Highlights
June 30, 2022
- New forgeops command
-
A new forgeops command is now available in the bin directory of the
forgeops
repository. Use this new command to:-
Install the CDK. The forgeops command replaces the cdk command in version 7.1. The cdk command is deprecated in version 7.5.
To install Ping Identity Platform components in the CDK, run the forgeops install command with the --single-instance option.
-
Install the CDM. Refer to New CDM deployment technology.
To obtain Ping Identity Platform passwords after installing the CDK or CDM, run the forgeops info command.
-
- DS operator released from technology preview status
-
With this release, the DS operator moves from technology preview status to evolving status.
The DS operator is now supported for use with the CDK and the CDM, and for production deployments of the Ping Identity Platform.
You can migrate an existing deployment of the Ping Identity Platform on Kubernetes to use the DS operator. Details here.
- New CDM deployment technology
-
A new way to deploy the CDM is now available:
-
Deploying the CDM is generally simpler and faster.
-
The forgeops install command, already used for CDK deployments, has been enhanced to support CDM as well. Refer to ForgeOps deployment for an example.
-
As with CDK deployment, you can deploy the entire CDM with a single forgeops install command. You can also deploy individual CDM components one at a time, review the results, and then deploy the next component. Deploying the platform one component at a time can make troubleshooting simpler if you run into a problem.
For a list of CDM components you can install one at a time, run the forgeops install -h command.
-
The CDM’s deployment namespace is no longer required to be
prod
, and the deployment FQDN is no longer required to bemy-namespace.iam.example.com
. Use the forgeops install command’s--namespace
and--fqdn
arguments to specify your desired deployment namespace and FQDN. Refer to ForgeOps deployment for an example. -
The forgeops install command is idempotent. The command checks the installation status of a component before it attempts to install it. For example, if you run the forgeops install command, and the UI pods are already installed and available, the installer won’t attempt to install the UI a second time unless you’ve specified different Docker images for running it, or modified the Kustomize files that orchestrate it.
-
The image defaulter gives developers fine-grained control over which Docker images are deployed with the CDM. The deployed Docker image no longer needs to be the last image that you built.
-
CDM deployment no longer uses Skaffold. Because of this, users no longer need to configure a default Skaffold repository before deploying the CDM.
-
The CDM incorporates the DS operator, simplifying directory deployment.
-
The forgeops install command incorporates Secret Agent, DS operator, and cert-manager installation. Separate commands are no longer required to install these CDM components.
-
The CDM’s example Prometheus deployment requires cert-manager to be deployed before Prometheus can be deployed. In the new CDM, cert-manager is deployed when you run the forgeops install command. Because of this, you must now deploy the Prometheus, Grafana, and Alertmanager pods after you deploy the CDM.
The bin/certmanager-deploy.sh script is no longer used to deploy cert-manager.
-
Kustomize manifests are now generated in the kustomize/deploy directory when you:
-
Install the CDM using the forgeops install command
-
Run the new forgeops generate command, which only generates the manifests, but does not install the CDM
-
The Kustomize manifests let you:
-
Delete and redeploy CDM components using the kubectl delete and kubectl apply commands
-
More easily manage CDM deployment configuration changes using CI/CD systems
-
The forgeops delete command is now used to delete the CDM from a Kubernetes cluster.
-
-
- Multicluster deployment sample
-
Sample artifacts for a multicluster deployment of the Ping Identity Platform on Google Cloud are available in the
forgeops
repository.The sample includes:
-
Fully meshed multicluster DS topology using Cloud DNS for GKE
-
Global HTTP(S) load balancing across multiple clusters with a multicluster ingress
-
Health checks to manage application-level failover between clusters
-
Proximity-based routing
-
Active/active deployment
-
Failover deployment
-
Blue/green deployment
For details about the sample, refer to the multicluster README. Note that the sample artifacts are available for Google Cloud only.
-
- Configuration profiles moved to
docker
directory -
Configuration profiles, formerly in the
config
directory of theforgeops
repository, now reside in thedocker
directory. Utility scripts have been modified to accommodate the new location. Intermediate7.0
directories are no longer used.For more information about the location of configuration profiles, refer to Configuration Profiles.
This change impacts CDK deployment as follows:
-
The
docker
directory must now be Git-managed, because your configuration profiles are now stored there. -
You can now use Git utilities, such as the git diff command, to review your changes to configuration profiles before you commit them.
-
When building a Docker image with the cdk build command, you must now use the new --config-profile option to specify the configuration profile that is to be included in your Docker image.
-
There is no longer a staging area in the
docker
directory. Previous versions required you to copy configuration (usually from theconfig
directory) to the staging area in thedocker
directory before you built Docker images for the platform. -
The config.sh command is deprecated.
-
You no longer need to use the config.sh init command to initialize the staging area.
-
Instead of using the config.sh export and config.sh save commands to export configuration from a running CDK instance to your configuration profile, use the new config export command. Refer to
am
image andidm
image.
If you are developing custom Docker images for the Ping Identity Platform, you must move existing configuration profiles in the
forgeops
repository from theconfig
directory to the new locations in thedocker
directory before you can work with this version of theforgeops
repository. For example, if you have a configuration profile namedmy-profile
:-
Move the contents of the config/7.0/my-profile/am directory to the path docker/am/config-profiles/my-profile.
-
Move the contents of the config/7.0/my-profile/amster directory to the path docker/amster/config-profiles/my-profile.
-
Move the contents of the config/7.0/my-profile/idm directory to the path docker/idm/config-profiles/my-profile.
-
If present, move the contents of the config/7.0/my-profile/ig directory to the path docker/ig/config-profiles/my-profile.
Do not move the canonical
cdk
configuration profile. Thedocker
directory has already been provisioned with this configuration profile. -
- New CDM backup techniques
-
The CDM now includes two new techniques you can use when implementing data backup:
-
Kubernetes volume snapshots.
Refer to the backup and restore overview for more information.
The schedule-backups.sh script is deprecated, and ForgeRock recommends that you change your backup method to use a different backup and restore solution as soon as possible.
-
July 12, 2021
- New CDK technology released from technology preview status
-
The new way of deploying the CDK, described here, has moved from technology preview status to evolving status.
The documentation for the new way of deploying the CDK, previously in the Technology Previews menu, can now be found in the CDK documentation.
- DS operator supported for use with the CDK
-
The DS operator is now supported for use with demonstration and developer deployments that use the CDK.
May 12, 2021
- New CDK technology preview
-
A first look at a new way to deploy the CDK, and to use the CDK to develop custom Docker images for the Ping Identity Platform with it:
-
The new way of deploying the CDK is generally simpler and faster.
-
The new CDK deployment uses a single DS pod—
ds-idrepo-0
. Functionality provided by the DS CTS pod in previous CDK versions is now merged into the ID repo pod. Deployment with a single DS pod is simpler, faster, and requires less resources than earlier versions. For example, the memory requirement for Minikube deployments decreases from 12GB to 10GB. -
The new cdk install command lets developers deploy the CDK one component at a time. It’s still possible to deploy the entire CDK with a single cdk install command, but you can also deploy individual CDK components one at a time, review the results, and then deploy the next component. Deploying the platform one component at a time can make troubleshooting simpler if you run into a problem.
For a list of CDK components you can install one at a time, run the cdk install -h command.
-
The new cdk install command is idempotent. The command checks the installation status of a component before it attempts to install it. For example, if you run the cdk install command, and the ForgeRock UI pods are already installed and available, the installer won’t attempt to install the UI a second time unless you’ve specified different Docker images for running it, or modified the Kustomize files that orchestrate it.
-
The new cdk build command lets you build custom Docker images for the Ping Identity Platform.
-
The new image defaulter gives developers fine-grained control over which Docker images are deployed with the CDK. The deployed Docker image no longer needs to be the last image that you built.
-
The CDK incorporates the DS operator, simplifying directory deployment. Note that the DS operator remains in technology preview status for CDM deployments.
-
The cdk install command incorporates Secret Agent and DS operator installation. Separate commands are no longer required to install these CDK components.
-
- DS operator technology preview
-
The DS operator uses the Kubernetes operator design pattern to let you easily deploy and manage DS instances running in a Kubernetes cluster. After you install the
ds-operator
custom resource definition (CRD) in a cluster, you can use it to create DS instances, scale them, and manage backup and restore.For more information, see the DS operator README.
- New RCS Agent pod in the CDM
-
The CDM now includes an RCS Agent pod. The RCS Agent is a reliable websocket proxy between remote connector servers and the IDM instances in the CDM.
For more information, refer to ForgeOps architecture.
- Cloud Deployment Quickstart (CDQ)
-
The CDQ is a very quick, single-command deployment of the Ping Identity Platform on a Kubernetes cluster. The CDQ has very limited capabilities.
- New Secret Agent operator
-
The new Secret Agent operator provides secret generation and management services for Ping Identity Platform deployments on Kubernetes. The new Secret Agent operator replaces the deprecated
forgeops-secret
job, which previously was invoked when you deployed the platform using Skaffold.By default, the operator examines your namespace to determine whether it contains all the secrets required for Ping Identity Platform deployment. If any of the required secrets are not present, the operator generates them. Configuration options that let you change this default behavior are available.
In addition to secret generation, the new operator also integrates with Google Cloud Secret Manager, AWS Secrets Manager, and Azure Key Vault, providing cloud backup and retrieval for secrets.
For more information about secret generation options and secret management, see the Secret Agent project README.
- New cluster provisioning scripts
-
This release of the
forgeops
repository introduces thecluster-up.sh
andcluster-down.sh
scripts, which you use to create and delete CDM clusters. These scripts replace the Pulumi scripts previously in the repository.The new scripts are designed to be lightweight, and easy to use and modify. For GKE and AKS, the scripts call the cloud providers' SDKs. For EKS, the scripts call the eksctl CLI.
Instructions for creating clusters using the new scripts are available in the CDM Cookbooks for GKE, EKS, and AKS.
The deprecated Pulumi scripts are still available in the
forgeops
repository, in the/path/to/forgeops/cluster/pulumi-deprecated
directory. They are no longer being maintained or upgraded. You can still use them with Pulumi 2.7.1 before you move to the new scripts.
- Small, medium, and large CDM cluster sizing
-
This release restores the ability to create sized CDM clusters. Before deploying the CDM, you specify one of three cluster sizes:
-
A small cluster with capacity to handle 1,000,000 test users
-
A medium cluster with capacity to handle 10,000,000 test users
-
A large cluster with capacity to handle 100,000,000 test users
-
August 10, 2020
- Docker- and Kubernetes-ready DS
-
This release lifts restrictions on running DS servers in Docker and Kubernetes deployments. Many individual improvements make this possible:
-
Replication improvements let you scale the number of DS replicas in your stateful sets up and down.
-
The new dsrepl command runs well in Docker containers.
-
- DS backup to cloud storage
-
The CDM supports the new dsbackup command. This command lets you back up directory data to, and restore data from cloud storage.
- AM and IDM integration
-
AM and IDM are integrated in CDK and CDM deployments:
-
AM authenticates IDM administrator and end user logins.
-
AM and IDM share a single, replicated DS user store.
-
IDM REST API users must now obtain an authorization code from AM to make API calls. refer to Access the IDM REST APIs for an example.
-
- DS as IDM’s repository
-
IDM now uses DS for repository services. In previous versions, IDM used a PostgreSQL repository.
- AM file-based configuration
-
Kubernetes deployments of the Ping Identity Platform now use file-based configuration, available in AM 7. Implementing file-based configuration necessitated some changes to how AM static and dynamic configuration are managed:
-
AM configuration data is now stored in the
am
Docker image. -
AM configuration data is copied to the /home/forgerock/openam/config directory when AM starts.
-
AM run-time data continues to be stored in the
amster
Docker image (as it was in previous versions). -
After AM starts, an Amster job loads AM run-time data to the application and policy store.
-
Amster jobs are triggered as needed to import and export AM run-time data. The
amster
pod has been removed from the CDK and CDM deployments.
For more information about customizing the AM and Amster Docker images with configuration and run-time data, see Docker Image Development.
-
- Revised DevOps documentation
-
The DevOps documentation is now deployed as a single site, rather than as a set of guides. Find your way around the DevOps documentation set using the navigation menu on the left side of the page. Use the tables of contents on the right side of each page to help you make your way around longer pages.
February 20, 2020
- Docker images include the AM, IDM, and PingGateway configuration
-
In this version, the AM, IDM, and PingGateway configurations are incorporated into the
am
,idm
, andig
Docker images.This change improves Ping Identity Platform startup times. It also eliminates the startup dependency on the availability of an external Git repository.
Configurations for AM, IDM, and PingGateway now reside in the
forgeops
repository’s config directory. Before building a customized Docker image for the Ping Identity Platform, you run the new config.sh script. This script copies a configuration to a staging area in theforgeops
repository’sdocker
directory.For information about customizing Docker images for the Ping Identity Platform, see Docker Image Development.
- Skaffold framework support
-
The
forgeops
repository contains new artifacts that let you deploy the Ping Identity Platform using the Skaffold framework. Deploying with Skaffold lets you:-
Quickly and easily start the Ping Identity Platform.
-
Modify the AM, IDM, and PingGateway configurations.
-
Build updated Docker images that include your configuration changes.
-
Restart the Ping Identity Platform with the updated Docker images.
Before you can use Skaffold with Ping Identity Platform, you’ll need to install Skaffold software on your local computer. Refer to any of the Setup sections in the CDK or CDM documentation for more information.
-
- Kustomize framework support
-
This revision uses the Kustomize framework to orchestrate AM, DS, IDM, and PingGateway on Kubernetes. You no longer use Helm charts to orchestrate the Ping Identity Platform.
Before you can use the Kustomize framework with Ping Identity Platform, you’ll need to install Kustomize software on your local computer. Refer to any of the Environment Setup sections in the CDK or CDM documentation for more information.
- The Cloud Developer’s Kit
-
The Ping Identity Platform documentation now uses the term Cloud Developer’s Kit to describe what was previously referred to as the Kubernetes Examples.
For more information about the Cloud Developer’s Kit, refer to the following:
- Identical configurations for the CDK and the CDM
-
The CDK and the CDM now use uniformly comprehensive AM, IDM, and PingGateway configurations. Examples in the documentation now illustrate full-featured configurations, and are no longer based on minimally viable configurations. See Configuration in the
forgeops
repository’s top-level README file for more information about the configurations.In earlier versions, different configurations were used for CDK and CDM deployments. The Kubernetes Examples used a minimal configuration for AM, IDM, and PingGateway, while the CDM used a more full-featured configuration.
- Pulumi scripts for cluster creation
-
This revision uses Pulumi scripts to create clusters for CDM deployments.
For information about how to create Kubernetes clusters for the CDM using Pulumi, refer to the Setup sections in the CDM documentation.
The previous version used a set of bash scripts for cluster creation. These scripts have been removed from the
forgeops
repository.
- Secrets generator
-
The ForgeRock secrets generator randomly generates all secrets for AM, IDM, and DS services running in the CDK and the CDM. Random secrets generation greatly improves security for CDK and CDM deployments from previous versions.
The secrets generator runs as a Kubernetes job before AM, IDM, and DS are deployed.
- Completely revised AKS Cookbook
-
Because of the previous lack of support in AKS for multiple availability zones for AKS clusters, ForgeRock formerly recommended against deploying the platform on Azure in production. With support for zones now available in AKS, Azure is now a supported platform for production deployments, and the CDM documentation for AKS is no longer designated "evaluation-only."
Changes from the evaluation-only version of the CDM documentation include:
-
The CDM deployment topology on Azure now matches the CDM deployment topology on Google Cloud and AWS.
-
Pulumi scripts demonstrate AKS cluster creation.
-
Benchmark results are available for a sample deployment with 10,000,000 users.
-