ForgeOps 7.2 release notes

New evaluation-only Docker images are now available for the following versions of ForgeRock Identity Platform components:

This documentation has been updated to refer to these new versions of Docker images.

For more information about changes to the ForgeRock Identity Platform, refer to the Release Notes for platform components at https://backstage.forgerock.com/docs.

To upgrade to the new versions, you’ll need to rebuild your custom Docker images. Refer to Base Docker Images for instructions.

The benefit of this change is that the forgeops install command now pulls small Docker images, or, in some cases, no Docker images at all. Therefore, the forgeops install command should run faster, and timeouts caused by slow image pulls are eliminated.

A new task to initialize deployment environments has been added to the instructions for developing custom Docker images using the CDK.

Before you can use a new deployment environment, you must initialize a directory that supports the environment.

The Support from ForgeRock page has been updated to state that environments that deviate from the published CDK and CDM architecture are not supported. For details, refer to Support limitations.

When you create a cluster for deploying version 7.3 of the platform, use Kubernetes version 1.27.

A new how-to provides steps for upgrading to newer patch releases of version 7.2.

Running the CDK on Minikube on macOS systems with ARM-based chipsets, such as the Apple M1 or M2, is now available on an experimental basis.

Refer to this ForgeRock Community article for details.

A new how-to provides steps for upgrading a version 7.1 CDM to version 7.2.

New steps describe how to build Docker images for Java, and how to base your own base Docker images on those Java images.

forgeops repository branch names now consist of the major and minor release numbers of ForgeRock Identity Platform components, followed by the release date.

Updates for ForgeRock Identity Platform version 7.2 are available in the release/7.2-20240117 branch of the forgeops repository.

The release/7.2-20240117 branch replaces the release/7.2.0 branch. Upgrade to the new branch as soon as possible.

New evaluation-only Docker images are now available for the following versions of ForgeRock Identity Platform components:

The ForgeRock Identity Gateway Docker image remains at version 2023.11.0.

This documentation has been updated to refer to these new versions of Docker images.

For more information about changes to the ForgeRock Identity Platform, refer to the Release Notes for platform components at https://backstage.forgerock.com/docs.

To upgrade to the new versions, you’ll need to rebuild your custom Docker images. Refer to Base Docker Images for instructions.

A reference for the forgeops command is now available here.

Deployment environments let you manage deployment manifests and image defaulters for multiple environments in a single forgeops repository clone.

Specify a deployment environment by using the forgeops command’s new --deploy-env option.

By default, the image defaulter and generated Kustomize manifests reside in the kustomize/deploy directory.

Each deployment environment has its own image defaulter, located in the kustomize/deploy-environment/image-defaulter directory.

When you specify a deployment environment, Kustomize manifests are generated in the kustomize/deploy-environment directory. For example, if you ran forgeops generate --deploy-env production, Kustomize manifests would be placed in the kustomize/deploy-production directory.

Three additional limitations on DS in CDK and CDM deployments are now documented here:

Please note that these are not new limitations. They had inadvertently been omitted from the DS limitations section in the documentation.

When you create an EKS cluster for deploying version 7.2 of the platform, use Kubernetes version 1.22.

When you deploy the NGINX Ingress Controller in your CDM cluster, use version 1.4.0^[1] or higher.

In previous versions, AM object deletion was not implemented in the bin/config export command. If you deleted objects from the CDK’s AM configuration, and then exported the configuration, the deleted objects remained in your configuration profile in many instances.

A new step to back up the Kubernetes secrets that contain the DS master and TLS keys has been added to the instructions for deploying the CDM.

It is extremely important to back up these secrets and retain them in a secure location. Loss of these secrets could result in the inability to restore data from backups.

The Secret Agent operator page previously stated that the Secret Agent operator generates all secrets required for a ForgeRock Identity Platform deployment.

This page has been corrected to state that the Secret Agent operator generates all secrets required for a ForgeRock Identity Platform deployment except for the DS master and TLS keys. In version 7.2, the DS operator calls the certificate manager to generate these two keys.

The recommendation that you always configure cloud secret management has been relaxed. ForgeRock now recommends that you configure cloud secret management only when you have multiple deployments that need to use the same secrets.

The Base Docker images page has been significantly updated. A new section, Create Docker images for use in production, explains how to build customized Docker images for the ForgeRock Identity Platform that:

A new forgeops command is now available in the bin directory of the forgeops repository. Use this new command to:

To obtain ForgeRock Identity Platform passwords after installing the CDK or CDM, run the forgeops info command.

With this release, the DS operator moves from technology preview status to evolving status.

The DS operator is now supported for use with the CDK and the CDM, and for production deployments of the ForgeRock Identity Platform.

You can migrate an existing deployment of the ForgeRock Identity Platform on Kubernetes to use the DS operator. Details here.

A new way to deploy the CDM is now available:

You’ll find the documentation for the new technology CDM here.

Sample artifacts for a multicluster deployment of the ForgeRock Identity Platform on Google Cloud are available in the forgeops repository.

The sample includes:

For details about the sample, see the multicluster README. Note that the sample artifacts are available for Google Cloud only.

Configuration profiles, formerly in the config directory of the forgeops repository, now reside in the docker directory. Utility scripts have been modified to accommodate the new location. Intermediate 7.0 directories are no longer used.

For more information about the location of configuration profiles, see Configuration profiles.

This change impacts CDK deployment as follows:

The name of the IDM evaluation-only Docker image repository has been changed to gcr.io/forgerock-io/idm-cdk. This image repository was formerly named gcr.io/forgerock-io/idm.

The IDM canonical configuration for the CDK has been incorporated into the idm-cdk Docker image.

Because of this, you no longer need to copy files from the docker/idm/config-profiles/cdk directory when you initialize a new configuration profile. Simply create a new subdirectory under the docker/idm/config-profiles directory.

For an updated procedure for creating a new configuration profile, see Create a configuration profile.

The new bin/ds-debug.sh script lets you obtain diagnostic information for any DS pod running in your cluster. It also lets you perform several cleanup and recovery operations on DS pods.

For more information, see Debug script.

The RCS Agent is no longer available in the CDM and CDK deployments.

Building your own rcs-agent_docker_image Docker image is no longer required when deploying the ForgeRock Identity Platform on Kubernetes.

The LDIF importer is no longer used in CDM and CDK deployments.

Building your own ldif-importer Docker image is no longer required when deploying the ForgeRock Identity Platform on Kubernetes.

The ds-idrepo-2 replica is now deployed as part of the CDM for failover purposes.

Previously, IDM was not able to use a third ds-idrepo replica, so the number of ds-idrepo replicas was set at 2. A recent enhancement to IDM lets additional replicas be used for failover, so a third replica has been added to the CDM architecture.

Small CDM clusters now have 2 AM pods. Previously, they had 3 AM pods.

The Release Notes now document the limitation that the CDK and CDM are not preconfigured to support IDM’s workflow engine.

Note that this limitation has existed since version 7.0 of the platform, when the CDK and CDM starting using DS as the IDM repository.

The forgeops install command now installs cert-manager as part of CDK and CDM deployment.

Because of this, the steps for configuring the CDK and CDM to use a certificate from a CA have changed. See TLS certificate for details.

The new cluster/minikube/cdk-minikube utility lets you create a Minikube cluster that’s configured for running the CDK.

The Minikube cluster page now includes an example of how to run this utility.

It’s now recommended that you use the Hyperkit driver for Minikube clusters on macOS systems, and the Docker driver for Minikube clusters on Linux systems.

ForgeRock has tested Minikube clusters with these two drivers, and the new cluster/minikube/cdk-minikube utility creates Minikube clusters with these two drivers by default.

CDK deployments on Minikube now require you to enable the volume snapshots plugin. See Minikube cluster.

The DevOps artifacts for deploying ForgeRock Identity Platform 7.1 are deprecated. You should migrate to version 7.2 as soon as you’re able to.

The former way of deploying the CDM is deprecated.

The documentation for the former way of deploying the CDM, previously in the Cloud Deployment Model (CDM) menu, can be found here.

The following CDM cluster creation and deletion scripts in the /path/to/forgeops/cluster directory are deprecated:

Note that the scripts in the /path/to/forgeops/cluster/minikube directory are not deprecated.

The schedule-backups.sh script is deprecated, and ForgeRock recommends that you change your backup strategy to use the new backup techniques introduced in this release as soon as possible.

Adding dynamic AM configuration to the amster Docker image is deprecated.

Instead, import and export dynamic configuration in and out of the CDK and CDM using utilities such as:

The IDM canonical configuration has been removed from the docker/idm/config-profiles/cdk directory. The configuration is now incorporated into the idm Docker image from Forge Rock.

It’s no longer necessary to copy files from this directory when initializing a new configuration profile.

For an updated procedure for creating a new configuration profile, see Create a configuration profile.

The ability to install the CDK using the skaffold run command, deprecated in version 7.1, is no longer available.

Use the bin/forgeops install command instead.

The cdk command has been removed from the forgeops repository.

Instead, use the new forgeops command to install ForgeRock Identity Platform components into the CDK, build custom Docker images, and delete components from the CDK. Note that for installing components into the CDK, you’ll need to specify the --cdk option. For example, forgeops install am --cdk.

See CDK deployment and Staged CDK and CDM installation for examples.

The print-secrets command

The forgeops info command provides equivalent functionality in this version of the forgeops repository.