Version 1.8.x

This page shows the changelog for Nubus for Kubernetes 1.8.x.

Important

Bundled dependencies using Bitnami images (PostgreSQL, MinIO, Memcached) require configuration changes, because Bitnami migrated their repositories from docker.io/bitnami to docker.io/bitnamilegacy. Deployments that use external dependencies aren’t affected. For more information, see Bitnami GitHub issue #35164.

If you deploy these dependencies with Nubus, override the image repositories in your custom_values.yaml as shown in the following listing.

Listing 12 Adjust image repositories for bundled dependencies

postgresql:
  image:
    repository: bitnamilegacy/postgresql
  provisioning:
    image:
      repository: bitnamilegacy/postgresql
minio:
  image:
    repository: bitnamilegacy/minio
nubusUmcServer:
  memcached:
    image:
      repository: bitnamilegacy/memcached

Version 1.8.0 - 2025-04-07

This is the seventh production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.8.0, your deployment must run on version 1.7.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps

This section outlines the steps that apply to existing Nubus for Kubernetes installations. You need to run them before the upgrade.

1. If you have services that use the UDM HTTP REST API outside the Kubernetes cluster, you need to explicitly enable the access through the ingress, because the ingress for the UDM HTTP REST API is disabled by default starting with version 1.8.0.

   To keep the behavior that services outside the Kubernetes cluster can reach UDM HTTP REST API, you need to set nubusUdmRestApi.ingress.enabled to true in your values file.

2. If you configured the container securityContext for the Portal Consumer, you need to rename the Helm Chart values from nubusPortalConsumer.securityContext.* to nubusPortalConsumer.containerSecurityContext.*. In addition, you may also configure the pod securityContext through nubusPortalConsumer.podSecurityContext.*. For more information, see the change for the Portal Consumer.

3. If you configured credentials for the ldap-server using existing Kubernetes secret objects, you need to rename the following Helm Chart values sections:

   • nubusLdapServer.ldapServer.credentialSecret.* section to nubusLdapServer.ldapServer.auth.existingSecret.* section

   • nubusLdapServer.ldifProducer.nats.auth.credentialSecretName to nubusLdapServer.ldifProducer.nats.auth.existingSecret

   For more information, see the change for the Directory Service.

4. If you configured credentials for the Portal Service using existing Kubernetes secrets, you need to rename the following Helm Chart values sections:

   • nubusPortalServer.portalServer.objectStorageCredentialSecret.* section to nubusPortalServer.objectStorage.auth.existingSecret.* section

   • nubusPortalServer.portalServer.centralNavigation.authenticatorSecretName to nubusPortalServer.portalServer.centralNavigation.existingSecret.name

   Note

   The secret needs to contain a key called password. If your secret contains a different key, you need to pass the name of the key to nubusPortalServer.portalServer.centralNavigation.existingSecret.keyMapping.password.

5. If you have configured credentials for the Portal Service connection to the object storage and have set explicit credential values, you need to rename the following sections of Helm Chart values:

   • nubusPortalServer.objectStorage.auth.accessKey to nubusPortalServer.objectStorage.auth.accessKeyId

   • nubusPortalServer.objectStorage.auth.secretKey to nubusPortalServer.objectStorage.auth.secretAccessKey

   For more information, see the change for the Portal Service.

Added

• Add the plugin type umc-i18n to enable translation for UMC modules in packaged integrations.

• Add the following additional elements to the Portal Service:

  Corner Links

  Configures a list of portal entries that the Portal Service shows in the lower right corner of the portal.

  Quick Links

  Configures a list of portal entries that the Portal Service shows in the Quick Menu. Quick links are a set of tiles that appear above the regular application tiles in the portal. Use the links to present deep-links to commonly used functions directly in the portal, for example Create a document or Create a spreadsheet.

• Add dynamic greeting to the Portal Service.

  Warning

  The dynamic greeting in the Portal Service is an experimental feature. You use it at your own risk.

  To activate the feature anyway, set nubusPortalServer.portalServer.featureToggles.welcome_message to true.

Changed

• Change and improve the error handling in the ad-hoc provisioning plugin for Keycloak.

• Change the default setting for reaching the UDM HTTP REST API to false, because of security concerns.

  UDM HTTP REST API is now only reachable when explicitly activated. The default value for the Helm Chart value nubusUdmRestApi.ingress.enabled changed from true to false. For more information, see UDM HTTP REST API in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].

• Change the NATS container image version from 2.10.10 to 2.10.26 to integrate upstream bug fixes. The upstream bug fixes in NATS avoid potential consumer sequence identifier corruptions in queues.

• Change the LDAP notifier to run on the same Kubernetes node, where the LDAP Primary pod primary-0 runs, so that Kubernetes always schedules it on the same pod, even if there are two LDAP Primary pods running in the cluster.

• Change the Directory Service to configure existing secrets and password configuration using the values schema under existingSecret to be in line with the other components.

  Add the following Helm Chart values:

  • nubusLdapServer.ldapServer.auth.*

    • nubusLdapServer.ldapServer.auth.password

    • nubusLdapServer.ldapServer.auth.existingSecret.keyMapping.password

  • nubusLdapServer.ldapServer.tls.*

    • nubusLdapServer.ldapServer.tls.dhparam.existingSecret.name

    • nubusLdapServer.ldapServer.tls.dhparam.existingSecret.keyMapping.dhparam.pem

    • nubusLdapServer.ldapServer.tls.existingSecret.keyMapping.ca.crt

    • nubusLdapServer.ldapServer.tls.existingSecret.keyMapping.tls.crt

    • nubusLdapServer.ldapServer.tls.existingSecret.keyMapping.tls.key

    • nubusLdapServer.ldapServer.tls.existingSecret.name

  • nubusLdapServer.ldifProducer.nats.auth.*

    • nubusLdapServer.ldifProducer.nats.auth.existingSecret.name

    • nubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.NATS_USERNAME

  Change and replace the following Helm Chart values:

  • nubusLdapServer.ldifProducer.nats.auth.credentialSecretName to nubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.NATS_PASSWORD.

  • nubus.LdapServer.ldapServer.credentialSecret to nubusLdapServer.ldapServer.auth.existingSecret.name

• Change and rename the following Helm Chart values for the Portal Consumer. Reason is a fix for the implementation for the securityContext in the Portal Consumer pod. The Helm Chart template didn’t render the securityContext correctly.

  • nubusPortalConsumer.securityContext.allowPrivilegeEscalation to nubusPortalConsumer.containerSecurityContext.allowPrivilegeEscalation

  • nubusPortalConsumer.securityContext.capabilities.drop to nubusPortalConsumer.containerSecurityContext.capabilities.drop

  • nubusPortalConsumer.securityContext.enabled to nubusPortalConsumer.containerSecurityContext.enabled

  • nubusPortalConsumer.securityContext.privileged to nubusPortalConsumer.containerSecurityContext.privileged

  • nubusPortalConsumer.securityContext.seccompProfile.type to nubusPortalConsumer.containerSecurityContext.seccompProfile.type

  • nubusPortalConsumer.securityContext.readOnlyRootFilesystem to nubusPortalConsumer.containerSecurityContextNonRoot.readOnlyRootFilesystem

  • nubusPortalConsumer.securityContext.runAsGroup to nubusPortalConsumer.containerSecurityContextNonRoot.runAsGroup

  • nubusPortalConsumer.securityContext.runAsNonRoot to nubusPortalConsumer.containerSecurityContextNonRoot.runAsNonRoot

  • nubusPortalConsumer.securityContext.runAsUser to nubusPortalConsumer.containerSecurityContextNonRoot.runAsUser

• Change the Portal Service to use the default schema with existingSecret for the central navigation and the object storage configuration. It changes the way how to pass existing secrets and plain credentials to the Portal Server in the Helm Chart.

  Add the following Helm Chart values for the Central Navigation in the Portal Service:

  • nubusPortalServer.portalServer.centralNavigation.sharedSecret

  • nubusPortalServer.portalServer.centralNavigation.existingSecret.keyMapping.password

  Rename the following Helm Chart values:

  • Object storage: Unify the configuration of the secrets with auth under nubusPortalServer.objectStorage that already contains the configuration for the endpoint and the bucket.

    • nubusPortalServer.portalServer.objectStorageCredentialSecret.name to nubusPortalServer.objectStorage.auth.existingSecret.name

    • nubusPortalServer.portalServer.objectStorageCredentialSecret.accessKeyKey to nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.accessKey

    • nubusPortalServer.portalServer.objectStorageCredentialSecret.secretKeyKey to nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.secretKey

    • Consolidate nubusPortalServer.portalServer.objectStorageAccessKeyId and nubusPortalServer.objectStorage.auth.accessKey to nubusPortalServer.objectStorage.auth.accessKeyId

    • Consolidate nubusPortalServer.portalServer.objectStorageSecretAccessKey and nubusPortalServer.objectStorage.auth.secretKey to nubusPortalServer.objectStorage.auth.secretAccessKey

  • Central Navigation

    • nubusPortalServer.portalServer.centralNavigation.authenticatorSecretName to nubusPortalServer.portalServer.centralNavigation.existingSecret.name

Fixed

• Fix the behavior of the configuration option extraEnvVars in the sub-chart of the portal-server. It works as intended.

• Fix a template error in the Identity Provider for the Keycloak pod that caused the Keycloak bootstrap pod to start in the default namespace. The pod now starts in the namespace that the operator defined when installing the Helm Chart, and where Kubernetes starts all other pods of Nubus for Kubernetes, as well.

• Fix the path to the container image for Keycloak. It now matches the defined path nubus/images/keycloak and is consistent with the other image paths.

• Fix the implementation of resources in the Helm Chart for the Directory Service. The Helm Chart template didn’t render the resources correctly.

• Fix the behavior of portal folders when removing a portal. When a functional administrator removes a portal the Portal Service also removes their portal folders from the link lists.

Removed

• Remove the groups DC Backup Hosts and DC Slave Hosts from the default authorization groups in the UDM HTTP REST API. They come from the Nubus for UCS deployment and aren’t relevant in Nubus for Kubernetes. For more information about authorization groups in UDM HTTP REST API, see Authorization groups in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].

• Remove the following Helm Chart values from the Portal Consumer:

  • nubusPortalConsumer.securityContext.fsGroup

  • nubusPortalConsumer.mountSecrets

• Remove the nubusPortalServer.portalServer.credentialSecret Helm Chart value from the Portal Server.