Version 1.14.x
This page shows the changelog for Nubus for Kubernetes 1.14.x:
Version 1.14.0 - 2025-09-18
This is the twentieth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.14.0, your deployment must run on version 1.11.2 to 1.13.1. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Release highlights
- OIDC in the Portal
Use OIDC by default for authentication in the Portal.
Migration steps
This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.
Operators using an external PostgreSQL database for the UMC Server need to:
- Move nubusUmcServer.umcServer.postgresql.connection.* to nubusUmcServer.umcServer.postgresql.selfservice.connection.*.
- Move nubusUmcServer.umcServer.postgresql.auth.* to nubusUmcServer.umcServer.postgresql.selfservice.auth.*.
- Add nubusUmcServer.postgresql.authSession.connection.auth.* with the structure outlined in Nubus general secret structure.
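The three key changes above can be checked against a deployment's values before the upgrade. The following is an added example, not part of the Nubus documentation or tooling: it assumes the Helm values are already loaded as a nested mapping for a deployment that uses an external PostgreSQL database, and the function names and the sample sub-keys are hypothetical.

```python
import copy

# Key moves from the 1.14.0 migration steps (old path, new path).
MOVES = [
    ("nubusUmcServer.umcServer.postgresql.connection",
     "nubusUmcServer.umcServer.postgresql.selfservice.connection"),
    ("nubusUmcServer.umcServer.postgresql.auth",
     "nubusUmcServer.umcServer.postgresql.selfservice.auth"),
]
# Key the steps say to add; its content (Nubus general secret structure) is not modelled here.
REQUIRED = "nubusUmcServer.postgresql.authSession.connection.auth"

# Constructed sample values; the sub-keys are placeholders, not the real chart schema.
SAMPLE = {"nubusUmcServer": {"umcServer": {"postgresql": {
    "connection": {"host": "db.example.internal", "port": 5432},
    "auth": {"placeholder": "constructed"},
}}}}

def _parent(tree, path, create=False):
    """Return (mapping holding the last segment, segment); mapping is None if absent or blocked."""
    *parents, leaf = path.split(".")
    for key in parents:
        if not isinstance(tree.get(key), dict):
            if not create or key in tree:
                return None, leaf  # missing, or a non-mapping value is in the way
            tree[key] = {}
        tree = tree[key]
    return tree, leaf

def migrate_values(values):
    """Return (migrated deep copy, findings). Findings name key paths only, never values."""
    out, findings = copy.deepcopy(values), []
    for old, new in MOVES:
        src, old_leaf = _parent(out, old)
        if src is None or old_leaf not in src:
            continue  # old key not set, nothing to move
        dst, new_leaf = _parent(out, new, create=True)
        if dst is None or new_leaf in dst:
            findings.append(f"conflict: cannot move {old} to {new}, target already set")
            continue  # never overwrite an already migrated value
        dst[new_leaf] = src.pop(old_leaf)
        findings.append(f"moved: {old} -> {new}")
    holder, leaf = _parent(out, REQUIRED)
    if holder is None or leaf not in holder:
        findings.append(f"missing: {REQUIRED}")
    return out, findings

if __name__ == "__main__":
    for line in migrate_values(SAMPLE)[1]:
        print(line)
```

The findings list contains only key paths, so it can be logged or attached to a change ticket without exposing database credentials.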
Operators upgrading from 1.11.2 need to follow and apply the migration steps outlined in v1.12.0 - Migration steps and in v1.13.0 - Migration steps.
Operators upgrading from 1.11.2 need to manually enable the front-channel logout on the UMC SAML client in the Keycloak Admin Console.
- Sign in to the Keycloak Admin Console.
- Select Manage realms in the left sidebar.
- Select the realm nubus.
- Select Clients in the left sidebar.
- Select the client UMC SAML.
- Enable Front channel logout in the Logout settings.
- Click Save.
Changes
This section lists the changes in 1.14.0 grouped by component in Nubus for Kubernetes.
Portal Service
Use OIDC by default for authentication in the Portal. Operators using OIDC get back-channel logout support.
Add OIDC login tile to the Portal login page.
SAML is still supported and you can re-enable it. Existing SAML sessions will continue to work while Nubus for Kubernetes still has the SAML UMC Server ingress enabled. This release deactivates the SAML login tile.
nubusPortalServer.portalServer.authMode is now oidc. This enables OIDC authentication in the Portal.
Keycloak bootstrap
Fix recreation of the LDAP federation in Keycloak, which caused users’ TOTP to be lost on updates to Nubus 1.12.0 and onward.
Add UMC OIDC client to Keycloak.
Add nubusKeycloakBootstrap.oidc.rp.umcserver.clientSecret.* with the structure outlined in Nubus general secret structure, allowing configuration for the client secret for the UMC OIDC client in Keycloak.
UMC Server
Modified the following configuration variables:
- Add nubusUmcServer.umcServer.oidcClient.auth.* with the structure outlined in Nubus general secret structure.
- Add nubusUmcServer.postgresql.authSession.config.maxOverflow.
- Add nubusUmcServer.postgresql.authSession.config.poolTimeout.
- Add nubusUmcServer.postgresql.authSession.config.poolRecycle.