Version 1.11.x

This page shows the changelog for Nubus for Kubernetes 1.11.x:

• Version 1.11.2 - 2025-07-10

• Version 1.11.1 - 2025-07-02

• Version 1.11.0 - 2025-06-30

Important

Bundled dependencies using Bitnami images (PostgreSQL, MinIO, Memcached) require configuration changes, because Bitnami migrated their repositories from docker.io/bitnami to docker.io/bitnamilegacy. Deployments that use external dependencies aren’t affected. For more information, see Bitnami GitHub issue #35164.

If you deploy these dependencies with Nubus, override the image repositories in your custom_values.yaml as shown in the following listing.

Listing 2 Adjust image repositories for bundled dependencies

postgresql:
  image:
    repository: bitnamilegacy/postgresql
  provisioning:
    image:
      repository: bitnamilegacy/postgresql
minio:
  image:
    repository: bitnamilegacy/minio
nubusUmcServer:
  memcached:
    image:
      repository: bitnamilegacy/memcached

Version 1.11.2 - 2025-07-10

This is the sixteenth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.11.2, your deployment must run on version 1.9.0 to 1.11.1. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade. Follow and apply the migration steps outlined in v1.11.0 - Migration steps.

Changes

Increase resilience of the UDM Listener in the Provision Service and its queues managed by NATS through the following changes:

• The UDM Listener container in the Provisioning Service automatically terminates and restarts in case of errors, for example, if the NATS system isn’t reachable.

• The UDM Listener logs verbosely in case of errors to facilitate future troubleshooting.

• The UDM Listener Helm chart provides an init container to wait until NATS is available before starting message processing.

• The UDM Listener container retries sending messages to NATS to mitigate short network disruptions.

• New configuration parameters:

  nubusUdmListener.config.natsRetryDelay

  Defines the delay between a retry to connect to the NATS server. The default value is 10 seconds.

  nubusUdmListener.config.natsMaxRetryCount

  Defines the maximum number of retry attempts for interacting with the NATS server. The default value is 3.

Version 1.11.1 - 2025-07-02

This is the fifteenth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.11.1, your deployment must run on version 1.9.0 to 1.11.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade. Follow and apply the migration steps outlined in v1.11.0 - Migration steps.

Changes

The wait-for-ldap init container of the update-univention-object-identifier now correctly uses the nubusUdmRestApi.initResources value.

Version 1.11.0 - 2025-06-30

This is the fourteenth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.11.0, your deployment must run on version 1.9.0 to 1.10.2. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Release highlights

Nubus for Kubernetes 1.11.0 provides the following highlights:

1. Integration of a SCIM server for standardized user and group provisioning through the SCIM 2.0 protocol.

   Important

   The status of the Nubus SCIM Server is experimental. Nubus for Kubernetes deactivates it by default. To use the Nubus SCIM Server, consult the Univention Support first.

2. Integration of a 2FA Helpdesk which allows administrators to manage two-factor authentication methods for users.

   Important

   The 2FA Helpdesk feature is in preview status. Nubus for Kubernetes deactivates it by default.

3. Major refactoring of secrets management across all components in Nubus for Kubernetes to improve consistency, security, and ease of configuration. Sub-charts now manage their own secrets using a standardized pattern.

Migration steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

1. Depending on your starting version for the update, follow the migration steps in ascending order.

   • If your starting point is 1.9.x:

     • Migration steps up to 1.9.2.

     • Migration steps for 1.10.0 to 1.10.2.

     • Migration steps for 1.11.0.

     • Run the upgrade.

   • If your starting point is 1.10.x:

     • Migration steps for up to 1.10.2.

     • Migration steps for 1.11.0.

     • Run the upgrade.

2. Operators using the Notifications API must explicitly set the database username in your values file, because the default database username changed from notificationsapi_user to notificationsapi.

   Listing 3 Migration for Notifications API database username

   nubusNotificationsApi:
     postgresql:
       auth:
         username: "notificationsapi_user"
   

3. Rename the Helm Chart value image.imagePullPolicy to image.pullPolicy in many sub-charts for consistency. The Helm Chart no longer sets their values to IfNotPresent by default. Instead, the Helm Chart now unsets them to allow the Kubernetes default behavior.

   UDM REST API

   • Add nubusUdmRestApi.waitForDependency.image.pullPolicy.

   • Rename nubusUdmRestApi.blocklistCleanup.image.imagePullPolicy to nubusUdmRestApi.blocklistCleanup.image.pullPolicy.

   • Rename nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.imagePullPolicy to nubusUdmRestApi.ldapUpdateUniventionObjectIdentifier.image.pullPolicy.

   • Rename nubusUdmRestApi.udmRestApi.image.imagePullPolicy to nubusUdmRestApi.udmRestApi.image.pullPolicy.

   LDAP server

   • Rename nubusLdapServer.dhInitContainer.image.imagePullPolicy to nubusLdapServer.dhInitContainer.image.pullPolicy.

   • Rename nubusLdapServer.ldapServer.image.imagePullPolicy to nubusLdapServer.ldapServer.image.pullPolicy.

   • Rename nubusLdapServer.ldifProducer.image.imagePullPolicy to nubusLdapServer.ldifProducer.image.pullPolicy.

   • Rename nubusLdapServer.waitForDependency.image.imagePullPolicy to nubusLdapServer.waitForDependency.image.pullPolicy.

   Notifications API

   • Rename nubusNotificationsApi.image.imagePullPolicy to nubusNotificationsApi.image.pullPolicy.

   Portal Consumer

   • Rename nubusPortalConsumer.portalConsumer.image.imagePullPolicy to nubusPortalConsumer.portalConsumer.image.pullPolicy.

   • Rename nubusPortalConsumer.waitForDependency.image.imagePullPolicy to nubusPortalConsumer.waitForDependency.image.pullPolicy.

   • Rename nubusPortalFrontend.image.imagePullPolicy to nubusPortalFrontend.image.pullPolicy.

   Provisioning

   • Rename nubusPortalServer.image.imagePullPolicy to nubusPortalServer.image.pullPolicy.

   • Rename nubusProvisioning.api.image.imagePullPolicy to nubusProvisioning.api.image.pullPolicy.

   • Rename nubusProvisioning.dispatcher.image.imagePullPolicy to nubusProvisioning.dispatcher.image.pullPolicy.

   • Rename nubusProvisioning.prefill.image.imagePullPolicy to nubusProvisioning.prefill.image.pullPolicy.

   • Rename nubusProvisioning.registerConsumers.image.imagePullPolicy to nubusProvisioning.registerConsumers.image.pullPolicy.

   • Rename nubusProvisioning.udmTransformer.image.imagePullPolicy to nubusProvisioning.udmTransformer.image.pullPolicy.

   Stack Data

   • Rename nubusStackDataUms.image.imagePullPolicy to nubusStackDataUms.image.pullPolicy.

   Self Service Consumer

   • Rename nubusSelfServiceConsumer.image.imagePullPolicy to nubusSelfServiceConsumer.image.pullPolicy.

   • Rename nubusSelfServiceConsumer.waitForDependency.image.imagePullPolicy to nubusSelfServiceConsumer.waitForDependency.image.pullPolicy.

   UMC gateway

   • Rename nubusUmcGateway.image.imagePullPolicy to nubusUmcGateway.image.pullPolicy.

   UMC server

   • Rename nubusUmcServer.image.imagePullPolicy to nubusUmcServer.image.pullPolicy.

4. Refactor secrets across more components in Nubus for Kubernetes. Operators that customize any of the following Helm Chart values, need to migrate their values to the new structure.

   Operators using the master password global.secrets.masterPassword and the Nubus secret generation don’t need to migrate. Listing 6 outlines the refactored secrets structure.

   Global

   • Move LDAP server plain password from global values global.ldap.auth.cnAdmin.password to the sub-chart that owns this secret nubusLdapServer.ldapServer.auth.password.

   • Migrate global.ldap.auth.cnAdmin.existingSecret.* to the new secret structure under global.ldap.auth.admin.existingSecret.*. You can no longer specify the plain secret globally, but only through the LDAP server sub-chart.

   LDAP server

   • Move nubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.NATS_USERNAME out of the secret. Specify the username now through nubusLdapServer.ldifProducer.nats.auth.username.

   • Rename nubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.NATS_PASSWORD to nubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.password.

   License Import

   • Move nubusLicenseImport.ldap.auth.username to nubusLicenseImport.ldap.auth.bindDn.

   Portal Consumer

   • Move nubusPortalConsumer.portalConsumer.udmApiUsername to nubusPortalConsumer.udm.auth.username.

   • Rename nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.accessKey to nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.access_key_id.

   • Rename nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.secretKey to nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.secret_access_key.

   • Migrate nubusPortalConsumer.portalConsumer.machineSecret to the new secret structure under nubusPortalConsumer.udm.auth.*.

   Portal server

   • Move nubusPortalServer.portalServer.centralNavigation.sharedSecret to nubusPortalServer.portalServer.centralNavigation.auth.sharedSecret.

   • Move nubusPortalServer.portalServer.centralNavigation.existingSecret.name to the new secret structure under nubusPortalServer.portalServer.centralNavigation.auth.existingSecret.name.

   • Move nubusPortalServer.portalServer.centralNavigation.existingSecret.keyMapping.password to nubusPortalServer.portalServer.centralNavigation.auth.existingSecret.keyMapping.shared_secret.

   • Rename nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.accessKey to nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.access_key_id.

   • Rename nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.secretKey to nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.secret_access_key.

   Provisioning

   • Move nubusProvisioning.api.auth.adminPassword to nubusProvisioning.api.auth.admin.password.

   • Move nubusProvisioning.api.auth.prefillPassword to nubusProvisioning.api.auth.prefill.password.

   • Move nubusProvisioning.api.nats.auth.existingSecret.keyMapping.provisioningApiPassword to nubusProvisioning.api.nats.auth.existingSecret.keyMapping.password.

   • Move nubusProvisioning.dispatcher.nats.auth.existingSecret.keyMapping.dispatcherPassword to nubusProvisioning.dispatcher.nats.auth.existingSecret.keyMapping.password.

   • Move nubusProvisioning.prefill.nats.auth.existingSecret.keyMapping.prefillPassword to nubusProvisioning.prefill.nats.auth.existingSecret.keyMapping.password.

   • Move nubusProvisioning.udmTransformer.nats.auth.existingSecret.keyMapping.udmTransformerPassword to nubusProvisioning.udmTransformer.nats.auth.existingSecret.keyMapping.password.

   • Move nubusProvisioning.ldap.auth.* to nubusProvisioning.udmTransformer.ldap.auth.*

   Self Service Consumer

   • Remove unused variable nubusSelfServiceConsumer.nats.auth.password.

   Stack Data

   • Migrate nubusStackDataUms.stackDataUms.udmApiUser and nubusStackDataUms.stackDataUms.udmApiPassword to the new secret structure under nubusStackDataUms.udm.auth.*.

   UDM Listener

   • Migrate nubusUdmListener.config.ldapPassword to the new secret structure under nubusUdmListener.ldap.auth.*.

   • Migrate nubusUdmListener.config.eventsUsernameUdm and nubusUdmListener.config.eventsPasswordUdm to the new secret structure under nubusUdmListener.provisioningApi.auth.*.

   • Migrate nubusUdmListener.config.natsUser and nubusUdmListener.config.natsPassword to the new secret structure under nubusUdmListener.nats.auth.*.

   UDM REST API

   • Move nubusUdmRestApi.udmRestApi.ldap.auth.* to nubusUdmRestApi.ldap.auth.*.

   UMC server

   • Migrate nubusUmcServer.ldap.existingSecret.name to the new secret structure under nubusUmcServer.ldap.auth.existingSecret.name.

   • Migrate nubusUmcServer.ldap.existingSecret.keyMapping.ldapPasswordKey to the new secret structure under nubusUmcServer.ldap.auth.existingSecret.keyMapping.password.

   • Migrate nubusUmcServer.smtp.existingSecret.name to the new secret structure under nubusUmcServer.smtp.auth.existingSecret.name.

   • Migrate nubusUmcServer.umcServer.smtpSecret to the new secret structure under nubusUmcServer.smtp.auth.password.

Changes

• Univention Object Identifier migration job waits for the LDAP server to be ready before starting the migration.

• Fix typo in nubusPortalServer.portalServer.newsfeed.feedtype to nubusPortalServer.portalServer.newsfeed.feedType.

• Fix UMC policy that caused the UMC LDAP browser to throw an error when accessing Policies within certain groups such as Domain Admins.

• Use default cluster Ingress class when not specified under global.ingressClass

• Update Keycloak to version 26.2.5.

• LDAP objects which exist from scratch and are not created by UDM now include the univentionObjectIdentifier.

• New Device Login email notifications from the Keycloak Extensions now include a configurable timezone that you can configure through the nubusKeycloakExtensions.handler.appConfig.emailNotificationTimezone Helm Chart value. Valid values are IANA Timezones.

• Integrate Nubus SCIM Server component. Nubus for Kubernetes deactivates it by default. It provides a standardized API for user and group management. For information how to activate it and its setup, see Nubus SCIM in [1].

  Important

  The status of the Nubus SCIM Server is experimental. Nubus for Kubernetes deactivates it by default. To use the Nubus SCIM Server, consult the Univention Support first.

• Integrate 2FA Helpdesk in the Management UI. 2FA Helpdesk provides a user interface for administrators to manage 2FA tokens for users, and adds a tile to the portal for users and administrators. You can enable it by setting the following Helm Chart values to true:

  • nubusTwofaHelpdesk.enabled

  • nubusTwofaHelpdesk.twofaHelpdeskFrontend.enableSelfService

  • nubusTwofaHelpdesk.twofaHelpdeskFrontend.enableAdminHelpdesk

  • nubusStackDataUms.templateContext.twofaAdminHelpdeskActivated

  • nubusStackDataUms.templateContext.twofaSelfServiceActivated

  Important

  The 2FA Helpdesk feature is in preview status. Nubus for Kubernetes deactivates it by default.

• Update all components in Nubus for Kubernetes to use the UCS 5.2-2 base image and include bug fixes up UCS 5.2 erratum 117 with the reference date is 12. June 2025. For UCS errata updates,