For years now, the ForgeRock DevOps team has been building and maintaining what are called the Cloud Developer’s Kit (CDK) and the Cloud Deployment Model (CDM). They deploy the ForgeRock Identity Platform on Kubernetes with DevOps tools such as Kustomize.io and Skaffold, and they work on any cloud provider that offers Kubernetes. Anthos is a Google tool for centrally managing your Kubernetes clusters wherever they are hosted (Google Cloud, Amazon cloud, Azure cloud and even on premises). This note is my idiot’s guide to deploying the ForgeRock Identity Platform on Google Cloud Platform and Anthos with the Cloud Developer’s Kit.
To make it easy to deploy the ForgeRock Identity Platform in a Kubernetes (K8s) cluster using DevOps tools, ForgeRock maintains two toolboxes: one for developers and one for cloud architects.
ForgeRock introduces the CDK with these words:
The CDK is a minimal sample deployment of the ForgeRock Identity Platform on Kubernetes that you can use for demonstration and development purposes. It includes fully integrated AM, IDM, and DS installations, and randomly generated secrets.
The CDK is step-by-step documentation plus a set of scripts and tooling, based on Kustomize.io and Skaffold, that deploy a fully functional ForgeRock Platform on a K8s cluster for integrators and developers. These scripts are available in the public GitHub project forgeops.
The resulting architecture once you have deployed the CDK is deliberately simple, but it is enough to work with as a developer or integrator. The architecture is available here.
To know more, please read ForgeRock’s CDK documentation.
ForgeRock’s description of the CDM is:
Deploy the CDM on GKE, Amazon EKS, or AKS to quickly spin up the platform for demonstration purposes. […] When you’re done, you won’t have a production-quality deployment. But you will have a robust, reference implementation of the ForgeRock Identity Platform.
The CDM includes all the step-by-step documentation, scripts and tools needed to deploy the ForgeRock Platform in a production-quality architecture. These scripts are available in the public GitHub project forgeops.
The CDM includes architecture models for three T-shirt sizes: 1M users, 10M users or 100M users.
To know more, please read ForgeRock’s CDM documentation.
There is plenty of information on the web about Google Cloud Platform (GCP), so I won’t try to explain what it is. I’ll just suggest you learn what it is and how it works, because we will use GCP to host our K8s cluster. The Google K8s Engine documentation is available here: Kubernetes – Google Kubernetes Engine (GKE) | Google Cloud
In 2019, Google launched Anthos, a multi-cloud hybrid management tool. From this platform you can manage any K8s cluster wherever it is hosted (GKE, EKS, AKS, on-premises cluster…). I encourage you to read Google’s online documentation; I won’t explain it here. In this note, we will just use Anthos to register and manage the K8s cluster that will host the ForgeRock Platform.
To create a cluster on GCP for your CDK, follow these steps:
- Log in to your GCP cloud console: https://console.cloud.google.com/,
- In the top left dropdown menu select “Kubernetes Engine”, then click on “Create” to create your new cluster,
- Click on “Configure” next to “GKE Standard” and name the cluster,
K8s cluster creation — Basics menu
- Then in the left menu, click on “Default-pool”, set the “Number of nodes” to 6, tick “Enable cluster autoscaler”, set the “Maximum number of nodes” to 6 (use the default values for all other parameters) and click on “Create”,
K8s cluster creation — Node Pool details menu (note: on this figure I use only 3 nodes)
- Your K8s cluster is now created on GCP and ready for the CDK deployment.
K8s cluster creation — Cluster list menu
Note: in this part I simply follow the step-by-step documentation of the CDK available here. I write it up here mostly as an “idiot’s guide” for myself :)
Before using the CDK to deploy the platform, you should create an ingress controller to route requests from the public IP address of the cluster to the proper components of the platform. It can be done with a script provided by ForgeRock in the forgeops git repo. To deploy the ingress controller using the forgeops scripts, follow these steps:
- Update your kubeconfig file with the appropriate credentials and endpoint information so that kubectl points at your Google K8s cluster:
gcloud container clusters get-credentials cluster-demo-anthos --zone us-central1-c --project anthos-fr,
- Create a namespace with
kubectl create namespace anthos-fr and make it the current namespace,
- Get the forgeops repository
git clone https://github.com/ForgeRock/forgeops.git,
- Move to the forgeops directory with
cd forgeops and check out the latest version with
git checkout master,
- Move to the bin directory with
cd bin and run the ingress controller deployment script,
- Check that the ingress controller is properly deployed with
kubectl --namespace nginx get services -o wide -w ingress-nginx-controller and note the external IP address (highlighted in green in the following figure). With -w the command keeps watching the service, so wait until the EXTERNAL-IP column no longer shows <pending>, which is what you see while GCP is still allocating the load balancer address.
Ingress controller external IP address
- Update your hosts file with this command:
echo "<external-ip> cdk.example.com" | sudo tee -a <path-to-hosts-file>. Don’t forget to replace
<external-ip> with the value of the external IP address of your ingress controller (noted in the previous step) and
<path-to-hosts-file> with the full path to your hosts file. cdk.example.com is the FQDN that the install command in the next section uses, so the two must match.
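The two manual steps above (reading the EXTERNAL-IP off the kubectl output and appending a hosts line) are the ones people get wrong on a second run: the ingress controller gets a new address and the old hosts line is still there, or the address is copied while it still reads <pending>. The script below is an added example, not code from the ForgeRock documentation or the forgeops repository. It parses the service listing, refuses a pending or non-IPv4 address, and rewrites the hosts file so there is exactly one mapping for the FQDN. It assumes the service name ingress-nginx-controller in namespace nginx and the FQDN cdk.example.com from this page; the kubectl output embedded in it is a constructed sample, and the hosts file path is whatever you pass in (use sudo and /etc/hosts for a real update).

```shell
#!/bin/sh
# Added example (not from the ForgeRock docs or the forgeops repo): extract the
# ingress controller's external IP from `kubectl get services` output and write
# an idempotent hosts-file entry for the CDK FQDN.
# Assumptions: service ingress-nginx-controller in namespace nginx, FQDN
# cdk.example.com, IPv4 address, hosts file writable by the caller.

# Constructed sample of `kubectl --namespace nginx get services -o wide`.
SAMPLE_SVC_OUTPUT='NAME                                 TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
ingress-nginx-controller             LoadBalancer   10.8.5.12    34.120.0.10   80:31234/TCP,443:31456/TCP   3m    app.kubernetes.io/name=ingress-nginx
ingress-nginx-controller-admission   ClusterIP      10.8.7.200   <none>        443/TCP                      3m    app.kubernetes.io/name=ingress-nginx'

# external_ip_from_output <service>: print the EXTERNAL-IP column of <service>
# from kubectl output read on stdin. Fails if the service is absent or the
# load balancer address has not been allocated yet (<pending>).
external_ip_from_output() {
  awk -v svc="$1" '
    NR==1 { for (i=1;i<=NF;i++) if ($i=="EXTERNAL-IP") col=i; next }
    $1==svc { ip=$col }
    END {
      if (ip=="" || ip=="<pending>" || ip=="<none>") exit 1
      print ip
    }'
}

# Live variant of the parser against the real cluster (needs kubectl access).
ingress_external_ip() {
  kubectl --namespace nginx get services -o wide | external_ip_from_output ingress-nginx-controller
}

# is_ipv4 <addr>: four dot-separated decimal groups, each 0-255.
is_ipv4() {
  echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# add_hosts_entry <hosts-file> <ip> <fqdn>: map fqdn to ip, dropping any earlier
# mapping for that name so a re-run after the ingress controller was recreated
# (new external IP) does not leave a stale line behind.
add_hosts_entry() {
  hosts_file=$1; ip=$2; fqdn=$3
  is_ipv4 "$ip" || { echo "refusing to write non-IPv4 address '$ip'" >&2; return 1; }
  tmp=$(mktemp) || return 1
  if [ -f "$hosts_file" ]; then
    awk -v name="$fqdn" '{ keep=1; for (i=2;i<=NF;i++) if ($i==name) keep=0; if (keep) print }' "$hosts_file" > "$tmp"
  fi
  printf '%s %s\n' "$ip" "$fqdn" >> "$tmp"
  # cat-redirect instead of mv keeps the ownership and mode of /etc/hosts.
  cat "$tmp" > "$hosts_file" && rm -f "$tmp"
}

# resolves_to <hosts-file> <ip> <fqdn>: succeed if the file maps fqdn to ip.
resolves_to() {
  awk -v ip="$2" -v name="$3" '$1==ip { for (i=2;i<=NF;i++) if ($i==name) found=1 } END { exit found?0:1 }' "$1"
}

# demo_hosts_update <hosts-file>: run the whole flow on the constructed sample.
# For a real cluster replace the printf with: ingress_external_ip
demo_hosts_update() {
  target=$1
  addr=$(printf '%s\n' "$SAMPLE_SVC_OUTPUT" | external_ip_from_output ingress-nginx-controller) || return 1
  add_hosts_entry "$target" "$addr" cdk.example.com
}
# Uncomment for a real update (run as root): demo_hosts_update /etc/hosts
```

The parser keys on the EXTERNAL-IP header rather than a fixed column number, because the column layout of kubectl differs between plain and -o wide output; the hosts writer is safe to run as many times as the ingress controller is redeployed.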
Now your cluster is ready for the ForgeRock CDK; just follow these steps:
- In the forgeops/bin directory, execute this command to deploy the CDK:
./forgeops install --cdk --fqdn cdk.example.com. When the command finishes, the ForgeRock platform is deployed! The administrator accounts and passwords are displayed in the shell.
Terminal after cdk deployment
The platform is operational, but to finish the setup and access it from Chrome you must trust the self-signed certificates. To do so, we use the mkcert tool (it creates a local CA, installs it in your machine’s trust store and issues certificates signed by that CA, so only your own machine trusts them). Follow these steps:
- Generate your certificates with this command:
- Remove the cert-manager annotation from the forgerock Ingress (the trailing - in kubectl annotate deletes the annotation, so cert-manager stops managing this certificate):
kubectl annotate ingress forgerock cert-manager.io/cluster-issuer-,
- Delete the default sslcert certificate and secret with these commands:
kubectl delete certificate sslcert and
kubectl delete secrets sslcert,
- Create the new sslcert secret for the Ingress from the certificate and key generated with mkcert:
kubectl create secret tls sslcert --cert=_wildcard.example.com.pem --key=_wildcard.example.com-key.pem --dry-run=client -o yaml | kubectl apply -f -. Now your ForgeRock platform is fully operational and you can access it at https://cdk.example.com/platform with the amadmin account (the password was displayed in the console when you deployed the CDK in the previous step).
ForgeRock Platform UI
Finally, integrate your GCP K8s cluster into the Anthos admin console.
- From your GCP console click on “Anthos” in the left menu,
- On Anthos page click on “Clusters” in the left menu, and click on “Register Existing Cluster”,
- On the “Add clusters to fleet” page, you should see your GCP K8s cluster. Click the “Register” button next to it and wait for Anthos to register it.
- Then click on “Clusters” in the left menu again and you’ll see your K8s cluster registered in Anthos.
Anthos — List of registered clusters
In this note, we’ve created a GCP K8s cluster and then registered it in Anthos. That is nice, but to start to see the value of Anthos, let’s create our GCP cluster from the Anthos interface.
- Go to Anthos admin console https://console.cloud.google.com/anthos,
- Click on “Clusters” in the left menu and click on “Create Cluster”. A pop-up is displayed that lets you create your GCP K8s cluster directly from this interface (the same as what we did in the GCP K8s Engine interface).
Create your K8s cluster from Anthos console
- Then refresh the Clusters menu. The page displays a message saying that there is “1 unregistered cluster in this project”. Next to this message click on “Register”. Then on the next page, click again on the “Register” button,
- Wait until the cluster is registered and refresh the Clusters menu. Your new K8s cluster now appears in the list.
Anthos list of registered K8s clusters
But the real power of Anthos is that you can create and register your K8s clusters whatever underlying technology you use (GKE, EKS, AKS, on-premises, VMs, etc.). The next screenshot shows the different options you have to create your K8s cluster on another cloud provider.
Create K8s clusters on other cloud providers
The figure below shows other options, such as deploying on VMware or bare metal.
Create K8s clusters on VMs or bare metal
With this article we’ve seen how easy it is to deploy the ForgeRock Identity Platform in a K8s cluster with DevOps techniques, and we’ve also just scratched the surface of what Google Anthos can bring to large and heterogeneous K8s architectures with different underlying technologies.