OpenDesk and Nubus for Kubernetes: Differences and Extensions

Summary

OpenDesk does not use a completely independent fork of Nubus for Kubernetes. Instead, it deploys the standard Nubus for Kubernetes umbrella chart provided by Univention and extends it through OpenDesk-specific configuration, additional components, and platform integrations.

The primary difference is therefore not the Nubus core itself, but the OpenDesk-specific integration profile. This includes IAM roles, groups, Keycloak configuration, portal content, application permissions, OIDC clients, provisioning integrations, and the Intercom Service.

At the time of this analysis, OpenDesk references the Nubus chart in version 1.20.1.


Basis of the Analysis

This analysis is based on the public OpenDesk deployment repository:

The following files and directories were particularly relevant:

  • README.md
  • docs/architecture.md
  • docs/permissions.md
  • helmfile/apps/nubus/helmfile-child.yaml.gotmpl
  • helmfile/apps/nubus/values-nubus.yaml.gotmpl
  • helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
  • helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
  • helmfile/environments/default/charts.yaml.gotmpl
  • helmfile/environments/default/images.yaml.gotmpl

Nubus Chart Used

OpenDesk deploys Nubus as a Helmfile release.

  • Release name: ums
  • Chart: nubus
  • Version: 1.20.1
  • Repository: OpenDesk mirror of the official Univention artifacts hosted at registry.opencode.de

The standard Nubus for Kubernetes chart is therefore used without maintaining a separate fork. However, it is deployed with an extensive set of OpenDesk-specific values.

In addition to the Nubus release itself, OpenDesk installs two further releases within the Nubus deployment:

  • intercom-service
  • opendesk-keycloak-bootstrap

These two components are essential for the OpenDesk-specific integration layer.


Additional OpenDesk Components within the Nubus Environment

Intercom Service

The Intercom Service operates within the Nubus environment but plays a central role in OpenDesk integration. Among other capabilities, it provides:

  • Silent Login between applications
  • Token Exchange with Keycloak
  • Central navigation for frontend applications
  • Integration with OX App Suite
  • Integration with Nextcloud, for example for File Picker scenarios
  • Integration with XWiki, for example to provide Newsfeed content
  • Integration with Element/Matrix

The Intercom Service acts as a Backend-for-Frontend (BFF) for scenarios in which a browser-based application must access APIs of other applications without implementing the complete authentication flow directly within the frontend.


OpenDesk Keycloak Bootstrap

OpenDesk provides its own Keycloak bootstrap chart, which creates and manages OpenDesk-specific Keycloak configuration, including:

  • OIDC clients for OpenDesk applications
  • Client scopes
  • Access control roles
  • Group-based client access restrictions
  • Realm configuration
  • LDAP federation settings
  • Optional SSO federation
  • Group configuration related to two-factor authentication (2FA)

Examples of OpenDesk-specific clients include:

  • opendesk-nextcloud
  • opendesk-openproject
  • opendesk-xwiki
  • opendesk-matrix
  • opendesk-jitsi
  • opendesk-oxappsuite
  • opendesk-dovecot
  • opendesk-notes
  • opendesk-intercom

Nubus Extensions in OpenDesk

OpenDesk loads additional extensions into Nubus.

The following extensions are configured as system extensions:

  • ox
  • opendesk
  • portal

Additionally, the following extension is deployed:

  • opendesk-a2g-mapper

The corresponding container images are obtained from OpenDesk repositories or mirrored Univention repositories. Of particular importance is the opendesk-nubus image, which provides OpenDesk-specific UDM/LDAP objects, schema extensions, and portal configuration.


IAM Customizations

OpenDesk uses Nubus as its central Identity and Access Management (IAM) platform. However, the IAM environment is preconfigured specifically for OpenDesk.

Role Model

OpenDesk defines two primary roles:

  • openDesk User
  • openDesk Administrator

These roles are represented through groups and templates within the IAM configuration.


Global Groups

OpenDesk uses and extends several core groups, including:

  • Domain Users
  • Domain Admins
  • 2FA Users
  • IAM API - Full Access

The IAM API - Full Access group is granted access to the UDM REST API. In this configuration, the previous default assignment to Domain Admins is explicitly replaced.


Application Groups

To control access to OpenDesk applications, predefined groups are created following the naming convention managed-by-attribute-*.

Examples include:

  • managed-by-attribute-Groupware
  • managed-by-attribute-Fileshare
  • managed-by-attribute-Projectmanagement
  • managed-by-attribute-Knowledgemanagement
  • managed-by-attribute-Livecollaboration
  • managed-by-attribute-Videoconference
  • managed-by-attribute-Notes

Additional groups exist for administrative permissions, for example:

  • managed-by-attribute-FileshareAdmin
  • managed-by-attribute-ProjectmanagementAdmin
  • managed-by-attribute-KnowledgemanagementAdmin

Membership in these groups is generally not managed manually. Instead, it is derived automatically from OpenDesk-specific attributes stored on the user object. Manual modifications to automatically managed groups may therefore be overwritten.


Access Control through Keycloak

OpenDesk uses these groups not only to determine the visibility of portal tiles but also as part of its authorization model within Keycloak.

OpenDesk-specific client scopes and roles are created for individual applications. Claims are issued only if the user belongs to the required groups. Consequently, directly accessing an application URL is insufficient if the user does not possess the necessary permissions.

Typical OpenDesk-specific claims include:

  • opendesk_username
  • opendesk_useruuid
  • Application-specific administrative claims, for example for OpenProject
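The attribute-to-group derivation behind the managed-by-attribute-* groups and the group-gated claim issuance in Keycloak, as one added Python example that is not OpenDesk or Nubus code. The attribute names, the attribute-to-group table and the per-client group requirements are assumptions, since the page does not list them; only the group names and client ids come from the page.

```python
# Added example, not OpenDesk or Nubus code. Attribute names, the
# attribute-to-group table and the per-client group requirements are assumed.
MANAGED_PREFIX = "managed-by-attribute-"

# Assumed mapping from a user attribute (hypothetical names) to the managed
# group it drives; the real opendesk-a2g-mapper configuration is not on the page.
ATTRIBUTE_TO_GROUP = {
    "opendeskGroupwareEnabled": "managed-by-attribute-Groupware",
    "opendeskFileshareEnabled": "managed-by-attribute-Fileshare",
    "opendeskFileshareAdmin": "managed-by-attribute-FileshareAdmin",
    "opendeskProjectmanagementEnabled": "managed-by-attribute-Projectmanagement",
    "opendeskProjectmanagementAdmin": "managed-by-attribute-ProjectmanagementAdmin",
}

# Assumed: the group a user must hold before Keycloak issues the client's claim.
CLIENT_REQUIRED_GROUP = {
    "opendesk-oxappsuite": "managed-by-attribute-Groupware",
    "opendesk-nextcloud": "managed-by-attribute-Fileshare",
    "opendesk-openproject": "managed-by-attribute-Projectmanagement",
}

TRUE_VALUES = {"TRUE", "1", True}


def derived_groups(attributes: dict) -> set[str]:
    """Managed groups the user should hold, computed only from attributes."""
    return {group for attr, group in ATTRIBUTE_TO_GROUP.items()
            if attributes.get(attr) in TRUE_VALUES}


def reconcile(current_groups: set[str], attributes: dict):
    """Return (new_membership, added, removed).

    Only managed-by-attribute-* groups are touched: a manual addition to a
    managed group is reverted, while groups like Domain Users are left alone.
    """
    target = derived_groups(attributes)
    managed_now = {g for g in current_groups if g.startswith(MANAGED_PREFIX)}
    unmanaged = current_groups - managed_now
    return unmanaged | target, target - managed_now, managed_now - target


def issued_claims(groups: set[str]) -> dict[str, bool]:
    """Which OpenDesk OIDC clients would receive their access claim."""
    return {client: required in groups
            for client, required in CLIENT_REQUIRED_GROUP.items()}
```

Running reconcile() on a user whose Projectmanagement group was added by hand shows that membership being removed again, and issued_claims() then reports no OpenProject claim for that user.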

UDM and UMC Customizations

OpenDesk modifies the Nubus administration environment in several ways.

Examples include:

  • openDesk User configured as the default template for newly created users
  • Mandatory user attributes such as first name and primary email address
  • Modified username syntax
  • Invitation workflow and "Require password change at next login" enabled by default
  • OpenDesk-specific user attributes for application permissions
  • Disabled or hidden UMC modules, such as Portal Management
  • Customized Self-Service configuration
  • Customized password complexity messages

These changes tailor Nubus more closely to the administration of OpenDesk users, groups, and application permissions.

Portal Customizations

Within OpenDesk, the Nubus Portal serves as a central integration point. Rather than operating as a standard portal, it is preconfigured with OpenDesk-specific content and functionality.

Portal Branding

OpenDesk provides its own portal assets and branding configuration, including:

  • CSS
  • Logos
  • Favicons
  • Background images
  • Portal title
  • Links to Legal Notice, Privacy Policy, Documentation, Support, and Feedback

Portal Tiles

OpenDesk creates portal tiles for the integrated applications. The visibility of these tiles is controlled through group membership.

Typical target applications include:

  • OX App Suite
  • Nextcloud
  • OpenProject
  • XWiki
  • Element
  • Jitsi
  • Notes

Central Navigation

OpenDesk uses the central navigation provided by the Nubus Portal through the endpoint:

/univention/portal/navigation.json

Applications use this endpoint to present a consistent OpenDesk navigation experience. Depending on the integration scenario, applications can either access the endpoint directly or retrieve the navigation through the Intercom Service.

Access to the endpoint requires a shared secret and the username of the user for whom the navigation should be generated.


Newsfeed

OpenDesk integrates a Newsfeed into the portal. The content originates from a predefined XWiki blog. Access is provided through the Intercom Service using Silent Login mechanisms.


Provisioning and Application Integration

OpenDesk uses the Nubus provisioning framework, which consists of components including:

  • LDAP Notifier
  • UDM Listener
  • UDM Transformer
  • Provisioning Dispatcher
  • Provisioning API
  • NATS JetStream

Within the OpenDesk ecosystem, the integration with OX App Suite is particularly significant. OX App Suite is actively provisioned through the OX Connector.

Other applications typically retrieve identity and group information directly from LDAP or consume authentication and authorization information via Keycloak/OIDC.


Keycloak Extensions

The Nubus Keycloak Extensions are enabled in OpenDesk and are used for features including:

  • Brute-force protection during authentication
  • Notifications when a user signs in from a new device

According to the OpenDesk documentation, the CAPTCHA functionality of the Keycloak Extensions is disabled.


External and OpenDesk-Provided Services

OpenDesk disables several services that can be deployed with Nubus or replaces them with centrally managed platform services.

Examples include:

  • PostgreSQL is provided centrally by OpenDesk.
  • Object storage is integrated through OpenDesk components such as SeaweedFS or MinIO.
  • Shared Redis and Memcached instances are configured centrally across the platform.
  • SMTP/Postfix is integrated using OpenDesk-specific infrastructure.

This architecture allows Nubus to integrate seamlessly into the overall OpenDesk platform instead of operating all dependencies exclusively within the Nubus deployment.


Disabled or Unused Nubus Components

Several Nubus components are disabled or not actively used in the analyzed OpenDesk configuration.

Examples include:

  • nubusGuardian is disabled.
  • nubusTwofaHelpdesk is disabled.
  • nubusNotificationsApi is disabled.

The UDM REST API can optionally be exposed externally. This behavior is controlled through OpenDesk feature flags.


Comparison: Standard Nubus for Kubernetes vs. OpenDesk Deployment

Area              | Standard Nubus for Kubernetes                      | OpenDesk Deployment
------------------+----------------------------------------------------+-------------------------------------------------------------------------
Chart             | Nubus umbrella chart                               | Standard Nubus chart with OpenDesk-specific configuration
IAM               | Generic IAM based on LDAP, UDM/UMC, and Keycloak   | OpenDesk-specific roles, groups, templates, and user attributes
Keycloak          | Standard Nubus configuration                       | Additional OpenDesk clients, scopes, claims, and access restrictions
Portal            | Standard Nubus Portal                              | OpenDesk branding, portal tiles, central navigation, and Newsfeed
Provisioning      | Nubus provisioning framework                       | Additional OX App Suite integration and OpenDesk-specific consumers
Extensions        | Deployment-specific Nubus extensions               | ox, opendesk, portal, opendesk-a2g-mapper
Intercom Service  | Part of the Nubus architecture                     | Deployed separately and extensively used for OpenDesk application integration
Administration    | Generic Nubus/UMC administration                   | Customized for OpenDesk administration
External Services | Bundled or external depending on deployment        | Integrated into the centrally managed OpenDesk platform architecture

Conclusion

OpenDesk uses Nubus for Kubernetes as the foundation for its Identity and Access Management (IAM) and portal services. The Nubus core remains unchanged and continues to provide components such as Keycloak, OpenLDAP, UDM/UMC, the Portal, Self-Service, and the provisioning framework.

The primary differences compared to a standard Nubus for Kubernetes deployment arise from the OpenDesk-specific integration layer. This includes, in particular:

  • Additional Nubus extensions
  • A dedicated OpenDesk Keycloak bootstrap
  • OpenDesk-specific roles, groups, and user attributes
  • Portal branding and application tiles
  • Central navigation services
  • The Intercom Service for Silent Login and cross-application integration
  • Integration with applications such as OX App Suite, Nextcloud, OpenProject, XWiki, Element, and Jitsi
  • Platform-wide use of shared databases, caches, object storage, and mail services

OpenDesk should therefore be understood as an integrated collaboration platform built on top of Nubus for Kubernetes rather than as either an unmodified standard Nubus deployment or a completely independent Nubus fork.


Functional Components

The component versions used by the individual deployments are listed in the README.md file.

The following applications are currently part of the OpenDesk platform.

Function                      | Component                    | License                                                                          | Version
------------------------------+------------------------------+----------------------------------------------------------------------------------+-----------
Chat & Collaboration          | Element with Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse), Apache-2.0 (Nordeck widgets) | 1.12.6
Collaborative Notes           | Notes (Docs)                 | MIT                                                                              | 4.4.0
Diagram Editor                | CryptPad with diagrams.net   | AGPL-3.0-only                                                                    | 2025.9.0
File Management               | Nextcloud                    | AGPL-3.0-or-later                                                                | 32.0.9
Groupware                     | OX App Suite                 | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                             | 8.49
Knowledge Management          | XWiki                        | LGPL-2.1-or-later                                                                | 17.10.9
Portal & Identity Management  | Nubus                        | AGPL-3.0-or-later                                                                | 1.20.1
Project Management            | OpenProject                  | GPL-3.0-only                                                                     | 17.5.1
Videoconferencing             | Jitsi                        | Apache-2.0                                                                       | 2.0.11031
Web Office                    | Collabora Online             | MPL-2.0                                                                          | 25.04.10