Version 1.10.x

This page shows the changelog for Nubus for Kubernetes 1.10.x:

• Version 1.10.2 - 2025-06-06

• Version 1.10.1 - 2025-06-02

• Version 1.10.0 - 2025-05-27

Version 1.10.2 - 2025-06-06

This is the twelfth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.10.2, your deployment must run on version 1.9.0 to 1.9.2. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

1. Follow and apply the migration steps outlined in v1.10.0 - Migration steps.

Changes

• Correct the behavior of two Helm variables in the UDM REST API univentionObjectIdentifier migration job: The variables nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.imagePullPolicy and nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.registry are now effective at controlling the image registry and pull policy for the container image used in the job.

Version 1.10.1 - 2025-06-02

This is the eleventh production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.10.1, your deployment must run on version 1.9.0 to 1.9.2. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

1. Follow and apply the migration steps outlined in v1.10.0 - Migration steps.

Changes

• Remove quotes from additional annotations in UDM REST API Blocklists cleanup job.

Version 1.10.0 - 2025-05-27

This is the tenth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.10.0, your deployment must run on version 1.9.0 to 1.9.2. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration-steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

1. Operators have to delete the following Keycloak clients from the Keycloak Admin Console before upgrading due to a wrong configuration that prohibited access to the Guardian:

   • guardian-scripts

   • guardian-management-api

   • guardian-ui

   The upgrade process recreates the proper client configuration in Keycloak.

2. It’s necessary for operators to trigger the generation of the univentionObjectIdentifier for existing UDM objects and directory objects, because future releases of Nubus for Kubernetes rely on it.

   Recommendation:

   The Helm chart already creates a migration job in a suspended state. Run the migration job as shown in listing Listing 2 at a time with low system load on the cluster. It takes around 6 minutes per 100.000 LDAP objects.

   After a successful run, you can optionally deactivate the job by setting nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.enabled to false so that Kubernetes doesn’t create the job again. If you keep the job activated, it doesn’t have a negative impact.

   Listing 2 Run the migration job for univentionObjectIdentifier

   $ kubectl patch job/<JOB_NAME> \
       --type=strategic \
       --patch '{"spec":{"suspend":false}}'
   

3. Operators that make use of the following UDM Listener secrets variables, need to adjust these accordingly:

   • Rename nubusUdmListener.ldap.credentialSecret.* to nubusUdmListener.ldap.auth.existingSecret.*.

   • Rename nubusUdmListener.nats.auth.credentialSecret.* to nubusUdmListener.nats.auth.existingSecret.*

   • Rename nubusUdmListener.provisioningApi.auth.credentialSecret.* to nubusUdmListener.provisioningApi.auth.existingSecret.*

   • Move Provisioning username sourced from secret key in nubusUdmListener.provisioningApi.auth.credentialSecret.userNameKey to a non-secret value nubusUdmListener.provisioningApi.auth.username.

   For the structure of existingSecret, see Listing 3.

Changes

• The UMC Server initialization containers now run as non-root.

• The Portal Consumer initialization containers now run as non-root and with a read-only file system.

• The Guardian initialization containers now run as non-root and with a read-only file system.

• Fix Authorization Service guardian-ui Keycloak client missing redirect URL and scopes, which caused the login flow at the Guardian API to fail.

• Remove the pre-configured report generation from the menu in the user accounts view of the UMC Server of the Management UI.

• Fix warnings on the ingress controller by adjusting Nginx annotations.

• Refactor UDM secret configuration for Stack Data job at nubusStackDataUms.udm.auth.existingSecret.* with the structure outlined in Listing 3. The default values remain the same. No migration steps are necessary.

  Listing 3 Nubus general secret structure

  auth:
    # If we support configuring the username for a secret, username will be present.
    username: ""
    # Password may be called differently for different components
    # such as object storage and portal central navigation.
    password: ""
    existingSecret:
      name: ""
      keyMapping:
        password: ""
  

• Enable Blocklists by default. Blocklists allow administrators to block values, such as email addresses, from being re-used until an expiration date.

  • Add the following Helm Chart variables at nubusUdmRestApi.blocklistCleanup.*:

    • nubusUdmRestApi.blocklistCleanup.enabled

    • nubusUdmRestApi.blocklistCleanup.schedule

    • nubusUdmRestApi.blocklistCleanup.image.repository

    • nubusUdmRestApi.blocklistCleanup.image.registry

    • nubusUdmRestApi.blocklistCleanup.image.imagePullPolicy

    • nubusUdmRestApi.blocklistCleanup.image.tag

• Allow configuration of the size and storage class of the persistent volume in UDM Listener, for example, to allow importing large amounts of users.

  • nubusUdmListener.persistence.storageClass

  • nubusUdmListener.persistence.size

• Add univentionObjectIdentifier to all UDM object types.

  The univentionObjectIdentifier is a unique UUID4 identifier for objects in the Directory Service. Operators can use it when connecting Nubus to other systems, to uniquely identify objects across the different systems and services.

  • Add the following Helm Chart variables at nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.*:

    • nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.enabled

    • nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.suspend

    • nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.pythonLogLevel

    • nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.imagePullPolicy

    • nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.registry

    • nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.repository

    • nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.tag

• Starting with this version of Nubus for Kubernetes, UDM HTTP REST API and UMC create UDM objects with univentionObjectIdentifier. If not explicitly configured otherwise, they use a UUID4 to generate the identifier.