
.. SPDX-FileCopyrightText: 2024-2025 Univention GmbH
..
.. SPDX-License-Identifier: AGPL-3.0-only

.. _v1.7.x:

*************
Version 1.7.x
*************

This page shows the changelog for Nubus for Kubernetes 1.7.x.

.. include:: ./bitnami-migration-warning.rst

.. _v1.7.0:

Version 1.7.0 - 2025-02-23
==========================

This is the sixth production release of Nubus for Kubernetes.

.. admonition:: Upgrade path

   For the upgrade to version 1.7.0,
   your deployment must run on version 1.6.0.
   For the general steps to upgrade an existing Nubus for Kubernetes deployment,
   see :external+uv-nubus-kubernetes-operation:ref:`nubus-upgrade`
   in :cite:t:`uv-nubus-kubernetes-operation`.

.. _v1.7.0-migration-steps:

Migration steps
---------------

This section outlines the steps that apply to existing Nubus for Kubernetes installations.
You need to run them **before** the upgrade.

Change Helm Chart values
~~~~~~~~~~~~~~~~~~~~~~~~

**Before** you run the upgrade, you need to prepare your values file:

#. Replace ``global.nubusMasterPassword`` with :envvar:`global.secrets.masterPassword`.
   If you configure it with the same value,
   the generated passwords keep the same values as before.

#. Clean up the ``nubusStackDataUms`` Helm Chart values.
   If you configured custom values for them, you need to update them.
   For the affected Helm Chart values, see :ref:`Changes in nubusStackDataUms <v1.7.0-changed-stack-data-ums>`.

.. _v1.7.0-migration-pvc:

Recreate Portal Consumer
~~~~~~~~~~~~~~~~~~~~~~~~

The *Portal Consumer* pod now runs as a different, non-root user
and doesn't have the permissions to modify or create the existing group cache file.
The persistent volume claim (PVC) doesn't contain vital data.
Running the upgrade afterwards with :command:`helm upgrade …`
recreates the PVC and the *StatefulSet* Kubernetes object,
and the *Portal Consumer* pod recreates the content of the PVC.

You also need to run the following steps **before** the upgrade:

#. Set environment variables to identify your Nubus for Kubernetes installation.

   Run the commands in
   :numref:`v1.7.0-migration-step-initialization-listing`.

   .. code-block:: console
      :caption: Initialize environment variables
      :name: v1.7.0-migration-step-initialization-listing

      $ export NAMESPACE_FOR_NUBUS="Set to your Kubernetes namespace"
      $ export RELEASE_NAME="The Helm Chart release name"

#. Delete the persistent volume claim for the group membership cache
   and the *StatefulSet* object of the *Portal Consumer*.

   Run the commands in
   :numref:`v1.7.0-migration-remove-portal-consumer-listing`.

   .. code-block:: console
      :caption: Delete volume and *StatefulSet* of the *Portal Consumer*
      :name: v1.7.0-migration-remove-portal-consumer-listing

      $ kubectl \
         --namespace "$NAMESPACE_FOR_NUBUS" \
         delete pvc \
         "group-membership-cache-$RELEASE_NAME-portal-consumer-0"
      $ kubectl \
         --namespace "$NAMESPACE_FOR_NUBUS" \
         delete statefulset \
         "$RELEASE_NAME-portal-consumer"

.. _v1.7.0-added:

Added
-----

* Add the ad hoc provisioning plugin to *Keycloak* in the *Identity Provider*.
  Ad hoc provisioning federates *Keycloak* with an external identity provider:
  when users sign in to Nubus for the first time with their external user accounts,
  Keycloak automatically creates a user account for them in Nubus.

* Add the API endpoint to the *Portal Server*
  so that the *Portal Frontend* fetches and shows details
  about the signed-in user, such as their profile picture.

  Add the ``nubusStackDataUms.templateContext.svcPortalServerUserPassword`` Helm Chart value
  and configure it explicitly in production deployments.
  If you don't supply a value, Kubernetes generates a random password.

  To configure the client access of the *Portal Service*
  so that it can use the *UDM HTTP REST API*,
  use the following values structure.

  .. code-block:: yaml

      nubusPortalServer:
        udm:
          connection:
            url: null
          auth:
            username: "svc-portal-server"
            password: null
            existingSecret:
              name: null
              keyMapping:
                password: null

* Add the Helm Chart value :envvar:`global.udm.connection.url`.

* Add toggles to activate or deactivate specific features in the *Portal Service*.

  Operators can toggle features in the *Portal Service*
  through Helm Chart values for the *Portal Server*.
  The configuration also applies to the *Portal Frontend*.
  The following feature toggles are available:

  :envvar:`nubusPortalServer.portalServer.featureToggles.centered_layout`
     It's deactivated by default with the value ``false``.

  :envvar:`nubusPortalServer.portalServer.featureToggles.notifications_api`
     It's activated by default with the value ``true``.

  :envvar:`nubusPortalServer.portalServer.featureToggles.umc_session_refresh`
     It's activated by default with the value ``true``.

* Add the following actions to the *UDM data loader* plugin type:

  ``ensure_list_does_not_contain``
     The companion action to the existing ``ensure_list_contains`` action.
     This data loader action enforces, for example,
     that a user isn't in a specific user group,
     without overwriting all other groups.

  ``modify_if_exists``
     This data loader action modifies a UDM object
     without raising an error if that object doesn't exist.

  ``create_or_modify``
     This data loader action now also works for the ``users/user`` *UDM module*.
     It handles LDAP distinguished names (DNs)
     that start with either ``uid=`` or ``cn=``.

  For more information about *UDM data loader* actions,
  see :external+uv-nubus-customization:ref:`nubus-packaged-integrations-udm-data-loader-actions`
  in :cite:t:`uv-nubus-customization`.

* Add the user group ``Domain Service Users``.
  Its members can access the *UDM HTTP REST API*,
  because the group is one of the authorization groups for that API.
  The group is intended for services, for example the *Portal Service*,
  which queries data from the *Directory Manager* through the *UDM HTTP REST API*,
  such as information about the signed-in user.
  For more information,
  see :external+uv-nubus-customization:ref:`customization-api-udm-rest-auth-group`
  in :cite:t:`uv-nubus-customization`.

.. _v1.7.0-changed:

Changed
-------

* Replace ``global.nubusMasterPassword`` with :envvar:`global.secrets.masterPassword`.

* Update the container images based on UCS to version ``5.2-0``.

* Update *Keycloak* from version ``25.0.1`` to ``25.0.6``.

.. _v1.7.0-changed-stack-data-ums:

* Clean up the ``nubusStackDataUms`` part of the Helm Chart.

  If you configured any of the following Helm Chart values in your custom values file,
  you need to update them:

  - ``nubusStackDataUms.umcMemcachedHostname``
    to :envvar:`nubusStackDataUms.nubusUmcServer.memcached.connection.host`

  - ``nubusStackDataUms.umcMemcachedUsername``
    to :envvar:`nubusStackDataUms.nubusUmcServer.memcached.auth.username`

  - ``nubusStackDataUms.umcPostgresqlHostname``
    to :envvar:`nubusStackDataUms.nubusUmcServer.postgresql.connection.host`

  - ``nubusStackDataUms.umcPostgresqlPort``
    to :envvar:`nubusStackDataUms.nubusUmcServer.postgresql.connection.port`

  - ``nubusStackDataUms.umcPostgresqlUsername``
    to :envvar:`nubusStackDataUms.nubusUmcServer.postgresql.auth.username`

  - ``nubusStackDataUms.umcPostgresqlDatabase``
    to :envvar:`nubusStackDataUms.nubusUmcServer.postgresql.auth.database`

.. _v1.7.0-fixed:

Fixed
-----

* Fix an issue with the username and the password of the PostgreSQL database credentials.
  They didn't allow special characters that strong passwords use, such as ``/`` and ``@``.

* Fix an issue where Gmail rejected emails from the *User Self Service*,
  because of an improper ``Message-Id`` email header.

* Fix the security context on the *Portal Consumer*.
  The *Portal Consumer* didn't apply the security context
  to run as non-root user with a read-only file system.
  For the migration steps,
  see :ref:`v1.7.0-migration-pvc`.

* Fix an issue with the *Dispatcher* in the *Provisioning Service*.
  If the connection to the message queue provided by *NATS* fails,
  the *Dispatcher* retries for 10 seconds and then crashes deliberately,
  so that Kubernetes takes over handling the pod.

* Fix for the *Authorization Service*
  so that operators can specify resources for the *Guardian* Kubernetes pods.

* Fix the volume mounts in the extension mechanism for using plugin types
  so that the containers use read-only volume mounts.

* Fix a double definition of the ``resource`` YAML key in the *UDM Listener* *StatefulSet*
  by removing the second unnecessary definition.

* Fix an issue in the *Keycloak Extension Proxy*
  so that it evaluates the PostgreSQL ``SSL`` variable correctly.

* Fix an issue in the *Keycloak Extension Proxy*
  so that it no longer crashes
  when *Keycloak* returns a successful response with a JSON Web Token (JWT).

.. _v1.7.0-removed:

Removed
-------

Remove the UCR variable ``umc/module/udm/oxmail/oxcontext/disabled`` from *Stack Data*,
which loads the data that initializes Nubus for Kubernetes.
This fixes an error
where the tile for the *OX Context* didn't show up in the *Management UI*.

If you, as operator, want to deactivate the tile for the *OX Context*,
set the following value in your Helm Chart values file:
``global.configUcr.umc.module.udm.oxmail.oxcontext.disabled: "True"``.
