A production-ready GitOps template for managing ForgeRock identity configurations using ArgoCD and Kubernetes. Deploy ForgeRock AM, DS, and IDM configurations declaratively via Git — with automated sync, drift detection, and rollback.
Full tutorial: GitOps for ForgeRock: Managing Identity Configuration with ArgoCD
```
forgerock-gitops-argocd/
├── argocd/
│   ├── apps/
│   │   ├── forgerock-am.yaml          # ArgoCD Application for ForgeRock AM
│   │   ├── forgerock-ds.yaml          # ArgoCD Application for ForgeRock DS
│   │   ├── forgerock-idm.yaml         # ArgoCD Application for ForgeRock IDM
│   │   └── app-of-apps.yaml           # App-of-Apps pattern for all ForgeRock components
│   └── project.yaml                   # ArgoCD AppProject with RBAC policies
├── config/
│   ├── am/
│   │   ├── realms/
│   │   │   └── root.json              # Root realm configuration
│   │   ├── services/
│   │   │   ├── oauth2.json            # OAuth 2.0 provider settings
│   │   │   └── authentication.json    # Authentication service config
│   │   └── applications/
│   │       └── oauth2-client.json     # Example OAuth2 client
│   ├── ds/
│   │   ├── config.ldif                # DS base configuration
│   │   └── schema-extensions.ldif     # Custom schema extensions
│   └── idm/
│       ├── sync.json                  # IDM sync mappings
│       └── managed.json               # Managed object schema
├── secrets/
│   ├── sealed-secret-template.yaml    # Template for Sealed Secrets
│   └── README.md                      # Secrets management guide
├── scripts/
│   ├── setup-argocd.sh                # Bootstrap ArgoCD in cluster
│   ├── seal-secrets.sh                # Encrypt secrets with kubeseal
│   ├── validate-configs.sh            # Pre-commit config validation
│   └── rollback.sh                    # Emergency rollback script
├── environments/
│   ├── dev/
│   │   └── kustomization.yaml         # Dev environment overrides
│   ├── staging/
│   │   └── kustomization.yaml         # Staging environment overrides
│   └── prod/
│       └── kustomization.yaml         # Production environment overrides
└── .github/
    └── workflows/
        └── validate.yml               # PR validation: lint + schema check
```
- Kubernetes cluster (1.25+)
- `kubectl` configured
- `argocd` CLI installed
- `kubeseal` CLI for secrets management
- ForgeRock ForgeOps images pulled
```bash
./scripts/setup-argocd.sh
```

This installs ArgoCD, creates the `forgerock` AppProject, and waits for ArgoCD to be ready.
Before deploying, encrypt your ForgeRock admin credentials:
```bash
# Set your actual passwords as environment variables
export AM_ADMIN_PASSWORD="changeit"
export DS_ADMIN_PASSWORD="changeit"
export IDM_ADMIN_PASSWORD="changeit"
./scripts/seal-secrets.sh
```

This generates sealed secrets safe to commit to Git.
```bash
kubectl apply -f argocd/apps/app-of-apps.yaml
```

ArgoCD will detect and deploy all ForgeRock components in order.
```bash
./scripts/validate-configs.sh
```

The `app-of-apps.yaml` deploys a "parent" ArgoCD Application that manages all ForgeRock component apps. This ensures ordered deployment and centralized management:
```
App-of-Apps (forgerock-platform)
├── forgerock-ds (deployed first — data store)
├── forgerock-am (depends on DS)
└── forgerock-idm (depends on AM + DS)
```
All applications use automated sync with:
- `prune: true` — Removes resources deleted from Git
- `selfHeal: true` — Reverts manual changes (drift correction)
- `retry` — 5 attempts with exponential backoff
`config/am/services/oauth2.json` configures the OAuth 2.0 authorization server:

```json
{
  "serviceId": "oauth-oidc",
  "realm": "/",
  "supportedScopes": ["openid", "profile", "email", "address", "phone"],
  "accessTokenLifetime": 3600,
  "refreshTokenLifetime": 43200,
  "supportedResponseTypes": ["code", "token", "id_token"],
  "codeVerifierEnforced": "true"
}
```

Learn how to tune these settings: OAuth 2.0 Complete Developer Guide
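The provider settings above are the kind of thing a pre-commit check should inspect before ArgoCD syncs them, since a single field (PKCE enforcement, token lifetimes, the response types a client may request) decides how exposed the authorization server is. The following is an added example, not code from this template or from ForgeRock: a small policy check over the JSON shown above. The lifetime limits and the rule that flags any response type which returns an access token from the authorization endpoint (the implicit grant, which RFC 9700, the OAuth 2.0 Security BCP, recommends against) are assumptions chosen for the example; the embedded config is a constructed copy of the one above.

```python
import json
import sys

# Constructed copy of the config/am/services/oauth2.json shown above.
OAUTH2_PROVIDER_JSON = """{
  "serviceId": "oauth-oidc",
  "realm": "/",
  "supportedScopes": ["openid", "profile", "email", "address", "phone"],
  "accessTokenLifetime": 3600,
  "refreshTokenLifetime": 43200,
  "supportedResponseTypes": ["code", "token", "id_token"],
  "codeVerifierEnforced": "true"
}"""

# Assumed policy limits for this check (hypothetical; tune per deployment).
MAX_ACCESS_TOKEN_LIFETIME = 3600     # seconds
MAX_REFRESH_TOKEN_LIFETIME = 86400   # seconds


def issues_access_token_from_authz_endpoint(response_type):
    """True for response types that return an access token in the authorization
    response: the implicit grant ("token") and hybrid variants such as
    "code token". RFC 9700 (OAuth 2.0 Security BCP) recommends against them.
    A bare "id_token" returns no access token and is not flagged here."""
    return "token" in response_type.split()


def check_oauth2_provider(cfg):
    """Return a list of 'field: problem' findings; an empty list means the config passes."""
    findings = []
    # AM stores codeVerifierEnforced as a string, not a JSON boolean.
    if cfg.get("codeVerifierEnforced") != "true":
        findings.append('codeVerifierEnforced: must be "true" so every client is held to PKCE')
    access = cfg.get("accessTokenLifetime", 0)
    if access > MAX_ACCESS_TOKEN_LIFETIME:
        findings.append(f"accessTokenLifetime: {access}s exceeds the {MAX_ACCESS_TOKEN_LIFETIME}s limit")
    refresh = cfg.get("refreshTokenLifetime", 0)
    if refresh > MAX_REFRESH_TOKEN_LIFETIME:
        findings.append(f"refreshTokenLifetime: {refresh}s exceeds the {MAX_REFRESH_TOKEN_LIFETIME}s limit")
    for rt in cfg.get("supportedResponseTypes", []):
        if issues_access_token_from_authz_endpoint(rt):
            findings.append(f"supportedResponseTypes: '{rt}' issues access tokens from the "
                            "authorization endpoint (implicit grant); keep only code-based flows")
    if "openid" not in cfg.get("supportedScopes", []):
        findings.append("supportedScopes: 'openid' missing, so OIDC clients cannot authenticate")
    return findings


def check_oauth2_file(text):
    """Parse a provider config and run the policy checks; invalid JSON is itself a finding."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"file: invalid JSON ({exc})"]
    return check_oauth2_provider(cfg)


if __name__ == "__main__":
    # Usage: python check_oauth2.py config/am/services/oauth2.json
    # Without an argument the constructed sample above is checked.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else OAUTH2_PROVIDER_JSON
    problems = check_oauth2_file(source)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Run against the sample above, the check passes PKCE and the lifetimes but reports the `token` response type; a non-zero exit status lets the same script gate a pre-commit hook or the PR workflow.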
Use Kustomize overlays to manage differences between environments without duplicating config:
```yaml
# environments/prod/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../config
patches:
  - patch: |-
      - op: replace
        path: /spec/replicas
        value: 3
    target:
      kind: StatefulSet
      name: am
```

Sealed Secrets encrypts Kubernetes secrets with the cluster's public key — safe to store in Git:
```bash
# Encrypt a secret
kubectl -n forgerock create secret generic forgerock-am-secrets \
  --from-literal=AM_PASSWORDS_AMADMIN_CLEAR=changeit \
  --dry-run=client -o yaml | \
kubeseal --controller-name=sealed-secrets \
  --controller-namespace=sealed-secrets \
  -o yaml > secrets/am-secrets.yaml
```

Only the cluster holding the private key can decrypt it. Rotation requires re-sealing.
For more secrets strategies: ForgeRock Security Best Practices
The included GitHub Actions workflow (.github/workflows/validate.yml) runs on every PR:
- YAML lint — Validates Kubernetes manifests with kubeval
- JSON schema check — Validates ForgeRock config files
- ArgoCD dry-run — Checks if ArgoCD would accept the Application spec
- Secret scan — Ensures no plaintext credentials are committed
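The secret scan is the check that keeps the Sealed Secrets workflow honest: a plain `Secret` with `stringData`, or a `changeit`-style literal next to a password key in a ConfigMap, must never reach the repository, while kubeseal output (`kind: SealedSecret` with `encryptedData`) is exactly what should be committed. The following is an added example, not the template's own `validate.yml` or `validate-configs.sh`: a line-based scanner that applies those two rules to manifest text. The sample manifests are constructed for the example, the ciphertext in them is made up, and the key-name pattern (keys ending in `password`, `passwd` or `_CLEAR`) is an assumption that matches the ForgeOps variable naming used elsewhere in this README.

```python
import re
import sys

# Constructed sample manifests (not files from the repo); the ciphertext is made up.
SEALED_SECRET_OK = """\
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: forgerock-am-secrets
  namespace: forgerock
spec:
  encryptedData:
    AM_PASSWORDS_AMADMIN_CLEAR: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq
"""

PLAIN_SECRET_BAD = """\
apiVersion: v1
kind: Secret
metadata:
  name: forgerock-am-secrets
  namespace: forgerock
stringData:
  AM_PASSWORDS_AMADMIN_CLEAR: changeit
"""

CONFIGMAP_BAD = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: idm-settings
data:
  openidm.repo.password: changeit
  openidm.repo.host: ds.forgerock.svc
"""

KIND_RE = re.compile(r"^kind:\s*(\S+)", re.M)
NAME_RE = re.compile(r"^\s+name:\s*(\S+)", re.M)
# `key: value` (YAML) or `KEY=value` (env/shell) lines whose key names a password.
CRED_RE = re.compile(
    r"^\s*(?:export\s+)?(?P<key>[\w.\-]*(?:password|passwd|_clear))\s*[:=]\s*(?P<value>.+?)\s*$",
    re.I | re.M,
)
# Template references rather than real values are allowed to stay in Git.
PLACEHOLDER_RE = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|\"\"|'')$")


def split_documents(text):
    """Split a multi-document YAML string on '---' separators."""
    return [d for d in re.split(r"^---\s*$", text, flags=re.M) if d.strip()]


def scan_manifest(text, path="<constructed>"):
    """Return a list of findings for plaintext credentials in one manifest file."""
    findings = []
    for doc in split_documents(text):
        kind_match = KIND_RE.search(doc)
        kind = kind_match.group(1) if kind_match else ""
        if kind == "SealedSecret":
            continue  # encryptedData holds ciphertext only; nothing to flag
        name_match = NAME_RE.search(doc)
        name = name_match.group(1) if name_match else "<unnamed>"
        # Rule 1: an unsealed Secret object that actually carries values.
        if kind == "Secret" and re.search(r"^(data|stringData):", doc, re.M):
            findings.append(f"{path}: Secret/{name} carries plaintext data; seal it with kubeseal")
        # Rule 2: a password-named key with a literal (non-placeholder) value.
        for m in CRED_RE.finditer(doc):
            if PLACEHOLDER_RE.match(m.group("value")):
                continue
            value = m.group("value").strip("\"'")
            findings.append(f"{path}: {m.group('key')} has a literal value ('{value}')")
    return findings


if __name__ == "__main__":
    # Usage: python scan_secrets.py secrets/*.yaml config/**/*.yaml
    total = []
    for manifest_path in sys.argv[1:]:
        with open(manifest_path) as fh:
            total += scan_manifest(fh.read(), manifest_path)
    for finding in total:
        print(finding)
    sys.exit(1 if total else 0)
```

The scanner deliberately skips the whole `SealedSecret` document rather than trying to tell ciphertext from plaintext by shape: the ForgeOps key names (`AM_PASSWORDS_AMADMIN_CLEAR`) survive sealing unchanged, so a key-name rule alone would flag every correctly sealed file.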
In case of a bad deployment:
```bash
# Roll back to a specific Git revision
./scripts/rollback.sh forgerock-am <git-sha>

# Or use ArgoCD CLI directly
argocd app rollback forgerock-am --revision <git-sha>
```

ArgoCD keeps deployment history; rollback triggers a new sync to the specified revision.
- GitOps for ForgeRock: Managing Identity Configuration with ArgoCD
- Automating IAM Policy Deployments with GitOps
- Deploying ForgeRock ForgeOps on Red Hat OpenShift
- ForgeRock Backup and Restore Automation
- IAM Tools Comparison: Complete Guide
PRs welcome! See CONTRIBUTING.md for guidelines.
MIT License — free to use in production environments.