ForgeOps

Deploy using Kustomize on GKE, EKS, or AKS

  1. Verify that you have set up your environment and created a Kubernetes cluster as documented in the setup section.

  2. Enable the Python3 virtual environment:

    $ source .venv/bin/activate

  3. Set up a ForgeOps deployment environment:

    $ cd /path/to/forgeops/bin
$ ./forgeops env --env-name my-env --fqdn my-fqdn --cluster-issuer my-cluster-issuer --deployment-size

    In the command above, replace my-fqdn, my-cluster-issuer, and --deployment-size with appropriate values from your environment.

    • If you want to use the issuer provided with the platform for demo, then you can use default-issuer.

    • For a single-instance deployment, specify --deployment-size as --single-instance.

    • For small, medium, and large deployments, specify --deployment-size as --small, --medium, or --large.

      Learn more about single-instance deployments and deployment sizes in Cluster and deployment sizes.

  4. Identify Docker images to deploy:

    • If you want to use custom Docker images for the platform, update the image defaulter file with image names and tags generated by the forgeops build command. The image defaulter file is located in your environment (my-env) folder /path/to/forgeops/kustomize/overlay/my-env directory.

      You can get the image names and tags from the image defaulter file on the system on which the customized Docker images were developed.

    • If you want to use ForgeOps-provided Docker images for the platform, do not modify the image defaulter file.

    • Use the forgeops image command to set up the correct component images to be deployed. The following command sets up the latest ForgeOps-provided Docker image for deployment:

      $ cd /path/to/forgeops/bin
$ forgeops image --env-name my-env --release 2025.1.0 platform

      If you want to set up your deployment environment with your own image, then use the following example command:

      $ cd /path/to/forgeops/bin
$ forgeops image --release my-image --env-name my-env platform

  5. Set up your Kubernetes context:

    1. Set the KUBECONFIG environment variable so that your Kubernetes context references the cluster in which you’ll perform the ForgeOps deployment.

    2. Create a Kubernetes namespace in the cluster for the Ping Identity Platform pods:

      $ kubectl create namespace my-namespace

    3. Set the active namespace in your Kubernetes context to the Kubernetes namespace you just created:

      $ kubens my-namespace

  6. Set up the certificate management utility. The forgeops repository contains certmanager-deploy.sh to install cert-manager in your cluster. If you need to use a different certificate management utility, then you refer to the corresponding documentation for installing that utility.

    $ cd /path/to/forgeops/bin
$ ./certmanager-deploy.sh

  7. Set up the secret agent to manage Kubernetes secrets:

    $ cd /path/to/forgeops/bin
$ ./secret-agent install

  8. Run the forgeops apply command. Learn more in forgeops apply command reference.

    For example:

    $ cd /path/to/forgeops/bin
$ ./forgeops apply --env-name my-env

    If you prefer not to deploy using a single forgeops apply command, you can find more information in Alternative deployment techniques when using Kustomize.

    Ping Identity only offers its software or services to legal entities that have entered into a binding license agreement with Ping Identity. When you install Docker images provided by ForgeOps, you agree either that: 1) you are an authorized user of a Ping Identity Platform customer that has entered into a license agreement with Ping Identity governing your use of the Ping Identity software; or 2) your use of the Ping Identity Platform software is subject to the Ping Identity Subscription Agreements.

  9. Check the status of the pods in the namespace in which you deployed the platform until all the pods are ready:

    1. Run the kubectl get pods command.

    2. Review the output. Deployment is complete when:

      • All entries in the STATUS column indicate Running or Completed.

      • The READY column indicates all running containers are available. The entry in the READY column represents [total number of containers/number of available containers].

    3. If necessary, continue to query your deployment’s status until all the pods are ready.

  10. Back up and save the Kubernetes secrets that contain the master and TLS keys:

    1. To avoid accidentally putting the backups under version control, change to a directory that is outside your forgeops repository clone.

    2. The ds-master-keypair secret contains the DS master key. This key is required to decrypt data from a directory backup. Failure to save this key could result in data loss.

      Back up the Kubernetes secret that contains the DS master key:

      $ kubectl get secret ds-master-keypair -o yaml > master-key-pair.yaml

    3. The ds-ssl-keypair secret contains the DS TLS key. This key is needed for cross-environment replication topologies.

      Back up the Kubernetes secret that contains the DS TLS key pair:

      $ kubectl get secret ds-ssl-keypair -o yaml > tls-key-pair.yaml

    4. Save the two backup files.

  11. (Optional) Deploy Prometheus, Grafana, and Alertmanager for monitoring and alerting[1]:

    1. Deploy Prometheus, Grafana, and Alertmanager pods in your ForgeOps deployment:

      $ /path/to/forgeops/bin/prometheus-deploy.sh

**This script requires Helm version 3.04 or later due to changes in the behaviour of 'helm repo add' command.**

namespace/monitoring created
"stable" has been added to your repositories
"prometheus-community" has been added to your repositories
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "ingress-nginx" chart repository
...Successfully got an update from the "codecentric" chart repository
...Successfully got an update from the "prometheus-community" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈Happy Helming!⎈
Release "prometheus-operator" does not exist. Installing it now.
NAME: prometheus-operator
LAST DEPLOYED: ...
NAMESPACE: monitoring
STATUS: deployed
REVISION: 1
NOTES:
kube-prometheus-stack has been installed. Check its status by running:
  kubectl --namespace monitoring get pods -l "release=prometheus-operator"

Visit https://github.com/prometheus-operator/kube-prometheus for instructions on how to create & configure Alertmanager and Prometheus instances using the Operator.
...
Release "forgerock-metrics" does not exist. Installing it now.
NAME: forgerock-metrics
LAST DEPLOYED: ...
NAMESPACE: monitoring
STATUS: deployed
REVISION: 1
TEST SUITE: None

    2. Check the status of the pods in the monitoring namespace until all the pods are ready:

      $ kubectl get pods --namespace monitoring
NAME                                                     READY   STATUS    RESTARTS   AGE
alertmanager-prometheus-operator-kube-p-alertmanager-0   2/2     Running   0          119s
prometheus-operator-grafana-95b8f5b7d-nn65h              3/3     Running   0          2m4s
prometheus-operator-kube-p-operator-7d54989595-pdj44     1/1     Running   0          2m4s
prometheus-operator-kube-state-metrics-d95996bc4-wcf7s   1/1     Running   0          2m4s
prometheus-operator-prometheus-node-exporter-67xq4       1/1     Running   0          2m4s
prometheus-operator-prometheus-node-exporter-b4grn       1/1     Running   0          2m4s
prometheus-operator-prometheus-node-exporter-cwhcn       1/1     Running   0          2m4s
prometheus-operator-prometheus-node-exporter-h9brd       1/1     Running   0          2m4s
prometheus-operator-prometheus-node-exporter-q8zrk       1/1     Running   0          2m4s
prometheus-operator-prometheus-node-exporter-vqpt5       1/1     Running   0          2m4s
prometheus-prometheus-operator-kube-p-prometheus-0       2/2     Running   0          119s

  12. (Optional) Install a TLS certificate instead of using the default self-signed certificate in your ForgeOps deployment. Refer to TLS certificate for details.

Alternative deployment techniques when using Kustomize

Staged deployments

If you prefer not to perform a ForgeOps Kustomize deployment using a single forgeops apply command, you can deploy the platform in stages, component by component, instead of deploying with a single command. Staging deployments can be useful if you need to troubleshoot a deployment issue.

Generating Kustomize manifests and using kubectl apply commands

You can generate Kustomize manifests using the forgeops env command, and then deploy the platform using the kubectl apply -k command.

The forgeops env command generates Kustomize manifests for your ForgeOps deployment environment. The manifests are written to the /path/to/forgeops/kustomize/overlay/my-env directory of your forgeops repository clone. Advanced users who prefer to work directly with Kustomize manifests that describe their ForgeOps deployment can use the generated content in the kustomize/overlay/my-env directory as an alternative to using the forgeops command:

  1. Generate an initial set of Kustomize manifests by running the forgeops env command.

  2. Run kubectl apply -k commands to deploy and remove platform components. Specify a manifest in the kustomize/overlay/my-env directory as an argument when you run kubectl apply -k commands.

    1. Use GitOps to manage configuration changes to the kustomize/overlay/my-env directory.

Next step

1. Installing Prometheus, Grafana, and Alertmanager technology in ForgeOps deployments provides an example of how you might set up monitoring and alerting in a Ping Identity Platform deployment in the cloud. Remember, ForgeOps deployments are reference implementations and not for production use. When you create a project plan, you’ll need to determine how to monitor and send alerts in your production deployment.