Deploy FAPI with Kubernetes and Helm
Note: This feature requires PingGateway 2026.6 or later. Ping Identity provides no commercial support for production deployments that use these evaluation-only Docker images and Helm charts. For production, build and use your own Docker images and Helm charts: take the FAPI configuration from the evaluation-only images, and download the Helm charts from the Ping Identity Download Center. Learn more about building PingGateway Docker images in Deploying PingGateway with Docker.
As an alternative to manual configuration, you can deploy the PingGateway FAPI components on Kubernetes using Helm.
Sample Docker images are available at gcr.io/forgerock-io for evaluation.
Sample Helm charts are included in the product distribution.
When you deploy with Kubernetes and Helm, the Docker images contain static configuration for FAPI. The Helm charts configure PingGateway and the sample trusted directory.
The FAPI deployment uses three Helm charts:

- ig-fapi-pep-as: PingGateway acting as a FAPI-compliant reverse proxy for the authorization server
- ig-fapi-pep-rs: PingGateway acting as a FAPI-compliant reverse proxy for the resource server
- sample-trusted-directory: a sample trusted directory for evaluation and conformance testing
Prerequisites

- For conformance testing, a Kubernetes cluster accessible over the internet.
- The PingGateway FAPI Helm charts from the Ping Identity Download Center. Find additional details in the README files provided with the Helm charts.
- Kubernetes 1.21 or later.
- Helm 3.x.
- An NGINX Ingress Controller with mTLS support (auth-tls annotations).
- Access to a container registry that your cluster can pull images from. This example pulls the evaluation-only Docker images from gcr.io.
Deploy the sample trusted directory
Use these hints to deploy the sample trusted directory.
Create secrets
Create the following Kubernetes secrets in your target namespace before installing the chart:

- Generate a key store for the sample trusted directory and export certificates for trust stores. Find an example in Run the sample trusted directory. The example uses changeit as the key store password and key password in all cases. The key store must contain two key aliases: jwt-signer for signing JWTs, and ca for signing transport certificates.
- Create the key store secret:

  kubectl create secret generic sample-trusted-directory-keystore \
    --from-file=sample-trusted-directory-keystore.p12=/path/to/trusted-directory/secrets/trusted-directory-keystore.p12 \
    -n <namespace>

- Create the TLS certificate secret:

  kubectl create secret tls sample-trusted-directory-tls-cert \
    --cert=/path/to/tls.crt \
    --key=/path/to/tls.key \
    -n <namespace>

- Create the mTLS CA certificates secret:

  kubectl create secret generic sample-trusted-directory-mtls-ca-certs \
    --from-file=ca.crt=/path/to/ca-bundle.crt \
    -n <namespace>
Install
helm install sample-trusted-directory ./openig-helm/sample-trusted-directory \
--namespace <namespace> \
--set config.fqdn=trustdir.example.com \
--set config.ca.keystoreKeyPwd=Y2hhbmdlaXQ= \
--set config.ca.keystorePwd=Y2hhbmdlaXQ= \
--set config.signing.keystoreKeyPwd=Y2hhbmdlaXQ= \
--set config.signing.keystorePwd=Y2hhbmdlaXQ= \
--set deployment.image.repo=gcr.io/forgerock-io/ig-sample-trusted-directory:2026.6.0 \
--set ingress.host=trustdir.example.com \
--set ingress.tls.host=trustdir.example.com
Keystore passwords must be Base64-encoded. Use echo -n 'your-password' | base64 to encode them; without -n, the encoded value carries a trailing newline and the password fails to open the key store.
This example uses Y2hhbmdlaXQ=, the base64-encoded form of changeit.
Configuration parameters

| Parameter | Description | Default |
|---|---|---|
| config.fqdn | Fully-qualified domain name used in issued certificates | |
| | Name used as the JWT issuer | |
| | Alias of the CA key in the keystore | |
| config.ca.keystoreKeyPwd | Base64-encoded password for the CA private key | |
| config.ca.keystorePwd | Base64-encoded password for the keystore | |
| | Alias of the JWT signing key in the keystore | |
| config.signing.keystoreKeyPwd | Base64-encoded password for the signing private key | |
| config.signing.keystorePwd | Base64-encoded password for the keystore | |
| | RSA key size in bits for generated certificates | |
| | Validity period in days for generated certificates | |
| deployment.image.repo | Container image repository (required) | — |
| persistence.enabled | Enable a PersistentVolumeClaim to survive pod restarts | |
| | PVC storage size | |

Note: When persistence.enabled is false, the JWKS file is stored on the container's ephemeral filesystem and is lost on every pod restart. All previously registered software statements become invalid, because the key that signed them is no longer published. Enable persistence wherever registrations must survive a restart.
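The note above describes a silent failure: after a restart without persistence the directory publishes a brand-new key, and every software statement signed with the old one stops verifying. The following added example is not PingGateway's code or part of the Helm charts; it captures the JWKS before and after a restart and reports any key ID (kid) that disappeared. It assumes the trusted directory publishes a standard JWKS (JSON with a "kid" on every key) at some URL you know, shown as <jwks-url>, and relies on grep, sed and comm only. The sample JWKS documents it writes are constructed, not captured from a real deployment.

```shell
#!/bin/sh
# Added example, not part of PingGateway or its Helm charts. Assumes a
# standard JWKS with a "kid" on every key; the JWKS URL of your trusted
# directory is written as <jwks-url> in the usage comment below.

# kid values in a JWKS file, one per line, sorted (comm needs sorted input).
jwks_kids() {
    grep -o '"kid"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" \
        | sed 's/.*:[[:space:]]*"\([^"]*\)"/\1/' \
        | sort -u
}

# Print kids that are in the baseline JWKS ($1) but not in the current JWKS
# ($2). Returns 1 if any are missing: software statements signed with those
# keys can no longer be verified. Returns 0 if every baseline key survived.
jwks_missing_kids() {
    a=$(mktemp); b=$(mktemp)
    jwks_kids "$1" > "$a"
    jwks_kids "$2" > "$b"
    missing=$(comm -23 "$a" "$b")
    rm -f "$a" "$b"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample documents (not captured from a real deployment). The
# "after" file is what a restart without a PersistentVolumeClaim produces:
# a freshly generated key under a new kid, the old kids gone.
write_sample_jwks() {
    d=$1
    cat > "$d/jwks-before.json" <<'EOF'
{"keys":[
  {"kty":"RSA","kid":"jwt-signer-2026-01","use":"sig","alg":"PS256","n":"placeholder","e":"AQAB"},
  {"kty":"RSA","kid":"ca-2026-01","use":"sig","alg":"PS256","n":"placeholder","e":"AQAB"}
]}
EOF
    cat > "$d/jwks-after-restart.json" <<'EOF'
{"keys":[{"kty":"RSA","kid":"jwt-signer-2026-02","use":"sig","alg":"PS256","n":"placeholder","e":"AQAB"}]}
EOF
}

# Usage against a live deployment (curl assumed; deployment name is yours):
#   curl -sS <jwks-url> > jwks-before.json
#   kubectl -n <namespace> rollout restart deployment/<trusted-directory-deployment>
#   curl -sS <jwks-url> > jwks-after.json
#   jwks_missing_kids jwks-before.json jwks-after.json \
#       || echo "JWKS was regenerated: enable persistence before registering clients"
```

Run the comparison once after installing the chart and once more whenever you change the persistence settings; a non-empty list means every software statement issued before the restart must be re-registered.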
Deploy the FAPI PEP AS
The FAPI PEP AS acts as a FAPI-compliant reverse proxy for the authorization server. It enforces the FAPI requirements on the dynamic client registration (DCR), token, pushed authorization request (PAR), and authorize endpoints.
Use these hints to deploy the FAPI PEP AS.
Create secrets
Create the following Kubernetes secrets before installing the chart:

- Create a PEM trust store secret to trust the sample trusted directory:

  kubectl create secret generic ig-truststore-pem \
    --from-file=ig-truststore.pem=/path/to/trusted-directory/secrets/trusted-directory-ca.pem \
    -n <namespace>

  If the AS and platform services certificates aren't signed by a well-known CA, include their CA certificates in this trust store.
- Create the TLS certificate secrets:

  # Standard TLS ingress
  kubectl create secret tls fapi-pep-as-tls-cert \
    --cert=/path/to/tls.crt \
    --key=/path/to/tls.key \
    -n <namespace>

  # mTLS ingress
  kubectl create secret tls fapi-pep-as-mtls-tls-cert \
    --cert=/path/to/mtls.crt \
    --key=/path/to/mtls.key \
    -n <namespace>

- Create the mTLS CA bundle secret:

  kubectl create secret generic fapi-pep-as-mtls-ca-certs \
    --from-file=ca.crt=/path/to/ca-bundle.crt \
    -n <namespace>
Install
helm install ig-fapi-pep-as ./openig-helm/ig-fapi-pep-as \
--namespace <namespace> \
--set authorizationServer.fqdn=myTenant.forgeblocks.com \
--set authorizationServer.mtlsFqdn=myTenant.forgeblocks.com \
--set authorizationServer.baseFqdn=myTenant.forgeblocks.com \
--set identityPlatform.fqdn=myTenant.forgeblocks.com \
--set testDirectory.fqdn=trustdir.example.com \
--set deployment.image.repo=gcr.io/forgerock-io/ig-fapi-pep-as:2026.6.0 \
--set pingGateway.oauth2Client.id=Z2F0ZXdheS1vYXV0aDItY2xpZW50 \
--set pingGateway.oauth2Client.secret=cGFzc3dvcmQ= \
--set pingGateway.idm.user=Z2F0ZXdheS1pZG0tdXNlcg== \
--set pingGateway.idm.password=U2VjcmV0MTIh
Secret values must be Base64-encoded. Use echo -n 'your-value' | base64 to encode them; without -n, the encoded value carries a trailing newline and the credential fails to match.
This example uses the values from Create an OAuth 2.0 client account and Configuring identity management for FAPI:

- OAuth 2.0 client ID: gateway-oauth2-client (base64-encoding: Z2F0ZXdheS1vYXV0aDItY2xpZW50)
- OAuth 2.0 client secret: password (base64-encoding: cGFzc3dvcmQ=)
- IDM user: gateway-idm-user (base64-encoding: Z2F0ZXdheS1pZG0tdXNlcg==)
- IDM user password: Secret12! (base64-encoding: U2VjcmV0MTIh)
Configuration parameters

| Parameter | Description | Default |
|---|---|---|
| authorizationServer.fqdn | Public FQDN of the authorization server | |
| authorizationServer.mtlsFqdn | mTLS FQDN of the authorization server | |
| authorizationServer.baseFqdn | Base domain for the deployment | |
| | AM realm used in OAuth2 endpoint paths | |
| identityPlatform.fqdn | FQDN of the identity platform (AM/IDM) | |
| | Platform type: | |
| | IDM user object name | |
| testDirectory.fqdn | FQDN of the test trusted directory | |
| pingGateway.oauth2Client.id | Base64-encoded OAuth2 client ID | |
| pingGateway.oauth2Client.secret | Base64-encoded OAuth2 client secret | |
| pingGateway.idm.user | Base64-encoded IDM service account username | |
| pingGateway.idm.password | Base64-encoded IDM service account password | |
| deployment.image.repo | Container image repository (required) | — |
Deploy the FAPI PEP RS
The FAPI PEP RS acts as a FAPI-compliant reverse proxy for the resource server. It validates access tokens and enforces scope-based access control.
Use these hints to deploy a FAPI PEP RS for each resource server.
Create secrets
Create the following Kubernetes secrets before installing the chart:

- Create a PEM trust store secret to trust the sample trusted directory:

  kubectl create secret generic ig-truststore-pem \
    --from-file=ig-truststore.pem=/path/to/trusted-directory/secrets/trusted-directory-ca.pem \
    -n <namespace>

  If the AS and platform services certificates aren't signed by a well-known CA, include their CA certificates in this trust store.
- Create the TLS certificate secrets:

  # Standard TLS ingress
  kubectl create secret tls fapi-pep-rs-core-tls-cert \
    --cert=/path/to/tls.crt \
    --key=/path/to/tls.key \
    -n <namespace>

  # mTLS ingress
  kubectl create secret tls fapi-pep-rs-core-mtls-tls-cert \
    --cert=/path/to/mtls.crt \
    --key=/path/to/mtls.key \
    -n <namespace>

- Create the mTLS CA bundle secret:

  kubectl create secret generic fapi-pep-rs-core-mtls-ca-certs \
    --from-file=ca.crt=/path/to/ca-bundle.crt \
    -n <namespace>
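The trust store and CA bundle secrets created for the trusted directory, the PEP AS and the PEP RS above are all plain PEM files, and a mistake in them is distributed to every pod that mounts the secret: a trust store that accidentally contains a private key, or an mTLS CA bundle that does not actually include the trusted directory's transport CA. The following added example is not PingGateway's code or part of the Helm charts; it checks a PEM file before you run kubectl create secret. It uses grep and awk only, so it checks PEM framing, not signatures, chains or expiry (use openssl x509 and openssl verify for those), and the sample files it writes are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not part of PingGateway or its Helm charts. Uses only grep
# and awk; it validates PEM framing, not signatures, chains or expiry.

# Number of complete BEGIN/END CERTIFICATE blocks in a PEM file.
pem_cert_count() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { open = 1; next }
        /^-----END CERTIFICATE-----$/   { if (open) n++; open = 0; next }
        END { print n + 0 }
    ' "$1"
}

# Base64 body of the first certificate in a PEM file, joined on one line.
pem_first_body() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1; body = ""; next }
        /^-----END CERTIFICATE-----$/   { if (inside) { print body; exit } }
        inside { body = body $0 }
    ' "$1"
}

# 0 if bundle $1 contains the first certificate of file $2 byte-for-byte,
# 1 if not, 2 if $2 holds no certificate. Use it to confirm that the
# trusted directory CA really is inside ig-truststore.pem or ca-bundle.crt.
pem_bundle_contains() {
    want=$(pem_first_body "$2")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1; body = ""; next }
        /^-----END CERTIFICATE-----$/   { if (inside && body == want) found = 1; inside = 0; next }
        inside { body = body $0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 0 if $1 is usable as a trust store: balanced certificate markers, at least
# one certificate, and no private key of any kind (PKCS#8, RSA, EC, encrypted).
# 1: private key present; 2: no certificate; 3: unbalanced BEGIN/END markers.
pem_trust_store_ok() {
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        return 1
    fi
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -eq "$ends" ] || return 3
    [ "$begins" -gt 0 ] || return 2
    return 0
}

# Constructed sample files so the checks run offline. The bodies are
# placeholders, not real certificates or keys.
write_samples() {
    d=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBtrusteddirectoryCAplaceholder' \
        '-----END CERTIFICATE-----' > "$d/trusted-directory-ca.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBotherCAplaceholder' \
        '-----END CERTIFICATE-----' > "$d/other-ca.pem"
    { cat "$d/trusted-directory-ca.pem"
      printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplatformCAplaceholder' \
          '-----END CERTIFICATE-----'; } > "$d/ig-truststore.pem"
    { cat "$d/ig-truststore.pem"
      printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEplaceholder' \
          '-----END PRIVATE KEY-----'; } > "$d/bad-truststore.pem"
}

# Usage with the files named on this page, before kubectl create secret:
#   pem_trust_store_ok /path/to/trusted-directory/secrets/trusted-directory-ca.pem || exit 1
#   pem_bundle_contains /path/to/ca-bundle.crt \
#       /path/to/trusted-directory/secrets/trusted-directory-ca.pem || exit 1
```

The second usage line matters for the mTLS ingress: the trusted directory's ca alias signs client transport certificates, so if its CA certificate is missing from ca-bundle.crt the NGINX auth-tls check rejects every client the directory issued.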
Install
helm install ig-fapi-pep-rs ./openig-helm/ig-fapi-pep-rs \
--namespace <namespace> \
--set authorizationServer.fqdn=myTenant.forgeblocks.com \
--set authorizationServer.baseFqdn=myTenant.forgeblocks.com \
--set identityPlatform.fqdn=myTenant.forgeblocks.com \
--set resourceServer.fqdn=rs.example.com \
--set resourceServer.mtlsFqdn=rs-mtls.example.com \
--set deployment.image.repo=gcr.io/forgerock-io/ig-fapi-pep-rs:2026.6.0 \
--set resourceServer.oauth2Client.id=Z2F0ZXdheS1vYXV0aDItY2xpZW50 \
--set resourceServer.oauth2Client.secret=cGFzc3dvcmQ= \
--set resourceServer.idm.user=Z2F0ZXdheS1pZG0tdXNlcg== \
--set resourceServer.idm.password=U2VjcmV0MTIh
Secret values must be Base64-encoded. Use echo -n 'your-value' | base64 to encode them; without -n, the encoded value carries a trailing newline and the credential fails to match.
This example uses the values from Create an OAuth 2.0 client account and Configuring identity management for FAPI:

- OAuth 2.0 client ID: gateway-oauth2-client (base64-encoding: Z2F0ZXdheS1vYXV0aDItY2xpZW50)
- OAuth 2.0 client secret: password (base64-encoding: cGFzc3dvcmQ=)
- IDM user: gateway-idm-user (base64-encoding: Z2F0ZXdheS1pZG0tdXNlcg==)
- IDM user password: Secret12! (base64-encoding: U2VjcmV0MTIh)
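The Base64 notes for the trusted directory key store passwords and for the PEP AS and PEP RS credentials all share one pitfall: a value encoded with echo instead of echo -n, or pasted from a file with a trailing newline, decodes to the wrong secret and the failure only shows up as an authentication error at runtime. The following added example is not PingGateway's code or part of the Helm charts. It encodes values without the trailing newline, checks an already-encoded value before it goes into a --set argument, and writes the PEP AS credentials to a mode-0600 values file for helm install -f so they do not land in shell history or ps output. It assumes a POSIX sh with coreutils base64 (base64 -d), and the values-file keys are derived from the --set names used for ig-fapi-pep-as on this page.

```shell
#!/bin/sh
# Added example, not part of PingGateway or its Helm charts.
# Assumes POSIX sh and coreutils base64 (supports -d for decoding).

# Encode a value exactly as typed. printf '%s' appends nothing, unlike echo
# without -n, and tr removes the line wrapping base64 adds to long input.
b64_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Validate a value that is already encoded, as you would before pasting it
# into --set. Returns 0 when it is base64 whose plaintext does not end in
# whitespace, 1 when the plaintext ends in a newline, CR, space or tab (the
# echo-without--n mistake: "U2VjcmV0MTIhCg==" decodes to "Secret12!" plus a
# newline), and 2 when it is not valid base64 at all.
check_b64_value() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 2
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a|0d|20|09) return 1 ;;
    esac
    return 0
}

# Write the PEP AS credentials as a mode-0600 values file for
# `helm install ... -f`. The secrets then stay out of shell history and ps
# output; they are still stored in the Helm release, and `helm get values`
# shows them to anyone who can read release secrets in the namespace.
# Key names follow the --set names used on this page.
write_pep_as_values() {
    out=$1; client_id=$2; client_secret=$3; idm_user=$4; idm_password=$5
    (
        umask 077
        cat > "$out" <<EOF
pingGateway:
  oauth2Client:
    id: $(b64_value "$client_id")
    secret: $(b64_value "$client_secret")
  idm:
    user: $(b64_value "$idm_user")
    password: $(b64_value "$idm_password")
EOF
    )
}

# Usage: sh b64-values.sh <out-file> <client-id> <client-secret> <idm-user> <idm-password>
# then:  helm install ig-fapi-pep-as ./openig-helm/ig-fapi-pep-as -n <namespace> \
#            -f <out-file> --set authorizationServer.fqdn=... (the non-secret values)
if [ "$#" -eq 5 ]; then
    write_pep_as_values "$@" && echo "wrote $1"
fi
```

The same functions serve the sample-trusted-directory and ig-fapi-pep-rs installs; only the key names under the top-level values key change (config.ca and config.signing, or resourceServer). Delete the values file once the release is installed, or keep it under the same access control as the Kubernetes secrets it feeds.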
Configuration parameters

| Parameter | Description | Default |
|---|---|---|
| authorizationServer.fqdn | FQDN of the authorization server | |
| authorizationServer.baseFqdn | Base domain for the deployment | |
| | AM realm used in OAuth2 endpoint paths | |
| identityPlatform.fqdn | FQDN of the identity platform (AM/IDM) | |
| | Platform type: | |
| resourceServer.fqdn | Public FQDN of the resource server | |
| resourceServer.mtlsFqdn | mTLS FQDN of the resource server | |
| resourceServer.oauth2Client.id | Base64-encoded OAuth2 client ID | |
| resourceServer.oauth2Client.secret | Base64-encoded OAuth2 client secret | |
| resourceServer.idm.user | Base64-encoded IDM service account username | |
| resourceServer.idm.password | Base64-encoded IDM service account password | |
| deployment.image.repo | Container image repository (required) | — |