ForgeRock ForgeOps provides a powerful Helm-based deployment model for the Identity Platform. In this advanced deployment guide, we focus on deploying ForgeOps 7.5 to Red Hat OpenShift CRC (CodeReady Containers) using custom-built Docker images, Helm charts, and fine-grained security controls.

This article assumes you’re already familiar with the basics of ForgeOps and OpenShift. If you’re looking for the beginner version of this tutorial, check out:

👉 Deploying ForgeRock ForgeOps on Red Hat OpenShift CRC: A Step-by-Step Guide


🔧 Prerequisites

  • OpenShift CRC installed and running
  • ForgeOps 7.5 Git repository cloned
  • Docker or Podman for image builds
  • Helm CLI installed and logged into OpenShift cluster
  • Access to modify /etc/hosts and manage SCCs in OpenShift

🏗️ Step 1: Build Custom Docker Images

Build your ForgeOps Identity Platform images locally to customize configurations or plug in custom scripts:

# Build AM (all paths are relative to the cloned forgeops repository)
cd forgeops/docker/am-base
docker build -t am-base:7.5.0 .

cd ../am-cdk
docker build --build-arg docker_tag=7.5.0 -t am-cdk:7.5.0 .

# Build DS (we are now in forgeops/docker, so move sideways rather than re-entering forgeops/)
cd ../ds-base
docker build -t ds-base:7.5.0 .

# Build LDIF Importer
cd ../ldif-importer
docker build -t ldif-importer:7.5.0 .

Once built, tag and push these to your OpenShift CRC’s internal registry:

# Feed the token over stdin so it does not end up in shell history or `ps` output
oc whoami -t | docker login -u kubeadmin --password-stdin default-route-openshift-image-registry.apps-crc.testing

docker tag am-cdk:7.5.0 default-route-openshift-image-registry.apps-crc.testing/forgeops/am:7.5.0
docker push default-route-openshift-image-registry.apps-crc.testing/forgeops/am:7.5.0

docker tag ds-base:7.5.0 default-route-openshift-image-registry.apps-crc.testing/forgeops/ds:7.5.0
docker push default-route-openshift-image-registry.apps-crc.testing/forgeops/ds:7.5.0

docker tag ldif-importer:7.5.0 default-route-openshift-image-registry.apps-crc.testing/forgeops/ldif-importer:7.5.0
docker push default-route-openshift-image-registry.apps-crc.testing/forgeops/ldif-importer:7.5.0

🔐 Step 2: Prepare Secrets Before Helm Deployment

❗ Common pitfall: Helm templates expect Secrets like ds-passwords and am-env-secrets to already exist. Missing Secrets cause initContainers or main containers to crash.

You can create the required Secrets manually (or with kubectl apply -f secrets.yaml) before running Helm. The commands below target the forgeops namespace, so it must already exist (Step 3 creates it with oc create namespace forgeops):

# The password values below are placeholders from this guide; use generated values in any real deployment
oc create secret generic ds-passwords \
  --from-literal=dirmanager.pw=ForgeRock123 \
  --from-literal=keystore.pw=changeit \
  -n forgeops

oc create secret generic am-env-secrets \
  --from-literal=AM_PASSWORD=ForgeRock123 \
  -n forgeops
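Because a missing or incomplete Secret only shows up as a crashing container, a pre-flight check before `helm upgrade --install` saves a debugging round-trip. The following script is an added example, not part of the ForgeOps project: it compares the Secrets present in the namespace with the two this guide relies on (and the keys it populates), and for any Secret that is absent it emits a manifest with randomly generated values that can be piped to `oc apply -f -`. It assumes `oc` is on the PATH and already logged in; the REQUIRED map is this guide's list, not a complete inventory of what every chart value may need.

```python
import base64
import json
import secrets
import subprocess

# Secrets this guide's Helm templates expect, with the keys the guide populates.
REQUIRED = {
    "ds-passwords": ("dirmanager.pw", "keystore.pw"),
    "am-env-secrets": ("AM_PASSWORD",),
}


def random_password(nbytes: int = 18) -> str:
    """URL-safe password from the OS CSPRNG; 18 bytes encode to 24 characters."""
    return secrets.token_urlsafe(nbytes)


def secret_manifest(name: str, namespace: str, values: dict) -> dict:
    """Build an Opaque Secret manifest; Kubernetes expects base64 in .data."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in values.items()},
    }


def missing(existing: dict, required: dict = REQUIRED) -> dict:
    """Return {secret: [missing keys]} given {secret: [keys present]} from the cluster.
    A Secret that is absent altogether lists all of its required keys."""
    gaps = {}
    for name, keys in required.items():
        have = set(existing.get(name, []))
        lacking = [k for k in keys if k not in have]
        if lacking:
            gaps[name] = lacking
    return gaps


def existing_secrets(namespace: str) -> dict:
    """Query the cluster (needs an oc login) and map Secret name -> data keys."""
    out = subprocess.run(["oc", "get", "secrets", "-n", namespace, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return {i["metadata"]["name"]: list((i.get("data") or {}).keys())
            for i in json.loads(out)["items"]}


if __name__ == "__main__":
    ns = "forgeops"
    for name, keys in missing(existing_secrets(ns)).items():
        if len(keys) == len(REQUIRED[name]):   # whole Secret absent: emit a manifest
            print(json.dumps(secret_manifest(name, ns, {k: random_password() for k in keys})))
        else:                                  # partial: do not overwrite, report it
            print(f"# Secret {name} exists but lacks keys: {', '.join(keys)}")
```

Run it as `python3 preflight.py | oc apply -f -` before the Helm step; the generated passwords live only in the cluster Secret, so retrieve them with `oc get secret ... -o jsonpath` rather than re-typing them.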

⚙️ Step 3: Configure Security Context (OpenShift Gotcha)

OpenShift enforces Security Context Constraints (SCC), which may block ForgeOps pods from starting.

Grant the anyuid SCC to the namespace’s default service account, or better, to a dedicated service account so the relaxed constraint is scoped to the ForgeOps pods only:

oc create namespace forgeops
oc adm policy add-scc-to-user anyuid -z default -n forgeops

# Optional: Use a separate SA
oc create sa forgeops-sa -n forgeops
oc adm policy add-scc-to-user anyuid -z forgeops-sa -n forgeops

Also, grant the service account read access to Secrets via RBAC (get and list only; no write verbs are needed):

oc create role secret-accessor \
  --verb=get,list \
  --resource=secrets \
  -n forgeops

oc create rolebinding forgeops-binding \
  --role=secret-accessor \
  --serviceaccount=forgeops:forgeops-sa \
  -n forgeops

📦 Step 4: Deploy with Helm

Make sure your values-openshift.yaml overrides match your OpenShift domain and images:

am:
  image:
    repository: default-route-openshift-image-registry.apps-crc.testing/forgeops/am
    tag: "7.5.0"
  serviceAccount:
    name: forgeops-sa

ds:
  image:
    repository: default-route-openshift-image-registry.apps-crc.testing/forgeops/ds
    tag: "7.5.0"
  persistence:
    enabled: false

Deploy:

cd forgeops/charts/identity-platform

helm upgrade --install identity-platform . \
  --namespace forgeops \
  --values values-openshift.yaml \
  --set 'platform.ingress.hosts={forgeops.example.com}' \
  --set serviceAccount.name=forgeops-sa

🧪 Step 5: Validate and Access

  • Check pod status: oc get pods -n forgeops

  • Add to /etc/hosts: 127.0.0.1 forgeops.example.com

  • Access AM UI: https://forgeops.example.com/am
📌 Final Tips

  • Ensure Secrets are created before Helm is invoked
  • Don’t forget OpenShift’s securityContext is stricter than standard Kubernetes
  • Use custom service accounts and RBAC for least privilege
  • Double check image paths when pushing to OpenShift registry