OpenDesk and Nubus for Kubernetes: Differences and Extensions
Summary
OpenDesk does not use a completely independent fork of Nubus for Kubernetes. Instead, it deploys the standard Nubus for Kubernetes umbrella chart provided by Univention and extends it through OpenDesk-specific configuration, additional components, and platform integrations.
The primary difference is therefore not the Nubus core itself, but the OpenDesk-specific integration profile. This includes IAM roles, groups, Keycloak configuration, portal content, application permissions, OIDC clients, provisioning integrations, and the Intercom Service.
At the time of this analysis, OpenDesk references the Nubus chart in version 1.20.1.
Basis of the Analysis
This analysis is based on the public OpenDesk deployment repository:
The following files and directories were particularly relevant:
- README.md
- docs/architecture.md
- docs/permissions.md
- helmfile/apps/nubus/helmfile-child.yaml.gotmpl
- helmfile/apps/nubus/values-nubus.yaml.gotmpl
- helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
- helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
- helmfile/environments/default/charts.yaml.gotmpl
- helmfile/environments/default/images.yaml.gotmpl
Nubus Chart Used
OpenDesk deploys Nubus as a Helmfile release.
- Release name: ums
- Chart: nubus
- Version: 1.20.1
- Repository: OpenDesk mirror of the official Univention artifacts hosted at registry.opencode.de
The standard Nubus for Kubernetes chart is therefore used without maintaining a separate fork. However, it is deployed with an extensive set of OpenDesk-specific values.
In addition to the Nubus release itself, OpenDesk installs two further releases within the Nubus deployment:
- intercom-service
- opendesk-keycloak-bootstrap
These two components are essential for the OpenDesk-specific integration layer.
Additional OpenDesk Components within the Nubus Environment
Intercom Service
The Intercom Service operates within the Nubus environment but plays a central role in OpenDesk integration. Among other capabilities, it provides:
- Silent Login between applications
- Token Exchange with Keycloak
- Central navigation for frontend applications
- Integration with OX App Suite
- Integration with Nextcloud, for example for File Picker scenarios
- Integration with XWiki, for example to provide Newsfeed content
- Integration with Element/Matrix
The Intercom Service acts as a Backend-for-Frontend (BFF) for scenarios in which a browser-based application must access APIs of other applications without implementing the complete authentication flow directly within the frontend.
OpenDesk Keycloak Bootstrap
OpenDesk provides its own Keycloak bootstrap chart, which creates and manages OpenDesk-specific Keycloak configuration, including:
- OIDC clients for OpenDesk applications
- Client scopes
- Access control roles
- Group-based client access restrictions
- Realm configuration
- LDAP federation settings
- Optional SSO federation
- Group configuration related to two-factor authentication (2FA)
Examples of OpenDesk-specific clients include:
- opendesk-nextcloud
- opendesk-openproject
- opendesk-xwiki
- opendesk-matrix
- opendesk-jitsi
- opendesk-oxappsuite
- opendesk-dovecot
- opendesk-notes
- opendesk-intercom
Nubus Extensions in OpenDesk
OpenDesk loads additional extensions into Nubus.
The following extensions are configured as system extensions:
- ox
- opendesk
- portal
Additionally, the following extension is deployed:
- opendesk-a2g-mapper
The corresponding container images are obtained from OpenDesk repositories or mirrored Univention repositories. Of particular importance is the opendesk-nubus image, which provides OpenDesk-specific UDM/LDAP objects, schema extensions, and portal configuration.
IAM Customizations
OpenDesk uses Nubus as its central Identity and Access Management (IAM) platform. However, the IAM environment is preconfigured specifically for OpenDesk.
Role Model
OpenDesk defines two primary roles:
- openDesk User
- openDesk Administrator
These roles are represented through groups and templates within the IAM configuration.
Global Groups
OpenDesk uses and extends several core groups, including:
- Domain Users
- Domain Admins
- 2FA Users
- IAM API - Full Access
The IAM API - Full Access group is granted access to the UDM REST API. In this configuration, the previous default assignment to Domain Admins is explicitly replaced.
Application Groups
To control access to OpenDesk applications, predefined groups are created following the naming convention managed-by-attribute-*.
Examples include:
- managed-by-attribute-Groupware
- managed-by-attribute-Fileshare
- managed-by-attribute-Projectmanagement
- managed-by-attribute-Knowledgemanagement
- managed-by-attribute-Livecollaboration
- managed-by-attribute-Videoconference
- managed-by-attribute-Notes
Additional groups exist for administrative permissions, for example:
- managed-by-attribute-FileshareAdmin
- managed-by-attribute-ProjectmanagementAdmin
- managed-by-attribute-KnowledgemanagementAdmin
Membership in these groups is generally not managed manually. Instead, it is derived automatically from OpenDesk-specific attributes stored on the user object. Manual modifications to automatically managed groups may therefore be overwritten.
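As an added example (not OpenDesk's or Univention's code, and not the opendesk-a2g-mapper itself), the following Python derives the managed-by-attribute-* groups a user should hold from flags on the user object and reports where the directory has drifted from that derivation, which is the kind of check an operator would run before relying on manual group edits that the automatic management will overwrite. The attribute names are hypothetical; OpenDesk's real attribute names are not given on this page.

```python
# Added example: derive managed-by-attribute-* membership from user attributes
# and detect drift between derived and actual membership.
# Attribute names below are hypothetical (constructed for this example).
from typing import Dict, Iterable, Set, Tuple

ATTRIBUTE_TO_GROUP = {
    "opendeskGroupwareEnabled": "managed-by-attribute-Groupware",
    "opendeskFileshareEnabled": "managed-by-attribute-Fileshare",
    "opendeskFileshareAdmin": "managed-by-attribute-FileshareAdmin",
    "opendeskProjectmanagementEnabled": "managed-by-attribute-Projectmanagement",
    "opendeskProjectmanagementAdmin": "managed-by-attribute-ProjectmanagementAdmin",
}
MANAGED_PREFIX = "managed-by-attribute-"


def _truthy(value: object) -> bool:
    # Boolean-like values from a directory usually arrive as strings.
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def derive_managed_groups(user_attrs: Dict[str, object]) -> Set[str]:
    """Groups the user should hold, derived purely from attribute flags."""
    return {group for attr, group in ATTRIBUTE_TO_GROUP.items()
            if _truthy(user_attrs.get(attr, False))}


def detect_drift(user_attrs: Dict[str, object],
                 actual_groups: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove) for the managed groups only.

    Groups without the managed prefix (e.g. Domain Users) are ignored, since
    only managed-by-attribute-* membership is derived automatically.
    """
    expected = derive_managed_groups(user_attrs)
    actual_managed = {g for g in actual_groups if g.startswith(MANAGED_PREFIX)}
    return expected - actual_managed, actual_managed - expected


if __name__ == "__main__":
    # Constructed sample: an admin group was added by hand, but no attribute backs it.
    user = {"opendeskGroupwareEnabled": "TRUE", "opendeskFileshareEnabled": "1"}
    held = ["Domain Users", "managed-by-attribute-Groupware",
            "managed-by-attribute-FileshareAdmin"]
    add, remove = detect_drift(user, held)
    print("add:", sorted(add))        # add: ['managed-by-attribute-Fileshare']
    print("remove:", sorted(remove))  # remove: ['managed-by-attribute-FileshareAdmin']
```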
Access Control through Keycloak
OpenDesk uses these groups not only to determine the visibility of portal tiles but also as part of its authorization model within Keycloak.
OpenDesk-specific client scopes and roles are created for individual applications. Claims are issued only if the user belongs to the required groups. Consequently, directly accessing an application URL is insufficient if the user does not possess the necessary permissions.
Typical OpenDesk-specific claims include:
- opendesk_username
- opendesk_useruuid
- Application-specific administrative claims, for example for OpenProject
UDM and UMC Customizations
OpenDesk modifies the Nubus administration environment in several ways.
Examples include:
- openDesk User configured as the default template for newly created users
- Mandatory user attributes such as first name and primary email address
- Modified username syntax
- Invitation workflow and Require password change at next login enabled by default
- OpenDesk-specific user attributes for application permissions
- Disabled or hidden UMC modules, such as Portal Management
- Customized Self-Service configuration
- Customized password complexity messages
These changes tailor Nubus more closely to the administration of OpenDesk users, groups, and application permissions.
Portal Customizations
Within OpenDesk, the Nubus Portal serves as a central integration point. Rather than operating as a standard portal, it is preconfigured with OpenDesk-specific content and functionality.
Portal Branding
OpenDesk provides its own portal assets and branding configuration, including:
- CSS
- Logos
- Favicons
- Background images
- Portal title
- Links to Legal Notice, Privacy Policy, Documentation, Support, and Feedback
Portal Tiles
OpenDesk creates portal tiles for the integrated applications. The visibility of these tiles is controlled through group membership.
Typical target applications include:
- OX App Suite
- Nextcloud
- OpenProject
- XWiki
- Element
- Jitsi
- Notes
Central Navigation
OpenDesk uses the central navigation provided by the Nubus Portal through the endpoint:
/univention/portal/navigation.json
Applications use this endpoint to present a consistent OpenDesk navigation experience. Depending on the integration scenario, applications can either access the endpoint directly or retrieve the navigation through the Intercom Service.
Access to the endpoint requires a shared secret and the username of the user for whom the navigation should be generated.
Newsfeed
OpenDesk integrates a Newsfeed into the portal. The content originates from a predefined XWiki blog. Access is provided through the Intercom Service using Silent Login mechanisms.
Provisioning and Application Integration
OpenDesk uses the Nubus provisioning framework, which consists of components including:
- LDAP Notifier
- UDM Listener
- UDM Transformer
- Provisioning Dispatcher
- Provisioning API
- NATS JetStream
Within the OpenDesk ecosystem, the integration with OX App Suite is particularly significant. OX App Suite is actively provisioned through the OX Connector.
Other applications typically retrieve identity and group information directly from LDAP or consume authentication and authorization information via Keycloak/OIDC.
Keycloak Extensions
The Nubus Keycloak Extensions are enabled in OpenDesk and are used for features including:
- Brute-force protection during authentication
- Notifications when a user signs in from a new device
According to the OpenDesk documentation, the CAPTCHA functionality of the Keycloak Extensions is disabled.
External and OpenDesk-Provided Services
OpenDesk disables several services that can be deployed with Nubus or replaces them with centrally managed platform services.
Examples include:
- PostgreSQL is provided centrally by OpenDesk.
- Object storage is integrated through OpenDesk components such as SeaweedFS or MinIO.
- Shared Redis and Memcached instances are configured centrally across the platform.
- SMTP/Postfix is integrated using OpenDesk-specific infrastructure.
This architecture allows Nubus to integrate seamlessly into the overall OpenDesk platform instead of operating all dependencies exclusively within the Nubus deployment.
Disabled or Unused Nubus Components
Several Nubus components are disabled or not actively used in the analyzed OpenDesk configuration.
Examples include:
- nubusGuardian is disabled.
- nubusTwofaHelpdesk is disabled.
- nubusNotificationsApi is disabled.
The UDM REST API can optionally be exposed externally. This behavior is controlled through OpenDesk feature flags.
Comparison: Standard Nubus for Kubernetes vs. OpenDesk Deployment
| Area | Standard Nubus for Kubernetes | OpenDesk Deployment |
|---|---|---|
| Chart | Nubus umbrella chart | Standard Nubus chart with OpenDesk-specific configuration |
| IAM | Generic IAM based on LDAP, UDM/UMC, and Keycloak | OpenDesk-specific roles, groups, templates, and user attributes |
| Keycloak | Standard Nubus configuration | Additional OpenDesk clients, scopes, claims, and access restrictions |
| Portal | Standard Nubus Portal | OpenDesk branding, portal tiles, central navigation, and Newsfeed |
| Provisioning | Nubus provisioning framework | Additional OX App Suite integration and OpenDesk-specific consumers |
| Extensions | Deployment-specific Nubus extensions | ox, opendesk, portal, opendesk-a2g-mapper |
| Intercom Service | Part of the Nubus architecture | Deployed separately and extensively used for OpenDesk application integration |
| Administration | Generic Nubus/UMC administration | Customized for OpenDesk administration |
| External Services | Bundled or external depending on deployment | Integrated into the centrally managed OpenDesk platform architecture |
Conclusion
OpenDesk uses Nubus for Kubernetes as the foundation for its Identity and Access Management (IAM) and portal services. The Nubus core remains unchanged and continues to provide components such as Keycloak, OpenLDAP, UDM/UMC, the Portal, Self-Service, and the provisioning framework.
The primary differences compared to a standard Nubus for Kubernetes deployment arise from the OpenDesk-specific integration layer. This includes, in particular:
- Additional Nubus extensions
- A dedicated OpenDesk Keycloak bootstrap
- OpenDesk-specific roles, groups, and user attributes
- Portal branding and application tiles
- Central navigation services
- The Intercom Service for Silent Login and cross-application integration
- Integration with applications such as OX App Suite, Nextcloud, OpenProject, XWiki, Element, and Jitsi
- Platform-wide use of shared databases, caches, object storage, and mail services
OpenDesk should therefore be understood as an integrated collaboration platform built on top of Nubus for Kubernetes rather than as either an unmodified standard Nubus deployment or a completely independent Nubus fork.
Functional Components
The component versions used in the various deployments are listed in the README.md file.
The following applications are currently part of the OpenDesk platform.
| Function | Component | License | Version |
|---|---|---|---|
| Chat & Collaboration | Element with Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse), Apache-2.0 (Nordeck widgets) | 1.12.6 |
| Collaborative Notes | Notes (Docs) | MIT | 4.4.0 |
| Diagram Editor | CryptPad with diagrams.net | AGPL-3.0-only | 2025.9.0 |
| File Management | Nextcloud | AGPL-3.0-or-later | 32.0.9 |
| Groupware | OX App Suite | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend) | 8.49 |
| Knowledge Management | XWiki | LGPL-2.1-or-later | 17.10.9 |
| Portal & Identity Management | Nubus | AGPL-3.0-or-later | 1.20.1 |
| Project Management | OpenProject | GPL-3.0-only | 17.5.1 |
| Videoconferencing | Jitsi | Apache-2.0 | 2.0.11031 |
| Web Office | Collabora Online | MPL-2.0 | 25.04.10 |