Releases: ForgeRock/forgeops
2026.2.1
RELEASE=2026.2.1
Release Notes
New Features/Updated functionality
SBOMs for images
We now produce Software Bill of Materials (SBOM) for our images. You can find
them at http://releases.forgeops.com/sbom . See
<./how-tos/retrieve-SBOMs-based-on-original-image-URL.md> for more details on
using them.
Bugfixes
Fixed VolumeSnapshot cleanup
When using the provided VolumeSnapshot capability, the purgeDelay setting was
not being honored. The logic to determine that was changed to use the more
reliable seconds since epoch.
Added volume for Tomcat temp dir
When readOnlyRootFilesystem is enabled for AM, it can throw errors when it
needs to create something in /usr/local/tomcat. The tomcat dir has been moved
to the writable volume.
How-tos
recreating-ds-sts
This how-to describes how to recreate a DS sts without downtime when you need
to make a significant change to an STS. <./how-tos/recreateing-ds-sts.md>
Full Changelog: 2026.2.0...2026.2.1
ping-gateway-2026.2.1
A Helm chart for Kubernetes
identity-platform-2026.2.1
A Helm chart for Kubernetes
2026.2.0
RELEASE=2026.2.0
Release Notes
New Features/Updated functionality
Added initContainers to enable readOnlyRootFilesystem (Helm only)
The init containers have been reworked to allow users to enable the
readOnlyRootFilesystem securityContext. This has no impact on the Deployments,
but requires that the StatefulSets (DSes) be recreated.
Added --secure/--insecure flags to env (Helm only)
With the addition of support for security features like readOnlyRootFilesystem,
you are now able to toggle all security features with these new flags. By
default, new envs will be created with --secure enabled.
To enable the secure features on an existing env run the following command,
then follow the instructions in <./how-tos/recreating-ds-sts.md> to apply the
change.
forgeops env -e my-env --secure
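One way to confirm the change took effect once the pods have been redeployed, as an added example that is not part of ForgeOps: audit `kubectl get pods -o json` output for containers that do not set readOnlyRootFilesystem, and list the mounts that remain writable on those that do. The function name and the sample pod data (pod, container and mount names) are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `kubectl get pods -o json` output;
# pod, container, volume names and mount paths are illustrative only.
SAMPLE = {"items": [
    {"metadata": {"name": "am-0"}, "spec": {
        "initContainers": [{"name": "init",
                            "securityContext": {"readOnlyRootFilesystem": True}}],
        "containers": [{"name": "am",
                        "securityContext": {"readOnlyRootFilesystem": True},
                        "volumeMounts": [
                            {"name": "work", "mountPath": "/work"},
                            {"name": "cfg", "mountPath": "/cfg", "readOnly": True}]}]}},
    {"metadata": {"name": "idm-0"},
     "spec": {"containers": [{"name": "idm", "securityContext": {}}]}},
]}


def audit_readonly_rootfs(pod_list):
    """Return (missing, writable): containers without a read-only root
    filesystem, and the writable mounts of the containers that have one."""
    missing, writable = [], {}
    for pod in pod_list.get("items", []):
        pod_name = pod["metadata"]["name"]
        spec = pod.get("spec", {})
        # readOnlyRootFilesystem is a per-container setting, so init
        # containers must be checked as well as the main containers.
        for kind in ("initContainers", "containers"):
            for c in spec.get(kind) or []:
                ref = f"{pod_name}/{c['name']}"
                sc = c.get("securityContext") or {}
                if sc.get("readOnlyRootFilesystem") is not True:
                    missing.append(ref)
                    continue
                writable[ref] = [m["mountPath"] for m in c.get("volumeMounts") or []
                                 if not m.get("readOnly", False)]
    return missing, writable


if __name__ == "__main__":
    # Usage: kubectl get pods -n <namespace> -o json | python3 audit.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    missing, writable = audit_readonly_rootfs(data)
    print("not read-only:", missing)
    print("read-only, with writable mounts:", writable)
    sys.exit(1 if missing else 0)
```

The non-zero exit status when any container is missing the setting makes the check usable as a CI or post-deploy gate.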
No longer supporting 7.4 Ping Identity Platform images
ForgeOps supports the last three major/minor versions of the Ping Identity Platform images.
With the availability of 8.1 images, ForgeOps supports 8.1, 8.0, and 7.5 versions of the
platform images, and 7.4 images are no longer supported. We recommend that customers upgrade
to a newer version of the platform images. Refer to the upgrade guide. The older tags remain
available on http://releases.forgeops.com until the next major/minor release.
New amster and ds-set-passwords ttl options for forgeops env command (New envs only)
New options added to the forgeops env command to allow the user to set the length
of the ttlSecondsAfterFinished value in the amster and ds-set-passwords jobs.
Default is set to 7200 seconds.
PodDisruptionBudget support for all product Helm chart components
PodDisruptionBudgets can now be enabled for all product components in the identity-platform and ping-gateway Helm charts. The feature is disabled by default; enable it per component by setting <component>.pdb.enabled: true in your values file. The default policy keeps at least one pod available (minAvailable: 1); this can be changed via <component>.pdb.minAvailable or <component>.pdb.maxUnavailable.
Affected components: am, idm, admin-ui, end-user-ui, login-ui, ds-idrepo, ds-cts (identity-platform) and ig (ping-gateway).
Ability to define apiVersion, kind, and spec for a secret
You now have the ability to define apiVersion, kind, and spec for secrets
defined in platform.secrets. This allows folks to define secrets using
external-secrets.
Bugfixes
How-tos
recreating-ds-sts
This how-to describes how to recreate a DS sts without downtime when you need
to make a significant change to an STS. <./how-tos/recreateing-ds-sts.md>
Full Changelog: 2026.1.0...2026.2.0
ping-gateway-2026.2.0
A Helm chart for Kubernetes
identity-platform-2026.2.0
A Helm chart for Kubernetes
2026.1.0
RELEASE=2026.1.0
Release Notes
Highlights in this release
Traefik is now the default prereqs ingress controller
The prereqs script now deploys Traefik proxy by default instead of Nginx
Ingress.
Upgrade your environments
The new custom image requires changes to your environments and your default
environment if you are using the FORGEOPS_DATA functionality. Run forgeops env against your environments with the --upgrade flag.
forgeops env -e my_env --upgrade
New image for customizations
The forgeops config command has a new build subcommand to create custom
busybox images for AM and IDM with the FBC config profile. The deployments (Helm
and Kustomize) have been updated to use the FBC on these images if it
exists. If it doesn't exist, then it will use the built-in config in images as
before. Now it is no longer necessary to build the config into images.
- See forgeops config build --help for more info
New Features/Updated functionality
Direct debug-logs output to a file
Added the ability to send the output of bin/debug-logs directly to a file.
New product versions available
The following secure versions are available:
- 8.1.0 now available for all products
- PingIDM 8.0.1
- PingDS 8.0.2
- PingAM 7.5.2 and 8.0.2
- Secret Agent 1.2.10
- PingGateway 2025.11.0 and 2025.11.1
Helm 4 supported
Tested Helm 4 with our charts and everything works.
New --retain option for troubleshooting Amster
You can use the --retain {duration} option with forgeops amster import and
forgeops amster export commands to keep the pod running longer.
Increased TTL
Amster, ds-set-passwords and keystore-create jobs will now remain for two hours
after completion to allow viewing logs. This value can be amended.
Moved upgrade logic into env command
The forgeops upgrade logic has been moved to forgeops env as a flag. You
can now call it like:
forgeops env -e my_env --upgrade
Display a message when requested image version isn't available
The forgeops image command will select the next available version if the user
requests a version that isn't available for a product. Now, it will tell you
that it can't find the requested image to avoid confusion.
Ability to specify external DS hosts in Helm chart
Added the ability to specify external DS host names in your values.yaml.
See platform.external_ds in charts/identity-platform/values.yaml for more
info.
Updated python dependency versions
The python dependencies have been updated in lib/python/requirements.txt.
Use forgeops configure to update your venv.
cd /path/to/forgeops
source .venv/bin/activate
./bin/forgeops configure
Ability to build am-config-upgrader image
Added am-config-upgrader/Dockerfile and the ability to build an
am-config-upgrader image with forgeops build.
Repository clean up
The forgeops repository has been cleaned up by moving several items around.
This is being done to focus the forgeops repository on the essential artifacts
needed to manage ForgeOps deployments.
- Moved examples from etc folder to the samples folder in forgeops-extras
  repository.
- Moved the contents of the cluster folder into the etc folder.
- Removed the scripts in the old bin folder, as their functionality is now
  provided through the forgeops tool.
  - bin/amster -> forgeops amster
  - bin/config -> forgeops config
  - bin/am-config-upgrader -> forgeops upgrade-am-config
Adding ability to skip appending the image to a repo when building
This is a user suggestion to make it easier to use AWS ECR repos. You can now
use --skip-image-append with the image, build, and config build subcommands,
and the software will use what was given as the image repository as the full
image name minus the tag.
Bugfixes
Fixed bug in base-generate.sh
There was a step missing in the logic for base-generate.sh that prevented the
updated files from being placed properly. It now copies the results of helm template into the proper location.
Fixed bugs in amster
Included the --full option in forgeops amster export to enable exporting
all realm entities. The bugs in this option have been fixed.
forgeops amster import {src} wasn't overwriting the configuration baked in to
the image with the provided configuration. This has now been corrected.
forgeops amster export now waits for AM to be up. Previously this function
was only included in the import command.
Fixed forgeops upgrade-am-config
The 8.0.2 am-config-upgrader image changed permission on some files which
caused forgeops upgrade-am-config to break. The forgeops upgrade-am-config
command now connects to the container as root. Because this is an ephemeral
container running outside the cluster, the security impact is reduced.
The keystore-create job now uses the AM image directly
Prior to 2026.1.0, the keystore-create job specified the AM image as an init
container separately. This meant that once you select a new AM image it didn't
update the keystore-create job. The job now uses the AM image as defined in
both Helm and Kustomize.
How-tos
Included new procedures
- Add user supplied certificates to the truststore.
- Change FQDN in a ForgeOps deployment.
- Use an externally deployed PingDS with a ForgeOps deployment.
Full Changelog: 2025.2.1...2026.1.0
identity-platform-2026.1.0
A Helm chart for Kubernetes
ping-gateway-1.0.0
Test ping-gateway helm chart release. DO NOT USE!
2025.2.1
RELEASE=2025.2.1
Release Notes
New Features/Updated functionality
Changing base-generate.sh
The base-generate.sh script creates kustomize/base from the Helm chart. It
has been updated to use --output-dir with helm template to generate
individual template files. This allows us to remove logic from the Helm chart
that's only there for base-generate.sh. Update your
$FORGEOPS_DATA/kustomize/base with these changes.
Adding ability to provide custom secrets
The platform.secrets functionality added in 2025.2.0 has been updated to
allow for fully custom secrets. This enables users to use an alternate secrets
provider like external-secrets, or add extra secrets without having to use
secret-generator. The Helm value platform.secret_generator_enable has been
renamed to platform.secrets_enabled.
Bugfixes
Fixed backwards compatibility of PingAM images built from 2025.2.0
The import-pem-certs.sh script was moved from the PingAM docker image to a configmap.
Because the script isn't available as a configmap in 2025.1.x, new images built from
2025.2.0 and used in 2025.1.2 fail. So the script has been added back to docker/am.
Bitnami images going away
The Bitnami images have been pulled from Docker Hub, and are no longer
available. We have switched to the Alpine kubectl image for the keystore-create
and ds-snapshot jobs.
Fixed no downtime password rotations for legacy installs
In 2025.2.0, we added the ability to do no downtime password rotations for DS
passwords. This requires allow-multiple-password-values to be set to true in
the Default and Root password policies. This was added to
docker/ds/ds-setup.sh, but that is only effective for fresh deployments. For
existing deployments it has no effect. We have added the dsconfig commands
necessary to enable no downtime password rotations to the startup for DS pods.
Removed Features
Documentation updates
How To on custom secrets
Added how-tos/custom-secrets.md that describes how to create custom secrets
with secret-generator. It also describes how to use the same platform.secrets
dictionary to use an alternate Kubernetes secrets provider.
Full Changelog: 2025.2.0...2025.2.1