ForgeOps 2025.2 release notes

In the ForgeOps release 2025.2.0, the import-pem-certs.sh script was moved from the docker/am directory in PingAM docker image to a configmap. Because the script isn’t available as a configmap in release 2025.1.x, the latest AM images built for ForgeOps 2025.2.0 fail when deployed to a ForgeOps 2025.1.x environment. To fix this issue, the import-pem-certs.sh script is added back to the docker/am directory in the PingAM image.

ForgeOps documentation for 2025.2 release is updated to cover ForgeOps 2025.2.1 release.

Described secrets and passwords rotation. Learn more at Secrets Rotation.

Updated the TLS certificate section.

We’ve released the new secret agent 1.2.7 to resolve the latest security vulnerabilities.

The following product releases are also available for use in ForgeOps deployments:

When secret-generator and keystore-create Kubernetes jobs are enabled, a single keystore is created for PingAM and PingIDM, and the keystore configurations are consolidated under the keystore_create.config Helm values.

OpenSSL now provides the default root certificate authorities. Users can provide additional certificates through the Helm chart.

Curl often has security vulnerabilities, and it has been removed from ldif-importer and amster jobs. Curl has been replaced with:

This new command helps with no downtime in DS password rotations for the ds-env-secrets and ds-passwords secrets. It creates old-ds-env-secrets and old-ds-passwords secrets that are used by the ds-set-passwords job and the init container to maintain the old passwords during the rotation process.

Use this command to upgrade existing Kustomize overlays. It is used to update the secrets child overlay with the new structure and to update the ForgeOps-provided default overlay in the future.

Customers who need to build their own container images can create their own release files so forgeops image and forgeops info commands can work with these custom images.

Reordered the patches in the amster/upload and amster/export sub overlays to manage amster configuration correctly.

To reduce confusion, the optional FORGEOPS_ROOT environment variable is renamed FORGEOPS_DATA. The forgeops command prompts and fixes this in the ~/.forgeops.conf file if FORGEOPS_ROOT is detected.

Ensure the openam container has access to the default boot.json when something causes the container to restart. This is because the fbc-init init container doesn’t run when the openam container restarts so the default boot.json isn’t set for startup.

The forgeops info -e my-env command would throw an exception when an image has a tag that is not in the form x.y.z. This was due to a bug in lib.python.releases.is_valid_release(). It now returns false if a tag doesn’t match that pattern.

The forgeops build command didn’t work properly if the proper tag was not provided. It now will use latest if a tag is not specified.

Learn more about the updated ForgeOps limitations Limitations.

The ldif-importer Kubernetes job was used for setting and importing DS passwords. The Kubernetes job is renamed ds-set-passwords to clearly state it’s purpose.

The support page has been updated to clarify the product lifecycle support. Learn more at ForgeOps Lifecycle Policy.

Added the forgeops prereqs command and replaced install-prereqs to install ForgeOps prerequisites. Learn more in the forgeops prereqs command reference.

Included a new technical preview section highlighting the use secret generator as the secret management utility. Learn more in Secret Generator.

Included a section to describe the different Kubernetes secrets used in ForgeOps. Learn more in Secrets Reference.

The script used for generating AM base image from AM zip file had a flaw. A workaround has been documented. Learn more in Base Docker images.

Steps to build customized base images are updated to use AM-8.1.0. Learn more at Base Docker images.

Steps to build customized base images are updated to use Java version 21. Learn more at Base Docker images.

PingGateway 2025.3.0 Docker image has been released. The forgeops command has been updated to deploy PingGateway in a ForgeOps deployment.

PingGateway has two endpoints now:

The Terraform cluster creation manifests have been updated to use Kubernetes version 1.32 on all platforms.

Implemented a mechanism to define extra environment variables for AM, IDM and custom variables to the platform configuration map.

The following new features have been added to the install-prereqs script:

Added the ability to enable Prometheus and Grafana in the Helm chart.

Using forgeops image and forgeops info commands, you can now look for and select a newer version, skipping the version you specified in the command if it isn’t available.

Added the --amster-retain option to the forgeops env command. You can configure a ForgeOps deployment environment to keep the amster pod running for troubleshooting purposes.

The forgeops env command now adds a patch to update the namespace when enabling volume snapshots.

The deprecated forgeops generate command has been removed.

The certmanager-deploy.sh and secret-agent scripts have been removed in favor of the charts/scripts/install-prereqs script, which includes steps to deploy certmanager and secret-agent.

The following platform Docker images have been released:

The debug-log utility is updated to use the new ForgeOps deployment environments and parameters. Learn more at Kubernetes logs and other diagnostics.

The Docker image for PingGateway is updated to 2025.3.0.

Ingress and Benchmark sections are moved from the Prepare branch to the Reference navigation branch.

Updated the list of third-party software required for ForgeOps deployment. Included third-party software requirement in the Getting Started section. Learn more at your cluster environment at Setup overview.

Monitoring tools Grafana and Prometheus have been updated to use the latest versions, along with newer monitoring endpoints. Learn more at About ForgeOps deployment monitoring.

The DS team has removed the disaster subcommand from the ds-debug command. Accordingly, that subcommand description is removed from the Troubleshooting section.

The name of the ingress controller used by default in ForgeOps deployment is corrected to Ingress-NGINX controller.

Procedures to install PingGateway are corrected. Learn more at Deploy PingGateway and Custom PingGateway image.

The steps to enable volume snapshots have been simplified with the use of the forgeops env command. Learn more in Backup and restore using volume snapshots.

Added the command reference for the forgeops image command. Learn more at the forgeops image command reference page.

The Upgrade document section is updated to cover the new format of the forgeops command and the ForgeOps deployment environment. Learn more in the Upgrade and Migration Overview section.

The amster command has been subsumed in the forgeops amster command. Learn more in the Troubleshooting amster pod section.

You can set FORGEOPS_ROOT parameter to specify the local folder that contains the Docker, Helm, and Kustomize configurations. This allows you to keep your changes in a separate Git repository. You can create a ~/.forgeops.conf file with your overrides. Your development team can place a forgeops.conf file in their FORGEOPS_ROOT location which contains team-wide settings.

You can now get a list of supported platform releases and their latest flags using the forgeops info --list-releases command.

You can now define and update PingGateway node configuration parameters, such as CPU, memory, replicas, and pull policy in a ForgeOps deployment environment. This lets you install PingGateway quickly in a ForgeOps deployment.

The version of pyyaml is updated. Run the [.command]forgeops configure# command to update your libraries.

The timestamp issue in the forgeops info --env-name has been fixed.

Helm pre-install hooks are now used to deploy DS certificates. These certificates are no longer deleted when the Helm chart is uninstalled.

Updated the AM service in the Helm chart to use HTTPS target port.

Prometheus default ports and labels have been updated to match the new Helm chart.

The procedures to upgrade ForgeOps artifacts and component images are revised. Learn more in Upgrade and Migration Overview.

We’ve added sample storage class definition files required for ForgeOps deployment. This helps users who set up Kubernetes clusters without using the ForgeOps-provided Terraform manifests.

Because we’ve removed the forgeops-minikube script, we’ve revised the steps to create a minikube cluster to use the generic minikube command. Learn more about creating a minikube cluster here.

We’ve added the step to create the fast storage class required for ForgeOps deployment on minikube.

Revised the procedure to perform ForgeOps deployment on minikube using generic Kubernetes tools rather than proprietary forgeops-minikube utility.

The master branch of forgeops repository is no longer used. The ForgeOps artifacts are released from the main branch. The latest Docker images are tagged as dev images. You can view the available Docker images using the forgeops image command.

Ping Identity now supports ForgeOps-provided Docker images. We’ve revised the documentation and removed the "unsupported" admonition.

Removed the legacy docker/ds/idrepo and docker/ds/cts directories. The content that was in docker/ds/ds-new is now in docker/ds.

The ldif-importer component uses the DS Docker image, you don’t need to build a separate Docker image. The required ldif-importer scripts are mounted to the ldif-importer pod using a configmap.

The new forgeops command reference contains more information on the new forgeops command.

Learn more about the new ForgeOps release process here

Learn more about customizing DS image in the new section on Customizing DS image.

Learn more about the new ForgeOps release process

The new forgeops command is supported, so we’ve moved the corresponding documentation pages to the Reference section. Learn more in the forgeops command reference.

Considering the ForgeOps-provided docker images are supported, you need to build base Docker images only in special cases. Accordingly, we’ve moved the Base Docker Images section to the Reference section.