Production-ready scripts for deploying ForgeRock Identity Platform (ForgeOps) on Red Hat OpenShift CRC (Code Ready Containers). Solves the 3 most common deployment failures: SCC violations, internal registry issues, and disk exhaustion.
Full guide: Deploying ForgeRock ForgeOps on Red Hat OpenShift CRC: A Step-by-Step Guide
Most ForgeOps-on-OpenShift deployments fail at the same 3 points:

| Error | Root Cause | Fix |
|---|---|---|
| `pods "ig-0" is forbidden: unable to validate against any security context constraint` | ForgeRock images run as UID 11111; the default `restricted` SCC only admits UIDs from the project's allocated range (1000680000+), so no SCC matches the pod | Custom SCC (`scc/forgerock-scc.yaml`) |
| `Failed to pull image: ImagePullBackOff` | Internal registry route not exposed, or its TLS certificate not trusted | `scripts/01-setup-registry.sh` |
| `Evicted pod: node was low on ephemeral-storage` | ForgeRock images are 600MB–1.2GB each; the CRC default disk is 31GB | Resize the CRC disk to 80GB during setup (`CRC_DISK_SIZE`) |
| Resource | Minimum | Recommended |
|---|---|---|
| CPUs | 8 vCPUs | 16 vCPUs |
| Memory | 16 GB | 32 GB |
| Disk | 80 GB | 100 GB |
| OS | macOS 10.14+ / RHEL / Ubuntu | Same |
```bash
# Clone this repo
git clone https://github.com/IAMDevBox/forgeops-openshift-deployment.git
cd forgeops-openshift-deployment

# Make scripts executable
chmod +x scripts/*.sh

# Step 1: Setup CRC (5-10 min)
./scripts/00-setup-crc.sh

# Step 2: Expose internal registry and trust TLS cert
eval $(crc oc-env)
# The kubeadmin password is printed by: crc console --credentials
oc login -u kubeadmin https://api.crc.testing:6443
./scripts/01-setup-registry.sh

# Step 3: Create namespace and apply ForgeRock SCC
./scripts/02-apply-scc.sh

# Step 4: Clone ForgeOps and build images (requires ForgeRock license)
git clone https://github.com/ForgeRock/forgeops.git ~/forgeops
./scripts/03-build-push-images.sh

# Step 5: Deploy ForgeRock components
./scripts/04-deploy-forgeops.sh
```

```
forgeops-openshift-deployment/
├── scc/
│   └── forgerock-scc.yaml          # Custom SecurityContextConstraints for ForgeRock
├── scripts/
│   ├── 00-setup-crc.sh             # Install and configure OpenShift CRC
│   ├── 01-setup-registry.sh        # Expose internal image registry
│   ├── 02-apply-scc.sh             # Create namespace and bind SCC
│   ├── 03-build-push-images.sh     # Build and push ForgeRock images
│   ├── 04-deploy-forgeops.sh       # Deploy ForgeRock platform
│   └── 05-troubleshoot.sh          # Diagnose common failures
└── README.md
```
The key configuration is the custom SecurityContextConstraints (excerpt of the strategy fields; the complete object is in `scc/forgerock-scc.yaml`):

```yaml
# scc/forgerock-scc.yaml (excerpt)
runAsUser:
  type: RunAsAny         # Allows ForgeRock's UID 11111 (vs default 1000680000+)
fsGroup:
  type: RunAsAny         # Allows ForgeRock's GID
supplementalGroups:
  type: RunAsAny
allowedCapabilities:
  - NET_BIND_SERVICE     # Required for IG to bind ports 443/80
```

Without this SCC, every ForgeRock pod fails immediately with:

```
Error: pods "am-0" is forbidden: unable to validate against any security context constraint
```

`RunAsAny` is the broadest strategy: it admits any UID, not only 11111. If you want a tighter policy, a `MustRunAs` strategy pinned to UID 11111 is enough for the ForgeRock images, and the SCC should be bound to the service accounts the ForgeRock workloads actually use rather than to `default`, which extends it to every pod in the project. See the full SCC guide for binding to specific service accounts.
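To see why the `forbidden: unable to validate against any security context constraint` error from the table above occurs, it helps to compare the container UID with the UID block OpenShift allocated to the project. The script below is an added example and is not part of this repo; it assumes a logged-in `oc` CLI and a namespace named by `NAMESPACE` (default `forgerock`). The annotation `openshift.io/sa.scc.uid-range` and the `openshift.io/scc` pod annotation are standard OpenShift names; the helper function names are this example's own.

```bash
#!/bin/sh
# Added example, not part of the forgeops-openshift-deployment repo.
# The restricted SCC only admits UIDs inside the project's allocated block,
# recorded in the namespace annotation openshift.io/sa.scc.uid-range as
# "START/SIZE" (e.g. 1000680000/10000). ForgeRock images run as 11111.
# Assumptions: oc is logged in; NAMESPACE defaults to forgerock.
NAMESPACE=${NAMESPACE:-forgerock}

# uid_in_range UID START/SIZE -> prints yes or no; exit 0 if inside, 1 if not
uid_in_range() {
  uid=$1
  case $2 in
    */*) ;;
    *) echo "bad range '$2', expected START/SIZE" >&2; return 2 ;;
  esac
  start=${2%/*}
  size=${2#*/}
  end=$((start + size - 1))
  if [ "$uid" -ge "$start" ] && [ "$uid" -le "$end" ]; then
    echo yes
    return 0
  fi
  echo no
  return 1
}

# scc_for_uid UID START/SIZE -> which runAsUser strategy is needed to admit UID
scc_for_uid() {
  if uid_in_range "$1" "$2" >/dev/null; then
    echo "restricted (MustRunAsRange) admits UID $1"
  else
    echo "UID $1 is outside $2: needs an SCC with runAsUser MustRunAs uid=$1 or RunAsAny"
  fi
}

# Live check: the project's range, the rejection events the StatefulSet
# controller records (a rejected pod never exists, so look at events, not
# pods), and the SCC annotation on the pods that did get admitted.
explain_scc_rejections() {
  ns=${1:-$NAMESPACE}
  range=$(oc get namespace "$ns" \
    -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}')
  if [ -z "$range" ]; then
    echo "namespace $ns has no openshift.io/sa.scc.uid-range annotation" >&2
    return 1
  fi
  echo "project $ns uid-range: $range"
  scc_for_uid 11111 "$range"
  echo "--- FailedCreate events (SCC rejections show up here):"
  oc get events -n "$ns" --field-selector reason=FailedCreate \
    -o custom-columns=OBJECT:.involvedObject.name,MESSAGE:.message
  echo "--- SCC that admitted each existing pod:"
  oc get pods -n "$ns" \
    -o custom-columns='NAME:.metadata.name,SCC:.metadata.annotations.openshift\.io/scc'
}

# Runs only when invoked explicitly, e.g.: sh scc-check.sh explain forgerock
if [ "${1:-}" = explain ]; then
  explain_scc_rejections "$2"
fi
```

The `SCC` column of the last command is the quickest way to confirm that a pod was admitted under `forgerock-scc` rather than under `anyuid` or another broad SCC that happened to be bound to the same service account.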
ForgeRock components have a strict startup dependency:

```
DS (Directory Server) → AM + IDM (can be deployed in parallel) → IG
```

The `04-deploy-forgeops.sh` script handles this order automatically. For individual component deployment:

```bash
# Individual components (recommended for CRC with limited RAM)
DEPLOY_MODE=individual ./scripts/04-deploy-forgeops.sh

# Full stack (requires 32GB RAM)
DEPLOY_MODE=full ./scripts/04-deploy-forgeops.sh
```
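The dependency chain above only holds if each stage waits for the previous one to actually serve traffic, not merely to be applied. The script below is an added example of that readiness gate; it is not the repo's `04-deploy-forgeops.sh`. Everything about how a component is deployed is an assumption made for illustration: the per-component kustomize path under `FORGEOPS_DIR`, the workload names `ds-idrepo` (StatefulSet) and `am`/`idm`/`ig` (Deployments), and the `DEPLOY_FN`/`READY_FN` indirection that lets the live `oc` calls be swapped for stubs.

```bash
#!/bin/sh
# Added example, not the repo's own 04-deploy-forgeops.sh. Enforces the
# DS -> (AM, IDM in parallel) -> IG order with a readiness gate between
# stages, so a later stage never starts against a dependency that is not up.
# Assumptions (not taken from the page): components are deployed by the
# function named in DEPLOY_FN and waited on by READY_FN; the default
# implementations use oc and the workload names ds-idrepo, am, idm, ig.
NAMESPACE=${NAMESPACE:-forgerock}
FORGEOPS_DIR=${FORGEOPS_DIR:-$HOME/forgeops}
DEPLOY_FN=${DEPLOY_FN:-deploy_with_oc}
READY_FN=${READY_FN:-wait_with_oc}

# Assumed layout: one kustomize directory per component under the ForgeOps clone.
deploy_with_oc() {
  oc apply -n "$NAMESPACE" -k "$FORGEOPS_DIR/kustomize/overlay/$1"
}

# Assumed workload kinds/names; rollout status blocks until all replicas are ready.
wait_with_oc() {
  case $1 in
    ds) oc rollout status statefulset/ds-idrepo -n "$NAMESPACE" --timeout=900s ;;
    *)  oc rollout status "deployment/$1" -n "$NAMESPACE" --timeout=600s ;;
  esac
}

# stage COMPONENT...: deploy every listed component, then wait for all of
# them concurrently; non-zero if any deploy or readiness wait fails.
stage() {
  for c in "$@"; do
    "$DEPLOY_FN" "$c" || { echo "deploy of $c failed" >&2; return 1; }
  done
  pids=
  for c in "$@"; do
    "$READY_FN" "$c" &
    pids="$pids $!"
  done
  fail=0
  for p in $pids; do
    wait "$p" || fail=1
  done
  [ "$fail" -eq 0 ] || echo "stage [$*] did not become ready" >&2
  return "$fail"
}

# The dependency chain itself; later stages are skipped when an earlier one fails.
deploy_stack() {
  stage ds && stage am idm && stage ig
}

# Runs only when invoked explicitly, e.g.: sh deploy-ordered.sh run
if [ "${1:-}" = run ]; then
  deploy_stack
fi
```

On a CRC box with 16GB the AM and IDM waits are the slow part; running them concurrently saves a full rollout's worth of wall time without changing the guarantee that IG is never started before both are ready.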
Run the diagnostic script first:

```bash
./scripts/05-troubleshoot.sh
```

SCC violation:
```bash
# Re-apply SCC (idempotent)
oc apply -f scc/forgerock-scc.yaml
# Binding to the default service account grants the SCC to every pod in the
# project; prefer the ForgeRock service accounts (see the SCC guide)
oc adm policy add-scc-to-user forgerock-scc -z default -n forgerock
```

Image pull failure:

```bash
# Re-login to registry
REGISTRY=$(oc get route default-route -n openshift-image-registry -o jsonpath='{.spec.host}')
# Feed the token on stdin so it does not land in shell history or `ps` output.
# --tls-verify=false skips certificate checking entirely; drop it once the
# registry CA is trusted, which is what 01-setup-registry.sh sets up
oc whoami -t | podman login -u "$(oc whoami)" --password-stdin "$REGISTRY" --tls-verify=false
```

Disk exhaustion:

```bash
# Clean failed pods. Evicted pods are in phase Failed (status.reason=Evicted),
# so this also removes them; "Evicted" is not a pod phase, and
# --field-selector=status.phase==Evicted matches nothing
oc delete pod --field-selector=status.phase==Failed -n forgerock
```
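Because eviction is a reason rather than a phase, selecting evicted pods precisely means reading `status.reason`. The script below is an added example, not part of the repo: it filters `oc get pods` custom-columns output for evicted pods, deletes only those, and totals the sizes recorded for the images in the internal registry so you can see how much of the CRC disk they take. It assumes a logged-in `oc`, `NAMESPACE` defaulting to `forgerock`, and that Image objects expose their size at `dockerImageMetadata.Size` (check with `oc get images -o json` if your cluster differs). The sample lines in the usage note are constructed.

```bash
#!/bin/sh
# Added example, not part of the repo. Helpers for the disk-exhaustion case:
# find evicted pods correctly (phase Failed, reason Evicted; "Evicted" is not
# a phase) and total the image sizes held by the internal registry.
# Assumptions: oc is logged in; NAMESPACE defaults to forgerock.
NAMESPACE=${NAMESPACE:-forgerock}

# Reads "NAME PHASE REASON" lines (custom-columns output; absent fields print
# as <none>) on stdin and prints the names of pods that were evicted.
evicted_pods() {
  awk '$2 == "Failed" && $3 == "Evicted" { print $1 }'
}

# Reads "NAME SIZE_BYTES" lines on stdin and prints the total in GB (one
# decimal); lines without a numeric size (e.g. <none>) are skipped.
image_total_gb() {
  awk '$2 ~ /^[0-9]+$/ { total += $2 } END { printf "%.1f\n", total / 1073741824 }'
}

# One pod per line: name, phase and reason, in the form evicted_pods expects.
list_pods() {
  oc get pods -n "$NAMESPACE" --no-headers \
    -o custom-columns=NAME:.metadata.name,PHASE:.status.phase,REASON:.status.reason
}

# Delete only evicted pods, one oc call each (no GNU-only xargs -r).
clean_evicted() {
  list_pods | evicted_pods | while read -r pod; do
    oc delete pod "$pod" -n "$NAMESPACE"
  done
}

# Registry footprint as recorded on the cluster's Image objects (cluster-admin).
# Field path dockerImageMetadata.Size is assumed; verify with oc get images -o json.
registry_usage_gb() {
  oc get images --no-headers \
    -o custom-columns=NAME:.metadata.name,SIZE:.dockerImageMetadata.Size \
    | image_total_gb
}

# Runs only when invoked explicitly: sh disk-check.sh clean | usage
case "${1:-}" in
  clean) clean_evicted ;;
  usage) registry_usage_gb ;;
esac
```

Fed constructed lines such as `am-0 Failed Evicted`, `ig-0 Failed Error` and `ds-idrepo-0 Running <none>`, `evicted_pods` prints only `am-0`; a pod that crashed for any other reason is left alone so its logs stay available for `05-troubleshoot.sh`.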
```bash
# Remove images no longer referenced by any image stream from the internal registry
oc adm prune images --confirm
```

- Deploying ForgeOps on OpenShift CRC — Complete Guide
- ForgeRock DS Replication Troubleshooting
- ForgeRock IDM Scripting Guide
- ForgeRock Blue-Green Deployment on Kubernetes
- IAM Tools Comparison: ForgeRock vs Keycloak vs Ping
| Variable | Default | Description |
|---|---|---|
| `NAMESPACE` | `forgerock` | OpenShift project name |
| `FQDN` | `forgerock.apps-crc.testing` | Base FQDN for routes |
| `FORGEOPS_DIR` | `~/forgeops` | Path to cloned ForgeOps repo |
| `FORGEOPS_VERSION` | `7.3.0` | ForgeOps release tag |
| `CRC_CPUS` | `8` | vCPU count for CRC |
| `CRC_MEMORY` | `16384` | Memory in MB for CRC |
| `CRC_DISK_SIZE` | `80` | Disk size in GB for CRC |
| `PULL_SECRET` | `~/Downloads/pull-secret.txt` | Red Hat pull secret path |
| `DEPLOY_MODE` | `individual` | `individual` or `full` |
Scripts are MIT licensed. ForgeRock/PingOne Advanced Identity Cloud software requires a valid ForgeRock/Ping license.
Maintained by IAMDevBox.com — Identity and Access Management tutorials and tools.