Version 1.8.x
This page shows the changelog for Nubus for Kubernetes 1.8.x.
Version 1.8.0 - 2025-04-07
This is the sixth production release of Nubus for Kubernetes.
Upgrade path
For the upgrade to version 1.8.0, your deployment must run on version 1.7.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].
Migration steps
This section outlines the steps that apply to existing Nubus for Kubernetes installations. You need to run them before the upgrade.
- If you have services that use the UDM HTTP REST API outside the Kubernetes cluster, you need to explicitly enable the access through the ingress, because the ingress for the UDM HTTP REST API is disabled by default starting with version 1.8.0.
  To keep the behavior that services outside the Kubernetes cluster can reach UDM HTTP REST API, you need to set nubusUdmRestApi.ingress.enabled to true in your values file.
- If you configured the container securityContext for the Portal Consumer, you need to rename the Helm Chart values from nubusPortalConsumer.securityContext.* to nubusPortalConsumer.containerSecurityContext.*. In addition, you may also configure the pod securityContext through nubusPortalConsumer.podSecurityContext.*. For more information, see the change for the Portal Consumer.
- If you configured credentials for the ldap-server using existing Kubernetes secret objects, you need to rename the following Helm Chart values sections:
  - nubusLdapServer.ldapServer.credentialSecret.* section to nubusLdapServer.ldapServer.auth.existingSecret.* section
  - nubusLdapServer.ldifProducer.nats.auth.credentialSecretName to nubusLdapServer.ldifProducer.nats.auth.existingSecret
  For more information, see the change for the Directory Service.
- If you configured credentials for the Portal Service using existing Kubernetes secrets, you need to rename the following Helm Chart values sections:
  - nubusPortalServer.portalServer.objectStorageCredentialSecret.* section to nubusPortalServer.objectStorage.auth.existingSecret.* section
  - nubusPortalServer.portalServer.centralNavigation.authenticatorSecretName to nubusPortalServer.portalServer.centralNavigation.existingSecret.name
  Note
  The secret needs to contain a key called password. If your secret contains a different key, you need to pass the name of the key to nubusPortalServer.portalServer.centralNavigation.existingSecret.keyMapping.password.
- If you have configured credentials for the Portal Service connection to the object storage and have set explicit credential values, you need to rename the following sections of Helm Chart values:
  - nubusPortalServer.objectStorage.auth.accessKey to nubusPortalServer.objectStorage.auth.accessKeyId
  - nubusPortalServer.objectStorage.auth.secretKey to nubusPortalServer.objectStorage.auth.secretAccessKey
  For more information, see the change for the Portal Service.
Added
- Add the plugin type umc-i18n to enable translation for UMC modules in packaged integrations.
- Add the following additional elements to the Portal Service:
  - Corner Links
    Configures a list of portal entries that the Portal Service shows in the lower right corner of the portal.
  - Quick Links
    Configures a list of portal entries that the Portal Service shows in the Quick Menu. Quick links are a set of tiles that appear above the regular application tiles in the portal. Use the links to present deep-links to commonly used functions directly in the portal, for example Create a document or Create a spreadsheet.
- Add dynamic greeting to the Portal Service.
  Warning
  The dynamic greeting in the Portal Service is an experimental feature. You use it at your own risk.
  To activate the feature anyway, set nubusPortalServer.portalServer.featureToggles.welcome_message to true.
Changed
- Change and improve the error handling in the ad-hoc provisioning plugin for Keycloak.
- Change the default setting for reaching the UDM HTTP REST API to false, because of security concerns. UDM HTTP REST API is now only reachable when explicitly activated. The default value for the Helm Chart value nubusUdmRestApi.ingress.enabled changed from true to false. For more information, see UDM HTTP REST API in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].
- Change the NATS container image version from 2.10.10 to 2.10.26 to integrate upstream bug fixes. The upstream bug fixes in NATS avoid potential consumer sequence identifier corruptions in queues.
- Change the LDAP notifier to run on the same Kubernetes node, where the LDAP Primary pod primary-0 runs, so that Kubernetes always schedules it on the same pod, even if there are two LDAP Primary pods running in the cluster.
- Change the Directory Service to configure existing secrets and password configuration using the values schema under existingSecret to be in line with the other components.
  Add the following Helm Chart values:
  - nubusLdapServer.ldapServer.auth.*
  - nubusLdapServer.ldapServer.tls.*
  - nubusLdapServer.ldifProducer.nats.auth.*
  - nubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.NATS_USERNAME
  Change and replace the following Helm Chart values:
  - nubusLdapServer.ldifProducer.nats.auth.credentialSecretName to nubusLdapServer.ldifProducer.nats.auth.existingSecret.keyMapping.NATS_PASSWORD.
  - nubus.LdapServer.ldapServer.credentialSecret to nubusLdapServer.ldapServer.auth.existingSecret.name
- Change and rename the following Helm Chart values for the Portal Consumer. The reason is a fix for the implementation of the securityContext in the Portal Consumer pod. The Helm Chart template didn’t render the securityContext correctly.
  - nubusPortalConsumer.securityContext.allowPrivilegeEscalation to nubusPortalConsumer.containerSecurityContext.allowPrivilegeEscalation
  - nubusPortalConsumer.securityContext.capabilities.drop to nubusPortalConsumer.containerSecurityContext.capabilities.drop
  - nubusPortalConsumer.securityContext.enabled to nubusPortalConsumer.containerSecurityContext.enabled
  - nubusPortalConsumer.securityContext.privileged to nubusPortalConsumer.containerSecurityContext.privileged
  - nubusPortalConsumer.securityContext.seccompProfile.type to nubusPortalConsumer.containerSecurityContext.seccompProfile.type
  - nubusPortalConsumer.securityContext.readOnlyRootFilesystem to nubusPortalConsumer.containerSecurityContextNonRoot.readOnlyRootFilesystem
  - nubusPortalConsumer.securityContext.runAsGroup to nubusPortalConsumer.containerSecurityContextNonRoot.runAsGroup
  - nubusPortalConsumer.securityContext.runAsNonRoot to nubusPortalConsumer.containerSecurityContextNonRoot.runAsNonRoot
  - nubusPortalConsumer.securityContext.runAsUser to nubusPortalConsumer.containerSecurityContextNonRoot.runAsUser
- Change the Portal Service to use the default schema with existingSecret for the central navigation and the object storage configuration. This changes how you pass existing secrets and plain credentials to the Portal Server in the Helm Chart.
  Add the following Helm Chart values for the Central Navigation in the Portal Service:
  - nubusPortalServer.portalServer.centralNavigation.sharedSecret
  - nubusPortalServer.portalServer.centralNavigation.existingSecret.keyMapping.password
  Rename the following Helm Chart values:
  - Object storage: Unify the configuration of the secrets with auth under nubusPortalServer.objectStorage that already contains the configuration for the endpoint and the bucket.
    - nubusPortalServer.portalServer.objectStorageCredentialSecret.name to nubusPortalServer.objectStorage.auth.existingSecret.name
    - nubusPortalServer.portalServer.objectStorageCredentialSecret.accessKeyKey to nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.accessKey
    - nubusPortalServer.portalServer.objectStorageCredentialSecret.secretKeyKey to nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.secretKey
    - Consolidate nubusPortalServer.portalServer.objectStorageAccessKeyId and nubusPortalServer.objectStorage.auth.accessKey to nubusPortalServer.objectStorage.auth.accessKeyId
    - Consolidate nubusPortalServer.portalServer.objectStorageSecretAccessKey and nubusPortalServer.objectStorage.auth.secretKey to nubusPortalServer.objectStorage.auth.secretAccessKey
  - Central Navigation
    - nubusPortalServer.portalServer.centralNavigation.authenticatorSecretName to nubusPortalServer.portalServer.centralNavigation.existingSecret.name
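The Portal Service renames from the Changed list and the migration steps, applied to a values file that is already loaded into nested dictionaries. This is an added example, not part of the Nubus documentation or Helm Chart; the function names and the sample values are constructed for illustration. It reports an unset nubusUdmRestApi.ingress.enabled instead of setting it, so that exposing the UDM HTTP REST API stays an explicit decision.

```python
# Added example; value paths come from this changelog, names and SAMPLE are constructed.
P = "nubusPortalServer."
RENAMES = {  # old value path -> new value path (Portal Service only)
    P + "portalServer.objectStorageCredentialSecret.name": P + "objectStorage.auth.existingSecret.name",
    P + "portalServer.objectStorageCredentialSecret.accessKeyKey": P + "objectStorage.auth.existingSecret.keyMapping.accessKey",
    P + "portalServer.objectStorageCredentialSecret.secretKeyKey": P + "objectStorage.auth.existingSecret.keyMapping.secretKey",
    P + "portalServer.centralNavigation.authenticatorSecretName": P + "portalServer.centralNavigation.existingSecret.name",
    P + "objectStorage.auth.accessKey": P + "objectStorage.auth.accessKeyId",
    P + "objectStorage.auth.secretKey": P + "objectStorage.auth.secretAccessKey",
    P + "portalServer.objectStorageAccessKeyId": P + "objectStorage.auth.accessKeyId",
    P + "portalServer.objectStorageSecretAccessKey": P + "objectStorage.auth.secretAccessKey",
}
INGRESS = "nubusUdmRestApi.ingress.enabled"

def flatten(tree, path=()):
    """Yield (path tuple, leaf) pairs; tuples keep keys that contain dots intact."""
    for key, value in tree.items():
        if isinstance(value, dict) and value:
            yield from flatten(value, path + (key,))
        else:
            yield path + (key,), value

def migrate(values):
    """Return (migrated values, findings). Findings name paths, never secret values."""
    flat, findings = dict(flatten(values)), []
    for old_path, new_path in RENAMES.items():
        old, new = tuple(old_path.split(".")), tuple(new_path.split("."))
        if old not in flat:
            continue
        if new in flat and flat[new] != flat[old]:
            findings.append(f"conflict: {old_path} and {new_path} differ, resolve manually")
            continue
        flat[new] = flat.pop(old)
        findings.append(f"renamed: {old_path} -> {new_path}")
    if tuple(INGRESS.split(".")) not in flat:
        findings.append(f"check: {INGRESS} is unset and defaults to false in 1.8.0")
    out = {}
    for path, value in flat.items():  # rebuild the nested mapping
        node = out
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = value
    return out, findings

SAMPLE = {"nubusPortalServer": {"portalServer": {  # constructed 1.7.0-style values
    "objectStorageCredentialSecret": {"name": "portal-s3", "accessKeyKey": "user", "secretKeyKey": "pass"},
    "centralNavigation": {"authenticatorSecretName": "central-nav"}}}}
if __name__ == "__main__":
    print("\n".join(migrate(SAMPLE)[1]))
```

When an old and a new value path are both set with different values, the old path is left in place and reported as a conflict, so no credential setting is dropped silently.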
Fixed
- Fix the behavior of the configuration option extraEnvVars in the sub-chart of the portal-server. It works as intended.
- Fix a template error in the Identity Provider for the Keycloak pod that caused the Keycloak bootstrap pod to start in the default namespace. The pod now starts in the namespace that the operator defined when installing the Helm Chart, and where Kubernetes starts all other pods of Nubus for Kubernetes, as well.
- Fix the path to the container image for Keycloak. It now matches the defined path nubus/images/keycloak and is consistent with the other image paths.
- Fix the implementation of resources in the Helm Chart for the Directory Service. The Helm Chart template didn’t render the resources correctly.
- Fix the behavior of portal folders when removing a portal. When a functional administrator removes a portal the Portal Service also removes their portal folders from the link lists.
Removed
- Remove the groups DC Backup Hosts and DC Slave Hosts from the default authorization groups in the UDM HTTP REST API. They come from the UCS appliance deployment and aren’t relevant in Nubus for Kubernetes. For more information about authorization groups in UDM HTTP REST API, see Authorization groups in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].
- Remove the following Helm Chart values from the Portal Consumer:
  - nubusPortalConsumer.securityContext.fsGroup
  - nubusPortalConsumer.mountSecrets
- Remove the nubusPortalServer.portalServer.credentialSecret Helm Chart value from the Portal Server.