.. SPDX-FileCopyrightText: 2024 - 2025 Univention GmbH .. .. SPDX-License-Identifier: AGPL-3.0-only .. _nubus-requirements: ************ Requirements ************ This section describes the requirements you need to meet before you can start deploying Univention Nubus on a Kubernetes cluster. In general, you need a Kubernetes cluster and additional services. Nubus has a default configuration for the additional services, so you can decide whether to use them or use your own deployments of these services. Nubus requires the following services. See the respective sections for details. #. :ref:`Kubernetes cluster ` #. :ref:`requirements-rdbms` #. :ref:`requirements-message-queue` #. :ref:`requirements-object-store` #. :ref:`requirements-kubernetes-certificates` #. :ref:`requirements-smtp` .. important:: Univention support covers Univention Nubus. Univention **doesn't** provide support offerings for additional services outside of Nubus. .. TODO : For more information, see the content in the Univention Nubus support section on the product website. .. _requirements-kubernetes: Kubernetes cluster ================== You need a Kubernetes cluster to deploy and run Univention Nubus. For the Kubernetes cluster, you must ensure the following aspects: #. The clients and users that want to use the services of Univention Nubus need network access to Nubus through the Kubernetes cluster. #. The minimum required version of Kubernetes is ``1.26``. #. A dedicated namespace for the deployment of Univention Nubus. You don't have to limit the namespace to Nubus only. You can also deploy other services there, as well. However, Nubus is the primary tenant of the namespace. #. Install :ref:`requirements-kubernetes-tools`. Univention Nubus recommends to ensure :ref:`requirements-kubernetes-ingress-controller`. .. seealso:: `Patch Releases `_ in :cite:t:`kubernetes-docs` for information about schedule and cadence of Kubernetes releases. `Namespaces in Kubernetes `_ in :cite:t:`kubernetes-docs` for information about the mechanism for isolating groups of resources within a single cluster. .. _requirements-kubernetes-managed: Production environment - managed or self-managed ------------------------------------------------ You can choose between a managed and a self-managed Kubernetes cluster. Managed production environment If you don't want to manage a Kubernetes cluster yourself, you can use a managed service provider or certified platforms. Depending on the amount of management you want to take on or leave to others, you need to consider how availability, scale, security, and access management affect your requirements for a Kubernetes cluster. At a minimum, you need access to a Kubernetes namespace and the permissions to deploy resources within that namespace. And the production environment must provide the services listed in the :ref:`nubus-requirements` section of this page. Self-managed production environment To run a self-managed Kubernetes cluster, you need to take care of the maintenance, security, and resources. You need to provide the services listed in :ref:`nubus-requirements` on this page. You also need expertise in running and managing a Kubernetes cluster. .. seealso:: Consider consulting the following resources from the :cite:t:`kubernetes-docs` during your decision-making process. They provide links to additional resources. * `Getting started `_ * `Production environment `_ .. _requirements-kubernetes-tools: Tools to manage Kubernetes clusters ----------------------------------- Regardless of who manages the Kubernetes cluster, you need to install :program:`kubectl` to run commands against Kubernetes clusters. To install :program:`kubectl`, refer to `kubectl - Install Tools `_. The deployment of Univention Nubus requires Helm, the package manager for Kubernetes. Helm uses the packaging format *Chart*. A chart is a collection of files that describe a related set of Kubernetes resources. To install Helm, refer to `Installing Helm `_. .. seealso:: :program:`kubctl` * `Command line tool (kubectl) `_ for a reference. Helm * `Helm `_ for more information about Helm and Charts. * `Helm Docs `_ for the documentation of Helm and the package format Helm Charts. .. _requirements-kubernetes-ingress-controller: External access to cluster services ----------------------------------- Univention Nubus recommends a running *Ingress Controller* to provide external access to the services within Nubus. Nubus provides configuration for *Ingress*, an API object in Kubernetes that manages external access to services in a cluster. Nubus has no ingress dependencies and should work with any ingress implementation. Univention actively tests with `NGINX Ingress Controller `_ and `Traefik Ingress Controller `_. .. seealso:: From :cite:t:`kubernetes-docs`, see the following resources: * Concepts: `Services, Load Balancing, and Networking `_ * `Ingress `_ * `Ingress Controllers `_ .. _requirements-kubernetes-certificates: Certificate manager =================== Kubernetes requires certificates for secure communication between different components in a Kubernetes cluster. Univention Nubus also needs certificates, at least on the endpoint, for secure communication with clients and services outside of the cluster network. A certificate manager creates TLS certificates for workloads in Kubernetes. It obtains certificates from a variety of certificate authorities, such as *Let's Encrypt* and private PKI. Nubus for Kubernetes recommends :program:`cert-manager` as certificate manager. However, you can configure your own certificates at the Ingress configuration. .. seealso:: Kubernetes documentation Best practices: `PKI certificates and requirements `_ in :cite:t:`kubernetes-docs`. `cert-manager Documentation `_ for getting started with :program:`cert-manager`, installation, and handling certificates. * `List of known issuer integrations `_ * `Tutorials `_ * Tutorial for deploying :program:`cert-manager` and how to configure it to get certificates for the *NGINX Ingress controller* from *Let's Encrypt*, see `Securing NGINX-ingress `_ .. _requirements-rdbms: Relational database =================== Univention Nubus requires a relational database management system (RDBMS). Such a database system can be :program:`PostgreSQL`. Use an existing PostgreSQL deployment with implemented concepts for backup, restore, redundancy, failover, and security for Nubus. You only need to provide the location and respective credentials to the Nubus configuration. Using an existing PostgreSQL deployment for Nubus is a clear recommendation. For more information, see :ref:`conf-external-postgresql`. If you don't have a PostgreSQL deployment, you can enable PostgreSQL in the configuration for a demonstration deployment of Univention Nubus. .. important:: The PostgreSQL deployment within Nubus **doesn't** provide concepts for backup, restore, and redundancy. Use it only for demonstration purposes. ⚠️ **Univention doesn't provide support for the PostgreSQL deployment** within Nubus. .. seealso:: `Kubegres `_ is a Kubernetes operator allowing to deploy clusters of PostgreSQL instances. `How to Deploy Postgres to Kubernetes Cluster | DigitalOcean `_ for a step-by-step tutorial about deploying PostgreSQL on a Kubernetes cluster. .. _requirements-message-queue: Message queue ============= Univention Nubus requires the message queue system :program:`NATS`. NATS is a connectivity technology, and is responsible for addressing, discovering, and exchanging messages between distributed systems. For example, NATS provides M:N connectivity. Univention Nubus provides a configuration for a NATS deployment. Using the NATS deployment within Nubus is a clear recommendation and supported by Univention. If you have an existing NATS deployment, you can use it for Nubus. For more information, refer to :ref:`conf-nats`. .. seealso:: `NATS Docs `_ for more information about the software, including the following: * `Overview `_ * `What is NATS `_ * `NATS and Kubernetes `_ .. _requirements-object-store: S3-compatible object storage ============================ Univention Nubus requires an S3-compatible object storage. Such object storage is :program:`Amazon Simple Storage Service (S3)` or :program:`MinIO`. MinIO is an open source object storage solution that provides an S3-compatible API and supports all core S3 features. Univention Nubus provides an example configuration for a MinIO deployment. If you have an existing S3-compatible object storage deployment, you can use it for Nubus. For information about how to use an existing S3-compatible object storage deployment, refer to :ref:`conf-external-s3`. .. important:: The MinIO deployment within Nubus **doesn't** provide concepts for backup, restore, and redundancy. Use it only for demonstration purposes. ⚠️ **Univention doesn't provide support for the MinIO deployment* within Nubus**. .. seealso:: `Installation and Management - MinIO Object Storage `_ for getting started with :program:`MinIO` through a quickstart for Kubernetes, deployment, concepts, and administration. .. _requirements-smtp: SMTP server =========== Nubus for Kubernetes requires an SMTP (Simple Mail Transfer Protocol) server for sending email notifications and messages. Various components in Nubus for Kubernetes use SMTP including the following: *UMC Server* For password reset emails and administrative notifications. *Keycloak Extensions* For user account verification and authentication-related emails. You must provide an external SMTP server that Nubus for Kubernetes can connect to. This can be an existing mail server in your infrastructure, or a dedicated SMTP service provider. The SMTP server must support the following: * Standard SMTP connection through port 25, 587, or custom port. * Optional TLS/SSL encryption for secure communication. * Optional SMTP authentication through username and password. * Recommendation: StartTLS support For information about how to configure the SMTP server connection in Nubus, refer to :ref:`conf-smtp`. .. important:: Univention **doesn't** provide an SMTP server as part of Nubus for Kubernetes. You must provide and maintain your own SMTP server or use an external mail service provider.