A simple guide to ForgeRock on GCP and Anthos

Architecture
, ,
#1

A simple guide to ForgeRock on GCP and Anthos

For years now, ForgeRock DevOps team is working and maintaining what are called the Cloud Developer’s Kit and the Cloud Deployment Model. It can be used to deploy the ForgeRock platform in Kubernetes using devops tools like Kustomize.io and Skaffold. It can be used on any cloud provider as long as they support Kubernetes. Anthos is a Google tool you can use to centrally manage your Kubernetes clusters wherever they are hosted (Google cloud, Amazon cloud, Azure Cloud and even On premise). This note, is my idiot’s guide to deploy ForgeRock Identity Platform on Google Cloud Platform and Anthos with the Cloud Developer’s Kit.

Introduction to ForgeRock Cloud Developer’s Kit and Cloud Deployment Model

To make it easy to deploy the ForgeRock Identity Platform in a Kubernetes (K8s) cluster using devops tools, ForgeRock maintains two toolboxes, one for the developers and the other for cloud architects.

ForgeRock Cloud Developer’s Kit (CDK)

ForgeRock introduces the CDK with theses words:

The CDK is a minimal sample deployment of the ForgeRock Identity Platform on Kubernetes that you can use for demonstration and development purposes. It includes fully integrated AM, IDM, and DS installations, and randomly generated secrets.

The CDK is a documentation (step by step), a set of scripts and tooling using Kustoimize.io and Skaffold to deploy a fully functional ForgeRock Platform for integrators/developers on a K8s cluster. These scripts are available in a public Github project forgeops.

The final architecture once you deployed the CDK is really simple but functional to work as a developer/integrator. The architecture is available here.

To know more, please read ForgeRock’s CDK documentation.

ForgeRock Cloud Deployment Model (CDM)

ForgeRock’s description of the CDM is:

Deploy the CDM on GKE, Amazon EKS, or AKS to quickly spin up the platform for demonstration purposes. […] When you’re done, you won’t have a production-quality deployment. But you will have a robust, reference implementation of the ForgeRock Identity Platform.

The CDM includes all the documentation (step by step), scripts and tools to deploy the ForgeRock Platform in a Production-quality architecture. These scripts are available in a public Github project forgerops.

The CDM includes architecture models for 3 T-shirt sizes: 1M users, 10M users or 100M users.

To know more, please read ForgeRock’s CDM documentation.

A few words concerning Google Cloud Platform and Anthos

There are plenty of information on the web about Google Cloud Platform (GCP), so I won’t try to explain what it is. I’ll just suggest you to know what it is and how it works because we will use GCP to host our K8s cluster. Google K8s Engine documentation is available here: Google Kubernetes Engine (GKE)  |  Google Cloud

In 2019, Google launched Anthos, a multi-cloud hybrid management tool. From this platform you can manage any K8s cluster wherever it is hosted (GKS, EKS,AKS, on prem cluster…). I encourage you read Google online documentation, I won’t explain it here. In this note, we will just use Anthos to reference and manage our K8s cluster that will host the ForgeRock Platform.

Deploy ForgeRock CDK on GCP and Anthos

Create a GCP K8s cluster for ForgeRock CDK

To create a cluster on GCP for your CDK, follow theses steps:

  • Login to you GCP cloud console : https://console.cloud.google.com/,
  • In the top left dropdown menu select “Kubernetes Engine”. then click on “Create” to create your new cluster,
  • Click on “Configure” next to “GKE Standard” and name it cluster-demo-anthos,

1_Z2jYTUd9GjvW7R6mdlH65g
1_Z2jYTUd9GjvW7R6mdlH65g1400×1615 244 KB

K8s cluster creation — Basics menu

  • Then on the left menu, slick on “Default-pool”, set the “Number of nodes” to 6, “Unable cluster autoscaler”, set the “Maximum number of nodes” to 6 (use default values for all other parameters) and click on “Create”,

1_ONxBBcZfeO7-7oiTuTNyAw
1_ONxBBcZfeO7-7oiTuTNyAw1400×1615 236 KB

K8s cluster creation — Node Pool details menu (note: on this figure I use only 3 nodes)

  • Now, your K8s cluster is created on GCP and ready for CDK deployment.

1_LN5v54u8wPFQdfkP2gk_4g
1_LN5v54u8wPFQdfkP2gk_4g1400×950 135 KB

K8s cluster creation — Cluster list menu

Deploy ForgeRock on GCP

Note: In this part I’ll simply follow the step by step documentation of the CDK available here. I write it here mostly as an “ idiot’s guide” for me :)

Before using the CDK to deploy the platform you should create an ingress controller to route the requests from the public IP address of the cluster to the proper components of the platform. It can be done with a script provided by ForgeRock in forgeops git repo. To deploy the ingress controller using forgeops scripts follow theses steps:

  • Update your kubeconfig file with appropriate credentials and endpoint information to point kubectl at your Google K8s cluster gcloud container clusters get-credentials cluster-demo-anthos --zone us-central1-c --project anthos-fr,
  • Create a namespace kubectl create namespace anthos-fr and move into it kubens anthos-fr,
  • Get the forgeops repository git clone https://github.com/ForgeRock/forgeops.git ,
  • Move to forgeops directory cd forgeops and check out the last version git checkout master,
  • Move to bin directory cd bin and run the script ./ingress-controller-deploy.sh -g,
  • Check that the Ingress controller is properly deployed kubectl --namespace nginx get services -o wide -w ingress-nginx-controllerand note the external IP address (greened in the following figure).

1_715NdFg-P_0KTeKZ0mc5LQ
1_715NdFg-P_0KTeKZ0mc5LQ1400×115 84.3 KB

Ingress controller external IP address

  • Update your host file with this command echo "<external-ip>" | sudo tee -a <path-to-hosts-file>. Don’t forget to replace <external-ip> by the value of the external IP address of your Ingress controller (noted from the previous step) and <path-to-hosts-file> by the full path to your hosts file.

Now your Cluster is ready to deploy the ForgeRock CDK, just follow these steps:

  • In forgeops/bin directory execute this command to deploy the ./forgeops install --cdk --fqdn cdk.example.com. When the command is finished, Forgerock platform is deployed! Administrators accounts and password are displayed in the shell.

1_wWVGnDfny2QRdBTcWpHILA
1_wWVGnDfny2QRdBTcWpHILA976×570 114 KB

Terminal after cdk deployment

The platform is operational but to finalise it and being able to access it from Chrome you must trust the self-signed certificates. To do so, we use mkcert tool. Follow theses steps to do it:

  • Generate your certificates with this commande: mkcert "*.example.com",
  • Create a K8s Ingress annotation kubectl annotate ingress forgerock cert-manager.io/cluster-issuer-,
  • Delete the default sslcert secrets with these commands: kubectl delete certificate sslcert and kubectl delete secrets sslcert,
  • Import the create new secrets in Ingress with the certificates created with mkcert kubectl create secret tls sslcert --cert=_wildcard.example.com.pem --key=_wildcard.example.com-key.pem | kubectl replace -f -. Now your ForgeRock platform is fully operational and you can access it from this URL https://cdk.example.com/platform with amadmin account (the account is displayed in the console when you deployed the CDK in the previous step).

1_O9PPy66Nd_1mzLJNVBswvw
1_O9PPy66Nd_1mzLJNVBswvw1017×1038 102 KB

ForgeRock Platform UI

Register your Cluster in Anthos

Finally integrate your GCP K8s cluster into Anthos admin console.

  • From your GCP console click on “Anthos” in the left menu,
  • On Anthos page click on “Clusters” in the left menu, and click on “Register Existing Cluster”,
  • On the “Add clusters to fleet” page, you should see your GCP K8s cluster. Click on the “Register” button next to your K8s Cluster and wait for Anthos to register it.
  • Then click again on “Clusters” in the left menu and you’ll see your K8s cluster registered in Anthos.

1_0s_eMrdNqnQ3-F-qqoqsvg
1_0s_eMrdNqnQ3-F-qqoqsvg1216×796 148 KB

Anthos — List of registered clusters

What’s next with Anthos?

Create your GCP K8s Cluster from Anthos admin console

In this note, we’ve created a GCP K8s cluster and then registered it in Anthos. This is cool but to start to understand the interest of Anthos, let’s create our GCP Cluster from Anthos interface.

  • Go to Anthos admin console https://console.cloud.google.com/anthos,
  • Click on “Clusters” left menu and click on “Create Cluster”. A pop-up is displayed allowing you to directly create your GCP K8s cluster from this interface (the same as what we did in GCP K8s engine interface).

1_9fVCshefWtGiYEsP0_OBDQ
1_9fVCshefWtGiYEsP0_OBDQ1042×947 177 KB

Create your K8s cluster from Anthos console

  • Then refresh the Clusters menu. The page is displaying a message saying that there is “ 1 unregistered cluster in this project”. Next to this message click on “Register”. Then one the next page, click again on “Register” button,
  • Wait until the cluster is registered and refresh the clusters menu. Now you can see your new K8s cluster appearing in the list.

1_Wg4nkqsCFHZr_QWLhlRdwA
1_Wg4nkqsCFHZr_QWLhlRdwA1042×947 159 KB

Anthos list of registered K8s clusters

Create any K8s Cluster from Anthos admin console

But the real power of Anthos is the fact that you can create and register your K8s cluster whatever underlying technology you use (GKE, EKS, AKS, OnPrem, VM, etc…). The next screenshot shows you the different options you have to create your K8s Cluster from another cloud provider.

1_nmPWollIlDaX-0gaJ1-eng
1_nmPWollIlDaX-0gaJ1-eng1042×947 169 KB

Create K8s clusters on other clouds providers

The figure below shows other options like deploying on VMWare or Bare metal.

1_xVlKNBfo5QQgxSVCjGWqzA
1_xVlKNBfo5QQgxSVCjGWqzA1042×947 173 KB

Create K8s clusters on VM or bare metal

Conclusion

With this article we’ve seen how easy it is to deploy the ForgeRock Identity Platform in a K8s cluster with devops technics and we also just scratched the surface of what can Google Anthos bring to large and heterogeneous K8s architectures with different underlying technologies.

2 Likes
#2

Thank you. I prefer to customize the CDM, for lots of reasons. But you overview of the value of anthos is appreciated.

1 Like