Version 1.5.x

This page shows the changelog for Nubus for Kubernetes 1.5.x:

Version 1.5.1 - 2024-12-11

This is the third production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.5.1, your deployment must run on version 1.5.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade.

Added

Version 1.5.0 - 2024-12-09

The highlight of this release is the support for running two LDAP Primary servers in mirror mode to meet high-availability requirements. Before you upgrade Nubus to 1.5.0, you need to migrate your existing Nubus for Kubernetes environment to make its LDAP Servers mirror-ready and avoid data loss. For the steps, see Migrate existing LDAP Server to mirror mode readiness.

Upgrade path

For the upgrade to version 1.5.0, your deployment must run on version 1.4.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Added

Add support for operating two LDAP Primaries in mirror mode to meet high-availability requirements.

Nubus uses Kubernetes Leases to ensure that only one LDAP Primary is active at a time. It keeps the second LDAP Primary ready to take over. Each of the two LDAP Primary servers adds a leader elector sidecar container, and these sidecars compete for the leases after the servers are ready. If the active LDAP Primary fails to renew its lease, Kubernetes switches over to the other ready LDAP Primary and promotes it as the active node. To configure LDAP Primary high availability, Nubus adds the following Helm Chart value high availability configuration:

Before you upgrade Nubus to 1.5.0, you need to migrate your existing Nubus for Kubernetes environment to make its LDAP Servers mirror-ready and avoid data loss. For the steps, see Migrate existing LDAP Server to mirror mode readiness.

Important

High availability doesn’t replace a backup concept, because it synchronizes the data to the other LDAP Primary as quickly as possible. If data becomes corrupted, for example through operating errors, only a backup allows restoring clean data.

See also

LDAP Primary in Univention Nubus for Kubernetes - Operation Manual [1] for information about how to set up high availability for the LDAP Server.

Changed

Change the UDM Listener in the Provisioning Service to ensure it always connects to the first LDAP Primary, even in environments with two LDAP Primaries, to keep the listener’s state consistent with the LDAP transaction log. If the first LDAP Primary isn’t ready, the UDM Listener doesn’t notify the Provisioning Service of changes to user and group objects until Kubernetes restarts the first LDAP Primary.

See also

Notify about changes to directory objects in Univention Nubus for Kubernetes - Architecture Manual [4] for information about the relation between the UDM Listener and the Identity Store and Directory Service.

Migrate existing LDAP Server to mirror mode readiness

Before you can upgrade to Nubus 1.5.0, you need to make your LDAP Servers ready for mirror mode by following these steps. Mind the optional step after the ConfigMap configuration to activate mirror mode.

  1. Add the configuration ldap_database_initialized: initialized to indicate a successful LDAP Server setup.

    Run the command in Listing 8.

    Listing 8 Add data to ConfigMap to indicate successful LDAP Server setup
    $ kubectl \
       --namespace "${NAMESPACE_FOR_NUBUS}" \
       create configmap \
       "${RELEASE_NAME}-ldap-server-status" \
       --from-literal=ldap_database_initialized=initialized
    configmap/nubus-ldap-server-status created
    
  2. Add the label app.kubernetes.io/managed-by: ldap-server-evaluate-database-init to the LDAP server status.

    Run the command in Listing 9.

    Listing 9 Add label to LDAP Server ConfigMap
    $ kubectl \
       --namespace "${NAMESPACE_FOR_NUBUS}" \
       label configmap \
       "${RELEASE_NAME}-ldap-server-status" \
       app.kubernetes.io/managed-by=ldap-server-evaluate-database-init
    configmap/nubus-ldap-server-status labeled
    

    Note

    The label is the reason why you can’t use Helm for the ConfigMap: the LDAP Server manages the ConfigMap itself. Helm mustn’t change the ConfigMap, so that it keeps its state across upgrades.

Applying these steps makes your Nubus deployment ready for mirror mode. If you then want to activate mirror mode, follow the steps in LDAP Primary in Univention Nubus for Kubernetes - Operation Manual [1].
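
To confirm that both steps took effect before you start the upgrade, the following added example reads the ConfigMap back with kubectl. It isn't part of the Nubus documentation or tooling. The function name check_mirror_ready is hypothetical; the ConfigMap name, data key, and label are the ones from Listing 8 and Listing 9.

```shell
#!/bin/sh
# Added example: verify both migration steps before upgrading to 1.5.0.
# check_mirror_ready is a hypothetical helper name, not a Nubus tool.

# Usage: check_mirror_ready <namespace> <release-name>
# Returns 0 if ready, 1 if the key or label is wrong, 2 if the ConfigMap
# can't be read at all.
check_mirror_ready() {
    cmr_ns="$1"
    cmr_cm="$2-ldap-server-status"
    cmr_rc=0

    # Step 1: the data key written by Listing 8.
    cmr_state=$(kubectl --namespace "$cmr_ns" get configmap "$cmr_cm" \
        -o jsonpath='{.data.ldap_database_initialized}' 2>/dev/null) || {
        echo "FAIL: cannot read ConfigMap $cmr_cm in namespace $cmr_ns" >&2
        return 2
    }
    if [ "$cmr_state" != "initialized" ]; then
        echo "FAIL: ldap_database_initialized='$cmr_state'" >&2
        cmr_rc=1
    fi

    # Step 2: the label written by Listing 9. Dots inside the label key
    # are escaped for kubectl's JSONPath parser.
    cmr_label=$(kubectl --namespace "$cmr_ns" get configmap "$cmr_cm" \
        -o jsonpath='{.metadata.labels.app\.kubernetes\.io/managed-by}' \
        2>/dev/null) || cmr_label=""
    if [ "$cmr_label" != "ldap-server-evaluate-database-init" ]; then
        echo "FAIL: app.kubernetes.io/managed-by='$cmr_label'" >&2
        cmr_rc=1
    fi

    if [ "$cmr_rc" -eq 0 ]; then
        echo "OK: $cmr_cm is ready for mirror mode"
    fi
    return "$cmr_rc"
}

# Run directly: sh check.sh "${NAMESPACE_FOR_NUBUS}" "${RELEASE_NAME}"
if [ "$#" -eq 2 ]; then
    check_mirror_ready "$1" "$2"
fi
```

A non-zero exit code means the deployment isn't ready for the upgrade to 1.5.0, so the check can gate an upgrade pipeline.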