2. Changelog

2.1. Version 1.0.0 - 2024-10-31

This is the first production release of Nubus for Kubernetes.

Consider all changes as breaking changes, because no upgrade path exists from the alpha version 0.18.3 to this version.

2.1.1. Changed

  • Change OpenLDAP from version 2.4 to 2.5.

  • Temporarily deactivate the Authorization Service in Nubus for Kubernetes.

    This change doesn’t impact other Nubus components, because no other component uses the Authorization Service yet. For more information, see Authorization Service in Univention Nubus for Kubernetes - Architecture Manual [2].

  • Replace the listener/notifier mechanism with the Provisioning Service. Remove the listeners in the Portal Server and the End User Self Service and replace them with Consumers for the Provisioning Service.

    The OX Connector also provides a Consumer for the Provisioning Service instead of a listener. However, the OX Connector isn’t part of Nubus for Kubernetes.

  • Deactivate plain sign-in by default. Instead, activate single sign-on through SAML by default in Keycloak.

  • Deactivate the Keycloak Extensions for brute force detection and new sign-in notification during the sign-in process by default.

    For information about how to manually activate the Keycloak Extensions, see Keycloak Extensions in Univention Nubus for Kubernetes - Operation Manual [1].

  • Increase the number of available UMC modules in the Management UI. Besides the modules to manage user accounts, the Management UI shows the UMC modules available to Nubus for Kubernetes.

  • Change the Helm value structure for defining UCR variables under global.configUcr.

  • Change the format for loading initial data in Nubus for Kubernetes from Helm templates to Jinja2 templates.

    This affects, for example, how the browser window title of the Management UI is set.

2.1.2. Added

  • Add Ingress configuration for HTTP traffic routing in Nubus for Kubernetes. This replaces the Stack Gateway Kubernetes pod.

  • Increase security hardening through the following measures:

    Profile picture upload in End User Self Service

    The End User Self Service re-encodes uploaded profile pictures from any origin format to JPEG to reduce the risk of malware injection through crafted image files. It also removes any metadata, such as EXIF, for improved privacy.

    Security context for pods
    • Containers run as non-root users.

      The exception is the UMC server and its sidecar container with sssd; they still need root privileges.

    • Containers mount their root file system in read-only mode.

    • Processes can’t gain more privileges than their parent process, because the Kubernetes pod configuration sets allowPrivilegeEscalation: false.

    Capabilities

    All default components of Nubus now use no extra Linux capabilities in their Kubernetes pods.

    See also Configure a Security Context for a Pod or Container in the Kubernetes documentation for information about security contexts.

  • Add interfaces to extend Nubus for Kubernetes, for example with customizations for openDesk.

  • Add configurable scalability for the following functional components in Nubus for Kubernetes:

    • UMC Server and UMC Gateway in Management UI.

    • Keycloak in Identity Provider.

    • Portal Server and Portal Frontend in the Portal Service.

    • LDAP Server in Identity Store and Directory Service, especially read-only LDAP secondary servers.

      See also Directory service high availability and scalability in Univention Nubus for Kubernetes - Operation Manual [1] for information about the configuration.

  • Add the ability to configure the browser window title of the Management UI.

    Listing 2.1 Example custom_values.yaml deployment file that changes the title of the Management UI
    global:
      configUcr:
        umc:
          web:
            title: "My custom title for the Management UI"

  • Add the ability to customize the branding for the Portal and Keycloak, namely the background images, HTML style (CSS) and the favicon.

    See also Branding and themes in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [3] for information about how to customize the branding.

  • Add the ability to customize the cookie consent banner for the Portal and for Keycloak.

    See also Consent for using cookies in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [3] for information about how to customize the cookie consent banner.

  • Add the ability to customize the links in the footer of the Keycloak sign-in page.

    See also Customization of Keycloak sign-in in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [3] for information about how to customize the Keycloak sign-in page.

  • Add the ability to configure the email body for the password reset emails.

    See also Customization of self service emails in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [3] for information about how to customize the email body text for End User Self Service emails.
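The profile picture hardening listed above under "Increase security hardening" (re-encoding to JPEG and stripping EXIF) rests on the fact that a JPEG is a sequence of marker-delimited segments, and that everything outside the image data (APPn metadata segments, COM comment segments, bytes appended after the EOI marker) is where embedded payloads and privacy-sensitive metadata usually live. The following added example, written for this page and not taken from Nubus, walks those segments with the Python standard library only and drops everything that a decoder does not need. It covers only the metadata-removal half of the measure: the re-encoding step (decode the pixels, write a fresh JPEG) needs an image library and is not shown. The sample JPEG skeleton is constructed inline with placeholder segment payloads and is not a decodable picture.

```python
"""Strip metadata segments and trailing payloads from a JPEG by walking its markers.

Added example, not Nubus code. Standard library only; it does not decode pixels.
"""

SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01

MARKER_NAMES = {0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xC0: "SOF0", 0xC2: "SOF2",
                0xC4: "DHT", 0xDB: "DQT", 0xDD: "DRI", 0xFE: "COM"}


def marker_name(m):
    if 0xE0 <= m <= 0xEF:
        return f"APP{m - 0xE0}"          # APP0 (JFIF), APP1 (Exif/XMP), APP13 (IPTC), ...
    return MARKER_NAMES.get(m, f"0x{m:02X}")


def scan_end(data, i):
    """Index of the first real marker after entropy-coded data starting at i.

    Inside scan data, 0xFF is followed by 0x00 (byte stuffing) or by RST0..RST7;
    anything else is the next segment marker.
    """
    while i < len(data) - 1:
        if data[i] == 0xFF and data[i + 1] != 0x00 and not (0xD0 <= data[i + 1] <= 0xD7):
            return i
        i += 1
    raise ValueError("truncated scan: no marker after entropy-coded data")


def iter_segments(data):
    """Yield (marker, raw_bytes) per segment; an SOS segment includes its scan data.

    Stops at EOI, so anything appended after the image (polyglot payloads) is ignored.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, data[:2]
    i = 2
    while i < len(data) - 1:
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        m = data[i + 1]
        if m == 0xFF:                       # fill byte before a marker
            i += 1
            continue
        if m == EOI:
            yield EOI, data[i:i + 2]
            return
        if m == TEM or 0xD0 <= m <= 0xD7:   # standalone markers without a length field
            yield m, data[i:i + 2]
            i += 2
            continue
        length = int.from_bytes(data[i + 2:i + 4], "big")
        if length < 2 or i + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {i}")
        end = i + 2 + length
        if m == SOS:
            end = scan_end(data, end)       # header plus entropy-coded data
        yield m, data[i:end]
        i = end
    raise ValueError("truncated JPEG: no EOI")


def strip_jpeg_metadata(data):
    """Drop APP0..APP15 and COM segments, and everything after EOI."""
    out = bytearray()
    for m, seg in iter_segments(data):
        if 0xE0 <= m <= 0xEF or m == 0xFE:
            continue
        out += seg
    return bytes(out)


def segment_names(data):
    return [marker_name(m) for m, _ in iter_segments(data)]


def _seg(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample (assumption for this example): structurally valid segments with
# placeholder payloads, NOT a decodable image.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE1, b"Exif\x00\x00<camera model, GPS position, ...>")
    + _seg(0xFE, b"<arbitrary bytes an uploader can hide in a comment>")
    + _seg(0xDB, b"\x00" + bytes(64))                        # DQT placeholder
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")      # SOF0 placeholder
    + _seg(0xC4, b"\x00" + bytes(16))                        # DHT placeholder
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                # SOS header placeholder
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                    # scan data: stuffed FF00, RST0
    + b"\xff\xd9"
    + b"PK\x03\x04 archive appended after EOI"               # trailing polyglot payload
)

if __name__ == "__main__":
    print("before:", segment_names(SAMPLE_JPEG), len(SAMPLE_JPEG), "bytes")
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after: ", segment_names(cleaned), len(cleaned), "bytes")
```

Run it on a real upload by reading the file as bytes and passing it to strip_jpeg_metadata; a JPEG without its APP0/APP1 segments still decodes, because the quantization tables, Huffman tables and frame header it needs live in DQT, DHT and SOFn. The walker refuses truncated or malformed input rather than guessing, which is the right failure mode for an upload handler.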
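To verify the pod security context measures listed above (non-root, read-only root file system, allowPrivilegeEscalation: false, no extra capabilities) on a running deployment, the following added example, which is not Nubus code, audits pod specs in the shape that kubectl get pods -o json returns under .spec. It merges pod-level and container-level securityContext the way Kubernetes does: container settings override pod settings, and readOnlyRootFilesystem, allowPrivilegeEscalation, capabilities and privileged exist only at container level. It goes one step beyond the release notes by also expecting capabilities.drop: [ALL]. The container names in the root allow-list (umc-server, sssd) and the sample pod specs are assumptions constructed for the example, not real Nubus manifests.

```python
"""Audit Kubernetes pod specs for the pod security context hardening listed above.

Added example, not Nubus code. Input: a pod spec dict as found under .spec in
`kubectl get pod -o json` output.
"""

# Assumption for this example: container names that the release notes say still
# need root (the UMC server and its sssd sidecar). Adjust to the real names.
ROOT_ALLOWED = frozenset({"umc-server", "sssd"})

# securityContext fields Kubernetes accepts at pod level; containers inherit them
# unless they set their own value.
POD_LEVEL_FIELDS = ("runAsNonRoot", "runAsUser", "runAsGroup", "seccompProfile")


def effective_context(pod_spec, container):
    """Merge inherited pod-level fields with the container's own securityContext."""
    merged = {k: v for k, v in (pod_spec.get("securityContext") or {}).items()
              if k in POD_LEVEL_FIELDS}
    merged.update(container.get("securityContext") or {})
    return merged


def audit_container(pod_spec, container, root_allowed):
    name = container.get("name", "<unnamed>")
    sc = effective_context(pod_spec, container)
    csc = container.get("securityContext") or {}
    findings = []

    # Non-root may be inherited from the pod; a non-zero runAsUser also counts.
    non_root = sc.get("runAsNonRoot") is True or (
        isinstance(sc.get("runAsUser"), int) and sc["runAsUser"] > 0)
    if not non_root and name not in root_allowed:
        findings.append(f"{name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")

    # The remaining fields are container-level only.
    if csc.get("privileged") is True:
        findings.append(f"{name}: privileged container")
    if csc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem is not true")
    if csc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation is not false (unset leaves escalation allowed)")
    caps = csc.get("capabilities") or {}
    added = caps.get("add") or []
    if added:
        findings.append(f"{name}: adds capabilities {sorted(added)}")
    if "ALL" not in (caps.get("drop") or []):
        findings.append(f"{name}: does not drop ALL capabilities")
    return findings


def audit_pod(pod_spec, root_allowed=ROOT_ALLOWED):
    """Return findings for every regular and init container of one pod spec."""
    containers = list(pod_spec.get("containers") or []) + list(pod_spec.get("initContainers") or [])
    findings = []
    for c in containers:
        findings.extend(audit_container(pod_spec, c, root_allowed))
    return findings


# Constructed sample specs (assumptions for this example).
HARDENED_SC = {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
               "capabilities": {"drop": ["ALL"]}}

HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{"name": "portal-server", "image": "example/portal:1.0",
                    "securityContext": dict(HARDENED_SC)}],
}

UMC_POD = {  # both containers run as root, which only the allow-list tolerates
    "containers": [
        {"name": "umc-server", "securityContext": {"runAsUser": 0, **HARDENED_SC}},
        {"name": "sssd", "securityContext": {"runAsUser": 0, **HARDENED_SC}},
    ],
}

WEAK_POD = {  # container overrides the pod's runAsNonRoot and adds a capability
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "legacy",
                    "securityContext": {"runAsNonRoot": False,
                                        "capabilities": {"add": ["NET_ADMIN"]}}}],
}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED_POD), ("umc", UMC_POD), ("weak", WEAK_POD)):
        print(label, audit_pod(spec) or "OK")
```

To audit a namespace, load the JSON from kubectl get pods -n NAMESPACE -o json and call audit_pod(item["spec"]) for each entry in items; keep the root allow-list as short as the release notes describe, since every name on it is a container whose compromise yields root inside the container.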

2.1.3. Removed

  • Remove the hard-wired inclusion of the openDesk extensions.

    The extensions included the following aspects that moved to an explicit openDesk extension:

    • LDAP schema.

    • Custom UDM hooks.

    • Configuration for tiles in Management UI.

    • Branding customized to openDesk.

    • Pre-configured user accounts for ldapsearch, used by openDesk apps.

    • Portal content customized to openDesk.

      The portal content now corresponds to Univention Corporate Server (UCS).

    • Additional users default.admin and default.user.

      The Administrator user remains the only administrative user.

  • Remove the Stack Gateway Kubernetes pod that used to route the traffic within Nubus for Kubernetes.

  • Remove the hard dependency on cert-manager, a certificate manager for Kubernetes clusters.

    Operators can now configure their own certificates in their Ingress configuration or use a different certificate manager.

2.1.4. Fixed

  • The portal session now automatically refreshes as long as the browser window is open. Before, the portal session would time out after 10 minutes regardless of whether the portal was still in use.

  • Fix password renewal in Keycloak.

    Renewing the user password through Keycloak failed for expired passwords. It works as expected now.

  • Sending emails for password reset and user invitation now works correctly.

  • Init containers no longer print passwords to the log during Kubernetes pod initialization.

2.1.5. Known issues

  • The customization of the email body for the user invitation email isn’t possible yet.

    For more information, see Bug #57693.

2.2. Version 0.18.3 (Alpha) - 2024-05-31

This is the initial release of Nubus for Kubernetes, intended for evaluation purposes only; your feedback is nevertheless welcome. For more information about the product context, see Nubus – Identity & Access Management for Sovereign Cloud Suites in Kubernetes.

This is the first release that you can install on its own, outside of the openDesk context that Nubus for Kubernetes comes from. It still includes the look-and-feel and third-party integrations from openDesk. In future releases, the look-and-feel and third-party integrations will be moved to packaged integrations.

The release schedule includes additional alpha versions of Nubus for Kubernetes. Interfaces, features, and data structures may change until the version of Nubus for Kubernetes reaches production-ready status. As long as the product version is in alpha status, the product doesn’t promise migration paths or the ability to upgrade to future versions.

2.2.1. Changed

Planned deprecations for a future release
  • Move the default integrations for third-party applications from the core product to packaged integrations.

  • Remove the hard-coded openDesk theme.

  • Remove the LDAP notifier service.