feat(nubus): Update from v1.14.0 to v1.15.1
⬆️ Feature
Expected MR Title and git commit message
feat(nubus): Update from v1.14.0 to v1.15.1
✅ Changes
List the key changes made in this MR:
- Keycloak v26.3.5
  Nubus v1.15.1 ships with Keycloak v26.4.1, but we downgraded it to v26.3.5 from Nubus v1.14.1 in this MR because of a known issue which breaks existing LDAP users with capital letters in usernames.
- OIDC back-channel logout in the Portal
  The portal immediately ends active sessions of a user when the Identity Provider sends a back-channel logout request.
- OIDC back-channel logout with federated Identity Provider
  In scenarios that use federation with an upstream identity provider (IdP), back-channel logout requests from the upstream IdP trigger back-channel logout requests to clients relying on Keycloak, the local IdP.
- Simplified configuration of dependencies
  The Helm Chart provides examples for the installation of Nubus for Kubernetes. The examples include bundled dependencies for test and demonstration purposes, and externally provided dependencies for production scenarios.
- Portal accessibility improvements
  Improve UMC tiles and groups accessibility in the Portal, especially when using screen readers.
- Provisioning Service
  The natsBox debug container of the bundled NATS isn’t deployed by default. To explicitly activate the debug container, set nubusProvisioning.nats.natsBox.enabled to true.
🧪 Tests
Provide steps for QA or reviewers to test the feature and mention anything reviewers should be aware of:
- ...
🔄 Requirements for migrations
- Describe manual steps required to update existing deployments. This especially applies if this MR introduces breaking changes:
  - If you have configured your existing Nubus installation to use a federated upstream Identity Provider, you need to manually enable the Import Users option in the Keycloak Admin Console. Installations of Nubus for Kubernetes starting with version 1.15.0 enable this setting by default. This setting ensures proper support for back-channel logout when federating with an external identity provider and aligns your installation with the supported configuration.
    ❗ Enabling this setting in existing installations that use Nubus Keycloak for two-factor authentication requires users to re-enroll their two-factor authentication.
  - If you are still using SAML authentication, you need to re-enable the SAML endpoint of the UMC Server. Nubus for Kubernetes deactivates it by default for security reasons. To enable it, change the ingress paths of the UMC Server, as shown in the example in Listing 1.
- Any other considerations in context of the update:
Checklist / Sign-offs
🏷️ Labels
Set labels:
/label ~"MR-Type::Feature"
/label ~"PO::👀"
/label ~"QA::👀"
/label ~"Testautomation::👀"
👷 Developer Checklist
Documentation:
Does this MR introduce changes (e.g., new secrets, configuration options) that require documentation?
- No
- Yes, and the documentation has been updated accordingly
Quality Assurance:
- Verified that the feature works as expected, including upgrade scenarios
- Performed regression testing
- Link to internal comment(s) with detailed QA results (to avoid exposing infrastructure details):
- ...
Edited by Norbert Tretkowski