ForgeOps

ForgeOps 2026.1 release notes

Subscribe to the ForgeOps 2026.1 RSS feed to get notifications when there are updates to ForgeOps 2026.1 documentation.

Learn more about configuring GitHub notifications here so you can get notified on ForgeOps releases.

Important information for this ForgeOps release:

Validated Kubernetes, Ingress-NGINX Controller, HAProxy Ingress, cert-manager, and operator versions for deploying Ping Identity Platform 2026.1.0

Link

Limitations when deploying Ping Identity Platform 2026.1.0 on Kubernetes

Link

More information about the evolving nature of the forgeops repository, including technology previews, legacy features, and feature deprecation and removal

Link

Legal notices

Link

An archive of release notes for 2024 and before are available from ForgeOps release 7.5 documentation

Link

Archive of release notes in 2023 and earlier are available from ForgeOps release 7.4 documentation

Link

2026

New features and updated functionality in 2026.1.0

Availability of newer Ping Identity platform product images

The following new secure images are available for ForgeOps deployment:

Secret agent updated

The secret agent has been updated to version 1.2.11 which fixes the bugs in the version 1.12.9 and 1.2.10.

Helm 4 support

You can now use Helm 4 to deploy ForgeOps. Helm 4 has been tested with the ForgeOps 2026.1 release.

New --retain option for troubleshooting Amster

You can use the --retain duration option with forgeops amster import and forgeops amster export commands to keep the amster pod running for the specified duration.

Direct debug-logs output to a file

You can now direct the debug-logs command output directly to a file. This is useful for long-running log collection and allows you to view the output file. Learn more in Kubernetes logs and other diagnostics.

Increased TTL

Amster, ds-set-passwords, and keystore-create jobs will now remain for two hours after completion to allow viewing logs. This value can be amended.

Moved upgrade logic to env command

The forgeops upgrade functionality has been moved to the forgeops env as an option. You can now run the command as:

forgeops env --env-name my_env --upgrade

Display a message when requested image version isn’t available

The forgeops image command informs users when the selected image version is not available for a product, instead of selecting the next available version in the background. This avoids confusion when addressing version specific issues.

Ability to specify external DS hosts in the Helm chart

You can now specify host names external to the ForgeOps deployment environment. See platform.external_ds in charts/identity-platform/values.yaml for more info.

Updated python dependency versions

The python dependencies have been updated in lib/python/requirements.txt. Use forgeops configure to update your Python virtual environment (.venv) and run forgeops commands within the Python venv.

Ability to build am-config-upgrader image

Added the am-config-upgrader/Dockerfile file. You can now build an am-config-upgrader image with the forgeops build command.

Update to forgeops repository directories

The content in forgeops repository has been reorganized. Learn more in forgeops directories and files.

Added a note about deploying with custom certificates

A cautionary note has been included in the Deployment section to indicate that the self-signed certificate provided with ForgeOps artifacts is not suitable for production or for integration with other applications.

Bugfixes

Fixed bug in base-generate.sh

A step was missing in base-generate.sh that prevented the updated files from being placed properly. It now copies the results of helm template into the proper location.

Fixed bugs in amster

Included the --full option in forgeops amster export to enable exporting all realm entities. The bugs in this option have been fixed.

forgeops amster import src wasn’t overwriting the configuration baked into the image with the provided configuration. This has now been corrected.

forgeops amster export now waits for AM to be up. Previously this function was only included in the import command.

Fixed forgeops upgrade-am-config

The 8.0.2 am-config-upgrader image changed permissions on some files which caused forgeops upgrade-am-config to break. The forgeops upgrade-am-config command now connects to the container as root. This is an ephemeral container running outside the cluster and reduces the security impact.

How-tos

Following articles have been added in how-tos directory in the forgeops repository:

2025

December 11, 2025

Moved use of amster retain option

You can keep the amster job running only as required occasionally during import and export of configurations. Accordingly, the --amster-retain option has been removed from the forgeops env command. The --retain option is included in the forgeops amster export and forgeops amster import commands. Learn more about using --retain options.

Amster bug fixes

  • Using --full option to the forgeops amster export command ensures it exports all realm entities. Bugs with this option have been fixed.

  • The forgeops amster import command now updates the baked configuration in the image with the provided configuration.

  • The forgeops amster export command now waits for AM to be up. Previously, this function was only included in the forgeops amster import command.

December 5, 2025

New secure Docker images released

The following secure Docker images are now available:

  • IDM and DS 8.0.1

  • AM 7.5.2 and 8.0.2

December 1, 2025

Simplify steps to add custom ldap entries

Facilitated addition of custom ldap configuration files to DS setup profiles. Learn more here.

November 21, 2025

PingGateway installation using dedicated Helm chart

Revised Helm installation of PingGateway to use the dedicated chart for PingGateway.

November 19, 2025

Restructured Upgrade section

Rationalized and restructured the Upgrade section of the documentation.

November 12, 2025

Revise kubectl image

The kubectl image used in ForgeOps has been changed to use the alpine image, because the bitnami image isn’t available any longer.

November 05, 2025

Secrets rotation

Documented steps to rotate secrets and passwords used in ForgeOps deployments. Learn more in Secrets Rotation.

October 24, 2025

Quick set up on minikube

Documented a prescriptive section for setting up a minikube cluster and performing ForgeOps deployment. Learn more in Quick deployment on minikube.

October 10, 2025

PingIDM 8.1.0 new patch

New PingIDM 8.1.0 image patch has been released.

ForgeOps Release 2025.2.1

In the ForgeOps 2025.2 release, the team focused on streamlining secrets provisioning and rotation in ForgeOps deployment environments. It’s planned to deprecate the proprietary secret agent operator and move to use a more generic industry-familiar third-party tooling.

Highlights

Provision secrets using the secret generator operator

Forgeops secret generator is used to replace secret agent. The secret generator will be the default secrets provisioning tool in a future release. Learn more about Secret Generator.

Key stores can be provisioned by a Kubernetes job

The key stores can be provisioned using the new keystore-create Kubernetes job. This requires you to set up the secret generator in your ForgeOps deployment. Learn more about Secret Generator.

Trust stores are no longer provisioned by the secret agent

The default root certificate authorities are now provided by OpenSSL in the container. Learn more about providing user-supplied certificates to the truststore.

DS password rotation without downtime

New forgeops rotate command uses multiple userPassword fields enables no downtime DS password rotations.

New script to migrate secrets from secret agent to secret generator

The new migrate.py script assists with migrating secrets enabled by the secret agent to the new secret generator. Learn more about how to migrate secrets to secret generator.

Upgrade Kustomize overlays to use new secrets

New forgeops upgrade command option upgrades your Kustomize overlays to support the new secrets base layout.

New forgeops prereqs command

The forgeops prereqs command enables setting up the prerequisites, such as certificate agent, ingress controller, and secret management. Learn more about the new forgeops prereqs command here.

New secrets reference guide

The new platform secret descriptions and mount points are described in the Secrets Reference.

Documentation Updates

ForgeOps docs are on the Developer site

ForgeOps documentation can now be accessed through the Develop with Ping Identity site. To access ForgeOps documentation from there, click Build > ForgeOps.

New Technology Preview section

A new technology preview section has been added, describing the secret generator and its setup process.

New features and updated functionality

Changed base-generate.sh

The base-generate.sh script, creates kustomize/base from the Helm chart, We’ve updated the base-generate.sh script to use the --output-dir option with helm template to generate individual template files. This allowed removing logic from the Helm chart.

Ability to provide custom secrets

We’ve updated the platform.secrets functionality to allow for adding custom secrets. This enables users to use an alternate secrets provider such as external-secrets, or add extra secrets without having to use secret-generator. The Helm value platform.secret_generator_enable has been renamed to platform .secrets_enabled.

Bugfixes

Fixed backwards compatibility of PingAM images built from 2025.2.0

In the ForgeOps release 2025.2.0, the import-pem-certs.sh script was moved from the docker/am directory in PingAM docker image to a configmap. Because the script isn’t available as a configmap in release 2025.1.x, the latest AM images built for ForgeOps 2025.2.0 fail when deployed to a ForgeOps 2025.1.x environment. To fix this issue, the import-pem-certs.sh script is added back to the docker/am directory in the PingAM image.

Bitnami images not available on Docker Hub

The Bitnami images are no longer available from Docker Hub. So we’ve switched to use the Alpine kubectl image for the keystore-create and ds-snapshot jobs.

Fixed no downtime password rotations for legacy installs

In 2025.2.0, we added the ability to perform DS passwords rotation with no downtime. This requires allow-mutliple-password-values to be set to true in the default and root password policies. This was added to docker/ds/ds-setup.sh, but that’s only effective for fresh deployment. We’ve added the dsconfig commands necessary to enable no downtime password rotations to the startup for DS pods.

Documentation updates

ForgeOps documentation for 2025.2 release is updated to cover ForgeOps 2025.2.1 release.

Secrets rotation

The procedure to perform secrets rotation without downtime has been added in the Technology Preview section. Learn more at Secrets Rotation.

How To on custom secrets

Added the [How to add custom secrets] page that describes how to create custom secrets with secret-generator. It also describes how to use the same platform.secrets dictionary to use an alternate Kubernetes secrets provider.

September 10, 2025

Documentation update

Updated the TLS certificate section.

ForgeOps Release 2025.2.0

Highlighted new features

The main highlights of ForgeOps release 2025.2 are covered in the What’s new in ForgeOps 2026.1. Additional improvements and bug fixes are covered here.

Other improvements

New secret agent release available

We’ve released the new secret agent 1.2.11 to resolve the latest security vulnerabilities.

New Ping Identity Platform product versions available

The following product releases are also available for use in ForgeOps deployments:

Option to provision keystores without the secret agent

When secret-generator and keystore-create Kubernetes jobs are enabled, a single keystore is created for PingAM and PingIDM, and the keystore configurations are consolidated under the keystore_create.config Helm values.

Truststore no longer provisioned by the secret agent

OpenSSL now provides the default root certificate authorities. Users can provide additional certificates through the Helm chart.

Removed curl from ldif-importer and amster jobs

Curl often has security vulnerabilities, and is removed from ldif-importer and amster jobs. Curl has been replaced with:

  • ldapsearch in ldif-importer job.

  • wget in amster job.

New forgeops rotate command

This new command helps with no downtime in DS password rotations for the ds-env-secrets and ds-passwords secrets. It creates old-ds-env-secrets and old-ds-passwords secrets that are used by the ds-set-passwords job and the init container to maintain the old passwords during the rotation process.

New forgeops upgrade command

Use this command to upgrade existing Kustomize overlays. It’s used to update the secrets child overlay with the new structure and to update the ForgeOps-provided default overlay in the future.

If you use an alternate default overlay, upgrade that one first. Test the upgraded overlay to ensure that all your customizations are retained.

Expanded section on alternate release files

Customers who need to build their own container images can create their own release files so forgeops image and forgeops info commands can work with these custom images.

Fixes

Fix forgeops amster import/export commands

Reordered the patches in the amster/upload and amster/export sub overlays to manage amster configuration correctly.

Renamed FORGEOPS_ROOT to FORGEOPS_DATA

To reduce confusion, the optional FORGEOPS_ROOT environment variable is renamed FORGEOPS_DATA. The forgeops command prompts and fixes this in the ~/.forgeops.conf file if FORGEOPS_ROOT is detected.

Stop AM failing if the openam container restarts

Ensure the openam container has access to the default boot.json when something causes the container to restart. This is because the fbc-init init container doesn’t run when the openam container restarts so the default boot.json isn’t set for startup.

Fixed a bug in the forgeops info command

The forgeops info -e my-env command would throw an exception when an image has a tag that is not in the form x.y.z. This was due to a bug in lib.python.releases.is_valid_release(). It now returns false if a tag doesn’t match that pattern.

Fixed a bug in the forgeops build command

The forgeops build command didn’t work properly if the proper tag was not provided. It now will use latest if a tag is not specified.

July 22, 2025

Documentation updates

Limitations updated

Learn more about the updated ForgeOps limitations Limitations.

The ldif-importer job renamed ds-set-passwords

The ldif-importer Kubernetes job was used for setting and importing DS passwords. The Kubernetes job is renamed ds-set-passwords to clearly state its purpose.

July 11, 2025

Documentation updates

Updated support page

The support page has been updated to clarify the product lifecycle support. Learn more at ForgeOps Lifecycle Policy.

July 8, 2025

Documentation updates

Documented the forgeops prereqs command

Added the forgeops prereqs command and replaced install-prereqs to install ForgeOps prerequisites. Learn more in the forgeops prereqs command reference.

July 1, 2025

Documentation updates

Added the secret generator in technical preview

Included a new technical preview section highlighting the use secret generator as the secret management utility. Learn more in Secret Generator.

June 4, 2025

Documentation updates

Added reference for secrets

Included a section to describe the different Kubernetes secrets used in ForgeOps. Learn more in Secrets Reference.

May 21, 2025

Documentation updates

Workaround for AM base image creation

The script used for generating AM base image from AM zip file had a flaw. A workaround has been documented. Learn more in Base Docker images.

May 6, 2025

Documentation updates

Updated AM version to 8.1.0

Steps to build customized base images are updated to use AM-8.1.0. Learn more at Base Docker images.

Updated Java version

Steps to build customized base images are updated to use Java version 21. Learn more at Base Docker images.

May 1, 2025

New ForgeOps 2025.1.2 released

New features and updated functionality

New PingGateway version available

PingGateway 2025.3.0 Docker image has been released. The forgeops command has been updated to deploy PingGateway in a ForgeOps deployment.

Updated PingGateway deployment to use the new admin endpoint

PingGateway has two endpoints now:

  • /ig the main entry point to PingGateway

  • /admin the API of the PingGateway administration, containing the /ping handler used for live check, for example.

Updated the Kubernetes version to 1.32

The Terraform cluster creation manifests have been updated to use Kubernetes version 1.32 on all platforms.

Custom environment variables in Helm chart

Implemented a mechanism to define extra environment variables for AM, IDM and custom variables to the platform configuration map.

Update the values.yaml file for your environments with the desired configuration. The env arrays should contain maps of Kubernetes environment configurations. The following sections in the charts/identity-platform/values.yaml file contain examples:

  • platform.configMap.data: Map of custom key,value pairs for platform-config

  • platform.env: Shared custom environment variables

  • am.env: AM custom environment variables

  • idm.env: IDM custom environment variables

The install-prereqs script is updated

The following new features have been added to the install-prereqs script:

  • A usage statement.

  • The --upgrade flag for easy upgrading of prereqs.

  • The ability to provide a config file to pin versions.

Prometheus and Grafana added to the Helm chart

Added the ability to enable Prometheus and Grafana in the Helm chart.

Improved release detection

Using forgeops image and forgeops info commands, you can now look for and select a newer version, skipping the version you specified in the command if it isn’t available.

Bugfixes

Fix --amster-retain option

Added the --amster-retain option to the forgeops env command. You can configure a ForgeOps deployment environment to keep the amster pod running for troubleshooting purposes.

Fix VolumeSnapshots in Kustomize deployments

The forgeops env command now adds a patch to update the namespace when enabling volume snapshots.

Removed Features

Removed the forgeops generate command

The deprecated forgeops generate command has been removed.

Removed the separate scripts to deploy certmanager and secret-agent

The certmanager-deploy.sh and secret-agent scripts have been removed in favor of the charts/scripts/install-prereqs script, which includes steps to deploy certmanager and secret-agent.

April 24, 2025

ForgeOps updates

Platform product Docker images released

The following platform Docker images have been released:

PingAM

8.1.0

PingAM configuration upgrader

8.1.0

Amster

8.0.1

PingDS

8.0.0

PingIDM

8.0.0

PingGateway

2025.3.0

admin-ui

8.0.0

end-user-ui

8.0.0

April 22, 2025

ForgeOps updates

The debug-logs utility updated

The debug-log utility is updated to use the new ForgeOps deployment environments and parameters. Learn more in Kubernetes logs and other diagnostics.

April 17, 2025

ForgeOps updates

Updated Docker image for PingGateway

The Docker image for PingGateway is updated to 2025.11.1.

April 15, 2025

Documentation update

Moved Ingress and Benchmark sections

Ingress and Benchmark sections are moved from the Prepare branch to the Reference navigation branch.

April 9, 2025

Documentation updates

Third-party software

Updated the list of third-party software required for ForgeOps deployment. Included third-party software requirement in the Getting Started section. Learn more at your cluster environment at Setup overview.

ForgeOps updates

Prometheus update

Monitoring tools Grafana and Prometheus have been updated to use the latest versions, along with newer monitoring endpoints. Learn more at About ForgeOps deployment monitoring.

April 4, 2025

Documentation updates

Removed the disaster subcommand from the ds-debug command

The DS team has removed the disaster subcommand from the ds-debug command. Accordingly, that subcommand description is removed from the Troubleshooting section.

Fixed the name of the ingress controller used

The name of the ingress controller used by default in ForgeOps deployment is corrected to Ingress-NGINX controller.

Corrected steps to install PingGateway

Procedures to install PingGateway are corrected. Learn more at Deploy PingGateway and Custom PingGateway image.

March 19, 2025

Documentation updates

Revise steps to enable volume snapshots

The steps to enable volume snapshots have been simplified with the use of the forgeops env command. Learn more in Backup and restore using volume snapshots.

Command reference for forgeops image

Added the command reference for the forgeops image command. Learn more at the forgeops image command reference page.

March 05, 2025

Documentation updates

Revamp the Upgrade section

The Upgrade document section is updated to cover the new format of the forgeops command and the ForgeOps deployment environment. Learn more in the Upgrade and Migration Overview section.

Update the Troubleshooting amster section

The amster command has been subsumed in the forgeops amster command. Learn more in the Troubleshooting amster pod section.

February 19, 2025

New ForgeOps 2025.1 released

New features and updated functionality

Ability to set FORGEOPS_ROOT

You can set FORGEOPS_ROOT parameter to specify the local folder that contains the Docker, Helm, and Kustomize configurations. This allows you to keep your changes in a separate Git repository. You can create a ~/.forgeops.conf file with your overrides. Your development team can place a forgeops.conf file in their FORGEOPS_ROOT location which contains team-wide settings.

You can clone the forgeops repository and check out only the version tag you need. This makes it easier to keep track of the ForgeOps version you’re using and upgrade to a newer version consistently.

Don’t create or modify the forgeops.conf file in the /path/to/forgeops_repo/ directory.
forgeops info command can provide release information

You can now get a list of supported platform releases and their latest flags using the forgeops info --list-releases command.

You can get details for any release on releases.forgeops.com using the forgeops info --release xyz command.

forgeops env command supports PingGateway

You can now define and update PingGateway node configuration parameters, such as CPU, memory, replicas, and pull policy in a ForgeOps deployment environment. This lets you install PingGateway quickly in a ForgeOps deployment.

Version of pyyaml is updated

The version of pyyaml is updated. Run the [.command]forgeops configure# command to update your libraries.

Bugfixes

forgeops info --env-name command has been fixed

The timestamp issue in the forgeops info --env-name has been fixed.

DS certificates are now deployed in Helm pre-install

Helm pre-install hooks are now used to deploy DS certificates. These certificates are no longer deleted when the Helm chart is uninstalled.

AM service target ports are updated

Updated the AM service in the Helm chart to use HTTPS target port.

Prometheus ports are updated

Prometheus default ports and labels have been updated to match the new Helm chart.

Documentation updates

Upgrade procedures revised

The procedures to upgrade ForgeOps artifacts and component images are revised. Learn more in Upgrade and Migration Overview.

February 10, 2025

New features and updated functionality

Added sample storage class definition files

We’ve added sample storage class definition files required for ForgeOps deployment. This helps users who set up Kubernetes clusters without using the ForgeOps-provided Terraform manifests.

Documentation updates

Updated the procedure to set up minikube cluster

Because we’ve removed the forgeops-minikube script, we’ve revised the steps to create a minikube cluster to use the generic minikube command. Learn more about creating a minikube cluster here.

Updated the procedure to perform ForgeOps deployment on minikube

We’ve added the step to create the fast storage class required for ForgeOps deployment on minikube.

January 27, 2025

Documentation updates

Revised instruction for deployment on minikube

Revised the procedure to perform ForgeOps deployment on minikube using generic Kubernetes tools rather than proprietary forgeops-minikube utility.

Learn the revised steps to perform ForgeOps deployment on minikube:

January 13, 2025

New features and updated functionality

The ForgeOps releases are based on the main branch

The master branch of forgeops repository is no longer used. The ForgeOps artifacts are released from the main branch. The latest Docker images are tagged as dev images. You can view the available Docker images using the forgeops image command.

New forgeops command

  • The forgeops-ng command has been renamed forgeops. The new forgeops command subsumes all the functionality provided by the previous version of forgeops command. The previous version of the forgeops-ng command has been removed.

  • The process of deploying and managing ForgeOps deployments has been improved with the use of provisioning environments with the forgeops env command for both Kustomize and Helm user environments. Learn more about the forgeops env command in the forgeops env command].

  • Provided an option to select the Docker image as appropriate for a user deployment with the forgeops image command.

  • You can view configured environments and product versions using the forgeops info command.

Learn more in forgeops command reference

ForgeOps-provided Docker images are now supported

Ping Identity now supports ForgeOps-provided Docker images. We’ve revised the documentation and removed the "unsupported" admonition.

New supported product versions

Platform UI

7.5.1

PingAM

7.4.1, 7.5.1

PingDS

7.4.3, 7.5.1

PingGateway

2024.6.0, 2024.9.0, 2024.11.0

PingIDM

7.5.0
Removed legacy DS docker directories

Removed the legacy docker/ds/idrepo and docker/ds/cts directories. The content that was in docker/ds/ds-new is now in docker/ds.

Removed the requirement to build ldif-importer

The ldif-importer component uses the DS Docker image, you don’t need to build a separate Docker image. The required ldif-importer scripts are mounted to the ldif-importer pod using a configmap.

Documentation updates

New forgeops command reference

The new forgeops command reference contains more information on the new forgeops command.

Description of the release process

Learn more about the new ForgeOps release process here

New section on customizing DS image

Learn more about customizing DS image in the new section on Customizing DS image.

2024

December 05, 2024

Documentation updates

Added description of the release process

Learn more about the new ForgeOps release process

Moved the forgeops command description and reference to the Reference section

The new forgeops command is supported, so we’ve moved the corresponding documentation pages to the Reference section. Learn more in the forgeops command reference.

The previous version of the forgeops utility is not supported in this ForgeOps release. It continues to be supported in ForgeOps 7.5 and 7.4, as long as the corresponding Ping Identity Platform components are supported.
Moved Base Docker Image page to the Reference section

Considering the ForgeOps-provided docker images are supported, you need to build base Docker images only in special cases. Accordingly, we’ve moved the Base Docker Images section to the Reference section.