By Le Deng, Sr. IAM SME – ForgeRock
By Tony Song, Sr. ISV Success PSA – AWS
The pandemic has shaken organizations in many ways; as a result, enterprises have accelerated moving their IT infrastructures to cloud so they have a robust and elastic foundation to embrace the incoming business challenges.
Identity and access management (IAM) technologies stand in the front line for this infrastructure movement, and this post describes how ForgeRock can help you make this complex concept a seamless experience using Amazon Elastic Kubernetes Service (Amazon EKS).
ForgeRock is an AWS Partner and multinational IAM software company. Its modern digital IAM platform empowers customers and the workforce management for enterprises, providing engaging and secure user experiences.
The ForgeRock Identity Platform is a full-suite identity solution that works across a wide range of industries. The artificial intelligence (AI)-driven platform helps organizations improve and scale all things identity, governance, and access management.
Amazon EKS is a managed service that simplifies the deployment, management, and scaling of containerized applications by using Kubernetes on Amazon Web Services (AWS). It runs on infrastructure across multiple AWS Availability Zones (AZs) to eliminate a single-point of failure. With Kubernetes at its core, Amazon EKS is compatible with any other Kubernetes-based environments and makes it easy for migration.
Let’s look at some of the benefits of Amazon EKS and explore ForgeOps (ForgeRock DevOps) to understand the specific Kubernetes structure that can address different user volumes. Then, we’ll see how to deploy the Kubernetes workloads in EKS, and touch on the benchmarking the stack and cleanup.
Benefits of Containerization with Amazon EKS
Using Amazon EKS for DevOps optimization comes with multi-faceted advantages.
First, Amazon EKS handles most of the Kubernetes cluster provisioning and administration tasks for you, including creating the master cluster, setting up service discovery, and networking. You can focus more on the design and management of your application and leave the legwork to AWS.
Amazon EKS provisions the Kubernetes infrastructure, including the control plane, backend services, and workloads, across multiple AZs. It ensures high availability and eliminates a single point of failure from the infrastructural perspective.
The managed EKS platform is constantly being maintained, patched, and upgraded. AWS proactively works with the Kubernetes community and contributes to the Kubernetes code base, resulting in a more robust and secure platform.
Lastly, you can leverage other AWS services together with Amazon EKS to make it even more powerful, efficient, and cost-effective. For example, using AWS Fargate—a serverless compute engine for containers—you no longer need to provision and manage servers. Organizations can pay per use with this metered service.
Figure 1 – Amazon EKS process diagram.
ForgeRock Identity Platform Overview
ForgeRock Identity Platform has four core products:
- Access management (ForgeRock AM)
- Identity management (ForgeRock IDM)
- Directory service (ForgeRock DS)
- Identity gateway (ForgeRock IG)
ForgeRock AM is a dynamic authentication and authorization product that utilizes single sign-on (SSO), federation, intelligent access, and password authentication.
ForgeRock IDM is a modern identity management product that fully automates the identity lifecycle management process.
ForgeRock DS is a next-generation directory services that supports consumers, workforce users, and the growing Internet of Things (IoT) footprints.
ForgeRock IG is an intelligent identity-aware proxy that can enforce authentication and authorization of applications, APIs and microservices
Figure 2 – The AI-powered ForgeRock Identity Platform,
ForgeRock Identity Platform with DevOps
To help accelerate the ForgeRock Identity Platform deployment in the cloud environment with automation, ForgeRock has provided several resources to get you started in the cloud. We’ll look at two major ones: ForgeOps Repository and the CDK/CDM model.
- ForgeOps Repository: The ForgeOps repository is the official Git repository from ForgeRock dedicated to DevOps. It provides Docker and Kustomize artifacts for deploying the ForgeRock Identity Platform on a Kubernetes cluster. It also offers various utility scripts and sample files.
- CDK and CDM: The ForgeOps repository contains two primary artifacts to get started: CDK (Cloud Developer Kit) and CDM (Cloud Deployment Model). While CDK is a minimal sample deployment for developing purposes, CDM is a reference implementation for ForgeRock cloud deployments.
CDM is ready for production deployment, and we’ll take a closer look at this one.
Figure 3 – Deploying the CDM.
CDM is a robust reference implementation for ForgeRock cloud deployments. Resources such as Docker images, Kustomize bases and overlays, Skaffold workflows, shell scripts, and other artifacts are the building blocks for this cloud deployment and are provided in the ForgeOps repository.
CDM is a fully operational ForgeRock Identity Platform Kubernetes cluster. A list of features include:
- Well-tuned JVM, memory, and CPU
- Multi-zone Kubernetes cluster
- Different cluster sizes accommodating different volume of end users
- Third-party deployment and monitoring
- Ready-to-use ForgeRock Identity Platform components
- Load balancing
- Secret management
- TLS secured communication
- Stateful sets
- Directory Service replication
- Backup and restore
Using the CDM artifacts, you can get a ForgeRock Identity Platform up and running in a Kubernetes cloud environment. It’s designed and developed with several purposes:
- Standardize the process: Have a standard process for deploying the ForgeRock Identity Platform natively in the cloud.
- Simplifies baseline deployment: A number of DevOps tools are used to simplify the building and deployment process with CI/CD pipelines and different scale sizes.
- Eliminates guesswork: This helps customers bypass the deploy-test-integrate-test-repeat cycle which is time-consuming and inefficient.
- Prepare for production: CDM is designed with production usage in mind.
Here is a CDM cluster diagram for small and medium volume. Pods are deployed across three AZs in a single pool; this ensureSs the ingress controller and other components are highly available.
Figure 4 – ForgeRock CDM Kubernetes cluster.
Pods with Directory Service (DS) are configured using soft anti-affinity. In this case, Directory Service pods will run on nodes that don’t have any other DS pods. Furthermore, Kubernetes stateful sets are used to manage the DS pods, which protect against data loss if Kubernetes containers fail.
The NGINX Ingress Controller provides load balancing services for CDM deployment.
There are other third-party tools such as Prometheus, Grafana, Certificate Manager, and Helm used as well.
Amazon EKS Setup and CDM Deployment
The following diagram provides an overview of a CDM deployment on Amazon EKS.
Figure 5 – Amazon EKS stack with ForgeRock CDM deployment.
Here, an AWS stack template is employed to create a virtual private cloud (VPC), where three subnets are configured across three Availability Zones. A Kubernetes cluster is then created over the three subnets, and three worker nodes are created within the cluster. A local file system is mounted to the DS pod for storing directory data backup.
You’ll first set up the environment on AWS which involves adding resources such as Amazon Elastic File Service (Amazon EFS), virtual private cloud, subnet, Elastic Load Balancing, and AWS Key Management Service (KMS).
Once you have the VPC and cluster, you can start to deploy the CDM. The detailed steps can be found in the ForgeRock documentation.
Benchmarking helps measure the deployed stack’s general performance to strike a balance between the performance target and asset cost. ForgeRock CDM provides three cluster sizes for three different volumes of end-users:
- Small cluster: 1,000,000 users
- Medium cluster: 10,000,000 users
- Large cluster: 100,000,000 users
Directory Service benchmarking tests can be done through ‘search rate,’ ‘modify rate,’ and ‘add rate,’ which are packaged into ForgeRock DS.
ForgeRock AM, IDM, and IG benchmarking can be done through Gatling, an open-source benchmarking tool.
To clean up the environment, you first need to remove the CDM deployment, which is provided with the utility script by ForgeRock. Next, delete the AWS resources, if any, to avoid unexpected charges.
We described the rapid deployment process of a production-ready ForgeRock Identity Platform based on Amazon EKS. We hope this helps you get a general picture of the magic hand-shaking between ForgeRock and Amazon EKS.
ForgeRock – AWS Partner Spotlight
ForgeRock is an AWS Partner and modern digital IAM platform that empowers customers and the workforce management for enterprises, providing engaging and secure user experiences.
*Already worked with ForgeRock? Rate the Partner
*To review an AWS Partner, you must be a customer that has worked with them directly on a project.