Version 1.7.x

This page shows the changelog for Nubus for Kubernetes 1.7.x.

Version 1.7.0 - 2025-02-23

This is the fifth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.7.0, your deployment must run on version 1.6.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps

This section outlines the steps that apply to existing Nubus for Kubernetes installations. You need to run them before the upgrade.

Change Helm Chart values

Before you run the upgrade, you need to prepare your values file:

  1. Replace global.nubusMasterPassword with global.secrets.masterPassword. If you set the new key to the same value as the old one, the passwords derived from it remain the same as before.

  2. Clean up the nubusStackDataUms Helm Chart values. If you configured custom values there, you need to update them. For the affected Helm Chart values, see Changes in nubusStackDataUms.

Recreate Portal Consumer

The Portal Consumer pod now runs as a different, non-root user, which doesn’t have the permissions to modify or create the group cache file in the existing volume. The persistent volume claim (PVC) doesn’t contain vital data. Running the upgrade afterwards with helm upgrade … recreates the PVC and the StatefulSet Kubernetes object, and the Portal Consumer pod regenerates the content of the PVC.

You also need to run the following steps before the upgrade:

  1. Set environment variables to identify your Nubus for Kubernetes installation.

    Run the commands in Listing 6.

    Listing 6 Initialize environment variables
    $ export NAMESPACE_FOR_NUBUS="Set to your Kubernetes namespace"
    $ export RELEASE_NAME="The Helm Chart release name"
    
  2. Delete the persistent volume claim for the group membership cache and the StatefulSet object of the Portal Consumer.

    Run the commands in Listing 7.

    Listing 7 Delete volume claim and StatefulSet of the Portal Consumer
    $ kubectl \
       --namespace "$NAMESPACE_FOR_NUBUS" \
       delete pvc \
       "group-membership-cache-$RELEASE_NAME-portal-consumer-0"
    $ kubectl \
       --namespace "$NAMESPACE_FOR_NUBUS" \
       delete statefulset \
       "$RELEASE_NAME-portal-consumer"
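As an added example, not part of the original page and not the Nubus project's own tooling, the following POSIX shell script wraps Listings 6 and 7 in a function with the checks an operator wants before deleting cluster state: it rejects the unedited placeholder values from Listing 6, reads the deployed chart version with helm list -o json and aborts unless it is 1.6.0 (the prerequisite from Upgrade path), and deletes the StatefulSet with foreground cascading before the PVC so that the PVC deletion is not held back by the still-running pod. The helm output format, the chart name format and the required version are assumptions.

```shell
#!/bin/sh
# Added example, not the Nubus project's own tooling: runs the
# "Recreate Portal Consumer" steps with checks before cluster state is
# deleted. Assumptions not stated on the page: the deployed version is
# read from the "chart" field of `helm list -o json` (assumed format
# "<chart-name>-<version>"), and the required version is 1.6.0.
set -u

NUBUS_REQUIRED_VERSION="${NUBUS_REQUIRED_VERSION:-1.6.0}"

# Object names from Listing 7, derived from the Helm release name.
portal_consumer_pvc_name() {
    printf '%s\n' "group-membership-cache-$1-portal-consumer-0"
}

portal_consumer_statefulset_name() {
    printf '%s\n' "$1-portal-consumer"
}

# Namespace and release name must be DNS labels; this rejects empty values
# and the placeholder prose still present when Listing 6 was not edited.
is_dns_label() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Chart version of the deployed release, or empty output if not found.
deployed_chart_version() {
    helm list --namespace "$1" --filter "^$2\$" -o json \
        | sed -En 's/.*"chart":"[^"]*-([0-9][^"]*)".*/\1/p'
}

# Delete the StatefulSet and the group membership cache PVC, but only after
# the release has been verified to run the version the upgrade path
# requires. Return codes: 1 bad input, 2 wrong version, 3 kubectl failure.
recreate_portal_consumer() {
    ns="$1"
    release="$2"
    is_dns_label "$ns" || { echo "invalid namespace: '$ns'" >&2; return 1; }
    is_dns_label "$release" || { echo "invalid release name: '$release'" >&2; return 1; }

    version="$(deployed_chart_version "$ns" "$release")"
    if [ "$version" != "$NUBUS_REQUIRED_VERSION" ]; then
        echo "release '$release' runs '$version', expected $NUBUS_REQUIRED_VERSION; aborting" >&2
        return 2
    fi

    sts="$(portal_consumer_statefulset_name "$release")"
    pvc="$(portal_consumer_pvc_name "$release")"

    # Foreground cascading makes kubectl return only after the pod is gone,
    # so the following PVC deletion is not held up by the
    # kubernetes.io/pvc-protection finalizer while the pod still mounts it.
    # (Listing 7 deletes the PVC first; the order here is a design choice.)
    kubectl --namespace "$ns" delete statefulset "$sts" \
        --cascade=foreground --ignore-not-found || return 3
    kubectl --namespace "$ns" delete pvc "$pvc" --ignore-not-found || return 3
    echo "deleted $sts and $pvc in namespace $ns; continue with helm upgrade"
}

# Stand-alone use:
#   NAMESPACE_FOR_NUBUS=nubus RELEASE_NAME=nubus sh recreate-portal-consumer.sh run
if [ "${1:-}" = "run" ]; then
    recreate_portal_consumer "$NAMESPACE_FOR_NUBUS" "$RELEASE_NAME"
fi
```

Run it with the two variables from Listing 6 set and the argument run, then continue with helm upgrade as described under Upgrade path. The version check is the important part: deleting the cache PVC is harmless on 1.6.0, but the same names on a different release version are not covered by these migration notes.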
    

Added

  • Add the ad hoc provisioning plugin to Keycloak in the Identity Provider. Ad hoc provisioning allows you to federate Keycloak with an external identity provider. When users sign in to Nubus for the first time with their external user accounts, Keycloak automatically creates a user account for them in Nubus.

  • Add the API endpoint to the Portal Server so that the Portal Frontend fetches and shows details about the signed-in user, such as their profile picture.

    Add the nubusStackDataUms.templateContext.svcPortalServerUserPassword Helm Chart value. Explicitly configure this value in production deployments; if you don’t supply a value, a random password is generated.

    To configure the client access of the Portal Service so that it can use the UDM HTTP REST API, use the following values structure.

    nubusPortalServer:
      udm:
        connection:
          url: null
        auth:
          username: "svc-portal-server"
          password: null
          existingSecret:
            name: null
            keyMapping:
              password: null
    
  • Add the Helm Chart value global.udm.connection.url.

  • Add toggles to activate or deactivate specific features in the Portal Service.

    Operators can toggle features in the Portal Service through the Helm Chart values of the Portal Server. The configuration also applies to the Portal Frontend. The following feature toggles are available:

    nubusPortalServer.portalServer.featureToggles.centered_layout
      Deactivated by default (false).

    nubusPortalServer.portalServer.featureToggles.notifications_api
      Activated by default (true).

    nubusPortalServer.portalServer.featureToggles.umc_session_refresh
      Activated by default (true).

  • Add the following actions to the UDM data loader plugin type:

    ensure_list_does_not_contain

    The companion action to the existing ensure_list_contains action. It allows you to enforce, for example, that a user isn’t a member of a specific group, without overwriting the user’s other group memberships.

    modify_if_exists

    This data loader action allows to modify a UDM object without raising an error if that object doesn’t exist.

    create_or_modify

    This data loader action now also works for objects of the users/user UDM module. It handles LDAP distinguished names (DNs) that start with either uid= or cn=.

    For more information about UDM data loader actions, see Actions in the data loader in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].

  • Add the user group Domain Service Users. Its members can access the UDM HTTP REST API, because the group is part of the authorization groups. The group is intended for service accounts, for example the Portal Service, that query data from the Directory Manager through the UDM HTTP REST API, such as information about the signed-in user. For more information, see Authorization groups in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].

Changed

  • Replace global.nubusMasterPassword with global.secrets.masterPassword.

  • Update the container images based on UCS to version 5.2-0.

  • Update Keycloak from version 25.0.1 to 25.0.6.

Fixed

  • Fix an issue with the PostgreSQL database credentials: the username and the password didn’t allow special characters that strong passwords commonly contain, such as / and @.

  • Fix an issue where Gmail rejected emails from the User Self Service, because of an improper Message-Id email header.

  • Fix the security context of the Portal Consumer. The Portal Consumer didn’t apply the security context that runs it as a non-root user with a read-only file system. For the migration steps, see Recreate Portal Consumer.

  • Fix an issue with the Dispatcher in the Provisioning Service. If the connection to the NATS message queue fails, the Dispatcher now retries for 10 seconds and then exits, so that Kubernetes restarts the pod.

  • Fix the Authorization Service so that operators can specify Kubernetes resources (requests and limits) for the Guardian pods.

  • Fix the volume mounts in the extension mechanism for using plugin types so that the containers use read-only volume mounts.

  • Fix a double definition of the resource YAML key in the UDM Listener StatefulSet by removing the second unnecessary definition.

  • Fix an issue in the Keycloak Extension Proxy so that it evaluates the PostgreSQL SSL variable correctly.

  • Fix an issue in the Keycloak Extension Proxy so that it no longer crashes when Keycloak returns a successful response with JSON Web Token (JWT).

Removed

Remove the UCR variable umc/module/udm/oxmail/oxcontext/disabled from the Stack Data that initializes Nubus for Kubernetes. This fixes an error where the tile for the OX Context didn’t show up in the Management UI.

If you as operator want to deactivate the tile for the OX Context, set the following value in your Helm Chart values file: global.configUcr.umc.module.udm.oxmail.oxcontext.disabled: "True".