---
title: Deploy FAPI with Kubernetes and Helm
description: Deploy PingGateway FAPI components on Kubernetes using evaluation Helm charts and Docker images, as an alternative to manual configuration
component: pinggateway
version: 2026
page_id: pinggateway:fapi:kubernetes
canonical_url: https://docs.pingidentity.com/pinggateway/2026/fapi/kubernetes.html
llms_txt: https://docs.pingidentity.com/pinggateway/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: 2026-06-25T00:00:00Z
section_ids:
  prerequisites: Prerequisites
  deploy_the_sample_trusted_directory: Deploy the sample trusted directory
  create_secrets: Create secrets
  install: Install
  configuration_parameters: Configuration parameters
  register: Register
  deploy_the_fapi_pep_as: Deploy the FAPI PEP AS
  create_secrets_2: Create secrets
  install_2: Install
  configuration_parameters_2: Configuration parameters
  deploy_the_fapi_pep_rs: Deploy the FAPI PEP RS
  create_secrets_3: Create secrets
  install_3: Install
  configuration_parameters_3: Configuration parameters
---

# Deploy FAPI with Kubernetes and Helm

|   |   |
| - | - |
|   | **This feature requires PingGateway 2026.6 or later.** Ping Identity provides no commercial support for production deployments that use these evaluation-only Docker images and Helm charts. For production, you must build and use your own Docker images and Helm charts. Get the FAPI configuration for Docker images from the evaluation-only images. Download the Helm charts from the Ping Identity Download Center. Learn more about building PingGateway Docker images in [Deploying PingGateway with Docker](../devops-guide/preface.html). |

As an alternative to manual configuration, you can deploy the PingGateway FAPI components on Kubernetes using Helm. Sample Docker images are available at `gcr.io/forgerock-io` for evaluation. Sample Helm charts are included in the product distribution.

When you deploy with Kubernetes and Helm, the Docker images contain static configuration for FAPI. The Helm charts configure PingGateway and the sample trusted directory.

The FAPI deployment uses three Helm charts:

* `ig-fapi-pep-as` — PingGateway acting as a FAPI-compliant reverse proxy for the authorization server

* `ig-fapi-pep-rs` — PingGateway acting as a FAPI-compliant reverse proxy for the resource server

* `sample-trusted-directory` — a sample trusted directory for evaluation and conformance testing

## Prerequisites

* For conformance testing, a Kubernetes cluster accessible over the internet.

* The PingGateway FAPI Helm charts from the [Ping Identity Download Center](https://product-downloads.pingidentity.com/).

  Find additional details in the README files provided with the Helm charts.

* Kubernetes 1.21 or later.

* Helm 3.x.

* An NGINX Ingress Controller with mTLS support (`auth-tls` annotations).

* Access to a container registry that your cluster can pull images from.

  This example pulls the evaluation-only Docker images from `gcr.io`.

## Deploy the sample trusted directory

Use these hints to deploy the sample trusted directory.

### Create secrets

Create the following Kubernetes secrets in your target namespace before installing the chart:

1. Generate a key store for the sample trusted directory and export certificates for trust stores.

   Find an example in [Run the sample trusted directory](trusted-directory.html#fapi-run-sample-td). The example uses `changeit` as the key store password and key password in all cases.

   The key store must contain two key aliases: `jwt-signer` for signing JWTs, and `ca` for signing transport certificates.

2. Create the key store secret:

   ```bash
   kubectl create secret generic sample-trusted-directory-keystore \
     --from-file=sample-trusted-directory-keystore.p12=/path/to/trusted-directory/secrets/trusted-directory-keystore.p12 \
     -n <namespace>
   ```

3. Create the TLS certificate secret:

   ```bash
   kubectl create secret tls sample-trusted-directory-tls-cert \
     --cert=/path/to/tls.crt \
     --key=/path/to/tls.key \
     -n <namespace>
   ```

4. Create the mTLS CA certificates secret:

   ```bash
   kubectl create secret generic sample-trusted-directory-mtls-ca-certs \
     --from-file=ca.crt=/path/to/ca-bundle.crt \
     -n <namespace>
   ```
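The three `kubectl create secret` commands above each store a file under a fixed data key (`sample-trusted-directory-keystore.p12`, `tls.crt`/`tls.key`, `ca.crt`) that the chart later mounts by name. The following script is an added example, not code from the PingGateway documentation or its Helm charts: it renders the same Secret manifests offline so they can be reviewed, sealed or committed before being applied, and it checks that the data keys the chart expects are present. The function names and the placeholder files it creates are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the PingGateway docs or the Helm charts: render the
# Secret manifests that the kubectl commands in steps 2-4 create, so that they
# can be reviewed (and, for example, sealed) before `kubectl apply -f -`.
# Assumptions: the chart reads each secret by the data key used in the steps
# (sample-trusted-directory-keystore.p12, tls.crt, tls.key, ca.crt); all
# function names and the sample files below are this example's own.

set -eu

# b64_file FILE: base64-encode a file as a single line. GNU base64 wraps at 76
# columns by default and BSD base64 does not, so strip newlines either way.
b64_file() {
  base64 < "$1" | tr -d '\n'
}

# secret_manifest NAME NAMESPACE TYPE KEY=FILE [KEY=FILE ...]
# Prints a v1 Secret with each FILE stored under data.KEY, which is what
# `kubectl create secret generic NAME --from-file=KEY=FILE` produces.
# Fails (exit 1) when an input file is missing or unreadable, before any
# partial manifest could be applied.
secret_manifest() {
  name=$1; ns=$2; type=$3; shift 3
  for kv in "$@"; do
    file=${kv#*=}
    [ -r "$file" ] || { echo "secret_manifest: cannot read $file" >&2; return 1; }
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: %s\ndata:\n' \
    "$name" "$ns" "$type"
  for kv in "$@"; do
    key=${kv%%=*}; file=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64_file "$file")"
  done
}

# manifest_has_key MANIFEST KEY: succeeds if the manifest carries data.KEY.
# Use it to confirm the key names match what the chart mounts; a typo here
# surfaces only later, as a pod that cannot find its key store.
manifest_has_key() {
  printf '%s\n' "$1" | grep -q "^  $2: "
}

# Demo with constructed placeholder files (not real key material).
demo() {
  tmp=$(mktemp -d)
  printf 'placeholder-pkcs12' > "$tmp/trusted-directory-keystore.p12"
  printf 'placeholder-cert'   > "$tmp/tls.crt"
  printf 'placeholder-key'    > "$tmp/tls.key"
  printf 'placeholder-ca'     > "$tmp/ca-bundle.crt"
  ns=fapi-demo

  secret_manifest sample-trusted-directory-keystore "$ns" Opaque \
    "sample-trusted-directory-keystore.p12=$tmp/trusted-directory-keystore.p12"
  echo '---'
  secret_manifest sample-trusted-directory-tls-cert "$ns" kubernetes.io/tls \
    "tls.crt=$tmp/tls.crt" "tls.key=$tmp/tls.key"
  echo '---'
  secret_manifest sample-trusted-directory-mtls-ca-certs "$ns" Opaque \
    "ca.crt=$tmp/ca-bundle.crt"
  rm -rf "$tmp"
}

demo
```

Point the `KEY=FILE` arguments at your real key store, TLS certificate, key and CA bundle, and pipe the output to `kubectl apply -f -`; the result is the same as the three `kubectl create secret` commands, but the manifests can be inspected first, and the `kubernetes.io/tls` type with `tls.crt`/`tls.key` keys is exactly what `kubectl create secret tls` produces.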

### Install

```bash
helm install sample-trusted-directory ./openig-helm/sample-trusted-directory \
  --namespace <namespace> \
  --set config.fqdn=trustdir.example.com \
  --set config.ca.keystoreKeyPwd=Y2hhbmdlaXQ= \
  --set config.ca.keystorePwd=Y2hhbmdlaXQ= \
  --set config.signing.keystoreKeyPwd=Y2hhbmdlaXQ= \
  --set config.signing.keystorePwd=Y2hhbmdlaXQ= \
  --set deployment.image.repo=gcr.io/forgerock-io/ig-sample-trusted-directory:2026.6.0 \
  --set ingress.host=trustdir.example.com \
  --set ingress.tls.host=trustdir.example.com
```

Keystore passwords must be Base64-encoded. Use `echo -n 'your-password' | base64` to encode them. This example uses `Y2hhbmdlaXQ=`, the base64-encoded form of `changeit`.

### Configuration parameters

**Sample trusted directory configuration**

| Parameter                       | Description                                             | Default          |
| ------------------------------- | ------------------------------------------------------- | ---------------- |
| `config.fqdn`                   | Fully-qualified domain name used in issued certificates | `replace-me`     |
| `config.issuerName`             | Name used as the JWT issuer                             | `test-publisher` |
| `config.ca.keystoreAlias`       | Alias of the CA key in the keystore                     | `ca`             |
| `config.ca.keystoreKeyPwd`      | Base64-encoded password for the CA private key          | `replace-me`     |
| `config.ca.keystorePwd`         | Base64-encoded password for the keystore                | `replace-me`     |
| `config.signing.keystoreAlias`  | Alias of the JWT signing key in the keystore            | `jwt-signer`     |
| `config.signing.keystoreKeyPwd` | Base64-encoded password for the signing private key     | `replace-me`     |
| `config.signing.keystorePwd`    | Base64-encoded password for the keystore                | `replace-me`     |
| `config.cert.keySize`           | RSA key size in bits for generated certificates         | `4096`           |
| `config.cert.validityDays`      | Validity period in days for generated certificates      | `365`            |
| `deployment.image.repo`         | Container image repository (required)                   | —                |
| `persistence.enabled`           | Enable a PersistentVolumeClaim to survive pod restarts  | `true`           |
| `persistence.size`              | PVC storage size                                        | `100Mi`          |

|   |                                                                                                                                                                                                        |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | When `persistence.enabled` is `false`, the JWKS file is stored on the container's ephemeral filesystem and is lost on every pod restart. All previously registered software statements become invalid. |

### Register

With the sample trusted directory running, register it with the AS and register API clients with it:

* [Register the sample trusted directory](trusted-directory.html#fapi-register-td)

* [Register the API clients](trusted-directory.html#api-clients)

## Deploy the FAPI PEP AS

The FAPI PEP AS acts as a FAPI-compliant reverse proxy for the authorization server. It enforces FAPI requirements on the dynamic client registration (DCR), token, pushed authorization request (PAR), and authorize endpoints.

Use these hints to deploy the FAPI PEP AS.

### Create secrets

Create the following Kubernetes secrets before installing the chart:

1. Create a PEM trust store secret to trust the sample trusted directory:

   ```bash
   kubectl create secret generic ig-truststore-pem \
     --from-file=ig-truststore.pem=/path/to/trusted-directory/secrets/trusted-directory-ca.pem \
     -n <namespace>
   ```

   If the AS and platform services certificates aren't signed by a well-known CA, include their CA certificates in this trust store.

2. Create the TLS certificate secrets:

   ```bash
   # Standard TLS ingress
   kubectl create secret tls fapi-pep-as-tls-cert \
     --cert=/path/to/tls.crt \
     --key=/path/to/tls.key \
     -n <namespace>

   # mTLS ingress
   kubectl create secret tls fapi-pep-as-mtls-tls-cert \
     --cert=/path/to/mtls.crt \
     --key=/path/to/mtls.key \
     -n <namespace>
   ```

3. Create the mTLS CA bundle secret:

   ```bash
   kubectl create secret generic fapi-pep-as-mtls-ca-certs \
     --from-file=ca.crt=/path/to/ca-bundle.crt \
     -n <namespace>
   ```

### Install

```bash
helm install ig-fapi-pep-as ./openig-helm/ig-fapi-pep-as \
  --namespace <namespace> \
  --set authorizationServer.fqdn=myTenant.forgeblocks.com \
  --set authorizationServer.mtlsFqdn=myTenant.forgeblocks.com \
  --set authorizationServer.baseFqdn=myTenant.forgeblocks.com \
  --set identityPlatform.fqdn=myTenant.forgeblocks.com \
  --set testDirectory.fqdn=trustdir.example.com \
  --set deployment.image.repo=gcr.io/forgerock-io/ig-fapi-pep-as:2026.6.0 \
  --set pingGateway.oauth2Client.id=Z2F0ZXdheS1vYXV0aDItY2xpZW50 \
  --set pingGateway.oauth2Client.secret=cGFzc3dvcmQ= \
  --set pingGateway.idm.user=Z2F0ZXdheS1pZG0tdXNlcg== \
  --set pingGateway.idm.password=U2VjcmV0MTIhCg==
```

Secret values must be Base64-encoded. Use `echo -n 'your-value' | base64` to encode them. This example uses the values from [Create an OAuth 2.0 client account](aic-am.html#create-oauth2-client) and [Configuring identity management for FAPI](aic-idm.html):

* OAuth 2.0 client ID: `gateway-oauth2-client` (base64-encoding: `Z2F0ZXdheS1vYXV0aDItY2xpZW50`)

* OAuth 2.0 client secret: `password` (base64-encoding: `cGFzc3dvcmQ=`)

* IDM user: `gateway-idm-user` (base64-encoding: `Z2F0ZXdheS1pZG0tdXNlcg==`)

* IDM user password: `Secret12!` (base64-encoding: `U2VjcmV0MTIhCg==`)

### Configuration parameters

**FAPI PEP AS configuration**

| Parameter                         | Description                                                                             | Default                                  |
| --------------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------- |
| `authorizationServer.fqdn`        | Public FQDN of the authorization server                                                 | `as.sandbox.pinggateway.com`             |
| `authorizationServer.mtlsFqdn`    | mTLS FQDN of the authorization server                                                   | `as-mtls.sandbox.pinggateway.com`        |
| `authorizationServer.baseFqdn`    | Base domain for the deployment                                                          | `sandbox.pinggateway.com`                |
| `authorizationServer.realm`       | AM realm used in OAuth2 endpoint paths                                                  | `alpha`                                  |
| `identityPlatform.fqdn`           | FQDN of the identity platform (AM/IDM)                                                  | `iam.sandbox.pinggateway.com`            |
| `identityPlatform.type`           | Platform type: `CDK`, `CDM`, or `FIDC`. When `FIDC`, the AIC ConfigMap is also mounted. | `CDK`                                    |
| `identityPlatform.userObject`     | IDM user object name                                                                    | `user`                                   |
| `testDirectory.fqdn`              | FQDN of the test trusted directory                                                      | `test-directory.sandbox.pinggateway.com` |
| `pingGateway.oauth2Client.id`     | Base64-encoded OAuth2 client ID                                                         | `replace-me`                             |
| `pingGateway.oauth2Client.secret` | Base64-encoded OAuth2 client secret                                                     | `replace-me`                             |
| `pingGateway.idm.user`            | Base64-encoded IDM service account username                                             | `replace-me`                             |
| `pingGateway.idm.password`        | Base64-encoded IDM service account password                                             | `replace-me`                             |
| `deployment.image.repo`           | Container image repository (required)                                                   | —                                        |

## Deploy the FAPI PEP RS

The FAPI PEP RS acts as a FAPI-compliant reverse proxy for the resource server. It validates access tokens and enforces scope-based access control.

Use these hints to deploy a FAPI PEP RS for each resource server.

### Create secrets

Create the following Kubernetes secrets before installing the chart:

1. Create a PEM trust store secret to trust the sample trusted directory:

   ```bash
   kubectl create secret generic ig-truststore-pem \
     --from-file=ig-truststore.pem=/path/to/trusted-directory/secrets/trusted-directory-ca.pem \
     -n <namespace>
   ```

   If the AS and platform services certificates aren't signed by a well-known CA, include their CA certificates in this trust store.

2. Create the TLS certificate secrets:

   ```bash
   # Standard TLS ingress
   kubectl create secret tls fapi-pep-rs-core-tls-cert \
     --cert=/path/to/tls.crt \
     --key=/path/to/tls.key \
     -n <namespace>

   # mTLS ingress
   kubectl create secret tls fapi-pep-rs-core-mtls-tls-cert \
     --cert=/path/to/mtls.crt \
     --key=/path/to/mtls.key \
     -n <namespace>
   ```

3. Create the mTLS CA bundle secret:

   ```bash
   kubectl create secret generic fapi-pep-rs-core-mtls-ca-certs \
     --from-file=ca.crt=/path/to/ca-bundle.crt \
     -n <namespace>
   ```

### Install

```bash
helm install ig-fapi-pep-rs ./openig-helm/ig-fapi-pep-rs \
  --namespace <namespace> \
  --set authorizationServer.fqdn=myTenant.forgeblocks.com \
  --set authorizationServer.baseFqdn=myTenant.forgeblocks.com \
  --set identityPlatform.fqdn=myTenant.forgeblocks.com \
  --set resourceServer.fqdn=rs.example.com \
  --set resourceServer.mtlsFqdn=rs-mtls.example.com \
  --set deployment.image.repo=gcr.io/forgerock-io/ig-fapi-pep-rs:2026.6.0 \
  --set resourceServer.oauth2Client.id=Z2F0ZXdheS1vYXV0aDItY2xpZW50 \
  --set resourceServer.oauth2Client.secret=cGFzc3dvcmQ= \
  --set resourceServer.idm.user=Z2F0ZXdheS1pZG0tdXNlcg== \
  --set resourceServer.idm.password=U2VjcmV0MTIhCg==
```

Secret values must be Base64-encoded. Use `echo -n 'your-value' | base64` to encode them. This example uses the values from [Create an OAuth 2.0 client account](aic-am.html#create-oauth2-client) and [Configuring identity management for FAPI](aic-idm.html):

* OAuth 2.0 client ID: `gateway-oauth2-client` (base64-encoding: `Z2F0ZXdheS1vYXV0aDItY2xpZW50`)

* OAuth 2.0 client secret: `password` (base64-encoding: `cGFzc3dvcmQ=`)

* IDM user: `gateway-idm-user` (base64-encoding: `Z2F0ZXdheS1pZG0tdXNlcg==`)

* IDM user password: `Secret12!` (base64-encoding: `U2VjcmV0MTIhCg==`)
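The base64 requirement applies to the trusted directory key store passwords, the PEP AS credentials and the PEP RS credentials alike, and the encoding step is where most mistakes happen: `echo` without `-n` encodes the value plus a newline. The following script is an added example, not code from the PingGateway documentation or its Helm charts. It encodes values with `printf '%s'`, checks an encoded value for a trailing newline, and writes the credentials into a values file for `helm install -f` so they do not appear in shell history or process listings the way `--set` arguments do. The YAML keys mirror the `--set` names in the install commands above; the function names and the values file are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the PingGateway docs or the Helm charts: build the
# base64-encoded credential values that the PEP AS and PEP RS installs expect
# (the trusted directory key store passwords are encoded the same way), check
# each value for a trailing newline, and write them to a values file passed
# with `helm install -f` instead of `--set`. The function names and the values
# file are this example's own; the YAML keys mirror the --set names above.

set -eu

# b64 VALUE: encode VALUE exactly. printf '%s' writes no trailing newline,
# which is the difference from `echo VALUE | base64` without -n: that form
# encodes VALUE plus "\n" and yields a value ending in "Cg==", i.e. a password
# or client ID with a newline embedded in it, which the AS/IDM will reject.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# b64_is_clean ENCODED: succeeds unless the decoded value ends in a newline.
# Run this over any encoded value copied from elsewhere before using it.
b64_is_clean() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" != "0a" ]
}

# write_pep_values FILE PREFIX CLIENT_ID CLIENT_SECRET IDM_USER IDM_PASSWORD
# PREFIX is pingGateway for ig-fapi-pep-as or resourceServer for
# ig-fapi-pep-rs. The file is written with mode 0600 (umask in a subshell)
# and refused if any plaintext input already ends in a line break.
write_pep_values() {
  file=$1; prefix=$2; shift 2
  for v in "$@"; do
    b64_is_clean "$(b64 "$v")" || { echo "write_pep_values: a value ends in a newline" >&2; return 1; }
  done
  (
    umask 077
    cat > "$file" <<EOF
$prefix:
  oauth2Client:
    id: $(b64 "$1")
    secret: $(b64 "$2")
  idm:
    user: $(b64 "$3")
    password: $(b64 "$4")
EOF
  )
}

# Demo: the sample values from the text, written to a temporary file.
demo() {
  f=$(mktemp)
  write_pep_values "$f" pingGateway gateway-oauth2-client password gateway-idm-user 'Secret12!'
  cat "$f"
  rm -f "$f"
}

demo
```

With a file written by `write_pep_values pep-as-values.yaml pingGateway ...`, the install becomes `helm install ig-fapi-pep-as ./openig-helm/ig-fapi-pep-as --namespace <namespace> -f pep-as-values.yaml` followed by the non-secret `--set` flags; for the PEP RS chart use the `resourceServer` prefix. A value that `b64_is_clean` rejects is the one to re-encode before it reaches the chart.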

### Configuration parameters

**FAPI PEP RS configuration**

| Parameter                            | Description                                 | Default                           |
| ------------------------------------ | ------------------------------------------- | --------------------------------- |
| `authorizationServer.fqdn`           | FQDN of the authorization server            | `as.sandbox.pinggateway.com`      |
| `authorizationServer.baseFqdn`       | Base domain for the deployment              | `sandbox.pinggateway.com`         |
| `authorizationServer.realm`          | AM realm used in OAuth2 endpoint paths      | `alpha`                           |
| `identityPlatform.fqdn`              | FQDN of the identity platform (AM/IDM)      | `iam.sandbox.pinggateway.com`     |
| `identityPlatform.type`              | Platform type: `CDK`, `CDM`, or `FIDC`      | `CDK`                             |
| `resourceServer.fqdn`                | Public FQDN of the resource server          | `rs.sandbox.pinggateway.com`      |
| `resourceServer.mtlsFqdn`            | mTLS FQDN of the resource server            | `rs-mtls.sandbox.pinggateway.com` |
| `resourceServer.oauth2Client.id`     | Base64-encoded OAuth2 client ID             | `replace-me`                      |
| `resourceServer.oauth2Client.secret` | Base64-encoded OAuth2 client secret         | `replace-me`                      |
| `resourceServer.idm.user`            | Base64-encoded IDM service account username | `replace-me`                      |
| `resourceServer.idm.password`        | Base64-encoded IDM service account password | `replace-me`                      |
| `deployment.image.repo`              | Container image repository (required)       | —                                 |
