Releases: ForgeRock/forgeops
2026.1.0
RELEASE=2026.1.0
Release Notes
Highlights in this release
Traefik is now the default prereqs ingress controller
The prereqs script now deploys Traefik proxy by default instead of Nginx
Ingress.
Upgrade your environments
The new custom image requires changes to your environments and your default
environment if you are using the FORGEOPS_DATA functionality. Run forgeops env against your environments with the --upgrade flag.
forgeops env -e my_env --upgrade
New image for customizations
The forgeops config command has a new build subcommand to create custom
busybox images for AM and IDM with the FBC config profile. The deployments (Helm
and Kustomize) have been updated to use the FBC on these images if it
exists. If it doesn't exist, they use the built-in config in the images as
before. It is no longer necessary to build the config into images.
- See forgeops config build --help for more info
New Features/Updated functionality
Direct debug-logs output to a file
Added the ability to send the output of bin/debug-logs directly to a file.
New product versions available
The following secure versions are available:
- 8.1.0 now available for all products
- PingIDM 8.0.1
- PingDS 8.0.2
- PingAM 7.5.2 and 8.0.2
- Secret Agent 1.2.10
- PingGateway 2025.11.0 and 2025.11.1
Helm 4 supported
Tested Helm 4 with our charts and everything works.
New --retain option for troubleshooting Amster
You can use the --retain {duration} option with forgeops amster import and
forgeops amster export commands to keep the pod running longer.
Increased TTL
Amster, ds-set-passwords and keystore-create jobs will now remain for two hours
after completion to allow viewing logs. This value can be amended.
Moved upgrade logic into env command
The forgeops upgrade logic has been moved to forgeops env as a flag. You
can now call it like:
forgeops env -e my_env --upgrade
Display a message when requested image version isn't available
The forgeops image command will select the next available version if the user
requests a version that isn't available for a product. Now, it will tell you
that it can't find the requested image to avoid confusion.
Ability to specify external DS hosts in Helm chart
Added the ability to specify external DS host names in your values.yaml.
See platform.external_ds in charts/identity-platform/values.yaml for more
info.
Updated python dependency versions
The python dependencies have been updated in lib/python/requirements.txt.
Use forgeops configure to update your venv.
cd /path/to/forgeops
source .venv/bin/activate
./bin/forgeops configure
Ability to build am-config-upgrader image
Added am-config-upgrader/Dockerfile and the ability to build an
am-config-upgrader image with forgeops build.
Repository clean up
The forgeops repository has been cleaned up by moving several items around.
This is being done to focus the forgeops repository on the essential artifacts
needed to manage ForgeOps deployments.
- Moved examples from the etc folder to the samples folder in the forgeops-extras
  repository.
- Moved the contents of the cluster folder into the etc folder.
- Removed the scripts in the old bin folder, as their functionality is now
  provided through the forgeops tool.
  - bin/amster -> forgeops amster
  - bin/config -> forgeops config
  - bin/am-config-upgrader -> forgeops upgrade-am-config
Adding ability to skip appending the image to a repo when building
This is a user suggestion to make it easier to use AWS ECR repos. You can now
use --skip-image-append with the image, build, and config build subcommands,
and the software will use what was given as the image repository as the full
image name minus the tag.
Bugfixes
Fixed bug in base-generate.sh
There was a step missing in the logic for base-generate.sh that prevented the
updated files from being placed properly. It now copies the results of helm template into the proper location.
Fixed bugs in amster
Included the --full option in forgeops amster export to enable exporting
all realm entities. The bugs in this option have been fixed.
forgeops amster import {src} wasn't overwriting the configuration baked into
the image with the provided configuration. This has now been corrected.
forgeops amster export now waits for AM to be up. Previously this function
was only included in the import command.
Fixed forgeops upgrade-am-config
The 8.0.2 am-config-upgrader image changed permission on some files which
caused forgeops upgrade-am-config to break. The forgeops upgrade-am-config
command now connects to the container as root. Because this is an ephemeral
container running outside the cluster, the security impact is reduced.
The keystore-create job now uses the AM image directly
Prior to 2026.1.0, the keystore-create job specified the AM image as an init
container separately. This meant that when you selected a new AM image, the
keystore-create job was not updated. The job now uses the AM image as defined in
both Helm and Kustomize.
How-tos
Included new procedures
- Add user supplied certificates to the truststore.
- Change FQDN in a ForgeOps deployment.
- Use an externally deployed PingDS with a ForgeOps deployment.
Full Changelog: 2025.2.1...2026.1.0
identity-platform-2026.1.0
A Helm chart for Kubernetes
2025.2.1
RELEASE=2025.2.1
Release Notes
New Features/Updated functionality
Changing base-generate.sh
The base-generate.sh script creates kustomize/base from the Helm chart. It
has been updated to use --output-dir with helm template to generate
individual template files. This allows us to remove logic from the Helm chart
that's only there for base-generate.sh. Update your
$FORGEOPS_DATA/kustomize/base with these changes.
Adding ability to provide custom secrets
The platform.secrets functionality added in 2025.2.0 has been updated to
allow for fully custom secrets. This enables users to use an alternate secrets
provider like external-secrets, or add extra secrets without having to use
secret-generator. The Helm value platform.secret_generator_enable has been
renamed to platform.secrets_enabled.
Bugfixes
Fixed backwards compatibility of PingAM images built from 2025.2.0
The import-pem-certs.sh script was moved from the PingAM docker image to a configmap.
Because the script isn't available as a configmap in 2025.1.x, new images built from
2025.2.0 and used in 2025.1.2 fail. So the script has been added back to docker/am.
Bitnami images going away
The Bitnami images have been pulled from Docker Hub, and are no longer
available. We have switched to the Alpine kubectl image for the keystore-create
and ds-snapshot jobs.
Fixed no downtime password rotations for legacy installs
In 2025.2.0, we added the ability to do no downtime password rotations for DS
passwords. This requires allow-multiple-password-values to be set to true in
the Default and Root password policies. This was added to
docker/ds/ds-setup.sh, but that is only effective for fresh deployments. For
existing deployments it has no effect. We have added the dsconfig commands
necessary to enable no downtime password rotations to the startup for DS pods.
Removed Features
Documentation updates
How To on custom secrets
Added how-tos/custom-secrets.md that describes how to create custom secrets
with secret-generator. It also describes how to use the same platform.secrets
dictionary to use an alternate Kubernetes secrets provider.
Full Changelog: 2025.2.0...2025.2.1
identity-platform-2025.2.1
A Helm chart for Kubernetes
2025.2.0
RELEASE=2025.2.0
Release Notes
New Features/Updated functionality
New secret-agent release available
secret-agent 1.2.7 has been released to resolve the latest security
vulnerabilities.
New Ping Identity Platform product versions available
PingIDM 7.4.1 and 7.5.2 and PingGateway 2025.6.0 have been released and are available to deploy with forgeops tooling.
Option to provision keystores without secret-agent
When secret-generator and keystore-create Kubernetes job are enabled,
a single keystore is now created for AM and IDM. When the keystore-create
job is enabled, the keystore configurations will be consolidated under the
keystore_create.config helm values settings.
Truststore no longer provisioned by secret-agent
OpenSSL now provides the default root CAs. Users can provide additional
certificates via the Helm chart.
Removed curl from ldif-importer
Curl has been replaced with ldapsearch in the ldif-importer job. Curl often has
security vulnerabilities, and so we decided to remove it.
Replace curl with wget in Amster
Curl has been replaced with wget in the amster job. Curl often has
security vulnerabilities, and so we've changed it to wget which is more secure.
Added ability to use secret-generator
It is now possible to use secret-generator to provision platform secrets
instead of secret-agent. In the future, secret-agent will be deprecated. It is
recommended that new deployments use secret-generator.
New forgeops prereqs command
This replaces charts/scripts/install-prereqs, and the settings move into
forgeops.conf. See forgeops prereqs -h for more information.
Added ability to do no downtime DS password rotations
DS images must be built with ForgeOps 2025.2.0 in order to enable multiple
password values. Rebuild your current images, or use the latest available tag
for DS images.
New forgeops rotate command
This new command assists with no downtime DS password rotations for the
ds-env-secrets and ds-passwords secrets. It will create the old-ds-env-secrets
and old-ds-passwords secrets which are used by the ds-set-passwords job and
the init container to maintain the old passwords during the rotation process.
New forgeops upgrade command
This command will upgrade your Kustomize overlays. It is safe to rerun because
it checks to see if any work needs to be done. It is being added to update the
secrets child overlay with the new structure. It will be used in the future as
we update the default overlay. If you use an alternate default overlay, upgrade
that one first. Test the upgraded overlay to ensure that you don't need to add
back any customizations you made.
New migration script for secret-generator
Since the process to migrate to secret-generator from secret-agent is so
complex, we have created a script that will do the steps for you. It uses the
new rotate command with the new no downtime password rotation logic to
eliminate downtime during the migration.
Bugfixes
Fix forgeops amster import/export command
Reordered the patches in the amster/upload and amster/export sub overlays to correctly manage amster configuration.
Renamed FORGEOPS_ROOT to FORGEOPS_DATA
In order to reduce confusion, the optional FORGEOPS_ROOT env var has been
renamed FORGEOPS_DATA. The forgeops command will offer to fix this in
~/.forgeops.conf if FORGEOPS_ROOT is detected.
Stop AM failing if openam container restarts
Ensure openam container has access to the default boot.json when something causes the
container to restart. This is because the fbc-init init-container doesn't run when the
openam container restarts so the default boot.json isn't set for startup.
Fixed bug in info command
The forgeops info -e my-env command would throw an exception when an image
has a tag that doesn't start with X.Y.Z. This was due to a bug in
lib.python.releases.is_valid_release(). It now properly returns false if a tag
doesn't match that pattern.
Fixed bug in build command
The forgeops build command didn't properly handle a user not providing a tag.
It now will use latest if a tag is not specified.
Removed Features
Documentation updates
Expanded section on alternate release files
Organizations that need to build their own container images can create their
own release files so forgeops image and forgeops info will work with these
custom images.
Added how-to on creating custom environment variables
Created a new document on how to add custom environment variables to the
platform-config ConfigMap, AM, and IDM. You can find it at
how-tos/custom-envs.md.
Full Changelog: 2025.1.2...2025.2.0
identity-platform-2025.2.0
A Helm chart for Kubernetes
2025.1.2
RELEASE=2025.1.2
Release Notes
New Features/Updated functionality
New PingGateway version available
PingGateway 2025.3.0 has been released and is available to deploy with forgeops tooling.
Update PingGateway deployment to use the new default admin endpoint
PingGateway has 2 endpoints now:
- /ig the main entry point to PingGateway
- /admin the API of the PingGateway admin, containing the /ping handler used for live checks for example.
Custom ENV variables in Helm chart
Implemented a customer request to provide a mechanism to define extra ENV
variables for AM and IDM as well as adding custom variables to the
platform-config ConfigMap.
Look in the following sections in charts/identity-platform/values.yaml for
examples. Update the values.yaml for your environments with the desired
configuration. The env arrays should contain maps of Kubernetes ENV
configurations.
platform.configMap.data # Map of custom key:value pairs for platform-config
platform.env # Shared custom ENV vars
am.env # AM custom ENV vars
idm.env # IDM custom ENV vars
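An added example (not taken from the chart or the ForgeOps documentation) of how these four sections could look in an environment's values.yaml. The variable names, values, and the Secret my-am-secret are constructed for illustration; each list entry is a standard Kubernetes env entry, so a value can be a literal or a reference to a Secret key.

```yaml
# Constructed sample values; only the four key paths come from the release notes.
platform:
  configMap:
    data:
      # Extra key:value pairs added to the platform-config ConfigMap
      MY_CUSTOM_SETTING: "example-value"
  env:
    # Shared custom ENV vars
    - name: TZ
      value: "UTC"
am:
  env:
    # AM-only variable whose value is read from a Kubernetes Secret
    # (my-am-secret and its key are hypothetical and must already exist)
    - name: MY_AM_API_TOKEN
      valueFrom:
        secretKeyRef:
          name: my-am-secret
          key: token
idm:
  env:
    # IDM-only variable with a literal value
    - name: MY_IDM_FEATURE_FLAG
      value: "true"
```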
install-prereqs
The install-prereqs script has been refactored with many new features.
- Added a usage statement
- Added trust-manager as a prereq
- Added secret-generator as a prereq
- Can choose between secret-agent and secret-generator
- Added the --upgrade flag for easy upgrading of prereqs
- Added the ability to provide a config file to pin versions
- Can target specific prereqs
install-prereqs cert-manager secrets
Started new secret management method
We have been working on an alternate method of managing secrets that relies on
3rd party tooling instead of secret-agent. While this work has started, it is
not complete. You should not enable it in a production environment.
Prometheus and Grafana added to Helm chart
Added the ability to enable Prometheus and Grafana in the Helm chart.
Increased TTL for keeping amster and ldif-importer jobs
Increased the TTL for keeping the amster and ldif-importer jobs from 300 to 600 seconds.
Improved release detection
When using forgeops image and forgeops info, it can now look forward for a
release if a customer selects X.0.0 and it doesn't exist. This was added due to
AM/Amster 8.0.0 being skipped, making 8.0.1 the first version.
Bugfixes
Fix --amster-retain option
Added the --amster-retain option to bin/forgeops env.
Users can now configure an environment to keep amster running for troubleshooting purposes.
Fix VolumeSnapshots in Kustomize deployments
The forgeops env command has been updated to add a patch to update the
namespace when enabling volume snapshots for DS.
Removed Features
Removed generate command
The deprecated forgeops generate command has been removed.
bin/certmanager-deploy.sh
The old certmanager-deploy.sh script has been removed in favor of charts/scripts/install-prereqs.
bin/secret-agent
The old secret-agent script has been removed in favor of charts/scripts/install-prereqs.
Documentation updates
New how-to explaining how to add a second DNS alias for the root realm in PingAM
New how-to called add-additional-dns-alias-to-root-realm.md which provides steps on how to configure your Helm or Kustomize
deployment to use a second FQDN as an additional DNS alias for PingAM's root realm.
Full Changelog: 2025.1.1...2025.1.2
identity-platform-2025.1.2
A Helm chart for Kubernetes
2025.1.1
RELEASE=2025.1.1
Release Notes
New Features/Updated functionality
Ability to set FORGEOPS_ROOT
Users now have the ability to specify a separate FORGEOPS_ROOT location that contains the docker, helm, and kustomize folders. This allows users to keep their changes in a separate git repo. Users can create a ~/.forgeops.conf with their personal overrides like specifying FORGEOPS_ROOT=/path/to/my/local/checkout. Teams can place a forgeops.conf file in their FORGEOPS_ROOT that contains team-wide settings. It is not recommended to create a /path/to/forgeops_repo/forgeops.conf.
Doing this gives users the ability to clone the forgeops repo and just check out the version tag they need. This should make it easier to keep track of what version of ForgeOps is being used, and to upgrade to a newer version.
Removing forgeops-minikube script
The cluster/minikube/forgeops-minikube script was outdated, and unnecessary.
Please see:
- To deploy on Minikube using Helm: https://docs.pingidentity.com/forgeops/2025.1/deploy/deploy-scenario-helm-local.html
- To deploy on Minikube using Kustomize: https://docs.pingidentity.com/forgeops/2025.1/deploy/deploy-scenario-kustomize-local.html
info command can provide release information
You can now get a list of supported platform releases and their latest flags
with forgeops info --list-releases. You can get details for any release on
releases.forgeops.com with forgeops info --release x.y.z.
env command supports PingGateway (IG)
You can now update IG settings for cpu, memory, replicas, and pull policy in an
environment.
pyyaml updated
The version of pyyaml has been updated. Please run forgeops configure to update your libraries.
Bugfixes
forgeops info --env-name
In the last release, the info command got a new flag to provide details about a
specific environment. It threw an error when images with a timestamp were added
to the product release files. That has been fixed.
DS certificates are now deployed in helm pre-install
Helm pre-install hooks are now used to deploy DS certificates and they will no
longer be deleted when the helm chart is uninstalled.
Updated AM service target port
Updated the AM service in the Helm chart to use https target port.
Prometheus updates
Default ports and labels have been updated to match the new Helm chart.
Documentation updates
Full Changelog: 2025.1.0...2025.1.1
identity-platform-2025.1.1
A Helm chart for Kubernetes