Release Notes 4.12.0
Overview
This document outlines the updates, improvements, and fixes introduced between versions 4.11.0 (released on Jul 28, 2025) and 4.12.0 (released on Aug 25, 2025) of the Excalibur v4 software.
New Features
Introducing Helm Charts
Excalibur can now be deployed and managed manually on Kubernetes clusters using Helm charts. With preconfigured container images and the Helm CLI, you can:
- Retrieve Helm charts from the version-controlled repository.
- Configure environment-specific values (values.yaml or CLI overrides).
- Deploy applications to development, staging, or production clusters using helm install.
- Verify deployment status and application functionality.
- Apply updates with helm upgrade or revert to a previous release using helm rollback.
This process ensures that deployments are consistent, traceable, and recoverable across environments. A detailed step-by-step guide is provided below and is also available in the Installation and implementation guide.
Prerequisites
- A running Kubernetes cluster (version 1.20 or newer recommended)
- Helm 3.x installed on your workstation
- Access to the Excalibur Helm repository and container registry
Installing Helm
If you do not have Helm installed, run:
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# Or use your package manager, e.g.:
sudo apt update && sudo apt install helm
Verify installation:
helm version
Add the Excalibur Helm Repository
helm repo add xclbr https://helm.xclbr.com
helm repo update
Download and Prepare the Configuration File
# Administrator credentials for accessing the Excalibur dashboard (Grafana)
admin:
  email: 'admin@xclbr.com' # Email address for the admin user
  userName: 'admin' # Username for the admin user
  password: '<strong-password>' # Password for the admin user (choose a strong password)
# Password used to encrypt backups of your data
backup:
  repository:
    password: '<strong-password>' # Encryption password for backup repository
# Database settings for Excalibur
# Set the root password and choose the type of database deployment
# By default, a 3-node cluster is used for high availability
# You can switch to a single database instance for simpler setups
# type: single # Uncomment to use a single database instance
# type: cluster # Default: 3-node Galera cluster
database:
  password: '<strong-password>' # Root password for the database
  # type: single # (Optional) Use 'single' for a single MariaDB instance
# Ingress (external access) settings for Excalibur
# This section controls how users access Excalibur from outside the cluster.
# If you use cert-manager for automatic HTTPS certificates, keep the annotations and TLS settings.
# If not, you can remove or adjust these sections.
ingress:
  annotations:
    cert-manager.io/acme-challenge-type: http01 # Use HTTP-01 challenge for Let's Encrypt
    cert-manager.io/cluster-issuer: letsencrypt-production # Use the production issuer for certificates
  className: 'nginx' # Ingress controller class (usually 'nginx')
  hostName: excalibur.xclbr.com # Public hostname for Excalibur
  tls:
    enabled: true # Enable HTTPS (recommended)
    letsEncryptEnabled: true # Use Let's Encrypt for certificates
# Enable integrity check for Google Play
# If enabled, paste your private key for Google Play integration
# Set to false if not required
integrity_check:
  enabled: true
  private_key: |
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
# Enable proxy URL for internet access
# Comment out or set to an empty string if not required
# internet_proxy: 'http://proxy.example.com:8080'
# GitHub Container Registry settings
# Used to pull Excalibur images from GitHub's registry
# Provide a Personal Access Token (PAT) with the correct permissions
registry:
  token: '<github-PAT>' # GitHub PAT for registry access
# ServiceAccount settings for Kubernetes
# Controls which account Excalibur uses to run in the cluster
# Set 'create' to true to create a new account, or false to use an existing one
serviceAccount:
  create: true # Create a new ServiceAccount (recommended)
  name: excalibur # Name of the ServiceAccount
# (Optional) Advanced pod scheduling settings
# Use these to control which nodes Excalibur runs on, or to tolerate special node conditions
# By default, these are not set. Uncomment and adjust if needed.
# spec:
#   affinity: {} # Node affinity rules
#   nodeSelector: {} # Node selection by label
#   tolerations: [] # Tolerations for taints
# Storage class settings for persistent data
# 'standardClass' is used for general files, 'databaseClass' for database storage (faster disks)
storageClasses:
  standardClass: standard # Default storage class for general files
  databaseClass: standard # Storage class for database (can be different for performance)
# (Optional) Persistent volume sizes for Excalibur data
# Uncomment and adjust the sizes as needed for your deployment
# volumes:
#   backup-repository: '10Gi' # Size for backup storage
#   certificates: '10Mi' # Size for certificate storage
#   dashboard-static-files: '100Mi' # Size for dashboard static files
#   database-data: '10Gi' # Size for database data
#   grafana-data: '100Mi' # Size for Grafana data
#   keystore: '10Mi' # Size for keystore
#   loki-data: '1Gi' # Size for Loki logs
#   pam-recordings: '5Gi' # Size for PAM recordings
#   prometheus-data: '1Gi' # Size for Prometheus data
#   shared-drive: '1Gi' # Size for shared drive
#   squid-spool: '100Mi' # Size for Squid cache
#   vitro-client-static-files: '1Gi' # Size for Vitro client static files
Copy the example configuration file and edit it to fit your environment:
cp example.values.yaml .values.yaml
# Edit .values.yaml with your preferred editor
- Set administrator credentials, database passwords, and other required values.
- Review all comments in .values.yaml for guidance on each setting.
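A pre-flight check for the edited values file, as an added example that is not part of the Excalibur chart or its documentation: it flags template placeholders left in place, an enabled integrity check with an empty key, disabled ingress TLS, and loose file permissions. The check_values helper name, the mode 600 policy and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the chart or the Helm CLI).
# Prints one "FINDING:" line per problem; returns 0 if clean, 1 otherwise.
check_values() {
    f=$1; n=0
    [ -r "$f" ] || { echo "FINDING: cannot read $f"; return 1; }
    # 1. Template placeholders ('<strong-password>', '<github-PAT>') on live lines
    if grep -v '^[[:space:]]*#' "$f" | grep -Eq "'<[^>]+>'"; then
        echo "FINDING: placeholder secret still present"; n=$((n + 1))
    fi
    # 2. integrity_check enabled but the PEM block holds no key material
    if awk '/^integrity_check:/ { s = 1; next }
            /^[^ #]/ { s = 0 }
            s && /enabled: *true/ { on = 1 }
            /BEGIN PRIVATE KEY/ { b = NR }
            /END PRIVATE KEY/ && b && NR == b + 1 { empty = 1 }
            END { exit !(on && empty) }' "$f"; then
        echo "FINDING: integrity_check enabled with an empty private_key"; n=$((n + 1))
    fi
    # 3. HTTPS switched off in the tls block under ingress
    if awk '/^ +tls:/ { t = 1; next }
            /^[^ ]/ { t = 0 }
            t && /^ +enabled: *false/ { bad = 1 }
            END { exit !bad }' "$f"; then
        echo "FINDING: ingress TLS is disabled"; n=$((n + 1))
    fi
    # 4. Assumed policy: the file holds secrets, so no group/other access (mode 600)
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "FINDING: $f is accessible to group or other"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}
# Constructed sample: an unedited template fragment, for demonstration only
sample=$(mktemp)
cat > "$sample" <<'EOF'
admin:
  password: '<strong-password>'
ingress:
  tls:
    enabled: false
integrity_check:
  enabled: true
  private_key: |
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
EOF
chmod 644 "$sample"
check_values "$sample" || echo "resolve the findings before helm install"
rm -f "$sample"
```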
Install the Excalibur Application
Install Excalibur into your Kubernetes cluster. In the example below, the application name installed in your cluster is excalibur-v4, but you can choose any other name, or have the name generated automatically using the --generate-name switch. The name of the repository (xclbr) and the name of the application (excalibur) are given. Replace <namespace> and <version> as needed:
helm install excalibur-v4 xclbr/excalibur -f .values.yaml --namespace <namespace> --create-namespace --version <version>
- <namespace>: The Kubernetes namespace to use (e.g., excalibur)
- <version>: The chart version to install (see available versions with helm search repo xclbr --versions)
Upgrade or Update Excalibur
To upgrade to a new version or update your configuration:
helm repo update
helm search repo xclbr/excalibur --versions
helm upgrade excalibur-v4 xclbr/excalibur -f .values.yaml --namespace <namespace> --version <new-version>
Uninstall Excalibur
To remove Excalibur from your cluster:
helm uninstall excalibur-v4 --namespace <namespace>
Troubleshooting & Support
- For configuration details, see the comments in example.values.yaml.
- For advanced options, see the chart documentation in charts/excalibur-v4/README.md.
- If you encounter issues, contact your support representative or the Excalibur DevOps team.
Tunnel Support for Identity Stores
Tunnel support for identity stores has been added with full configuration and monitoring capabilities:
- Configuration Options: Admins can enable or disable tunnelling per identity store, configure tunnel parameters (host, port, protocol), and optionally apply tunnelling to each host in multi-store setups.
- Supported Protocols: Secure tunnelling via SSH, VPN, or TLS-based proxies is supported.
- Authentication and Key Management: Admins can provide credentials or key pairs to securely authenticate tunnel connections.
- Connection Health Monitoring: Tunnelling connection status is logged, and alerts are generated for failures or timeouts.
- Security Compliance: All tunnelling uses encrypted channels and adheres to internal security policies and best practices.
Figure 1. Tunnel & Identity Store (IS View)
Figure 2. Tunnel & Identity Store (Tunnel View)
Support for tunnelID Field in PAM Imports
The PAM import process now supports the tunnelID field, allowing this information to be imported along with other PAM data for more complete and accurate configuration.
Figure 3. TunnelId option in PAM import
Quick Access to Error and Warning Logs
A new Logs menu item has been added to the profile menu, providing visibility into error and warning logs:
- Badge on the Logs menu item shows the number of current logs.
- Clicking the Logs menu item opens a drawer displaying only error and warning logs.
- Logs are stored in the browser with persistence, keeping them available even after page reloads.
- Users can filter the view to show only errors or only warnings.
- Each log entry includes copy and delete buttons.
- Logs older than 30 days are automatically cleared.
- A "Clear" button at the bottom allows manual removal of all logs.
Figure 4. Profile Logs Section
Figure 5. Log Details
Mobile Application
Offline Deletion Requests Now Automatically Queued
User deletions made while offline are now automatically stored and queued for later processing. The system detects when network connectivity is restored and safely completes the pending deletions, ensuring that actions taken offline are never lost.
Improved User Management in Mobile App
The mobile application now includes several enhancements for easier user management:
- Users can be copied to the clipboard for quick sharing.
- Users are now sorted by tenant for better organization.
- The user interface has been redesigned for a cleaner and more intuitive experience.
Figure 6. User Detail Screen
Usability Improvements
Geofence Radius Values Now Clearly Labeled with Units
Geofence radius values are now displayed with units (m) for better clarity on the Geofences page and in the related audit logs ('Geofence Audit Logs' and 'User Audit Logs').
Figure 7. Geofence Radius Units
Improved Table Readability with Tooltips for Long Content
Columns with content too long to fit in a row will now be shortened with “...”. The full content can be viewed by hovering over the value, which shows it in a tooltip. Tooltips appear only when content is cut off, keeping tables cleaner and easier to read.
Figure 8. Shortened Long Name
Improved Email Configuration
When creating email configurations:
- The first configuration is now automatically set as active.
- Additional configurations are not automatically activated if at least one existing configuration is already active.
- Each row now displays an icon for quick configuration recognition, with a tooltip appearing on hover for additional details.
This ensures that only the intended configuration remains active and prevents accidental activation of new email settings.
Figure 9. Email Configurations
New Tooltips for User Registration Status on Create Invitations Page
The Create Invitations page now includes a tooltip for the icon next to each user name, helping you quickly identify registration status:
- Green icon – "User is already registered"
- Grey icon – "User is not registered"
Figure 10. Invitation Registration Status Tooltips
Changed Default Sorting for Invitations and Users
The default sorting on key pages has been updated for better usability:
- New Invitations page: Users are now sorted by Name in ascending order by default.
- User page: Users are now sorted by Last Logged In in descending order by default.
Added Huawei AppGallery Download Option
A Download on Huawei AppGallery button is now displayed alongside the existing iOS and Google Play buttons, providing users with an additional platform to access the mobile application.
Figure 11. Huawei AppGallery Download Button