feat(nubus): Update from 1.9.1 to 1.11.1; required minimum openDesk version for this upgrade is 1.5.0, see migrations.md for details

README.md

@@ -40,7 +40,7 @@ openDesk currently features the following functional main components:
 | File management      | Nextcloud                   | [30.0.10](https://nextcloud.com/de/changelog/#30-0-10)                                                                        | [Nextcloud 30](https://docs.nextcloud.com/)                                                                                           |
 | Groupware            | OX App Suite                | [8.38](https://documentation.open-xchange.com/appsuite/releases/8.38/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                              | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | [1.9.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-9-1-2025-05-07) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Portal & IAM         | Nubus                       | [1.11.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-11-1-2025-07-02) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | [16.1.1](https://www.openproject.org/docs/release-notes/16-1-1/)                                                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                         | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [25.04.2](https://www.collaboraoffice.com/code-25-04-release-notes/)                                                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |

docs/migrations.md

@@ -11,6 +11,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Manual checks/actions](#manual-checksactions)
   * [v1.6.0+](#v160)
     * [Pre-upgrade to v1.6.0+](#pre-upgrade-to-v160)
+      * [Upstream contraint: Nubus' external secrets](#upstream-contraint-nubus-external-secrets)
       * [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser)
       * [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange)
       * [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade)
@@ -56,15 +57,136 @@ SPDX-License-Identifier: Apache-2.0
     * [Post-upgrade to v1.0.0+](#post-upgrade-to-v100)
       * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
       * [Optional Cleanup](#optional-cleanup)
-  * [v0.9.0](#v090)
-    * [Pre-upgrade to v0.9.0](#pre-upgrade-to-v090)
-      * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
-      * [Updated customizable template attributes](#updated-customizable-template-attributes)
-      * [`migrations` S3 bucket](#migrations-s3-bucket)
 * [Automated migrations - Details](#automated-migrations---details)
+  * [v1.6.0+ (automated)](#v160-automated)
+    * [v1.6.0+ migrations-post](#v160-migrations-post)
   * [v1.2.0+ (automated)](#v120-automated)
-    * [migrations-pre](#migrations-pre)
+    * [v1.2.0+ migrations-pre](#v120-migrations-pre)
-    * [migrations-post](#migrations-post)
+    * [v1.2.0+ migrations-post](#v120-migrations-post)
+  * [v1.1.0+ (automated)](#v110-automated)
+  * [v1.0.0+ (automated)](#v100-automated)
+  * [Related components and artifacts](#related-components-and-artifacts)
+  * [Development](#development)
+>>>>>>> 66e78530 (fix(Nubus): Update migrations for Nubus 1.10.x)
+* [Disclaimer](#disclaimer)
+* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
+* [Manual checks/actions](#manual-checksactions)
+  * [v1.6.0+](#v160)
+    * [Pre-upgrade to v1.6.0+](#pre-upgrade-to-v160)
+      * [Upstream contraint: Nubus' external secrets](#upstream-contraint-nubus-external-secrets)
+      * [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser)
+      * [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange)
+      * [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade)
+    * [Post-upgrade to v1.6.0+](#post-upgrade-to-v160)
+      * [OX App Suite fix-up: Using S3 as storage for non mail attachments (post-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-post-upgrade)
+  * [v1.4.0+](#v140)
+    * [Pre-upgrade to v1.4.0+](#pre-upgrade-to-v140)
+      * [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation)
+      * [Helmfile cleanup: `global.additionalMailDomains` as list](#helmfile-cleanup-globaladditionalmaildomains-as-list)
+  * [v1.2.0+](#v120)
+    * [Pre-upgrade to v1.2.0+](#pre-upgrade-to-v120)
+      * [Helmfile cleanup: Do not configure OX provisioning when no OX installed](#helmfile-cleanup-do-not-configure-ox-provisioning-when-no-ox-installed)
+      * [Helmfile new default: PostgreSQL for XWiki and Nextcloud](#helmfile-new-default-postgresql-for-xwiki-and-nextcloud)
+  * [v1.1.2+](#v112)
+    * [Pre-upgrade to v1.1.2+](#pre-upgrade-to-v112)
+      * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
+  * [v1.1.1+](#v111)
+    * [Pre-upgrade to v1.1.1](#pre-upgrade-to-v111)
+      * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
+      * [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
+  * [v1.1.0+](#v110)
+    * [Pre-upgrade to v1.1.0](#pre-upgrade-to-v110)
+      * [Helmfile cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
+      * [Helmfile cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
+      * [Helmfile cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
+      * [Helmfile cleanup: Splitting external services and openDesk services](#helmfile-cleanup-splitting-external-services-and-opendesk-services)
+      * [Helmfile cleanup: Streamlining `openxchange` and `oxAppSuite` attribute names](#helmfile-cleanup-streamlining-openxchange-and-oxappsuite-attribute-names)
+      * [Helmfile feature update: Dicts to define `customization.release`](#helmfile-feature-update-dicts-to-define-customizationrelease)
+      * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
+      * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
+      * [External requirements: Redis 7.4](#external-requirements-redis-74)
+    * [Post-upgrade to v1.1.0+](#post-upgrade-to-v110)
+      * [XWiki fix-ups](#xwiki-fix-ups)
+  * [v1.1.0](#v110-1)
+    * [Pre-upgrade to v1.1.0](#pre-upgrade-to-v110-1)
+      * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
+      * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
+      * [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled)
+      * [Changed openDesk defaults: Matrix ID](#changed-opendesk-defaults-matrix-id)
+      * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
+      * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
+      * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
+    * [Post-upgrade to v1.0.0+](#post-upgrade-to-v100)
+      * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
+      * [Optional Cleanup](#optional-cleanup)
+* [Automated migrations - Details](#automated-migrations---details)
+  * [v1.6.0+ (automated)](#v160-automated)
+    * [v1.6.0+ migrations-post](#v160-migrations-post)
+  * [v1.2.0+ (automated)](#v120-automated)
+    * [v1.2.0+ migrations-pre](#v120-migrations-pre)
+    * [v1.2.0+ migrations-post](#v120-migrations-post)
+  * [v1.1.0+ (automated)](#v110-automated)
+  * [v1.0.0+ (automated)](#v100-automated)
+  * [Related components and artifacts](#related-components-and-artifacts)
+  * [Development](#development)
+>>>>>>> 58fde95a (feat(nubus): Update from 1.9.1 to 1.11.1; required minimum openDesk version for this upgrade is 1.5.0, see `migrations.md` for details)
+* [Disclaimer](#disclaimer)
+* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
+* [Manual checks/actions](#manual-checksactions)
+  * [v1.6.0+](#v160)
+    * [Pre-upgrade to v1.6.0+](#pre-upgrade-to-v160)
+      * [Upstream contraint: Nubus' external secrets](#upstream-contraint-nubus-external-secrets)
+      * [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser)
+      * [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange)
+      * [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade)
+    * [Post-upgrade to v1.6.0+](#post-upgrade-to-v160)
+      * [OX App Suite fix-up: Using S3 as storage for non mail attachments (post-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-post-upgrade)
+  * [v1.4.0+](#v140)
+    * [Pre-upgrade to v1.4.0+](#pre-upgrade-to-v140)
+      * [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation)
+      * [Helmfile cleanup: `global.additionalMailDomains` as list](#helmfile-cleanup-globaladditionalmaildomains-as-list)
+  * [v1.2.0+](#v120)
+    * [Pre-upgrade to v1.2.0+](#pre-upgrade-to-v120)
+      * [Helmfile cleanup: Do not configure OX provisioning when no OX installed](#helmfile-cleanup-do-not-configure-ox-provisioning-when-no-ox-installed)
+      * [Helmfile new default: PostgreSQL for XWiki and Nextcloud](#helmfile-new-default-postgresql-for-xwiki-and-nextcloud)
+  * [v1.1.2+](#v112)
+    * [Pre-upgrade to v1.1.2+](#pre-upgrade-to-v112)
+      * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
+  * [v1.1.1+](#v111)
+    * [Pre-upgrade to v1.1.1](#pre-upgrade-to-v111)
+      * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
+      * [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
+  * [v1.1.0+](#v110)
+    * [Pre-upgrade to v1.1.0](#pre-upgrade-to-v110)
+      * [Helmfile cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
+      * [Helmfile cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
+      * [Helmfile cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
+      * [Helmfile cleanup: Splitting external services and openDesk services](#helmfile-cleanup-splitting-external-services-and-opendesk-services)
+      * [Helmfile cleanup: Streamlining `openxchange` and `oxAppSuite` attribute names](#helmfile-cleanup-streamlining-openxchange-and-oxappsuite-attribute-names)
+      * [Helmfile feature update: Dicts to define `customization.release`](#helmfile-feature-update-dicts-to-define-customizationrelease)
+      * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
+      * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
+      * [External requirements: Redis 7.4](#external-requirements-redis-74)
+    * [Post-upgrade to v1.1.0+](#post-upgrade-to-v110)
+      * [XWiki fix-ups](#xwiki-fix-ups)
+  * [v1.1.0](#v110-1)
+    * [Pre-upgrade to v1.1.0](#pre-upgrade-to-v110-1)
+      * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
+      * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
+      * [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled)
+      * [Changed openDesk defaults: Matrix ID](#changed-opendesk-defaults-matrix-id)
+      * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
+      * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
+      * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
+    * [Post-upgrade to v1.0.0+](#post-upgrade-to-v100)
+      * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
+      * [Optional Cleanup](#optional-cleanup)
+* [Automated migrations - Details](#automated-migrations---details)
+  * [v1.6.0+ (automated)](#v160-automated)
+    * [v1.6.0+ migrations-post](#v160-migrations-post)
+  * [v1.2.0+ (automated)](#v120-automated)
+    * [v1.2.0+ migrations-pre](#v120-migrations-pre)
+    * [v1.2.0+ migrations-post](#v120-migrations-post)
   * [v1.1.0+ (automated)](#v110-automated)
   * [v1.0.0+ (automated)](#v100-automated)
   * [Related components and artifacts](#related-components-and-artifacts)
@@ -95,7 +217,8 @@ To upgrade existing deployments, you cannot skip any version mentioned in the co
 
 | Mandatory version |
 | ----------------- |
-<!--| v1.2+             | add the entry to the table as soon as we get new migration requiring the set version (range) to be deployed first -->
+<!-- | 1.x.x        |  add the entry to the table as soon as we get new migration requiring that the former migration was executed -->
+| v1.5.0            |
 | v1.1.x            |
 | v1.0.0            |
 | v0.9.0            |
@@ -112,6 +235,15 @@ If you would like more details about the automated migrations, please read secti
 
 ### Pre-upgrade to v1.6.0+
 
+#### Upstream contraint: Nubus' external secrets
+
+**Target group:** Operators that use external secrets for Nubus.
+
+> **Note**<br>
+> External Secrets are not yet a supported feature. We are working on making it available in 2025, though it is possible to make use of the support for external secrets within single applications using the openDesk [customization](../helmfile/environments/default/customization.yaml.gotmpl) options.
+
+Please ensure you read the [Nubus 1.10.0 "Migration steps" section](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/changelog.html#v1-10-0-migration-steps) with focus on the paragraph "Operators that make use of the following UDM Listener secrets variables" and act accordingly.
+
 #### Helmfile new secret: `secrets.minio.openxchangeUser`
 
 **Target group:** All existing deployments that have OX App Suite enabled and that use externally defined secrets in combination with openDesk provided MinIO object storage.
@@ -781,42 +913,31 @@ kubectl -n ${NAMESPACE} delete pvc shared-run-ums-ldap-server-0
 kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
 ```
 
-## v0.9.0
-
-### Pre-upgrade to v0.9.0
-
-#### Updated `cluster.networking.cidr`
-
-- Action: `cluster.networking.cidr` is now an array (was a string until v0.8.1); please update your setup accordingly if you explicitly set this value.
-- Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml)
-
-#### Updated customizable template attributes
-
-- Action: Please update your custom deployment values according to the updated default value structure.
-- References:
-  - `functional.` prefix for `authentication.*`, `externalServices.*`, `admin.*` and `filestore.*`, see [functional.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/functional.yaml).
-  - `debug.` prefix for `cleanup.*`, see [debug.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/debug.yaml).
-  - `monitoring.` prefix for `prometheus.*` and `grafana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
-  - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
-
-#### `migrations` S3 bucket
-
-- Action: For self-managed/external S3/object storages, please create a bucket called `migrations` using your S3 endpoint.
-- Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
-
 # Automated migrations - Details
 
+## v1.6.0+ (automated)
+
+> **Note**<br>
+> Details can be found in [run_5.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_5.py).
+
+### v1.6.0+ migrations-post
+
+Restarting the StatefulSets `ums-provisioning-nats` and `ox-connector` due to a workaround applied on the NATS secrets, see the "Notes" segment of the ["Password seed" heading in getting-started.md](./docs/getting-started.md#password-seed)
+
+> **Note**<br>
+> This change aims to prevent authentication failures with NATS in some Pods, which can lead to errors such as: `wait-for-nats Unavailable, waiting 2 seconds. Error: nats: 'Authorization Violation'`.
+
 ## v1.2.0+ (automated)
 
 > **Note**<br>
 > Details can be found in [run_4.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_4.py).
 
-### migrations-pre
+### v1.2.0+ migrations-pre
 
 - Delete PVC `group-membership-cache-ums-portal-consumer-0`: With the upgrade the Nubus Portal Consumer no longer requires to be executed with root privileges. The PVC contains files that require root permission to access them, therefore the PVC gets deleted (and re-created) during the upgrade.
 - Delete StatefulSet `ums-portal-consumer`: A bug was fixed in the templating of the Portal Consumer's PVC causing the values in `persistence.storages.nubusPortalConsumer.*` to be ignored. As these values are immutable, we had to delete the whole StatefulSet.
 
-### migrations-post
+### v1.2.0+ migrations-post
 
 - Restarting Deployment `ums-provisioning-udm-transformer` and StatefulSet `ums-provisioning-udm-listener` as well as deleting the Nubus Provisioning consumer `durable_name:incoming` on stream `stream:incoming`: Due to a bug in Nubus 1.7.0 the `incoming` stream was blocked after the upgrade, the aforementioned measures unblock the stream.
 

helmfile/apps/nubus/values-nubus-guardian.yaml.gotmpl

@@ -0,0 +1,235 @@
+{{/*
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+#
+# This file is currently optional for customizing purposes only. It will be a mandatory part of Nubus in a later release.
+#
+nubusGuardian:
+  authorizationApi:
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: RuntimeDefault
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
+      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
+      tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
+      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    imagePullSecrets:
+      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-guardian-authorization-api"
+      {{- with .Values.annotations.nubusGuardian.authorizationApiPod }}
+      {{ . | toYaml | nindent 6 }}
+      {{- end }}
+    podSecurityContext:
+      fsGroup: 1000
+      fsGroupChangePolicy: "Always"
+    replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
+    resources:
+      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
+  global:
+    podAnnotations:
+      {{ .Values.annotations.nubusGuardian.globalPod | toYaml | nindent 6 }}
+  ingress:
+    annotations:
+      {{ .Values.annotations.nubusGuardian.ingressIngress | toYaml | nindent 6 }}
+    certManager:
+      enabled: false
+    tls:
+      enabled: {{ .Values.ingress.tls.enabled }}
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+    items:
+      - name: management-ui
+        host: ""
+        # -- Define the Ingress paths.
+        paths:
+          - path: /univention/guardian/management-ui
+            pathType: Prefix
+            backend:
+              service:
+                name: guardian-management-ui
+                port:
+                  number: 80
+        ingressClassName: ""
+        annotations:
+          {{ .Values.annotations.nubusGuardian.ingressManagementUi | toYaml | nindent 10 }}
+        tls:
+          # enabled: true
+          secretName: ""
+      - name: management-api
+        host: ""
+        paths:
+          - path: /guardian/management
+            pathType: Prefix
+            backend:
+              service:
+                name: guardian-management-api
+                port:
+                  number: 80
+        ingressClassName: ""
+        annotations:
+          {{ .Values.annotations.nubusGuardian.ingressManagementApi | toYaml | nindent 10 }}
+        tls:
+          # enabled: true
+          secretName: ""
+      - name: authorization-api
+        host: ""
+        paths:
+          - path: /guardian/authorization
+            pathType: Prefix
+            backend:
+              service:
+                name: guardian-authorization-api
+                port:
+                  number: 80
+        ingressClassName: ""
+        annotations:
+          {{ .Values.annotations.nubusGuardian.ingressAuthorizationApi | toYaml | nindent 10 }}
+        tls:
+          # enabled: true
+          secretName: ""
+  managementApi:
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: RuntimeDefault
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
+      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
+      tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
+      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    imagePullSecrets:
+      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-guardian-management-api"
+      {{- with .Values.annotations.nubusGuardian.managementApiPod }}
+      {{ . | toYaml | nindent 6 }}
+      {{- end }}
+    podSecurityContext:
+      fsGroup: 1000
+      fsGroupChangePolicy: "Always"
+    replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
+    resources:
+      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
+  managementUi:
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: RuntimeDefault
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
+      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
+      tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
+      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    imagePullSecrets:
+      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-guardian-management-ui"
+      {{- with .Values.annotations.nubusGuardian.managementUiPod }}
+      {{ . | toYaml | nindent 6 }}
+      {{- end }}
+    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
+    resources:
+      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
+  openPolicyAgent:
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: RuntimeDefault
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
+      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
+      tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
+      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    imagePullSecrets:
+      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
+    podSecurityContext:
+      fsGroup: 1000
+      fsGroupChangePolicy: "Always"
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
+    replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
+    resources:
+      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
+  postgresql:
+    connection:
+      host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
+      port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
+    auth:
+      username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+      database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+      existingSecret:
+        name: "ums-guardian-postgresql-opendesk-credentials"
+        keyMapping:
+          password: "guardianDatabasePassword"
+  provisioning:
+    enabled: false
+    config:
+      nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
+      keycloak:
+        credentialSecret:
+          name: "ums-opendesk-keycloak-credentials"
+          key: "admin_password"
+      realm: {{ .Values.platform.realm | quote }}
+      username: "kcadmin"
+    keycloak:
+      auth:
+        existingSecret:
+          name: "ums-opendesk-guardian-client-secret"
+          keyMapping:
+            password: "managementApiClientSecret"
+      connection:
+        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+        baseUrl: "http://ums-keycloak:8080"
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
+      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
+      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
+      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  serviceAccount:
+    annotations:
+      {{ .Values.annotations.nubusGuardian.serviceAccount | toYaml | nindent 6 }}
+---

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
@@ -10,15 +10,14 @@ global:
   certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
   domain: {{ .Values.global.domain | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
   keycloak:
     realm: {{ .Values.platform.realm | quote }}
   ldap:
     baseDn: {{ .Values.ldap.baseDn | quote }}
     domainName: {{ .Values.global.domain | quote }}
-    auth:
-      cnAdmin:
-        password: {{ .Values.secrets.nubus.ldapSecret | quote }}
   nubusDeployment: true
   secrets:
     masterPassword: {{ .Values.secrets.nubus.masterpassword | quote }}
@@ -28,35 +27,31 @@ global:
 
   # -- Extensions to load. Add entries to load additional extensions into Nubus.
   extensions:
-    - name: "ox"
-      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOxExtension.registry | quote }}
-        repository: {{ .Values.images.nubusOxExtension.repository }}
-        tag: {{ .Values.images.nubusOxExtension.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-    - name: "opendesk"
-      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtension.registry | quote }}
-        repository: {{ .Values.images.nubusOpendeskExtension.repository }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-        tag: {{ .Values.images.nubusOpendeskExtension.tag }}
     - name: "opendesk-a2g-mapper"
       image:
         registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtensionA2gMapper.registry | quote }}
         repository: {{ .Values.images.nubusOpendeskExtensionA2gMapper.repository }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
         tag: {{ .Values.images.nubusOpendeskExtensionA2gMapper.tag }}
 
   # -- Allows to configure the system extensions to load. This is intended for
   # internal usage, prefer to use `global.extensions` for user configured
   # extensions.
   systemExtensions:
+    - name: "ox"
+      image:
+        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOxExtension.registry | quote }}
+        repository: {{ .Values.images.nubusOxExtension.repository }}
+        tag: {{ .Values.images.nubusOxExtension.tag }}
+    - name: "opendesk"
+      image:
+        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtension.registry | quote }}
+        repository: {{ .Values.images.nubusOpendeskExtension.repository }}
+        tag: {{ .Values.images.nubusOpendeskExtension.tag }}
     - name: "portal"
       image:
         registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalExtension.registry | quote }}
         repository: {{ .Values.images.nubusPortalExtension.repository }}
         tag: {{ .Values.images.nubusPortalExtension.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
   configUcr:
     directory:
       manager:
@@ -138,10 +133,6 @@ ingress:
     {{- with .Values.annotations.nubus.ingress }}
     {{ . | toYaml | nindent 4 }}
     {{- end }}
-  # temporary fix
-  {{- if not .Values.apps.minio.enabled }}
-  enabled: false
-  {{- end }}
   certManager:
     enabled: false
   tls:
@@ -185,14 +176,16 @@ keycloak:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
     repository: {{ .Values.images.nubusKeycloak.repository }}
     tag: {{ .Values.images.nubusKeycloak.tag }}
+    # NOTE: The subchart "keycloak" does not yet support
+    # "global.imagePullPolicy". The local configuration can be removed once it
+    # does have this feature.
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingress:
     enabled: false
   keycloak:
     auth:
       username: "kcadmin"
+      # TODO: Pending secrets refactoring to be able to provide the value directly
       existingSecret:
         name: "ums-opendesk-keycloak-credentials"
         keyMapping:
@@ -203,6 +196,10 @@ keycloak:
           loginTitle: "Anmeldung bei {{ .Values.theme.texts.productName }}"
         en:
           loginTitle: "Sign in to {{ .Values.theme.texts.productName }}"
+    features:
+      enabled:
+        - "admin-fine-grained-authz:v1"
+        - "token-exchange"
   podAnnotations:
     intents.otterize.com/service-name: "ums-keycloak"
     {{- with .Values.annotations.nubusKeycloak.pod }}
@@ -215,6 +212,7 @@ keycloak:
     auth:
       username: {{ .Values.databases.keycloak.username | quote }}
       database: {{ .Values.databases.keycloak.name | quote }}
+      # TODO: Pending secrets refactoring to be able to provide the value directly
       existingSecret:
         name: "ums-keycloak-postgresql-opendesk-credentials"
         keyMapping:
@@ -261,231 +259,7 @@ keycloak:
   {{- end }}
 
 nubusGuardian:
-  authorizationApi:
+  enabled: false
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
-      tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-guardian-authorization-api"
-      {{- with .Values.annotations.nubusGuardian.authorizationApiPod }}
-      {{ . | toYaml | nindent 6 }}
-      {{- end }}
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
-    replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
-    resources:
-      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
-  global:
-    podAnnotations:
-      {{ .Values.annotations.nubusGuardian.globalPod | toYaml | nindent 6 }}
-  ingress:
-    annotations:
-      {{ .Values.annotations.nubusGuardian.ingressIngress | toYaml | nindent 6 }}
-    certManager:
-      enabled: false
-    tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
-    items:
-      - name: management-ui
-        host: ""
-        # -- Define the Ingress paths.
-        paths:
-          - path: /univention/guardian/management-ui
-            pathType: Prefix
-            backend:
-              service:
-                name: guardian-management-ui
-                port:
-                  number: 80
-        ingressClassName: ""
-        annotations:
-          {{ .Values.annotations.nubusGuardian.ingressManagementUi | toYaml | nindent 10 }}
-        tls:
-          # enabled: true
-          secretName: ""
-      - name: management-api
-        host: ""
-        paths:
-          - path: /guardian/management
-            pathType: Prefix
-            backend:
-              service:
-                name: guardian-management-api
-                port:
-                  number: 80
-        ingressClassName: ""
-        annotations:
-          {{ .Values.annotations.nubusGuardian.ingressManagementApi | toYaml | nindent 10 }}
-        tls:
-          # enabled: true
-          secretName: ""
-      - name: authorization-api
-        host: ""
-        paths:
-          - path: /guardian/authorization
-            pathType: Prefix
-            backend:
-              service:
-                name: guardian-authorization-api
-                port:
-                  number: 80
-        ingressClassName: ""
-        annotations:
-          {{ .Values.annotations.nubusGuardian.ingressAuthorizationApi | toYaml | nindent 10 }}
-        tls:
-          # enabled: true
-          secretName: ""
-  managementApi:
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
-      tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-guardian-management-api"
-      {{- with .Values.annotations.nubusGuardian.managementApiPod }}
-      {{ . | toYaml | nindent 6 }}
-      {{- end }}
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
-    replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
-    resources:
-      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
-  managementUi:
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
-      tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-guardian-management-ui"
-      {{- with .Values.annotations.nubusGuardian.managementUiPod }}
-      {{ . | toYaml | nindent 6 }}
-      {{- end }}
-    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
-    resources:
-      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
-  openPolicyAgent:
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
-      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
-      tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
-    replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
-    resources:
-      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
-  postgresql:
-    connection:
-      host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
-      port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
-    auth:
-      username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
-      database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
-      existingSecret:
-        name: "ums-guardian-postgresql-opendesk-credentials"
-        keyMapping:
-          password: "guardianDatabasePassword"
-  provisioning:
-    enabled: false
-    config:
-      nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
-      keycloak:
-        credentialSecret:
-          name: "ums-opendesk-keycloak-credentials"
-          key: "admin_password"
-      realm: {{ .Values.platform.realm | quote }}
-      username: "kcadmin"
-    keycloak:
-      auth:
-        existingSecret:
-          name: "ums-opendesk-guardian-client-secret"
-          keyMapping:
-            password: "managementApiClientSecret"
-      connection:
-        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "http://ums-keycloak:8080"
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
-      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  serviceAccount:
-    annotations:
-      {{ .Values.annotations.nubusGuardian.serviceAccount | toYaml | nindent 6 }}
 
 nubusNotificationsApi:
   enabled: false
@@ -512,9 +286,6 @@ nubusNotificationsApi:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
     repository: {{ .Values.images.nubusNotificationsApi.repository }}
     tag: {{ .Values.images.nubusNotificationsApi.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingress:
     annotations:
       nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
@@ -539,8 +310,12 @@ nubusNotificationsApi:
     auth:
       username: {{ .Values.databases.umsNotificationsApi.username | quote }}
       database: {{ .Values.databases.umsNotificationsApi.name | quote }}
+      password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+      # NOTE: Nubus has still an existing secret configured for legacy reasons.
+      # This disables the existing secret and ensures that the value from above
+      # is used.
       existingSecret:
-        name: "ums-notifications-api-postgresql-opendesk-credentials"
+        name: null
   service:
     annotations:
       {{ .Values.annotations.nubusNotificationsApi.service | toYaml | nindent 6 }}
@@ -576,9 +351,6 @@ nubusPortalFrontend:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
     repository: {{ .Values.images.nubusPortalFrontend.repository }}
     tag: {{ .Values.images.nubusPortalFrontend.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingress:
     annotations:
       {{ .Values.annotations.nubusPortalFrontend.ingressIngress | toYaml | nindent 6 }}
@@ -658,6 +430,8 @@ nubusKeycloakExtensions:
   keycloak:
     auth:
       username: "kcadmin"
+      # TODO: Pending secrets refactoring in component chart. This will refer to
+      # the secret generated by the keycloak subchart.
       existingSecret:
         name: "ums-opendesk-keycloak-credentials"
         keyMapping:
@@ -669,7 +443,11 @@ nubusKeycloakExtensions:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
       repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
       tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
+      # NOTE: The subchart "keycloak-extensions" does not yet support
+      # "global.imagePullPolicy".
       imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    # NOTE: Remove once the keycloak-extensions subchart respects
+    # "global.imagePullSecrets".
     imagePullSecrets:
       {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     ingress:
@@ -735,6 +513,7 @@ nubusKeycloakExtensions:
     auth:
       database: {{ .Values.databases.keycloakExtension.name | quote }}
       username: {{ .Values.databases.keycloakExtension.username | quote }}
+      # TODO: Pending secrets refactoring for this component chart
       existingSecret:
         name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
         keyMapping:
@@ -748,6 +527,7 @@ nubusKeycloakExtensions:
     auth:
       enabled: true
       username: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+      # TODO: Pending secrets refactoring in the component chart
       password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
       existingSecret:
         name: "ums-keycloak-extensions-smtp-opendesk-credentials"
@@ -765,7 +545,11 @@ nubusKeycloakExtensions:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
       repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
       tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
+      # NOTE: The subchart "keycloak-extensions" does not yet support
+      # "global.imagePullPolicy".
       imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    # NOTE: Remove once the keycloak-extensions subchart respects
+    # "global.imagePullSecrets".
     imagePullSecrets:
       {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     podAnnotations:
@@ -788,9 +572,6 @@ nubusKeycloakExtensions:
       annotations:
         {{ .Values.annotations.nubusKeycloakExtensions.handlerServiceAccount | toYaml | nindent 8 }}
 
-nubusPortalListener:
-  enabled: false
-
 nubusPortalConsumer:
   enabled: true
   portalConsumer:
@@ -798,24 +579,12 @@ nubusPortalConsumer:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
       repository: {{ .Values.images.nubusPortalConsumer.repository }}
       tag: {{ .Values.images.nubusPortalConsumer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-      pullSecrets:
-        {{- range .Values.global.imagePullSecrets }}
-        - name: {{ . | quote }}
-        {{- end }}
     assetsBaseUrl: {{ printf "https://%s.%s/univention/portal" .Values.global.hosts.nubus .Values.global.domain | quote }}
     logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   objectStorage:
     auth:
       accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
-      accessKey: {{ .Values.objectstores.nubus.username | quote }}
       secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-      secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-      existingSecret:
-        name: "{{ .Release.Name }}-portal-consumer-minio-credentials"
-        keyMapping:
-          accessKey: "accessKey"
-          secretKey: "secretKey"
     bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
     endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
   persistence:
@@ -846,7 +615,6 @@ nubusPortalConsumer:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     {{- if .Values.certificate.selfSigned }}
     extraVolumeMounts:
       - name: "trusted-cert-secret-volume"
@@ -905,9 +673,6 @@ nubusPortalServer:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
     repository: {{ .Values.images.nubusPortalServer.repository }}
     tag: {{ .Values.images.nubusPortalServer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingress:
     annotations:
         nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
@@ -932,18 +697,11 @@ nubusPortalServer:
       {{ .Values.annotations.nubusPortalServer.persistence | toYaml | nindent 6 }}
   podAnnotations:
     {{ .Values.annotations.nubusPortalServer.pod | toYaml | nindent 4 }}
-  portalServer:
-    objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
-    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
-    objectStorageCredentialSecret:
-      name: "ums-portal-server-minio-opendesk-credentials"
-      accessKeyKey: "access-key-id"
-      secretKeyKey: "secret-key-id"
   portalServer:
     centralNavigation:
       enabled: true
-      existingSecret:
+      auth:
-        name: "ums-opendesk-portal-server-central-navigation"
+        sharedSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
     featureToggles:
       notifications_api: false
   replicaCount: {{ .Values.replicas.umsPortalServer }}
@@ -1005,8 +763,6 @@ nubusUdmRestApi:
     runAsNonRoot: true
     seLinuxOptions:
       {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingress:
     enabled: {{ .Values.functional.externalServices.nubus.udmRestApi.enabled }}
     annotations:
@@ -1025,6 +781,23 @@ nubusUdmRestApi:
       secretName: {{ .Values.ingress.tls.secretName | quote }}
   initResources:
     {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
+  waitForDependency:
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+      repository: {{ .Values.images.nubusWaitForDependency.repository }}
+      tag: {{ .Values.images.nubusWaitForDependency.tag }}
+  blocklistCleanup:
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusBlocklistCleanup.registry | quote }}
+      repository: {{ .Values.images.nubusBlocklistCleanup.repository }}
+      tag: {{ .Values.images.nubusBlocklistCleanup.tag }}
+  ldapUpdateUniventionObjectIdentifier:
+    enabled: true
+    suspend: false
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapUpdateUniventionObjectIdentifier.registry | quote }}
+      repository: {{ .Values.images.nubusLdapUpdateUniventionObjectIdentifier.repository }}
+      tag: {{ .Values.images.nubusLdapUpdateUniventionObjectIdentifier.tag }}
   persistence:
     annotations:
       {{ .Values.annotations.nubusUdmRestApi.persistence | toYaml | nindent 6 }}
@@ -1047,7 +820,6 @@ nubusUdmRestApi:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
       repository: {{ .Values.images.nubusUdmRestApi.repository }}
       tag: {{ .Values.images.nubusUdmRestApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusLdapNotifier:
   additionalAnnotations:
@@ -1070,9 +842,6 @@ nubusLdapNotifier:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
     repository: {{ .Values.images.nubusLdapNotifier.repository }}
     tag: {{ .Values.images.nubusLdapNotifier.tag }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   podAnnotations:
     intents.otterize.com/service-name: "ums-ldap-notifier"
     {{- with .Values.annotations.nubusLdapNotifier.pod }}
@@ -1091,10 +860,6 @@ serviceAccount:
 nubusLdapServer:
   additionalAnnotations:
     {{ .Values.annotations.nubusLdapServer.additional | toYaml | nindent 4 }}
-  global:
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-ldap-server"
   dhInitcontainer:
@@ -1102,20 +867,19 @@ nubusLdapServer:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
       repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
       tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
   ldapServer:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
       repository: {{ .Values.images.nubusLdapServer.repository }}
       tag: {{ .Values.images.nubusLdapServer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    auth:
+      password: {{ .Values.secrets.nubus.ldapSecret | quote }}
     leaderElector:
       image:
         registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerLeaderElector.registry | quote }}
         repository: {{ .Values.images.nubusLdapServerLeaderElector.repository }}
         tag: {{ .Values.images.nubusLdapServerLeaderElector.tag }}
-        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   persistence:
     size: {{ .Values.persistence.storages.nubusLdapServerData.size | quote }}
     storageClass: {{ coalesce .Values.persistence.storages.nubusLdapServerData.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
@@ -1139,7 +903,6 @@ nubusLdapServer:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusProvisioning:
   enabled: true
@@ -1152,14 +915,16 @@ nubusProvisioning:
       {{ . | toYaml | nindent 6 }}
       {{- end }}
     auth:
-      adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote }}
+      admin:
-      prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
+        password: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote }}
-      udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
+      prefill:
+        password: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
+      eventsUdm:
+        password: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
       tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     nats:
       auth:
         password: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
@@ -1191,7 +956,6 @@ nubusProvisioning:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
       tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     nats:
       auth:
         password: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
@@ -1199,11 +963,6 @@ nubusProvisioning:
       {{ .Values.annotations.nubusProvisioning.dispatcherPod | toYaml | nindent 6 }}
     resources:
       {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  ldap:
-    auth:
-      password: {{ .Values.secrets.nubus.ldapSecret | quote }}
   nats:
     additionalAnnotations:
       intents.otterize.com/service-name: "ums-provisioning-nats"
@@ -1229,19 +988,23 @@ nubusProvisioning:
       runAsNonRoot: true
       seLinuxOptions:
         {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     nats:
       image:
         registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
         repository: {{ .Values.images.nubusNats.repository }}
         tag: {{ .Values.images.nubusNats.tag }}
+        # NOTE: The subchart does not yet fully support
+        # "global.imagePullPolicy". This can be removed once the subchart has
+        # been adjusted.
         imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     natsBox:
       image:
         registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
         repository: {{ .Values.images.nubusNatsBox.repository }}
         tag: {{ .Values.images.nubusNatsBox.tag }}
+        # NOTE: The subchart does not yet fully support
+        # "global.imagePullPolicy". This can be removed once the subchart has
+        # been adjusted.
         imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     persistence:
       size: {{ .Values.persistence.storages.nubusProvisioningNats.size }}
@@ -1251,6 +1014,9 @@ nubusProvisioning:
         registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
         repository: {{ .Values.images.nubusNatsReloader.repository }}
         tag: {{ .Values.images.nubusNatsReloader.tag }}
+        # NOTE: The subchart does not yet fully support
+        # "global.imagePullPolicy". This can be removed once the subchart has
+        # been adjusted.
         imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     resources:
       {{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
@@ -1268,7 +1034,6 @@ nubusProvisioning:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
       tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     nats:
       auth:
         password: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
@@ -1286,7 +1051,6 @@ nubusProvisioning:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
       tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     nats:
       auth:
         password: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
@@ -1311,13 +1075,12 @@ nubusProvisioning:
         existingSecret:
           name: ums-provisioning-ox-credentials
           keyMapping:
-            password: "ox-connector.json"
+            registration: "ox-connector.json"
     {{- end }}
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-provisioning-register-consumers"
       {{- with .Values.annotations.nubusProvisioning.registerConsumersPod }}
@@ -1354,9 +1117,9 @@ nubusUdmListener:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
     repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
     tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  persistence:
-  imagePullSecrets:
+    size: {{ .Values.persistence.storages.nubusUdmListener.size | quote }}
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+#    storageClass: -- coalesce .Values.persistence.storages.nubusUdmListener.storageClassName .Values.persistence.storageClassNames.RWO | quote --
   podAnnotations:
     {{ .Values.annotations.nubusUdmListener.pod | toYaml | nindent 4 }}
   replicaCount: {{ .Values.replicas.umsUdmListener }}
@@ -1369,13 +1132,6 @@ nubusUdmListener:
     annotations:
       {{ .Values.annotations.nubusUdmListener.serviceAccount | toYaml | nindent 6 }}
 
-nubusSelfServiceListener:
-  enabled: false
-  resources:
-    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
-  resourcesWaitForDependency:
-    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
-
 nubusSelfServiceConsumer:
   enabled: true
   containerSecurityContext:
@@ -1396,9 +1152,6 @@ nubusSelfServiceConsumer:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
     repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
     tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   podAnnotations:
     intents.otterize.com/service-name: "ums-selfservice-listener"
     {{- with .Values.annotations.nubusSelfserviceConsumer.pod }}
@@ -1420,7 +1173,6 @@ nubusSelfServiceConsumer:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 # Nubus services
 nubusStackDataUms:
@@ -1449,7 +1201,8 @@ nubusStackDataUms:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
     repository: {{ .Values.images.nubusDataLoader.repository }}
     tag: {{ .Values.images.nubusDataLoader.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+  # TODO: Are these used for anything?
   nubusPortalConsumer:
     objectStorage:
       bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
@@ -1458,6 +1211,7 @@ nubusStackDataUms:
     objectStorage:
       bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
       endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
+
   initResources:
     {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
   # In openDesk the external memcache does not expect a username to be set. Overwriting
@@ -1475,17 +1229,15 @@ nubusStackDataUms:
         host: {{ .Values.databases.umsSelfservice.host | quote }}
   podAnnotations:
     {{ .Values.annotations.nubusStackDataUms.pod | toYaml | nindent 4 }}
-  pullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   resources:
     {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
   stackDataContext:
-    umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
-    umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
-    umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
-    umcMemcachedUsername: ""
     externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
+    # NOTE: The sub-chart is not yet properly respecting the configuration of
+    # "global.subDomains.portal". This value should be removed once this is
+    # supported in the sub-chart.
+    ldapSamlSpUrls: {{ printf "https://%s.%s/univention/saml/metadata" .Values.global.hosts.nubus .Values.global.domain | quote }}
     smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
     smtpPort: 25
     smtpUser: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
@@ -1599,12 +1351,12 @@ nubusUmcServer:
     capabilities:
       drop:
         - "ALL"
-    runAsUser: 0
+    runAsUser: 999
-    runAsGroup: 0
+    runAsGroup: 999
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
-    runAsNonRoot: false
+    runAsNonRoot: true
     seLinuxOptions:
       {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
   containerSecurityContextSssd:
@@ -1638,10 +1390,6 @@ nubusUmcServer:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
     repository: {{ .Values.images.nubusUmcServer.repository }}
     tag: {{ .Values.images.nubusUmcServer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingress:
     annotations:
       nginx.ingress.kubernetes.io/use-regex: "true"
@@ -1660,10 +1408,7 @@ nubusUmcServer:
     bundled: false
     server: {{ .Values.cache.umsSelfservice.host | quote }}
     auth:
-      existingSecret:
+      password: ""
-        name: "ums-umc-server-memcached-opendesk-credentials"
-        keyMapping:
-          memcached-password: "umcServerMemcachedPassword"
   podAnnotations:
     {{ .Values.annotations.nubusUmcServer.pod | toYaml | nindent 4 }}
   postgresql:
@@ -1674,16 +1419,17 @@ nubusUmcServer:
     auth:
       username: {{ .Values.databases.umsSelfservice.username | quote }}
       database: {{ .Values.databases.umsSelfservice.name | quote }}
+      password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+      # NOTE: Nubus has still an existing secret configured for legacy reasons.
+      # This disables the existing secret and ensures that the value from above
+      # is used.
       existingSecret:
-        name: "ums-umc-server-postgresql-opendesk-credentials"
+        name: null
-        keyMapping:
-          password: "umcServerDatabasePassword"
   proxy:
     image:
       registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
       repository: {{ .Values.images.nubusUmcServerProxy.repository }}
       tag: {{ .Values.images.nubusUmcServerProxy.tag }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
   replicaCount: {{ .Values.replicas.umsUmcServer }}
   resources:
@@ -1708,8 +1454,8 @@ nubusUmcServer:
     annotations:
       {{ .Values.annotations.nubusUmcServer.serviceAccount | toYaml | nindent 6 }}
   smtp:
-    existingSecret:
+    auth:
-      name: "ums-umc-server-smtp-credentials-custom"
+      password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
 
 nubusUmcGateway:
   containerSecurityContext:
@@ -1730,10 +1476,6 @@ nubusUmcGateway:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
     repository: {{ .Values.images.nubusUmcGateway.repository }}
     tag: {{ .Values.images.nubusUmcGateway.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingress:
     annotations:
       nginx.ingress.kubernetes.io/use-regex: "true"
@@ -1789,9 +1531,10 @@ nubusKeycloakBootstrap:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
     repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
     tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
+    # NOTE: The subchart does not yet fully support
+    # "global.imagePullPolicy". This can be removed once the subchart has
+    # been adjusted.
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   keycloak:
     auth:
       username: "kcadmin"
@@ -1814,6 +1557,9 @@ nubusKeycloakBootstrap:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
+      # NOTE: The subchart does not yet fully support
+      # "global.imagePullPolicy". This can be removed once the subchart has
+      # been adjusted.
       imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   serviceAccount:
     annotations:
@@ -1821,9 +1567,6 @@ nubusKeycloakBootstrap:
 
 # Credential secrets for accessing customer supplied services
 extraSecrets:
-  - name: "ums-opendesk-portal-server-central-navigation"
-    stringData:
-      password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   - name: "ums-opendesk-guardian-client-secret"
     stringData:
       managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
@@ -1836,15 +1579,6 @@ extraSecrets:
   - name: "ums-guardian-postgresql-opendesk-credentials"
     stringData:
       guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
-  - name: "ums-notifications-api-postgresql-opendesk-credentials"
-    stringData:
-      password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
-  - name: "ums-umc-server-postgresql-opendesk-credentials"
-    stringData:
-      umcServerDatabasePassword: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-  - name: "ums-umc-server-memcached-opendesk-credentials"
-    stringData:
-      umcServerMemcachedPassword: ""
   - name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
     stringData:
       umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
@@ -1854,13 +1588,6 @@ extraSecrets:
   - name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
     stringData:
       password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
-  - name: "ums-portal-server-minio-opendesk-credentials"
-    stringData:
-      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
-      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-  - name: "ums-umc-server-smtp-credentials-custom"
-    stringData:
-      password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
   - name: "ums-provisioning-ox-credentials"
     stringData:
       ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"

helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---

helmfile/apps/opendesk-migrations-pre/values.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---

helmfile/environments/default/charts.yaml.gotmpl

@@ -231,7 +231,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
     name: "opendesk-migrations"
-    version: "1.6.0"
+    version: "1.7.4"
     verify: true
   minio:
     # providerCategory: "Community"
@@ -303,7 +303,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "nubus"
-    version: "1.9.1"
+    version: "1.11.1"
     verify: true
   opendeskAlerts:
     # providerCategory: "Platform"

helmfile/environments/default/images.yaml.gotmpl

@@ -296,7 +296,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.6.1@sha256:cc97de002f5821e3b3751879514f3f45a3b4ffa851d999187c3cf3dd0dee82e7"
+    tag: "1.7.5@sha256:98375df151d4b9bba81b5a7f3ab80dedd4cbd46dd0440c94b014b656b7115c71"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -361,6 +361,16 @@ images:
     registry: "registry-1.docker.io"
     repository: "lasuite/impress-y-provider"
     tag: "v3.2.1@sha256:9dd7068336c02fe71806bc3576e7dc8636d7ccb139667c6303f0753e18d3ab7e"
+  nubusBlocklistCleanup:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/blocklist-cleanup"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "34", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/blocklist-cleanup"
+    tag: "0.34.2@sha256:137dc06ef02ea4962f5bd55c093153eead2b9f2d204cfc26fd44bc77397b9461"
   nubusDataLoader:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -370,7 +380,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "41", "5"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.90.0@sha256:a776ea84ca5d4f984a1ecf1f97d8c90cd98894c3568401be6858a8e955c7ed92"
+    tag: "0.95.0@sha256:57028c6a76d000a2085f7a429c704ac495be6e4e7ce0a5cc85e3bed25766ce32"
   nubusGuardianAuthorizationApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -420,7 +430,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "0", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak"
-    tag: "0.0.1@sha256:ce2397ac38920750b81a8a6065f7ed8a551641c6562a551963a2857fe6822beb"
+    tag: "0.2.1@sha256:c338d5bba11185b1cca6d5e5e1b6fe28bedcd8f02af8b4b96e431bde617f5f72"
   nubusKeycloakBootstrap:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -430,7 +440,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "1", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.11.0@sha256:55ad741e01dd91bb9b0332fd602a6262d3618abdf97a86c13f1e6148b36bd242"
+    tag: "0.12.1@sha256:4a36e3753bda7d6ccc6fc98f5e115bf96a4257c1a9458d075888256484cfdd4b"
   nubusKeycloakExtensionHandler:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -460,7 +470,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.37.0@sha256:b148e15c268badc45db9a6ce12c97cce332d25b86e86fec47fc417b8fe74d0d2"
+    tag: "0.43.0@sha256:dcd4e7f1008eb4c6c1ae809785bee0da9cba1347af09ddbc147b76c422f4f35c"
   nubusLdapServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -470,7 +480,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.37.0@sha256:caf7de9e121e5500c52dc8338b80057acd3eaa1e3877b526a5ae944bb53fe876"
+    tag: "0.43.0@sha256:67557ec3e3bd7ff4981666dddb5455672ee8767e12e3876ea79447627f9d9742"
   nubusLdapServerDhInitContainer:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -488,7 +498,17 @@ images:
     # upstreamMirrorStartFrom: ["0", "29", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.37.0@sha256:c9580e33ea48ec5d7ab2d4816926ca1b2ef72787f7615f31b124119c376c4324"
+    tag: "0.40.0@sha256:abd273062824bf652b891b37ef3093771a8f686ef414cbe376c837293d115ac9"
+  nubusLdapUpdateUniventionObjectIdentifier:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/ldap-update-univention-object-identifier"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "34", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-update-univention-object-identifier"
+    tag: "0.34.2@sha256:137dc06ef02ea4962f5bd55c093153eead2b9f2d204cfc26fd44bc77397b9461"
   nubusNats:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -522,7 +542,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.67.0@sha256:da28ce84d97b78027eafbe0bcf8286a333efffdfc52a8abe852caed9d8cde339"
+    tag: "0.70.0@sha256:0120cca997eddcd6b9a5f0b9d6fb39ac2ffb118357380c28ab5352c16130a873"
   nubusOpendeskExtension:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -558,7 +578,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "10", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
-    tag: "0.11.0@sha256:2cb5a9683b6ff81b995a5c71da52c2ff8177b662bb0be8f11e9cd0c6b48d8a11"
+    tag: "0.11.1@sha256:e57df5c02d0480ccf1d299964e3c676d92440d5e959b4f587945f08624da3ae9"
   nubusPortalConsumer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -568,7 +588,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "27", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.67.1@sha256:580adf9079d27f53f6efd0c519252c7855f6907e3badc033b994165856b16126"
+    tag: "0.70.0@sha256:09eed9e5a7066f69b5d6085541ca91538ca9519d765ec7109d6934a6e67ab7cc"
   nubusPortalExtension:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -596,7 +616,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.67.0@sha256:d9418c7a1db7541ced1e3034f45683c190bf63270c6ba8f3d67c1fe0ac2edb1a"
+    tag: "0.70.0@sha256:1331d5b5861574195f6bd0dfc3c8e1d6a2650b518e206a2815b682d43ab75d0b"
   nubusProvisioningDispatcher:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -606,7 +626,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.51.0@sha256:f0cea25f788ff565b883e50c6138874c6f0338e0f91c5f8a32595323059930ef"
+    tag: "0.56.0@sha256:324866b7a80e17c5a1a6bbc02163a14e084eecc86df1ece5b3e10d3344bbe1ad"
   nubusProvisioningEventsAndConsumerApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -616,7 +636,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.51.0@sha256:66fec83fd5033cf32cd759e9c73f7ae659a4ec45a433f13417a12e007b1d4db6"
+    tag: "0.56.0@sha256:37d8ac54a9d06685e4536f6f349a51efc0f51a5a06d2503333918377cb7fed37"
   nubusProvisioningPrefill:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -626,7 +646,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.51.0@sha256:ff04d8cec6ecc0b33cdea164e1ba1222c90ed9fe8370057a58329b4521e56de1"
+    tag: "0.56.0@sha256:76b6f556a8baec164ee060104d85b9641bd6f17342d40a53943eea03fd432343"
   nubusProvisioningUdmListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -636,7 +656,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.51.0@sha256:5f0bba855945da2fa97d40b0fe51a14e3495b0b6da83562def6a6fcf4c21c059"
+    tag: "0.56.0@sha256:e89f2094f245b70ffa198942ae4310e5784b61099ac80f427659a28706b509f5"
   nubusProvisioningUdmTransformer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -646,7 +666,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.51.0@sha256:ce9c312699ebe42c2e1df0d6caf150dfda1e4cc3fc1aaebe62c9ea5de8c11780"
+    tag: "0.56.0@sha256:4bb855be7a1b9abb8c6ae07afd9c35acb6d7aaad80d36c1132e054fe1bdd0156"
   nubusSelfServiceConsumer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -656,7 +676,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.15.0@sha256:a7c4c097029de8903e3c2eee2082d740b5352dcc7a7a2a3c330bd9ebd7ad5b62"
+    tag: "0.17.0@sha256:00e6124eecc1b763326023ecaf9702053e24b39b20f5efbcd35dfaad642d2cda"
   nubusUdmRestApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -666,7 +686,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.30.0@sha256:9503666bac5f44a1d7cb6f17c6fd11a7d6976bc9059938596b6ac9f7bb581ca5"
+    tag: "0.37.1@sha256:a0508191a52ed9c388e0574cf6a97031fdfffcff95ab8ca3e4231c795d3a68df"
   nubusUmcGateway:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -676,7 +696,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.43.1@sha256:e1f23a199e1e35667e2ba6a45866bcb6d37bc2b13f3b8134e511ae95973c743b"
+    tag: "0.47.1@sha256:71d1fb00a28a7cc83e1a8a675b8e9dc3ff67b1d7f366b2d60f9623fdb5f6e419"
   nubusUmcServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -686,7 +706,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.43.1@sha256:1aef76db446164c3ffaeaf233e9ef6303ebb1609b47f918ac4ab6714abf95283"
+    tag: "0.47.1@sha256:8f451e7b50c6a32a8d4bad5959a103e34e3ae8d0bef2fe3df2dc8fbe7ae9c1b6"
   nubusUmcServerProxy:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -704,7 +724,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.30.0@sha256:fa804c2a10aa42439bf3f388007d7e55c046d6da6dc8a74c27f5a989fd422c8d"
+    tag: "0.33.0@sha256:7e0e5e93422b2e99915d95d674ab37a8f9c79c0b8f1ebf69c2e7706bb718ae75"
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"

helmfile/environments/default/persistence.yaml.gotmpl

@@ -36,6 +36,14 @@ persistence:
     nubusProvisioningNats:
       size: "1Gi"
       storageClassName: ~
+    # This option was introduced with openDesk 1.6. For now we want to use the Helm charts default empty string
+    # to avoid issues during the upgrade modifying an existing PV, as the migrations in 1.6 required a smooth
+    # Nubus deployment.
+    # In a later openDesk release we will advise in the migrations.md to explicitly set this on existing deployments
+    # to the default storage class.
+    nubusUdmListener:
+      size: "1Gi"
+      #storageClassName: ""
     oxConnector:
       size: "1Gi"
       storageClassName: ~

helmfile/shared/migrations.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
@@ -19,7 +19,7 @@ cleanup:
   deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 migrations:
-  runId: 4
+  runId: 5
   namespace: {{ .Values.apps.migrations.namespace | default .Release.Namespace | quote }}
   loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   failOnUnexpectedState: true