Version 1.11.x
This page shows the changelog for Nubus for Kubernetes 1.11.x:
Version 1.11.2 - 2025-07-10
This is the fifteenth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.11.2, your deployment must run on version 1.9.0 to 1.11.1. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade. Follow and apply the migration steps outlined in v1.11.0 - Migration steps.
Changes
Increase resilience of the UDM Listener in the Provisioning Service and its queues managed by NATS through the following changes:
- The UDM Listener container in the Provisioning Service automatically terminates and restarts in case of errors, for example, if the NATS system isn’t reachable.
- The UDM Listener logs verbosely in case of errors to facilitate future troubleshooting.
- The UDM Listener Helm chart provides an init container to wait until NATS is available before starting message processing.
- The UDM Listener container retries sending messages to NATS to mitigate short network disruptions.
New configuration parameters:
- nubusUdmListener.config.natsRetryDelay: Defines the delay between retries when connecting to the NATS server. The default value is 10 seconds.
- nubusUdmListener.config.natsMaxRetryCount: Defines the maximum number of retry attempts for interacting with the NATS server. The default value is 3.
Version 1.11.1 - 2025-07-02
This is the fourteenth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.11.1, your deployment must run on version 1.9.0 to 1.11.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade. Follow and apply the migration steps outlined in v1.11.0 - Migration steps.
Changes
The wait-for-ldap init container of the update-univention-object-identifier now correctly uses the nubusUdmRestApi.initResources value.
Version 1.11.0 - 2025-06-30
This is the thirteenth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.11.0, your deployment must run on version 1.9.0 to 1.10.2. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Release highlights
Nubus for Kubernetes 1.11.0 provides the following highlights:
Integration of a SCIM server for standardized user and group provisioning through the SCIM 2.0 protocol.
Important
The status of the Nubus SCIM Server is experimental. Nubus for Kubernetes deactivates it by default. To use the Nubus SCIM Server, consult the Univention Support first.
Integration of a 2FA Helpdesk which allows administrators to manage two-factor authentication methods for users.
Important
The 2FA Helpdesk feature is in preview status. Nubus for Kubernetes deactivates it by default.
Major refactoring of secrets management across all components in Nubus for Kubernetes to improve consistency, security, and ease of configuration. Sub-charts now manage their own secrets using a standardized pattern.
Migration steps
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.
Depending on your starting version for the update, follow the migration steps in ascending order.
If your starting point is 1.9.x:
Migration steps up to 1.9.2.
Migration steps for 1.10.0 to 1.10.2.
Migration steps for 1.11.0.
Run the upgrade.
If your starting point is 1.10.x:
Migration steps for up to 1.10.2.
Migration steps for 1.11.0.
Run the upgrade.
Operators using the Notifications API must explicitly set the database username in their values file, because the default database username changed from notificationsapi_user to notificationsapi.

    nubusNotificationsApi:
      postgresql:
        auth:
          username: "notificationsapi_user"

Rename the Helm Chart value image.imagePullPolicy to image.pullPolicy in many sub-charts for consistency. The Helm Chart no longer sets their values to IfNotPresent by default. Instead, the Helm Chart now unsets them to allow the Kubernetes default behavior.
- UDM REST API
  - Rename nubusUdmRestApi.blocklistCleanup.image.imagePullPolicy to nubusUdmRestApi.blocklistCleanup.image.pullPolicy.
  - Rename nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.imagePullPolicy to nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.pullPolicy.
  - Rename nubusUdmRestApi.udmRestApi.image.imagePullPolicy to nubusUdmRestApi.udmRestApi.image.pullPolicy.
- LDAP server
  - Rename nubusLdapServer.dhInitContainer.image.imagePullPolicy to nubusLdapServer.dhInitContainer.image.pullPolicy.
  - Rename nubusLdapServer.ldapServer.image.imagePullPolicy to nubusLdapServer.ldapServer.image.pullPolicy.
  - Rename nubusLdapServer.ldifProducer.image.imagePullPolicy to nubusLdapServer.ldifProducer.image.pullPolicy.
  - Rename nubusLdapServer.waitForDependency.image.imagePullPolicy to nubusLdapServer.waitForDependency.image.pullPolicy.
- Notifications API
  - Rename nubusNotificationsApi.image.imagePullPolicy to nubusNotificationsApi.image.pullPolicy.
- Portal Consumer
  - Rename nubusPortalConsumer.portalConsumer.image.imagePullPolicy to nubusPortalConsumer.portalConsumer.image.pullPolicy.
  - Rename nubusPortalConsumer.waitForDependency.image.imagePullPolicy to nubusPortalConsumer.waitForDependency.image.pullPolicy.
  - Rename nubusPortalFrontend.image.imagePullPolicy to nubusPortalFrontend.image.pullPolicy.
- Provisioning
  - Rename nubusPortalServer.image.imagePullPolicy to nubusPortalServer.image.pullPolicy.
  - Rename nubusProvisioning.api.image.imagePullPolicy to nubusProvisioning.api.image.pullPolicy.
  - Rename nubusProvisioning.dispatcher.image.imagePullPolicy to nubusProvisioning.dispatcher.image.pullPolicy.
  - Rename nubusProvisioning.prefill.image.imagePullPolicy to nubusProvisioning.prefill.image.pullPolicy.
  - Rename nubusProvisioning.registerConsumers.image.imagePullPolicy to nubusProvisioning.registerConsumers.image.pullPolicy.
  - Rename nubusProvisioning.udmTransformer.image.imagePullPolicy to nubusProvisioning.udmTransformer.image.pullPolicy.
- Stack Data
  - Rename nubusStackDataUms.image.imagePullPolicy to nubusStackDataUms.image.pullPolicy.
- Self Service Consumer
  - Rename nubusSelfServiceConsumer.image.imagePullPolicy to nubusSelfServiceConsumer.image.pullPolicy.
  - Rename nubusSelfServiceConsumer.waitForDependency.image.imagePullPolicy to nubusSelfServiceConsumer.waitForDependency.image.pullPolicy.
- UMC gateway
  - Rename nubusUmcGateway.image.imagePullPolicy to nubusUmcGateway.image.pullPolicy.
- UMC server
  - Rename nubusUmcServer.image.imagePullPolicy to nubusUmcServer.image.pullPolicy.
Refactor secrets across more components in Nubus for Kubernetes. Operators that customize any of the following Helm Chart values need to migrate their values to the new structure. Operators using the master password global.secrets.masterPassword and the Nubus secret generation don’t need to migrate. Listing 3 outlines the refactored secrets structure.
- Global
  - Move LDAP server plain password from global values global.ldap.auth.cnAdmin.password to the sub-chart that owns this secret nubusLdapServer.ldapServer.auth.password.
  - Migrate global.ldap.auth.cnAdmin.existingSecret.* to the new secret structure under global.ldap.auth.admin.existingSecret.*. You can no longer specify the plain secret globally, but only through the LDAP server sub-chart.
- LDAP server
  - Move nubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.NATS_USERNAME out of the secret. Specify the username now through nubusLdapServer.ldifProducer.nats.auth.username.
  - Rename nubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.NATS_PASSWORD to nubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.password.
- License Import
  - Move nubusLicenseImport.ldap.auth.username to nubusLicenseImport.ldap.auth.bindDn.
- Portal Consumer
  - Move nubusPortalConsumer.portalConsumer.udmApiUsername to nubusPortalConsumer.udm.auth.username.
  - Rename nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.accessKey to nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.access_key_id.
  - Rename nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.secretKey to nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.secret_access_key.
  - Migrate nubusPortalConsumer.portalConsumer.machineSecret to the new secret structure under nubusPortalConsumer.udm.auth.*.
- Portal server
  - Move nubusPortalServer.portalServer.centralNavigation.sharedSecret to nubusPortalServer.portalServer.centralNavigation.auth.sharedSecret.
  - Move nubusPortalServer.portalServer.centralNavigation.existingSecret.name to the new secret structure under nubusPortalServer.portalServer.centralNavigation.auth.existingSecret.name.
  - Move nubusPortalServer.portalServer.centralNavigation.existingSecret.keyMapping.password to nubusPortalServer.portalServer.centralNavigation.auth.existingSecret.keyMapping.shared_secret.
  - Rename nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.accessKey to nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.access_key_id.
  - Rename nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.secretKey to nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.secret_access_key.
- Provisioning
  - Move nubusProvisioning.api.auth.adminPassword to nubusProvisioning.api.auth.admin.password.
  - Move nubusProvisioning.api.auth.prefillPassword to nubusProvisioning.api.auth.prefill.password.
  - Move nubusProvisioning.api.nats.auth.existingSecret.keyMapping.provisioningApiPassword to nubusProvisioning.api.nats.auth.existingSecret.keyMapping.password.
  - Move nubusProvisioning.dispatcher.nats.auth.existingSecret.keyMapping.dispatcherPassword to nubusProvisioning.dispatcher.nats.auth.existingSecret.keyMapping.password.
  - Move nubusProvisioning.prefill.nats.auth.existingSecret.keyMapping.prefillPassword to nubusProvisioning.prefill.nats.auth.existingSecret.keyMapping.password.
  - Move nubusProvisioning.udmTransformer.nats.auth.existingSecret.keyMapping.udmTransformerPassword to nubusProvisioning.udmTransformer.nats.auth.existingSecret.keyMapping.password.
  - Move nubusProvisioning.ldap.auth.* to nubusProvisioning.udmTransformer.ldap.auth.*.
- Self Service Consumer
  - Remove unused variable nubusSelfServiceConsumer.nats.auth.password.
- Stack Data
  - Migrate nubusStackDataUms.stackDataUms.udmApiUser and nubusStackDataUms.stackDataUms.udmApiPassword to the new secret structure under nubusStackDataUms.udm.auth.*.
- UDM Listener
  - Migrate nubusUdmListener.config.ldapPassword to the new secret structure under nubusUdmListener.ldap.auth.*.
  - Migrate nubusUdmListener.config.eventsUsernameUdm and nubusUdmListener.config.eventsPasswordUdm to the new secret structure under nubusUdmListener.provisioningApi.auth.*.
  - Migrate nubusUdmListener.config.natsUser and nubusUdmListener.config.natsPassword to the new secret structure under nubusUdmListener.nats.auth.*.
- UDM REST API
  - Move nubusUdmRestApi.udmRestApi.ldap.auth.* to nubusUdmRestApi.ldap.auth.*.
- UMC server
  - Migrate nubusUmcServer.ldap.existingSecret.name to the new secret structure under nubusUmcServer.ldap.auth.existingSecret.name.
  - Migrate nubusUmcServer.ldap.existingSecret.keyMapping.ldapPasswordKey to the new secret structure under nubusUmcServer.ldap.auth.existingSecret.keyMapping.password.
  - Migrate nubusUmcServer.smtp.existingSecret.name to the new secret structure under nubusUmcServer.smtp.auth.existingSecret.name.
  - Migrate nubusUmcServer.umcServer.smtpSecret to the new secret structure under nubusUmcServer.smtp.auth.password.
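A pre-upgrade check for the image.imagePullPolicy rename and the secret moves listed above, as an added example that is not part of the Nubus documentation or tooling. It assumes the custom values file is already parsed into a nested dict; the function names, the sample values, and the choice of which four secret moves to include are illustrative.

```python
"""Pre-upgrade check for Nubus for Kubernetes 1.11.0 values (added example)."""

# Exact moves copied from the migration steps above (a subset, not the full list).
RENAMED = {
    "global.ldap.auth.cnAdmin.password": "nubusLdapServer.ldapServer.auth.password",
    "nubusLicenseImport.ldap.auth.username": "nubusLicenseImport.ldap.auth.bindDn",
    "nubusProvisioning.api.auth.adminPassword": "nubusProvisioning.api.auth.admin.password",
    "nubusUmcServer.umcServer.smtpSecret": "nubusUmcServer.smtp.auth.password",
}
LEGACY_SUFFIX = "image.imagePullPolicy"


def flatten(values, prefix=""):
    """Yield the dotted key path of every leaf in a nested values mapping."""
    for key, val in values.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict) and val:
            yield from flatten(val, path)
        else:
            yield path


def find_legacy_keys(values):
    """Return {old_path: new_path} for every pre-1.11.0 key still present."""
    findings = {}
    for path in flatten(values):
        if path.endswith("." + LEGACY_SUFFIX):
            # Covers every sub-chart in the rename list with one pattern.
            findings[path] = path[: -len("imagePullPolicy")] + "pullPolicy"
        elif path in RENAMED:
            findings[path] = RENAMED[path]
    return findings


# Constructed sample: a custom values file already parsed into a dict.
SAMPLE_VALUES = {
    "global": {"ldap": {"auth": {"cnAdmin": {"password": "example-only"}}}},
    "nubusUmcServer": {"image": {"imagePullPolicy": "IfNotPresent"}},
    "nubusNotificationsApi": {"image": {"pullPolicy": "Always"}},
}

if __name__ == "__main__":
    for old, new in sorted(find_legacy_keys(SAMPLE_VALUES).items()):
        print(f"{old} -> {new}")
```

Only key paths are reported, never values, so the output can go into a ticket or CI log without exposing the passwords held under the old keys.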
Changes
Univention Object Identifier migration job waits for the LDAP server to be ready before starting the migration.
Fix typo in nubusPortalServer.portalServer.newsfeed.feedtype to nubusPortalServer.portalServer.newsfeed.feedType.
Fix UMC policy that caused the UMC LDAP browser to throw an error when accessing Policies within certain groups such as Domain Admins.
Use default cluster Ingress class when not specified under global.ingressClass.
Update Keycloak to version 26.2.5.
LDAP objects which exist from scratch and are not created by UDM now include the univentionObjectIdentifier.
New Device Login email notifications from the Keycloak Extensions now include a configurable timezone that you can configure through the nubusKeycloakExtensions.handler.appConfig.emailNotificationTimezone Helm Chart value. Valid values are IANA Timezones.
Integrate Nubus SCIM Server component. Nubus for Kubernetes deactivates it by default. It provides a standardized API for user and group management. For information about how to activate it and its setup, see Nubus SCIM in [1].
Important
The status of the Nubus SCIM Server is experimental. Nubus for Kubernetes deactivates it by default. To use the Nubus SCIM Server, consult the Univention Support first.
Integrate 2FA Helpdesk in the Management UI. 2FA Helpdesk provides a user interface for administrators to manage 2FA tokens for users, and adds a tile to the portal for users and administrators. You can enable it by setting the following Helm Chart values to true:
Important
The 2FA Helpdesk feature is in preview status. Nubus for Kubernetes deactivates it by default.
Update all components in Nubus for Kubernetes to use the UCS 5.2-2 base image and include bug fixes up to UCS 5.2 erratum 117, with the reference date 12. June 2025. For UCS errata updates,