Version 1.7.x
This page shows the changelog for Nubus for Kubernetes 1.7.x.
Version 1.7.0 - 2025-02-23
This is the fifth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.7.0, your deployment must run on version 1.6.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps
This section outlines the steps that apply to existing Nubus for Kubernetes installations. You need to run them before the upgrade.
Change Helm Chart values
Before you run the upgrade, you need to prepare your values file:
Replace global.nubusMasterPassword with global.secrets.masterPassword. If you configure it with the same value, the generated passwords keep the same value as before.
Clean up the nubusStackDataUms Helm Chart values. If you configured custom values, you need to update them. For the affected Helm Chart values, see Changes in nubusStackDataUms.
Recreate Portal Consumer
The Portal Consumer pod runs as a different, non-root user and doesn't have the necessary permissions to modify or create the group cache file. The persistent volume claim (PVC) doesn't contain vital data. Running the upgrade afterwards with helm upgrade … recreates the PVC and the StatefulSet Kubernetes object. The Kubernetes pod for the Portal Consumer recreates the content of the PVC.
You also need to run the following steps before the upgrade:
Set environment variables to identify your Nubus for Kubernetes installation. Run the commands in Listing 6.
```console
$ export NAMESPACE_FOR_NUBUS="Set to your Kubernetes namespace"
$ export RELEASE_NAME="The Helm Chart release name"
```
Delete the persistent volume claim for the group membership cache and the StatefulSet object of the Portal Consumer. Run the commands in Listing 7.
```console
$ kubectl \
    --namespace "$NAMESPACE_FOR_NUBUS" \
    delete pvc \
    "group-membership-cache-$RELEASE_NAME-portal-consumer-0"
$ kubectl \
    --namespace "$NAMESPACE_FOR_NUBUS" \
    delete statefulset \
    "$RELEASE_NAME-portal-consumer"
```
Added
Add the ad hoc provisioning plugin to Keycloak in the Identity Provider. Ad hoc provisioning allows federating Keycloak with an external identity provider. When users sign in to Nubus for the first time with their external user accounts, Keycloak automatically creates a user account in Nubus.
Add the API endpoint to the Portal Server so that the Portal Frontend fetches and shows details about the signed-in user, such as their profile picture.
Add the nubusStackDataUms.templateContext.svcPortalServerUserPassword Helm Chart value. Explicitly configure this value in production deployments. Kubernetes generates a random password if the setting has no value supplied. To configure the client access of the Portal Service so that it can use the UDM HTTP REST API, use the following values structure:
```yaml
nubusPortalServer:
  udm:
    connection:
      url: null
    auth:
      username: "svc-portal-server"
      password: null
      existingSecret:
        name: null
        keyMapping:
          password: null
```
Add the Helm Chart value global.udm.connection.url.
Add toggles to activate or deactivate specific features in the Portal Service. Operators can toggle features in the Portal Service through the Helm Chart values for the Portal Server. The configuration also applies to the Portal Frontend. The following feature toggles are available:
nubusPortalServer.portalServer.featureToggles.centered_layout: deactivated by default with the value false.
nubusPortalServer.portalServer.featureToggles.notifications_api: activated by default with the value true.
nubusPortalServer.portalServer.featureToggles.umc_session_refresh: activated by default with the value true.
Add the following actions to the UDM data loader plugin type:
ensure_list_does_not_contain: the companion action to the existing ensure_list_contains action. This data loader action allows enforcing, for example, that a user isn't in a specific user group, without overwriting all other groups.
modify_if_exists: this data loader action allows modifying a UDM object without raising an error if that object doesn't exist.
create_or_modify: this data loader action now also works for actions on the users/user UDM module. It handles LDAP distinguished names (DNs) that start with either uid= or cn=.
For more information about UDM data loader actions, see Actions in the data loader in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].
Add the user group Domain Service Users. It allows its group members to access the UDM HTTP REST API, because it's part of the authorization groups. The group is for services, for example the Portal Service, to access the UDM HTTP REST API for querying data from the Directory Manager, such as fetching information about the signed-in user. For more information, see Authorization groups in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].
Changed
Replace global.nubusMasterPassword with global.secrets.masterPassword.
Update the container images based on UCS to version 5.2-0.
Update Keycloak from version 25.0.1 to 25.0.6.
Clean up the nubusStackDataUms part of the Helm Chart. If you configured any of the following Helm Chart values in your custom values file, you need to update them:
nubusStackDataUms.umcMemcachedHostname to nubusStackDataUms.nubusUmcServer.memcached.connection.host
nubusStackDataUms.umcMemcachedUsername to nubusStackDataUms.nubusUmcServer.memcached.auth.username
nubusStackDataUms.umcPostgresqlHostname to nubusStackDataUms.nubusUmcServer.postgresql.connection.host
nubusStackDataUms.umcPostgresqlPort to nubusStackDataUms.nubusUmcServer.postgresql.connection.port
nubusStackDataUms.umcPostgresqlUsername to nubusStackDataUms.nubusUmcServer.postgresql.auth.username
nubusStackDataUms.umcPostgresqlDatabase to nubusStackDataUms.nubusUmcServer.postgresql.auth.database
Fixed
Fix an issue with the username and the password for PostgreSQL database credentials. They didn't allow special characters for safe passwords, such as / and @.
Fix an issue where Gmail rejected emails from the User Self Service because of an improper Message-Id email header.
Fix the security context on the Portal Consumer. The Portal Consumer didn't apply the security context to run as a non-root user with a read-only file system. For the migration steps, see Recreate Portal Consumer.
Fix an issue with the Dispatcher in the Provisioning Service. If the connection to the message queue provided by NATS fails, the Dispatcher retries for 10 seconds and then crashes deliberately to hand the pod over to Kubernetes for handling.
Fix the Authorization Service so that operators can specify resources for the Guardian Kubernetes pods.
Fix the volume mounts in the extension mechanism for plugin types so that the containers use read-only volume mounts.
Fix a double definition of the resource YAML key in the UDM Listener StatefulSet by removing the second, unnecessary definition.
Fix an issue in the Keycloak Extension Proxy so that it evaluates the PostgreSQL SSL variable correctly.
Fix an issue in the Keycloak Extension Proxy so that it no longer crashes when Keycloak returns a successful response with a JSON Web Token (JWT).
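The PostgreSQL credentials fix above is the kind of bug that appears when a password is interpolated into a connection string without encoding. The following added example (not Nubus project code) assumes a libpq-style URI, which the changelog does not state as the root cause, and contrasts the unencoded interpolation with a percent-encoded one that keeps / and @ literal.

```python
# Added example, not Nubus project code. It assumes the credentials are placed
# in a libpq-style connection URI; the changelog does not state where the
# 1.7.0 bug lived, so this only illustrates why '/' and '@' need encoding.
from urllib.parse import quote, unquote, urlsplit


def naive_dsn(user, password, host, port, database):
    """Unencoded interpolation: '@' and '/' in the password split the URI."""
    return f"postgresql://{user}:{password}@{host}:{port}/{database}"


def safe_dsn(user, password, host, port, database):
    """Percent-encode user and password so every character stays literal."""
    return (f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{database}")


def parse_dsn(dsn):
    """Return (user, password, host, port, database) as a client sees them."""
    parts = urlsplit(dsn)
    return (unquote(parts.username or ""), unquote(parts.password or ""),
            parts.hostname, parts.port, parts.path.lstrip("/"))
```

Round-tripping a generated DSN through parse_dsn is a cheap check to add wherever a chart or template assembles database credentials.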
Removed
Remove the UCR variable umc/module/udm/oxmail/oxcontext/disabled from Stack Data, which loads data to initialize Nubus for Kubernetes. This fixes an error where the tile for the OX Context didn't show up in the Management UI. If you as operator want to deactivate the tile for the OX Context, you need to set the following value in your Helm Chart values file:
global.configUcr.umc.module.udm.oxmail.oxcontext.disabled: "True"