Releases: ForgeRock/forgeops
2025.2.1
RELEASE=2025.2.1
Release Notes
New Features/Updated functionality
Changing base-generate.sh
The base-generate.sh script creates kustomize/base from the Helm chart. It
has been updated to use --output-dir with helm template to generate
individual template files. This allows us to remove logic from the Helm chart
that's only there for base-generate.sh. Update your
$FORGEOPS_DATA/kustomize/base with these changes.
Adding ability to provide custom secrets
The platform.secrets functionality added in 2025.2.0 has been updated to
allow for fully custom secrets. This enables users to use an alternate secrets
provider like external-secrets, or add extra secrets without having to use
secret-generator. The Helm value platform.secret_generator_enable has been
renamed to platform.secrets_enabled.
Bugfixes
Fixed backwards compatibility of PingAM images built from 2025.2.0
The import-pem-certs.sh script was moved from the PingAM docker image to a configmap.
Because the script isn't available as a configmap in 2025.1.x, new images built from
2025.2.0 and used in 2025.1.2 fail. So the script has been added back to docker/am.
Bitnami images going away
The Bitnami images have been pulled from Docker Hub, and are no longer
available. We have switched to the Alpine kubectl image for the keystore-create
and ds-snapshot jobs.
Fixed no downtime password rotations for legacy installs
In 2025.2.0, we added the ability to do no downtime password rotations for DS
passwords. This requires allow-multiple-password-values to be set to true in
the Default and Root password policies. This was added to
docker/ds/ds-setup.sh, but that is only effective for fresh deployments. For
existing deployments it has no effect. We have added the dsconfig commands
necessary to enable no downtime password rotations to the startup for DS pods.
Removed Features
Documentation updates
How To on custom secrets
Added how-tos/custom-secrets.md that describes how to create custom secrets
with secret-generator. It also describes how to use the same platform.secrets
dictionary to use an alternate Kubernetes secrets provider.
Full Changelog: 2025.2.0...2025.2.1
identity-platform-2025.2.1
A Helm chart for Kubernetes
2025.2.0
RELEASE=2025.2.0
Release Notes
New Features/Updated functionality
New secret-agent release available
secret-agent 1.2.7 has been released to resolve the latest security
vulnerabilities.
New Ping Identity Platform product versions available
PingIDM 7.4.1 and 7.5.2 and PingGateway 2025.6.0 have been released and are available to deploy with forgeops tooling.
Option to provision keystores without secret-agent
When secret-generator and the keystore-create Kubernetes job are enabled,
a single keystore is now created for AM and IDM. When the keystore-create
job is enabled, the keystore configurations will be consolidated under the
keystore_create.config Helm values settings.
Truststore no longer provisioned by secret-agent
OpenSSL now provides the default root CAs. Users can provide additional
certificates via the Helm chart.
Removed curl from ldif-importer
Curl has been replaced with ldapsearch in the ldif-importer job. Curl often has
security vulnerabilities, and so we decided to remove it.
Replace curl with wget in Amster
Curl has been replaced with wget in the amster job. Curl often has
security vulnerabilities, and so we've changed it to wget which is more secure.
Added ability to use secret-generator
It is now possible to use secret-generator to provision platform secrets
instead of secret-agent. In the future, secret-agent will be deprecated. It is
recommended that new deployments use secret-generator.
New forgeops prereqs command
This replaces charts/scripts/install-prereqs, and the settings move into
forgeops.conf. See forgeops prereqs -h for more information.
Added ability to do no downtime DS password rotations
DS images must be built with ForgeOps 2025.2.0 in order to enable multiple
password values. Rebuild your current images, or use the latest available tag
for DS images.
New forgeops rotate command
This new command assists with no downtime DS password rotations for the
ds-env-secrets and ds-passwords secrets. It will create the old-ds-env-secrets
and old-ds-passwords secrets which are used by the ds-set-passwords job and
the init container to maintain the old passwords during the rotation process.
New forgeops upgrade command
This command will upgrade your Kustomize overlays. It is safe to rerun because
it checks to see if any work needs to be done. It is being added to update the
secrets child overlay with the new structure. It will be used in the future as
we update the default overlay. If you use an alternate default overlay, upgrade
that one first. Test the upgraded overlay to ensure that you don't need to add
back any customizations you made.
New migration script for secret-generator
Since the process to migrate to secret-generator from secret-agent is so
complex, we have created a script that will do the steps for you. It uses the
new rotate command with the new no downtime password rotation logic to
eliminate downtime during the migration.
Bugfixes
Fix forgeops amster import/export command
Reordered the patches in the amster/upload and amster/export sub overlays to correctly manage amster configuration.
Renamed FORGEOPS_ROOT to FORGEOPS_DATA
In order to reduce confusion, the optional FORGEOPS_ROOT env var has been
renamed FORGEOPS_DATA. The forgeops command will offer to fix this in
~/.forgeops.conf if FORGEOPS_ROOT is detected.
Stop AM failing if openam container restarts
Ensure openam container has access to the default boot.json when something causes the
container to restart. This is because the fbc-init init-container doesn't run when the
openam container restarts so the default boot.json isn't set for startup.
Fixed bug in info command
The forgeops info -e my-env command would throw an exception when an image
has a tag that doesn't start with X.Y.Z. This was due to a bug in
lib.python.releases.is_valid_release(). It now properly returns false if a tag
doesn't match that pattern.
Fixed bug in build command
The forgeops build command didn't properly handle a user not providing a tag.
It now will use latest if a tag is not specified.
Removed Features
Documentation updates
Expanded section on alternate release files
Organizations that need to build their own container images can create their
own release files so forgeops image and forgeops info will work with these
custom images.
Added how-to on creating custom environment variables
Created a new document on how to add custom environment variables to the
platform-config ConfigMap, AM, and IDM. You can find it at
how-tos/custom-envs.md.
Full Changelog: 2025.1.2...2025.2.0
identity-platform-2025.2.0
A Helm chart for Kubernetes
2025.1.2
RELEASE=2025.1.2
Release Notes
New Features/Updated functionality
New PingGateway version available
PingGateway 2025.3.0 has been released and is available to deploy with forgeops tooling.
Update PingGateway deployment to use the new default admin endpoint
PingGateway has 2 endpoints now:
- /ig: the main entry point to PingGateway
- /admin: the API of the PingGateway admin, containing the /ping handler used for live checks, for example.
Custom ENV variables in Helm chart
Implemented a customer request to provide a mechanism to define extra ENV
variables for AM and IDM as well as adding custom variables to the
platform-config ConfigMap.
Look in the following sections in charts/identity-platform/values.yaml for
examples. Update the values.yaml for your environments with the desired
configuration. The env arrays should contain maps of Kubernetes ENV
configurations.
platform.configMap.data # Map of custom key:value pairs for platform-config
platform.env # Shared custom ENV vars
am.env # AM custom ENV vars
idm.env # IDM custom ENV vars
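An illustration of the four value sections listed above, as an added example that is not taken from the project's values.yaml. All variable names, values and the Secret name are hypothetical, and it assumes the chart passes each env entry through unchanged as a standard Kubernetes container env entry, so credentials can be referenced from a Secret instead of being written as literals.

```yaml
# Added example, not from charts/identity-platform/values.yaml.
# Every name and value below is a hypothetical placeholder.
platform:
  configMap:
    data:
      # Non-sensitive key:value pairs only; ConfigMap data is stored and
      # displayed in clear text.
      EXAMPLE_FEATURE_FLAG: "true"
  env:
    # Shared entries, in the standard Kubernetes container env format.
    - name: EXAMPLE_REGION
      value: "eu-west-1"

am:
  env:
    # Avoid: a literal credential ends up in values.yaml, in the stored
    # Helm release values and in the pod spec.
    # - name: EXAMPLE_API_TOKEN
    #   value: "not-a-real-token"
    # Prefer: reference a key in an existing Secret.
    - name: EXAMPLE_API_TOKEN
      valueFrom:
        secretKeyRef:
          name: example-am-credentials   # hypothetical Secret
          key: api-token

idm:
  env:
    # Values can also come from pod metadata via the downward API.
    - name: EXAMPLE_POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
```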
install-prereqs
The install-prereqs script has been refactored with many new features.
- Added a usage statement
- Added trust-manager as a prereq
- Added secret-generator as a prereq
- Can choose between secret-agent and secret-generator
- Added the --upgrade flag for easy upgrading of prereqs
- Added the ability to provide a config file to pin versions
- Can target specific prereqs
install-prereqs cert-manager secrets
Started new secret management method
We have been working on an alternate method of managing secrets that relies on
3rd party tooling instead of secret-agent. While this work has started, it is
not complete. You should not enable it in a production environment.
Prometheus and Grafana added to Helm chart
Added the ability to enable Prometheus and Grafana in the Helm chart.
Increased TTL for keeping amster and ldif-importer jobs
Increased the TTL for keeping the amster and ldif-importer jobs from 300 to 600 seconds.
Improved release detection
When using forgeops image and forgeops info, it can now look forward for a
release if a customer selects X.0.0 and it doesn't exist. This was added due to
AM/Amster 8.0.0 being skipped, making 8.0.1 the first version.
Bugfixes
Fix --amster-retain option
Added --amster-retain option to bin/forgeops env.
Users can now configure an environment to keep amster running for troubleshooting purposes.
Fix VolumeSnapshots in Kustomize deployments
The forgeops env command has been updated to add a patch to update the
namespace when enabling volume snapshots for DS.
Removed Features
Removed generate command
The deprecated forgeops generate command has been removed.
bin/certmanager-deploy.sh
The old certmanager-deploy.sh script has been removed in favor of charts/scripts/install-prereqs.
bin/secret-agent
The old secret-agent script has been removed in favor of charts/scripts/install-prereqs.
Documentation updates
New how-to explaining how to add a second DNS alias for the root realm in PingAM
New how-to called add-additional-dns-alias-to-root-realm.md which provides steps on how to configure your Helm or Kustomize
deployment to use a second FQDN as an additional DNS alias for PingAM's root realm.
Full Changelog: 2025.1.1...2025.1.2
identity-platform-2025.1.2
A Helm chart for Kubernetes
2025.1.1
RELEASE=2025.1.1
Release Notes
New Features/Updated functionality
Ability to set FORGEOPS_ROOT
Users now have the ability to specify a separate FORGEOPS_ROOT location that contains the docker, helm, and kustomize folders. This allows users to keep their changes in a separate git repo. Users can create a ~/.forgeops.conf with their personal overrides like specifying FORGEOPS_ROOT=/path/to/my/local/checkout. Teams can place a forgeops.conf file in their FORGEOPS_ROOT that contains team-wide settings. It is not recommended to create a /path/to/forgeops_repo/forgeops.conf.
Doing this gives users the ability to clone the forgeops repo and just check out the version tag they need. This should make it easier to keep track of what version of ForgeOps is being used, and to upgrade to a newer version.
Removing forgeops-minikube script
The cluster/minikube/forgeops-minikube script was outdated, and unnecessary.
Please see:
- To deploy on Minikube using Helm: https://docs.pingidentity.com/forgeops/2025.1/deploy/deploy-scenario-helm-local.html
- To deploy on Minikube using Kustomize: https://docs.pingidentity.com/forgeops/2025.1/deploy/deploy-scenario-kustomize-local.html
info command can provide release information
You can now get a list of supported platform releases and their latest flags
with forgeops info --list-releases. You can get details for any release on
releases.forgeops.com with forgeops info --release x.y.z.
env command supports PingGateway (IG)
You can now update IG settings for cpu, memory, replicas, and pull policy in an
environment.
pyyaml updated
The version of pyyaml has been updated. Please run forgeops configure to update your libraries.
Bugfixes
forgeops info --env-name
In the last release, the info command got a new flag to provide details about a
specific environment. It threw an error when images with a timestamp were added
to the product release files. That has been fixed.
DS certificates are now deployed in helm pre-install
Helm pre-install hooks are now used to deploy DS certificates and they will no
longer be deleted when the helm chart is uninstalled.
Updated AM service target port
Updated the AM service in the Helm chart to use https target port.
Prometheus updates
Default ports and labels have been updated to match the new Helm chart.
Documentation updates
Full Changelog: 2025.1.0...2025.1.1
identity-platform-2025.1.1
A Helm chart for Kubernetes
2025.1.0
Release Notes
New Features/Updated functionality
main branch is now always the current release branch
Master branch is no longer used.
dev images are now available using the bin/forgeops image command.
New forgeops command:
- bin/forgeops-ng is now bin/forgeops
- Provision environments for Kustomize and Helm with bin/forgeops env.
- Set image tag for environment or Dockerfiles with bin/forgeops image.
- View configured environments and product versions with bin/forgeops info.
Refer to the ForgeOps deployment documentation for more information.
ForgeOps-provided Docker images are now supported
Ping Identity now supports ForgeOps-provided Docker images. Accordingly, the documentation is revised, and the "unsupported" admonition is removed.
New supported product versions
Platform UI versions: 7.5.1
PingAM versions: 7.4.1, 7.5.1
PingDS: 7.4.3, 7.5.1
PingGateway: 2024.6.0, 2024.9.0, 2024.11.0
Removed legacy DS docker directories
Removed the legacy docker/ds/idrepo and docker/ds/cts directories.
docker/ds/ds-new is now just docker/ds.
Removed requirement to build ldif-importer
ldif-importer now just uses the DS image. Scripts are mounted via a configmap.
Documentation updates
New forgeops command reference
Find doc page here
Description of the release process
Learn more about the ForgeOps release process here
New section on customizing DS image
We've added a section on customizing the DS image. Learn more about customizing the DS image here.
Moved Base Docker Image page to the Reference section
Because the ForgeOps-provided Docker images are supported, building base Docker images is only required in special cases. Accordingly, the Base Docker Images section has been moved to the Reference section.
Full Changelog: 7.0.0...2025.1.0
identity-platform-2025.1.0
A Helm chart for Kubernetes