ForgeOps release notes

Subscribe to the ForgeOps 2026.2.0 RSS feed to get notification when there’s an update to the latest ForgeOps documentation.

Learn more about configuring GitHub notifications here so you can get notified on ForgeOps releases.

Validated Kubernetes, Ingress-NGINX Controller, HAProxy Ingress, cert-manager, and operator versions for deploying Ping Identity Platform 2026.2

Link

Limitations when deploying Ping Identity Platform 2026.2 on Kubernetes

Link

More information about the evolving nature of the forgeops repository, including technology previews, legacy features, and feature deprecation and removal

Link

Legal notices

Link

Archive of release notes in ForgeOps 2026.1 are available from ForgeOps release 2026.1 documentation.

Link

Archive of release notes in ForgeOps 2025.1 and 2025.2 are available from ForgeOps release 2025.2 documentation.

Link

Archive of release notes in 2024 and before are available from ForgeOps release 7.5 documentation.

Link

Archive of release notes in 2023 and before are available from ForgeOps release 7.4 documentation

Link

2026

ForgeOps 2026.2 release features

Read-only root filesystem for init containers (Helm only): The init containers of all pods have been reconfigured to enable readOnlyRootFilesystem security context. This has no impact on deployments, but requires that DS stateful sets be recreated. To enable the readOnlyRootFilesystem security context, follow these steps.
Flags to enable or disable security features (Helm only): You can enable or disable the new security features in your ForgeOps environment using the --secure or --insecure flags. By default, new environments are created with the --secure flag, so the new security features are enabled.

These flags can be enabled or disabled only in ForgeOps environments deployed using Helm.

To enable the security features in an existing environment:

Run the forgeops command:

$ cd /path/to/forgeops
$ ./bin/forgeops env --env-name my-env --secure

Recreate the DS stateful set using the instructions in the how to recreate an STS article.

The platform pods deployed as non-root user using user ID

The AM, DS, and IDM pods are now deployed as the standard non-root user ID 11111 and the username is no longer referred to. The user ID 11111 is a security standard across the platform. This user ID is set in the pod security context as the runAsUser property.

PodDisruptionBudgets for product components

You can enable PodDisruptionBudgets for platform product components in the Helm charts for Ping Identity Platform including PingGateway. This feature is disabled by default. You can enable it for each component by setting component.pdb.enabled: true in your values file.

The default policy keeps at least one pod available by setting minAvailable: 1. You can change this value by appropriately changing the value of component.pdb.minAvailable or component.pdb.maxUnavailable.

The affected components are: am, idm, admin-ui, end-user-ui, login-ui, ds-idrepo, ds-cts and ig (ping-gateway).

Supported Ping Identity Platform images

ForgeOps supports the last three major or minor versions of the Ping Identity Platform images. With the availability of 8.1 images, ForgeOps supports 8.1, 8.0, and 7.5 versions of the platform images, and 7.4 images are no longer supported.

We recommend customers that upgrade to a newer version of the platform images. Use the upgrade guide to upgrade to the latest image. The older tags remain available on http://releases.forgeops.com until the next major/minor release.

The config export no-upgrade topic is removed from documentation

The config export functionality has been included in the forgeops config export command. Because the forgeops config export command already separates out the upgrade function, this topic is not required in the Troubleshooting section of the documentation. The no-upgrade option of config export topic is removed from the documentation.

New ttl options for use with amster and ds-set-passwords jobs

The amster and ds-set-passwords jobs now have a time-to-live (TTL) option that you can set to retain these jobs for a specified time. This is useful for jobs that are run manually need and to be retained to run to completion. To use this feature, set the ttlSecondsAfterFinished option. The default is 7200 seconds.

This feature is available in new environments only.

Ability to define apiVersion, kind, and spec for a secret

You can now define the apiVersion, kind, and spec for secrets defined in the platform.secrets. This allows you to define secrets using external-secrets.

Highlights in 2026.1 release

The Ping Identity Platform 8.1 product images

ForgeOps team is testing and validating the 8.1.0 version of Ping Identity Platform products for deployment with ForgeOps. We’ll make the new images available for deployment as soon as possible. In the meantime, you can use the 8.0.x images for your ForgeOps deployment.

Replaced ingress-nginx with Traefik as the default ingress controller

The default ingress controller has changed to Traefik because Kubernetes has retired the ingress-nginx controller. The ForgeOps documentation has been updated to reflect this change.

Learn more in the ForgeOps Architecture section.
Learn how to install Traefik in your cluster in the Prerequisites section.

Configuration profiles built into their own images

The configuration profiles for AM and IDM have been separated into their own BusyBox images. You no longer need to build the AM and IDM Docker images for configuration changes.

The forgeops config command has a new build subcommand to create custom BusyBox images for AM and IDM configuration profiles. ForgeOps deployment tools use the configuration images when available, and fall back to the built-in configuration in AM and IDM images.

To learn more, run the forgeops config build --help command.

Update ForgeOps deployment environments: The new custom images require changes to your ForgeOps deployment environments. Update your default Kustomize overlay if you’re using the FORGEOPS_DATA functionality. Run the forgeops env --env-name my-env --upgrade command in your environments to update the ForgeOps deployment environments to use the new configuration images. This command also updates the default Kustomize overlay when you run it the first time against any ForgeOps deployment environment.

Features and functionality in ForgeOps 2026.1 release

Newer Ping Identity platform product images

The following new secure images are available for ForgeOps deployment:

Secret agent updated

The secret agent has been updated to version 1.2.10 which fixes the bug in the version 1.12.9.

Helm 4 support

You can now use Helm 4 to deploy ForgeOps. Helm 4 has been tested with the ForgeOps 2026.1 release.

New --retain option for troubleshooting Amster

You can use the --retain duration option with forgeops amster import and forgeops amster export commands to keep the amster pod running for the specified duration.

Direct debug-logs output to a file

You can now direct the debug-logs command output directly to a file. This is useful for long-running log collection and allows you to view the output file. Learn more in Kubernetes logs and other diagnostics.

Increased TTL

Amster, ds-set-passwords, and keystore-create jobs will now remain for two hours after completion to allow viewing logs. This value can be amended.

Moved upgrade logic to env command

The forgeops upgrade functionality has been moved to the forgeops env as an option. You can now run the command as:

forgeops env --env-name my_env --upgrade

Display a message when requested image version isn’t available

The forgeops image command informs users when the selected image version is not available for a product, instead of selecting the next available version in the background. This avoids confusion when addressing version specific issues.

Ability to specify external DS hosts in the Helm chart

You can now specify host names external to the ForgeOps deployment environment. See platform.external_ds in charts/identity-platform/values.yaml for more info.

Updated python dependency versions

The python dependencies have been updated in lib/python/requirements.txt. Use forgeops configure to update your Python virtual environment (.venv) and run forgeops commands within the Python venv.

Ability to build am-config-upgrader image

Added the am-config-upgrader/Dockerfile file. You can now build an am-config-upgrader image with the forgeops build command.

Update to forgeops repository directories

The content in forgeops repository has been reorganized. Learn more in forgeops directories and files.

Added a note about deploying with custom certificates

A cautionary note has been included in the Deployment section to indicate that the self-signed certificate provided with ForgeOps artifacts is not suitable for production or for integration with other applications.

Bugfixes

Fixed bug in base-generate.sh: A step was missing in base-generate.sh that prevented the updated files from being placed properly. It now copies the results of helm template into the proper location.
Fixed bugs in amster: Included the --full option in forgeops amster export to enable exporting all realm entities. The bugs in this option have been fixed.

forgeops amster import src wasn’t overwriting the configuration baked into the image with the provided configuration. This has now been corrected.

forgeops amster export now waits for AM to be up. Previously this function was only included in the import command.
Fixed forgeops upgrade-am-config: The 8.0.2 am-config-upgrader image changed permissions on some files which caused forgeops upgrade-am-config to break. The forgeops upgrade-am-config command now connects to the container as root. This is an ephemeral container running outside the cluster and reduces the security impact.

How-tos

Following articles have been added in how-tos directory in the forgeops repository:

March 26, 2026

Configured ForgeOps pods with read-only root file systems: To provide better security, all the ForgeOps pods are configured to use read-only root file systems. This change is implemented in the Helm chart and applies to all ForgeOps deployments, including those that use Kustomize overlays.

February 24, 2026

Replaced NGINIX with Traefik as the default ingress controller: The default ingress controller in ForgeOps deployment is changed to Traefik, because Kubernetes has stopped the support for ingress-nginx controller. The documentation is updated to reflect this change. Learn more in the ForgeOps Architecture section.

February 23, 2026

Availability of newer PingGateway: Newer PingGateway images versions 2025.11.0 and 2025.11.1 are now available for ForgeOps deployment.

February 6, 2026

Added a note about deploying with custom certificate: A cautionary note has been included in the Deployment section of the document to indicate that the self-signed certificate provided with ForgeOps artifacts is not suitable in production or integration with other applications.

January 15, 2026

Update description of forgeops repo directories: Updated description of directories and files in the forgeops repository.

January 9, 2026

Include links to how-to articles: In the documentation, links to how-to articles in the forgeops repository have been added. Learn more in Articles in the forgeops repository.

January 5, 2026

Update debug-logs output: The output from debug-logs has been updated. Learn more in Kubernetes logs and other diagnostics.

January 14, 2026

Update to forgeops repository directories: The content in forgeops repository has been reorganized. Learn more in forgeops directories and files.

2025

December 11, 2025

Moved use of amster retain option

You can keep the amster job running only as required occasionally during import and export of configurations. Accordingly, the --amster-retain option has been removed from the forgeops env command. The --retain option is included in the forgeops amster export and forgeops amster import commands. Learn more about using --retain options.

Amster bug fixes

Using --full option to the forgeops amster export command ensures it exports all realm entities. Bugs with this option have been fixed.
The forgeops amster import command now updates the baked configuration in the image with the provided configuration.
The forgeops amster export command now waits for AM to be up. Previously, this function was only included in the forgeops amster import command.

December 5, 2025

New secure Docker images released

The following secure Docker images are now available:

IDM and DS 8.0.1
AM 7.5.2 and 8.0.2

December 1, 2025

Simplify steps to add custom ldap entries: Facilitated addition of custom ldap configuration files to DS setup profiles. Learn more here.

November 21, 2025

PingGateway installation using dedicated Helm chart: Revised Helm installation of PingGateway to use the dedicated chart for PingGateway.

November 19, 2025

Restructured Upgrade section: Rationalized and restructured the Upgrade section of the documentation.

November 12, 2025

Revise kubectl image: The kubectl image used in ForgeOps has been changed to use the alpine image, because the bitnami image isn’t available any longer.

November 05, 2025

Secrets rotation: Documented steps to rotate secrets and passwords used in ForgeOps deployments. Learn more in Secrets Rotation.

October 24, 2025

Quick set up on minikube: Documented a prescriptive section for setting up a minikube cluster and performing ForgeOps deployment. Learn more in Quick deployment on minikube.

October 10, 2025

PingIDM 8.1.0 new patch: New PingIDM 8.1.0 image patch has been released.