Changelog#

This section provides the changelog for Nubus for Kubernetes. Each version has its own section.

Version 1.7.0 - 2025-02-23#

This is the fifth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.7.0, your deployment must run on version 1.6.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps#

This section outlines the steps that apply to existing Nubus for Kubernetes installations. You need to run them before the upgrade.

Change Helm Chart values#

Before you run the upgrade, you need to prepare your values file:

  1. Replace global.nubusMasterPassword with global.secrets.masterPassword. If you set the new value to the same value as before, the generated passwords stay the same.

  2. Clean up the nubusStackDataUms Helm Chart values. If you configured custom values there, you need to update them. For the affected Helm Chart values, see Changes in nubusStackDataUms.

Recreate Portal Consumer#

The Portal Consumer pod now runs as a different, non-root user and therefore doesn’t have the permissions to modify or create the existing group cache file. The persistent volume claim (PVC) doesn’t contain vital data. Running the upgrade afterwards with helm upgrade … recreates the PVC and the StatefulSet Kubernetes object, and the Portal Consumer pod recreates the content of the PVC.

You also need to run the following steps before the upgrade:

  1. Set environment variables to identify your Nubus for Kubernetes installation.

    Run the commands in Listing 1.

    Listing 1 Initialize environment variables#
    $ export NAMESPACE_FOR_NUBUS="Set to your Kubernetes namespace"
    $ export RELEASE_NAME="The Helm Chart release name"
    
  2. Delete the persistent volume claim for the group membership cache and the StatefulSet object of the Portal Consumer.

    Run the commands in Listing 2.

    Listing 2 Delete volume and StatefulSet of the Portal Consumer#
    $ kubectl \
       --namespace "$NAMESPACE_FOR_NUBUS" \
       delete pvc \
       "group-membership-cache-$RELEASE_NAME-portal-consumer-0"
    $ kubectl \
       --namespace "$NAMESPACE_FOR_NUBUS" \
       delete statefulset \
       "$RELEASE_NAME-portal-consumer"
    

Added#

  • Add the ad hoc provisioning plugin to Keycloak in the Identity Provider. Ad hoc provisioning allows federating Keycloak with an external identity provider. When users sign in to Nubus for the first time with their external user accounts, Keycloak automatically creates a user account in Nubus.

  • Add an API endpoint to the Portal Server so that the Portal Frontend can fetch and show details about the signed-in user, such as their profile picture.

    Add the nubusStackDataUms.templateContext.svcPortalServerUserPassword Helm Chart value. Explicitly configure this value in production deployments. If you don’t supply a value, a random password is generated.

    To configure the credentials that the Portal Server uses as a client of the UDM HTTP REST API, use the following values structure.

    nubusPortalServer:
      udm:
        connection:
          url: null
        auth:
          username: "svc-portal-server"
          password: null
          existingSecret:
            name: null
            keyMapping:
              password: null
    
  • Add the Helm Chart value global.udm.connection.url.

  • Add toggles to activate or deactivate specific features in the Portal Service.

    Operators can toggle features in the Portal Service through Helm Chart values of the Portal Server. The configuration also applies to the Portal Frontend. The following feature toggles are available:

    nubusPortalServer.portalServer.featureToggles.centered_layout.

    It’s deactivated by default with the value false.

    nubusPortalServer.portalServer.featureToggles.notifications_api.

    It’s activated by default with the value true.

    nubusPortalServer.portalServer.featureToggles.umc_session_refresh.

    It’s activated by default with the value true.

  • Add the following actions to the UDM data loader plugin type:

    ensure_list_does_not_contain

    The companion action to the existing ensure_list_contains action. This data loader action allows enforcing, for example, that a user isn’t a member of a specific group, without overwriting the user’s other group memberships.

    modify_if_exists

    This data loader action allows modifying a UDM object without raising an error if that object doesn’t exist.

    create_or_modify

    This data loader action now also works for the users/user UDM module. It handles LDAP distinguished names (DNs) that start with either uid= or cn=.

    For more information about UDM data loader actions, see Actions in the data loader in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].

  • Add the user group Domain Service Users. It allows its group members to access the UDM HTTP REST API, because it’s part of the authorization groups. The group is for services, for example, the Portal Service to access the UDM HTTP REST API for querying data from the Directory Manager, such as fetching information about the signed-in user. For more information, see Authorization groups in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2].
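The data loader actions listed above differ mainly in how they behave when the target object or list entry is already in the desired state. The following toy directory is an added example, not the UDM data loader’s implementation: it models the semantics of ensure_list_contains, ensure_list_does_not_contain, modify_if_exists and create_or_modify over an in-memory object store, so the idempotent behaviour and the uid=/cn= handling are visible in isolation. The object shapes, the property names (groups, description) and the DN normalization rules are constructed for this example.

```python
"""Toy in-memory directory demonstrating the data loader action semantics.
Added example; not the UDM data loader's own code."""
from typing import Dict, Optional


class ObjectNotFound(KeyError):
    """Raised by modify() when the DN does not exist (modify_if_exists swallows it)."""


class ToyUdm:
    """Objects keyed by a normalized DN; each object is a dict of properties."""

    def __init__(self) -> None:
        self.objects: Dict[str, Dict] = {}

    @staticmethod
    def _key(dn: str) -> str:
        """Accept DNs whose first RDN is uid= or cn=; normalize case and spacing
        so that 'UID=Alice, CN=users, ...' and 'uid=alice,cn=users,...' match."""
        parts = [p.strip() for p in dn.split(",")]
        attr = parts[0].partition("=")[0].strip().lower()
        if attr not in ("uid", "cn"):
            raise ValueError(f"unsupported RDN attribute in {dn!r}")
        return ",".join(parts).lower()

    def get(self, dn: str) -> Optional[Dict]:
        return self.objects.get(self._key(dn))

    def create(self, dn: str, props: Dict) -> None:
        key = self._key(dn)
        if key in self.objects:
            raise ValueError(f"{dn} already exists")
        self.objects[key] = dict(props)

    def modify(self, dn: str, props: Dict) -> None:
        """Plain modify: an error for a missing object."""
        key = self._key(dn)
        if key not in self.objects:
            raise ObjectNotFound(dn)
        self.objects[key].update(props)

    def modify_if_exists(self, dn: str, props: Dict) -> bool:
        """Like modify, but a missing object is a no-op instead of an error."""
        try:
            self.modify(dn, props)
            return True
        except ObjectNotFound:
            return False

    def create_or_modify(self, dn: str, props: Dict) -> str:
        """Works for uid= (users) and cn= (groups and other modules) DNs alike."""
        if self.modify_if_exists(dn, props):
            return "modified"
        self.create(dn, props)
        return "created"

    def ensure_list_contains(self, dn: str, prop: str, value: str) -> bool:
        """Append one entry; everything else in the list is left untouched."""
        lst = self.objects[self._key(dn)].setdefault(prop, [])
        if value in lst:
            return False
        lst.append(value)
        return True

    def ensure_list_does_not_contain(self, dn: str, prop: str, value: str) -> bool:
        """Remove one entry without rewriting the rest of the list."""
        obj = self.objects[self._key(dn)]
        lst = obj.get(prop, [])
        if value not in lst:
            return False
        obj[prop] = [v for v in lst if v != value]
        return True
```

Every action returns whether it changed anything, so a data loader run can be replayed safely: the second run of the same action list is a sequence of no-ops rather than errors or overwrites.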

Changed#

  • Replace global.nubusMasterPassword with global.secrets.masterPassword.

  • Update the container images based on UCS to version 5.2-0.

  • Update Keycloak from version 25.0.1 to 25.0.6.

Fixed#

  • Fix an issue with the username and the password in the PostgreSQL database credentials. They didn’t allow special characters that appear in strong passwords, such as / and @.

  • Fix an issue where Gmail rejected emails from the User Self Service, because of an improper Message-Id email header.

  • Fix the security context on the Portal Consumer. The Portal Consumer didn’t apply the security context to run as non-root user with a read-only file system. For the migration steps, see Recreate Portal Consumer.

  • Fix an issue with the Dispatcher in the Provisioning Service. If the connection to the message queue provided by NATS fails, the Dispatcher retries for 10 seconds and then exits, so that Kubernetes handles the pod restart.

  • Fix the Authorization Service so that operators can specify the Kubernetes resources (requests and limits) for the Guardian pods.

  • Fix the volume mounts in the extension mechanism for using plugin types so that the containers use read-only volume mounts.

  • Fix a double definition of the resource YAML key in the UDM Listener StatefulSet by removing the second unnecessary definition.

  • Fix an issue in the Keycloak Extension Proxy so that it evaluates the PostgreSQL SSL variable correctly.

  • Fix an issue in the Keycloak Extension Proxy so that it no longer crashes when Keycloak returns a successful response with JSON Web Token (JWT).

Removed#

Remove the UCR variable umc/module/udm/oxmail/oxcontext/disabled from Stack Data that loads data to initialize Nubus for Kubernetes. This fixes an error where the tile for the OX Context didn’t show up in the Management UI.

If you as operator want to deactivate the tile for the OX Context, you need to set the following value in your Helm Chart values file: global.configUcr.umc.module.udm.oxmail.oxcontext.disabled: "True".

Version 1.6.0 - 2025-01-21#

This is the fourth production release of Nubus for Kubernetes.

Before you run the upgrade, you need to prepare your values file:

  1. If you explicitly configure ingress.enabled, replace it with the new variables.

  2. If you configured an external, S3-compatible object storage, rename your Helm Chart values as described in the change about the configuration setup for S3-compatible object storage, and remove the global values.

Upgrade path

For the upgrade to version 1.6.0, your deployment must run on version 1.5.1. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Added#

Changed#

  • Change the UCS base image to the version from 2024-12-12.

  • Change the keycloak-bootstrap Kubernetes pod to no longer use Helm hooks that caused issues with ArgoCD and similar deployment strategies. keycloak-bootstrap uses an initialization container instead to wait for the availability of the Keycloak API.

  • Change the global ingress configuration and split ingress.enabled to ingress.favicon.enabled and ingress.minio.enabled.

    If you explicitly configured ingress.enabled in your custom_values.yaml values file, add the two values above and remove ingress.enabled before you run the upgrade. If you use an external S3-compatible object storage, set ingress.minio.enabled to false.

  • Change the configuration setup for S3-compatible object storage in Portal Consumer, Portal Server, and Stack Data UMS. The change allows connecting to S3-compatible object storage outside the Kubernetes cluster where Nubus runs.

    The endpoints refer to the complete URL of the object storage, for example https://external-storage.example.com:9000, including the protocol, host, and port.

    You may need to change the following Helm Chart values before you run the upgrade.

    Portal Consumer

    Rename nubusPortalConsumer.portalConsumer.objectStorageBucket to nubusPortalConsumer.objectStorage.bucketName.

    Rename nubusPortalConsumer.portalConsumer.objectStorageEndpoint to nubusPortalConsumer.objectStorage.endpoint.

    Add nubusPortalConsumer.portalConsumer.assetsBaseUrl. Define the complete base URL to the assets folder in your S3-compatible object storage, for example https://external-storage.example.com/assets-bucket/.

    Remove global Helm Chart values for S3-compatible object storage, because the structure was inconsistent and the implementation incomplete:

    • global.objectStorage.bucket

    • global.objectStorage.connection.endpoint

    • global.objectStorage.connection.host

    • global.objectStorage.connection.port

    • global.objectStorage.connection.protocol

    The consolidated dictionary is nubusPortalConsumer.objectStorage.*.

    Portal Server

    Rename nubusPortalServer.portalServer.objectStorageBucket to nubusPortalServer.objectStorage.bucketName.

    Rename nubusPortalServer.portalServer.objectStorageEndpoint to nubusPortalServer.objectStorage.endpoint.

    Stack Data UMS

    Rename nubusStackDataUms.nubusPortalConsumer.portalConsumer.objectStorageBucket to nubusStackDataUms.nubusPortalConsumer.objectStorage.bucketName.

    Rename nubusStackDataUms.nubusPortalServer.portalServer.objectStorageBucket to nubusStackDataUms.nubusPortalServer.objectStorage.bucketName.

    Add nubusStackDataUms.nubusPortalConsumer.objectStorage.endpoint.

    Add nubusStackDataUms.nubusPortalServer.objectStorage.endpoint.

    See also

    Use external S3-compatible object storage

    in Univention Nubus for Kubernetes - Operation Manual [1] for documentation about how to connect Nubus for Kubernetes to an external S3-compatible object storage.
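The renames above (and the global.nubusMasterPassword to global.secrets.masterPassword rename in version 1.7.0) are easy to get wrong by hand in a deeply nested values file. The following block is an added example, not a tool shipped with Nubus: it applies the rename table transcribed from this changelog to a custom_values.yaml that has already been loaded into a dict (parsing and writing YAML is left to the caller, for example with PyYAML), and reports the obsolete ingress.enabled key. The dict-walking helpers, the warning strings and the heuristic that a configured nubusPortalConsumer.objectStorage.endpoint means external storage are this example’s own.

```python
"""Apply the 1.6.0 and 1.7.0 Helm values renames to a values dict.
Added example; not part of the Nubus Helm Charts."""
from copy import deepcopy
from typing import Any, Dict, List, Optional, Tuple

# (old dotted path, new dotted path); a new path of None means "remove".
RENAMES_1_6_0: List[Tuple[str, Optional[str]]] = [
    ("nubusPortalConsumer.portalConsumer.objectStorageBucket", "nubusPortalConsumer.objectStorage.bucketName"),
    ("nubusPortalConsumer.portalConsumer.objectStorageEndpoint", "nubusPortalConsumer.objectStorage.endpoint"),
    ("nubusPortalServer.portalServer.objectStorageBucket", "nubusPortalServer.objectStorage.bucketName"),
    ("nubusPortalServer.portalServer.objectStorageEndpoint", "nubusPortalServer.objectStorage.endpoint"),
    ("nubusStackDataUms.nubusPortalConsumer.portalConsumer.objectStorageBucket",
     "nubusStackDataUms.nubusPortalConsumer.objectStorage.bucketName"),
    ("nubusStackDataUms.nubusPortalServer.portalServer.objectStorageBucket",
     "nubusStackDataUms.nubusPortalServer.objectStorage.bucketName"),
    ("global.objectStorage.bucket", None),
    ("global.objectStorage.connection.endpoint", None),
    ("global.objectStorage.connection.host", None),
    ("global.objectStorage.connection.port", None),
    ("global.objectStorage.connection.protocol", None),
]
RENAMES_1_7_0: List[Tuple[str, Optional[str]]] = [
    ("global.nubusMasterPassword", "global.secrets.masterPassword"),
]

OBSOLETE_INGRESS_MSG = "ingress.enabled is obsolete: set ingress.favicon.enabled and ingress.minio.enabled instead"
EXTERNAL_S3_MSG = "external object storage configured: set ingress.minio.enabled to false"


def _pop_path(tree: Dict, path: str) -> Tuple[bool, Any]:
    """Remove the value at a dotted path; prune parents that became empty."""
    keys = path.split(".")
    parents: List[Tuple[Dict, str]] = []
    node: Any = tree
    for k in keys[:-1]:
        if not isinstance(node, dict) or k not in node:
            return False, None
        parents.append((node, k))
        node = node[k]
    if not isinstance(node, dict) or keys[-1] not in node:
        return False, None
    value = node.pop(keys[-1])
    for parent, k in reversed(parents):
        if parent[k] == {}:
            del parent[k]
        else:
            break
    return True, value


def _set_path(tree: Dict, path: str, value: Any) -> None:
    node = tree
    keys = path.split(".")
    for k in keys[:-1]:
        node = node.setdefault(k, {})
    node[keys[-1]] = value


def migrate_values(values: Dict, renames: List[Tuple[str, Optional[str]]]) -> Tuple[Dict, List[str]]:
    """Return (migrated copy, list of actions taken). The input is not modified."""
    out = deepcopy(values)
    log: List[str] = []
    for old, new in renames:
        found, value = _pop_path(out, old)
        if not found:
            continue
        if new is None:
            log.append(f"removed {old}")
            continue
        _set_path(out, new, value)
        log.append(f"moved {old} -> {new}")
    return out, log


def check_ingress_split(values: Dict) -> List[str]:
    """ingress.enabled was split into ingress.favicon.enabled and ingress.minio.enabled;
    with external object storage, ingress.minio.enabled must be false."""
    warnings: List[str] = []
    ingress = values.get("ingress") or {}
    if "enabled" in ingress:
        warnings.append(OBSOLETE_INGRESS_MSG)
    endpoint = ((values.get("nubusPortalConsumer") or {}).get("objectStorage") or {}).get("endpoint")
    if endpoint and (ingress.get("minio") or {}).get("enabled") is not False:
        warnings.append(EXTERNAL_S3_MSG)
    return warnings
```

Run it against a copy of the values file, compare the output with the original (for example with a YAML diff), and only then commit the migrated file; the action log lists exactly which keys moved or disappeared, so nothing is silently dropped.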

Fixed#

  • Fix a scenario where the primary LDAP server became unreachable after installing on top of an existing installation.

    The leader elector sidecar container in the LDAP server primary pods now enforces the right label selector on the LDAP primary Kubernetes Service every 15 seconds after renewing the Kubernetes Lease.

    This recovers from a possible invalid state after a Helm redeployment that may reset the Kubernetes service to its initial and invalid state in certain scenarios.

  • Fix a regression in the Nubus 1.5.1 Helm Chart template that caused the nubusProvisioning.nats.config block to include an empty authorization block when using the bundled NATS installation.

Version 1.5.1 - 2024-12-11#

This is the third production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.5.1, your deployment must run on version 1.5.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade.

Added#

Version 1.5.0 - 2024-12-09#

The highlight of this release is the support for running two LDAP Primary servers in mirror mode to meet high-availability requirements. You need to migrate your existing Nubus for Kubernetes environment before you upgrade Nubus to 1.5.0 to make the LDAP Servers mirror-ready and avoid data loss. For the steps, see Migrate existing LDAP Server to mirror mode readiness.

Upgrade path

For the upgrade to version 1.5.0, your deployment must run on version 1.4.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Added#

Add support for the operation of two LDAP Primaries in mirror mode to satisfy high-availability requirements.

Nubus uses Kubernetes Leases to ensure that only one LDAP Primary is active at a time and keeps the second LDAP Primary ready to take over. Each of the two LDAP Primary servers runs a leader elector sidecar container; the sidecars compete for the lease once their servers are ready. If the active LDAP Primary fails to renew its lease, the leader elector of the other ready LDAP Primary acquires the lease and promotes its server to the active node. To configure LDAP Primary high availability, Nubus adds the following Helm Chart value for the high availability configuration:

You need to migrate your existing Nubus for Kubernetes environment before you upgrade Nubus to 1.5.0 to make the LDAP Servers mirror-ready and avoid data loss. For the steps, see Migrate existing LDAP Server to mirror mode readiness.

Important

High availability doesn’t replace a backup concept, because it synchronizes the data to the other LDAP Primary as quickly as possible. If data gets corrupted, for example through operating errors, only a backup allows restoring clean data.

See also

LDAP Primary

in Univention Nubus for Kubernetes - Operation Manual [1] for information about how to set up high availability for the LDAP Server.
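The lease mechanism described above, and the selector enforcement that version 1.6.0 adds to the leader elector sidecar, can be reasoned about with a small model. The following block is an added example and not Nubus’s leader elector: an in-memory stand-in for a coordination.k8s.io/v1 Lease (the field names holderIdentity, leaseDurationSeconds and renewTime follow the Kubernetes API) plus a Service selector that the leader re-enforces after every renewal. The lease duration of 15 seconds, the use of the statefulset.kubernetes.io/pod-name label as the selector key, and the renewal schedule in the usage note are assumptions of this example.

```python
"""Model of Lease-based leader election between two LDAP Primaries.
Added example; not Nubus's leader elector implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEASE_DURATION_SECONDS = 15                          # leaseDurationSeconds (assumed value)
POD_NAME_LABEL = "statefulset.kubernetes.io/pod-name"  # label StatefulSets set on each pod


@dataclass
class Lease:
    """In-memory stand-in for a coordination.k8s.io/v1 Lease object."""
    holder_identity: Optional[str] = None
    renew_time: Optional[float] = None

    def is_expired(self, now: float) -> bool:
        return self.holder_identity is None or now > self.renew_time + LEASE_DURATION_SECONDS

    def try_acquire_or_renew(self, candidate: str, now: float) -> bool:
        """The holder renews; a ready standby takes over only once the lease expired.
        Returns True if `candidate` holds the lease after the call."""
        if self.holder_identity == candidate or self.is_expired(now):
            self.holder_identity, self.renew_time = candidate, now
            return True
        return False


def enforce_selector(service: Dict, leader: str) -> bool:
    """Point the LDAP primary Service at the leader pod. Returns True when a
    change was needed, i.e. something (such as a Helm redeployment) had reset
    the selector. The leader runs this after every successful renewal."""
    selector = service.setdefault("spec", {}).setdefault("selector", {})
    if selector.get(POD_NAME_LABEL) == leader:
        return False
    selector[POD_NAME_LABEL] = leader
    return True


def simulate(renew_attempts: List[Tuple[float, str]], service: Dict) -> List[Tuple[float, str, Optional[str]]]:
    """Replay (time, candidate) renewal attempts against one Lease and return
    (time, candidate, holder after the attempt) for each attempt."""
    lease = Lease()
    timeline: List[Tuple[float, str, Optional[str]]] = []
    for now, candidate in sorted(renew_attempts):
        if lease.try_acquire_or_renew(candidate, now):
            enforce_selector(service, candidate)
        timeline.append((now, candidate, lease.holder_identity))
    return timeline
```

With primary-0 renewing every 10 seconds and stopping after t=20, primary-1’s attempts at t=25 and t=35 are still refused (the lease is valid until t=35) and the one at t=45 succeeds, which is the failover window an operator should expect: one lease duration plus the standby’s retry interval.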

Changed#

Change the UDM Listener in the Provisioning Service to ensure it always connects to the first LDAP Primary, even in environments with two LDAP Primaries, to keep the listener’s state consistent with the LDAP transaction log. If the first LDAP Primary isn’t ready, the UDM Listener doesn’t notify the Provisioning Service of changes to user and group objects until Kubernetes restarts the first LDAP Primary.

See also

Notify about changes to directory objects

in Univention Nubus for Kubernetes - Architecture Manual [4] for information about the relation between the UDM Listener and the Identity Store and Directory Service.

Migrate existing LDAP Server to mirror mode readiness#

Before you can upgrade to Nubus 1.5.0, you need to make your LDAP Servers ready for mirror mode by following these steps. Mind the optional step after the ConfigMap configuration to activate mirror mode.

  1. Add the configuration ldap_database_initialized: initialized to indicate a successful LDAP Server setup.

    Run the command in Listing 3.

    Listing 3 Add data to ConfigMap to indicate successful LDAP Server setup#
    $ kubectl \
       --namespace "${NAMESPACE_FOR_NUBUS}" \
       create configmap \
       "${RELEASE_NAME}-ldap-server-status" \
       --from-literal=ldap_database_initialized=initialized
    configmap/nubus-ldap-server-status created
    
  2. Add the label app.kubernetes.io/managed-by: ldap-server-evaluate-database-init to the LDAP Server status ConfigMap.

    Run the command in Listing 4.

    Listing 4 Add label to LDAP Server ConfigMap#
    $ kubectl \
       --namespace "${NAMESPACE_FOR_NUBUS}" \
       label configmap \
       "${RELEASE_NAME}-ldap-server-status" \
       app.kubernetes.io/managed-by=ldap-server-evaluate-database-init
    configmap/nubus-ldap-server-status labeled
    

    Note

    The label is the reason why you can’t use Helm to create the ConfigMap: the LDAP Server manages the ConfigMap itself, and Helm mustn’t change it, so that its state persists across upgrades.

Applying these steps makes your Nubus deployment ready for mirror mode. If you then want to activate mirror mode, follow the steps in LDAP Primary in Univention Nubus for Kubernetes - Operation Manual [1].

Version 1.4.0 - 2024-12-02#

This is the second production release of Nubus for Kubernetes. The versions 1.1.0 to 1.3.0 have been technical releases, and weren’t intended for public use. This document includes and lists the changes for the versions 1.1.0 to 1.3.0.

Important

For existing deployments, read the Secret management migration section before you deploy this version and conduct the proper preparation.

Upgrade path

For the upgrade to version 1.4.0, your deployment must run on version 1.0.0. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Added#

Add support for encrypted connection to the PostgreSQL database in the Keycloak Extensions. The encrypted connection allows the use of custom certificate authority (CA) certificates.

Set these Helm values to configure an encrypted connection to the PostgreSQL database for Keycloak Extensions:

See also

Enable encrypted connection to database

in Univention Nubus for Kubernetes - Operation Manual [1] for how to configure an encrypted connection to the PostgreSQL database for the Keycloak Extensions.

Changed#

  • Change the UMC Server and the UMC Gateway in the Management UI to use RollingUpdate as default update strategy for these Kubernetes pods.

  • Change the default behavior for the following items related to the Management UI:

    Deactivate User template

    When creating a user object in the Management UI, the wizard used the Self Service Registration Template.

    The wizard now uses no template by default.

    Deactivate email invitation for created user objects

    When creating a user object in the Management UI, by default the wizard prompted the administrator for the user’s email address, and activated the checkbox for sending an email invitation.

    By default, the wizard now prompts for the initial user password and deactivates the email invitation checkbox. If you want to send an invitation email during the user creation process, you can activate the email invitation checkbox and the wizard prompts for the user’s email address.

    Activate the automatic search

    When opening the users module in the Management UI, the module didn’t show any users by default until the first search.

    When you open the users module in the Management UI, it now performs a first search by default and displays user objects.

  • After changing the theme and branding of the Portal Frontend the respective Kubernetes pods reload automatically.

  • Change the Secret management in Nubus. All components now use the standardized existingSecret pattern in Listing 5.

    To adjust your existing values file, see Secret management migration.

    Listing 5 Configuration pattern for secrets using existingSecret#
    existingSecret:
      name: "<secret-name>"
      keyMapping:
        key1: "<value1>"
    

Removed#

  • Remove releaseNameOverride from the Helm Chart.

Secret management migration#

Nubus for Kubernetes version 1.4.0 changed the pattern for the configuration of existing secret objects. This section describes the needed actions to prepare your Nubus deployment before you deploy version 1.4.0.

Auto-generated secrets

You use auto-generated secrets if you haven’t configured any credentialSecret or existingSecret sections in your custom_values.yaml values file.

If your deployment falls into this category, you don’t need to change anything regarding secret management.

Existing secrets

You use existing secrets if you have configured credentialSecret sections in your custom_values.yaml values file. Go through your values file and verify the values.

Tip

To keep the listing brief, the following lists show values like existingSecret.name. They refer to the whole pattern as outlined in Listing 5.

For credentialSecret, they also refer to its subsection credentialSecret.key.

This version adds the following values to the Helm Chart:

This version changes the following values in the Helm Chart:

See also

Secrets in Nubus for Kubernetes

in Univention Nubus for Kubernetes - Operation Manual [1] for information about the different options.

Version 1.0.0 - 2024-10-31#

This is the first production release of Nubus for Kubernetes.

Consider all changes as breaking changes, because no upgrade path exists from the alpha version 0.18.3 to this version.

Changed#

  • Change OpenLDAP from version 2.4 to 2.5.

  • Temporarily deactivate the Authorization Service in Nubus for Kubernetes.

    This change doesn’t impact other Nubus components, because no other component uses the Authorization Service yet. For more information, see Authorization Service in Univention Nubus for Kubernetes - Architecture Manual [4].

  • Replace the listener/notifier mechanism with the Provisioning Service. Remove the listeners in the Portal Server and the End User Self Service and replace them with Consumers for the Provisioning Service.

    The OX Connector also provides a Consumer to the Provisioning Service instead of a listener. However, the OX Connector isn’t part of Nubus for Kubernetes.

  • Deactivate plain sign-in by default. Instead, activate single sign-on through SAML by default in Keycloak.

  • Deactivate the Keycloak Extensions for brute force detection and new sign-in notification during the sign-in process by default.

    For information about how to manually activate the Keycloak Extensions, see Keycloak Extensions in Univention Nubus for Kubernetes - Operation Manual [1].

  • Increase the number of available UMC modules in the Management UI. Besides the modules to manage user accounts, the Management UI shows the UMC modules available to Nubus for Kubernetes.

  • Change the Helm value structure for defining UCR variables under global.configUcr.

  • Change the format for loading initial data in Nubus for Kubernetes from Helm templates to Jinja2.

    For example, setting the browser window title in the Management UI.

Added#

  • Add Ingress configuration for HTTP traffic routing in Nubus for Kubernetes. It replaces the Stack Gateway Kubernetes pod.

  • Increase security hardening through the following measures:

    Profile picture upload in End User Self Service

    The End User Self Service re-encodes profile pictures of any source format to JPEG to reduce the risk of malware injection. It also removes any metadata, such as EXIF, for improved privacy.

    Security context for pods
    • Containers run as non-root users.

      The exception is the UMC server and its sidecar container with sssd, which still need root privileges.

    • Containers mount their root file system read-only.

    • Processes can’t gain more privileges than their parent process, because of allowPrivilegeEscalation: false in the Kubernetes pod configuration.

    Capabilities

    All default components of Nubus now use no extra capabilities in their Kubernetes pods.

    See also

    Configure a Security Context for a Pod or Container

    for information about security context in Kubernetes.

  • Add interfaces to extend Nubus for Kubernetes, for example with customizations for openDesk.

  • Add configurable scalability for the following functional components in Nubus for Kubernetes:

    • UMC Server and UMC Gateway in Management UI.

    • Keycloak in Identity Provider.

    • Portal Server and Portal Frontend in the Portal Service.

    • LDAP Server in Identity Store and Directory Service, especially read-only LDAP secondary servers.

      See also

      Directory service high availability and scalability

      in Univention Nubus for Kubernetes - Operation Manual [1] for information about the scalability configuration of the Identity Store and Directory Service.

    See also

    Scalability

    in Univention Nubus for Kubernetes - Operation Manual [1] for information about the scalability configuration in the Management UI, Identity Provider, and the Portal Service.

  • Add the ability to configure the browser window title of the Management UI.

    Listing 6 Example for custom_values.yaml deployment file to change title of the Management UI#
    global:
      configUcr:
        umc:
          web:
            title: "My custom title for the Management UI"
    
  • Add the ability to customize the branding for the Portal and Keycloak, namely the background images, HTML style (CSS) and the favicon.

    See also

    Branding and themes

    in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2] for information about how to customize the branding.

  • Add the ability to customize the cookie consent banner for the Portal and for Keycloak.

    See also

    Consent for using cookies

    in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2] for information about how to customize the cookie consent banner.

  • Add the ability to customize the links in the footer of the sign-in in Keycloak.

    See also

    Customization of Keycloak sign-in

    in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2] for information about how to customize the Keycloak sign-in.

  • Add the ability to configure the email body for the password reset emails.

    See also

    Customization of self-service emails

    in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [2] for information about how to customize the email body text for End User Self Service emails.
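The hardening measures listed under Security context for pods and Capabilities are only effective if they actually land on every container, which is exactly what the Portal Consumer fix in version 1.7.0 addressed. The following block is an added example, not tooling that ships with Nubus: it audits a Pod object in the dict form that kubectl get pod -o json returns against those measures (non-root, read-only root file system, no privilege escalation, no added capabilities) and separately lists writable volume mounts, which matters for the read-only plugin mounts from the same release. Requiring that containers drop ALL capabilities is stricter than the text and is this example’s own choice; the sample Pods below are constructed, not real Nubus manifests.

```python
"""Audit Pod manifests against the documented security context hardening.
Added example; not a tool from Nubus."""
from typing import Dict, FrozenSet, List


def audit_pod(pod: Dict, root_allowed: FrozenSet[str] = frozenset()) -> List[str]:
    """Return one finding per violated rule; an empty list means hardened.
    runAsNonRoot may be set on the pod or the container (container wins);
    readOnlyRootFilesystem, allowPrivilegeEscalation, privileged and
    capabilities exist only on the container securityContext.
    `root_allowed` names containers that legitimately still need root,
    such as the UMC server and its sssd sidecar."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings: List[str] = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext") or {}
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if non_root is not True and name not in root_allowed:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged container")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        caps = sc.get("capabilities") or {}
        if caps.get("add"):
            findings.append(f"{name}: adds capabilities {sorted(caps['add'])}")
        if "ALL" not in {x.upper() for x in caps.get("drop") or []}:
            findings.append(f"{name}: does not drop ALL capabilities")
    return findings


def writable_mounts(pod: Dict) -> List[str]:
    """'container:mountPath' for every volume mount that is not readOnly.
    Data volumes may legitimately be writable; plugin and extension
    volumes should not appear here."""
    out: List[str] = []
    for c in pod["spec"].get("containers", []):
        for vm in c.get("volumeMounts", []):
            if not vm.get("readOnly"):
                out.append(f"{c['name']}:{vm['mountPath']}")
    return out


# Constructed sample Pods (not Nubus manifests).
HARDENED = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{
        "name": "portal-consumer",
        "securityContext": {"readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
        "volumeMounts": [{"name": "plugins", "mountPath": "/plugins", "readOnly": True},
                         {"name": "cache", "mountPath": "/var/cache/portal"}]}]}}

WEAK = {"spec": {"containers": [
    {"name": "umc-server",
     "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                         "capabilities": {"drop": ["ALL"]}}},
    {"name": "sidecar",
     "securityContext": {"runAsNonRoot": True,
                         "capabilities": {"add": ["NET_ADMIN"], "drop": ["ALL"]}}}]}}
```

Feeding the live Pod object rather than the chart template into audit_pod is the point: it catches the case the 1.7.0 fix describes, where the values were set but never reached the rendered StatefulSet.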

Removed#

  • Remove the hardwired inclusion of the openDesk extensions.

    The extensions included the following aspects that moved to an explicit openDesk extension:

    • LDAP schema.

    • Custom UDM hooks.

    • Configuration for tiles in Management UI.

    • Branding customized to openDesk.

    • Pre-configured user accounts for ldapsearch for usage in openDesk apps.

    • Portal content customized to openDesk.

      The portal content now corresponds to Univention Corporate Server (UCS).

    • Additional users default.admin and default.user.

      The Administrator user remains the only administrative user.

  • Remove the Stack Gateway Kubernetes pod that used to route the traffic within Nubus for Kubernetes.

  • Remove hard dependency to cert-manager, a certificate manager for Kubernetes clusters.

    Operators can now configure their own certificates in their Ingress configuration or use a different certificate manager.

Fixed#

  • The portal session now automatically refreshes as long as the browser window is open. Before, the portal session would time out after 10 minutes regardless of whether the portal was still in use.

  • Fix password renewal in Keycloak.

    Renewing the user password through Keycloak failed for expired passwords. It works as expected now.

  • Sending emails for password reset and user invitation now works correctly.

  • Init containers no longer print passwords into logging during Kubernetes pod initialization.

Known issues#

  • The customization of the email body for the user invitation email isn’t possible yet.

    For more information, see Bug #57693.

Version 0.18.3 (Alpha) - 2024-05-31#

This is the initial release of Nubus for Kubernetes, intended for evaluation purposes; your feedback is welcome. For more information about the product context, see Identity & Access Management for Sovereign Cloud Suites in Kubernetes.

This is the first release that you can install on its own, outside of the openDesk context that Nubus for Kubernetes comes from. It still includes the look-and-feel and third-party integrations from openDesk. In future releases, the look-and-feel and third-party integrations will be moved to packaged integrations.

The release schedule includes additional alpha versions of Nubus for Kubernetes. Interfaces, features, and data structures may change until the version of Nubus for Kubernetes reaches production-ready status.

Important

As long as the product version is in alpha status, the product doesn’t promise migration paths or the ability to upgrade to future versions.

Changed#

Planned deprecations for a future release
  • Move the default integrations for third-party applications from the core product to packaged integrations.

  • Remove the hard-coded openDesk theme.

  • Remove the LDAP notifier service.