Version 1.14.x

This page shows the changelog for Nubus for Kubernetes 1.14.x:

• Version 1.14.0 - 2025-09-18

• Version 1.14.1 - 2025-10-21

Version 1.14.1 - 2025-10-21

This is the twenty-first production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.14.1, your deployment must run on version 1.14.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps

There are no necessary migration steps for this release.

Changes

This section lists the changes in 1.14.1 grouped by component in Nubus for Kubernetes.

Keycloak

• Update Keycloak to version 26.3.5, which includes security fixes for CVE-2025-58057 and CVE-2025-58056.

Version 1.14.0 - 2025-09-18

This is the twentieth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.14.0, your deployment must run on version 1.11.2 to 1.13.1. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Release highlights

OIDC in the Portal

Use OIDC by default for authentication in the Portal.

Migration steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

1. Operators using an external PostgreSQL database for the UMC Server need to:

   • Move nubusUmcServer.umcServer.postgresql.connection.* to nubusUmcServer.umcServer.postgresql.selfservice.connection.*.

   • Move nubusUmcServer.umcServer.postgresql.auth.* to nubusUmcServer.umcServer.postgresql.selfservice.auth.*.

   • Add nubusUmcServer.postgresql.authSession.connection.host.

   • Add nubusUmcServer.postgresql.authSession.connection.port.

   • Add nubusUmcServer.postgresql.authSession.connection.auth.* with the structure outlined in Nubus general secret structure.

2. Operators upgrading from 1.11.2 need to follow and apply the migration steps outlined in v1.12.0 - Migration steps and in v1.13.0 - Migration steps.

3. Operators upgrading from 1.11.2 need to manually enable the front-channel logout on the UMC SAML client in the Keycloak Admin Console.

   1. Sign in to the Keycloak Admin Console.

   2. Select Manage realms in the left sidebar.

   3. Select the realm nubus.

   4. Select Clients in the left sidebar.

   5. Select the client UMC SAML.

   6. Enable Front channel logout in the Logout settings.

   7. Click Save.

Changes

This section lists the changes in 1.14.0 grouped by component in Nubus for Kubernetes.

Portal Service

• Use OIDC by default for authentication in the Portal. Operators using OIDC get back-channel logout support.

• Add OIDC login tile to the Portal login page.

• SAML is still supported and you can re-enable it. Existing SAML sessions will continue to work while Nubus for Kubernetes still has the SAML UMC Server ingress enabled. This release deactivates the SAML login tile.

• nubusPortalServer.portalServer.authMode is now oidc. This enables OIDC authentication in the Portal.

Keycloak bootstrap

• Fix recreation of the LDAP federation in Keycloak, which caused users’ TOTP to be lost on updates to Nubus 1.12.0 and onward.

• Add UMC OIDC client to Keycloak.

• Add nubusKeycloakBootstrap.oidc.rp.umcserver.clientSecret.* with the structure outlined in Nubus general secret structure, allowing configuration for the client secret for the UMC OIDC client in Keycloak.

UMC Server

Modified the following configuration variables:

• Add nubusUmcServer.umcServer.oidcClient.auth.* with the structure outlined in Nubus general secret structure.

• Add nubusUmcServer.postgresql.authSession.config.poolSize.

• Add nubusUmcServer.postgresql.authSession.config.maxOverflow.

• Add nubusUmcServer.postgresql.authSession.config.poolTimeout.

• Add nubusUmcServer.postgresql.authSession.config.poolRecycle.