer to this post for an explanation about why a minikube tunnel is required to access ingress resources when running minikube on an ARM-based macOS system.

  3. Set up the fast storage class using the minikube-fast-storage-class.yaml file in the /path/to/forgeops/cluster/resources directory:

    $ kubectl apply -f /path/to/forgeops/cluster/resources/minikube-fast-storage-class.yaml
  4. Run the forgeops apply command. Learn more in the forgeops apply command reference.

    For example:

    $ cd /path/to/forgeops/bin
    $ ./forgeops apply --env-name my-env

    The preceding command creates a single-instance ForgeOps deployment. Only single-instance deployments are supported on minikube.

    If you prefer not to deploy using a single forgeops apply command, you can find more information in Alternative deployment techniques when using Kustomize.