Introduction

Running ForgeRock ForgeOps on Red Hat OpenShift is a powerful way to simulate enterprise-grade IAM deployment scenarios. In this guide, we’ll walk through setting up ForgeOps inside a local OpenShift environment using CodeReady Containers (CRC), which enables a fast and lightweight test environment for development or evaluation purposes.

Prerequisites

Before we begin, make sure your machine meets the following minimum specs:

Install and configure CRC:

crc setup
crc config set cpus 8
crc config set memory 16384
crc config view

Start the OpenShift Cluster

crc start
# Optionally specify pull secret:
# crc start -p ~/openshift/pull-secret.txt

Once started, the console and login credentials will be displayed:

Web Console: https://console-openshift-console.apps-crc.testing
Admin: kubeadmin / <password>
Developer: developer / developer

Accessing the Cluster with oc

Set up the CLI environment:

eval $(crc oc-env)
oc login -u developer https://api.crc.testing:6443

Verify cluster status:

oc get nodes
oc whoami

Set Up an OpenShift Project

oc new-project demo

You can now use this project as the target for ForgeRock image streams and services.

Enable Image Registry and Push Images

Expose the default OpenShift image registry route (this patches cluster operator configuration, so it requires a cluster-admin account such as kubeadmin rather than the developer user):

oc patch configs.imageregistry.operator.openshift.io/cluster \
  --patch '{"spec":{"defaultRoute":true}}' --type=merge

Log in to the internal registry:

docker login -u $(oc whoami) \
  -p $(oc whoami --show-token) \
  default-route-openshift-image-registry.apps-crc.testing

Create the ForgeOps image stream and build/push ForgeRock IG:

oc create imagestream ig
export PUSH_TO=default-route-openshift-image-registry.apps-crc.testing/demo
cd /path/to/forgeops/bin
./forgeops build ig --tag 7.3.0

🔐 Note: You must ensure the image is tagged with the fully qualified registry path.

Install ForgeOps

Once the image is available:

./forgeops install ig

Check pod status:

oc get pods

Expose the ForgeRock IG Service

oc expose svc ig
oc get routes -o yaml ig

Example route:

spec:
  host: ig-demo.apps-crc.testing

You can now access ForgeRock IG via this route in your browser.

Configure SCC for NGINX (Optional)

If you plan to deploy NGINX-based Ingress or Admission components, OpenShift may block containers running as root. Define a custom SCC:

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: nginx-admission-scc
runAsUser:
  type: MustRunAs
  uid: 101  # Or 65532 depending on container
...

Apply and assign the SCC (creating SCCs and granting them to service accounts requires cluster-admin):

oc apply -f scc.yaml
oc adm policy add-scc-to-user nginx-admission-scc -z ingress-nginx -n nginx

Alternatively, for testing, use:

oc adm policy add-scc-to-user anyuid -z ingress-nginx -n nginx

⚠️ Production environments should use the minimal privilege model.
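To check that a custom SCC actually stays within that minimal privilege model, here is an added example (not part of this guide) of a small Python audit over SCC objects. Both SCC dicts are constructed for the example: the first mirrors the nginx-admission-scc manifest above, the second approximates the built-in anyuid SCC.

```python
# Added example (not from the guide above): audit SecurityContextConstraints
# (SCC) objects for settings that widen privilege beyond what an ingress
# controller needs. Both SCC dicts are constructed for this example: the first
# mirrors nginx-admission-scc above, the second approximates the built-in anyuid.

HOST_FLAGS = (
    "allowPrivilegedContainer", "allowHostNetwork", "allowHostPID",
    "allowHostIPC", "allowHostDirVolumePlugin", "allowPrivilegeEscalation",
)
DANGEROUS_CAPS = {"*", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"}

def audit_scc(scc):
    """Return a list of findings; an empty list means nothing risky was found."""
    findings = []
    name = scc.get("metadata", {}).get("name", "<unnamed>")
    run_as = scc.get("runAsUser", {})
    if run_as.get("type") == "RunAsAny":
        findings.append(f"{name}: runAsUser RunAsAny permits root (uid 0)")
    elif run_as.get("type") == "MustRunAs" and run_as.get("uid") == 0:
        findings.append(f"{name}: runAsUser pins uid 0 (root)")
    for flag in HOST_FLAGS:          # host namespaces, privileged mode, escalation
        if scc.get(flag) is True:
            findings.append(f"{name}: {flag} is true")
    caps = set(scc.get("allowedCapabilities") or [])
    for cap in sorted(caps & DANGEROUS_CAPS):
        findings.append(f"{name}: allows capability {cap}")
    if set(scc.get("volumes") or []) & {"*", "hostPath"}:
        findings.append(f"{name}: volumes permit hostPath")
    return findings

NGINX_SCC = {                         # constructed, mirrors the manifest above
    "metadata": {"name": "nginx-admission-scc"},
    "runAsUser": {"type": "MustRunAs", "uid": 101},
    "allowPrivilegedContainer": False,
    "allowHostNetwork": False,
    "allowedCapabilities": [],
    "volumes": ["configMap", "secret", "emptyDir"],
}

ANYUID_LIKE_SCC = {                   # constructed approximation of anyuid
    "metadata": {"name": "anyuid"},
    "runAsUser": {"type": "RunAsAny"},
    "allowPrivilegedContainer": False,
    "allowHostNetwork": False,
    "volumes": ["configMap", "secret", "emptyDir", "persistentVolumeClaim"],
}

if __name__ == "__main__":
    for scc in (NGINX_SCC, ANYUID_LIKE_SCC):
        print(scc["metadata"]["name"], "->", audit_scc(scc) or ["OK"])
```

Run it against `oc get scc <name> -o json` output (loaded with `json.load`) to audit the SCCs actually present on the cluster.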

Maintenance Tips

Reclaim disk space and clean up pods:

oc delete pod --field-selector=status.phase==Succeeded --all-namespaces
oc delete pod --field-selector=status.phase==Failed --all-namespaces

Check for evicted pods (a sign of node resource pressure):

oc get pod --all-namespaces | grep Evicted

Conclusion

Deploying ForgeOps on OpenShift CRC gives developers a powerful sandbox to validate identity components in a real-world Kubernetes environment. With proper configuration of image registries and security contexts, you can simulate everything from IG to IDM locally, speeding up development and testing cycles.

Ready to deploy the full ForgeRock stack? Just modify the forgeops install profile and replicate the image build process for AM and IDM.

./forgeops build am --tag 7.3.0
./forgeops build idm --tag 7.3.0
./forgeops install --config-profile all

Happy forging!