With version 1.18, we are releasing the second Nubus for Kubernetes update of this year. The focus of this release is to reduce dependencies on specific conditions within a Kubernetes cluster, making Nubus easier and more flexible to deploy.
Free Choice of Ingress Controller
The “Ingress Controller” in a Kubernetes cluster manages access to the interfaces of deployed applications. In the case of Nubus, this includes, for example, the accessibility of the login and portal web services through users’ browsers. Kubernetes operators can choose between several Ingress implementations, each with its own advantages and disadvantages.
Previously, Nubus for Kubernetes shipped with a fixed preconfiguration (so-called “annotations”) for the ingress-nginx implementation, and only this Ingress controller was officially supported. However, this widely used implementation has recently been deprecated and should no longer be used.
We already introduced initial improvements in this area with Nubus 1.17. With Nubus 1.18, we have completed the planned changes. This required us to remove several configuration options in the annotations that were only supported by ingress-nginx and instead implement the necessary adjustments directly within the Nubus components.
For example, all so-called “rewrites” within the web service URLs have now been removed from the Nubus components. As a result, Nubus no longer depends on a specific Ingress implementation and can be used with any Ingress controller. We have tested this with the “haproxy-ingress” and “traefik” implementations. Future releases will be tested primarily with “traefik”.
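When moving a cluster away from ingress-nginx, annotations in that controller's namespace that remain on Ingress objects (for example from local overrides) are silently ignored by other controllers, including access restrictions. The following check is an added example, not code from Nubus or Univention; the sample data is constructed, and the namespaces, object names and the class name "nginx" are assumptions.

```python
import json

NGINX_PREFIX = "nginx.ingress.kubernetes.io/"  # annotation namespace of ingress-nginx

# Constructed sample in the shape of `kubectl get ingress -A -o json`.
# Namespaces, names and class names are hypothetical, not taken from Nubus.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "nubus", "name": "portal", "annotations": {
    "nginx.ingress.kubernetes.io/rewrite-target": "/$2",
    "nginx.ingress.kubernetes.io/whitelist-source-range": "10.0.0.0/8"}},
  "spec": {"ingressClassName": "traefik"}},
 {"metadata": {"namespace": "nubus", "name": "login", "annotations": {
    "cert-manager.io/cluster-issuer": "example-issuer"}},
  "spec": {"ingressClassName": "traefik"}},
 {"metadata": {"namespace": "legacy", "name": "wiki", "annotations": {
    "kubernetes.io/ingress.class": "nginx",
    "nginx.ingress.kubernetes.io/ssl-redirect": "true"}},
  "spec": {}}
]}
""")

def ingress_class(item):
    """Class from spec.ingressClassName, else the legacy annotation, else None."""
    annotations = item.get("metadata", {}).get("annotations") or {}
    return (item.get("spec") or {}).get("ingressClassName") \
        or annotations.get("kubernetes.io/ingress.class")

def audit(ingress_list, prefix=NGINX_PREFIX, owner_class="nginx"):
    """List controller-specific annotations and whether another controller ignores them."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        cls = ingress_class(item)
        for key, value in sorted((meta.get("annotations") or {}).items()):
            if key.startswith(prefix):
                findings.append({
                    "ingress": f'{meta.get("namespace", "default")}/{meta.get("name")}',
                    "class": cls, "annotation": key, "value": value,
                    # True: served by a different controller, so the setting has
                    # no effect. None: no class set, the cluster default decides.
                    "ignored": None if cls is None else cls != owner_class,
                })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        state = {True: "IGNORED", False: "active", None: "unknown"}[f["ignored"]]
        print(f'{state:8} {f["ingress"]:14} class={f["class"]} {f["annotation"]}={f["value"]}')
```

On a live cluster, pass the parsed output of `kubectl get ingress -A -o json` to `audit()` instead of `SAMPLE`.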
Simplifications for Certificates and S3 Storage
Another reduction of dependencies within the Kubernetes cluster concerns certificate handling. Previously, Nubus had a fixed dependency on the widely used “cert-manager”, which is commonly responsible for issuing SSL certificates in Kubernetes clusters. Univention continues to recommend and test with “cert-manager”. However, thanks to the removal of dependencies on a specific Ingress implementation, other certificate management solutions within the cluster can now also be used.
We have also reduced dependencies in the area of S3 storage. Nubus stores several binary assets in S3 buckets, including static files used by the portal. Previously, parts of these S3 buckets had to be publicly accessible so that users’ browsers could retrieve these files.
With Nubus 1.18, access to these files is now handled directly through the web services integrated into Nubus. This significantly simplifies the S3 configuration.
Smaller Highlights
As usual, the Nubus for Kubernetes release also includes many improvements to Nubus components that are already known from UCS errata published in recent weeks. In addition to security updates and bug fixes, there are also a few noteworthy changes:
- An error message indicating expired certificates has been removed from the UMC management UI. The underlying check is only relevant for Nubus for UCS and is not required for Kubernetes.
- Installing or updating UDM extensions — for example when defining new extended attributes — no longer requires restarting the UDM REST API.
- Keycloak is now configured to update user information from LDAP at every login. This ensures that any changes to user accounts take effect the next time a user logs in.
As documented in the Operation Manual, Nubus 1.18 is available for download via our OCI registry. Further details about the included changes can be found in the release notes.