feat(helmfile): Add template support for annotations

2025-12-08 00:11:38 +01:00 · 2024-11-26 13:24:14 +01:00
parent cf750a8ddb
commit 9cde57d74b
47 changed files with 1603 additions and 58 deletions
--- a/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl
+++ b/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl
@@ -33,6 +33,8 @@ imagePullSecrets:
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  annotations:
    {{ .Values.annotations.coco.ingress | toYaml | nindent 4 }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
@@ -44,7 +46,8 @@ ingress:
      hosts:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.coco.pod | toYaml | nindent 2 }}
 securityContext:
  allowPrivilegeEscalation: false
@@ -65,4 +68,7 @@ replicaCount: {{ .Values.replicas.collaboraController }}
 resources:
  {{ .Values.resources.collaboraController | toYaml | nindent 2 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.coco.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -65,6 +65,35 @@ ingress:
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
    # NGINX
    nginx.org/websocket-services: "collabora"
    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}"
    nginx.org/server-snippets: |
      # block admin and metrics endpoint from outside by default
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
    # HAProxy
    haproxy.org/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
    haproxy.org/backend-config-snippet: |
       balance url_param WOPISrc check_post
       hash-type consistent
    # HAProxy - Community: https://haproxy-ingress.github.io/
    haproxy-ingress.github.io/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
    haproxy-ingress.github.io/config-backend: |
      hash-type consistent
      # block admin urls from outside
      acl admin_url path_beg /cool/getMetrics
      acl admin_url path_beg /cool/adminws/
      acl admin_url path_beg /browser/dist/admin/admin.html
      http-request deny if admin_url
   {{- with .Values.annotations.collabora.ingress }}
   {{ . | toYaml | nindent 4 }}
   {{- end }}
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
@@ -77,7 +106,8 @@ ingress:
      hosts:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.collabora.pod | toYaml | nindent 2 }}
 podSecurityContext:
  fsGroup: 1001
@@ -116,6 +146,13 @@ securityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}
 serviceAccount:
  create: true
  annotations:
    {{ .Values.annotations.collabora.serviceAccount | toYaml | nindent 4 }}
 service:
  annotations:
    {{ .Values.annotations.collabora.service | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -39,6 +39,9 @@ ingress:
  enabled: {{ .Values.ingress.enabled }}
  annotations:
    nginx.org/websocket-services: "cryptpad"
   {{- with .Values.annotations.cryptpad.ingress }}
   {{ . | toYaml | nindent 4 }}
   {{- end }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
@@ -53,7 +56,8 @@ ingress:
 persistence:
  enabled: false
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.cryptpad.pod | toYaml | nindent 2 }}
 podSecurityContext:
  fsGroup: 4001
@@ -80,6 +84,8 @@ securityContext:
 serviceAccount:
  create: true
  annotations:
    {{ .Values.annotations.cryptpad.serviceAccount | toYaml | nindent 4 }}
 workloadStateful: false
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 commonAnnotations:
  {{ .Values.annotations.element.common | toYaml | nindent 2 }}
 configuration:
  endToEndEncryption: true
  additionalConfiguration:
@@ -136,8 +139,11 @@ ingress:
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.element.ingress | toYaml | nindent 4 }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.element.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -148,6 +154,14 @@ replicaCount: {{ .Values.replicas.element }}
 resources:
  {{ .Values.resources.element | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.element.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.element.serviceAccount | toYaml | nindent 4 }}
 theme:
  title: "Chat - {{ .Values.theme.texts.productName }}"
  {{ .Values.theme | toYaml | nindent 2 }}
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  {{ .Values.annotations.elementMatrixNeoboardWidget.additional | toYaml | nindent 2 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -39,8 +42,11 @@ ingress:
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.elementMatrixNeoboardWidget.ingress | toYaml | nindent 4 }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.elementMatrixNeoboardWidget.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -51,6 +57,14 @@ replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
 resources:
  {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.elementMatrixNeoboardWidget.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.elementMatrixNeoboardWidget.serviceAccount | toYaml | nindent 4 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  {{ .Values.annotations.elementMatrixNeochoiceWidget.additional | toYaml | nindent 2 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -39,8 +42,11 @@ ingress:
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.elementMatrixNeochoiceWidget.ingress | toYaml | nindent 4 }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.elementMatrixNeochoiceWidget.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -48,6 +54,14 @@ podSecurityContext:
 replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
 service:
  annotations:
    {{ .Values.annotations.elementMatrixNeochoiceWidget.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.elementMatrixNeochoiceWidget.serviceAccount | toYaml | nindent 4 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -26,7 +26,8 @@ image:
 fullnameOverride: "matrix-neodatefix-bot-bootstrap"
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.elementMatrixNeodatefixBotBootstrap.pod | toYaml | nindent 2 }}
 securityContext:
  allowPrivilegeEscalation: false
@@ -43,4 +44,7 @@ securityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 podAnnotations:
  {{ .Values.annotations.elementMatrixNeodatefixBotBootstrap.serviceAccount | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  {{ .Values.annotations.elementMatrixNeodatefixBot.additional | toYaml | nindent 2 }}
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -76,6 +79,8 @@ ingress:
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.elementMatrixNeodatefixBot.ingress | toYaml | nindent 4 }}
 liveness sample:
  enabled: true
@@ -83,8 +88,11 @@ liveness sample:
 persistence:
  size: {{ .Values.persistence.storages.matrixNeoDateFixBot.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.matrixNeoDateFixBot.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  annotations:
    {{ .Values.annotations.elementMatrixNeodatefixBot.persistence | toYaml | nindent 4 }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.elementMatrixNeodatefixBot.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -98,4 +106,12 @@ replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
 resources:
  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.elementMatrixNeodatefixBot.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.elementMatrixNeodatefixBot.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  {{ .Values.annotations.elementMatrixNeodatefixWidget.additional | toYaml | nindent 2 }}
 configuration:
  bot:
    username: "meetings-bot"
@@ -44,8 +47,11 @@ ingress:
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.elementMatrixNeodatefixWidget.ingress | toYaml | nindent 4 }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.elementMatrixNeodatefixWidget.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -59,6 +65,14 @@ resources:
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.elementMatrixNeodatefixWidget.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.elementMatrixNeodatefixWidget.serviceAccount | toYaml | nindent 4 }}
 nginx:
  ipv4Only: {{ if eq .Values.cluster.networking.ipFamilies "IPv4" }}true{{ else }}false{{ end }}
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -26,7 +26,8 @@ image:
 fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.elementMatrixUserVerificationServiceBootstrap.pod | toYaml | nindent 2 }}
 securityContext:
  allowPrivilegeEscalation: false
@@ -42,4 +43,10 @@ securityContext:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.elementMatrixUserVerificationServiceBootstrap.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  {{ .Values.annotations.elementMatrixUserVerificationService.additional | toYaml | nindent 2 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -42,7 +45,8 @@ image:
  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.elementMatrixUserVerificationService.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -53,4 +57,12 @@ replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
 resources:
  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.elementMatrixUserVerificationService.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.elementMatrixUserVerificationService.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 commonAnnotations:
  {{ .Values.annotations.elementSynapseWeb.common | toYaml | nindent 2 }}
 clusterDomain: {{ .Values.cluster.networking.domain }}
 containerSecurityContext:
@@ -44,6 +47,9 @@ ingress:
    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.element }}"
    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.element }}s"
    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.element }}s"
    {{- with .Values.annotations.elementSynapseWeb.ingress }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
@@ -51,7 +57,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.elementSynapseWeb.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -62,4 +69,12 @@ replicaCount: {{ .Values.replicas.synapseWeb }}
 resources:
  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.elementSynapseWeb.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.elementSynapseWeb.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 commonAnnotations:
  {{ .Values.annotations.elementSynapse.common | toYaml | nindent 2 }}
 configuration:
  additionalConfiguration:
    user_directory:
@@ -217,6 +220,8 @@ federation:
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
    annotations:
      {{ .Values.annotations.elementSynapse.federationIngress | toYaml | nindent 6 }}
 global:
  domain: {{ .Values.global.domain | quote }}
@@ -234,8 +239,11 @@ image:
 persistence:
  size: {{ .Values.persistence.storages.synapse.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.synapse.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  annotations:
    {{ .Values.annotations.elementSynapse.persistence | toYaml | nindent 4 }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.elementSynapse.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -250,6 +258,14 @@ replicaCount: {{ .Values.replicas.synapse }}
 resources:
  {{ .Values.resources.synapse | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.elementSynapse.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.elementSynapse.serviceAccount | toYaml | nindent 4 }}
 tls:
  secretName: {{ if .Values.global.matrixDomain }}"opendesk-certificates-synapse-tls"{{ else }}"opendesk-certificates-tls"{{ end }}
 ...
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 commonAnnotations:
  {{ .Values.annotations.elementWellKnown.common | toYaml | nindent 2 }}
 configuration:
  e2ee:
    forceDisable: false
@@ -44,8 +47,11 @@ ingress:
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.elementWellKnown.ingress | toYaml | nindent 4 }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.elementWellKnown.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -56,4 +62,11 @@ replicaCount: {{ .Values.replicas.wellKnown }}
 resources:
  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.elementWellKnown.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.elementWellKnown.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -10,7 +10,8 @@ global:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  podAnnotations: {}
+  podAnnotations:
    {{ .Values.annotations.jitsiGlobal.pod | toYaml | nindent 4}}
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -77,6 +78,10 @@ jitsi:
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    ingress:
      enabled: {{ .Values.ingress.enabled }}
      annotations:
        {{- with .Values.annotations.jitsiWeb.ingress }}
        {{ . | toYaml | nindent 8 }}
        {{- end }}
      ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
      hosts:
        - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
@@ -104,6 +109,8 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
    podAnnotations:
      {{ .Values.annotations.jitsiWeb.pod | toYaml | nindent 6 }}
  prosody:
    image:
      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -153,6 +160,8 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
    podAnnotations:
      {{ .Values.annotations.jitsiProsody.pod | toYaml | nindent 6 }}
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
@@ -176,6 +185,8 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
    podAnnotations:
      {{ .Values.annotations.jitsiJicofo.pod | toYaml | nindent 6 }}
  jigasi:
    replicaCount: {{ .Values.replicas.jigasi }}
    enabled: {{ .Values.sip.jigasi.enabled }}
@@ -205,6 +216,8 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jigasi | toYaml | nindent 8 }}
    podAnnotations:
      {{ .Values.annotations.jitsiJigasi.pod | toYaml | nindent 6 }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    # The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since
@@ -221,6 +234,8 @@ jitsi:
      {{ .Values.resources.jvb | toYaml | nindent 6 }}
    service:
      type: {{ coalesce .Values.service.type.jitsiVideoBridge .Values.cluster.service.type | quote }}
      annotations:
        {{ .Values.annotations.jitsiJvb.service | toYaml | nindent 8 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
@@ -233,6 +248,14 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
    podAnnotations:
      {{ .Values.annotations.jitsiJvb.pod | toYaml | nindent 6 }}
    metrics:
      prometheusAnnotations:
        {{ .Values.annotations.jitsiJvb.metricsPrometheus | toYaml | nindent 8 }}
      grafanaDashboards:
        annotations:
          {{ .Values.annotations.jitsiJvb.metricsGrafana | toYaml | nindent 10 }}
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
@@ -249,10 +272,16 @@ jitsi:
      # Chart does not allow to template more
      capabilities:
        add: ["SYS_ADMIN"]
    podAnnotations:
      {{ .Values.annotations.jitsiJibri.pod | toYaml | nindent 6 }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.jitsi.serviceAccount | toYaml | nindent 6 }}
 patchJVB:
  configuration:
@@ -279,10 +308,15 @@ patchJVB:
    repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
    tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.jitsi.pod | toYaml | nindent 2 }}
 replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
 resources:
  {{ .Values.resources.jitsiKeycloakAdapter | toYaml | nindent 2 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.jitsi.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -12,7 +12,10 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 additionalAnnotations:
-  intents.otterize.com/service-name: "opendesk-nextcloud-management"
+  intents.otterize.com/service-name: "opendesk-nextcloud-php"
  {{- with .Values.annotations.nextcloudNextcloudMgmt.additional }}
  {{ . | toYaml | nindent 2}}
  {{- end }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
@@ -184,8 +187,6 @@ containerSecurityContext:
  runAsNonRoot: true
  seLinuxOptions:
    {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
 podSecurityContext:
  fsGroup: 101
 debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
@@ -214,10 +215,20 @@ image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.nextcloud.tag | quote }}
-theme:
+podAnnotations:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  {{ .Values.annotations.nextcloudNextcloudMgmt.pod | toYaml | nindent 2 }}
 podSecurityContext:
  fsGroup: 101
 resources:
  {{ .Values.resources.nextcloud | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.nextcloudNextcloudMgmt.serviceAccount | toYaml | nindent 4 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -9,6 +9,13 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 exporter:
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-exporter"
    {{- with .Values.annotations.nextcloudExporter.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  enabled: true
  configuration:
    server: "http://opendesk-nextcloud-aio"
@@ -34,7 +41,8 @@ exporter:
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
-  podAnnotations: {}
+  podAnnotations:
    {{ .Values.annotations.nextcloudExporter.pod | toYaml | nindent 4 }}
  prometheus:
    serviceMonitor:
      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
@@ -48,9 +56,17 @@ exporter:
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nextcloudExporter.serviceAccount | toYaml | nindent 6 }}
 aio:
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-aio"
    {{- with .Values.annotations.nextcloudAio.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  configuration:
    cache:
      auth:
@@ -139,11 +155,15 @@ aio:
      nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.nextcloud }}"
      nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.nextcloud }}s"
      nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.nextcloud }}s"
      {{- with .Values.annotations.nextcloudAio.ingress }}
        {{ . | toYaml | nindent 6 }}
      {{- end }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
    host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
    tls:
      secretName: {{ .Values.ingress.tls.secretName | quote }}
-  podAnnotations: {}
+  podAnnotations:
    {{ .Values.annotations.nextcloudAio.pod | toYaml | nindent 4 }}
  podSecurityContext:
    fsGroup: 101
  prometheus:
@@ -159,4 +179,12 @@ aio:
  resources:
    {{ .Values.resources.nextcloud | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.nextcloudAio.service | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nextcloudAio.serviceAccount | toYaml | nindent 6 }}
 ...
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -33,6 +33,9 @@ ingressCollaborationWS:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
    nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
    {{- with .Values.annotations.notes.ingressCollaborationWS }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
 ingressAdmin:
  enabled: {{ .Values.ingress.enabled }}
@@ -41,6 +44,8 @@ ingressAdmin:
  tls:
    enabled: "{{ .Values.ingress.tls.enabled }}"
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.notes.ingressAdmin | toYaml | nindent 4 }}
 ingressMedia:
  enabled: {{ .Values.ingress.enabled }}
@@ -54,6 +59,9 @@ ingressMedia:
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /{{ .Values.objectstores.notes.bucket }}/$1
    nginx.ingress.kubernetes.io/session-cookie-path: /media
    {{- with .Values.annotations.notes.ingressMedia }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  tls:
    enabled: "{{ .Values.ingress.tls.enabled }}"
    secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -66,11 +74,14 @@ ingressCollaborationApi:
  tls:
    enabled: "{{ .Values.ingress.tls.enabled }}"
    secretName: {{ .Values.ingress.tls.secretName | quote }}
-
+  annotations:
    {{ .Values.annotations.notes.ingressCollaborationAPI | toYaml | nindent 4 }}
 serviceMedia:
  host: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  port: {{ .Values.objectstores.notes.port | default 443 }}
  annotations:
    {{ .Values.annotations.notes.serviceMedia | toYaml | nindent 4 }}
 frontend:
  image:
@@ -103,6 +114,13 @@ frontend:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
  podAnnotations:
    {{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
 yProvider:
  image:
    repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry) (.Values.images.notesYProvider.repository) | quote }}
@@ -131,6 +149,13 @@ yProvider:
    COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
    Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
  podAnnotations:
    {{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.notesYProvider.service | toYaml | nindent 6 }}
 oidc:
  clientId: "opendesk-notes"
  clientSecret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
@@ -215,6 +240,9 @@ backend:
        python manage.py migrate --no-input
    restartPolicy: Never
  migrateJobAnnotations:
    {{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
  createsuperuser:
    command:
      - "/bin/sh"
@@ -223,6 +251,9 @@ backend:
        python manage.py createsuperuser --email default.admin@{{ .Values.global.domain }} --password {{ .Values.secrets.notes.superuser }}
    restartPolicy: Never
  podAnnotations:
    {{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
  resources:
    {{ .Values.resources.notesBackend | toYaml | nindent 4 }}
  securityContext:
@@ -239,4 +270,9 @@ backend:
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
  service:
    annotations:
      {{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
 ...
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  {{ .Values.annotations.nubusIntercomService.additional | toYaml | nindent 2 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -99,8 +102,11 @@ ingress:
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.nubusIntercomService.ingress | toYaml | nindent 4 }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.nubusIntercomService.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -150,4 +156,11 @@ replicaCount: {{ .Values.replicas.intercomService }}
 resources:
  {{ .Values.resources.intercomService | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.nubusIntercomService.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.nubusIntercomService.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
@@ -7,6 +7,9 @@ global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 additionalAnnotations:
  {{ .Values.annotations.nubusNginxS3Gateway.additional | toYaml | nindent 2 }}
 image:
  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nginxS3Gateway.registry | quote }}
  repository: {{ .Values.images.nginxS3Gateway.repository | quote }}
@@ -20,6 +23,10 @@ ingress:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: "/portal-assets/icons/$2/$3"
    nginx.ingress.kubernetes.io/use-regex: "true"
    {{- with .Values.annotations.nubusNginxS3Gateway.ingress }}
    {{. | toYaml | nindent 4 }}
    {{- end }}
  path: "/univention/(portal|selfservice)/icons/(logos|entries)/(.*)$"
  tls:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -36,8 +43,20 @@ configuration:
    secretKey:
      value: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
 podAnnotations:
  {{ .Values.annotations.nubusNginxS3Gateway.pod | toYaml | nindent 2 }}
 resources:
  {{ .Values.resources.nginxS3Gateway | toYaml | nindent 2 }}
 replicaCount: {{ .Values.replicas.nginxS3Gateway }}
 service:
  annotations:
    {{ .Values.annotations.nubusNginxS3Gateway.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.nubusNginxS3Gateway.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -3,6 +3,9 @@ SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlic
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  {{ .Values.annotations.nubus.additional | toYaml | nindent 2 }}
 global:
  certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
  domain: {{ .Values.global.domain | quote }}
@@ -119,6 +122,22 @@ global:
            groups: __DELETE_KEY__
 ingress:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "128k"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "128k"
    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
    nginx.ingress.kubernetes.io/proxy-set-headers: |
      Host $http_host;
      X-Forwarded-For $proxy_add_x_forwarded_for;
      X-Forwarded-Host $http_x_forwarded_host;
      X-Forwarded-Port $http_x_forwarded_port;
      X-Forwarded-Proto $http_x_forwarded_proto;
    nginx.ingress.kubernetes.io/use-regex: "true"
    {{- with .Values.annotations.nubus.ingress }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  # temporary fix
  {{- if not .Values.apps.minio.enabled }}
  enabled: false
@@ -160,6 +179,8 @@ keycloak:
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
  commonAnnotations:
    {{ .Values.annotations.nubusKeycloak.common | toYaml | nindent 4 }}
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
    repository: {{ .Values.images.nubusKeycloak.repository }}
@@ -178,6 +199,9 @@ keycloak:
          adminPassword: "admin_password"
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak"
    {{- with .Values.annotations.nubusKeycloak.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  postgresql:
    connection:
      host: {{ .Values.databases.keycloak.host | quote }}
@@ -192,6 +216,12 @@ keycloak:
  replicaCount: {{ .Values.replicas.keycloak }}
  resources:
    {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.nubusKeycloak.service | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusKeycloak.serviceAccount | toYaml | nindent 6 }}
  {{- if .Values.certificate.selfSigned }}
  extraVolumes:
    - name: "trusted-cert-crt-secret-volume"
@@ -233,6 +263,9 @@ nubusGuardian:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-authorization-api"
      {{- with .Values.annotations.nubusGuardian.authorizationApiPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
@@ -253,12 +286,67 @@ nubusGuardian:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
  global:
    podAnnotations:
      {{ .Values.annotations.nubusGuardian.globalPod | toYaml | nindent 6 }}
  ingress:
    annotations:
      {{ .Values.annotations.nubusGuardian.ingressIngress | toYaml | nindent 6 }}
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
    items:
      - name: management-ui
        host: ""
        # -- Define the Ingress paths.
        paths:
          - path: /univention/guardian/management-ui
            pathType: Prefix
            backend:
              service:
                name: guardian-management-ui
                port:
                  number: 80
        ingressClassName: ""
        annotations:
          {{ .Values.annotations.nubusGuardian.ingressManagementUi | toYaml | nindent 10 }}
        tls:
          # enabled: true
          secretName: ""
      - name: management-api
        host: ""
        paths:
          - path: /guardian/management
            pathType: Prefix
            backend:
              service:
                name: guardian-management-api
                port:
                  number: 80
        ingressClassName: ""
        annotations:
          {{ .Values.annotations.nubusGuardian.ingressManagementApi | toYaml | nindent 10 }}
        tls:
          # enabled: true
          secretName: ""
      - name: authorization-api
        host: ""
        paths:
          - path: /guardian/authorization
            pathType: Prefix
            backend:
              service:
                name: guardian-authorization-api
                port:
                  number: 80
        ingressClassName: ""
        annotations:
          {{ .Values.annotations.nubusGuardian.ingressAuthorizationApi | toYaml | nindent 10 }}
        tls:
          # enabled: true
          secretName: ""
  managementApi:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
@@ -269,6 +357,9 @@ nubusGuardian:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-api"
      {{- with .Values.annotations.nubusGuardian.managementApiPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
@@ -299,6 +390,9 @@ nubusGuardian:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-ui"
      {{- with .Values.annotations.nubusGuardian.managementUiPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
    resources:
      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
@@ -378,11 +472,17 @@ nubusGuardian:
      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusGuardian.serviceAccount | toYaml | nindent 6 }}
 nubusNotificationsApi:
  enabled: false
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-notifications-api"
    {{- with .Values.annotations.nubusNotificationsApi.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -405,11 +505,22 @@ nubusNotificationsApi:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
      nginx.ingress.kubernetes.io/use-regex: "true"
      {{- with .Values.annotations.nubusNotificationsApi.ingress }}
      {{. | toYaml | nindent 6 }}
      {{- end }}
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  persistence:
    annotations:
      {{ .Values.annotations.nubusNotificationsApi.persistence | toYaml | nindent 6 }}
  podAnnotations:
    {{ .Values.annotations.nubusNotificationsApi.pod | toYaml | nindent 4 }}
  postgresql:
    connection:
      host: {{ .Values.databases.umsNotificationsApi.host | quote }}
@@ -419,7 +530,12 @@ nubusNotificationsApi:
      database: {{ .Values.databases.umsNotificationsApi.name | quote }}
      existingSecret:
        name: "ums-notifications-api-postgresql-opendesk-credentials"
  service:
    annotations:
      {{ .Values.annotations.nubusNotificationsApi.service | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusNotificationsApi.serviceAccount | toYaml | nindent 6 }}
    create: true
  replicaCount: {{ .Values.replicas.umsNotificationsApi }}
  resources:
@@ -428,6 +544,9 @@ nubusNotificationsApi:
 nubusPortalFrontend:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-frontend"
    {{- with .Values.annotations.nubusPortalFrontend.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -450,11 +569,60 @@ nubusPortalFrontend:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  ingress:
    annotations:
      {{ .Values.annotations.nubusPortalFrontend.ingressIngress | toYaml | nindent 6 }}
    certManager:
      enabled: false
    items:
      - name: rewrites
        host: ""
        paths:
          - path: /univention/(portal|selfservice)/$
            pathType: ImplementationSpecific
          - path: /univention/(portal|selfservice)/index.html$
            pathType: ImplementationSpecific
          - path: /univention/(portal|selfservice)/(css|fonts|i18n|media|js|oidc|custom)(/.*)$
            pathType: ImplementationSpecific
          - path: /univention/(portal)/(icons)(/.*)$
            pathType: ImplementationSpecific
        ingressClassName: ""
        annotations:
          nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
          nginx.ingress.kubernetes.io/use-regex: "true"
          {{- with .Values.annotations.nubusPortalFrontend.ingressRewrites }}
          {{ . | toYaml | nindent 10 }}
          {{- end }}
        tls:
          secretName: ""
      - name: redirects
        host: ""
        paths:
          - pathType: ImplementationSpecific
            path: /$
          - pathType: ImplementationSpecific
            path: /univention$
          - pathType: ImplementationSpecific
            path: /univention/$
          - pathType: ImplementationSpecific
            path: /univention/portal$
          - pathType: ImplementationSpecific
            path: /univention/selfservice$
        ingressClassName: ""
        annotations:
          nginx.ingress.kubernetes.io/permanent-redirect: "/univention/portal/"
          {{- with .Values.annotations.nubusPortalFrontend.ingressRedirects }}
          {{ . | toYaml | nindent 10 }}
          {{- end }}
        tls:
          secretName: ""
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName }}
  persistence:
    annotations:
      {{ .Values.annotations.nubusPortalFrontend.persistence | toYaml | nindent 6 }}
  podAnnotations:
    {{ .Values.annotations.nubusPortalFrontend.pod | toYaml | nindent 4 }}
  portalFrontend:
    branding:
      css: {{ .Values.theme.styles.portal.main | toJson }}
@@ -463,7 +631,12 @@ nubusPortalFrontend:
      # The actual `logo` is set in customizing image, the logo down here is for for waiting spinner.
      logo: {{ .Values.theme.imagery.portal.waitingSpinnerSvg | toJson }}
      backgroundImage: {{ .Values.theme.imagery.portal.backgroundSvg | toJson }}
  service:
    annotations:
      {{ .Values.annotations.nubusPortalFrontend.service | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusPortalFrontend.serviceAccount | toYaml | nindent 6 }}
    create: true
  replicaCount: {{ .Values.replicas.umsPortalFrontend }}
  resources:
@@ -479,6 +652,8 @@ nubusKeycloakExtensions:
        keyMapping:
          adminPassword: "admin_password"
  proxy:
    additionalAnnotations:
      {{ .Values.annotations.nubusKeycloakExtensions.proxyAdditional | toYaml | nindent 6 }}
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
      repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
@@ -487,6 +662,12 @@ nubusKeycloakExtensions:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    ingress:
      annotations:
        nginx.org/proxy-buffer-size: "8k"
        nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
        {{- with .Values.annotations.nubusKeycloakExtensions.proxyIngress }}
        {{ . | toYaml | nindent 8 }}
        {{- end }}
      paths:
        {{- if .Values.debug.enabled }}
        - pathType: "Prefix"
@@ -507,6 +688,9 @@ nubusKeycloakExtensions:
        secretName: {{ .Values.ingress.tls.secretName | quote }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
      {{- with .Values.annotations.nubusKeycloakExtensions.proxyPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
    resources:
      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
@@ -515,6 +699,12 @@ nubusKeycloakExtensions:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
    service:
      annotations:
        {{ .Values.annotations.nubusKeycloakExtensions.proxyService | toYaml | nindent 8 }}
    serviceAccount:
      annotations:
        {{ .Values.annotations.nubusKeycloakExtensions.proxyServiceAccount | toYaml | nindent 8 }}
  postgresql:
    connection:
      host: {{ .Values.databases.keycloakExtension.host | quote }}
@@ -542,6 +732,8 @@ nubusKeycloakExtensions:
        keyMapping:
          password: "umcKeycloakExtensionsSmtpPassword"
  handler:
    additionalAnnotations:
      {{ .Values.annotations.nubusKeycloakExtensions.handlerAdditional | toYaml | nindent 6 }}
    appConfig:
      newDeviceLoginNotificationEnable: {{ if .Values.functional.authentication.newDeviceLoginNotification.enabled }}"True"{{ else }}"False"{{ end }}
      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
@@ -556,6 +748,9 @@ nubusKeycloakExtensions:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
      {{- with .Values.annotations.nubusKeycloakExtensions.handlerPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
    resources:
      {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
@@ -564,6 +759,12 @@ nubusKeycloakExtensions:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
    service:
      annotations:
        {{ .Values.annotations.nubusKeycloakExtensions.handlerService | toYaml | nindent 8 }}
    serviceAccount:
      annotations:
        {{ .Values.annotations.nubusKeycloakExtensions.handlerServiceAccount | toYaml | nindent 8 }}
 nubusPortalListener:
  enabled: false
@@ -594,6 +795,9 @@ nubusPortalConsumer:
      storageClass: {{ coalesce .Values.persistence.storages.nubusPortalConsumer.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-portal-consumer"
    {{- with .Values.annotations.nubusPortalConsumer.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  provisioningApi:
    auth:
      username: "portal-consumer"
@@ -650,6 +854,9 @@ nubusPortalConsumer:
 nubusPortalServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-server"
    {{- with .Values.annotations.nubusPortalServer.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -672,6 +879,13 @@ nubusPortalServer:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  ingress:
    annotations:
        nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
        nginx.ingress.kubernetes.io/use-regex: "true"
        {{- with .Values.annotations.nubusPortalServer.ingress }}
        {{ . | toYaml | nindent 8 }}
        {{- end }}
    certManager:
      enabled: false
    tls:
@@ -683,6 +897,14 @@ nubusPortalServer:
      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
    annotations:
      {{ .Values.annotations.nubusPortalServer.persistence | toYaml | nindent 6 }}
  podAnnotations:
    {{ .Values.annotations.nubusPortalServer.pod | toYaml | nindent 4 }}
  portalServer:
    objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
    objectStorageCredentialSecret:
      name: "ums-portal-server-minio-opendesk-credentials"
      accessKeyKey: "access-key-id"
@@ -697,7 +919,12 @@ nubusPortalServer:
  replicaCount: {{ .Values.replicas.umsPortalServer }}
  resources:
    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.nubusPortalServer.service | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusPortalServer.serviceAccount | toYaml | nindent 6 }}
    create: true
  {{- if .Values.certificate.selfSigned }}
  extraVolumes:
@@ -731,6 +958,9 @@ nubusPortalServer:
 nubusUdmRestApi:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-udm-rest-api"
    {{- with .Values.annotations.nubusUdmRestApi.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -749,6 +979,15 @@ nubusUdmRestApi:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  ingress:
    enabled: {{ .Values.functional.externalServices.nubus.udmRestApi.enabled }}
    annotations:
      nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
      nginx.ingress.kubernetes.io/configuration-snippet-disabled: |
        rewrite ^/univention(/udm/.*)$ $1 break;
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
      {{- with .Values.annotations.nubusUdmRestApi.ingress }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    certManager:
      enabled: false
    tls:
@@ -756,12 +995,23 @@ nubusUdmRestApi:
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  initResources:
    {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
  persistence:
    annotations:
      {{ .Values.annotations.nubusUdmRestApi.persistence | toYaml | nindent 6 }}
  podAnnotations:
    {{ .Values.annotations.nubusUdmRestApi.pod | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUdmRestApi }}
  resources:
    {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.nubusUdmRestApi.service | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      intended.usage: "compliance"
      {{- with .Values.annotations.nubusUdmRestApi.serviceAccount }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
  udmRestApi:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
@@ -770,6 +1020,8 @@ nubusUdmRestApi:
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusLdapNotifier:
  additionalAnnotations:
    {{ .Values.annotations.nubusLdapNotifier.additional | toYaml | nindent 4 }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -793,11 +1045,22 @@ nubusLdapNotifier:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-ldap-notifier"
    {{- with .Values.annotations.nubusLdapNotifier.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  replicaCount: {{ .Values.replicas.umsLdapNotifier }}
  resources:
    {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
 service:
    annotations:
      {{ .Values.annotations.nubusLdapNotifier.service | toYaml | nindent 6 }}
 serviceAccount:
    annotations:
      {{ .Values.annotations.nubusLdapNotifier.serviceAccount | toYaml | nindent 6 }}
 nubusLdapServer:
  additionalAnnotations:
    {{ .Values.annotations.nubusLdapServer.additional | toYaml | nindent 4 }}
  global:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    imagePullSecrets:
@@ -826,13 +1089,20 @@ nubusLdapServer:
  persistence:
    size: {{ .Values.persistence.storages.nubusLdapServerData.size | quote }}
    storageClass: {{ coalesce .Values.persistence.storages.nubusLdapServerData.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  podAnnotations:
    {{ .Values.annotations.nubusLdapServer.pod | toYaml | nindent 4 }}
  replicaCountPrimary: {{ .Values.replicas.umsLdapServerPrimary }}
  replicaCountSecondary: {{ .Values.replicas.umsLdapServerSecondary }}
  replicaCountProxy: {{ .Values.replicas.umsLdapServerProxy }}
  resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  resourcesPrimary: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  resourcesSecondary: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.nubusLdapServer.service | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusLdapServer.serviceAccount | toYaml | nindent 6 }}
    create: true
  waitForDependency:
    image:
@@ -843,9 +1113,14 @@ nubusLdapServer:
 nubusProvisioning:
  enabled: true
  additionalAnnotations:
    {{ .Values.annotations.nubusProvisioning.additional | toYaml | nindent 4 }}
  api:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-api"
      {{- with .Values.annotations.nubusProvisioning.apiAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    auth:
      adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote }}
      prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
@@ -858,6 +1133,8 @@ nubusProvisioning:
    nats:
      auth:
        password: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
    podAnnotations:
      {{ .Values.annotations.nubusProvisioning.apiPod | toYaml | nindent 6 }}
    resources:
      {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
  containerSecurityContext:
@@ -877,6 +1154,9 @@ nubusProvisioning:
  dispatcher:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
      {{- with .Values.annotations.nubusProvisioning.dispatcherAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
@@ -885,6 +1165,8 @@ nubusProvisioning:
    nats:
      auth:
        password: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
    podAnnotations:
      {{ .Values.annotations.nubusProvisioning.dispatcherPod | toYaml | nindent 6 }}
    resources:
      {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
  imagePullSecrets:
@@ -895,6 +1177,9 @@ nubusProvisioning:
  nats:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-nats"
      {{- with .Values.annotations.nubusProvisioning.natsAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    auth:
      adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote }}
    config:
@@ -941,9 +1226,14 @@ nubusProvisioning:
      {{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
    serviceAccount:
      create: true
  podAnnotations:
    {{ .Values.annotations.nubusProvisioning.pod | toYaml | nindent 4 }}
  prefill:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-prefill"
      {{- with .Values.annotations.nubusProvisioning.prefillAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
@@ -952,11 +1242,16 @@ nubusProvisioning:
    nats:
      auth:
        password: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
    podAnnotations:
      {{ .Values.annotations.nubusProvisioning.prefillPod | toYaml | nindent 6 }}
    resources:
      {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
  udmTransformer:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
      {{- with .Values.annotations.nubusProvisioning.udmTransformerAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
@@ -965,6 +1260,8 @@ nubusProvisioning:
    nats:
      auth:
        password: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
    podAnnotations:
      {{ .Values.annotations.nubusProvisioning.udmTransformerPod | toYaml | nindent 6 }}
    resources:
      {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
  replicaCount:
@@ -975,6 +1272,9 @@ nubusProvisioning:
  registerConsumers:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
      {{- with .Values.annotations.nubusProvisioning.registerConsumersAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    {{- if .Values.apps.oxAppSuite.enabled }}
    createUsers:
      oxConsumer:
@@ -990,10 +1290,18 @@ nubusProvisioning:
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
      {{- with .Values.annotations.nubusProvisioning.registerConsumersPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
  resources:
    registerConsumers:
      {{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}
  service:
    annotations:
      {{ .Values.annotations.nubusProvisioning.service | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusProvisioning.serviceAccount | toYaml | nindent 6 }}
    create: true
 nubusUdmListener:
@@ -1019,12 +1327,17 @@ nubusUdmListener:
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    {{ .Values.annotations.nubusUdmListener.pod | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUdmListener }}
  resources:
    {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
  nats:
    auth:
      password: {{ .Values.secrets.nubus.provisioning.udmListenerNatsPassword | quote}}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusUdmListener.serviceAccount | toYaml | nindent 6 }}
 nubusSelfServiceListener:
  enabled: false
@@ -1058,6 +1371,9 @@ nubusSelfServiceConsumer:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-selfservice-listener"
    {{- with .Values.annotations.nubusSelfserviceConsumer.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  provisioningApi:
    auth:
      password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
@@ -1066,6 +1382,9 @@ nubusSelfServiceConsumer:
  resourcesWaitForDependency:
    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusSelfserviceConsumer.serviceAccount | toYaml | nindent 6 }}
  waitForDependency:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
@@ -1079,6 +1398,9 @@ nubusStackDataUms:
    argocd.argoproj.io/hook: "Sync"
    argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
    intents.otterize.com/service-name: "ums-stack-data-ums"
    {{- with .Values.annotations.nubusStackDataUms.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -1121,6 +1443,8 @@ nubusStackDataUms:
        username: {{ .Values.databases.umsSelfservice.username | quote }}
      connection:
        host: {{ .Values.databases.umsSelfservice.host | quote }}
  podAnnotations:
    {{ .Values.annotations.nubusStackDataUms.pod | toYaml | nindent 4 }}
  pullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  resources:
@@ -1137,6 +1461,9 @@ nubusStackDataUms:
    smtpUser: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
    smtpStartTls: false
    ldapBase: {{ .Values.ldap.baseDn }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusStackDataUms.serviceAccount | toYaml | nindent 6 }}
  templateContext:
    initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
    apps: {{ .Values.apps | toYaml | nindent 6 }}
@@ -1209,6 +1536,9 @@ nubusStackDataUms:
 nubusUmcServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-umc-server"
    {{- with .Values.annotations.nubusUmcServer.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
@@ -1273,6 +1603,14 @@ nubusUmcServer:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
      nginx.ingress.kubernetes.io/configuration-snippet: |
          proxy_set_header X-UMC-HTTPS 'on';
      {{- with .Values.annotations.nubusUmcServer.ingress }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    certManager:
      enabled: false
    tls:
@@ -1286,6 +1624,8 @@ nubusUmcServer:
        name: "ums-umc-server-memcached-opendesk-credentials"
        keyMapping:
          memcached-password: "umcServerMemcachedPassword"
  podAnnotations:
    {{ .Values.annotations.nubusUmcServer.pod | toYaml | nindent 4 }}
  postgresql:
    bundled: false
    connection:
@@ -1324,6 +1664,9 @@ nubusUmcServer:
        Mit freundlichen Grüßen
        Ihr {domainname} Passwort-Service
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusUmcServer.serviceAccount | toYaml | nindent 6 }}
  smtp:
    existingSecret:
      name: "ums-umc-server-smtp-credentials-custom"
@@ -1352,6 +1695,12 @@ nubusUmcGateway:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
    {{- with .Values.annotations.nubusUmcGateway.ingress }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
    certManager:
      enabled: false
    tls:
@@ -1359,13 +1708,21 @@ nubusUmcGateway:
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  initResources:
    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
  podAnnotations:
    {{ .Values.annotations.nubusUmcGateway.pod | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUmcGateway }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusUmcGateway.serviceAccount | toYaml | nindent 6 }}
  resources:
    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
 nubusKeycloakBootstrap:
  additionalAnnotations:
    argocd.argoproj.io/hook: "Sync"
    {{- with .Values.annotations.nubusKeycloakBootstrapNubus.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  bootstrap:
    ldapMappers:
      - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
@@ -1406,6 +1763,9 @@ nubusKeycloakBootstrap:
        name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
    {{- with .Values.annotations.nubusKeycloakBootstrapNubus.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  resources:
    {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
  waitForDependency:
@@ -1414,6 +1774,9 @@ nubusKeycloakBootstrap:
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.nubusKeycloakBootstrapNubus.serviceAccount | toYaml | nindent 6 }}
 # Credential secrets for accessing customer supplied services
 extraSecrets:
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -759,11 +759,17 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
 additionalAnnotations:
-    argocd.argoproj.io/hook: "Sync"
+  argocd.argoproj.io/hook: "Sync"
-    argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
+  argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
  {{- with .Values.annotations.nubusKeycloakBootstrap.additional }}
  {{. | toYaml | nindent 2 }}
  {{- end }}
 podAnnotations:
  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
  {{- with .Values.annotations.nubusKeycloakBootstrap.pod }}
  {{. | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
@@ -773,6 +779,10 @@ podSecurityContext:
 resources:
  {{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.nubusKeycloakBootstrap.serviceAccount | toYaml | nindent 4 }}
 {{- if .Values.certificate.selfSigned }}
 extraVolumes:
  - name: "trusted-cert-secret-volume"
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 commonAnnotations:
  {{ .Values.annotations.openxchangeDovecot.common | toYaml | nindent 2 }}
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.dovecot.registry | quote }}
  repository: {{ .Values.images.dovecot.repository | quote }}
@@ -79,9 +82,6 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
 podAnnotations: {}
 {{- if .Values.certificate.selfSigned }}
 extraVolumes:
  - name: "trusted-cert-secret-volume"
@@ -111,14 +111,26 @@ persistence:
    - "ReadWriteOnce"
  {{- end }}
  size: {{ .Values.persistence.storages.dovecot.size | quote }}
  annotations:
    {{ .Values.annotations.openxchangeDovecot.persistence | toYaml | nindent 4 }}
 podAnnotations:
  {{ .Values.annotations.openxchangeDovecot.pod | toYaml | nindent 2 }}
 resources:
  {{ .Values.resources.dovecot | toYaml | nindent 2 }}
 {{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }}
 service:
  annotations:
    {{ .Values.annotations.openxchangeDovecot.service | toYaml | nindent 4 }}
  external:
    enabled: true
    type: {{ coalesce .Values.service.type.dovecot .Values.cluster.service.type | quote }}
 {{- end }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.openxchangeDovecot.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -4,6 +4,13 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  argocd.argoproj.io/hook: "Sync"
  argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
  {{- with .Values.annotations.openxchangeBootstrap.additional }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
@@ -31,7 +38,8 @@ image:
 imagePullSecrets:
  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
-additionalAnnotations:
+serviceAccount:
-  argocd.argoproj.io/hook: "Sync"
+  annotations:
-  argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
+    {{ .Values.annotations.openxchangeBootstrap.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl
@@ -6,7 +6,11 @@ SPDX-License-Identifier: Apache-2.0
 ---
 appsuite:
  core-mw:
-
+    podAnnotations:
      logging.open-xchange.com/format: "appsuite-json"
      {{- with .Values.annotations.openxchangeEnterpriseContactPicker.appsuiteCoreMwPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    properties:
      # Enterprise contact picker
      com.openexchange.contacts.ldap.accounts: "opendesk,other,functional"
@@ -28,6 +32,10 @@ appsuite:
              dn: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
              password: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
    serviceAccount:
      annotations:
        {{ .Values.annotations.openxchangeEnterpriseContactPicker.appsuiteCoreMwServiceAccount | toYaml | nindent 8 }}
    uiSettings:
      # Enterprise contact picker
      io.ox/core//features/enterprisePicker/enabled: "true"
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -32,7 +32,8 @@ nextcloud-integration-ui:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
-  podAnnotations: {}
+  podAnnotations:
    {{ .Values.annotations.openxchangeNextcloudIntegrationUi.pod | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.openxchangeNextcloudIntegrationUI }}
  resources:
    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
@@ -66,7 +67,8 @@ public-sector-ui:
  {{- end }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  replicaCount: {{ .Values.replicas.openxchangePublicSectorUI }}
-  podAnnotations: {}
+  podAnnotations:
    {{ .Values.annotations.openxchangePublicSectorUi.pod | toYaml | nindent 4 }}
  resources:
    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
  securityContext:
@@ -95,6 +97,8 @@ appsuite:
  istio:
    enabled: false
  ingress:
    annotations:
      {{ .Values.annotations.openxchangeAppsuiteIngress.ingress | toYaml | nindent 6 }}
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
    tls:
@@ -107,11 +111,101 @@ appsuite:
      hosts:
        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    routes:
      appsuite-base:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.appsuitebase | toYaml | nindent 10 }}
      rootredirect:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.rootredirect | toYaml | nindent 10 }}
      trailslash:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.trailslash | toYaml | nindent 10 }}
      rest-routes-admin:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.restRoutesAdmin | toYaml | nindent 10 }}
      rest-routes-advertisement:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.restRoutesAdvertisement | toYaml | nindent 10 }}
      rest-routes-chronos:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.restRoutesChronos | toYaml | nindent 10 }}
      rest-routes-preliminary:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.restRoutesPreliminary | toYaml | nindent 10 }}
      rest-routes-userfeedback:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.restRoutesUserfeedback | toYaml | nindent 10 }}
      static-routes-servlet:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.staticRoutesServlet | toYaml | nindent 10 }}
      static-routes-realtime:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.staticRoutesRealtime | toYaml | nindent 10 }}
      static-routes-infostore:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.staticRoutesInfostore | toYaml | nindent 10 }}
      static-routes-webservices:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.staticRoutesWebservices | toYaml | nindent 10 }}
      drive-client-windows-ox-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.driveClientWindowsOxRoute | toYaml | nindent 10 }}
      guard-api-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.guardApiRoute | toYaml | nindent 10 }}
      guard-support-api-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.guardSupportApiRoute | toYaml | nindent 10 }}
      guard-pgp-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.guardPgpRoute | toYaml | nindent 10 }}
      http-api-routes-api:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.httpApiRoutesApi | toYaml | nindent 10 }}
      http-api-routes-ajax:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.httpApiRoutesAjax | toYaml | nindent 10 }}
      http-api-routes-appsuite-api:
        annotations:
          nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.oxAppSuite }}"
          nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.oxAppSuite }}"
          nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.oxAppSuite }}"
          {{- with .Values.annotations.openxchangeAppsuiteIngress.httpApiRoutesAppsuiteApi }}
          {{ . | toYaml | nindent 10 }}
          {{- end }}
      http-api-routes-app-root-api:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.httpApiRoutesAppRootApi | toYaml | nindent 10 }}
      rt2-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.rt2Route | toYaml | nindent 10 }}
      documents-help-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.documentsHelpRoute | toYaml | nindent 10 }}
      drive-help-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.driveHelpRoute | toYaml | nindent 10 }}
      core-help-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.coreHelpRoute | toYaml | nindent 10 }}
      office-web-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.officeWebRoute | toYaml | nindent 10 }}
      caldav-well-known-redirect:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.caldavWellKnownRedirect | toYaml | nindent 10 }}
      carddav-well-known-redirect:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.carddavWellKnownRedirect | toYaml | nindent 10 }}
      dav-infostore-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.davInfostoreRoute | toYaml | nindent 10 }}
      dav-root-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.davRootRoute | toYaml | nindent 10 }}
      wopi-server-route:
        annotations:
          {{ .Values.annotations.openxchangeAppsuiteIngress.wopiServerRoute | toYaml | nindent 10 }}
      trailslash:
        enabled: false
  core-mw:
@@ -131,8 +225,11 @@ appsuite:
    jolokiaLogin: "jolokia"
    jolokiaPassword: {{ .Values.secrets.oxAppSuite.jolokiaPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
-    podAnnotations: {}
+    podAnnotations:
      {{ .Values.annotations.openxchangeAppsuiteCoreMw.pod | toYaml | nindent 6 }}
    serviceAccount:
      annotations:
        {{ .Values.annotations.openxchangeAppsuiteCoreMw.serviceAccount | toYaml | nindent 8 }}
      create: true
    features:
      status:
@@ -151,7 +248,8 @@ appsuite:
        tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      replicaCount: {{ .Values.replicas.openxchangeGotenberg }}
-      podAnnotations: {}
+      podAnnotations:
        {{ .Values.annotations.openxchangeAppsuiteCoreMw.gotenbergPod | toYaml | nindent 8 }}
      resources:
        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
      securityContext:
@@ -421,6 +519,8 @@ appsuite:
    # podSecurityContext: {}
    # securityContext: {}
    update:
      podAnnotations:
        {{ .Values.annotations.openxchangeAppsuiteCoreMw.updatePod | toYaml | nindent 8 }}
      image:
        repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
        tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
@@ -447,7 +547,8 @@ appsuite:
      tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    replicaCount: {{ .Values.replicas.openxchangeCoreUI }}
-    podAnnotations: {}
+    podAnnotations:
      {{ .Values.annotations.openxchangeAppsuiteCoreUi.pod | toYaml | nindent 6 }}
    resources:
      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
    securityContext:
@@ -483,7 +584,8 @@ appsuite:
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    overrides: {}
-    podAnnotations: {}
+    podAnnotations:
      {{ .Values.annotations.openxchangeAppsuiteCoreUiMiddleware.pod | toYaml | nindent 6 }}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreUIMiddleware }}
    resources:
@@ -526,7 +628,8 @@ appsuite:
      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    podAnnotations: {}
+    podAnnotations:
      {{ .Values.annotations.openxchangeAppsuiteCoreDocumentconverter.pod | toYaml | nindent 6 }}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreDocumentConverter }}
    resources:
@@ -576,7 +679,8 @@ appsuite:
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    podAnnotations: {}
+    podAnnotations:
      {{ .Values.annotations.openxchangeAppsuiteCoreGuidedtours.pod | toYaml | nindent 6 }}
    replicaCount: {{ .Values.replicas.openxchangeCoreGuidedtours }}
    resources:
      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
@@ -614,7 +718,8 @@ appsuite:
          endpoint: "."
          accessKey: "."
          secretKey: "."
-    podAnnotations: {}
+    podAnnotations:
      {{ .Values.annotations.openxchangeAppsuiteCoreImageconverter.pod | toYaml | nindent 6 }}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreImageConverter }}
    resources:
@@ -683,7 +788,8 @@ appsuite:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
-    podAnnotations: {}
+    podAnnotations:
      {{ .Values.annotations.openxchangeAppsuiteCoreUserGuide.pod | toYaml | nindent 6 }}
    replicaCount: {{ .Values.replicas.openxchangeCoreUserGuide }}
    resources:
      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -69,7 +69,8 @@ persistence:
  size: {{ .Values.persistence.storages.oxConnector.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.oxConnector.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.nubusOxConnector.pod | toYaml | nindent 2 }}
 replicaCount: {{ .Values.replicas.oxConnector }}
@@ -92,6 +93,8 @@ securityContext:
    {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.nubusOxConnector.serviceAccount | toYaml | nindent 4 }}
  create: true
 ...
--- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
@@ -84,7 +84,8 @@ postfix:
  virtualMailboxDomains: {{ if .Values.global.additionalMailDomains }}{{ printf "%s,%s" (.Values.global.mailDomain | default .Values.global.domain) .Values.global.additionalMailDomains }}{{ else }}{{ .Values.global.mailDomain | default .Values.global.domain | quote }}{{ end }}
  virtualTransport: "lmtps:dovecot:24"
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.openxchangePostfix.pod | toYaml | nindent 2 }}
 replicaCount: {{ .Values.replicas.postfix }}
@@ -93,6 +94,8 @@ resources:
 {{- if or (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "LoadBalancer") }}
 service:
  annotations:
    {{ .Values.annotations.openxchangePostfix.service | toYaml | nindent 4 }}
  external:
    enabled: true
    type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
--- a/helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl
@@ -3,7 +3,15 @@
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-podAnnotations: {}
+additionalAnnotations:
  {{ .Values.annotations.opendeskMigrationsPost.additional | toYaml | nindent 2 }}
 podAnnotations:
  {{ .Values.annotations.opendeskMigrationsPost.pod | toYaml | nindent 2 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.opendeskMigrationsPost.serviceAccount | toYaml | nindent 4 }}
 migrations:
  stage: "POST"
--- a/helmfile/apps/opendesk-migrations-pre/values.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-pre/values.yaml.gotmpl
@@ -3,7 +3,15 @@
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-podAnnotations: {}
+additionalAnnotations:
  {{ .Values.annotations.opendeskMigrationsPre.additional | toYaml | nindent 2 }}
 podAnnotations:
  {{ .Values.annotations.opendeskMigrationsPre.pod | toYaml | nindent 2 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.opendeskMigrationsPre.serviceAccount | toYaml | nindent 4 }}
 migrations:
  stage: "PRE"
--- a/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl
@@ -11,6 +11,9 @@ global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 additionalAnnotations:
  {{ .Values.annotations.openprojectBootstrap.additional | toYaml | nindent 2 }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
@@ -72,6 +75,9 @@ image:
 job:
  enabled: true
 podAnnotations:
  {{ .Values.annotations.openprojectBootstrap.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
--- a/helmfile/apps/opendesk-services/values-home.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-home.yaml.gotmpl
@@ -3,6 +3,9 @@ SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlic
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  {{ .Values.annotations.opendeskServicesHome.additional | toYaml | nindent 2 }}
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -12,4 +15,6 @@ ingress:
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.opendeskServicesHome.ingress | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
@@ -10,6 +10,9 @@ global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 additionalAnnotations:
  {{ .Values.annotations.opendeskServicesStaticFiles.additional | toYaml | nindent 2 }}
 assets:
  element:
    subdomain: {{ .Values.global.hosts.element }}
@@ -96,6 +99,8 @@ ingress:
  host: "{{ .Values.global.hosts.static }}.{{ .Values.global.domain }}"
  tls:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    {{ .Values.annotations.opendeskServicesStaticFiles.ingress | toYaml | nindent 4 }}
 image:
  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.opendeskStaticFiles.registry | quote }}
@@ -103,6 +108,8 @@ image:
  tag: {{ .Values.images.opendeskStaticFiles.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 podAnnotations:
  {{ .Values.annotations.opendeskServicesStaticFiles.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -116,4 +123,11 @@ resources:
 service:
  type: "ClusterIP"
  annotations:
    {{ .Values.annotations.opendeskServicesStaticFiles.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.opendeskServicesStaticFiles.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl
@@ -8,6 +8,9 @@ global:
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
 additionalAnnotations:
  {{ .Values.annotations.opendeskServicesOtterize.additional | toYaml | nindent 2 }}
 apps:
  clamavDistributed:
    enabled: {{ .Values.apps.clamavDistributed.enabled }}
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -131,7 +131,8 @@ memcached:
 persistence:
  enabled: false
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.openproject.pod | toYaml | nindent 2 }}
 postgresql:
  bundled: false
@@ -179,6 +180,12 @@ openproject:
      login: "opendesk_username"
      admin: "openproject_admin"
  useTmpVolumes: true
  tmpVolumesAnnotations:
    {{ .Values.annotations.openproject.openprojectTempVolumes | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.openproject.serviceAccount | toYaml | nindent 4 }}
 ingress:
  annotations:
@@ -188,6 +195,9 @@ ingress:
    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.openproject }}"
    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.openproject }}s"
    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.openproject }}s"
    {{- with .Values.annotations.openproject.ingress }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
@@ -221,6 +231,9 @@ seederJob:
    intents.otterize.com/service-name: "openproject-seeder"
    argocd.argoproj.io/hook: "Sync"
    argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
    {{- with .Values.annotations.openproject.seederJob }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  resources:
    {{ .Values.resources.openprojectSeederJob | toYaml | nindent 4 }}
--- a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
@@ -33,6 +33,10 @@ image:
  tag: {{ .Values.images.cassandra.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 ingress:
  annotations:
    {{ .Values.annotations.cassandra.ingress | toYaml | nindent 6 }}
 initDB:
  initUserData.cql: >
    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
@@ -70,7 +74,8 @@ persistence:
  size: {{ .Values.persistence.storages.cassandra.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.cassandra.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.cassandra.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -92,6 +97,10 @@ replicaCount: {{ .Values.replicas.cassandra }}
 resources:
  {{ .Values.resources.cassandra | toYaml | nindent 2 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.cassandra.serviceAccount | toYaml | nindent 4 }}
 startupProbe:
  enabled: false
  initialDelaySeconds: 0
--- a/helmfile/apps/services-external/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-clamav-distributed.yaml.gotmpl
@@ -5,6 +5,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 clamd:
  commonAnnotations:
    {{ .Values.annotations.servicesExternalClamavDistributed.clamdCommon | toYaml | nindent 4 }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -25,7 +27,8 @@ clamd:
    repository: {{ .Values.images.clamd.repository | quote }}
    tag: {{ .Values.images.clamd.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podAnnotations: {}
+  podAnnotations:
    {{ .Values.annotations.servicesExternalClamavDistributed.clamdPod | toYaml | nindent 4 }}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -33,6 +36,13 @@ clamd:
  replicaCount: {{ .Values.replicas.clamd }}
  resources:
    {{ .Values.resources.clamd | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.servicesExternalClamavDistributed.clamdService | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.servicesExternalClamavDistributed.clamdServiceAccount | toYaml | nindent 6 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -50,6 +60,8 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.clamav | toYaml | nindent 4 }}
 freshclam:
  commonAnnotations:
    {{ .Values.annotations.servicesExternalClamavDistributed.freshclamCommon | toYaml | nindent 4 }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -70,7 +82,8 @@ freshclam:
    repository: {{ .Values.images.freshclam.repository | quote }}
    tag: {{ .Values.images.freshclam.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podAnnotations: {}
+  podAnnotations:
    {{ .Values.annotations.servicesExternalClamavDistributed.freshclamPod | toYaml | nindent 4 }}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -78,6 +91,9 @@ freshclam:
  replicaCount: {{ .Values.replicas.freshclam }}
  resources:
    {{ .Values.resources.freshclam | toYaml | nindent 4 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.servicesExternalClamavDistributed.freshclamServiceAccount | toYaml | nindent 6 }}
  settings:
    database:
      auth:
@@ -92,6 +108,8 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 icap:
  commonAnnotations:
    {{ .Values.annotations.servicesExternalClamavDistributed.icapCommon | toYaml | nindent 4 }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -112,7 +130,8 @@ icap:
    repository: {{ .Values.images.icap.repository | quote }}
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podAnnotations: {}
+  podAnnotations:
    {{ .Values.annotations.servicesExternalClamavDistributed.icapPod | toYaml | nindent 4 }}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -120,8 +139,17 @@ icap:
  replicaCount: {{ .Values.replicas.icap }}
  resources:
    {{ .Values.resources.icap | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.servicesExternalClamavDistributed.icapService | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.servicesExternalClamavDistributed.icapServiceAccount | toYaml | nindent 6 }}
 milter:
  commonAnnotations:
    {{ .Values.annotations.servicesExternalClamavDistributed.milterCommon | toYaml | nindent 4 }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -142,7 +170,8 @@ milter:
    repository: {{ .Values.images.milter.repository | quote }}
    tag: {{ .Values.images.milter.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podAnnotations: {}
+  podAnnotations:
    {{ .Values.annotations.servicesExternalClamavDistributed.milterPod | toYaml | nindent 4 }}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -150,8 +179,17 @@ milter:
  replicaCount: {{ .Values.replicas.milter }}
  resources:
    {{ .Values.resources.milter | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.servicesExternalClamavDistributed.milterService | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.servicesExternalClamavDistributed.milterServiceAccount | toYaml | nindent 6 }}
 persistence:
  size: {{ .Values.persistence.storages.clamav.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.clamav.storageClassName .Values.persistence.storageClassNames.RWX | quote }}
  annotations:
    {{ .Values.annotations.servicesExternalClamavDistributed.persistence | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/services-external/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-clamav-simple.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 commonAnnotations:
  {{ .Values.annotations.servicesExternalClamavSimple.common | toYaml | nindent 2 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -39,8 +42,11 @@ image:
 persistence:
  size: {{ .Values.persistence.storages.clamav.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.clamav.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  annotations:
    {{ .Values.annotations.servicesExternalClamavSimple.persistence | toYaml | nindent 4 }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.servicesExternalClamavSimple.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -62,4 +68,13 @@ settings:
        url: {{ .Values.repositories.clamav.mirror.url | quote }}
      customURLs:
        {{ .Values.repositories.clamav.customURLs | toYaml | nindent 8 }}
 service:
  annotations:
    {{ .Values.annotations.servicesExternalClamavSimple.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.servicesExternalClamavSimple.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/services-external/values-dkimpy.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-dkimpy.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  {{ .Values.annotations.servicesExternalDkimpy.additional | toYaml | nindent 2 }}
 containerSecurityContext:
  allowPrivilegeEscalation: true
  capabilities: {}
@@ -28,6 +31,9 @@ image:
  tag: {{ .Values.images.dkimpy.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 podAnnotations:
  {{ .Values.annotations.servicesExternalDkimpy.service | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
@@ -44,4 +50,13 @@ replicaCount: {{ .Values.replicas.dkimpy }}
 resources:
  {{ .Values.resources.dkimpy | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.servicesExternalDkimpy.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.servicesExternalDkimpy.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/services-external/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-mariadb.yaml.gotmpl
@@ -8,6 +8,9 @@ cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 commonAnnotations:
  {{ .Values.annotations.servicesExternalMariadb.common | toYaml | nindent 2 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -73,10 +76,15 @@ mariadb:
 persistence:
  size: {{ .Values.persistence.storages.mariadb.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.mariadb.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  annotations:
    {{ .Values.annotations.servicesExternalMariadb.persistence | toYaml | nindent 4 }}
 podAnnotations:
  argocd.argoproj.io/hook: "PostSync"
  argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
  {{- with .Values.annotations.servicesExternalMariadb.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
@@ -88,4 +96,12 @@ replicaCount: {{ .Values.replicas.mariadb }}
 resources:
  {{ .Values.resources.mariadb | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.servicesExternalMariadb.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.servicesExternalMariadb.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/services-external/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-memcached.yaml.gotmpl
@@ -6,6 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 ---
 architecture: {{ if gt .Values.replicas.memcached 1 }}"high-availability"{{ else }}"standalone"{{ end }}
 commonAnnotations:
  {{ .Values.annotations.servicesExternalMemcached.common | toYaml | nindent 2 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -32,13 +35,21 @@ image:
  tag: {{ .Values.images.memcached.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.servicesExternalMemcached.pod | toYaml | nindent 2 }}
 replicaCount: {{ .Values.replicas.memcached }}
 resources:
  {{ .Values.resources.memcached | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.servicesExternalMemcached.service | toYaml | nindent 4 }}
 serviceAccount:
  create: true
  annotations:
    {{ .Values.annotations.servicesExternalMemcached.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/services-external/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-minio.yaml.gotmpl
@@ -15,10 +15,16 @@ apiIngress:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
    nginx.org/client-max-body-size: "4G"
    {{- with .Values.annotations.servicesExternalMinio.apiIngress }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
 auth:
  rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
 commonAnnotations:
  {{ .Values.annotations.servicesExternalMinio.common | toYaml | nindent 2 }}
 containerSecurityContext:
  enabled: true
  allowPrivilegeEscalation: false
@@ -66,6 +72,9 @@ ingress:
      secretName: "{{ .Values.ingress.tls.secretName }}"
  annotations:
    nginx.org/websocket-services: "minio"
    {{- with .Values.annotations.servicesExternalMinio.ingress }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
 {{- end }}
 livenessProbe:
@@ -92,6 +101,8 @@ podSecurityContext:
 persistence:
  size: {{ .Values.persistence.storages.minio.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.minio.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  annotations:
    {{ .Values.annotations.servicesExternalMinio.persistence | toYaml | nindent 4 }}
 provisioning:
  enabled: true
@@ -121,6 +132,8 @@ provisioning:
      versioning: "Suspended"
      withLock: false
    {{- end }}
  podAnnotations:
    {{ .Values.annotations.servicesExternalMinio.provisioningPod | toYaml | nindent 4 }}
  policies:
    - name: "migrations-bucket-policy"
      statements:
@@ -238,7 +251,8 @@ provisioning:
  resources:
    {{ .Values.resources.minio | toYaml | nindent 4 }}
-podAnnotations: {}
+podAnnotations:
  {{ .Values.annotations.servicesExternalMinio.pod | toYaml | nindent 2 }}
 readinessProbe:
  enabled: true
@@ -249,6 +263,17 @@ readinessProbe:
 resources:
  {{ .Values.resources.minio | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.servicesExternalMinio.serviceService | toYaml | nindent 4 }}
  headless:
    annotations:
      {{ .Values.annotations.servicesExternalMinio.serviceHeadless | toYaml | nindent 6 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.servicesExternalMinio.serviceAccount | toYaml | nindent 4 }}
 startupProbe:
  enabled: true
  periodSeconds: 10
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -9,6 +9,9 @@ certificate:
  request:
    enabled: false
 commonAnnotations:
  {{ .Values.annotations.servicesExternalPostfix.common | toYaml | nindent 2 }}
 containerSecurityContext:
  allowPrivilegeEscalation: true
  capabilities: {}
@@ -36,6 +39,11 @@ image:
 persistence:
  size: {{ .Values.persistence.storages.postfix.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.postfix.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  annotations:
    {{ .Values.annotations.servicesExternalPostfix.persistence | toYaml | nindent 4 }}
 podAnnotations:
  {{ .Values.annotations.servicesExternalPostfix.pod | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
@@ -99,6 +107,12 @@ resources:
  {{ .Values.resources.postfix | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.servicesExternalPostfix.service | toYaml | nindent 4 }}
  external:
    enabled: false
 serviceAccount:
  annotations:
    {{ .Values.annotations.servicesExternalPostfix.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/services-external/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postgresql.yaml.gotmpl
@@ -8,6 +8,9 @@ cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 commonAnnotations:
  {{ .Values.annotations.servicesExternalPostgresql.common | toYaml | nindent 2 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -110,10 +113,15 @@ job:
 persistence:
  size: {{ .Values.persistence.storages.postgresql.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.postgresql.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  annotations:
    {{ .Values.annotations.servicesExternalPostgresql.persistence | toYaml | nindent 4 }}
 podAnnotations:
  argocd.argoproj.io/hook: "PostSync"
  argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
  {{- with .Values.annotations.servicesExternalPostgresql.pod}}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 postgres:
  user: "postgres"
@@ -121,4 +129,13 @@ postgres:
 resources:
  {{ .Values.resources.postgresql | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.servicesExternalPostgresql.service | toYaml | nindent 4 }}
 serviceAccount:
  annotations:
    {{ .Values.annotations.servicesExternalPostgresql.serviceAccount | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/services-external/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-redis.yaml.gotmpl
@@ -9,6 +9,9 @@ architecture: "standalone"
 auth:
  password: {{ .Values.secrets.redis.password | quote }}
 commonAnnotations:
  {{ .Values.annotations.servicesExternalRedis.common | toYaml | nindent 2 }}
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -21,6 +24,8 @@ image:
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 master:
  annotations:
    {{ .Values.annotations.servicesExternalRedis.masterMaster | toYaml | nindent 4 }}
  containerSecurityContext:
    privileged: false
    readOnlyRootFilesystem: true
@@ -38,13 +43,40 @@ master:
  count: {{ .Values.replicas.redis }}
  persistence:
    size: {{ .Values.persistence.storages.redis.size | quote }}
-  podAnnotations: {}
+    annotations:
      {{ .Values.annotations.servicesExternalRedis.masterPersistence | toYaml | nindent 6 }}
  podAnnotations:
    {{ .Values.annotations.servicesExternalRedis.masterPod | toYaml | nindent 4 }}
  resources:
    {{ .Values.resources.redis | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.servicesExternalRedis.masterService | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.servicesExternalRedis.masterServiceAccount | toYaml | nindent 6 }}
 metrics:
  enabled: false
 replica:
  annotations:
    {{ .Values.annotations.servicesExternalRedis.replicaReplica | toYaml | nindent 4 }}
  persistence:
    annotations:
      {{ .Values.annotations.servicesExternalRedis.replicaPersistence | toYaml | nindent 6 }}
  podAnnotations:
    {{ .Values.annotations.servicesExternalRedis.replicaPod | toYaml | nindent 4 }}
  service:
    annotations:
      {{ .Values.annotations.servicesExternalRedis.replicaService | toYaml | nindent 6 }}
  serviceAccount:
    annotations:
      {{ .Values.annotations.servicesExternalRedis.replicaServiceAccount | toYaml | nindent 6 }}
 secretAnnotations:
  {{ .Values.annotations.servicesExternalRedis.secret | toYaml | nindent 2 }}
 sentinel:
  enabled: false
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -4,6 +4,9 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 commonAnnotations:
  {{ .Values.annotations.xwiki.common | toYaml | nindent 2 }}
 image:
  {{- if eq .Values.databases.xwiki.type "mariadb" }}
  name: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.xwikiMariadb.registry }}/{{ .Values.images.xwikiMariadb.repository }}"
@@ -129,6 +132,9 @@ ingress:
    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.xwiki }}s"
    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.xwiki }}s"
    haproxy-ingress.github.io/headers: "X-Forwarded-Host {{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
    {{- with .Values.annotations.xwiki.ingress }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  hosts:
    - host: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
      paths:
@@ -149,6 +155,8 @@ mysql:
  enabled: false
 persistence:
  annotations:
    {{ .Values.annotations.xwiki.persistence | toYaml | nindent 4 }}
  size: {{ .Values.persistence.storages.xwiki.size | quote }}
  storageClass: {{ coalesce .Values.persistence.storages.xwiki.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
@@ -217,9 +225,15 @@ resources:
  {{ .Values.resources.xwiki | toYaml | nindent 2 }}
 service:
  annotations:
    {{ .Values.annotations.xwiki.service | toYaml | nindent 4 }}
  externalPort: 80
  enabled: true
 serviceAccount:
  annotations:
    {{ .Values.annotations.xwiki.serviceAccount | toYaml | nindent 4 }}
 volumePermissions:
  enabled: true
--- a/helmfile/environments/default/annotations.yaml.gotmpl
+++ b/helmfile/environments/default/annotations.yaml.gotmpl
@@ -0,0 +1,440 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 annotations:
  cassandra:
    ingress: ~
    pod: ~
    serviceAccount: ~
  coco:
    ingress: ~
    pod: ~
    serviceAccount: ~
  collabora:
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  cryptpad:
    ingress: ~
    pod: ~
    serviceAccount: ~
  element:
    common: ~
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  elementMatrixNeoboardWidget:
    additional: ~
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  elementMatrixNeochoiceWidget:
    additional: ~
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  elementMatrixNeodatefixBot:
    additional: ~
    ingress: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  elementMatrixNeodatefixBotBootstrap:
    pod: ~
    serviceAccount: ~
  elementMatrixNeodatefixWidget:
    additional: ~
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  elementMatrixUserVerificationService:
    additional: ~
    pod: ~
    service: ~
    serviceAccount: ~
  elementMatrixUserVerificationServiceBootstrap:
    pod: ~
    serviceAccount: ~
  elementSynapse:
    common: ~
    federationIngress: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  elementSynapseWeb:
    common: ~
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  elementWellKnown:
    common: ~
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  jitsi:
    pod: ~
    serviceAccount: ~
  jitsiGlobal:
    pod: ~
  jitsiJibri:
    pod: ~
  jitsiJicofo:
    pod: ~
  jitsiJigasi:
    pod: ~
  jitsiJitsiPatchJVB:
    serviceAccount: ~
  jitsiJvb:
    pod: ~
    service: ~
    metricsPrometheus: ~
    metricsGrafana: ~
  jitsiProsody:
    pod: ~
  jitsiWeb:
    ingress: ~
    pod: ~
  nextcloudAio:
    additional: ~
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nextcloudExporter:
    additional: ~
    ingress: ~
    pod: ~
    serviceAccount: ~
  nextcloudNextcloudMgmt:
    additional: ~
    pod: ~
    serviceAccount: ~
  notes:
    ingressAdmin: ~
    ingressCollaborationWS: ~
    ingressCollaborationAPI: ~
    ingressMedia: ~
    serviceMedia: ~
  notesBackend:
    migrateJob: ~
    pod: ~
    service: ~
  notesFrontend:
    pod: ~
    service: ~
  notesYProvider:
    pod: ~
    service: ~
  nubus:
    additional: ~
    ingress: ~
  nubusGuardian:
    authorizationApiPod: ~
    globalPod: ~
    ingressIngress: ~
    ingressManagementUi: ~
    ingressManagementApi: ~
    ingressAuthorizationApi: ~
    managementApiPod: ~
    managementUiPod: ~
    serviceAccount: ~
  nubusIntercomService:
    additional: ~
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nubusKeycloak:
    common: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nubusKeycloakBootstrap:
    additional: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nubusKeycloakBootstrapNubus:
    additional: ~
    pod: ~
    serviceAccount: ~
  nubusKeycloakExtensions:
    handlerAdditional: ~
    handlerPod: ~
    handlerService: ~
    handlerServiceAccount: ~
    proxyAdditional: ~
    proxyIngress: ~
    proxyPod: ~
    proxyService: ~
    proxyServiceAccount: ~
  nubusLdapNotifier:
    additional: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nubusLdapServer:
    additional: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nubusNotificationsApi:
    additional: ~
    ingress: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nubusOxConnector:
    pod: ~
    serviceAccount: ~
  nubusPortalConsumer:
    pod: ~
  nubusPortalFrontend:
    additional: ~
    ingressIngress: ~
    ingressRewrites: ~
    ingressRedirects: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nubusPortalServer:
    additional: ~
    ingress: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nubusProvisioning:
    additional: ~
    apiAdditional: ~
    apiPod: ~
    dispatcherAdditional: ~
    dispatcherPod: ~
    natsAdditional: ~
    natsPod: ~
    udmTransformerAdditional: ~
    udmTransformerPod: ~
    pod: ~
    prefillAdditional: ~
    prefillPod: ~
    registerConsumersAdditional: ~
    registerConsumersPod: ~
    service: ~
    serviceAccount: ~
  nubusNginxS3Gateway:
    additional: ~
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nubusSelfserviceConsumer:
    pod: ~
    serviceAccount: ~
  nubusStackDataUms:
    additional: ~
    pod: ~
    serviceAccount: ~
  nubusUdmListener:
    pod: ~
    serviceAccount: ~
  nubusUdmRestApi:
    additional: ~
    ingress: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  nubusUmcGateway:
    ingress: ~
    pod: ~
    serviceAccount: ~
  nubusUmcServer:
    additional: ~
    ingress: ~
    pod: ~
    serviceAccount: ~
  opendeskMigrationsPost:
    additional: ~
    pod: ~
    serviceAccount: ~
  opendeskMigrationsPre:
    additional: ~
    pod: ~
    serviceAccount: ~
  opendeskServicesHome:
    additional: ~
    ingress: ~
  opendeskServicesOtterize:
    additional: ~
  opendeskServicesStaticFiles:
    additional: ~
    ingress: ~
    pod: ~
    service: ~
    serviceAccount: ~
  openproject:
    ingress: ~
    pod: ~
    openprojectTempVolumes: ~
    serviceAccount: ~
    seederJob: ~
  openprojectBootstrap:
    additional: ~
    pod: ~
  openxchangeAppsuiteCoreDocumentconverter:
    pod: ~
  openxchangeAppsuiteCoreGuidedtours:
    pod: ~
  openxchangeAppsuiteCoreImageconverter:
    pod: ~
  openxchangeAppsuiteCoreUi:
    pod: ~
  openxchangeAppsuiteCoreUiMiddleware:
    pod: ~
  openxchangeAppsuiteCoreMw:
    gotenbergPod: ~
    pod: ~
    serviceAccount: ~
    updatePod: ~
  openxchangeAppsuiteCoreUserGuide:
    pod: ~
  openxchangeAppsuiteIngress:
    appsuitebase: ~
    ingress: ~
    rootredirect: ~
    trailslash: ~
    restRoutesAdmin: ~
    restRoutesAdvertisement: ~
    restRoutesChronos: ~
    restRoutesPreliminary: ~
    restRoutesUserfeedback: ~
    staticRoutesServlet: ~
    staticRoutesRealtime: ~
    staticRoutesInfostore: ~
    staticRoutesWebservices: ~
    driveClientWindowsOxRoute: ~
    guardApiRoute: ~
    guardSupportApiRoute: ~
    guardPgpRoute: ~
    httpApiRoutesApi: ~
    httpApiRoutesAjax: ~
    httpApiRoutesAppsuiteApi: ~
    httpApiRoutesAppRootApi: ~
    rt2Route: ~
    documentsHelpRoute: ~
    driveHelpRoute: ~
    coreHelpRoute: ~
    officeWebRoute: ~
    caldavWellKnownRedirect: ~
    carddavWellKnownRedirect: ~
    davInfostoreRoute: ~
    davRootRoute: ~
    wopiServerRoute: ~
  openxchangeBootstrap:
    additional: ~
    serviceAccount: ~
  openxchangeDovecot:
    common: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  openxchangeEnterpriseContactPicker:
    appsuiteCoreMw:
    appsuiteCoreMwPod: ~
    appsuiteCoreMwServiceAccount: ~
  openxchangeNextcloudIntegrationUi:
    pod: ~
  openxchangePostfix:
    pod: ~
    service: ~
  openxchangePublicSectorUi:
    pod: ~
  servicesExternalClamavDistributed:
    clamdCommon: ~
    clamdPod: ~
    clamdService: ~
    clamdServiceAccount: ~
    freshclamCommon: ~
    freshclamService: ~
    freshclamServiceAccount: ~
    milterCommon: ~
    milterPod: ~
    milterService: ~
    milterServiceAccount: ~
    persistence: ~
  servicesExternalClamavSimple:
    common: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  servicesExternalDkimpy:
    additional: ~
    pod: ~
    service: ~
    serviceAccount: ~
  servicesExternalMariadb:
    common: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  servicesExternalMemcached:
    common: ~
    pod: ~
    service: ~
    serviceAccount: ~
  servicesExternalMinio:
    apiIngress: ~
    common:
    ingress: ~
    persistence: ~
    provisioningPod: ~
    pod: ~
    serviceService: ~
    serviceHeadless: ~
    serviceAccount: ~
  servicesExternalPostfix:
    common: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  servicesExternalPostgresql:
    common: ~
    persistence: ~
    pod: ~
    service: ~
    serviceAccount: ~
  servicesExternalRedis:
    common: ~
    masterMaster: ~
    masterPersistence: ~
    masterPod: ~
    masterService: ~
    masterServiceAccount: ~
    replicaReplica: ~
    replicaPersistence: ~
    replicaPod: ~
    replicaService: ~
    replicaServiceAccount: ~
    secret: ~
  xwiki:
    common: ~
    ingress: ~
    persistence: ~
    service: ~
    serviceAccount: ~
 ...