Version 1.12.x
This page shows the changelog for Nubus for Kubernetes 1.12.x:
Version 1.12.0 - 2025-07-31
This is the sixteenth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.12.0, your deployment must run on version 1.11.0 to 1.11.2. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.
Operators that have enabled the 2FA Helpdesk before this release need to perform the following steps:
Visit Keycloak Admin UI and switch to the Nubus realm.
Navigate to Client Scopes in the sidebar.
Select twofa-default, then go to the Mappers tab.
Open the groups-mapper entry.
Set Full group path to off and save the changes.
Operators that configure the pullPolicy for the 2FA Helpdesk images need to adjust the following variables:
Move nubusTwofaHelpdesk.provisioning.image.imagePullPolicy to nubusTwofaHelpdesk.provisioning.image.pullPolicy.
Move nubusTwofaHelpdesk.provisioningImage.imagePullPolicy to nubusTwofaHelpdesk.provisioningImage.pullPolicy.
Move nubusTwofaHelpdesk.twofaHelpdeskBackend.image.imagePullPolicy to nubusTwofaHelpdesk.twofaHelpdeskBackend.image.pullPolicy.
Move nubusTwofaHelpdesk.twofaHelpdeskFrontend.image.imagePullPolicy to nubusTwofaHelpdesk.twofaHelpdeskFrontend.image.pullPolicy.
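The four pullPolicy moves listed above can be applied to a parsed Helm values tree before the upgrade. The following sketch is an added example, not part of the Nubus project; the function names and the sample values are assumptions made for illustration, and the values are expected as an already loaded nested dictionary.

```python
from copy import deepcopy

# Parent paths taken from the migration list above; under each one the key
# imagePullPolicy moves to pullPolicy.
PARENTS = [
    "nubusTwofaHelpdesk.provisioning.image",
    "nubusTwofaHelpdesk.provisioningImage",
    "nubusTwofaHelpdesk.twofaHelpdeskBackend.image",
    "nubusTwofaHelpdesk.twofaHelpdeskFrontend.image",
]
OLD, NEW = "imagePullPolicy", "pullPolicy"

def lookup(tree, dotted):
    """Return the mapping at a dotted path, or None if it is absent."""
    for part in dotted.split("."):
        if not isinstance(tree, dict) or part not in tree:
            return None
        tree = tree[part]
    return tree if isinstance(tree, dict) else None

def migrate_pull_policy(values):
    """Return (migrated_copy, moved, conflicts); the input is not modified."""
    result = deepcopy(values)
    moved, conflicts = [], []
    for parent in PARENTS:
        node = lookup(result, parent)
        if node is None or OLD not in node:
            continue
        if NEW in node and node[NEW] != node[OLD]:
            conflicts.append(parent)  # both set, different values: resolve by hand
            continue
        node[NEW] = node.pop(OLD)
        moved.append(parent)
    return result, moved, conflicts

# Constructed sample values, not taken from a real deployment.
SAMPLE = {"nubusTwofaHelpdesk": {
    "provisioning": {"image": {"imagePullPolicy": "Always"}},
    "twofaHelpdeskBackend": {"image": {"imagePullPolicy": "IfNotPresent",
                                       "pullPolicy": "Always"}},
    "twofaHelpdeskFrontend": {"image": {"tag": "example"}},
}}

if __name__ == "__main__":
    _, moved, conflicts = migrate_pull_policy(SAMPLE)
    print("moved:", moved)
    print("needs manual review:", conflicts)
```

Paths reported as conflicts keep both keys untouched, so a stale imagePullPolicy never silently overrides a pullPolicy that was already set.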
Changes
Portal
Fix Portal frontend integration with the Intercom Service, only loading the Intercom Service silent login and the news feed after user login.
Add feature toggle nubusPortalServer.portalServer.featureToggles.api_me in the Portal Server to deactivate enrichment of user information in the Portal Frontend, such as display name, which can cause slower login times.
New Portal frontend feature flag to improve the accessibility of lists. It can be toggled under nubusPortalServer.portalServer.featureToggles.native_html_list.
Portal HTML content in tooltips and notifications is now sanitized to prevent XSS vulnerabilities.
Keycloak
Update Keycloak to version 26.3.1, which includes security fixes for CVE-2025-7365 and CVE-2025-7784.
Keycloak now runs with a read-only file-system.
2FA Helpdesk
Activate the 2FA Admin Helpdesk feature by default, allowing administrators to manage two-factor authentication for users from a web interface.
Add nubusTwofaHelpdesk.twofaHelpdeskFrontend.enableSelfService.
Add nubusTwofaHelpdesk.twofaHelpdeskFrontend.enableAdminHelpdesk.
Add nubusStackDataUms.templateContext.twofaAdminHelpdeskActivated.
Add nubusStackDataUms.templateContext.twofaSelfServiceActivated.
nubusKeycloakBootstrap.bootstrap.twoFactorAuthentication.group, previously set to 2fa-users, is now called 2FA Users. The 2fa-users group will continue to work, enforcing two-factor authentication for users who are members of this group.
Refactor image values in 2FA Helpdesk Keycloak bootstrap:
Move nubusTwofaHelpdesk.provisioning.image.* to nubusTwofaHelpdesk.waitForDependency.image.*
Move nubusTwofaHelpdesk.provisioning.provisioningImage.* to nubusTwofaHelpdesk.keycloakBootstrap.image.*
Move nubusTwofaHelpdesk.provisioning.* to nubusTwofaHelpdesk.keycloakBootstrap.*
Make the 2FA Helpdesk Helm chart adhere to best practices:
Fix behavior for Kubernetes object *.labels, .additionalLabels, uniform across all objects.
Fix *.service.annotations, .additionalAnnotations, now included in the Kubernetes objects uniformly.
Fix images’ pullPolicy, which now defaults to null. See default Kubernetes behavior.
Remove leading slash from access token for 2FA Admin Helpdesk.
Add token refreshing for the 2FA Helpdesk.
Add
nubusTwofaHelpdesk.twofaHelpdeskFrontend.config.postLogoutRedirectURI
to configure the URI to redirect to after resetting a 2FA token in self-service. Users who reset their 2FA token from the 2FA Self-service Helpdesk will be redirected to this URI, ending their session through front-channel logout.
Provisioning
Update NATS to version 2.11.6, which includes improvements for the sequence number handling.
Improve robustness of Provisioning Prefill with retries. The following variables allow configuring the retry behavior:
SCIM
SCIM server now restarts when changes to the ConfigMap take place.
Fix SCIM user’s name formatting which caused None to be part of the generated user’s name if display name was not present.
Rename SCIM Provisioning to SCIM Client.
SCIM wait for Keycloak no longer needs the /admin endpoint to be available.
SCIM server allows unsetting of extended attributes.
Univention Management Console
Potentially sensitive data in the UMC’s meta.json file can now be hidden using the experimental UCR variable umc/web/meta/hide-sensible-data. Additionally, the server’s address is no longer included in the meta.json file by default. It is now only visible during system setup.
Fix UMC ingress annotations that prevented the UMC deployment with nginx-ingress controller 1.12 and later.
LDAP
Fix LDAP Server secondaries configuration that prevented the component from scaling above 8 replicas.
Others
Update all components in Nubus for Kubernetes to use the UCS 5.2-2 base image and include bug fixes up to the errata update UCS 5.2 erratum 130. For UCS errata updates, see Security and bugfix errata for UCS 5.2. Reference date is 26. June 2025.
The primary groups for users and computers are now configurable at the parent container objects where an object is going to be created.
The default global search container (that is, All containers) can now be disabled via the UCR variable directory/manager/web/modules/search/global-search. When disabled, the UCR variable directory/manager/web/modules/search/default-search can be enabled to limit searches to module-specific default containers. This improves search performance and result relevance, especially in large environments with many objects.