2. Changelog#
This section provides the changelog for Nubus for Kubernetes from version 1.0.0 up to version 1.4.0. Each version has its own section.
2.1. Version 1.4.0 - 2024-12-02#
This is the second production release of Nubus for Kubernetes. Versions 1.1.0 to 1.3.0 were technical releases and weren’t intended for public use. This document includes and lists the changes for versions 1.1.0 to 1.3.0.
Important
For existing deployments, read the Secret management migration section before you deploy this version and conduct the proper preparation.
Upgrade path
For the upgrade to version 1.4.0, your deployment must run on version 1.0.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade.
2.1.1. Added#
Add support for encrypted connection to the PostgreSQL database in the Keycloak Extensions. The encrypted connection allows the use of custom certificate authority (CA) certificates.
Set these Helm values to configure an encrypted connection to the PostgreSQL database for Keycloak Extensions:
See also
- Enable encrypted connection to database in Univention Nubus for Kubernetes - Operation Manual [1] for how to configure an encrypted connection to the PostgreSQL database for the Keycloak Extensions.
2.1.2. Changed#
Change the UMC Server and the UMC Gateway in the Management UI to use RollingUpdate as default update strategy for these Kubernetes pods.
Change the default behavior for the following items related to the Management UI:
- Deactivate User template
When creating a user object in the Management UI, the wizard used the Self Service Registration Template.
The wizard now uses no template by default.
- Deactivate email invitation for created user objects
When creating a user object in the Management UI, by default the wizard prompted the administrator for the user’s email address, and activated the checkbox for sending an email invitation.
By default, the wizard now prompts for the initial user password and deactivates the email invitation checkbox. If you want to send an invitation email during the user creation process, you can activate the email invitation checkbox and the wizard prompts for the user’s email address.
- Activate the automatic search
When opening the users module in the Management UI, the module didn’t show any users by default until the first search.
When you open the users module in the Management UI, it now performs a first search by default and displays user objects.
After changing the theme and branding of the Portal Frontend the respective Kubernetes pods reload automatically.
Change the Secret management in Nubus. All components use a standardized Secret management with the existingSecret pattern shown in Listing 2.1. To adjust your existing values file, see Secret management migration.
Listing 2.1 The existingSecret pattern
existingSecret:
  name: "<secret-name>"
  keyMapping:
    key1: "<value1>"
2.1.3. Removed#
Remove releaseNameOverride from the Helm Chart.
2.1.4. Secret management migration#
Nubus for Kubernetes version 1.4.0 changed the pattern for the configuration of existing secret objects. This section describes the actions needed to prepare your Nubus deployment before you deploy version 1.4.0.
- Auto-generated secrets
You use auto-generated secrets if you haven’t configured any credentialSecret or existingSecret sections in your custom_values.yaml values file. If your deployment falls into this category, you don’t need to change anything regarding secret management.
- Existing secrets
You use existing secrets if you have configured credentialSecret sections in your custom_values.yaml values file. Go through your values file and verify the values.
Tip
To keep the listing brief, the following lists show values like existingSecret.name. They refer to the whole pattern as outlined in Listing 2.1. For credentialSecret, it also refers to its subsection credentialSecret.key.
This version adds the following values to the Helm Chart:
nubusProvisioning.registerConsumers.createUsers.portalConsumer.existingSecret.name
nubusProvisioning.registerConsumers.createUsers.selfserviceConsumer.existingSecret.name
nubusProvisioning.udmTransformer.nats.auth.existingSecret.name
This version changes the following values in the Helm Chart:
keycloak.postgresql.auth.credentialSecret to keycloak.postgresql.auth.existingSecret.name
nubusNotificationsApi.postgresql.auth.credentialSecret to nubusNotificationsApi.postgresql.auth.existingSecret.name
nubusProvisioning.dispatcher.nats.connection.password.secretKeyRef.key to nubusProvisioning.dispatcher.nats.auth.existingSecret.name
nubusProvisioning.prefill.nats.connection.password.secretKeyRef.key to nubusProvisioning.prefill.nats.auth.existingSecret.name
nubusUdmRestApi.ldap.connection.auth.credentialSecret.key to nubusUdmRestApi.udmRestApi.ldap.auth.existingSecret.name
nubusUmcServer.postgresl.auth.credentialSecret to nubusUmcServer.postgresql.auth.existingSecret.name
nubusUmcServer.memcached.auth.credentialSecret to nubusUmcServer.memcached.auth.existingSecret.name
nubusKeycloakExtensions.smtp.auth.credentialSecret to nubusKeycloakExtensions.smtp.auth.existingSecret.name
nubusKeycloakExtensions.keycloak.auth.credentialSecret to nubusKeycloakExtensions.keycloak.auth.existingSecret.name
nubusKeycloakExtensions.postgresql.auth.credentialSecret to nubusKeycloakExtensions.postgresql.auth.existingSecret.name
See also
- Secrets in Nubus for Kubernetes in Univention Nubus for Kubernetes - Operation Manual [1] for information about the different options.
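As an added example (not part of the Nubus Helm charts or the Univention documentation), the following Python check walks a parsed custom_values.yaml, decides whether a deployment falls into the auto-generated secrets category, and lists every deprecated path from the table above together with its 1.4.0 replacement. The sample values, secret names and key names are constructed placeholders.

```python
# Pre-upgrade check for the 1.0.0 -> 1.4.0 secret management migration.
# Input is a parsed custom_values.yaml as a nested dict (e.g. from yaml.safe_load).

# Old Helm value path -> new path, copied as printed in the 1.4.0 changelog.
RENAMED_VALUES = {
    "keycloak.postgresql.auth.credentialSecret": "keycloak.postgresql.auth.existingSecret.name",
    "nubusNotificationsApi.postgresql.auth.credentialSecret": "nubusNotificationsApi.postgresql.auth.existingSecret.name",
    "nubusProvisioning.dispatcher.nats.connection.password.secretKeyRef.key": "nubusProvisioning.dispatcher.nats.auth.existingSecret.name",
    "nubusProvisioning.prefill.nats.connection.password.secretKeyRef.key": "nubusProvisioning.prefill.nats.auth.existingSecret.name",
    "nubusUdmRestApi.ldap.connection.auth.credentialSecret.key": "nubusUdmRestApi.udmRestApi.ldap.auth.existingSecret.name",
    "nubusUmcServer.postgresl.auth.credentialSecret": "nubusUmcServer.postgresql.auth.existingSecret.name",
    "nubusUmcServer.memcached.auth.credentialSecret": "nubusUmcServer.memcached.auth.existingSecret.name",
    "nubusKeycloakExtensions.smtp.auth.credentialSecret": "nubusKeycloakExtensions.smtp.auth.existingSecret.name",
    "nubusKeycloakExtensions.keycloak.auth.credentialSecret": "nubusKeycloakExtensions.keycloak.auth.existingSecret.name",
    "nubusKeycloakExtensions.postgresql.auth.credentialSecret": "nubusKeycloakExtensions.postgresql.auth.existingSecret.name",
}

def lookup(values, dotted):
    """Follow a dotted path through nested dicts; None if any part is missing."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def find_deprecated_secret_values(values):
    """Return (old_path, new_path) pairs for every deprecated path set in values."""
    return [(old, new) for old, new in RENAMED_VALUES.items() if lookup(values, old) is not None]

def uses_auto_generated_secrets(values):
    """True when no credentialSecret or existingSecret section exists anywhere."""
    stack = [values]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if "credentialSecret" in node or "existingSecret" in node:
                return False
            stack.extend(node.values())
    return True

# Constructed sample values file (not from a real deployment); names are placeholders.
SAMPLE_VALUES = {
    "keycloak": {"postgresql": {"auth": {"credentialSecret": {"name": "kc-db-secret", "key": "password"}}}},
    "nubusProvisioning": {"dispatcher": {"nats": {"connection": {"password": {"secretKeyRef": {"name": "nats-secret", "key": "password"}}}}}},
    "nubusUmcServer": {"memcached": {"auth": {"existingSecret": {"name": "memcached-secret", "keyMapping": {"password": "memcached-password"}}}}},
}

if __name__ == "__main__":
    for old, new in find_deprecated_secret_values(SAMPLE_VALUES):
        print(f"rename {old} -> {new}")
```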
2.2. Version 1.0.0 - 2024-10-31#
This is the first production release of Nubus for Kubernetes.
Consider all changes as breaking changes, because no upgrade path exists from the alpha version 0.18.3 to this version.
2.2.1. Changed#
Change openLDAP from version 2.4 to 2.5.
Temporarily deactivate the Authorization Service in Nubus for Kubernetes.
This change doesn’t impact other Nubus components, because no other component uses the Authorization Service yet. For more information, see Authorization Service in Univention Nubus for Kubernetes - Architecture Manual [2].
Replace the listener/notifier mechanism with the Provisioning Service. Remove the listeners in the Portal Server and the End User Self Service and replace them with Consumers for the Provisioning Service.
The OX Connector also provides a Consumer to the Provisioning Service instead of a listener. However, the OX Connector isn’t part of Nubus for Kubernetes.
Deactivate plain sign-in by default. Instead, activate single sign-on through SAML by default in Keycloak.
Deactivate the Keycloak Extensions for brute force detection and new sign-in notification during the sign-in process by default.
For information about how to manually activate the Keycloak Extensions, see Keycloak Extensions in Univention Nubus for Kubernetes - Operation Manual [1].
Increase the number of available UMC modules in the Management UI. Besides the modules to manage user accounts, the Management UI shows the UMC modules available to Nubus for Kubernetes.
Change the Helm value structure for defining UCR variables under global.configUcr.
Change the format for loading initial data in Nubus for Kubernetes from Helm templates to Jinja2.
For example, setting the browser window title in the Management UI.
2.2.2. Added#
Add Ingress configuration for HTTP traffic routing in Nubus for Kubernetes. It replaces the Stack Gateway Kubernetes pod.
Increase security hardening through the following measures:
- Profile picture upload in End User Self Service
The End User Self Service re-encodes profile pictures of any origin format to JPEG to reduce the risk of malware injection. It also removes any metadata, such as EXIF, for improved privacy.
- Security context for pods
Docker containers run as non-root users.
The exception is the UMC Server and its sidecar container with sssd; they still need root privileges.
Docker containers mount their file system in read-only mode.
Processes can’t gain more privileges than their parent process, because of allowPrivilegeEscalation: false in the Kubernetes pod configuration.
- Capabilities
All default components of Nubus now use no extra capabilities in their Kubernetes pods.
See also
- Configure a Security Context for a Pod or Container for information about security context in Kubernetes.
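As an added example (not part of the Nubus charts or the Kubernetes documentation), the following Python audit checks a pod spec, as a dict from kubectl get pod -o json or yaml.safe_load, against the three hardening measures listed above: non-root user, read-only root file system with allowPrivilegeEscalation: false, and no added capabilities. The container names in ROOT_ALLOWED and the sample pod are constructed assumptions.

```python
# Audit a pod spec against the hardening measures described in this release.

# Containers the changelog exempts from the non-root rule: the UMC Server and its
# sssd sidecar. The container names are assumed, not taken from the charts.
ROOT_ALLOWED = {"umc-server", "sssd"}

def audit_container(container, pod_security=None):
    """Return a list of findings for one container spec (empty list = hardened)."""
    # Container-level securityContext overrides the pod-level one.
    sc = {**(pod_security or {}), **container.get("securityContext", {})}
    name = container.get("name", "<unnamed>")
    findings = []
    # Root: runAsNonRoot not enforced and runAsUser absent or 0 (the image default
    # may be root), unless the changelog explicitly allows root for this container.
    if sc.get("runAsNonRoot") is not True and sc.get("runAsUser", 0) == 0 and name not in ROOT_ALLOWED:
        findings.append(f"{name}: runs as root")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: root file system is writable")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    added = (sc.get("capabilities") or {}).get("add")
    if added:
        findings.append(f"{name}: adds capabilities {sorted(added)}")
    return findings

def audit_pod(pod):
    """Audit all regular and init containers of a pod; returns all findings."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(audit_container(container, pod_sc))
    return findings

# Constructed sample pod (not a real Nubus manifest): one hardened container and
# one that violates every measure.
SAMPLE_POD = {
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [
            {"name": "portal-server", "securityContext": {
                "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]}}},
            {"name": "debug-sidecar", "securityContext": {
                "runAsNonRoot": False, "runAsUser": 0,
                "capabilities": {"add": ["NET_ADMIN"]}}},
        ],
    },
}

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```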
Add interfaces to extend Nubus for Kubernetes, for example with customizations for openDesk.
Add configurable scalability for the following functional components in Nubus for Kubernetes:
- UMC Server and UMC Gateway in the Management UI.
- Keycloak in the Identity Provider.
- Portal Server and Portal Frontend in the Portal Service.
- LDAP Server in the Identity Store and Directory Service, especially read-only LDAP secondary servers.
See also
- Directory service high availability and scalability in Univention Nubus for Kubernetes - Operation Manual [1] for information about the configuration.
Add the ability to configure the browser window title of the Management UI.
global:
  configUcr:
    umc:
      web:
        title: "My custom title for the Management UI"
Add the ability to customize the branding for the Portal and Keycloak, namely the background images, HTML style (CSS) and the favicon.
See also
- Branding and themes in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [3] for information about how to customize the branding.
Add the ability to customize the cookie consent banner for the Portal and for Keycloak.
See also
- Consent for using cookies in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [3] for information about how to customize the cookie consent banner.
Add the ability to customize the links in the footer of the sign-in in Keycloak.
See also
- Customization of Keycloak sign-in in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [3] for information about how to customize the Keycloak sign-in.
Add the ability to configure the email body for the password reset emails.
See also
- Customization of self service emails in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [3] for information about how to customize the email body text for End User Self Service emails.
2.2.3. Removed#
Remove the hardwired inclusion of the openDesk extensions.
The extensions included the following aspects that moved to an explicit openDesk extension:
- LDAP schema.
- Custom UDM hooks.
- Configuration for tiles in the Management UI.
- Branding customized to openDesk.
- Pre-configured user accounts for ldapsearch for usage in openDesk apps.
- Portal content customized to openDesk. The portal content now corresponds to Univention Corporate Server (UCS).
- Additional users default.admin and default.user. The Administrator user remains the only administrative user.
Remove the Stack Gateway Kubernetes pod that used to route the traffic within Nubus for Kubernetes.
Remove the hard dependency on cert-manager, a certificate manager for Kubernetes clusters.
Operators can now configure their own certificates in their Ingress configuration or use a different certificate manager.
2.2.4. Fixed#
The portal session now automatically refreshes as long as the browser window is open. Before, the portal session would time out after 10 minutes regardless of whether the portal was still in use.
Fix password renewal in Keycloak.
Renewing the user password through Keycloak failed for expired passwords. It works as expected now.
Sending emails for password reset and user invitation now works as expected.
Init containers no longer print passwords into logging during Kubernetes pod initialization.
2.2.5. Known issues#
The customization of the email body for the user invitation email isn’t possible yet.
For more information, see Bug #57693.
2.3. Version 0.18.3 (Alpha) - 2024-05-31#
This is the initial release of Nubus for Kubernetes intended for evaluation purposes. For more information about the product context, see Nubus: Identity & Access Management for Sovereign Cloud Suites in Kubernetes. However, your feedback is welcome.
This is the first release that you can install on its own, outside of the openDesk context that Nubus for Kubernetes comes from. It still includes the look-and-feel and third-party integrations from openDesk. In future releases, the look-and-feel and third-party integrations will be moved to packaged integrations.
The release schedule includes additional alpha versions of Nubus for Kubernetes. Interfaces, features, and data structures may change until the version of Nubus for Kubernetes reaches production-ready status.
Important
As long as the product version is in alpha status, the product doesn’t promise migration paths or the ability to upgrade to future versions.
2.3.1. Changed#
- Planned deprecations for a future release
  - Move the default integrations for third-party applications from the core product to packaged integrations.
  - Remove the hard-coded openDesk theme.
  - Remove the LDAP notifier service.