fix(helmfile): YAML handling of seLinuxOptions and align overall toYaml syntax

2025-12-08 16:28:36 +01:00 · 2024-03-08 10:39:16 +01:00
parent 6c8d5d5945
commit 655e27452c
53 changed files with 83 additions and 83 deletions
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -19,9 +19,9 @@ grafana:
  dashboards:
    enabled: {{ .Values.grafana.dashboards.enabled }}
    labels:
-      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
+      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
    annotations:
-      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
+      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}

 image:
  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -90,11 +90,11 @@ prometheus:
  servicemonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
-      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
  rules:
    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
    additionalLabels:
-      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
+      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}

 replicaCount: {{ .Values.replicas.collabora }}

@@ -126,7 +126,7 @@ securityContext:
      - "NET_RAW"
      - "SYS_CHROOT"
      - "MKNOD"
-  seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}
 serviceAccount:
  create: true
 ...
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -70,7 +70,7 @@ securityContext:
  runAsNonRoot: true
  runAsUser: 4001
  runAsGroup: 4001
-  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad | toYaml | nindent 4 }}

 serviceAccount:
  create: true
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -107,7 +107,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.element }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.element | toYaml | nindent 4 }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -14,7 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -14,7 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -35,6 +35,6 @@ securityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}

 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -35,7 +35,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}

 extraEnvVars:
  - name: "ACCESS_TOKEN"
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -18,7 +18,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -35,5 +35,5 @@ securityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -14,7 +14,7 @@ containerSecurityContext:
  runAsUser: 0
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}

 extraEnvVars:
  - name: "UVS_ACCESS_TOKEN"
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -14,7 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb | toYaml | nindent 4 }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -79,7 +79,7 @@ containerSecurityContext:
  runAsGroup: 10991
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -18,7 +18,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown | toYaml | nindent 4 }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -14,7 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -23,7 +23,7 @@ containerSecurityContext:
  runAsUser: 1993
  runAsGroup: 1993
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}

 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -75,7 +75,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
  prosody:
    image:
      repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -123,7 +123,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
@@ -145,7 +145,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
@@ -168,7 +168,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
@@ -206,7 +206,7 @@ patchJVB:
    runAsNonRoot: true
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -95,7 +95,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}

 debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -25,7 +25,7 @@ exporter:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter | toYaml | nindent 6 }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -35,11 +35,11 @@ exporter:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
-        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
+        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
+        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -78,7 +78,7 @@ php:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP | toYaml | nindent 6 }}
  cron:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
@@ -92,11 +92,11 @@ php:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
-        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
+        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
+        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
@@ -118,7 +118,7 @@ apache2:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 | toYaml | nindent 6 }}
  ingress:
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -66,7 +66,7 @@ containerSecurityContext:
  readOnlyRootFilesystem: true
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}

 podSecurityContext:
  enabled: true
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -40,7 +40,7 @@ nextcloud-integration-ui:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI | toYaml | nindent 6 }}

 public-sector-ui:
  image:
@@ -67,7 +67,7 @@ public-sector-ui:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI | toYaml | nindent 6 }}

 appsuite:
  appsuite-toolkit:
@@ -131,7 +131,7 @@ appsuite:
        privileged: false
        seccompProfile:
          type: "RuntimeDefault"
-        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
+        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
    hooks:
      beforeAppsuiteStart:
        create-guard-dir.sh: |
@@ -356,7 +356,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI | toYaml | nindent 8 }}

  core-ui-middleware:
    enabled: true
@@ -398,7 +398,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware | toYaml | nindent 8 }}
  core-cacheservice:
    enabled: false

@@ -428,7 +428,7 @@ appsuite:
          - "ALL"
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter | toYaml | nindent 8 }}

  core-documents-collaboration:
    enabled: false
@@ -470,7 +470,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours | toYaml | nindent 8 }}

  core-imageconverter:
    enabled: true
@@ -500,7 +500,7 @@ appsuite:
          - "ALL"
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter | toYaml | nindent 8 }}

  guard-ui:
    enabled: true
@@ -526,7 +526,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
  core-spellcheck:
    enabled: false

@@ -555,5 +555,5 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide | toYaml | nindent 8 }}
 ...
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -38,7 +38,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}

 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -20,7 +20,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}

 environment:
 # For more details and more options see
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -85,7 +85,7 @@ securityContext:
  runAsGroup: 0
  runAsNonRoot: false
  readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}

 serviceAccount:
  create: true
--- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -15,7 +15,7 @@ clamd:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.clamd }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.clamd | toYaml | nindent 6 }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
@@ -41,7 +41,7 @@ containerSecurityContext:
  capabilities:
    drop: []
  privileged: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.clamav | toYaml | nindent 4 }}

 freshclam:
  containerSecurityContext:
@@ -57,7 +57,7 @@ freshclam:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.freshclam | toYaml | nindent 6 }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
    repository: {{ .Values.images.freshclam.repository | quote }}
@@ -89,7 +89,7 @@ icap:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.icap }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.icap | toYaml | nindent 6 }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
@@ -117,7 +117,7 @@ milter:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.milter }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.milter | toYaml | nindent 6 }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
    repository: {{ .Values.images.milter.repository | quote }}
--- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -14,7 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple | toYaml | nindent 4 }}

 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -17,7 +17,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.mariadb | toYaml | nindent 4 }}

 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -16,7 +16,7 @@ containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.memcached }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.memcached | toYaml | nindent 4 }}

 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -29,7 +29,7 @@ containerSecurityContext:
  readOnlyRootFilesystem: false
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.minio }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.minio | toYaml | nindent 4 }}

 defaultBuckets: "openproject,openxchange,ums,nextcloud"

@@ -68,7 +68,7 @@ metrics:
  serviceMonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    additionalLabels:
-      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}

 networkPolicy:
  enabled: false
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -17,7 +17,7 @@ containerSecurityContext:
  runAsUser: 0
  runAsGroup: 0
  privileged: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.postfix }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}

 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -14,7 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.postgresql }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}

 job:

--- a/helmfile/apps/services/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services/values-redis.yaml.gotmpl
@@ -30,7 +30,7 @@ master:
    capabilities:
      drop:
        - "ALL"
-    seLinuxOptions: {{ .Values.seLinuxOptions.redis }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.redis | toYaml | nindent 6 }}
  count: {{ .Values.replicas.redis }}
  persistence:
    size: {{ .Values.persistence.size.redis | quote }}
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
@@ -55,6 +55,6 @@ securityContext:
  runAsGroup: 1000
  runAsNonRoot: true
  readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 4 }}

 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
@@ -73,6 +73,6 @@ securityContext:
  runAsGroup: 1000
  runAsNonRoot: true
  readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 4 }}

 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
@@ -46,6 +46,6 @@ securityContext:
  runAsGroup: 0
  runAsNonRoot: false
  readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 4 }}

 ...
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
@@ -27,7 +27,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 4 }}

 volumes:
  claims:
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
@@ -76,7 +76,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer | toYaml | nindent 4 }}

 service:
  type: "ClusterIP"
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
@@ -44,6 +44,6 @@ securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }}

 ...
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
@@ -46,6 +46,6 @@ securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent | toYaml | nindent 4 }}

 ...
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -597,7 +597,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}

 podAnnotations:
  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
@@ -112,5 +112,5 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
@@ -79,6 +79,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 4 }}

 ...
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -56,6 +56,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 4 }}

 ...
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
@@ -73,6 +73,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener | toYaml | nindent 4 }}

 ...
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
@@ -29,7 +29,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}

 stackDataContext:
  ldapBase: "dc=swp-ldap,dc=internal"
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
@@ -29,7 +29,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}

 stackDataContext:
  idpSamlMetadataUrlInternal: null
--- a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
@@ -53,7 +53,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav | toYaml | nindent 4 }}

 storeDav:
  auth:
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
@@ -53,7 +53,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 4 }}

 udmRestApi:
  # TODO: Stub value currently
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
@@ -58,6 +58,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 4 }}

 ...
--- a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
@@ -94,7 +94,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 4 }}

 umcServer:
  certPemFile: "/var/secrets/ssl/tls.crt"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
@@ -66,7 +66,7 @@ containerSecurityContext:
  runAsUser: 1000
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 4 }}

 podAnnotations:
  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
@@ -48,7 +48,7 @@ handler:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
  resources:
    {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
 postgresql:
@@ -103,7 +103,7 @@ proxy:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
  resources:
    {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -44,7 +44,7 @@ containerSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 4 }}

 podSecurityContext:
  fsGroup: 1000
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -45,7 +45,7 @@ containerSecurityContext:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway | toYaml | nindent 4 }}

 service:
  type: "ClusterIP"
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -36,7 +36,7 @@ containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.xwiki }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.xwiki | toYaml | nindent 4 }}

 customConfigs:
  xwiki.cfg: