Deploy using Helm on GKE, EKS, or AKS

In a development or demo environment, you can use the Helm chart available locally in the /path/to/forgeops/charts directory to perform a ForgeOps deployment. In a production environment, it is highly recommended that you use the Helm charts published on the registry.
- Verify that you have set up your environment and created a Kubernetes cluster as documented in the setup section.

- Enable the Python3 virtual environment:

  $ source .venv/bin/activate

- Set up a ForgeOps deployment environment:

  $ cd /path/to/forgeops/bin
  $ ./forgeops env --env-name my-env --fqdn my-fqdn --cluster-issuer my-cluster-issuer --deployment-size

  In the command above, replace my-fqdn, my-cluster-issuer, and --deployment-size with appropriate values from your environment.

  - If you want to use the issuer provided with the platform for a demo, you can use default-issuer.
  - For small, medium, and large deployments, specify --deployment-size as --small, --medium, or --large.
  - For a single-instance deployment, specify --deployment-size as --single-instance. In a Minikube environment, use a single-instance deployment. Learn more about single-instance deployments and deployment sizes in Cluster and deployment sizes.

- (Optional) By default, the latest platform images are used for the ForgeOps deployment. If you need a specific image version to be deployed, ensure that the image.repository and image.tag settings for the platform components are correct in the /path/to/forgeops/helm/my-env/values.yaml Helm values file.
- Set up your Kubernetes context:

  - Set the KUBECONFIG environment variable so that your Kubernetes context references the cluster in which you'll perform the ForgeOps deployment.
  - Create a Kubernetes namespace in the cluster for the Ping Identity Platform pods:

    $ kubectl create namespace my-namespace

  - Set the active namespace in your Kubernetes context to the Kubernetes namespace you just created:

    $ kubens my-namespace
- Set up certificate management, the secret agent, and NGINX:

  The forgeops repository contains the certmanager-deploy.sh script to install cert-manager in your cluster. If you need to use a different certificate management utility, refer to the corresponding documentation for installing that utility.

  $ cd /path/to/forgeops/charts/scripts
  $ ./install-prereqs
- (Optional) If you've set up your Kubernetes cluster using the ForgeOps-provided Terraform manifest, you will already have created the required fast storage and volume snapshot classes. If you set up your Kubernetes cluster using your own scripts, create these classes using the corresponding YAML files provided in the /path/to/forgeops/cluster/resources folder. For example, on GKE:

  $ kubectl apply -f /path/to/forgeops/cluster/resources/gke-fast-storage-class.yaml
  $ kubectl apply -f /path/to/forgeops/cluster/resources/gke-volume-snapshot-class.yaml
- Run the helm upgrade command:

  $ cd /path/to/forgeops/charts/identity-platform
  $ helm upgrade --install identity-platform ./ \
      --repo https://ForgeRock.github.io/forgeops/ \
      --version 2025.1.1 --namespace my-namespace \
      --values /path/to/forgeops/helm/my-env/values.yaml

  When deploying the platform with Docker images other than the ForgeOps-provided images, you'll also need to set additional Helm values such as am.image.repository, am.image.tag, idm.image.repository, and idm.image.tag. For an example, refer to Redeploy AM: Helm deployments.

  Ping Identity only offers its software or services to legal entities that have entered into a binding license agreement with Ping Identity. When you install Docker images provided by ForgeOps, you agree either that: 1) you are an authorized user of a Ping Identity Platform customer that has entered into a license agreement with Ping Identity governing your use of the Ping Identity software; or 2) your use of the Ping Identity Platform software is subject to the Ping Identity Subscription Agreements.
- Check the status of the pods in the namespace in which you deployed the platform until all the pods are ready:

  - Run the kubectl get pods command.
  - Review the output. Deployment is complete when:
    - All entries in the STATUS column indicate Running or Completed.
    - The READY column indicates all running containers are available. The entry in the READY column represents [total number of containers/number of available containers].
  - If necessary, continue to query your deployment's status until all the pods are ready.
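The readiness rules above can be scripted rather than checked by eye. The following is an added example, not code from the ForgeOps repository: pods_ready reads the text that kubectl get pods prints and applies the STATUS and READY rules; the pod names in the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the ForgeOps docs). pods_ready reads "kubectl get pods"
# output from stdin. A pod passes when STATUS is Running or Completed and, for
# Running pods, READY shows every container available (both numbers in n/n
# match). Each failing pod is printed; exit status is 0 only when all pass.
pods_ready() {
    awk '
        NR == 1 { next }                      # skip the column header
        {
            name = $1; ready = $2; status = $3
            if (status != "Running" && status != "Completed") {
                print name " status=" status; bad++; next
            }
            split(ready, n, "/")
            if (status == "Running" && n[1] != n[2]) {
                print name " ready=" ready; bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Live use (needs kubectl): poll a namespace until pods_ready succeeds.
wait_for_pods() {   # usage: wait_for_pods <namespace> [seconds-between-polls]
    ns=$1; interval=${2:-10}
    until kubectl get pods --namespace "$ns" | pods_ready; do
        echo "pods in $ns not ready yet; retrying in ${interval}s"
        sleep "$interval"
    done
}

# Constructed sample listings (pod names invented) for an offline check.
SAMPLE_NOT_READY='NAME                  READY   STATUS      RESTARTS   AGE
am-6d4b7c9d8-x2k4q    1/1     Running     0          3m
ds-idrepo-0           0/1     Running     0          3m
ldif-importer-abcde   0/1     Completed   0          3m
idm-7f9c5b6d4-p9q2r   1/1     Running     0          3m'

SAMPLE_READY='NAME                  READY   STATUS      RESTARTS   AGE
am-6d4b7c9d8-x2k4q    1/1     Running     0          5m
ds-idrepo-0           1/1     Running     0          5m
ldif-importer-abcde   0/1     Completed   0          5m
idm-7f9c5b6d4-p9q2r   1/1     Running     0          5m'

printf '%s\n' "$SAMPLE_NOT_READY" | pods_ready || echo "sample 1: not ready (expected)"
printf '%s\n' "$SAMPLE_READY" | pods_ready && echo "sample 2: all pods ready"
```

A Completed pod legitimately shows 0/1 in READY, which is why the n/n comparison is applied only to Running pods.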
- Back up and save the Kubernetes secrets that contain the master and TLS keys:

  - To avoid accidentally putting the backups under version control, change to a directory that is outside your forgeops repository clone.
  - The ds-master-keypair secret contains the DS master key. This key is required to decrypt data from a directory backup. Failure to save this key could result in data loss. Back up the Kubernetes secret that contains the DS master key:

    $ kubectl get secret ds-master-keypair -o yaml > master-key-pair.yaml

  - The ds-ssl-keypair secret contains the DS TLS key. This key is needed for cross-environment replication topologies. Back up the Kubernetes secret that contains the DS TLS key pair:

    $ kubectl get secret ds-ssl-keypair -o yaml > tls-key-pair.yaml

  - Save the two backup files.
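The two backups above, as an added script that is not part of the ForgeOps repository: it refuses a destination inside any git checkout (the mistake the step warns about) and creates the files readable only by the owner, since the exported YAML carries the key material base64-encoded, not encrypted. It assumes kubectl is already pointed at the deployment namespace via KUBECONFIG and kubens.

```shell
#!/bin/sh
# Added example (not from the ForgeOps docs): export the DS key-pair secrets
# to a directory that is guaranteed not to be under version control.
set -eu

# Exit 0 when DIR sits inside a git checkout: walk up looking for a .git entry.
inside_repo() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while :; do
        [ -e "$dir/.git" ] && return 0
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# Export both secrets as YAML. umask 077 makes the files 0600 because they hold
# the DS master key and the TLS private key.
backup_ds_secrets() {       # usage: backup_ds_secrets <dest-dir>
    dest=$1
    mkdir -p "$dest"
    if inside_repo "$dest"; then
        echo "refusing: $dest is inside a git repository" >&2
        return 2
    fi
    umask 077
    kubectl get secret ds-master-keypair -o yaml > "$dest/master-key-pair.yaml"
    kubectl get secret ds-ssl-keypair -o yaml > "$dest/tls-key-pair.yaml"
    echo "saved master-key-pair.yaml and tls-key-pair.yaml to $dest"
}

# Run only when a destination directory is given on the command line.
if [ $# -gt 0 ]; then
    backup_ds_secrets "$1"
fi
```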
- (Optional) Deploy Prometheus, Grafana, and Alertmanager for monitoring and alerting[1]:

  - Deploy Prometheus, Grafana, and Alertmanager pods in your ForgeOps deployment:

    $ /path/to/forgeops/bin/prometheus-deploy.sh
    **This script requires Helm version 3.04 or later due to changes in the behaviour of 'helm repo add' command.**
    namespace/monitoring created
    "stable" has been added to your repositories
    "prometheus-community" has been added to your repositories
    Hang tight while we grab the latest from your chart repositories...
    ...Successfully got an update from the "ingress-nginx" chart repository
    ...Successfully got an update from the "codecentric" chart repository
    ...Successfully got an update from the "prometheus-community" chart repository
    ...Successfully got an update from the "stable" chart repository
    Update Complete. ⎈Happy Helming!⎈
    Release "prometheus-operator" does not exist. Installing it now.
    NAME: prometheus-operator
    LAST DEPLOYED: ...
    NAMESPACE: monitoring
    STATUS: deployed
    REVISION: 1
    NOTES:
    kube-prometheus-stack has been installed. Check its status by running:
      kubectl --namespace monitoring get pods -l "release=prometheus-operator"

    Visit https://github.com/prometheus-operator/kube-prometheus for instructions on how to create & configure Alertmanager and Prometheus instances using the Operator.
    ...
    Release "forgerock-metrics" does not exist. Installing it now.
    NAME: forgerock-metrics
    LAST DEPLOYED: ...
    NAMESPACE: monitoring
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None

  - Check the status of the pods in the monitoring namespace until all the pods are ready:

    $ kubectl get pods --namespace monitoring
    NAME                                                     READY   STATUS    RESTARTS   AGE
    alertmanager-prometheus-operator-kube-p-alertmanager-0   2/2     Running   0          119s
    prometheus-operator-grafana-95b8f5b7d-nn65h              3/3     Running   0          2m4s
    prometheus-operator-kube-p-operator-7d54989595-pdj44     1/1     Running   0          2m4s
    prometheus-operator-kube-state-metrics-d95996bc4-wcf7s   1/1     Running   0          2m4s
    prometheus-operator-prometheus-node-exporter-67xq4       1/1     Running   0          2m4s
    prometheus-operator-prometheus-node-exporter-b4grn       1/1     Running   0          2m4s
    prometheus-operator-prometheus-node-exporter-cwhcn       1/1     Running   0          2m4s
    prometheus-operator-prometheus-node-exporter-h9brd       1/1     Running   0          2m4s
    prometheus-operator-prometheus-node-exporter-q8zrk       1/1     Running   0          2m4s
    prometheus-operator-prometheus-node-exporter-vqpt5       1/1     Running   0          2m4s
    prometheus-prometheus-operator-kube-p-prometheus-0       2/2     Running   0          119s

- (Optional) Install a TLS certificate instead of using the default self-signed certificate in your ForgeOps deployment. Refer to TLS certificate for details.