Version 1.12.x#

This page shows the changelog for Nubus for Kubernetes 1.12.x:

Version 1.12.0 - 2025-07-31

Warning

Univention recommends operators to update directly to version Version 1.14.0 - 2025-09-18, because of a bug in keycloak-bootstrap that affects Version 1.12.x and Version 1.13.x. Version 1.14.0 supports upgrades directly from Version 1.11.2 - 2025-07-10.

The bug resets all two-factor authentication tokens and forces users to set up two-factor authentication for their accounts again. Version 1.14.x resolves this issue.

Important

Bundled dependencies using Bitnami images (PostgreSQL, MinIO, Memcached) require configuration changes, because Bitnami migrated their repositories from docker.io/bitnami to docker.io/bitnamilegacy. Deployments that use external dependencies aren’t affected. For more information, see Bitnami GitHub issue #35164.

If you deploy these dependencies with Nubus, override the image repositories in your custom_values.yaml as shown in the following listing.

Listing 1 Adjust image repositories for bundled dependencies#

postgresql:
  image:
    repository: bitnamilegacy/postgresql
  provisioning:
    image:
      repository: bitnamilegacy/postgresql
minio:
  image:
    repository: bitnamilegacy/minio
nubusUmcServer:
  memcached:
    image:
      repository: bitnamilegacy/memcached

Version 1.12.0 - 2025-07-31#

This is the seventeenth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.12.0, your deployment must run on version 1.11.0 to 1.11.2. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps#

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

Operators that have enabled the 2FA Helpdesk before this release need to perform the following steps:
1. Visit Keycloak Admin Console and switch to the Nubus realm.
2. Navigate to Client Scopes in the sidebar.
3. Select twofa-default and open the Mappers tab.
4. Open the groups-mapper entry.
5. Set Full group path to off and save the changes.
See also

Keycloak Admin Console
in Univention Nubus for Kubernetes - Operation Manual [1] for information about where to find the Keycloak Admin Console.
Operators that have configured the pullPolicy for the 2FA Helpdesk container images need to adjust the following variables:
- Move nubusTwofaHelpdesk.provisioning.image.imagePullPolicy to nubusTwofaHelpdesk.waitForDependency.image.pullPolicy.
- Move nubusTwofaHelpdesk.provisioningImage.imagePullPolicy to nubusTwofaHelpdesk.keycloakBootstrap.image.pullPolicy.
- Move nubusTwofaHelpdesk.twofaHelpdeskBackend.image.imagePullPolicy to nubusTwofaHelpdesk.twofaHelpdeskBackend.image.pullPolicy.
- Move nubusTwofaHelpdesk.twofaHelpdeskFrontend.image.imagePullPolicy to nubusTwofaHelpdesk.twofaHelpdeskFrontend.image.pullPolicy

Changes#

This section lists the changes in 1.12.0 grouped by component in Nubus for Kubernetes.

Portal Service#

Fix Portal frontend integration with the Intercom Service. Nubus for Kubernetes only loads the Intercom Service silent login and the news feed after user sign-in.
Add feature toggle nubusPortalServer.portalServer.featureToggles.api_me in the Portal Server to deactivate enrichment of user information in the Portal Frontend, such as display name. The activated API me feature can cause longer sign-in times.
Add feature flag in the Portal Frontend to improve the accessibility of lists. You can toggle it through the nubusPortalServer.portalServer.featureToggles.native_html_list Helm Chart value. The default value is false and deactivates the feature.

Operators that activate the toggle, need to review their custom CSS selectors for the Portal theme and verify if the custom theme still produces the expected results. For more information, see Customization of portal theme.
Portal HTML content in tooltips and notifications is now sanitized to prevent XSS vulnerabilities.

Keycloak#

Update Keycloak to version 26.3.1, which includes security fixes for CVE-2025-7365 and CVE-2025-7784.
Keycloak now runs with a read-only file-system.

2FA Helpdesk#

Activate the 2FA Administrator Helpdesk feature by default, allowing administrators to manage two-factor authentication for users from a web interface.
- Add nubusTwofaHelpdesk.twofaHelpdeskFrontend.config.enableSelfService.
- Add nubusTwofaHelpdesk.twofaHelpdeskFrontend.config.enableAdminHelpdesk.
- Add nubusStackDataUms.templateContext.twofaAdminHelpdeskActivated.
- Add nubusStackDataUms.templateContext.twofaSelfServiceActivated.
- Add nubusStackDataUms.templateContext.keycloakTwofaGroup.
- The value in nubusKeycloakBootstrap.bootstrap.twoFactorAuthentication.group was previously set to 2fa-users. The default value changed to 2FA Users. The 2fa-users user group remains functional to enforce two-factor authentication for users who are members of this user group.
Refactor container image values in 2FA Helpdesk Keycloak bootstrap:
- Move nubusTwofaHelpdesk.provisioning.image.* to nubusTwofaHelpdesk.waitForDependency.image.*
- Move nubusTwofaHelpdesk.provisioning.provisioningImage.* to nubusTwofaHelpdesk.keycloakBootstrap.image.*
- Move nubusTwofaHelpdesk.provisioning.* to nubusTwofaHelpdesk.keycloakBootstrap.*
Adhere 2FA Helpdesk Helm chart to best practices:
- Fix behavior for Kubernetes objects *.labels and .additionalLabels to make them uniform across all objects.
- Fix *.service.annotations, .additionalAnnotations, now included in the Kubernetes objects uniformly.
- Fix container images’ pullPolicy, which now defaults to null. See default Kubernetes behavior.
Remove leading slash from access token for 2FA Administrator Helpdesk.
Add token refreshing for 2FA Helpdesk.
Add nubusTwofaHelpdesk.twofaHelpdeskFrontend.config.postLogoutRedirectURI to configure the URI to redirect to after resetting a 2FA token in the 2FA Helpdesk. Nubus for Kubernetes redirects users to this URI who reset their 2FA token in the 2FA Self-service. The redirection ends their session through front-channel logout.

Provisioning Service#

Update NATS to version 2.11.6, which includes improvements for the sequence number handling.
Improve robustness of Provisioning Prefill with retries. The following variables allow configuring the retry behavior:

SCIM#

SCIM Server now restarts if the ConfigMap changes.
Fix SCIM user’s name formatting which caused None to be part of the generated user’s name if display name wasn’t present.
Rename SCIM Provisioning to SCIM Client.
SCIM wait for Keycloak no longer needs the /admin endpoint to be available.
SCIM Server allows unsetting of extended attributes.

Management UI#

You can hide potentially sensitive data in the UMC’s meta.json file using the experimental UCR variable global.configUcr.umc.web.meta.hide-sensible-data. Additionally, meta.json file no longer includes the server’s address by default. It’s now only visible during system setup.
Fix UMC ingress annotations that prevented the UMC deployment with nginx-ingress controller 1.12 and later.

LDAP directory service#

Fix LDAP Secondary configuration that prevented the component from scaling more than 8 replicas.

Others#

Update all components in Nubus for Kubernetes to use the UCS 5.2-2 base image and include bug fixes up to UCS 5.2 erratum 130. For UCS errata updates, see Security and bugfix errata for UCS 5.2. Reference date is 26. June 2025.

You can configure the primary groups for users and computers at the parent container objects where Nubus creates an object.
You can now deactivate the default global search container, that is All containers, through the UCR variable global.configUcr.directory.manager.web.modules.search.default-search. If deactivated, you can enable the UCR variable global.configUcr.directory.manager.web.modules.search.default-search to limit searches to module-specific default containers. This improves search performance and result relevance, especially in large environments with many objects.

Nubus for Kubernetes - Release Notes for 1.x

Version 1.12.x

Contents