2. Changelog

This section provides the changelog for Nubus for Kubernetes. Each version has its own subsection.

2.1. Version 1.5.1 - 2024-12-11

This is the third production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.5.1, your deployment must run on version 1.5.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade.

2.1.1. Added

2.2. Version 1.5.0 - 2024-12-09

The highlight of this release is the support for running two LDAP Primary servers in mirror mode to meet high-availability requirements. You need to migrate your existing Nubus for Kubernetes environment before you upgrade Nubus to 1.5.0 to make it mirror-ready and avoid data loss. For the steps, see Migrate existing LDAP Server to mirror mode readiness.

Upgrade path

For the upgrade to version 1.5.0, your deployment must run on version 1.4.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade.

2.2.1. Added

Add support for operating two LDAP Primaries in mirror mode to satisfy high-availability requirements.

Nubus uses Kubernetes Leases to ensure that only one LDAP Primary is active at a time and keeps the second LDAP Primary ready to take over. Each of the two LDAP Primary servers adds a leader elector sidecar container that competes for the lease once the servers are ready. If the active LDAP Primary fails to renew its lease, Kubernetes switches over to the other ready LDAP Primary and promotes it to the active node. To configure LDAP Primary high availability, Nubus adds the following high-availability configuration to the Helm Chart values:

You need to migrate your existing Nubus for Kubernetes environment before you upgrade Nubus to 1.5.0 to make it mirror-ready and avoid data loss. For the steps, see Migrate existing LDAP Server to mirror mode readiness.

Important

High availability doesn’t replace a backup concept, because it synchronizes the data to the other LDAP Primary as quickly as possible. If data becomes corrupted, for example through operating errors, only a backup allows you to restore clean data.

See also

LDAP Primary

in Univention Nubus for Kubernetes - Operation Manual [1] for information about how to set up high availability for the LDAP Server.

2.2.2. Changed

Change the UDM Listener in the Provisioning Service to ensure it always connects to the first LDAP Primary, even in environments with two LDAP Primaries, to keep the listener’s state consistent with the LDAP transaction log. If the first LDAP Primary isn’t ready, the UDM Listener doesn’t notify the Provisioning Service of changes to user and group objects until Kubernetes restarts the first LDAP Primary.

See also

Notify about changes to directory objects

in Univention Nubus for Kubernetes - Architecture Manual [3] for information about the relation between the UDM Listener and the Identity Store and Directory Service.

2.2.3. Migrate existing LDAP Server to mirror mode readiness

Before you can upgrade to Nubus 1.5.0, you need to make your LDAP Servers ready for mirror mode by following these steps. Note the optional step after the ConfigMap configuration that activates mirror mode.

  1. Add the configuration ldap_database_initialized: initialized to indicate a successful LDAP Server setup.

    Run the command in Listing 2.1.

    Listing 2.1 Add data to ConfigMap to indicate successful LDAP Server setup
    $ kubectl \
       --namespace "${NAMESPACE_FOR_NUBUS}" \
       create configmap \
       "${RELEASE_NAME}-ldap-server-status" \
       --from-literal=ldap_database_initialized=initialized
    configmap/nubus-ldap-server-status created
    
  2. Add the label app.kubernetes.io/managed-by: ldap-server-evaluate-database-init to the LDAP Server status ConfigMap.

    Run the command in Listing 2.2.

    Listing 2.2 Add label to LDAP Server ConfigMap
    $ kubectl \
       --namespace "${NAMESPACE_FOR_NUBUS}" \
       label configmap \
       "${RELEASE_NAME}-ldap-server-status" \
       app.kubernetes.io/managed-by=ldap-server-evaluate-database-init
    configmap/nubus-ldap-server-status labeled
    

    Note

    The label is why you can’t use Helm to create the ConfigMap: the LDAP Server manages the ConfigMap itself, and Helm mustn’t change it, so that its state persists across upgrades.

Applying these steps makes your Nubus deployment ready for mirror mode. If you then want to activate mirror mode, follow the steps in LDAP Primary in Univention Nubus for Kubernetes - Operation Manual [1].
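As an added example that is not part of the Nubus documentation or its Helm Chart, the following preflight check reads the JSON of kubectl get configmap "${RELEASE_NAME}-ldap-server-status" -o json and reports whether the literal from Listing 2.1 and the label from Listing 2.2 are both in place before you start the 1.5.0 upgrade. The function names and the two sample manifests are assumptions constructed for this example.

```python
import json
import subprocess
import sys

# Expected values from Listings 2.1 and 2.2.
STATUS_KEY, STATUS_VALUE = "ldap_database_initialized", "initialized"
LABEL_KEY, LABEL_VALUE = "app.kubernetes.io/managed-by", "ldap-server-evaluate-database-init"


def check_mirror_ready(manifest_json: str) -> list:
    """Return the problems found in the ConfigMap JSON; an empty list means mirror-ready."""
    cm = json.loads(manifest_json)
    problems = []
    if cm.get("kind") != "ConfigMap":
        problems.append(f"expected kind ConfigMap, got {cm.get('kind')!r}")
    data = cm.get("data") or {}
    if data.get(STATUS_KEY) != STATUS_VALUE:
        problems.append(f"data.{STATUS_KEY} is {data.get(STATUS_KEY)!r}, "
                        f"expected {STATUS_VALUE!r} (Listing 2.1)")
    labels = (cm.get("metadata") or {}).get("labels") or {}
    if labels.get(LABEL_KEY) != LABEL_VALUE:
        problems.append(f"label {LABEL_KEY} is {labels.get(LABEL_KEY)!r}, "
                        f"expected {LABEL_VALUE!r} (Listing 2.2)")
    return problems


def fetch_manifest(namespace: str, release_name: str) -> str:
    """Read the live ConfigMap with kubectl (needs cluster access; the samples below do not)."""
    cmd = ["kubectl", "--namespace", namespace, "get", "configmap",
           f"{release_name}-ldap-server-status", "-o", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample: both listings applied.
SAMPLE_READY = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "nubus-ldap-server-status", "labels": {LABEL_KEY: LABEL_VALUE}},
    "data": {STATUS_KEY: STATUS_VALUE},
})
# Constructed sample: Listing 2.1 applied but the label from Listing 2.2 forgotten.
SAMPLE_UNLABELED = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "nubus-ldap-server-status"},
    "data": {STATUS_KEY: STATUS_VALUE},
})

if __name__ == "__main__":
    src = fetch_manifest(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_READY
    problems = check_mirror_ready(src)
    print("mirror-ready" if not problems else "\n".join("NOT READY: " + p for p in problems))
```

Run it as python3 check_mirror_ready.py "${NAMESPACE_FOR_NUBUS}" "${RELEASE_NAME}" against the cluster; without arguments it checks the constructed SAMPLE_READY manifest.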

2.3. Version 1.4.0 - 2024-12-02

This is the second production release of Nubus for Kubernetes. The versions 1.1.0 to 1.3.0 were technical releases and weren’t intended for public use. This document includes and lists the changes for the versions 1.1.0 to 1.3.0.

Important

For existing deployments, read the Secret management migration section before you deploy this version and conduct the proper preparation.

Upgrade path

For the upgrade to version 1.4.0, your deployment must run on version 1.0.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade.

2.3.1. Added

Add support for encrypted connection to the PostgreSQL database in the Keycloak Extensions. The encrypted connection allows the use of custom certificate authority (CA) certificates.

Set these Helm values to configure an encrypted connection to the PostgreSQL database for Keycloak Extensions:

See also

Enable encrypted connection to database

in Univention Nubus for Kubernetes - Operation Manual [1] for how to configure an encrypted connection to the PostgreSQL database for the Keycloak Extensions.

2.3.2. Changed

  • Change the UMC Server and the UMC Gateway in the Management UI to use RollingUpdate as the default update strategy for these Kubernetes pods.

  • Change the default behavior for the following items related to the Management UI:

    Deactivate User template

    When creating a user object in the Management UI, the wizard used the Self Service Registration Template.

    The wizard now uses no template by default.

    Deactivate email invitation for created user objects

    When creating a user object in the Management UI, by default the wizard prompted the administrator for the user’s email address, and activated the checkbox for sending an email invitation.

    By default, the wizard now prompts for the initial user password and deactivates the email invitation checkbox. If you want to send an invitation email during the user creation process, you can activate the email invitation checkbox and the wizard prompts for the user’s email address.

    Activate the automatic search

    When opening the users module in the Management UI, the module didn’t show any users by default until the first search.

    When you open the users module in the Management UI, it now performs a first search by default and displays user objects.

  • After changing the theme and branding of the Portal Frontend, the respective Kubernetes pods reload automatically.

  • Change the Secret management in Nubus. All components use a standardized Secret management across components with the existingSecret pattern in Listing 2.3.

    To adjust your existing values file, see Secret management migration.

    Listing 2.3 Configuration pattern for secrets using existingSecret
    existingSecret:
      name: "<secret-name>"
      keyMapping:
        key1: "<value1>"
    

2.3.3. Removed

  • Remove releaseNameOverride from the Helm Chart.

2.3.4. Secret management migration

Nubus for Kubernetes version 1.4.0 changed the pattern for the configuration of existing secret objects. This section describes the needed actions to prepare your Nubus deployment before you deploy version 1.4.0.

Auto-generated secrets

You use auto-generated secrets if you haven’t configured any credentialSecret or existingSecret sections in your custom_values.yaml values file.

If your deployment falls into this category, you don’t need to change anything regarding secret management.

Existing secrets

You use existing secrets if you have configured credentialSecret sections in your custom_values.yaml values file. Go through your values file and verify the values.

Tip

To keep the listing brief, the following lists show values like existingSecret.name. Each such value refers to the whole pattern as outlined in Listing 2.3.

Likewise, credentialSecret also refers to its subsection credentialSecret.key.

This version adds the following values to the Helm Chart:

This version changes the following values in the Helm Chart:

See also

Secrets in Nubus for Kubernetes

in Univention Nubus for Kubernetes - Operation Manual [1] for information about the different options.

2.4. Version 1.0.0 - 2024-10-31

This is the first production release of Nubus for Kubernetes.

Consider all changes as breaking changes, because no upgrade path exists from the alpha version 0.18.3 to this version.

2.4.1. Changed

  • Change OpenLDAP from version 2.4 to 2.5.

  • Temporarily deactivate the Authorization Service in Nubus for Kubernetes.

    This change doesn’t impact other Nubus components, because no other component uses the Authorization Service yet. For more information, see Authorization Service in Univention Nubus for Kubernetes - Architecture Manual [3].

  • Replace the listener/notifier mechanism with the Provisioning Service. Remove the listeners in the Portal Server and the End User Self Service and replace them with Consumers for the Provisioning Service.

    The OX Connector also provides a Consumer to the Provisioning Service instead of a listener. However, the OX Connector isn’t part of Nubus for Kubernetes.

  • Deactivate plain sign-in by default. Instead, activate single sign-on through SAML by default in Keycloak.

  • Deactivate the Keycloak Extensions for brute force detection and new sign-in notification during the sign-in process by default.

    For information about how to manually activate the Keycloak Extensions, see Keycloak Extensions in Univention Nubus for Kubernetes - Operation Manual [1].

  • Increase the number of available UMC modules in the Management UI. Besides the modules to manage user accounts, the Management UI shows the UMC modules available to Nubus for Kubernetes.

  • Change the Helm value structure for defining UCR variables under global.configUcr.

  • Change the format for loading initial data in Nubus for Kubernetes from Helm templates to Jinja2.

    For example, setting the browser window title in the Management UI.

2.4.2. Added

  • Add Ingress configuration for HTTP traffic routing in Nubus for Kubernetes. Replaces the Stack Gateway Kubernetes pod.

  • Increase security hardening through the following measures:

    Profile picture upload in End User Self Service

    The End User Self Service re-encodes profile pictures of any origin format to JPEG to reduce the risk of malware injection. It also removes any metadata, such as EXIF, for improved privacy.

    Security context for pods
    • Docker containers run as non-root users.

      The exception is the UMC Server and its sidecar container with sssd; they still need root privileges.

    • Docker containers mount their file system in read-only mode.

    • Processes can’t gain more privileges than their parent process, because of allowPrivilegeEscalation: false in the Kubernetes pod configuration.

    Capabilities

    No default component of Nubus requests extra capabilities in its Kubernetes pods.

    See also

    Configure a Security Context for a Pod or Container

    for information about security context in Kubernetes.

  • Add interfaces to extend Nubus for Kubernetes, for example with customizations for openDesk.

  • Add configurable scalability for the following functional components in Nubus for Kubernetes:

    • UMC Server and UMC Gateway in Management UI.

    • Keycloak in Identity Provider.

    • Portal Server and Portal Frontend in the Portal Service.

    • LDAP Server in Identity Store and Directory Service, especially read-only LDAP secondary servers.

      See also

      Directory service high availability and scalability

      in Univention Nubus for Kubernetes - Operation Manual [1] for information about the scalability configuration of the Identity Store and Directory Service.

    See also

    Scalability

    in Univention Nubus for Kubernetes - Operation Manual [1] for information about the scalability configuration in the Management UI, Identity Provider, and the Portal Service.

  • Add the ability to configure the browser window title of the Management UI.

    Listing 2.4 Example for custom_values.yaml deployment file to change title of the Management UI
    global:
      configUcr:
        umc:
          web:
            title: "My custom title for the Management UI"
    
  • Add the ability to customize the branding for the Portal and Keycloak, namely the background images, HTML style (CSS) and the favicon.

    See also

    Branding and themes

    in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [4] for information about how to customize the branding.

  • Add the ability to customize the cookie consent banner for the Portal and for Keycloak.

    See also

    Consent for using cookies

    in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [4] for information about how to customize the cookie consent banner.

  • Add the ability to customize the links in the footer of the sign-in in Keycloak.

    See also

    Customization of Keycloak sign-in

    in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [4] for information about how to customize the Keycloak sign-in.

  • Add the ability to configure the email body for the password reset emails.

    See also

    Customization of self service emails

    in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [4] for information about how to customize the email body text for End User Self Service emails.

2.4.3. Removed

  • Remove the hardwired inclusion of the openDesk extensions.

    The extensions included the following aspects that moved to an explicit openDesk extension:

    • LDAP schema.

    • Custom UDM hooks.

    • Configuration for tiles in Management UI.

    • Branding customized to openDesk.

    • Pre-configured user accounts for ldapsearch for usage in openDesk apps.

    • Portal content customized to openDesk.

      The portal content now corresponds to Univention Corporate Server (UCS).

    • Additional users default.admin and default.user.

      The Administrator user remains the only administrative user.

  • Remove the Stack Gateway Kubernetes pod that used to route the traffic within Nubus for Kubernetes.

  • Remove the hard dependency on cert-manager, a certificate manager for Kubernetes clusters.

    Operators can now configure their own certificates in their Ingress configuration or use a different certificate manager.

2.4.4. Fixed

  • The portal session now automatically refreshes as long as the browser window is open. Before, the portal session would time out after 10 minutes regardless of whether the portal was still in use.

  • Fix password renewal in Keycloak.

    Renewing the user password through Keycloak failed for expired passwords. It works as expected now.

  • Sending emails for password reset and user invitation now works correctly.

  • Init containers no longer print passwords into logging during Kubernetes pod initialization.

2.4.5. Known issues

  • The customization of the email body for the user invitation email isn’t possible yet.

    For more information, see Bug #57693.

2.5. Version 0.18.3 (Alpha) - 2024-05-31

This is the initial release of Nubus for Kubernetes, intended for evaluation purposes only; nevertheless, your feedback is welcome. For more information about the product context, see Identity & Access Management for Sovereign Cloud Suites in Kubernetes.

This is the first release that you can install on its own, outside of the openDesk context that Nubus for Kubernetes comes from. It still includes the look-and-feel and third-party integrations from openDesk. In future releases, the look-and-feel and third-party integrations will be moved to packaged integrations.

The release schedule includes additional alpha versions of Nubus for Kubernetes. Interfaces, features, and data structures may change until the version of Nubus for Kubernetes reaches production-ready status.

Important

As long as the product version is in alpha status, the product doesn’t promise migration paths or the ability to upgrade to future versions.

2.5.1. Changed

Planned deprecations for a future release
  • Move the default integrations for third-party applications from the core product to packaged integrations.

  • Remove the hard-coded openDesk theme.

  • Remove the LDAP notifier service.