ForgeOps

CDK deployment

After you’ve set up your environment, deploy the CDK:

  1. Set the active namespace in your local Kubernetes context to the namespace that you created when you performed the setup task.

  2. Deploy the CDK:

    Use either the forgeops command or Helm (technology preview).

    Use the forgeops command:

    $ cd /path/to/forgeops/bin
    $ ./forgeops install --cdk --fqdn cdk.example.com

    By default, the forgeops install --cdk command uses the evaluation-only Docker images for release 7.4.0 of the platform, available from ForgeRock’s public registry. However, if you’ve built custom images for the ForgeRock Identity Platform, the forgeops install --cdk command uses your custom images instead.

    If you prefer not to deploy the CDK using a single forgeops install command, refer to Alternative deployment techniques for more information.

    The forgeops install command does not use the kustomization.yaml file during deployment. Therefore, any configuration changes you incorporate in the kustomization.yaml file will not be used by the forgeops install command.

    Use Helm (technology preview):

    On Minikube, set the storage class for the DS volume claims explicitly:

    $ cd /path/to/forgeops/charts/scripts
    $ ./install-prereqs
    $ cd ../identity-platform
    $ helm upgrade identity-platform \
      oci://us-docker.pkg.dev/forgeops-public/charts/identity-platform \
      --install --version 7.4 --namespace my-namespace \
      --set 'ds_idrepo.volumeClaimSpec.storageClassName=standard' \
      --set 'ds_cts.volumeClaimSpec.storageClassName=standard' \
      --set 'platform.ingress.hosts={cdk.example.com}'

    On shared GKE, EKS, or AKS clusters, the cluster’s default storage class is used:

    $ cd /path/to/forgeops/charts/scripts
    $ ./install-prereqs
    $ cd ../identity-platform
    $ helm upgrade identity-platform \
      oci://us-docker.pkg.dev/forgeops-public/charts/identity-platform \
      --install --version 7.4 --namespace my-namespace \
      --set 'platform.ingress.hosts={cdk.example.com}'

    When deploying the platform with Docker images other than the public evaluation-only images, you’ll also need to set additional Helm values such as am.image.repository, am.image.tag, idm.image.repository, and idm.image.tag. For an example, refer to Redeploy AM: Helm installations (technology preview).

    ForgeRock only offers ForgeRock software or services to legal entities that have entered into a binding license agreement with ForgeRock. When you install ForgeRock’s Docker images, you agree either that: 1) you are an authorized user of a ForgeRock customer that has entered into a license agreement with ForgeRock governing your use of the ForgeRock software; or 2) your use of the ForgeRock software is subject to the ForgeRock Subscription License Agreement.

  3. In a separate terminal tab or window, run the kubectl get pods command to monitor status of the deployment. Wait until all the pods are ready.

    Your namespace should have the pods shown in this diagram.

  4. Perform this step only if you are running Minikube on an ARM-based macOS system[1]:

    In a separate terminal tab or window, run the minikube tunnel command, and enter your system’s superuser password when prompted:

    $ minikube tunnel
    ✅  Tunnel successfully started
    
    📌  NOTE: Please do not close this terminal as this process must stay alive for the tunnel to be accessible …​
    
    ❗  The service/ingress forgerock requires privileged ports to be exposed: [80 443]
    🔑  sudo permission will be asked for it.
    ❗  The service/ingress ig requires privileged ports to be exposed: [80 443]
    🏃  Starting tunnel for service forgerock.
    🔑  sudo permission will be asked for it.
    🏃  Starting tunnel for service ig.
    Password:

    The tunnel creates networking that lets you access the Minikube cluster’s ingress on the localhost IP address (127.0.0.1). Leave the tab or window that started the tunnel open for as long as you run the CDK.

    Refer to this post for an explanation about why a Minikube tunnel is required to access ingress resources when running Minikube on an ARM-based macOS system.

  5. (Optional) Install a TLS certificate instead of using the default self-signed certificate in your CDK deployment. See TLS certificate for details.
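Step 3 above says to watch kubectl get pods until every pod is ready. The following POSIX shell script is an added example, not part of the forgeops repository or its documentation: it turns that visual check into a pass/fail test over the output of kubectl get pods --no-headers, and wraps it in a polling loop with a timeout. The sample pod listing and the function names all_pods_ready and wait_for_cdk are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the forgeops project): decide whether every pod in the
# CDK namespace is fully ready, from `kubectl get pods --no-headers` output.
# Columns are NAME READY STATUS RESTARTS AGE, so READY is $2 and STATUS is $3.

# all_pods_ready: reads pod lines on stdin. Returns 0 when every pod is
# Running with all of its containers ready (READY reads n/n), 1 otherwise,
# printing each pod that is still not ready. Pods of finished one-shot jobs
# (STATUS Completed) are not blockers and are skipped.
all_pods_ready() {
    awk '
        NF == 0 { next }                       # ignore blank lines
        $3 == "Completed" { next }             # finished job pods are fine
        {
            split($2, r, "/")                  # READY column, e.g. 1/1 or 0/2
            if ($3 != "Running" || r[1] != r[2]) {
                printf "not ready: %s (%s %s)\n", $1, $2, $3
                bad++
            }
        }
        END { exit (bad > 0) ? 1 : 0 }
    '
}

# wait_for_cdk NAMESPACE [TIMEOUT_SECONDS]: poll the live cluster every 10s
# until all_pods_ready succeeds or the timeout (default 600s) elapses.
# Assumes kubectl is already pointed at the cluster hosting the CDK.
wait_for_cdk() {
    ns="$1"; timeout="${2:-600}"; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if kubectl get pods -n "$ns" --no-headers | all_pods_ready; then
            echo "all pods in $ns are ready"
            return 0
        fi
        sleep 10; elapsed=$((elapsed + 10))
    done
    echo "timed out after ${timeout}s waiting for pods in $ns" >&2
    return 1
}

# Constructed sample listing (not captured from a real cluster): one pod is
# still being created, so the check reports it and fails.
SAMPLE_PODS='am-7d4b9c6f8-q2xkz    0/1   ContainerCreating   0   30s
ds-idrepo-0            1/1   Running             0   2m
idm-5b8c7d9f6-l9m2n    1/1   Running             0   1m'

printf '%s\n' "$SAMPLE_PODS" | all_pods_ready || echo "sample namespace is not ready yet"
```

Against a real deployment, run wait_for_cdk my-namespace in place of watching kubectl get pods by hand; a pod stuck in CrashLoopBackOff or Error is reported by name rather than silently holding up the loop.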

Alternative deployment techniques

If you prefer not to deploy the CDK using a single forgeops install command, you can use one of these options:

  • Deploy the CDK component by component instead of with a single command. Staging the deployment can be useful if you need to troubleshoot a deployment issue.

  • The forgeops install command generates Kustomize manifests that let you recreate your CDK deployment. The manifests are written to the /path/to/forgeops/kustomize/deploy directory of your forgeops repository clone. Advanced users who prefer to work directly with Kustomize manifests that describe their CDK deployment can use the generated content in the kustomize/deploy directory as an alternative to using the forgeops command:

    • Generate an initial set of Kustomize manifests by running the forgeops install command. If you prefer to generate the manifests without installing the CDK, you can run the forgeops generate command.

    • Run kubectl apply -k commands to deploy and remove CDK components. Specify a manifest in the kustomize/deploy directory as an argument when you run kubectl apply -k commands.

    • Use GitOps to manage CDK configuration changes to the kustomize/deploy directory instead of making changes to files in the kustomize/base and kustomize/overlay directories.

1. For example, systems based on M1 or M2 chipsets.