ForgeOps

Deploy using Helm on minikube

In a development or demo environment, you can use the Helm chart available locally in the /path/to/forgeops/charts directory to perform a ForgeOps deployment. In a production environment, it is highly recommended to use the Helm charts published on the registry.

  1. Verify you’ve set up your environment and created a Kubernetes cluster as documented in the setup section.

  2. Use the terminal where you have already activated the Python3 virtual environment. If you haven’t already done so, activate the virtual environment in a new terminal window:

    $ source .venv/bin/activate
  3. The configuration of a ForgeOps deployment is controlled through Kustomize overlays or Helm values. Use the forgeops env command to set up the Kustomize overlays and Helm values files that configure your ForgeOps deployment environment:

    In a minikube environment, use the single instance deployment. For example:

    $ cd /path/to/forgeops/bin
    $ ./forgeops env --env-name my-env --fqdn my-fqdn \
      --cluster-issuer my-cluster-issuer --single-instance

    Learn more about deployment sizes in Cluster and deployment sizes and about single instances here.

  4. (Optional) By default, the latest platform images are used for ForgeOps deployment. If you need a specific image version to be deployed, then ensure that the image.repository and image.tag settings for the platform components are correct in the /path/to/forgeops/helm/my-env/values.yaml Helm values file.

  5. Set up your Kubernetes context:

    1. Create a Kubernetes namespace in the cluster for the Ping Identity Platform pods:

      $ kubectl create namespace my-namespace
    2. Set the active namespace in your Kubernetes context to the Kubernetes namespace you just created:

      $ kubens my-namespace
  6. Set up the certificate management and secret agent.

    1. Since minikube provides its own ingress controller, the NGINX ingress controller does not need to be installed.

    2. The forgeops repository provides cert-manager as the certificate management utility. If you need to use a different certificate management utility, refer to the corresponding documentation for installing that utility.

    3. Currently, the secret agent is used as the default secrets management utility in ForgeOps deployments. You can continue to use the secret agent in existing deployments. In new ForgeOps deployments, you should install and use the secret generator to manage Kubernetes secrets. The secret agent utility will be deprecated in the next release.

    4. Forgeops artifacts include alternatives for secrets management (secret agent or secret-generator) and ingress (nginx or ha-proxy). The forgeops prereqs command provides a corresponding -- option for those components. The -- option isn’t available for components, such as cert-manager, for which an alternative isn’t provided. Some examples are provided in forgeops prereqs command reference.

    1. To install the secret generator for secret management:

      $ forgeops prereqs --secret-generator
    2. To install the secret agent for secret management:

      $ forgeops prereqs
  7. In a separate terminal tab or window, run the minikube tunnel command, and enter your system’s superuser password when prompted:

    $ minikube tunnel
    ✅  Tunnel successfully started
    
    📌  NOTE: Please do not close this terminal as this process must stay alive for the tunnel to be accessible …
    
    ❗  The service/ingress forgerock requires privileged ports to be exposed: [80 443]
    🔑  sudo permission will be asked for it.
    ❗  The service/ingress ig requires privileged ports to be exposed: [80 443]
    🏃  Starting tunnel for service forgerock.
    🔑  sudo permission will be asked for it.
    🏃  Starting tunnel for service ig.
    Password:

    The tunnel creates networking that lets you access the minikube cluster’s ingress on the localhost IP address (127.0.0.1). Leave the tab or window that started the tunnel open for as long as you run the ForgeOps deployment.

    Refer to this post for an explanation about why a minikube tunnel is required to access ingress resources when running minikube on an ARM-based macOS system.

  8. Set up the fast storage class using the minikube-fast-storage-class.yaml file in the /path/to/forgeops/cluster/resources directory:

    $ kubectl apply -f /path/to/forgeops/cluster/resources/minikube-fast-storage-class.yaml
  9. Enable secret generator in your deployment environment:

    $ forgeops env --env-name my-env --namespace my-namespace --secret-generator

    The secret agent is enabled and used in the environment if the secret generator isn’t enabled.
  10. Run the helm upgrade command to perform a ForgeOps deployment:

    $ helm upgrade --install identity-platform identity-platform \
     --repo https://ForgeRock.github.io/forgeops/ \
     --namespace my-namespace \
     --values /path/to/forgeops/helm/my-env/values.yaml

    The preceding command creates a single-instance ForgeOps deployment. Only single-instance deployments are supported on minikube.

    Learn more about single-instance deployments in Cluster and deployment sizes.

    Ping Identity only offers its software or services to legal entities that have entered into a binding license agreement with Ping Identity. When you install Docker images provided by ForgeOps, you agree either that: 1) you are an authorized user of a Ping Identity Platform customer that has entered into a license agreement with Ping Identity governing your use of the Ping Identity software; or 2) your use of the Ping Identity Platform software is subject to the Ping Identity Subscription Agreements.

  11. Check the status of the pods in the namespace in which you deployed the platform until all the pods are ready:

    1. Run the kubectl get pods command.

    2. Review the output. Deployment is complete when:

      • All entries in the STATUS column indicate Running or Completed.

      • The READY column indicates all running containers are available. The entry in the READY column represents [total number of containers/number of available containers].

    3. If necessary, continue to query your deployment’s status until all the pods are ready.

  12. (Optional) Install a TLS certificate instead of using the default self-signed certificate in your ForgeOps deployment. Refer to TLS certificate for details.
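Step 11 asks you to keep querying kubectl get pods until every pod is ready. The following script, an added example that is not part of the ForgeOps project or its documentation, turns those criteria into a function you can pipe kubectl output into, plus a polling loop; the pod names and output are constructed, and the loop assumes kubectl is on your PATH and pointed at the cluster with the namespace selected as in step 5.

```shell
# Added example (not ForgeOps code): apply the step 11 readiness criteria to
# `kubectl get pods` output. A pod is ready when STATUS is Completed, or STATUS
# is Running and READY shows every container available (x/x); otherwise wait.

# pods_ready reads `kubectl get pods` output on stdin; exit 0 when every pod
# meets the criteria and at least one pod exists, exit 1 otherwise.
pods_ready() {
  awk '
    NR == 1 { next }                 # skip the NAME READY STATUS ... header
    NF < 3  { next }                 # ignore blank lines
    {
      seen++
      if ($3 == "Completed") next    # finished jobs legitimately show 0/1
      split($2, c, "/")              # READY is "<available>/<total>"
      if ($3 != "Running" || c[1] != c[2]) notready++
    }
    END { exit (seen == 0 || notready > 0) }
  '
}

# wait_for_pods polls the active namespace every 10 s until pods_ready succeeds
# or the timeout in seconds (default 600) expires. Assumes kubectl is configured.
wait_for_pods() {
  timeout=${1:-600}; elapsed=0
  while ! kubectl get pods | pods_ready; do
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s; inspect pods that are not Running" >&2
      return 1
    fi
    sleep 10; elapsed=$((elapsed + 10))
  done
  echo "all pods ready"
}

# Constructed sample output (pod names are made up): rollout still in progress.
SAMPLE_PENDING='NAME                       READY   STATUS      RESTARTS   AGE
admin-ui-6d8b9f7c4-x2p9q   1/1     Running     0          3m
am-7c9d5b6f8-k4lzt         0/1     Running     0          3m
ldif-importer-abc12        0/1     Completed   0          2m'

# Constructed sample output: the same deployment once it has settled.
SAMPLE_READY='NAME                       READY   STATUS      RESTARTS   AGE
admin-ui-6d8b9f7c4-x2p9q   1/1     Running     0          5m
am-7c9d5b6f8-k4lzt         1/1     Running     0          5m
ldif-importer-abc12        0/1     Completed   0          4m'

printf '%s\n' "$SAMPLE_PENDING" | pods_ready && echo "pending sample: ready" || echo "pending sample: not ready yet"
printf '%s\n' "$SAMPLE_READY"   | pods_ready && echo "ready sample: ready"   || echo "ready sample: not ready yet"
```

Run `wait_for_pods 900` in the terminal where kubens my-namespace is active to block until the deployment is complete or 15 minutes have passed.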

Next step