Version 1.15.x

This page shows the changelog for Nubus for Kubernetes 1.15.x:

• Version 1.15.0 - 2025-11-11

• Version 1.15.1 - 2025-11-13

Version 1.15.1 - 2025-11-13

This is the twenty-second production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.15.1, your deployment must run on version 1.14.0 to 1.15.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps

There are no necessary migration steps for this release.

Changes

This section lists the changes in 1.15.1 grouped by component in Nubus for Kubernetes.

Keycloak Extensions

• Fix invalid probe syntax in the deployment configuration.

Version 1.15.0 - 2025-11-11

This is the twenty-first production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.15.0, your deployment must run on version 1.14.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Release highlights

OIDC back-channel logout in the Portal

The portal immediately ends active sessions of a user when the Identity Provider sends a back-channel logout request.

OIDC back-channel logout with federated Identity Provider

Scenarios that use federation with an upstream identity provider (IdP), back-channel logout requests from the upstream IdP trigger back-channel logout requests to clients relying on Keycloak, the local IdP.

Simplified configuration of dependencies

The Helm Chart provides examples for the installation of Nubus for Kubernetes. The examples include bundled dependencies for test and demonstration purposes, and externally provided dependencies for production scenarios.

Portal accessibility improvements

Improve UMC tiles and groups accessibility in the Portal, especially when using screen readers.

Migration steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

1. Operators who customize the resources in the Self Service Consumer need to move the configuration of resource dependencies to the following property:

   • Move nubusSelfServiceConsumer.resourcesWaitForDependency.* to nubusSelfServiceConsumer.initResources.*.

2. Operators who customize the resources in the Portal Consumer need to move the configuration of resource dependencies to the following property:

   • Move nubusPortalConsumer.resourcesWaitForDependency.* to nubusPortalConsumer.initResources.*.

3. Operators who configure the username of the NATS user for the components in the Provisioning Service need to adapt their configuration.

   For each component provisioningApi, dispatcher, udmTransformer, prefill, udmListener you need to adapt the existing secrets:

   • Move nubusProvisioning.nats.config.createUsers.<component>.user to nubusProvisioning.nats.config.createUsers.<component>.auth.username.

4. Operators who use existing secrets to configure NATS passwords in the Provisioning Service need to adapt their configuration.

   • In the previous configuration, nubusProvisioning.nats.config.createUsers.<component>.password contained a template string referencing an environment variable. Find the corresponding entry in nubusProvisioning.nats.extraEnvVars where the name field matches the environment variable.

   • Move valueFrom.secretKeyRef.name from that extraEnvVars entry to nubusProvisioning.nats.config.createUsers.<component>.auth.existingSecret.name.

   • Move valueFrom.secretKeyRef.key from that extraEnvVars entry to nubusProvisioning.nats.config.createUsers.<component>.auth.existingSecret.keyMapping.password.

   • Remove the entry from nubusProvisioning.nats.extraEnvVars.

   For detailed examples, see Provisioning Service secrets in Univention Nubus for Kubernetes - Operation Manual [1].

5. Operators who use a provided secret value for the NATS administrator password need to adapt their configuration:

   • Move nubusProvisioning.nats.auth.adminPassword to nubusProvisioning.nats.config.createUsers.adminUser.auth.password.

6. Operators who use existing secrets for the NATS administrator password need to adapt their configuration.

   • Move nubusProvisioning.nats.extraEnvVars['NATS_PASSWORD'].valueFrom.secretKeyRef.name to nubusProvisioning.nats.config.createUsers.adminUser.auth.existingSecret.name

   • Move nubusProvisioning.nats.extraEnvVars['NATS_PASSWORD'].valueFrom.secretKeyRef.key to nubusProvisioning.nats.config.createUsers.adminUser.auth.existingSecret.keyMapping.password

7. Operators who configure any imagePullPolicy need to rename the key to pullPolicy. You can use the global configuration through global.imagePullPolicy.

8. Operators who configure additionalAnnotations or additionalLabels need to move the configuration to the root of the respective component.

9. Operators who configure any image.imagePullSecrets need to move the imagePullSecrets to the root of the respective component. You can use the global configuration through global.imagePullSecrets.

10. Operators who configure an OIDC relying party client secret for the UMC Server in Keycloak Bootstrap need to adjust the following variables:

    • Move node nubusKeycloakBootstrap.oidc.rp.umcserver.* to nubusKeycloakBootstrap.oidc.relyingParty.umcServer.*.

11. If you are still using SAML authentication you need to re-enable the SAML endpoint of the UMC Server. Nubus for Kubernetes deactivates it by default for security reasons. To enable it, change the ingress paths of the UMC Server, as shown in the example in Listing 1.

    Listing 1 Re-enable UMC Server SAML endpoint

    nubusUmcServer:
      ingress:
        paths:
          - path: /(univention)/(auth|logout|saml|oidc|get|set|command|upload)(.*)$
            pathType: ImplementationSpecific
    

12. If you have configured your existing Nubus installation to use a federated upstream Identity Provider, you need to manually enable the Import Users option in the Keycloak Admin Console. Installations of Nubus for Kubernetes starting with version 1.15.0 enable this setting by default.

    This setting ensures proper support for back-channel logout when federating with an external identity provider and aligns your installation with the supported configuration.

    Warning

    Enabling this setting in existing installations, that use Nubus Keycloak for two-factor authentication, requires users to re-enroll their two-factor authentication.

    To enable the import users option, use the following steps:

    1. Sign in to the Keycloak Admin Console.

    2. Select Manage realms in the left sidebar.

    3. Select the realm nubus.

    4. Select User federation in the left sidebar.

    5. Select the ldap-provider entry.

    6. In the Synchronization settings, enable Import users.

    7. Click Save.

Changes

This section lists the changes in 1.15.0 grouped by component in Nubus for Kubernetes.

Keycloak

• Update Keycloak to version 26.4.2, which includes security fixes for CVE-2025-48924, CVE-2025-7962 and CVE-2025-11429.

• Bundled Keycloak allows configuring custom secrets and existing secrets:

  • Add keycloak.keycloak.auth.password

  • Add keycloak.postgresql.auth.password

• Bundled Keycloak allows configuring imagePullPolicy globally:

  • Add keycloak.global.imagePullPolicy

Keycloak Extensions

• Keycloak Extensions allow the configuration of custom secrets and existing secrets:

  • Add nubusKeycloakExtensions.keycloak.auth.password

  • Add nubusKeycloakExtensions.postgresql.auth.password

• Keycloak Extensions implement the standard Helm Chart configuration options:

  • Add nubusKeycloakExtensions.additionalAnnotations

  • Add nubusKeycloakExtensions.additionalLabels

  • Add nubusKeycloakExtensions.imagePullSecrets

Keycloak Bootstrap

• Keycloak Bootstrap allows configuring custom secrets and existing secrets:

  • Add nubusKeycloakBootstrap.keycloak.auth.password

  • Add nubusKeycloakBootstrap.ldap.auth.password

  • Add nubusKeycloakBootstrap.ldap.auth.existingSecret.name

  • Add nubusKeycloakBootstrap.ldap.auth.existingSecret.keyMapping.password

• Keycloak Bootstrap allows configuring imagePullPolicy globally:

  • Add nubusKeycloakBootstrap.global.imagePullPolicy

• Add nubusKeycloakBootstrap.bootstrap.userFederation.ldapImportUsers to enable the Import users option of the ldap-provider in the User federation in Keycloak. The default value is true. The setting only takes effect on the first deployment.

2FA Helpdesk

Add nubusTwofaHelpdesk.keycloak.auth.password to allow configuring the plain secret value directly.

Guardian

• The Guardian implements the standard Helm Chart configuration options:

  • Add nubusGuardian.additionalAnnotations

  • Add nubusGuardian.additionalLabels

  • Add nubusGuardian.imagePullSecrets

• You can specify the Guardian OAuth secret as a custom secret value through nubusGuardian.managementApi.oauth.auth.clientSecret.

• Add nubusGuardian.provisioning.keycloak.auth.password to allow configuring the plain secret value directly.

• Move nubusGuardian.provisioning.keycloak.auth.existingSecret.keyMapping.password to nubusGuardian.provisioning.keycloak.auth.existingSecret.keyMapping.adminPassword.

Portal Service

• Add automatic sign-out of portal sessions across all open tabs when Keycloak detects a sign-out. Nubus for Kubernetes activates automatic sign-out by default. For configuration options and performance considerations, see Automatic sign-out from the Portal.

• Improve performance when using the user enrichment endpoint.

• Improve accessibility for UMC folder dialogs.

Portal Consumer

• Move nubusPortalConsumer.resourcesWaitForDependency.* to nubusPortalConsumer.initResources.*.

UDM HTTP REST API

• Several performance improvements during user searches.

Self Service Consumer

• Move nubusSelfServiceConsumer.resourcesWaitForDependency.* to nubusSelfServiceConsumer.initResources.*.

Provisioning Service

• Improve secret configuration for the bundled NATS. The NATS user passwords follow the general secrets structure outlined in Listing 9.

• The bundled NATS respects the global image pull policy configured through global.imagePullPolicy.

• The natsBox debug container of the bundled NATS isn’t deployed by default. To explicitly activate the debug container, set nubusProvisioning.nats.natsBox.enabled to true.

Included errata updates

Update all components in Nubus for Kubernetes to use the UCS 5.2-3 base image and include bug fixes up to UCS 5.2 erratum 270. For UCS errata updates, see Security and bugfix errata for UCS 5.2. Reference date is 30. October 2025.

The errata updates contain fixes for the following CVEs:

libxslt

• CVE-2024-55549, CVE-2025-7424, CVE-2025-24855

• CVE-2023-40403

curl

• CVE-2024-9681

• CVE-2023-27534

• CVE-2024-11053, CVE-2025-0167

expat

• CVE-2023-52425, CVE-2024-8176

• CVE-2024-50602

glibc

• CVE-2025-8058

• CVE-2025-4802

• CVE-2025-0395

imagemagick

• CVE-2025-55154

• CVE-2025-55298, CVE-2025-57803

• CVE-2025-53101

• CVE-2025-57807

• CVE-2025-53019, CVE-2025-55212

• CVE-2025-53014

• CVE-2025-43965

krb5

• CVE-2025-24528

• CVE-2025-3576

• CVE-2024-26462

libarchive

• CVE-2025-5914

• CVE-2025-5915, CVE-2025-5916

• CVE-2025-5917

openjpeg

• CVE-2025-50952

openssl

• CVE-2025-9230

• CVE-2025-9232

• CVE-2024-13176

sqlite3

• CVE-2025-6965

openjdk-17

• CVE-2025-50059

• CVE-2025-30749

• CVE-2025-53066

• CVE-2025-21587

• CVE-2025-53057

• CVE-2025-30698

• CVE-2025-30691, CVE-2025-30754

• CVE-2025-5010

apache2

• CVE-2025-23048

• CVE-2025-49630

• CVE-2024-42516

• CVE-2024-43394

• CVE-2025-49812

• CVE-2025-54090