Version 1.9.x

This page shows the changelog for Nubus for Kubernetes 1.9.x:

• Version 1.9.2 - 2025-05-14

• Version 1.9.1 - 2025-05-07

• Version 1.9.0 - 2025-05-04

Important

Bundled dependencies using Bitnami images (PostgreSQL, MinIO, Memcached) require configuration changes, because Bitnami migrated their repositories from docker.io/bitnami to docker.io/bitnamilegacy. Deployments that use external dependencies aren’t affected. For more information, see Bitnami GitHub issue #35164.

If you deploy these dependencies with Nubus, override the image repositories in your custom_values.yaml as shown in the following listing.

Listing 7 Adjust image repositories for bundled dependencies

postgresql:
  image:
    repository: bitnamilegacy/postgresql
  provisioning:
    image:
      repository: bitnamilegacy/postgresql
minio:
  image:
    repository: bitnamilegacy/minio
nubusUmcServer:
  memcached:
    image:
      repository: bitnamilegacy/memcached

Version 1.9.2 - 2025-05-14

This is the tenth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.9.2, your deployment must run on version 1.8.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration-steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

Follow and apply the migration steps outlined in v1.9.1 - Migration steps and in v1.9.0 - Migration steps.

Changes

• Fix an issue for handling existing custom secrets from nubusPortalConsumer.objectStorage.auth.accessKeyId and nubusPortalConsumer.objectStorage.auth.secretAccessKey in the Portal Consumer. Affected installation specified those secrets in the custom values. Because of wrong keys, Nubus generated secrets itself instead of using the existing secret values.

• Fix icons in the Portal displaying icons of Management UI with question mark (?) instead of the icon. The UMC Gateway has the icons for UMC in the correct location.

Version 1.9.1 - 2025-05-07

This is the ninth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.9.1, your deployment must run on version 1.8.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

1. If you defined custom values for security contexts nubusGuardian.*.securityContext.enabled in the Guardian apply the renames listed in the v1.9.1 - Changes.

2. Follow and apply the migration steps outlined in v1.9.0 - Migration steps.

Changes

• In the UMC Server of the Management UI, remove the Helm Chart value nubusUmcServer.containerSecurityContextSssd.supplementalGroups.

• Fix warnings in the Portal Consumer and the UMC Server in the Management UI related to the generated Kubernetes manifests.

• The Guardian Helm Chart contained unexpected keys, because of mistaking the container security context for the pod security context.

  • Add the following Helm Chart variables:

    nubusGuardian.managementUi.*:

    • nubusGuardian.managementUi.podSecurityContext.fsGroup

    • nubusGuardian.managementUi.podSecurityContext.runAsGroup

    • nubusGuardian.managementUi.podSecurityContext.runAsUser

    nubusGuardian.openPolicyAgent.*:

    • nubusGuardian.openPolicyAgent.containerSecurityContext.enabled

    • nubusGuardian.openPolicyAgent.podSecurityContext.enabled

  • Rename the following Helm Chart variables:

    nubusGuardian.authorizationApi.*:

    • nubusGuardian.authorizationApi.securityContext.allowPrivilegeEscalation to nubusGuardian.authorizationApi.containerSecurityContext.allowPrivilegeEscalation.

    • nubusGuardian.authorizationApi.securityContext.capabilities.drop to nubusGuardian.authorizationApi.containerSecurityContext.capabilities.drop.

    • nubusGuardian.authorizationApi.securityContext.enabled to nubusGuardian.authorizationApi.containerSecurityContext.enabled.

    • nubusGuardian.authorizationApi.securityContext.privileged to nubusGuardian.authorizationApi.containerSecurityContext.privileged.

    • nubusGuardian.authorizationApi.securityContext.readOnlyRootFilesystem to nubusGuardian.authorizationApi.containerSecurityContext.readOnlyRootFilesystem.

    • nubusGuardian.authorizationApi.securityContext.runAsGroup to nubusGuardian.authorizationApi.containerSecurityContext.runAsGroup.

    • nubusGuardian.authorizationApi.securityContext.runAsNonRoot to nubusGuardian.authorizationApi.containerSecurityContext.runAsNonRoot.

    • nubusGuardian.authorizationApi.securityContext.runAsUser to nubusGuardian.authorizationApi.containerSecurityContext.runAsUser.

    • nubusGuardian.authorizationApi.securityContext.seccompProfile.type to nubusGuardian.authorizationApi.containerSecurityContext.seccompProfile.type.

    nubusGuardian.managementApi.*:

    • nubusGuardian.managementApi.securityContext.allowPrivilegeEscalation to nubusGuardian.managementApi.containerSecurityContext.allowPrivilegeEscalation.

    • nubusGuardian.managementApi.securityContext.capabilities.drop to nubusGuardian.managementApi.containerSecurityContext.capabilities.drop.

    • nubusGuardian.managementApi.securityContext.enabled to nubusGuardian.managementApi.containerSecurityContext.enabled.

    • nubusGuardian.managementApi.securityContext.privileged to nubusGuardian.managementApi.containerSecurityContext.privileged.

    • nubusGuardian.managementApi.securityContext.readOnlyRootFilesystem to nubusGuardian.managementApi.containerSecurityContext.readOnlyRootFilesystem.

    • nubusGuardian.managementApi.securityContext.runAsGroup to nubusGuardian.managementApi.containerSecurityContext.runAsGroup.

    • nubusGuardian.managementApi.securityContext.runAsNonRoot to nubusGuardian.managementApi.containerSecurityContext.runAsNonRoot.

    • nubusGuardian.managementApi.securityContext.runAsUser to nubusGuardian.managementApi.containerSecurityContext.runAsUser.

    • nubusGuardian.managementApi.securityContext.seccompProfile.type to nubusGuardian.managementApi.containerSecurityContext.seccompProfile.type.

    nubusGuardian.managementUi.*:

    • nubusGuardian.managementUi.securityContext.allowPrivilegeEscalation to nubusGuardian.managementUi.containerSecurityContext.allowPrivilegeEscalation.

    • nubusGuardian.managementUi.securityContext.capabilities.drop to nubusGuardian.managementUi.containerSecurityContext.capabilities.drop.

    • nubusGuardian.managementUi.securityContext.privileged to nubusGuardian.managementUi.containerSecurityContext.privileged.

    • nubusGuardian.managementUi.securityContext.readOnlyRootFilesystem to nubusGuardian.managementUi.containerSecurityContext.readOnlyRootFilesystem.

    • nubusGuardian.managementUi.securityContext.runAsGroup to nubusGuardian.managementUi.containerSecurityContext.runAsGroup.

    • nubusGuardian.managementUi.securityContext.runAsNonRoot to nubusGuardian.managementUi.containerSecurityContext.runAsNonRoot.

    • nubusGuardian.managementUi.securityContext.runAsUser to nubusGuardian.managementUi.containerSecurityContext.runAsUser.

    • nubusGuardian.managementUi.securityContext.seccompProfile.type to nubusGuardian.managementUi.containerSecurityContext.seccompProfile.type.

    • nubusGuardian.managementUi.podSecurityContext to nubusGuardian.managementUi.containerSecurityContext.enabled.

    nubusGuardian.openPolicyAgent.*:

    • nubusGuardian.openPolicyAgent.securityContext.allowPrivilegeEscalation to nubusGuardian.openPolicyAgent.containerSecurityContext.allowPrivilegeEscalation.

    • nubusGuardian.openPolicyAgent.securityContext.capabilities.drop to nubusGuardian.openPolicyAgent.containerSecurityContext.capabilities.drop.

    • nubusGuardian.openPolicyAgent.securityContext.privileged to nubusGuardian.openPolicyAgent.containerSecurityContext.privileged.

    • nubusGuardian.openPolicyAgent.securityContext.readOnlyRootFilesystem to nubusGuardian.openPolicyAgent.containerSecurityContext.readOnlyRootFilesystem.

    • nubusGuardian.openPolicyAgent.securityContext.runAsGroup to nubusGuardian.openPolicyAgent.containerSecurityContext.runAsGroup.

    • nubusGuardian.openPolicyAgent.securityContext.runAsNonRoot to nubusGuardian.openPolicyAgent.containerSecurityContext.runAsNonRoot.

    • nubusGuardian.openPolicyAgent.securityContext.runAsUser to nubusGuardian.openPolicyAgent.containerSecurityContext.runAsUser.

    • nubusGuardian.openPolicyAgent.securityContext.seccompProfile.type to nubusGuardian.openPolicyAgent.containerSecurityContext.seccompProfile.type.

    nubusGuardian.provisioning.*:

    • nubusGuardian.provisioning.securityContext.allowPrivilegeEscalation to nubusGuardian.provisioning.containerSecurityContext.allowPrivilegeEscalation.

    • nubusGuardian.provisioning.securityContext.enabled to nubusGuardian.provisioning.containerSecurityContext.enabled.

    • nubusGuardian.provisioning.securityContext.privileged to nubusGuardian.provisioning.containerSecurityContext.privileged.

    • nubusGuardian.provisioning.securityContext.readOnlyRootFilesystem to nubusGuardian.provisioning.containerSecurityContext.readOnlyRootFilesystem.

    • nubusGuardian.provisioning.securityContext.runAsGroup to nubusGuardian.provisioning.containerSecurityContext.runAsGroup.

    • nubusGuardian.provisioning.securityContext.runAsNonRoot to nubusGuardian.provisioning.containerSecurityContext.runAsNonRoot.

    • nubusGuardian.provisioning.securityContext.runAsUser to nubusGuardian.provisioning.containerSecurityContext.runAsUser.

    • nubusGuardian.provisioning.securityContext.seccompProfile.type to nubusGuardian.provisioning.containerSecurityContext.seccompProfile.type.

Version 1.9.0 - 2025-05-04

This is the eighth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.9.0, your deployment must run on version 1.8.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Release highlights

Nubus for Kubernetes 1.9.0 provides the following highlights:

1. Preview feature: News feed integration into the Portal Service supporting the Rich Site Summary (RSS) and Atom specification.

2. In the Management UI, the UMC Server container and its sidecar container with SSSD run as non-root.

3. Update Keycloak in the Identity Provider from version 25 to version 26.

Important

With version 1.9.0, Nubus for Kubernetes enforces licenses. If operators already had a license installed, Nubus didn’t enforce the license before. For information about how to add a license to Nubus for Kubernetes, see Nubus license.

To validate if a license is already present, run the command in Listing 8.

Listing 8 Command to validate for a license present in Nubus

$ export NAMESPACE_FOR_NUBUS="Set to your Kubernetes namespace"
$ kubectl exec \
    --namespace "$NAMESPACE_FOR_NUBUS" \
    -it \
    nubus-ldap-server-primary-0 \
    -- bash -c "slapcat | sed -nr '/dn:.*?,cn=license/,/^\s*$/p'"

The result looks similar to the output in Listing 9. In case for a paid-support license, the field univentionLicenseUsers has an integer number. Nubus now enforces the given univentionLicenseUsers in the Management UI.

Listing 9 Example output for a license in a un-paid and no support scenario

...
univentionLicenseBaseDN: UCS Core Edition
...
univentionLicenseUsers: unlimited
...

Migration steps

This section lists necessary migration steps that may apply to you. You need to run them before the upgrade.

1. You need to provide PostgreSQL at least in version 15 or later, because of Keycloak 26.

2. Operators that use their own secrets in the Portal Consumer, need to adjust to the existingSecret settings. For more information, see the documented Helm Chart variable renames in the Portal Consumer section.

3. Operators that use their own secrets for the Guardian, need to adjust to the existingSecret settings. For more information, see the documented Helm Chart variable renames in the Guardian Helm chart section.

4. Adjust your branding for the favicon. Nubus supports additional favicons with higher resolution to support, for example, browser preferences and shortcuts on home screens in Android and iOS mobile devices.

   Besides nubusPortalFrontend.portalFrontend.branding.favicon, add the Helm Chart values as outlined the changes for the Portal Frontend.

Changes

• The UMC Server container and the sidecar container to UMC Server with SSSD run as a non-root user.

  Add the Helm Chart value nubusUmcServer.sssd.debugLevel.

• Packaged integrations continue to work, when Kubernetes restarts pods. Before, packaged integrations only worked when Kubernetes (re)created the pods.

• Add license support to Nubus for Kubernetes.

  An explicit Helm Chart enables operators to add a license for Nubus. Furthermore, Nubus for Kubernetes enforces license restrictions.

  The change adds the following Helm Chart values:

  • nubusLicenseImport.enabled

  • nubusLicenseImport.ldap.auth.existingSecret.keyMapping.password

  • nubusLicenseImport.ldap.auth.existingSecret.name

  • nubusLicenseImport.ldap.auth.password

  • nubusLicenseImport.ldap.auth.username

  • nubusLicenseImport.ldap.baseDn

  • nubusLicenseImport.ldap.connection.host

  • nubusLicenseImport.license

  • nubusLicenseImport.nameOverride

  • nubusLicenseImport.podSecurityContext.enabled

  • nubusLicenseImport.podSecurityContext.fsGroup

  • nubusLicenseImport.waitForDependency.extraEnvVars

  • nubusLicenseImport.waitForDependency.extraVolumeMounts

  • nubusLicenseImport.waitForDependency.extraVolumes

  • nubusLicenseImport.waitForDependency.image.imagePullPolicy

  • nubusLicenseImport.waitForDependency.image.registry

  • nubusLicenseImport.waitForDependency.image.repository

  • nubusLicenseImport.waitForDependency.image.tag

• Add Helm Chart values to configure error messages and their translations for Keycloak.

  • German:

    • keycloak.keycloak.login.messages.de.accountDisabled

    • keycloak.keycloak.login.messages.de.accountExpired

    • keycloak.keycloak.login.messages.de.accountLocked

    • keycloak.keycloak.login.messages.de.loginTitleHtml

    • keycloak.keycloak.login.messages.de.loginTitle

    • keycloak.keycloak.login.messages.de.tryAgain

    • keycloak.keycloak.login.messages.de.updatePasswordTitle

  • English:

    • keycloak.keycloak.login.messages.en.accountDisabled

    • keycloak.keycloak.login.messages.en.accountExpired

    • keycloak.keycloak.login.messages.en.accountLocked

    • keycloak.keycloak.login.messages.en.loginTitleHtml

    • keycloak.keycloak.login.messages.en.loginTitle

    • keycloak.keycloak.login.messages.en.tryAgain

    • keycloak.keycloak.login.messages.en.updatePasswordTitle

• Introduce semantic versioning for the Univention Keycloak container image. The container image version numbering deliberately restarts at 0.0.1, to avoid confusion with the version of Keycloak inside the container, as the image contains more artifacts than just Keycloak.

• Update all components in Nubus for Kubernetes to use the UCS 5.2-1 base image and include bug fixes up to the errata update UCS 5.2 erratum 73. For UCS errata updates, see Security and bugfix errata for UCS 5.2. Reference date is 24. April 2025.

• Replace references to the Helm Chart registry docker.io with charts.bitnami.com for bundled dependencies to avoid rate limits and because Helm doesn’t have a pull proxy option for Helm Charts.

• Add support to customize the LDAP indexes in the Directory Service during upgrades. The Directory Service identifies the changed indexes at startup time and automatically runs slapindex for all required attributes.

  The index customization increases the startup time of the Directory Service for once, at the next start. As a rough estimation, the index creation takes about 2 minutes per attribute per 100,000 users.

  Add the univentionObjectIdentifier LDAP attribute to the default index in the UCR configuration through the global.configUcr.ldap.index.eq and global.configUcr.ldap.index.pres Helm Chart values.

  Add the following Helm Chart values:

  • global.configUcr.ldap.index.approx

  • global.configUcr.ldap.index.eq

  • global.configUcr.ldap.index.pres

  • global.configUcr.ldap.index.sub

  • nubusLdapServer.ldapServer.config.pythonLogLevel

• Add the following Helm Chart values related to security:

  • nubusUmcServer.containerSecurityContextSssd.supplementalGroups

  • nubusUmcServer.global.security.allowInsecureImages

Portal Consumer

Refactor the Portal Consumer Helm Chart to follow the strategy for using Kubernetes secrets in Nubus for Kubernetes. The Portal Consumer allows using existingSecret Helm Chart values for the following items:

• LDAP authentication credentials

• S3-compatible object storage authentication credentials

• Provisioning API authentication credentials

Add the following Helm Chart values:

• nubusPortalConsumer.ldap.auth.existingSecret.name

• nubusPortalConsumer.ldap.auth.existingSecret.keyMapping.password

• nubusPortalConsumer.objectStorage.auth.accessKeyId

• nubusPortalConsumer.objectStorage.auth.secretAccessKey

• nubusPortalConsumer.objectStorage.auth.existingSecret.name

• nubusPortalConsumer.provisioningApi.connection.baseUrl

• nubusPortalConsumer.provisioningApi.auth.password

• nubusPortalConsumer.provisioningApi.auth.username

• nubusPortalConsumer.provisioningApi.auth.existingSecret.keyMapping.password

• nubusPortalConsumer.provisioningApi.auth.existingSecret.name

Rename the following Helm Chart values:

• nubusPortalConsumer.objectStorage.auth.accessKey to nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.accessKey.

• nubusPortalConsumer.objectStorage.auth.secretKey to nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.secretKey.

• nubusPortalConsumer.containerSecurityContextNonRoot.readOnlyRootFilesystem to nubusPortalConsumer.containerSecurityContext.readOnlyRootFilesystem.

• nubusPortalConsumer.containerSecurityContextNonRoot.runAsGroup to nubusPortalConsumer.containerSecurityContext.runAsGroup.

• nubusPortalConsumer.containerSecurityContextNonRoot.runAsNonRoot to nubusPortalConsumer.containerSecurityContext.runAsNonRoot.

• nubusPortalConsumer.containerSecurityContextNonRoot.runAsUser to nubusPortalConsumer.containerSecurityContext.runAsUser.

• nubusPortalConsumer.provisioningApi.auth.credentialSecret.name to nubusPortalConsumer.provisioningApi.auth.existingSecret.name.

• nubusPortalConsumer.provisioningApi.auth.credentialSecret.key to nubusPortalConsumer.provisioningApi.auth.existingSecret.keyMapping.password.

Remove the following Helm Chart values:

• nubusPortalConsumer.objectStorage.bucketName

• nubusPortalConsumer.portalConsumer.objectStorageAccessKeyId

• nubusPortalConsumer.portalConsumer.objectStorageCredentialSecret.accessKeyKey

• nubusPortalConsumer.portalConsumer.objectStorageCredentialSecret.name

• nubusPortalConsumer.portalConsumer.objectStorageCredentialSecret.secretKeyKey

• nubusPortalConsumer.portalConsumer.objectStorageSecretAccessKey

• nubusPortalConsumer.provisioningApi.auth.existingSecret.name

Guardian Helm chart

Refactor the Guardian Helm Chart to follow the strategy for using Kubernetes secrets in Nubus for Kubernetes. Fix issues with the security context in the Guardian Helm Chart.

Add the following Helm Chart values:

• nubusGuardian.authorizationApi.*:

  • nubusGuardian.authorizationApi.podSecurityContext.enabled

  • nubusGuardian.authorizationApi.udm.auth.username

  • nubusGuardian.authorizationApi.udm.auth.existingSecret.name

  • nubusGuardian.authorizationApi.udm.auth.existingSecret.keyMapping.password

  • nubusGuardian.authorizationApi.securityContext.enabled

• nubusGuardian.managementApi.*:

  • nubusGuardian.managementApi.podSecurityContext.enabled

  • nubusGuardian.managementApi.oauth.auth.existingSecret.name

  • nubusGuardian.managementApi.oauth.auth.existingSecret.keyMapping.clientSecret

  • nubusGuardian.managementApi.securityContext.enabled`

• nubusGuardian.provisioning.*:

  • nubusGuardian.provisioning.podSecurityContext.enabled

  • nubusGuardian.provisioning.securityContext.enabled

Rename the following Helm Chart values:

• nubusGuardian.provisioning.config.keycloak.realm to nubusGuardian.provisioning.keycloak.realm.

• nubusGuardian.provisioning.config.keycloak.username to nubusGuardian.provisioning.keycloak.auth.username.

• nubusGuardian.provisioning.config.keycloak.password to nubusGuardian.provisioning.keycloak.auth.password.

• nubusGuardian.provisioning.config.keycloak.credentialSecret.name to nubusGuardian.provisioning.keycloak.auth.existingSecret.name.

• nubusGuardian.provisioning.config.keycloak.credentialSecret.key to nubusGuardian.provisioning.keycloak.auth.existingSecret.keyMapping.password.

• nubusGuardian.provisioning.config.keycloak.connection.host to nubusGuardian.provisioning.keycloak.connection.host.

• nubusGuardian.provisioning.config.keycloak.connection.port to nubusGuardian.provisioning.keycloak.connection.port.

• nubusGuardian.postgresql.credentialSecret.name to nubusGuardian.postgresql.auth.existingSecret.name.

• nubusGuardian.postgresql.credentialSecret.key to nubusGuardian.postgresql.auth.existingSecret.keyMapping.password.

Remove the following Helm Chart values:

• nubusGuardian.authorizationApi.config.udmDataAdapterUsername

• nubusGuardian.authorizationApi.config.udmDataAdapterPassword

• nubusGuardian.authorizationApi.config.secretRef

  • Reason for removal: Changed to the existingSecret strategy in Nubus for Kubernetes.

  • Alternative configuration: See Added helm values

• nubusGuardian.managementApi.config.oauthAdapterM2mSecret

• nubusGuardian.managementApi.config.secretRef

  • Reason for removal: Changed to the existingSecret strategy in Nubus for Kubernetes.

  • Alternative configuration: See Added helm values

• nubusGuardian.provisioning.config.managementApi.clientSecret

• nubusGuardian.provisioning.config.managementApi.credentialSecret.key

  • Reason for removal: Not used anymore, used the values from nubusGuardian.managementApi.oauth.auth

  • Alternative configuration: See Added helm values

• nubusGuardian.postgresql.nameOverride

• nubusGuardian.postgresql.bundled:

  • Reason for removal: The bundled psql deployment is no longer supported

  • Alternative configuration: Configure the connection to your psql database using the values of the chart.

Portal Frontend

Add the following features and fixes to the Portal Frontend:

• Fix for handling of translated strings in Portal entries and Portal announcements. The Portal Service now checks for available localization first in the user’s language, then in English, and finally any available language, to avoid empty text in Portal entries and Portal announcements.

• Experimental feature to display a news feed from either an RSS or Atom source, such as a XWiki instance or a Wordpress blog. To activate the feature, set nubusPortalServer.portalServer.featureToggles.newsfeed to true. The default value is false and deactivates the feature.

  To configure the news feed, you need to set the Helm Chart values in nubusPortalServer.portalServer.newsfeed.*:

  • nubusPortalServer.portalServer.newsfeed.feedUrl

  • nubusPortalServer.portalServer.newsfeed.feedtype

  • nubusPortalServer.portalServer.newsfeed.homeUrl

  • nubusPortalServer.portalServer.newsfeed.icsSilentLoginUrl

• Add support for additional resolutions and formats of the favicon.

  Add the following Helm Chart values for the favicon. All values must be a Base64 encoded string of images in PNG format, except the faviconSvg which must be in SVG format.

  • nubusPortalFrontend.portalFrontend.branding.favicon96Png

  • nubusPortalFrontend.portalFrontend.branding.faviconSvg

  • nubusPortalFrontend.portalFrontend.branding.appleTouchIcon

  • nubusPortalFrontend.portalFrontend.branding.webManifestIcon192

  • nubusPortalFrontend.portalFrontend.branding.webManifestIcon512

• In the quick links, avoid to display a question mark, when a quick link doesn’t have an image configured.