PingGateway

Deploy FAPI with Kubernetes and Helm

This feature requires PingGateway 2026.6 or later.

Ping Identity provides no commercial support for production deployments that use these evaluation-only Docker images and Helm charts.

For production, you must build and use your own Docker images and Helm charts. Get the FAPI configuration for Docker images from the evaluation-only images. Download the Helm charts from the Ping Identity Download Center.

Learn more about building PingGateway Docker images in Deploying PingGateway with Docker.

As an alternative to manual configuration, you can deploy the PingGateway FAPI components on Kubernetes using Helm. Sample Docker images are available at gcr.io/forgerock-io for evaluation. Sample Helm charts are included in the product distribution.

When you deploy with Kubernetes and Helm, the Docker images contain static configuration for FAPI. The Helm charts configure PingGateway and the sample trusted directory.

The FAPI deployment uses three Helm charts:

  • ig-fapi-pep-as — PingGateway acting as a FAPI-compliant reverse proxy for the authorization server

  • ig-fapi-pep-rs — PingGateway acting as a FAPI-compliant reverse proxy for the resource server

  • sample-trusted-directory — a sample trusted directory for evaluation and conformance testing

Prerequisites

  • For conformance testing, a Kubernetes cluster accessible over the internet.

  • The PingGateway FAPI Helm charts from the Ping Identity Download Center.

    Find additional details in the README files provided with the Helm charts.

  • Kubernetes 1.21 or later.

  • Helm 3.x.

  • An NGINX Ingress Controller with mTLS support (auth-tls annotations).

  • Access to a container registry that your cluster can pull images from.

    This example pulls the evaluation-only Docker images from gcr.io.

Deploy the sample trusted directory

Use these hints to deploy the sample trusted directory.

Create secrets

Create the following Kubernetes secrets in your target namespace before installing the chart:

  1. Generate a key store for the sample trusted directory and export certificates for trust stores.

    Find an example in Run the sample trusted directory. The example uses changeit as the key store password and key password in all cases.

    The key store must contain two key aliases: jwt-signer for signing JWTs, and ca for signing transport certificates.

  2. Create the key store secret:

    kubectl create secret generic sample-trusted-directory-keystore \
      --from-file=sample-trusted-directory-keystore.p12=/path/to/trusted-directory/secrets/trusted-directory-keystore.p12 \
      -n <namespace>

  3. Create the TLS certificate secret:

    kubectl create secret tls sample-trusted-directory-tls-cert \
      --cert=/path/to/tls.crt \
      --key=/path/to/tls.key \
      -n <namespace>

  4. Create the mTLS CA certificates secret:

    kubectl create secret generic sample-trusted-directory-mtls-ca-certs \
      --from-file=ca.crt=/path/to/ca-bundle.crt \
      -n <namespace>
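Steps 1 and 2 as one script, added here as an example; it is not from the PingGateway documentation or the Helm charts. It assumes keytool (from a JDK) and kubectl are on PATH; the distinguished names, validity periods and the file names trusted-directory-keystore.p12 and trusted-directory-ca.pem are illustrative choices. It creates the key store with the two aliases the chart requires, exports the CA certificate as PEM for the PingGateway trust stores, checks the aliases before anything is uploaded, and creates the key store secret. The TLS and mTLS CA secrets of steps 3 and 4 come from your own PKI and are created as shown above.

```shell
#!/bin/sh
# Added example, not from the PingGateway docs or the Helm charts: build the
# sample trusted directory key store with the two aliases the chart expects
# (ca, jwt-signer), export the CA certificate as PEM for PingGateway trust
# stores, verify the aliases, and create the key store secret.
# Assumes keytool (JDK) and kubectl on PATH. DNs and validity are illustrative.
set -eu

# Evaluation-only password, as in the docs; use a real secret in production.
STOREPASS=${STOREPASS:-changeit}

# Create the PKCS#12 store at $1. PKCS#12 uses one password for the store and
# its keys, which is why the chart example sets keystorePwd and keystoreKeyPwd
# to the same value.
make_trusted_directory_keystore() {
  ks=$1
  rm -f "$ks"
  # CA key: signs the transport certificates the directory issues.
  keytool -genkeypair -alias ca -keyalg RSA -keysize 4096 -sigalg SHA256withRSA \
    -dname "CN=Sample Trusted Directory CA,O=Example" -validity 3650 \
    -ext bc:c=ca:true,pathlen:0 -ext ku:c=keyCertSign,cRLSign \
    -keystore "$ks" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS"
  # JWT signing key: signs the software statements the directory issues.
  keytool -genkeypair -alias jwt-signer -keyalg RSA -keysize 4096 -sigalg SHA256withRSA \
    -dname "CN=Sample Trusted Directory JWT signer,O=Example" -validity 3650 \
    -ext ku:c=digitalSignature \
    -keystore "$ks" -storetype PKCS12 -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export only the CA certificate (PEM) from store $1 to file $2; the private
# key never leaves the store. This file becomes ig-truststore.pem for the PEPs.
export_ca_pem() {
  keytool -exportcert -rfc -alias ca -keystore "$1" -storetype PKCS12 \
    -storepass "$STOREPASS" -file "$2"
}

# Return 0 when both required aliases exist as private-key entries in store $1.
keystore_has_required_aliases() {
  listing=$(keytool -list -keystore "$1" -storetype PKCS12 -storepass "$STOREPASS")
  printf '%s\n' "$listing" | grep -q '^ca,.*PrivateKeyEntry' &&
    printf '%s\n' "$listing" | grep -q '^jwt-signer,.*PrivateKeyEntry'
}

# Create (or update) the key store secret in namespace $2 from store file $1.
# The secret name and file key are the ones the chart reads.
create_keystore_secret() {
  kubectl create secret generic sample-trusted-directory-keystore \
    --from-file=sample-trusted-directory-keystore.p12="$1" \
    -n "$2" --dry-run=client -o yaml | kubectl apply -n "$2" -f -
}

main() {
  out=$1 ns=$2
  mkdir -p "$out"
  make_trusted_directory_keystore "$out/trusted-directory-keystore.p12"
  keystore_has_required_aliases "$out/trusted-directory-keystore.p12"
  export_ca_pem "$out/trusted-directory-keystore.p12" "$out/trusted-directory-ca.pem"
  create_keystore_secret "$out/trusted-directory-keystore.p12" "$ns"
}

# Usage: sh make-trusted-directory-keystore.sh <output-dir> <namespace>
if [ $# -eq 2 ]; then main "$@"; fi
```

The alias check runs before the secret is created so that a store missing jwt-signer or ca fails here rather than at pod start. The exported PEM contains the CA certificate only; if your AS or platform certificates are not from a well-known CA, append their CA certificates to that file before using it as ig-truststore.pem.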

Install

helm install sample-trusted-directory ./openig-helm/sample-trusted-directory \
  --namespace <namespace> \
  --set config.fqdn=trustdir.example.com \
  --set config.ca.keystoreKeyPwd=Y2hhbmdlaXQ= \
  --set config.ca.keystorePwd=Y2hhbmdlaXQ= \
  --set config.signing.keystoreKeyPwd=Y2hhbmdlaXQ= \
  --set config.signing.keystorePwd=Y2hhbmdlaXQ= \
  --set deployment.image.repo=gcr.io/forgerock-io/ig-sample-trusted-directory:2026.6.0 \
  --set ingress.host=trustdir.example.com \
  --set ingress.tls.host=trustdir.example.com

Keystore passwords must be Base64-encoded, with no trailing newline: encode them with echo -n 'your-password' | base64 (a plain echo adds a newline byte, and the encoded value then decodes to a different password). This example uses Y2hhbmdlaXQ=, the Base64-encoded form of changeit. Values passed with --set are kept in your shell history and in the Helm release record in the cluster, so for anything beyond evaluation pass them from a values file and restrict access to the release namespace.

Configuration parameters

Sample trusted directory configuration

  • config.fqdn: Fully-qualified domain name used in issued certificates. Default: replace-me

  • config.issuerName: Name used as the JWT issuer. Default: test-publisher

  • config.ca.keystoreAlias: Alias of the CA key in the keystore. Default: ca

  • config.ca.keystoreKeyPwd: Base64-encoded password for the CA private key. Default: replace-me

  • config.ca.keystorePwd: Base64-encoded password for the keystore. Default: replace-me

  • config.signing.keystoreAlias: Alias of the JWT signing key in the keystore. Default: jwt-signer

  • config.signing.keystoreKeyPwd: Base64-encoded password for the signing private key. Default: replace-me

  • config.signing.keystorePwd: Base64-encoded password for the keystore. Default: replace-me

  • config.cert.keySize: RSA key size in bits for generated certificates. Default: 4096

  • config.cert.validityDays: Validity period in days for generated certificates. Default: 365

  • deployment.image.repo: Container image repository (required). No default

  • persistence.enabled: Enable a PersistentVolumeClaim to survive pod restarts. Default: true

  • persistence.size: PVC storage size. Default: 100Mi

When persistence.enabled is false, the JWKS file is stored on the container’s ephemeral filesystem and is lost on every pod restart. All previously registered software statements become invalid.

Register

With the sample trusted directory running, register it with the AS and register API clients with it:

Deploy the FAPI PEP AS

The FAPI PEP AS acts as a FAPI-compliant reverse proxy for the authorization server. It enforces the FAPI requirements on the dynamic client registration (DCR), token, pushed authorization request (PAR), and authorize endpoints.

Use these hints to deploy the FAPI PEP AS.

Create secrets

Create the following Kubernetes secrets before installing the chart:

  1. Create a PEM trust store secret to trust the sample trusted directory:

    kubectl create secret generic ig-truststore-pem \
      --from-file=ig-truststore.pem=/path/to/trusted-directory/secrets/trusted-directory-ca.pem \
      -n <namespace>

    If the AS and platform services certificates aren’t signed by a well-known CA, append their CA certificates to the same PEM file before creating the secret; a PEM trust store is a concatenation of certificate blocks.

  2. Create the TLS certificate secrets:

    # Standard TLS ingress
    kubectl create secret tls fapi-pep-as-tls-cert \
      --cert=/path/to/tls.crt \
      --key=/path/to/tls.key \
      -n <namespace>

    # mTLS ingress
    kubectl create secret tls fapi-pep-as-mtls-tls-cert \
      --cert=/path/to/mtls.crt \
      --key=/path/to/mtls.key \
      -n <namespace>

  3. Create the mTLS CA bundle secret:

    kubectl create secret generic fapi-pep-as-mtls-ca-certs \
      --from-file=ca.crt=/path/to/ca-bundle.crt \
      -n <namespace>

Install

helm install ig-fapi-pep-as ./openig-helm/ig-fapi-pep-as \
  --namespace <namespace> \
  --set authorizationServer.fqdn=myTenant.forgeblocks.com \
  --set authorizationServer.mtlsFqdn=myTenant.forgeblocks.com \
  --set authorizationServer.baseFqdn=myTenant.forgeblocks.com \
  --set identityPlatform.fqdn=myTenant.forgeblocks.com \
  --set testDirectory.fqdn=trustdir.example.com \
  --set deployment.image.repo=gcr.io/forgerock-io/ig-fapi-pep-as:2026.6.0 \
  --set pingGateway.oauth2Client.id=Z2F0ZXdheS1vYXV0aDItY2xpZW50 \
  --set pingGateway.oauth2Client.secret=cGFzc3dvcmQ= \
  --set pingGateway.idm.user=Z2F0ZXdheS1pZG0tdXNlcg== \
  --set pingGateway.idm.password=U2VjcmV0MTIh

Secret values must be Base64-encoded. Use echo -n 'your-value' | base64 to encode them. This example uses the values from Create an OAuth 2.0 client account and Configuring identity management for FAPI:

  • OAuth 2.0 client ID: gateway-oauth2-client (base64-encoding: Z2F0ZXdheS1vYXV0aDItY2xpZW50)

  • OAuth 2.0 client secret: password (base64-encoding: cGFzc3dvcmQ=)

  • IDM user: gateway-idm-user (base64-encoding: Z2F0ZXdheS1pZG0tdXNlcg==)

  • IDM user password: Secret12! (base64-encoding: U2VjcmV0MTIh; the form with a trailing Cg== encodes a newline after the password and does not match the account)

Configuration parameters

FAPI PEP AS configuration

  • authorizationServer.fqdn: Public FQDN of the authorization server. Default: as.sandbox.pinggateway.com

  • authorizationServer.mtlsFqdn: mTLS FQDN of the authorization server. Default: as-mtls.sandbox.pinggateway.com

  • authorizationServer.baseFqdn: Base domain for the deployment. Default: sandbox.pinggateway.com

  • authorizationServer.realm: AM realm used in OAuth2 endpoint paths. Default: alpha

  • identityPlatform.fqdn: FQDN of the identity platform (AM/IDM). Default: iam.sandbox.pinggateway.com

  • identityPlatform.type: Platform type: CDK, CDM, or FIDC. When FIDC, the AIC ConfigMap is also mounted. Default: CDK

  • identityPlatform.userObject: IDM user object name. Default: user

  • testDirectory.fqdn: FQDN of the test trusted directory. Default: test-directory.sandbox.pinggateway.com

  • pingGateway.oauth2Client.id: Base64-encoded OAuth2 client ID. Default: replace-me

  • pingGateway.oauth2Client.secret: Base64-encoded OAuth2 client secret. Default: replace-me

  • pingGateway.idm.user: Base64-encoded IDM service account username. Default: replace-me

  • pingGateway.idm.password: Base64-encoded IDM service account password. Default: replace-me

  • deployment.image.repo: Container image repository (required). No default

Deploy the FAPI PEP RS

The FAPI PEP RS acts as a FAPI-compliant reverse proxy for the resource server. It validates access tokens and enforces scope-based access control.

Use these hints to deploy a FAPI PEP RS for each resource server.

Create secrets

Create the following Kubernetes secrets before installing the chart:

  1. Create a PEM trust store secret to trust the sample trusted directory:

    kubectl create secret generic ig-truststore-pem \
      --from-file=ig-truststore.pem=/path/to/trusted-directory/secrets/trusted-directory-ca.pem \
      -n <namespace>

    This is the same secret name the FAPI PEP AS uses, so when both run in the same namespace, create it once and share it. If the AS and platform services certificates aren’t signed by a well-known CA, append their CA certificates to the same PEM file before creating the secret.

  2. Create the TLS certificate secrets:

    # Standard TLS ingress
    kubectl create secret tls fapi-pep-rs-core-tls-cert \
      --cert=/path/to/tls.crt \
      --key=/path/to/tls.key \
      -n <namespace>

    # mTLS ingress
    kubectl create secret tls fapi-pep-rs-core-mtls-tls-cert \
      --cert=/path/to/mtls.crt \
      --key=/path/to/mtls.key \
      -n <namespace>

  3. Create the mTLS CA bundle secret:

    kubectl create secret generic fapi-pep-rs-core-mtls-ca-certs \
      --from-file=ca.crt=/path/to/ca-bundle.crt \
      -n <namespace>

Install

helm install ig-fapi-pep-rs ./openig-helm/ig-fapi-pep-rs \
  --namespace <namespace> \
  --set authorizationServer.fqdn=myTenant.forgeblocks.com \
  --set authorizationServer.baseFqdn=myTenant.forgeblocks.com \
  --set identityPlatform.fqdn=myTenant.forgeblocks.com \
  --set resourceServer.fqdn=rs.example.com \
  --set resourceServer.mtlsFqdn=rs-mtls.example.com \
  --set deployment.image.repo=gcr.io/forgerock-io/ig-fapi-pep-rs:2026.6.0 \
  --set resourceServer.oauth2Client.id=Z2F0ZXdheS1vYXV0aDItY2xpZW50 \
  --set resourceServer.oauth2Client.secret=cGFzc3dvcmQ= \
  --set resourceServer.idm.user=Z2F0ZXdheS1pZG0tdXNlcg== \
  --set resourceServer.idm.password=U2VjcmV0MTIh

Secret values must be Base64-encoded. Use echo -n 'your-value' | base64 to encode them. This example uses the values from Create an OAuth 2.0 client account and Configuring identity management for FAPI:

  • OAuth 2.0 client ID: gateway-oauth2-client (base64-encoding: Z2F0ZXdheS1vYXV0aDItY2xpZW50)

  • OAuth 2.0 client secret: password (base64-encoding: cGFzc3dvcmQ=)

  • IDM user: gateway-idm-user (base64-encoding: Z2F0ZXdheS1pZG0tdXNlcg==)

  • IDM user password: Secret12! (base64-encoding: U2VjcmV0MTIh)
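A helper for the Base64 values that all three charts take (the key store passwords of the sample trusted directory, and the OAuth 2.0 client and IDM credentials of the PEP AS and PEP RS installs), added here as an example that is not from the PingGateway documentation or charts. It assumes a POSIX shell with base64, od and tail; the function names are illustrative. It encodes without the trailing newline a plain echo adds, flags an already encoded value whose decoded form ends in a newline (the chart would then send a password the identity platform does not know), and builds the --set arguments from plaintext pairs so you never hand-encode.

```shell
#!/bin/sh
# Added example, not from the PingGateway docs or charts: Base64 helpers for
# chart secret values, with a check for the echo-without--n mistake.
set -eu

# Encode a value for --set: no trailing newline, and no line wrapping (GNU
# base64 wraps at 76 characters, which would corrupt a long value).
encode_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode to stdout. GNU and current BSD base64 take -d; older macOS takes -D.
decode_secret() {
  printf '%s' "$1" | base64 -d 2>/dev/null || printf '%s' "$1" | base64 -D
}

# Return 0 (true) when the decoded value ends in a newline byte, which is what
#   echo 'Secret12!' | base64      (no -n)
# produces: U2VjcmV0MTIhCg== instead of U2VjcmV0MTIh.
has_trailing_newline() {
  last=$(decode_secret "$1" | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Pre-flight check for one chart value ($1 = parameter name, $2 = encoded
# value): set, not the placeholder, no trailing newline, canonical encoding.
check_secret_value() {
  name=$1 value=$2
  if [ -z "$value" ] || [ "$value" = "replace-me" ]; then
    echo "$name: not set" >&2
    return 1
  fi
  if has_trailing_newline "$value"; then
    echo "$name: decoded value ends in a newline; re-encode with printf '%s' or echo -n" >&2
    return 1
  fi
  # Re-encoding the decoded text must reproduce the input exactly.
  if [ "$(encode_secret "$(decode_secret "$value")")" != "$value" ]; then
    echo "$name: not a canonical Base64 encoding" >&2
    return 1
  fi
  return 0
}

# Print one "--set key=encoded" line per key=plaintext argument, for use as
#   helm install ... $(helm_set_args pingGateway.idm.user='gateway-idm-user' ...)
# Base64 output contains no whitespace or commas, so word splitting is safe.
helm_set_args() {
  for pair in "$@"; do
    key=${pair%%=*}
    plain=${pair#*=}
    printf '%s %s=%s\n' --set "$key" "$(encode_secret "$plain")"
  done
}
```

Run check_secret_value over every Base64 parameter of a values file before helm install; the trailing-newline case is the one that passes Base64 validation everywhere and only shows up later as an authentication failure against AM or IDM.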

Configuration parameters

FAPI PEP RS configuration

  • authorizationServer.fqdn: FQDN of the authorization server. Default: as.sandbox.pinggateway.com

  • authorizationServer.baseFqdn: Base domain for the deployment. Default: sandbox.pinggateway.com

  • authorizationServer.realm: AM realm used in OAuth2 endpoint paths. Default: alpha

  • identityPlatform.fqdn: FQDN of the identity platform (AM/IDM). Default: iam.sandbox.pinggateway.com

  • identityPlatform.type: Platform type: CDK, CDM, or FIDC. Default: CDK

  • resourceServer.fqdn: Public FQDN of the resource server. Default: rs.sandbox.pinggateway.com

  • resourceServer.mtlsFqdn: mTLS FQDN of the resource server. Default: rs-mtls.sandbox.pinggateway.com

  • resourceServer.oauth2Client.id: Base64-encoded OAuth2 client ID. Default: replace-me

  • resourceServer.oauth2Client.secret: Base64-encoded OAuth2 client secret. Default: replace-me

  • resourceServer.idm.user: Base64-encoded IDM service account username. Default: replace-me

  • resourceServer.idm.password: Base64-encoded IDM service account password. Default: replace-me

  • deployment.image.repo: Container image repository (required). No default