Important Changes

This release contains breaking changes that require attention before updating.

JWT Authentication Migration

The Core UI service now handles JWT issuing, replacing Switchboard for this functionality. This affects multiple components:

  • Core UI: Takes over JWT issuing from Switchboard via new JWKS support
  • Switchboard: Token and JWKS endpoints are deprecated in favor of Core UI
  • AI Service 5.x: Now uses getJWT() from Core UI instead of Switchboard; Switchboard is no longer a dependency

Core UI Configuration

To enable JWT issuing in Core UI, configure the following Helm values:

jwt:
  enabled: true
  hostname: "your-appsuite-domain.example.com"
appsuite:
  api: "http://main-core-mw-http-api/<appRoot>/api"
  • jwt.hostname: The public hostname of your App Suite deployment
  • appsuite.api: Must point to the middleware HTTP API service (include appRoot if configured)
  • The appRoot setting is also respected. If your App Suite is deployed under a subpath, include it in your configuration.

Middleware Configuration

The middleware property com.openexchange.tokenlogin.applications must include core-ui as an additional application.

Custom VirtualService Route

If you are using a custom VirtualService, add a new route for the Core UI service:

- match:
  - uri:
      prefix: /<appRoot>/ui
  name: core-ui
  rewrite:
    uri: /ui  # only needed when appRoot is set
  route:
  - destination:
      host: main-core-ui.<namespace>.svc.cluster.local
      port:
        number: 80

Service Configuration

All services that consume JWTs must include the appRoot in their oidc.issuer configuration:

ComponentConfiguration
Core UIjwt.enabled: true, jwt.hostname, appsuite.api
AI Serviceoidc.issuer: "https://<hostname>/<appRoot>" (renamed from jwks.domain)
Switchboardoidc.issuer: "https://<hostname>/<appRoot>"

Multiple issuers can be comma-separated. Services automatically discover JWKS endpoints via OpenID Configuration and refresh keys periodically. Wildcard subdomain support is now available for OIDC issuers.

For detailed migration steps, see the migration guide.

Core UI Service Architecture Change

The Core UI has migrated from a static nginx-based container to a dynamic Node.js service. This enables new features like BIMI but requires resource adjustments:

  • Memory limits: The Node.js service requires more memory than the previous nginx container. Default is now 256Mi (for both request and limit).
  • Instance count: By default, the Helm chart starts two instances. For just serving static files, you can reduce to one instance.
  • BIMI feature: When enabled, requires a database to cache BIMI records and logos.

Pre-Information - Support for Ingress NGINX will cease at the end of March

As mentioned in the blog post, upstream support for Ingress NGINX will cease at the end of March, and the project will be retired. Please note, our support for Ingress NGINX in OX App Suite v8 will also be discontinued at the same time.