feat(authentication): Avoid that users can open a app they do not have the appropriate LDAP group set for. Implementation is based on role based client scopes. Introducing also an openDesk migration approach with a pre and post deployment stage.

helmfile/environments/default/charts.yaml

@@ -192,6 +192,16 @@ charts:
     name: "memcached"
     version: "6.7.1"
     verify: true
+  migrations:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-migrations"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
+    name: "opendesk-migrations"
+    version: "1.0.1"
+    verify: true
   minio:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -240,7 +250,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "1.1.0"
+    version: "2.1.0"
     verify: true
   openproject:
     # providerCategory: "Supplier"

helmfile/environments/default/images.yaml

@@ -198,6 +198,14 @@ images:
     registry: "registry-1.docker.io"
     repository: "bitnami/memcached"
     tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
+  migrations:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
+    tag: "1.0.2@sha256:fbe21b4e2a276d2c5d052c1bb52158debfcc146188e654661001d4ff45b1b453"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -253,7 +261,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.0.5@sha256:76ccd9a74ae2c2dabb6beaa0192c15b9c06763abbd632cd0f8db68e5d8d5883c"
+    tag: "1.1.0@sha256:20e885e2f2cb19e4b45adfdd6f1622ea888fe26621a0a3ace12c074497ac04aa"
   openproject:
     # providerCategory: "Supplier"
     # providerResponsible: "OpenProject"

helmfile/environments/default/selinux.yaml

@@ -30,6 +30,7 @@ seLinuxOptions:
   matrixNeoDateFixWidget: ~
   matrixUserVerificationService: ~
   memcached: ~
+  migrations: ~
   milter: ~
   minio: ~
   nextcloudApache2: ~

helmfile/environments/default/workplace.gotmpl

@@ -0,0 +1,76 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+#
+# Note: Currently only single namespace deployments are supported.
+---
+certificates:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+clamavDistributed:
+  enabled: false
+  namespace: {{ env "NAMESPACE" | quote }}
+clamavSimple:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+collabora:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+cryptpad:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+dovecot:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+element:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+home:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+intercom:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+jitsi:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+mariadb:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+memcached:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+migrations:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+minio:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+nextcloud:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+openproject:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+oxAppsuite:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+oxConnector:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+postfix:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+postgresql:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+redis:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+univentionManagementStack:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+xwiki:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+...

helmfile/environments/default/workplace.yaml

@@ -1,49 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-certificates:
-  enabled: true
-clamavDistributed:
-  enabled: false
-clamavSimple:
-  enabled: true
-collabora:
-  enabled: true
-cryptpad:
-  enabled: true
-dovecot:
-  enabled: true
-element:
-  enabled: true
-home:
-  enabled: true
-intercom:
-  enabled: true
-jitsi:
-  enabled: true
-mariadb:
-  enabled: true
-memcached:
-  enabled: true
-minio:
-  enabled: true
-nextcloud:
-  enabled: true
-openproject:
-  enabled: true
-oxAppsuite:
-  enabled: true
-oxConnector:
-  enabled: true
-postfix:
-  enabled: true
-postgresql:
-  enabled: true
-redis:
-  enabled: true
-univentionManagementStack:
-  enabled: true
-xwiki:
-  enabled: true
-...