fix(univention-management-stack): Update LDAP server for BSI base security compliance

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl

@@ -16,9 +16,6 @@ resources:
 
 securityContext:
   allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
   privileged: false
   seccompProfile:
     type: "RuntimeDefault"

helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl

@@ -23,70 +23,70 @@ extraVolumeMounts:
     mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
     subPath: "opendeskProjectmanagement.schema"
 
-image:
+extraSecrets:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
+  - name: ums-stack-openldap-credentials
-  repository: {{ .Values.images.umsLdapServer.repository | quote }}
+    stringData:
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+      adminPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  tag: {{ .Values.images.umsLdapServer.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
 
-  waitForDependency:
+waitForDependency:
+  image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
     repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 
 ldapServer:
-  caCert: "Cg=="
+  image:
-  certPem: "Cg=="
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
-  privateKey: "Cg=="
+    repository: {{ .Values.images.umsLdapServer.repository | quote }}
-  dhParam: "Cg=="
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  waitForSamlMetadata: true
+    tag: {{ .Values.images.umsLdapServer.tag | quote }}
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+    pullSecrets:
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
 
+  config:
+    domainName: "univention-organization.intranet"
+    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+    samlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
+    samlMetadataUrlInternal: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
+    samlServiceProviders: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
+  credentialSecret:
+    name: ums-stack-openldap-credentials
+    key: adminPassword
+      
 persistence:
-  sharedData:
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
+legacy:
-  sharedRun:
+  sharedRunSize: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsLdapServer | toYaml | nindent 4 }}
-
-service:
-  type: "ClusterIP"
 
 resources:
   {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
 
+initResources:
+  {{ .Values.resources.umsLdapServerInit | toYaml | nindent 2 }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 102
+  fsGroupChangePolicy: "Always"
+  sysctls:
+    - name: "net.ipv4.ip_unprivileged_port_start"
+      value: "1"
+
+containerSecurityContext:
+  enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  runAsUser: 101
+  runAsGroup: 102
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 ...

helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl

@@ -28,6 +28,7 @@ postgresql:
     username: {{ .Values.databases.umsNotificationsApi.username | quote }}
     database: {{ .Values.databases.umsNotificationsApi.name | quote }}
     password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+    existingSecret: "ums-notifications-api-postgresql-credentials"
 
 resources:
   {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
@@ -47,4 +48,8 @@ securityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }}
 
+extraSecrets:
+  - name: ums-notifications-api-postgresql-credentials
+    stringData:
+      password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
 ...

helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl

@@ -21,42 +21,43 @@ portalServer:
   ucsInternalPath: "portal-data"
   objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
   objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
-  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
   centralNavigation:
     enabled: true
     authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  credentialSecret:
+    name: "ums-portal-server-minio-credentials"
 
 replicaCount: {{ .Values.replicas.umsPortalServer }}
 
 resources:
   {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
 
-securityContext:
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+  sysctls:
+    - name: "net.ipv4.ip_unprivileged_port_start"
+      value: "1"
+
+containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:
     drop:
       - "ALL"
-    add:
+  enabled: true
-      - "CHOWN"
+  runAsUser: 1000
-      - "DAC_OVERRIDE"
+  runAsGroup: 1000
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
   seccompProfile:
     type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
-  runAsUser: 0
+  runAsNonRoot: true
-  runAsGroup: 0
+
-  runAsNonRoot: false
+
-  seLinuxOptions:
+extraSecrets:
-    {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 4 }}
+  - name: ums-portal-server-minio-credentials
+    stringData:
+      accessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
+      secretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
 
 ...

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl

@@ -49,6 +49,10 @@ stackDataContext:
   ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
   initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
   initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}
+  umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
+  umcPostgresqUsername: {{ .Values.databases.umsSelfservice.username | quote }}
+  umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
+  umcMemcachedUsername: "selfservice"
 
 stackDataUms:
   loadDevData: true

helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl

@@ -14,54 +14,51 @@ extraVolumeMounts:
     mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
     subPath: "flag_to_group_mapping.json"
 
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
-  repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
 resources:
   {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
 
+initResources:
+  {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 2 }}
+
 replicaCount: {{ .Values.replicas.umsUdmRestApi }}
 
-securityContext:
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+
+containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:
     drop:
       - "ALL"
-    add:
+  enabled: true
-      - "CHOWN"
+  runAsUser: 1000
-      - "DAC_OVERRIDE"
+  runAsGroup: 1000
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
   seccompProfile:
     type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
-  runAsUser: 0
+  runAsNonRoot: true
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 4 }}
 
 udmRestApi:
-  # TODO: Stub value currently
+  secretRef: ums-udm-rest-api-credentials
-  caCert: ""
+  ldap:
-  # TODO: Secret should be entered without b64enc
+    uri: "ldap://{{ .Values.ldap.host }}:389"      
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+    baseDN: {{ .Values.ldap.baseDn | quote }}
-  # TODO: Secret should be entered without b64enc
+  image:
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
+    repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
+
+extraSecrets:
+  - name: ums-udm-rest-api-credentials
+    stringData:
+      ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+      machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
 
 ...

helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl

@@ -53,7 +53,8 @@ memcached:
   bundled: false
   auth:
     username: null
-    password: null
+    # This is also used by the umc-server Helm chart to generate a secret. The secrets content is represented as an environment variable. If said variable is empty, the container fails to start due to an entrypoint script erroring on a nullish value for the environment variable SELF_SERVICE_MEMCACHED_SECRET.
+    password: "password"
   server: {{ .Values.cache.umsSelfservice.host | quote }}
 
 postgresql:
@@ -102,10 +103,8 @@ umcServer:
   caCert: "Cg=="
   certPem: "Cg=="
   privateKey: "Cg=="
-  # TODO: Secret should be entered without b64enc
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  # TODO: Secret should be entered without b64enc
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
   smtpSecret: {{ .Values.smtp.password | quote }}
   privateKeyFile: "/var/secrets/ssl/tls.key"
 

helmfile/environments/default/charts.yaml

@@ -450,7 +450,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ldap-notifier"
-    version: "0.8.2"
+    version: "0.10.0"
     verify: true
   umsLdapServer:
     # providerCategory: 'Supplier'
@@ -462,7 +462,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ldap-server"
-    version: "0.8.2"
+    version: "0.10.0"
     verify: true
   umsNotificationsApi:
     # providerCategory: 'Supplier'
@@ -474,7 +474,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "notifications-api"
-    version: "0.9.2"
+    version: "0.20.1"
     verify: true
   umsOpenPolicyAgent:
     # providerCategory: 'Supplier'
@@ -498,7 +498,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "portal-frontend"
-    version: "0.14.0"
+    version: "0.20.1"
     verify: true
   umsPortalListener:
     # providerCategory: 'Supplier'
@@ -510,7 +510,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "portal-listener"
-    version: "0.14.0"
+    version: "0.20.1"
     verify: true
   umsPortalServer:
     # providerCategory: 'Supplier'
@@ -522,7 +522,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "portal-server"
-    version: "0.14.0"
+    version: "0.20.1"
     verify: true
   umsProvisioning:
     # providerCategory: 'Supplier'
@@ -570,7 +570,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "stack-data-swp"
-    version: "0.44.0"
+    version: "0.45.1"
     verify: true
   umsStackDataUms:
     # providerCategory: 'Supplier'
@@ -582,7 +582,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "stack-data-ums"
-    version: "0.44.0"
+    version: "0.45.1"
     verify: true
   umsUdmRestApi:
     # providerCategory: 'Supplier'
@@ -594,7 +594,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "udm-rest-api"
-    version: "0.5.2"
+    version: "0.9.0"
     verify: true
   umsUmcGateway:
     # providerCategory: 'Supplier'
@@ -606,7 +606,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "umc-gateway"
-    version: "0.6.4"
+    version: "0.11.2"
     verify: true
   umsUmcServer:
     # providerCategory: 'Supplier'
@@ -618,7 +618,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "umc-server"
-    version: "0.6.4"
+    version: "0.11.2"
     verify: true
   xwiki:
     # providerCategory: 'Supplier'

helmfile/environments/default/images.yaml

@@ -566,7 +566,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '8', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.8.2@sha256:bb7d76fb5299e9d019aa61b5397af15063a5b341fcf2b74c65db679ca5fa873f"
+    tag: "0.10.0@sha256:c2532b7a0920f49c115a58f1660cb7af495ebbb0e2eac0bb5f6723c59633a019"
   umsLdapServer:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -576,7 +576,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '8', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.8.2@sha256:abcaec050875a8605befe13cce78f9f8eb28aa3c1764e281a8540b2a3db4a5da"
+    tag: "0.10.0@sha256:ee54a0c6bf2e1d24fa04e7487cbebdec0a344f5db8f9a706db2b982fd07bc720"
   umsNotificationsApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -586,7 +586,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.9.4@sha256:f058398d68c38039bb168af6d60d016f66fffde83a02f0b8f62124ebf2fed4d9"
+    tag: "0.20.1@sha256:c1176da0ecd3d964b7caaea0d9e583d7644c7a7dbdb08c0ecd85df88e0f27321"
   umsOpenPolicyAgent:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -606,7 +606,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.19.0@sha256:7c80f703faf720da159c405a140c1029fd8c12def61653737e2a772982012d5c"
+    tag: "0.20.1@sha256:fc7d1d7b22b83037ac6d54b2cc1baaefc78175cdc86557cfc121eda469832b59"
   umsPortalListener:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -616,7 +616,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.19.0@sha256:7fff6db5151b9aecffdfcd429b6eefb36a96ca14c5384183aa4246b5c0c8b133"
+    tag: "0.20.1@sha256:e93f256f736223edceaac50831cee062b4b8fee0a46f27175e6ea0c506620358"
   umsPortalServer:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -626,7 +626,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.19.0@sha256:9a19e3a0990fba1dd2cdb1fd96ab53dcfba23717291ca1b0c87d8ed19b4c2c46"
+    tag: "0.20.1@sha256:db5d79b64dc1b8678401d32a1a695b217d7677e7578738f0eec90467c7b5ae05"
   umsProvisioningDispatcher:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -704,7 +704,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '5', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.5.2@sha256:94c8294130f6a187bb850bcaeb314a09c5aa48ab97e3f419fbeb6ddbd39a3246"
+    tag: "0.9.0@sha256:f5589a1a885e9f96d98304148bac5a40dfd4350ee40205a29b8798b29ae0a7db"
   umsUmcGateway:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -714,7 +714,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '7', '3']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.9.0@sha256:e15b59b851b3cae2bdfde1a9de707bfbc64a124db98a8d9ac7965d7d3827519b"
+    tag: "0.11.2@sha256:13edaa88ded4b3389ef36d0215ad19ea093ae962f8de9b4b178550e02de06277"
   umsUmcServer:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -724,7 +724,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '7', '3']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.9.0@sha256:7ef0f6a3a3024120a4dae6f0bd44fc531c88ca0b5893465d0bdbd96b5a9c87ea"
+    tag: "0.11.2@sha256:866b8c3d2845653c68316458d7a24901b0493d2e2b83d50e0932adc42cda1706"
   umsWaitForDependency:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -734,7 +734,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.14.0@sha256:fda3f99be59614115997a55ad5887bf8f6482de4c8e168706aac3e42575b4915"
+    tag: "0.20.1@sha256:8b3d7195223de10ce6ac2649a363eed073dad9bb277c0d8d2d1c0f1613e0d5a7"
   wellKnown:
     # providerCategory: 'Community'
     # providerResponsible: 'Element'

helmfile/environments/default/resources.yaml

@@ -396,6 +396,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsLdapServerInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsNotificationsApi:
     limits:
       cpu: 99
@@ -501,6 +508,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsUdmRestApiInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsUmcGateway:
     limits:
       cpu: 99