.. SPDX-FileCopyrightText: 2025 Univention GmbH
..
.. SPDX-License-Identifier: AGPL-3.0-only

.. _v1.14.x:

**************
Version 1.14.x
**************

This page shows the changelog for Nubus for Kubernetes 1.14.x:

* :ref:`v1.14.0`
* :ref:`v1.14.1`

.. include:: ./bitnami-migration-warning.rst

.. _v1.14.1:

Version 1.14.1 - 2025-10-21
===========================

This is the twenty-first production release of Nubus for Kubernetes.

.. admonition:: Upgrade path

   For the upgrade to version 1.14.1,
   your deployment must run on version :ref:`1.14.0 <v1.14.0>`.
   For the general steps to upgrade an existing Nubus for Kubernetes deployment,
   see :external+uv-nubus-kubernetes-operation:ref:`nubus-upgrade`
   in :cite:t:`uv-nubus-kubernetes-operation`.

.. _v1.14.1-migration-steps:

Migration steps
---------------

There are no necessary migration steps for this release.

.. _v1.14.1-changes:

Changes
-------

This section lists the changes in 1.14.1 grouped by component in Nubus for Kubernetes.

* Update Keycloak to version 26.3.5,
  which includes security fixes for
  :uv:cve:`2025-58057`
  and :uv:cve:`2025-58056`.

.. _v1.14.0:

Version 1.14.0 - 2025-09-18
===========================

This is the twentieth production release of Nubus for Kubernetes.

.. admonition:: Upgrade path

   For the upgrade to version 1.14.0,
   your deployment must run on version :ref:`1.11.2 <v1.11.2>` to :ref:`1.13.1 <v1.13.1>`.
   For the general steps to upgrade an existing Nubus for Kubernetes deployment,
   see :external+uv-nubus-kubernetes-operation:ref:`nubus-upgrade`
   in :cite:t:`uv-nubus-kubernetes-operation`.

.. _v1.14.0-highlights:

Release highlights
------------------

OIDC in the Portal
   Use OIDC by default for authentication in the Portal.

.. _v1.14.0-migration-steps:

Migration steps
---------------

This section lists necessary migration steps
that may apply to you.
You need to run them **before** the upgrade.

#. Operators using an external PostgreSQL database for the *UMC Server* need to:

   * Move ``nubusUmcServer.umcServer.postgresql.connection.*`` to
     ``nubusUmcServer.umcServer.postgresql.selfservice.connection.*``.

   * Move ``nubusUmcServer.umcServer.postgresql.auth.*`` to
     ``nubusUmcServer.umcServer.postgresql.selfservice.auth.*``.

   * Add :envvar:`nubusUmcServer.postgresql.authSession.connection.host`.

   * Add :envvar:`nubusUmcServer.postgresql.authSession.connection.port`.

   * Add ``nubusUmcServer.postgresql.authSession.connection.auth.*``
     with the structure outlined in :ref:`v1.10.0-nubus-general-secret-structure-listing`.

#. Operators upgrading from 1.11.2
   need to follow and apply the migration steps outlined in
   :ref:`v1.12.0 - Migration steps <v1.12.0-migration-steps>`
   and in :ref:`v1.13.0 - Migration steps <v1.13.0-migration-steps>`.

#. Operators upgrading from 1.11.2
   need to manually enable the front-channel logout
   on the UMC SAML client in the *Keycloak Admin Console*.

   1. Sign in to the :external+uv-nubus-kubernetes-operation:ref:`getting-started-keycloak-admin-console`.

   2. Select *Manage realms* in the left sidebar.

   3. Select the *realm* ``nubus``.

   4. Select *Clients* in the left sidebar.

   5. Select the client ``UMC SAML``.

   6. Enable ``Front channel logout`` in the *Logout settings*.

   7. Click :guilabel:`Save`.
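
The following Python helper is an added example, not part of Nubus for Kubernetes or its tooling. It applies the two moves from the first migration step to Helm values already loaded as a nested mapping and lists the ``authSession`` values that still need to be added. The function names and the sample values are assumptions of this example.

```python
import copy

# Dotted Helm value paths to move, taken from the migration steps above.
MOVES = [
    ("nubusUmcServer.umcServer.postgresql.connection",
     "nubusUmcServer.umcServer.postgresql.selfservice.connection"),
    ("nubusUmcServer.umcServer.postgresql.auth",
     "nubusUmcServer.umcServer.postgresql.selfservice.auth"),
]
# Values the migration steps say to add for the auth session database.
REQUIRED = [
    "nubusUmcServer.postgresql.authSession.connection.host",
    "nubusUmcServer.postgresql.authSession.connection.port",
    "nubusUmcServer.postgresql.authSession.connection.auth",
]

def lookup(tree, path):
    """Return the value at a dotted path, or None if a segment is missing."""
    for key in path.split("."):
        if not isinstance(tree, dict) or key not in tree:
            return None
        tree = tree[key]
    return tree

def migrate(values):
    """Return (migrated copy, missing required paths); the input is not modified."""
    new = copy.deepcopy(values)
    for src, dst in MOVES:
        subtree = lookup(new, src)
        if subtree is None:
            continue  # nothing configured under the old path
        if lookup(new, dst) is not None:
            raise ValueError(f"{dst} is already set, refusing to overwrite it")
        parent, _, leaf = src.rpartition(".")
        del lookup(new, parent)[leaf]
        node = new
        *parents, leaf = dst.split(".")
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = subtree
    missing = [p for p in REQUIRED if lookup(new, p) in (None, "", {})]
    return new, missing

# Constructed sample: host, port and the key under "auth" are placeholders.
SAMPLE = {"nubusUmcServer": {"umcServer": {"postgresql": {
    "connection": {"host": "db.example.internal", "port": 5432},
    "auth": {"placeholderKey": "placeholder"}}}}}

if __name__ == "__main__":
    print(migrate(SAMPLE))
```

Load your values file with a YAML parser of your choice and pass the resulting mapping to ``migrate``; an empty second return value means none of the listed ``authSession`` values is missing.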

.. _v1.14.0-changes:

Changes
-------

This section lists the changes in 1.14.0 grouped by component in Nubus for Kubernetes.

.. _v1.14.0-changes-portal:

Portal Service
~~~~~~~~~~~~~~

* Use OIDC by default for authentication in the Portal.
  Operators using OIDC get back-channel logout support.

* Add OIDC login tile to the *Portal* login page.

* SAML is still supported and you can re-enable it.
  Existing SAML sessions will continue to work
  while Nubus for Kubernetes still has the SAML *UMC Server* ingress enabled.
  This release deactivates the SAML login tile.

* :envvar:`nubusPortalServer.portalServer.authMode` is now ``oidc``.
  This enables OIDC authentication in the Portal.

.. _v1.14.0-changes-keycloak-bootstrap:

Keycloak bootstrap
~~~~~~~~~~~~~~~~~~

* Fix recreation of the LDAP federation in Keycloak,
  which caused users' TOTP to be lost on updates to Nubus 1.12.0 and onward.

* Add UMC OIDC client to Keycloak.

* Add ``nubusKeycloakBootstrap.oidc.rp.umcserver.clientSecret.*``
  with the structure outlined in :ref:`v1.10.0-nubus-general-secret-structure-listing`,
  allowing configuration for the client secret
  for the UMC OIDC client in Keycloak.

.. _v1.14.0-changes-umc-server:

UMC Server
~~~~~~~~~~

This release modifies the following configuration variables:

* Add ``nubusUmcServer.umcServer.oidcClient.auth.*``
  with the structure outlined in :ref:`v1.10.0-nubus-general-secret-structure-listing`.

* Add :envvar:`nubusUmcServer.postgresql.authSession.config.poolSize`.

* Add :envvar:`nubusUmcServer.postgresql.authSession.config.maxOverflow`.

* Add :envvar:`nubusUmcServer.postgresql.authSession.config.poolTimeout`.

* Add :envvar:`nubusUmcServer.postgresql.authSession.config.poolRecycle`.
