Version 1.5.x
This page shows the changelog for Nubus for Kubernetes 1.5.x:
Version 1.5.1 - 2024-12-11
This is the third production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.5.1, your deployment must run on version 1.5.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade.
Added
Add an explicit security context setting for the Portal Server Kubernetes pod, so that Kubernetes runs the pod in unprivileged mode with the privileged: false setting.
Add the following Helm Chart values that allow configuring resource limits on these containers.
See also
- Resource requests and limits of Pod and container in Kubernetes Documentation [3] for information about available resource limits and requests for the resource management for pods and containers in Kubernetes.
Version 1.5.0 - 2024-12-09
The highlight of this release is the support for running two LDAP Primary servers in mirror mode to meet high-availability requirements.
You need to migrate your existing Nubus for Kubernetes environment before you upgrade Nubus to 1.5.0 to make it mirror-ready and avoid data loss. For the steps, see Migrate existing LDAP Server to mirror mode readiness.
Upgrade path
For the upgrade to version 1.5.0, your deployment must run on version 1.4.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Added
Add support for the operation of two LDAP Primaries in mirror mode, satisfying needs of high-availability.
Nubus uses Kubernetes Leases to ensure that only one LDAP Primary is active at a time. It keeps the second LDAP Primary ready to take over. Each of the two LDAP Primary servers adds a leader elector sidecar container that competes for the leases after the servers are ready. If the active LDAP Primary fails to renew its lease, Kubernetes switches over to the other ready LDAP Primary and promotes it as the active node. To configure LDAP Primary high availability, Nubus adds the following Helm Chart value high availability configuration:
You need to migrate your existing Nubus for Kubernetes environment before you upgrade Nubus to 1.5.0 to make it mirror-ready and avoid data loss. For the steps, see Migrate existing LDAP Server to mirror mode readiness.
Important
High availability doesn’t replace a backup concept, because it synchronizes the data to the other LDAP Primary as quickly as possible. If data gets corrupted, for example through operating errors, only a backup allows restoring clean data.
See also
- LDAP Primary in Univention Nubus for Kubernetes - Operation Manual [1] for information about how to set up high availability for the LDAP Server.
Changed
Change the UDM Listener in the Provisioning Service to ensure it always connects to the first LDAP Primary, even in environments with two LDAP Primaries, to keep the listener’s state consistent with the LDAP transaction log. If the first LDAP Primary isn’t ready, the UDM Listener doesn’t notify the Provisioning Service of changes to user and group objects until Kubernetes restarts the first LDAP Primary.
See also
- Notify about changes to directory objects in Univention Nubus for Kubernetes - Architecture Manual [4] for information about the relation between the UDM Listener and the Identity Store and Directory Service.
Migrate existing LDAP Server to mirror mode readiness
Before you can upgrade to Nubus 1.5.0, you need to make your LDAP Servers ready for mirror mode by following these steps. Mind the optional step after the ConfigMap configuration to activate mirror mode.
Add the configuration ldap_database_initialized: initialized to indicate a successful LDAP Server setup. Run the command in Listing 8.

```console
$ kubectl \
    --namespace "${NAMESPACE_FOR_NUBUS}" \
    create configmap \
    "${RELEASE_NAME}-ldap-server-status" \
    --from-literal=ldap_database_initialized=initialized
configmap/nubus-ldap-server-status created
```
Add the label app.kubernetes.io/managed-by: ldap-server-evaluate-database-init to the LDAP server status. Run the command in Listing 9.

```console
$ kubectl \
    --namespace "${NAMESPACE_FOR_NUBUS}" \
    label configmap \
    "${RELEASE_NAME}-ldap-server-status" \
    app.kubernetes.io/managed-by=ldap-server-evaluate-database-init
configmap/nubus-ldap-server-status labeled
```
Note
The label is the reason why you can’t use Helm for the ConfigMap: the LDAP Server manages the ConfigMap itself. Helm mustn’t change the ConfigMap, so that it keeps its state across upgrades.
Applying these steps makes your Nubus deployment ready for mirror mode. If you then want to activate mirror mode, follow the steps in LDAP Primary in Univention Nubus for Kubernetes - Operation Manual [1].
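A pre-upgrade check for the two migration steps above, as an added example that is not part of the Nubus documentation. It assumes kubectl access to the namespace and reuses the NAMESPACE_FOR_NUBUS and RELEASE_NAME variables from Listings 8 and 9; the function names and the --run switch are hypothetical.

```shell
#!/bin/sh
# Added example: verify that the status ConfigMap from Listings 8 and 9
# is in place before starting the upgrade to 1.5.0.

# Print one field of the status ConfigMap.
# Prints nothing if the ConfigMap or the field does not exist.
status_field() {
    kubectl --namespace "${NAMESPACE_FOR_NUBUS}" \
        get configmap "${RELEASE_NAME}-ldap-server-status" \
        -o "jsonpath=$1" 2>/dev/null
}

# Return 0 only when both the data key and the label have the expected values.
check_mirror_readiness() {
    rc=0
    init=$(status_field '{.data.ldap_database_initialized}') || true
    # Dots inside the label key must be escaped in kubectl JSONPath.
    owner=$(status_field '{.metadata.labels.app\.kubernetes\.io/managed-by}') || true

    if [ "$init" != "initialized" ]; then
        echo "FAIL: ldap_database_initialized is '${init}', expected 'initialized'" >&2
        rc=1
    fi
    # Any other value (for example one set by a Helm chart) fails the check,
    # because the LDAP Server must manage this ConfigMap itself.
    if [ "$owner" != "ldap-server-evaluate-database-init" ]; then
        echo "FAIL: managed-by label is '${owner}'" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: ${RELEASE_NAME}-ldap-server-status is ready for mirror mode"
    fi
    return "$rc"
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_mirror_readiness
fi
```

A non-zero exit status means at least one of the two steps is missing, so the upgrade should not start yet.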