Changelog#
The section provides the changelog for Nubus for Kubernetes. You find each version in a separate section. The heading contains the version information together with the release date.
Version 1.10.2 - 2025-06-06#
This is the twelfth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.10.2, your deployment must run on version 1.9.0 to 1.9.2. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps#
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.
Follow and apply the migration steps outlined in v1.10.0 - Migration steps.
Changes#
Correct the behavior of two Helm variables in the UDM REST API
univentionObjectIdentifiermigration job: The variablesnubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.imagePullPolicyandnubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.registryare now effective at controlling the image registry and pull policy for the container image used in the job.
Version 1.10.1 - 2025-06-02#
This is the eleventh production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.10.1, your deployment must run on version 1.9.0 to 1.9.2. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps#
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.
Follow and apply the migration steps outlined in v1.10.0 - Migration steps.
Changes#
Remove quotes from additional annotations in UDM REST API Blocklists cleanup job.
Version 1.10.0 - 2025-05-27#
This is the tenth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.10.0, your deployment must run on version 1.9.0 to 1.9.2. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration-steps#
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.
Operators have to delete the following Keycloak clients from the Keycloak Admin Console before upgrading due to a wrong configuration that prohibited access to the Guardian:
guardian-scriptsguardian-management-apiguardian-ui
The upgrade process recreates the proper client configuration in Keycloak.
It’s necessary for operators to trigger the generation of the
univentionObjectIdentifierfor existing UDM objects and directory objects, because future releases of Nubus for Kubernetes rely on it.- Recommendation:
The Helm chart already creates a migration job in a suspended state. Run the migration job as shown in listing Listing 1 at a time with low system load on the cluster. It takes around 6 minutes per 100.000 LDAP objects.
After a successful run, set
nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.enabledtofalseso that Kubernetes doesn’t create the job again.
After a successful run, you must deactivate the job by setting
nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.enabledtofalse.$ kubectl patch job/<JOB_NAME> \ --type=strategic \ --patch '{"spec":{"suspend":false}}'
Operators that make use of the following UDM Listener secrets variables, need to adjust these accordingly:
Rename
nubusUdmListener.ldap.credentialSecret.*tonubusUdmListener.ldap.auth.existingSecret.*.Rename
nubusUdmListener.nats.auth.credentialSecret.*tonubusUdmListener.nats.auth.existingSecret.*Rename
nubusUdmListener.provisioningApi.auth.credentialSecret.*tonubusUdmListener.provisioningApi.auth.existingSecret.*Move Provisioning username sourced from secret key in
nubusUdmListener.provisioningApi.auth.credentialSecret.userNameKeyto a non-secret valuenubusUdmListener.provisioningApi.auth.username.
For the structure of
existingSecret, see Listing 2.
Changes#
The UMC Server initialization containers now run as non-root.
The Portal Consumer initialization containers now run as non-root and with a read-only file system.
The Guardian initialization containers now run as non-root and with a read-only file system.
Fix Authorization Service
guardian-uiKeycloak client missing redirect URL and scopes, which caused the login flow at the Guardian API to fail.Remove the pre-configured report generation from the menu in the user accounts view of the UMC Server of the Management UI.
Fix warnings on the ingress controller by adjusting Nginx annotations.
Refactor UDM secret configuration for Stack Data job at
nubusStackDataUms.udm.auth.existingSecret.*with the structure outlined in Listing 2. The default values remain the same. No migration steps are necessary.existingSecret: name: "" keyMapping: password: ""
Enable Blocklists by default. Blocklists allow administrators to block values, such as email addresses, from being re-used until an expiration date.
Add the following Helm Chart variables at
nubusUdmRestApi.blocklistCleanup.*:
Allow configuration of the size and storage class of the persistent volume in UDM Listener, for example, to allow importing large amounts of users.
Add
univentionObjectIdentifierto all UDM object types.The
univentionObjectIdentifieris a uniqueUUID4identifier for objects in the Directory Service. Operators can use it when connecting Nubus to other systems, to uniquely identify objects across the different systems and services.Add the following Helm Chart variables at
nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.*:nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.enablednubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.suspendnubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.pythonLogLevelnubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.imagePullPolicynubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.registrynubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.repositorynubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.tag
Starting with this version of Nubus for Kubernetes, UDM HTTP REST API and UMC create UDM objects with
univentionObjectIdentifier. If not explicitly configured otherwise, they use a UUID4 to generate the identifier.
Version 1.9.2 - 2025-05-14#
This is the ninth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.9.2, your deployment must run on version 1.8.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration-steps#
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.
Follow and apply the migration steps outlined in v1.9.1 - Migration steps and in v1.9.0 - Migration steps.
Changes#
Fix an issue for handling existing custom secrets from
nubusPortalConsumer.objectStorage.auth.accessKeyIdandnubusPortalConsumer.objectStorage.auth.secretAccessKeyin the Portal Consumer. Affected installation specified those secrets in the custom values. Because of wrong keys, Nubus generated secrets itself instead of using the existing secret values.Fix icons in the Portal displaying icons of Management UI with question mark (
?) instead of the icon. The UMC Gateway has the icons for UMC in the correct location.
Version 1.9.1 - 2025-05-07#
This is the eight production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.9.1, your deployment must run on version 1.8.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps#
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.
If you defined custom values for security contexts
nubusGuardian.*.securityContext.enabledin the Guardian apply the renames listed in the v1.9.1 - Changes.Follow and apply the migration steps outlined in v1.9.0 - Migration steps.
Changes#
In the UMC Server of the Management UI, remove the Helm Chart value
nubusUmcServer.containerSecurityContextSssd.supplementalGroups.Fix warnings in the Portal Consumer and the UMC Server in the Management UI related to the generated Kubernetes manifests.
The Guardian Helm Chart contained unexpected keys, because of mistaking the container security context for the pod security context.
Add the following Helm Chart variables:
nubusGuardian.managementUi.*:nubusGuardian.openPolicyAgent.*:Rename the following Helm Chart variables:
nubusGuardian.authorizationApi.*:nubusGuardian.authorizationApi.securityContext.allowPrivilegeEscalationtonubusGuardian.authorizationApi.containerSecurityContext.allowPrivilegeEscalation.nubusGuardian.authorizationApi.securityContext.capabilities.droptonubusGuardian.authorizationApi.containerSecurityContext.capabilities.drop.nubusGuardian.authorizationApi.securityContext.enabledtonubusGuardian.authorizationApi.containerSecurityContext.enabled.nubusGuardian.authorizationApi.securityContext.privilegedtonubusGuardian.authorizationApi.containerSecurityContext.privileged.nubusGuardian.authorizationApi.securityContext.readOnlyRootFilesystemtonubusGuardian.authorizationApi.containerSecurityContext.readOnlyRootFilesystem.nubusGuardian.authorizationApi.securityContext.runAsGrouptonubusGuardian.authorizationApi.containerSecurityContext.runAsGroup.nubusGuardian.authorizationApi.securityContext.runAsNonRoottonubusGuardian.authorizationApi.containerSecurityContext.runAsNonRoot.nubusGuardian.authorizationApi.securityContext.runAsUsertonubusGuardian.authorizationApi.containerSecurityContext.runAsUser.nubusGuardian.authorizationApi.securityContext.seccompProfile.typetonubusGuardian.authorizationApi.containerSecurityContext.seccompProfile.type.
nubusGuardian.managementApi.*:nubusGuardian.managementApi.securityContext.allowPrivilegeEscalationtonubusGuardian.managementApi.containerSecurityContext.allowPrivilegeEscalation.nubusGuardian.managementApi.securityContext.capabilities.droptonubusGuardian.managementApi.containerSecurityContext.capabilities.drop.nubusGuardian.managementApi.securityContext.enabledtonubusGuardian.managementApi.containerSecurityContext.enabled.nubusGuardian.managementApi.securityContext.privilegedtonubusGuardian.managementApi.containerSecurityContext.privileged.nubusGuardian.managementApi.securityContext.readOnlyRootFilesystemtonubusGuardian.managementApi.containerSecurityContext.readOnlyRootFilesystem.nubusGuardian.managementApi.securityContext.runAsGrouptonubusGuardian.managementApi.containerSecurityContext.runAsGroup.nubusGuardian.managementApi.securityContext.runAsNonRoottonubusGuardian.managementApi.containerSecurityContext.runAsNonRoot.nubusGuardian.managementApi.securityContext.runAsUsertonubusGuardian.managementApi.containerSecurityContext.runAsUser.nubusGuardian.managementApi.securityContext.seccompProfile.typetonubusGuardian.managementApi.containerSecurityContext.seccompProfile.type.
nubusGuardian.managementUi.*:nubusGuardian.managementUi.securityContext.allowPrivilegeEscalationtonubusGuardian.managementUi.containerSecurityContext.allowPrivilegeEscalation.nubusGuardian.managementUi.securityContext.capabilities.droptonubusGuardian.managementUi.containerSecurityContext.capabilities.drop.nubusGuardian.managementUi.securityContext.privilegedtonubusGuardian.managementUi.containerSecurityContext.privileged.nubusGuardian.managementUi.securityContext.readOnlyRootFilesystemtonubusGuardian.managementUi.containerSecurityContext.readOnlyRootFilesystem.nubusGuardian.managementUi.securityContext.runAsGrouptonubusGuardian.managementUi.containerSecurityContext.runAsGroup.nubusGuardian.managementUi.securityContext.runAsNonRoottonubusGuardian.managementUi.containerSecurityContext.runAsNonRoot.nubusGuardian.managementUi.securityContext.runAsUsertonubusGuardian.managementUi.containerSecurityContext.runAsUser.nubusGuardian.managementUi.securityContext.seccompProfile.typetonubusGuardian.managementUi.containerSecurityContext.seccompProfile.type.nubusGuardian.managementUi.podSecurityContexttonubusGuardian.managementUi.containerSecurityContext.enabled.
nubusGuardian.openPolicyAgent.*:nubusGuardian.openPolicyAgent.securityContext.allowPrivilegeEscalationtonubusGuardian.openPolicyAgent.containerSecurityContext.allowPrivilegeEscalation.nubusGuardian.openPolicyAgent.securityContext.capabilities.droptonubusGuardian.openPolicyAgent.containerSecurityContext.capabilities.drop.nubusGuardian.openPolicyAgent.securityContext.privilegedtonubusGuardian.openPolicyAgent.containerSecurityContext.privileged.nubusGuardian.openPolicyAgent.securityContext.readOnlyRootFilesystemtonubusGuardian.openPolicyAgent.containerSecurityContext.readOnlyRootFilesystem.nubusGuardian.openPolicyAgent.securityContext.runAsGrouptonubusGuardian.openPolicyAgent.containerSecurityContext.runAsGroup.nubusGuardian.openPolicyAgent.securityContext.runAsNonRoottonubusGuardian.openPolicyAgent.containerSecurityContext.runAsNonRoot.nubusGuardian.openPolicyAgent.securityContext.runAsUsertonubusGuardian.openPolicyAgent.containerSecurityContext.runAsUser.nubusGuardian.openPolicyAgent.securityContext.seccompProfile.typetonubusGuardian.openPolicyAgent.containerSecurityContext.seccompProfile.type.
nubusGuardian.provisioning.*:nubusGuardian.provisioning.securityContext.allowPrivilegeEscalationtonubusGuardian.provisioning.containerSecurityContext.allowPrivilegeEscalation.nubusGuardian.provisioning.securityContext.enabledtonubusGuardian.provisioning.containerSecurityContext.enabled.nubusGuardian.provisioning.securityContext.privilegedtonubusGuardian.provisioning.containerSecurityContext.privileged.nubusGuardian.provisioning.securityContext.readOnlyRootFilesystemtonubusGuardian.provisioning.containerSecurityContext.readOnlyRootFilesystem.nubusGuardian.provisioning.securityContext.runAsGrouptonubusGuardian.provisioning.containerSecurityContext.runAsGroup.nubusGuardian.provisioning.securityContext.runAsNonRoottonubusGuardian.provisioning.containerSecurityContext.runAsNonRoot.nubusGuardian.provisioning.securityContext.runAsUsertonubusGuardian.provisioning.containerSecurityContext.runAsUser.nubusGuardian.provisioning.securityContext.seccompProfile.typetonubusGuardian.provisioning.containerSecurityContext.seccompProfile.type.
Version 1.9.0 - 2025-05-04#
This is the seventh production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.9.0, your deployment must run on version 1.8.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Release highlights#
Nubus for Kubernetes 1.9.0 provides the following highlights:
Preview feature: News feed integration into the Portal Service supporting the Rich Site Summary (RSS) and Atom specification.
In the Management UI, the UMC Server container and its sidecar container with SSSD run as non-root.
Update Keycloak in the Identity Provider from version 25 to version 26.
Important
With version 1.9.0, Nubus for Kubernetes enforces licenses. If operators already had a license installed, Nubus didn’t enforce the license before. For information about how to add a license to Nubus for Kubernetes, see Nubus license.
To validate if a license is already present, run the command in Listing 3.
$ export NAMESPACE_FOR_NUBUS="Set to your Kubernetes namespace"
$ kubectl exec \
--namespace "$NAMESPACE_FOR_NUBUS" \
-it \
nubus-ldap-server-primary-0 \
-- bash -c "slapcat | sed -nr '/dn:.*?,cn=license/,/^\s*$/p'"
The result looks similar to the output in Listing 4.
In case for a paid-support license,
the field univentionLicenseUsers has an integer number.
Nubus now enforces the given univentionLicenseUsers in the Management UI.
...
univentionLicenseBaseDN: UCS Core Edition
...
univentionLicenseUsers: unlimited
...
Migration steps#
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.
You need to provide PostgreSQL at least in version 15 or later, because of Keycloak 26.
Operators that use their own secrets in the Portal Consumer, need to adjust to the
existingSecretsettings. For more information, see the documented Helm Chart variable renames in the Portal Consumer section.Operators that use their own secrets for the Guardian, need to adjust to the
existingSecretsettings. For more information, see the documented Helm Chart variable renames in the Guardian Helm chart section.Adjust your branding for the favicon. Nubus supports additional favicons with higher resolution to support, for example, browser preferences and shortcuts on home screens in Android and iOS mobile devices.
Besides
nubusPortalFrontend.portalFrontend.branding.favicon, add the Helm Chart values as outlined the changes for the Portal Frontend.
Changes#
The UMC Server container and the sidecar container to UMC Server with SSSD run as a non-root user.
Add the Helm Chart value
nubusUmcServer.sssd.debugLevel.Packaged integrations continue to work, when Kubernetes restarts pods. Before, packaged integrations only worked when Kubernetes (re)created the pods.
Add license support to Nubus for Kubernetes.
An explicit Helm Chart enables operators to add a license for Nubus. Furthermore, Nubus for Kubernetes enforces license restrictions.
The change adds the following Helm Chart values:
Add Helm Chart values to configure error messages and their translations for Keycloak.
German:
English:
Introduce semantic versioning for the Univention Keycloak container image. The container image version numbering deliberately restarts at 0.0.1, to avoid confusion with the version of Keycloak inside the container, as the image contains more artifacts than just Keycloak.
Update all components in Nubus for Kubernetes to use the UCS 5.2-1 base image and include bug fixes up to the errata update UCS 5.2 erratum 73. For UCS errata updates, see Security and bugfix errata for UCS 5.2. Reference date is 24. April 2025.
Replace references to the Helm Chart registry
docker.iowithcharts.bitnami.comfor bundled dependencies to avoid rate limits and because Helm doesn’t have a pull proxy option for Helm Charts.Add support to customize the LDAP indexes in the Directory Service during upgrades. The Directory Service identifies the changed indexes at startup time and automatically runs slapindex for all required attributes.
The index customization increases the startup time of the Directory Service for once, at the next start. As a rough estimation, the index creation takes about 2 minutes per attribute per 100,000 users.
Add the
univentionObjectIdentifierLDAP attribute to the default index in the UCR configuration through theglobal.configUcr.ldap.index.eqandglobal.configUcr.ldap.index.presHelm Chart values.Add the following Helm Chart values:
Add the following Helm Chart values related to security:
nubusUmcServer.containerSecurityContextSssd.supplementalGroups
Portal Consumer#
Refactor the Portal Consumer Helm Chart
to follow the strategy for using Kubernetes secrets in Nubus for Kubernetes.
The Portal Consumer allows using existingSecret Helm Chart values for the following items:
LDAP authentication credentials
S3-compatible object storage authentication credentials
Provisioning API authentication credentials
Add the following Helm Chart values:
nubusPortalConsumer.ldap.auth.existingSecret.keyMapping.passwordnubusPortalConsumer.provisioningApi.auth.existingSecret.keyMapping.passwordnubusPortalConsumer.provisioningApi.auth.existingSecret.name
Rename the following Helm Chart values:
nubusPortalConsumer.objectStorage.auth.accessKeytonubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.accessKey.nubusPortalConsumer.objectStorage.auth.secretKeytonubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.secretKey.nubusPortalConsumer.containerSecurityContextNonRoot.readOnlyRootFilesystemtonubusPortalConsumer.containerSecurityContext.readOnlyRootFilesystem.nubusPortalConsumer.containerSecurityContextNonRoot.runAsGrouptonubusPortalConsumer.containerSecurityContext.runAsGroup.nubusPortalConsumer.containerSecurityContextNonRoot.runAsNonRoottonubusPortalConsumer.containerSecurityContext.runAsNonRoot.nubusPortalConsumer.containerSecurityContextNonRoot.runAsUsertonubusPortalConsumer.containerSecurityContext.runAsUser.
nubusPortalConsumer.provisioningApi.auth.credentialSecret.nametonubusPortalConsumer.provisioningApi.auth.existingSecret.name.nubusPortalConsumer.provisioningApi.auth.credentialSecret.keytonubusPortalConsumer.provisioningApi.auth.existingSecret.keyMapping.password.
Remove the following Helm Chart values:
nubusPortalConsumer.objectStorage.bucketNamenubusPortalConsumer.portalConsumer.objectStorageAccessKeyIdnubusPortalConsumer.portalConsumer.objectStorageCredentialSecret.accessKeyKeynubusPortalConsumer.portalConsumer.objectStorageCredentialSecret.namenubusPortalConsumer.portalConsumer.objectStorageCredentialSecret.secretKeyKeynubusPortalConsumer.portalConsumer.objectStorageSecretAccessKeynubusPortalConsumer.provisioningApi.auth.existingSecret.name
Guardian Helm chart#
Refactor the Guardian Helm Chart to follow the strategy for using Kubernetes secrets in Nubus for Kubernetes. Fix issues with the security context in the Guardian Helm Chart.
Add the following Helm Chart values:
nubusGuardian.authorizationApi.*:nubusGuardian.managementApi.*:nubusGuardian.managementApi.oauth.auth.existingSecret.keyMapping.clientSecretnubusGuardian.managementApi.securityContext.enabled`
nubusGuardian.provisioning.*:nubusGuardian.provisioning.securityContext.enabled
Rename the following Helm Chart values:
nubusGuardian.provisioning.config.keycloak.realmtonubusGuardian.provisioning.keycloak.realm.nubusGuardian.provisioning.config.keycloak.usernametonubusGuardian.provisioning.keycloak.auth.username.nubusGuardian.provisioning.config.keycloak.passwordtonubusGuardian.provisioning.keycloak.auth.password.nubusGuardian.provisioning.config.keycloak.credentialSecret.nametonubusGuardian.provisioning.keycloak.auth.existingSecret.name.nubusGuardian.provisioning.config.keycloak.credentialSecret.keytonubusGuardian.provisioning.keycloak.auth.existingSecret.keyMapping.password.nubusGuardian.provisioning.config.keycloak.connection.hosttonubusGuardian.provisioning.keycloak.connection.host.nubusGuardian.provisioning.config.keycloak.connection.porttonubusGuardian.provisioning.keycloak.connection.port.nubusGuardian.postgresql.credentialSecret.nametonubusGuardian.postgresql.auth.existingSecret.name.nubusGuardian.postgresql.credentialSecret.keytonubusGuardian.postgresql.auth.existingSecret.keyMapping.password.
Remove the following Helm Chart values:
nubusGuardian.authorizationApi.config.udmDataAdapterUsernamenubusGuardian.authorizationApi.config.udmDataAdapterPasswordnubusGuardian.authorizationApi.config.secretRefReason for removal: Changed to the
existingSecretstrategy in Nubus for Kubernetes.Alternative configuration: See Added helm values
nubusGuardian.managementApi.config.oauthAdapterM2mSecretnubusGuardian.managementApi.config.secretRefReason for removal: Changed to the
existingSecretstrategy in Nubus for Kubernetes.Alternative configuration: See Added helm values
nubusGuardian.provisioning.config.managementApi.clientSecretnubusGuardian.provisioning.config.managementApi.credentialSecret.keyReason for removal: Not used anymore, used the values from
nubusGuardian.managementApi.oauth.authAlternative configuration: See Added helm values
nubusGuardian.postgresql.nameOverridenubusGuardian.postgresql.bundled:Reason for removal: The bundled psql deployment is no longer supported
Alternative configuration: Configure the connection to your psql database using the values of the chart.
Portal Frontend#
Add the following features and fixes to the Portal Frontend:
Fix for handling of translated strings in Portal entries and Portal announcements. The Portal Service now checks for available localization first in the user’s language, then in English, and finally any available language, to avoid empty text in Portal entries and Portal announcements.
Experimental feature to display a news feed from either an RSS or Atom source, such as a XWiki instance or a Wordpress blog. To activate the feature, set
nubusPortalServer.portalServer.featureToggles.newsfeedtotrue. The default value isfalseand deactivates the feature.To configure the news feed, you need to set the Helm Chart values in
nubusPortalServer.portalServer.newsfeed.*:Add support for additional resolutions and formats of the favicon.
Add the following Helm Chart values for the favicon. All values must be a Base64 encoded string of images in PNG format, except the
faviconSvgwhich must be in SVG format.In the quick links, avoid to display a question mark, when a quick link doesn’t have an image configured.
Version 1.8.0 - 2025-04-07#
This is the sixth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.8.0, your deployment must run on version 1.7.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps#
This section outlines the steps that apply to existing Nubus for Kubernetes installations. You need to run them before the upgrade.
If you have services that use the UDM HTTP REST API outside the Kubernetes cluster, you need to explicitly enable the access through the ingress, because the ingress for the UDM HTTP REST API is disabled by default starting with version 1.8.0.
To keep the behavior that services outside the Kubernetes cluster can reach UDM HTTP REST API, you need to set
nubusUdmRestApi.ingress.enabledtotruein your values file.If you configured the container securityContext for the Portal Consumer, you need to rename the Helm Chart values from
nubusPortalConsumer.securityContext.*tonubusPortalConsumer.containerSecurityContext.*. In addition, you may also configure the pod securityContext throughnubusPortalConsumer.podSecurityContext.*. For more information, see the change for the Portal Consumer.If you configured credentials for the
ldap-serverusing existing Kubernetes secret objects, you need to rename the following Helm Chart values sections:nubusLdapServer.ldapServer.credentialSecret.*section tonubusLdapServer.ldapServer.auth.existingSecret.*sectionnubusLdapServer.ldifProducer.nats.auth.credentialSecretNametonubusLdapServer.ldifProducer.nats.auth.existingSecret
For more information, see the change for the Directory Service.
If you configured credentials for the Portal Service using existing Kubernetes secrets, you need to rename the following Helm Chart values sections:
nubusPortalServer.portalServer.objectStorageCredentialSecret.*section tonubusPortalServer.objectStorage.auth.existingSecret.*sectionnubusPortalServer.portalServer.centralNavigation.authenticatorSecretNametonubusPortalServer.portalServer.centralNavigation.existingSecret.name
Note
The secret needs to contain a key called password. If your secret contains a different key, you need to pass the name of the key to
nubusPortalServer.portalServer.centralNavigation.existingSecret.keyMapping.password.If you have configured credentials for the Portal Service connection to the object storage and have set explicit credential values, you need to rename the following sections of Helm Chart values:
nubusPortalServer.objectStorage.auth.accessKeytonubusPortalServer.objectStorage.auth.accessKeyIdnubusPortalServer.objectStorage.auth.secretKeytonubusPortalServer.objectStorage.auth.secretAccessKey
For more information, see the change for the Portal Service.
Added#
Add the plugin type
umc-i18nto enable translation for UMC modules in packaged integrations.Add the following additional elements to the Portal Service:
- Corner Links
Configures a list of portal entries that the Portal Service shows in the lower right corner of the portal.
- Quick Links
Configures a list of portal entries that the Portal Service shows in the Quick Menu. Quick links are a set of tiles that appear above the regular application tiles in the portal. Use the links to present deep-links to commonly used functions directly in the portal, for example Create a document or Create a spreadsheet.
Add dynamic greeting to the Portal Service.
Warning
The dynamic greeting in the Portal Service is an experimental feature. You use it at your own risk.
To activate the feature anyway, set
nubusPortalServer.portalServer.featureToggles.welcome_messagetotrue.
Changed#
Change and improve the error handling in the ad-hoc provisioning plugin for Keycloak.
Change the default setting for reaching the UDM HTTP REST API to
false, because of security concerns.UDM HTTP REST API is now only reachable when explicitly activated. The default value for the Helm Chart value
nubusUdmRestApi.ingress.enabledchanged fromtruetofalse. For more information, see UDM HTTP REST API in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].Change the NATS container image version from
2.10.10to2.10.26to integrate upstream bug fixes. The upstream bug fixes in NATS avoid potential consumer sequence identifier corruptions in queues.Change the LDAP notifier to run on the same Kubernetes node, where the LDAP Primary pod
primary-0runs, so that Kubernetes always schedules it on the same pod, even if there are two LDAP Primary pods running in the cluster.Change the Directory Service to configure existing secrets and password configuration using the values schema under
existingSecretto be in line with the other components.Add the following Helm Chart values:
nubusLdapServer.ldapServer.auth.*nubusLdapServer.ldapServer.tls.*nubusLdapServer.ldifProducer.nats.auth.*
Change and replace the following Helm Chart values:
nubusLdapServer.ldifProducer.nats.auth.credentialSecretNametonubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.NATS_PASSWORD.nubus.LdapServer.ldapServer.credentialSecrettonubusLdapServer.ldapServer.auth.existingSecret.name
Change and rename the following Helm Chart values for the Portal Consumer. Reason is a fix for the implementation for the securityContext in the Portal Consumer pod. The Helm Chart template didn’t render the securityContext correctly.
nubusPortalConsumer.securityContext.allowPrivilegeEscalationtonubusPortalConsumer.containerSecurityContext.allowPrivilegeEscalationnubusPortalConsumer.securityContext.capabilities.droptonubusPortalConsumer.containerSecurityContext.capabilities.dropnubusPortalConsumer.securityContext.enabledtonubusPortalConsumer.containerSecurityContext.enablednubusPortalConsumer.securityContext.privilegedtonubusPortalConsumer.containerSecurityContext.privilegednubusPortalConsumer.securityContext.seccompProfile.typetonubusPortalConsumer.containerSecurityContext.seccompProfile.typenubusPortalConsumer.securityContext.readOnlyRootFilesystemtonubusPortalConsumer.containerSecurityContextNonRoot.readOnlyRootFilesystemnubusPortalConsumer.securityContext.runAsGrouptonubusPortalConsumer.containerSecurityContextNonRoot.runAsGroupnubusPortalConsumer.securityContext.runAsNonRoottonubusPortalConsumer.containerSecurityContextNonRoot.runAsNonRootnubusPortalConsumer.securityContext.runAsUsertonubusPortalConsumer.containerSecurityContextNonRoot.runAsUser
Change the Portal Service to use the default schema with
existingSecretfor the central navigation and the object storage configuration. It changes the way how to pass existing secrets and plain credentials to the Portal Server in the Helm Chart.Add the following Helm Chart values for the Central Navigation in the Portal Service:
nubusPortalServer.portalServer.centralNavigation.sharedSecretnubusPortalServer.portalServer.centralNavigation.existingSecret.keyMapping.password
Rename the following Helm Chart values:
Object storage: Unify the configuration of the secrets with
authundernubusPortalServer.objectStoragethat already contains the configuration for the endpoint and the bucket.nubusPortalServer.portalServer.objectStorageCredentialSecret.nametonubusPortalServer.objectStorage.auth.existingSecret.namenubusPortalServer.portalServer.objectStorageCredentialSecret.accessKeyKeytonubusPortalServer.objectStorage.auth.existingSecret.keyMapping.accessKeynubusPortalServer.portalServer.objectStorageCredentialSecret.secretKeyKeytonubusPortalServer.objectStorage.auth.existingSecret.keyMapping.secretKeyConsolidate
nubusPortalServer.portalServer.objectStorageAccessKeyIdandnubusPortalServer.objectStorage.auth.accessKeytonubusPortalServer.objectStorage.auth.accessKeyIdConsolidate
nubusPortalServer.portalServer.objectStorageSecretAccessKeyandnubusPortalServer.objectStorage.auth.secretKeytonubusPortalServer.objectStorage.auth.secretAccessKey
Central Navigation
nubusPortalServer.portalServer.centralNavigation.authenticatorSecretNametonubusPortalServer.portalServer.centralNavigation.existingSecret.name
Fixed#
Fix the behavior of the configuration option
extraEnvVarsin the sub-chart of theportal-server. It works as intended.Fix a template error in the Identity Provider for the Keycloak pod that caused the Keycloak bootstrap pod to start in the default namespace. The pod now starts in the namespace that the operator defined when installing the Helm Chart, and where Kubernetes starts all other pods of Nubus for Kubernetes, as well.
Fix the path to the container image for Keycloak. It now matches the defined path
nubus/images/keycloakand is consistent with the other image paths.Fix the implementation of resources in the Helm Chart for the Directory Service. The Helm Chart template didn’t render the resources correctly.
Fix the behavior of portal folders when removing a portal. When a functional administrator removes a portal the Portal Service also removes their portal folders from the link lists.
Removed#
Remove the groups
DC Backup HostsandDC Slave Hostsfrom the default authorization groups in the UDM HTTP REST API. They come from the UCS appliance deployment and aren’t relevant in Nubus for Kubernetes. For more information about authorization groups in UDM HTTP REST API, see Authorization groups in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].Remove the following Helm Chart values from the Portal Consumer:
nubusPortalConsumer.securityContext.fsGroupnubusPortalConsumer.mountSecrets
Remove the
nubusPortalServer.portalServer.credentialSecretHelm Chart value from the Portal Server.
Version 1.7.0 - 2025-02-23#
This is the fifth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.7.0, your deployment must run on version 1.6.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps#
This section outlines the steps that apply to existing Nubus for Kubernetes installations. You need to run them before the upgrade.
Change Helm Chart values#
Before you run the upgrade, you need to prepare your values file:
Replace
global.nubusMasterPasswordwithglobal.secrets.masterPassword. If you configure it with the same value, then the generated passwords remain with the same value as before.Cleanup in
nubusStackDataUmsHelm chart values. If you configured custom values, you need to update them. For the affected Helm Chart values, see Changes in nubusStackDataUms.
Recreate Portal Consumer#
The Portal Consumer pod runs as a different, non-root, user and doesn’t have the necessary permissions to modify or create the group cache file. The physical volume claim (PVC) doesn’t contain vital data. Running the upgrade afterwards with helm upgrade … recreates the PVC and the StatefulSet Kubernetes object. The Kubernetes pod for the Portal Consumer recreates the content of the PVC.
You also need to run the following steps before the upgrade:
Set environment variables to identify your Nubus for Kubernetes installation.
Run the commands in Listing 5.
$ export NAMESPACE_FOR_NUBUS="Set to your Kubernetes namespace" $ export RELEASE_NAME="The Helm Chart release name"
Delete the physical volume for the group membership cache and the StatefulSet object of the Portal Consumer.
Run the commands in Listing 6.
$ kubectl \ --namespace "$NAMESPACE_FOR_NUBUS" \ delete pvc \ "group-membership-cache-$RELEASE_NAME-portal-consumer-0" $ kubectl \ --namespace "$NAMESPACE_FOR_NUBUS" \ delete statefulset \ "$RELEASE_NAME-portal-consumer"
Added#
Add the ad hoc provisioning plugin to Keycloak in the Identity Provider. Ad hoc provisioning allows to federate Keycloak with an external identity provider. When users sign in to Nubus for the first time with their external user accounts, Keycloak automatically creates a user account in Nubus.
Add the API endpoint to the Portal Server so that the Portal Frontend fetches and shows details about the signed-in user, such as their profile picture.
Add the
nubusStackDataUms.templateContext.svcPortalServerUserPasswordHelm Chart value. Explicitly configure this value in production deployments. Kubernetes generates a random password, if the setting has no value supplied.To configure the client access of the Portal Service so that it can use the UDM HTTP REST API, use the following values structure.
nubusPortalServer: udm: connection: url: null auth: username: "svc-portal-server" password: null existingSecret: name: null keyMapping: password: null
Add the Helm Chart value
global.udm.connection.url.Add toggles to activate or deactivate specific features in the Portal Service.
Operators can toggle features in the Portal Service through Helm Chart value for the Portal Server. The configuration also applies to the Portal Frontend. The following feature toggles are available:
nubusPortalServer.portalServer.featureToggles.centered_layout.It’s deactivated by default with the value
false.nubusPortalServer.portalServer.featureToggles.notifications_api.It’s activated by default with the value
true.nubusPortalServer.portalServer.featureToggles.umc_session_refresh.It’s activated by default with the value
true.
Add the followings actions to the UDM data loader plugin type:
ensure_list_does_not_containThe companion action to the existing
ensure_list_containsaction. This data loader action allows to enforce, for example, that a user isn’t in a specific user group, without overwriting all other groups.modify_if_existsThis data loader action allows to modify a UDM object without raising an error if that object doesn’t exist.
create_or_modifyThis data loader action now also works for actions for the
users/userUDM module. It handles LDAP distinguished names (DNs) that both start withuid=andcn=.
For more information about UDM data loader actions, see Actions in the data loader in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].
Add the user group
Domain Service Users. It allows its group members to access the UDM HTTP REST API, because it’s part of the authorization groups. The group is for services, for example, the Portal Service to access the UDM HTTP REST API for querying data from the Directory Manager, such as fetching information about the signed-in user. For more information, see Authorization groups in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].
Changed#
Replace
global.nubusMasterPasswordwithglobal.secrets.masterPassword.Update the container images based on UCS to version
5.2-0.Update Keyclaok from version
25.0.1to25.0.6.
Cleanup in the
nubusStackDataUmspart of the Helm Chart.If you configured any of the following Helm Chart values in your custom values file, you need to update them:
nubusStackDataUms.umcMemcachedHostnametonubusStackDataUms.nubusUmcServer.memcached.connection.hostnubusStackDataUms.umcMemcachedUsernametonubusStackDataUms.nubusUmcServer.memcached.auth.usernamenubusStackDataUms.umcPostgresqlHostnametonubusStackDataUms.nubusUmcServer.postgresql.connection.hostnubusStackDataUms.umcPostgresqlPorttonubusStackDataUms.nubusUmcServer.postgresql.connection.portnubusStackDataUms.umcPostgresqlUsernametonubusStackDataUms.nubusUmcServer.postgresql.auth.usernamenubusStackDataUms.umcPostgresqlDatabasetonubusStackDataUms.nubusUmcServer.postgresql.auth.database
Fixed#
Fix an issue in the username and the password for PostgreSQL database credentials. They didn’t allow special characters for safe passwords, such as
/and@.Fix an issue where Gmail rejected emails from the User Self Service, because of an improper
Message-Idemail header.Fix the security context on the Portal Consumer. The Portal Consumer didn’t apply the security context to run as non-root user with a read-only file system. For the migration steps, see Recreate Portal Consumer.
Fix an issue with the Dispatcher in the Provisioning Service. If the connection to the message queue provided by NATS failed, the Dispatcher tries for 10 seconds and then crashes to hand over to Kubernetes for handling the pod.
Fix for the Authorization Service so that operators can specify resources for the Guardian Kubernetes pods.
Fix the volume mounts in the extension mechanism for using plugin types so that the containers use read-only volume mounts.
Fix a double definition of the
resourceYAML key in the UDM Listener StatefulSet by removing the second unnecessary definition.Fix an issue in the Keycloak Extension Proxy so that it evaluates the PostgreSQL
SSLvariable correctly.Fix an issue in the Keycloak Extension Proxy so that it no longer crashes when Keycloak returns a successful response with JSON Web Token (JWT).
Removed#
Remove the UCR variable umc/module/udm/oxmail/oxcontext/disabled from Stack Data
that loads data to initialize Nubus for Kubernetes.
This fixes an error
where the tile for the OX Context didn’t show up in the Management UI.
If you as operator want to deactivate the tile for the OX Context,
you need to set the following value in your Helm Chart values file:
global.configUcr.umc.module.udm.oxmail.oxcontext.disabled: "True".
Version 1.6.0 - 2025-01-21#
This is the forth production release of Nubus for Kubernetes.
Before you run the upgrade, you need to prepare your values file:
If you explicitly configure
ingress.enabled, replace it with the new variables.If you configured an external, S3-compatible object storage, rename your Helm variables as described in change about the configuration setup for S3-compatible object storage, and remove global variables.
Upgrade path
For the upgrade to version 1.6.0, your deployment must run on version 1.5.1. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Added#
Enable the Authorization Service with the Guardian and upgrade it to version
3.0.0.nubusGuardian.enabledistrueby default. The Guardian3.0.0works with Keycloak>= 25.0.0.Add
nubusStackDataUms.dataLoader.enabledto the Helm Chart values for Stack Data UMS.
Changed#
Change the UCS base image to the version from 2024-12-12.
Change the
keycloak-bootstrapKubernetes pod to no longer use Helm hooks that caused issues with ArgoCD and similar deployment strategies.keycloak-bootstrapuses an initialization container instead to wait for the availability of the Keycloak API.
Change the global ingress configuration and split
ingress.enabledtoingress.favicon.enabledandingress.minio.enabled.If you have
ingress.enabledexplicitly configured in yourcustom_values.yamlvalues file, you need to add the before mentioned values and removeingress.enabledbefore you run the upgrade. If you use an external S3-compatible object storage, you need to setingress.minio.enabledtofalse.
Change the configuration setup for S3-compatible object storage in Portal Consumer, Portal Server, Stack Data UMS. The change now allows to connect to S3-compatible object storage that’s outside the Kubernetes cluster where Nubus runs.
The endpoints refer to the complete URL to the object storage, for example
https://external-storage.example.com:9000, and includes the protocol, host, and port.You may need to change the following Helm Chart values before you run the upgrade.
- Portal Consumer
Rename
nubusPortalConsumer.portalConsumer.objectStorageBuckettonubusPortalConsumer.objectStorage.bucketName.Rename
nubusPortalConsumer.portalConsumer.objectStorageEndpointtonubusPortalConsumer.objectStorage.endpoint.Add
nubusPortalConsumer.portalConsumer.assetsBaseUrl. Define the complete base URL to the assets folder in your S3-compatible object storage, for examplehttps://external-storage.example.com/assets-bucket/.Remove global Helm Chart values for S3-compatible object storage, because the structure was inconsistent and the implementation incomplete:
global.objectStorage.bucketglobal.objectStorage.connection.endpointglobal.objectStorage.connection.hostglobal.objectStorage.connection.portglobal.objectStorage.connection.protocol
The consolidated dictionary is
nubusPortalConsumer.objectStorage.*.- Portal Server
Rename
nubusPortalServer.portalServer.objectStorageBuckettonubusPortalServer.objectStorage.bucketName.Rename
nubusPortalServer.portalServer.objectStorageEndpointtonubusPortalServer.objectStorage.endpoint.- Stack Data UMS
Rename
nubusStackDataUms.nubusPortalConsumer.portalConsumer.objectStorageBuckettonubusStackDataUms.nubusPortalConsumer.objectStorage.bucketName.Rename
nubusStackDataUms.nubusPortalServer.portalServer.objectStorageBuckettonubusStackDataUms.nubusPortalServer.objectStorage.bucketName.Add
nubusStackDataUms.nubusPortalConsumer.objectStorage.endpoint.Add
nubusStackDataUms.nubusPortalServer.objectStorage.endpoint.
See also
- Use external S3-compatible object storage
in Univention Nubus for Kubernetes - Operation Manual [1] for documentation about how to connect Nubus for Kubernetes to an external S3-compatible object storage.
Fixed#
Fix a scenario where primary LDAP server became unreachable after installing on top of an existing installation.
The leader elector sidecar container in the LDAP server primary pods now enforces the right label selector on the LDAP primary Kubernetes Service every 15 seconds after renewing the Kubernetes Lease.
This recovers from a possible
invalidstate after a Helm redeployment that may reset the Kubernetes service to itsinitialandinvalidstate in certain scenarios.Fix a regression in the Nubus 1.5.1 Helm Chart template that caused the
nubusProvisioning.nats.configblock to include an empty authorization block when using the bundled NATS installation.
Version 1.5.1 - 2024-12-11#
This is the third production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.5.1, your deployment must run on version 1.5.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade.
Added#
Add explicit security context setting for the Portal Server Kubernetes pod, so that Kubernetes runs the pod in unprivileged mode with the
privileged: falsesetting.Add the following Helm Chart values that allow configuring resource limits on these containers.
See also
- Resource requests and limits of Pod and container
in Kubernetes Documentation [3] for information about available resource limits and requests for the resource management for pods and containers in Kubernetes.
Version 1.5.0 - 2024-12-09#
The highlight of this release is the support for running two LDAP Primary servers in
mirror mode to meet high-availability requirements.
You need to migrate your existing Nubus for Kubernetes environment
before you upgrade Nubus to 1.5.0
to make them mirror-ready and avoid data loss.
For the steps, see Migrate existing LDAP Server to mirror mode readiness.
Upgrade path
For the upgrade to version 1.5.0, your deployment must run on version 1.4.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Added#
Add support for the operation of two LDAP Primaries in mirror mode, satisfying needs of high-availability.
Nubus uses Kubernetes Leases to ensure that only one LDAP Primary is active at a time. It keeps the second LDAP Primary ready to take over. Each of the two LDAP Primary servers adds a leader elector sidecar container that compete for the leases after the servers are ready. If the active LDAP Primary fails to renew its lease, Kubernetes switches over to the other ready LDAP Primary and promotes it as the active node. To configure LDAP Primary high availability, Nubus adds the following Helm Chart value high availability configuration:
You need to migrate your existing Nubus for Kubernetes environment
before you upgrade Nubus to 1.5.0
to make them mirror-ready and avoid data loss.
For the steps, see Migrate existing LDAP Server to mirror mode readiness.
Important
High availability doesn’t replace a backup concept, because it synchronizes the data to the other LDAP Primary as quick as possible. If data gets corrupt, for example through operating errors, only a backup allows restoring clean data.
See also
- LDAP Primary
in Univention Nubus for Kubernetes - Operation Manual [1] for information about how to set up high availability for the LDAP Server.
Changed#
Change the UDM Listener in the Provisioning Service to ensure it always connects to the first LDAP Primary, even in environments with two LDAP Primaries, to keep the listeners state consistent with the LDAP transaction log. If the first LDAP Primary isn’t ready, the UDM Listener doesn’t notify the Provisioning Service of changes to user and group objects until Kubernetes restarts the first LDAP Primary.
See also
- Notify about changes to directory objects
in Univention Nubus for Kubernetes - Architecture Manual [4] for information about the relation between the UDM Listener and the Identity Store and Directory Service.
Migrate existing LDAP Server to mirror mode readiness#
Before you can upgrade to Nubus 1.5.0,
you need to make your LDAP Servers ready for mirror mode
by following these steps.
Mind the optional step after the ConfigMap configuration to activate mirror mode.
Add the configuration
ldap_database_initialized: initializedto indicate a successful LDAP Server setup.Run the command in Listing 7.
$ kubectl \ --namespace "${NAMESPACE_FOR_NUBUS}" \ create configmap \ "${RELEASE_NAME}-ldap-server-status" \ --from-literal=ldap_database_initialized=initialized configmap/nubus-ldap-server-status created
Add the label
app.kubernetes.io/managed-by: ldap-server-evaluate-database-initto the LDAP server status.Run the command in Listing 8.
$ kubectl \ --namespace "${NAMESPACE_FOR_NUBUS}" \ label configmap \ "${RELEASE_NAME}-ldap-server-status" \ app.kubernetes.io/managed-by=ldap-server-evaluate-database-init configmap/nubus-ldap-server-status labeled
Note
The label is the reason, why you can’t use Helm for the ConfigMap, because the LDAP Server manages the ConfigMap itself. Helm mustn’t change the ConfigMap to keep its state across upgrades.
Applying these steps makes your Nubus deployment ready for mirror mode. If you then want activate mirror mode, follow the steps in LDAP Primary in Univention Nubus for Kubernetes - Operation Manual [1].
Version 1.4.0 - 2024-12-02#
This is the second production release of Nubus for Kubernetes. The versions 1.1.0 to 1.3.0 have been technical releases, and weren’t intended for public use. This document includes and lists the changes for the versions 1.1.0 to 1.3.0.
Important
For existing deployments, read the Secret management migration section before you deploy this version and conduct the proper preparation.
Upgrade path
For the upgrade to version 1.4.0, your deployment must run on version 1.0.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Added#
Add support for encrypted connection to the PostgreSQL database in the Keycloak Extensions. The encrypted connection allows the use of custom certificate authority (CA) certificates.
Set these Helm values to configure an encrypted connection to the PostgreSQL database for Keycloak Extensions:
See also
- Enable encrypted connection to database
in Univention Nubus for Kubernetes - Operation Manual [1] for how to configure an encrypted connection to the PostgreSQL database for the Keycloak Extensions.
Changed#
Change the UMC Server and the UMC Gateway in the Management UI to use RollingUpdate as default update strategy for these Kubernetes pods.
Change the default behavior for the following items related to the Management UI:
- Deactivate User template
When creating a user object in the Management UI, the wizard used the Self Service Registration Template.
The wizard now uses no template by default.
- Deactivate email invitation for created user objects
When creating a user object in the Management UI, by default the wizard prompted the administrator for the user’s email address, and activated the checkbox for sending an email invitation.
By default, the wizard now prompts for the initial user password and deactivates the email invitation checkbox. If you want to send an invitation email during the user creation process, you can activate the email invitation checkbox and the wizard prompts for the user’s email address.
- Activate the automatic search
When opening the users module in the Management UI, the module didn’t show any users by default until the first search.
When you open the users module in the Management UI, it now performs a first search by default and displays user objects.
After changing the theme and branding of the Portal Frontend the respective Kubernetes pods reload automatically.
Change the Secret management in Nubus. All components use a standardized Secret management across components with the
existingSecretpattern in Listing 9.To adjust your existing values file, see Secret management migration.
existingSecret: name: "<secret-name>" keyMapping: key1: "<value1>"
Removed#
Remove
releaseNameOverridefrom the Helm Chart.
Secret management migration#
Nubus for Kubernetes version 1.4.0 changed the pattern for the configuration of existing secret objects.
This section describes the needed actions to prepare your Nubus deployment
before you deploy version 1.4.0.
- Auto-generated secrets
You use auto-generated secrets if you haven’t configured any
credentialSecretorexistingSecretsections in yourcustom_values.yamlvalues file.If your deployment falls into this category, you don’t need to change anything regarding secret management.
- Existing secrets
You use existing secrets, if you have configured
credentialSecretsections in yourcustom_values.yamlvalue file. Go through your values file and verify the values.Tip
To keep the listing brief, the following lists show values like
existingSecret.name. They refer to the whole pattern as outlined in Listing 9.And for
credentialSecretit also refers to its subsectioncredentialSecret.key.This version adds the following values to the Helm Chart:
nubusProvisioning.registerConsumers.createUsers.portalConsumer.existingSecret.namenubusProvisioning.registerConsumers.createUsers.selfserviceConsumer.existingSecret.namenubusProvisioning.udmTransformer.nats.auth.existingSecret.name
This version changes the following values in the Helm Chart:
keycloak.postgresql.auth.credentialSecrettokeycloak.postgresql.auth.existingSecret.namenubusNotificationsApi.postgresql.auth.credentialSecrettonubusNotificationsApi.postgresql.auth.existingSecret.namenubusProvisioning.dispatcher.nats.connection.password.secretKeyRef.keytonubusProvisioning.dispatcher.nats.auth.existingSecret.namenubusProvisioning.prefill.nats.connection.password.secretKeyRef.keytonubusProvisioning.prefill.nats.auth.existingSecret.namenubusUdmRestApi.ldap.connection.auth.credentialSecret.keytonubusUdmRestApi.udmRestApi.ldap.auth.existingSecret.namenubusUmcServer.postgresl.auth.credentialSecrettonubusUmcServer.postgresql.auth.existingSecret.namenubusUmcServer.memcached.auth.credentialSecrettonubusUmcServer.memcached.auth.existingSecret.namenubusKeycloakExtensions.smtp.auth.credentialSecrettonubusKeycloakExtensions.smtp.auth.existingSecret.namenubusKeycloakExtensions.keycloak.auth.credentialSecrettonubusKeycloakExtensions.keycloak.auth.existingSecret.namenubusKeycloakExtensions.postgresql.auth.credentialSecrettonubusKeycloakExtensions.postgresql.auth.existingSecret.name
See also
- Secrets in Nubus for Kubernetes
in Univention Nubus for Kubernetes - Operation Manual [1] for information about the different options.
Version 1.0.0 - 2024-10-31#
This is the first production release of Nubus for Kubernetes.
Consider all changes as breaking changes,
because no upgrade path exists from the alpha version 0.18.3 to this version.
Changed#
Change openLDAP from version
2.4to2.5.Temporarily deactivate the Authorization Service in Nubus for Kubernetes.
This change doesn’t impact other Nubus components, because no other component uses the Authorization Service yet. For more information, see Authorization Service in Univention Nubus for Kubernetes - Architecture Manual [4].
Replace the listener- / notifier mechanism with the Provisioning Service. Remove the listeners in the Portal Server and the End User Self Service and replace them with Consumers for the Provisioning Service.
The OX Connector also provides a Consumer to the Provisioning Service instead of a listener. However, the OX Connector isn’t part of Nubus for Kubernetes.
Deactivate plain sign-in by default. Instead, activate single sign-on through SAML by default in Keycloak.
Deactivate the Keycloak Extensions for brute force detection and new sign-in notification during the sign-in process by default.
For information about how to manually activate the Keycloak Extensions, see Keycloak Extensions in Univention Nubus for Kubernetes - Operation Manual [1].
Increase the number of available UMC modules in the Management UI. Besides the modules to manage user accounts, the Management UI shows the UMC modules available to Nubus for Kubernetes.
Change the Helm value structure for defining UCR variables under
global.configUcr.Change the format for loading initial data in Nubus for Kubernetes from Helm templates to Jinja2.
For example, setting the browser window title in the Management UI.
Added#
Add Ingress configuration for HTTP traffic routing in Nubus for Kubernetes. Replaces the Stack Gateway Kubernetes pod.
Increase security hardening through the following measures:
- Profile picture upload in End User Self Service
The End User Self Service re-encodes profile pictures of any origin format to JPEG to reduce the risk of malware injection. It also removes any metadata, such es EXIF, for improved privacy.
- Security context for pods
Docker containers run as non-root users.
Exception is the UMC server and its sidecar container with sssd. They still need root privileges.
Docker containers mount their file system in read-only mode.
Processes can’t gain more privileges than their parent process, because of
allowPrivilegeEscalation: falsein the Kubernetes pod configuration.
- Capabilities
All default components of Nubus now use no extra capabilities in their Kubernetes pods.
See also
- Configure a Security Context for a Pod or Container
for information about security context in Kubernetes.
Add interfaces to extend Nubus for Kubernetes, for example with customizations for openDesk.
Add configurable scalability for the following functional components in Nubus for Kubernetes:
UMC Server and UMC Gateway in Management UI.
Keycloak in Identity Provider.
Portal Server and Portal Frontend in the Portal Service.
LDAP Server in Identity Store and Directory Service, especially read-only LDAP secondary servers.
See also
- Directory service high availability and scalability
in Univention Nubus for Kubernetes - Operation Manual [1] for information about the scalability configuration of the Identity Store and Directory Service.
See also
- Scalability
in Univention Nubus for Kubernetes - Operation Manual [1] for information about the scalability configuration in the Management UI, Identity Provider, and the Portal Service.
Add the ability to configure the browser window title of the Management UI.
global: configUcr: umc: web: title: "My custom title for the Management UI"
Add the ability to customize the branding for the Portal and Keycloak, namely the background images, HTML style (CSS) and the favicon.
See also
- Branding and themes
in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2] for information about how to customize the branding.
Add the ability to customize the cookie consent banner for the Portal and for Keycloak.
See also
- Consent for using cookies
in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2] for information about how to customize the cookie consent banner.
Add the ability to customize the links in the footer of the sign-in in Keycloak.
See also
- Customization of Keycloak sign-in
in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2] for information about how to customize the Keycloak sign-in.
Add the ability to configure the email body for the password reset emails.
See also
- Customization of self-service emails
in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2] for information about how to customize the email body text for End User Self Service emails.
Removed#
Remove the hardwired inclusion of the openDesk extensions.
The extensions included the following aspects that moved to an explicit openDesk extension:
LDAP schema.
Custom UDM hooks.
Configuration for tiles in Management UI.
Branding customized to openDesk.
Pre-configured user accounts for ldapsearch for usage in openDesk apps.
Portal content customized to openDesk.
The portal content now corresponds to Univention Corporate Server (UCS).
Additional users
default.adminanddefault.user.The
Administratoruser remains the only administrative user.
Remove the Stack Gateway Kubernetes pod that used to route the traffic within Nubus for Kubernetes.
Remove hard dependency to cert-manager, a certificate manager for Kubernetes clusters.
Operators can now configure their own certificates in their Ingress configuration or use a different certificate manager.
Fixed#
The portal session now automatically refreshes as long as the browser window is open. Before, the portal session would time out after 10 minutes regardless of whether the portal was still in use.
Fix password renewal in Keycloak.
Renewing the user password through Keycloak failed for expired passwords. It works as expected now.
Sending emails for password reset and user invitation now works as expected and correctly.
Init containers no longer print passwords into logging during Kubernetes pod initialization.
Known issues#
The customization of the email body for the user invitation email isn’t possible yet.
For more information, see Bug #57693.