ForgeOps release notes
Subscribe to the ForgeOps 2026.2.1 RSS feed to get notified when there's an update to the latest ForgeOps documentation.

Learn more about configuring GitHub notifications here so you can get notified on ForgeOps releases.

- Validated Kubernetes, Ingress-NGINX Controller, HAProxy Ingress, cert-manager, and operator versions for deploying Ping Identity Platform 2026.2
- Limitations when deploying Ping Identity Platform
- More information about the evolving nature of the
- Legal notices
- Archived release notes for ForgeOps 2026.1 are available from the ForgeOps release 2026.1 documentation.
- Archived release notes for ForgeOps 2025.1 and 2025.2 are available from the ForgeOps release 2025.2 documentation.
- Archived release notes for 2024 and before are available from the ForgeOps release 7.5 documentation.
- Archived release notes for 2023 and before are available from the ForgeOps release 7.4 documentation.

2026
ForgeOps 2026.2.1 release features
- SBOM for ForgeOps images

  A Software Bill of Materials (SBOM) is now available for ForgeOps images. The SBOM provides a detailed inventory of the components and dependencies used in ForgeOps images, which can help you identify and manage security vulnerabilities and compliance issues. Learn more in the SBOM article.

- Added self-signed certificate

  A self-signed certificate is now included for testing purposes in minikube environments. This certificate isn't intended for production use and should be used only in test environments.

- Avoid using secret generator

  Because there has been a lack of response from the secret generator project to questions and issues about using secret generator, we don't recommend or use it in ForgeOps environments. We'll be removing it from our artifacts in a future ForgeOps release. We've removed use of secret generator from ForgeOps documentation. Existing environments aren't affected by this change.

- IDM admin UI is deprecated in 8.1

  The IDM administration endpoint is deprecated in Ping Identity Platform 8.1 and will be removed in a future release. You should use the Ping Identity Platform admin UI or IDM REST API to administer user identities instead of the IDM admin UI. Learn more about this change in Platform admin UI for standalone IDM.

ForgeOps 2026.2.0 release features
- Removed `ds-util` container

  The `ds-util` container has been removed because the same tasks can be performed directly on DS pods.

- Read-only root filesystem for init containers (Helm only)

  The init containers of all pods have been reconfigured to enable the `readOnlyRootFilesystem` security context. This has no impact on deployments, but requires that DS stateful sets be recreated. To enable the `readOnlyRootFilesystem` security context, follow these steps.

- Flags to enable or disable security features (Helm only)

  You can enable or disable the new security features in your ForgeOps environment using the `--secure` or `--insecure` flags. By default, new environments are created with the `--secure` flag, so the new security features are enabled.

  The `temp` directory of Tomcat is writeable, so users can continue to edit scripts in AM admin UI even when security is enabled.

  These flags can be enabled or disabled only in ForgeOps environments deployed using Helm.

  To enable the security features in an existing environment:

  1. Run the `forgeops` command:

     ```
     $ cd /path/to/forgeops
     $ ./bin/forgeops env --env-name my-env --secure
     ```

  2. Recreate the DS stateful set using the instructions in the how to recreate an STS article.

- The platform pods deployed as non-root user using user ID

  The AM, DS, and IDM pods are now deployed as the standard non-root user ID `11111` and the username is no longer referred to. The user ID `11111` is a security standard across the platform. This user ID is set in the pod security context as the `runAsUser` property.

- `PodDisruptionBudgets` for product components

  You can enable `PodDisruptionBudgets` for platform product components in the Helm charts for Ping Identity Platform including PingGateway. This feature is disabled by default. You can enable it for each component by setting `component.pdb.enabled: true` in your values file.

  The default policy keeps at least one pod available by setting `minAvailable: 1`. You can change this value by appropriately changing the value of `component.pdb.minAvailable` or `component.pdb.maxUnavailable`.

  The affected components are: `am`, `idm`, `admin-ui`, `end-user-ui`, `login-ui`, `ds-idrepo`, `ds-cts` and `ig` (ping-gateway).

- Supported Ping Identity Platform images

  ForgeOps supports the last three major or minor versions of the Ping Identity Platform images. With the availability of 8.1 images, ForgeOps supports 8.1, 8.0, and 7.5 versions of the platform images, and 7.4 images are no longer supported.

  We recommend that customers upgrade to a newer version of the platform images. Use the upgrade guide to upgrade to the latest image. The older tags remain available on http://releases.forgeops.com until the next major/minor release.

- The `config export no-upgrade` topic is removed from documentation

  The `config export` functionality has been included in the forgeops config export command. Because the forgeops config export command already separates out the upgrade function, this topic is not required in the Troubleshooting section of the documentation. The `no-upgrade` option of `config export` topic is removed from the documentation.

- New `ttl` options for use with `amster` and `ds-set-passwords` jobs

  The `amster` and `ds-set-passwords` jobs now have a time-to-live (TTL) option that you can set to retain these jobs for a specified time. This is useful for jobs that are run manually and need to be retained to run to completion. To use this feature, set the `ttlSecondsAfterFinished` option. The default is 7200 seconds.

  This feature is available in new environments only.

- Ability to define `apiVersion`, `kind`, and `spec` for a secret

  You can now define the `apiVersion`, `kind`, and `spec` for secrets defined in `platform.secrets`. This allows you to define secrets using `external-secrets`.
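
The two pod-hardening changes in the 2026.2.0 notes above (read-only root filesystem on init containers, and the `11111` user ID set through `runAsUser`) can be checked against what is actually running. The following Python audit is an added example, not ForgeOps code; it assumes every container in the pods it is given should run as `11111`, and its sample pod list and container names are constructed.

```python
import json

PLATFORM_UID = 11111  # non-root user ID given in the release notes

# Constructed sample in the shape of `kubectl get pods -o json` output.
# Pod and container names are made up for illustration.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "am-0"},
  "spec": {"securityContext": {"runAsUser": 11111},
   "initContainers": [{"name": "init", "securityContext": {"readOnlyRootFilesystem": true}}],
   "containers": [{"name": "main"}]}},
 {"metadata": {"name": "ds-idrepo-0"},
  "spec": {"securityContext": {"runAsUser": 11111},
   "initContainers": [{"name": "init", "securityContext": {}}],
   "containers": [{"name": "main", "securityContext": {"runAsUser": 0}}]}},
 {"metadata": {"name": "idm-0"},
  "spec": {"containers": [{"name": "main"}]}}
]}
""")

def audit_pod(pod):
    """Return findings for one pod: writable init containers and unexpected UIDs."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    inits = spec.get("initContainers") or []
    findings = []
    for c in inits:
        if (c.get("securityContext") or {}).get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}/{c['name']}: init container root filesystem is writable")
    for c in inits + (spec.get("containers") or []):
        # A container-level runAsUser takes precedence over the pod-level value.
        uid = (c.get("securityContext") or {}).get("runAsUser", pod_uid)
        if uid != PLATFORM_UID:
            shown = "unset" if uid is None else uid
            findings.append(f"{name}/{c['name']}: runAsUser is {shown}, expected {PLATFORM_UID}")
    return findings

def audit(pod_list):
    """Audit every pod in a `kubectl get pods -o json` document."""
    return [f for pod in pod_list.get("items", []) for f in audit_pod(pod)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

To audit a live environment, pass `audit()` the parsed output of `kubectl get pods -n <namespace> -o json` for the AM, DS, and IDM pods instead of `SAMPLE`.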