From 19438c02817875bd408c5d6cf423d7bfb61f907f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 5 Nov 2025 13:05:58 +0100 Subject: [PATCH 01/28] feat(openproject): Update OpenProject from 16.5.1 to 16.6.0 --- README.md | 2 +- helmfile/environments/default/images.yaml.gotmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 79fdec97..b757bf87 100644 --- a/README.md +++ b/README.md 
@@ -41,7 +41,7 @@ openDesk currently features the following functional main components: | Groupware | OX App Suite | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend) | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/) | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) | | Knowledge management | XWiki | LGPL-2.1-or-later | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) | | Portal & IAM | Nubus | AGPL-3.0-or-later | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html) | -| Project management | OpenProject | GPL-3.0-only | [16.5.1](https://www.openproject.org/docs/release-notes/16-5-1/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) | +| Project management | OpenProject | GPL-3.0-only | [16.6.0](https://www.openproject.org/docs/release-notes/16-6-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) | | Videoconferencing | Jitsi | Apache-2.0 | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) | | Weboffice | Collabora | MPL-2.0 | [25.04.5](https://www.collaboraoffice.com/code-25-04-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) | diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index a12b9a7a..20da9f04 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl 
@@ -762,7 +762,7 @@ images: # upstreamMirrorStartFrom: ["13", "1", "1"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk" - tag: "16.5.1@sha256:0e29ae9fcee825b76d62e10e374c10ad40da20ba9c0e584839645bb68e6167bf" + tag: "16.6.0@sha256:11fcbc357a5a4e724bb1164e43a93c713f73e5efb52212d75cfc845becbf64c0" openprojectBootstrap: # providerCategory: "Platform" # providerResponsible: "openDesk" From 7aa717c0509a731c060c58a1b5877e1d9899406f Mon Sep 17 00:00:00 2001 
From: Sven-Erik Schmidt Date: Tue, 14 Oct 2025 16:54:36 +0200 Subject: [PATCH 02/28] fix(helmfile): Streamline annotations --- .../values-coco-enterprise.yaml.gotmpl | 5 +- helmfile/apps/collabora/values.yaml.gotmpl | 5 +- helmfile/apps/cryptpad/values.yaml.gotmpl | 5 +- .../apps/element/values-element.yaml.gotmpl | 5 +- .../values-matrix-neoboard-widget.yaml.gotmpl | 5 +- ...values-matrix-neochoice-widget.yaml.gotmpl | 5 +- ...atrix-neodatefix-bot-bootstrap.yaml.gotmpl | 11 ++- .../values-matrix-neodatefix-bot.yaml.gotmpl | 5 +- ...alues-matrix-neodatefix-widget.yaml.gotmpl | 5 +- ...verification-service-bootstrap.yaml.gotmpl | 5 +- ...trix-user-verification-service.yaml.gotmpl | 5 +- .../element/values-synapse-admin.yaml.gotmpl | 5 ++ .../values-synapse-adminbot-pipe.yaml.gotmpl | 2 + .../values-synapse-adminbot-web.yaml.gotmpl | 2 + .../values-synapse-auditbot-pipe.yaml.gotmpl | 2 + .../values-synapse-groupsync.yaml.gotmpl | 2 + .../element/values-synapse-web.yaml.gotmpl | 5 +- .../apps/element/values-synapse.yaml.gotmpl | 5 +- .../element/values-well-known.yaml.gotmpl | 5 +- helmfile/apps/jitsi/values-jitsi.yaml.gotmpl | 42 ++++++---- .../values-nextcloud-management.yaml.gotmpl | 2 +- .../values-nextcloud-notifypush.yaml.gotmpl | 6 +- .../nextcloud/values-nextcloud.yaml.gotmpl | 12 ++- helmfile/apps/notes/values.yaml.gotmpl | 25 ++++-- .../nubus/values-intercom-service.yaml.gotmpl | 5 +- .../nubus/values-nginx-s3-gateway.yaml.gotmpl | 5 +- helmfile/apps/nubus/values-nubus.yaml.gotmpl | 82 +++++++++++++------ .../open-xchange/values-dovecot.yaml.gotmpl | 5 +- .../values-openxchange-bootstrap.yaml.gotmpl | 1 + ...ues-openxchange-contact-picker.yaml.gotmpl | 1 + .../values-openxchange.yaml.gotmpl | 54 +++++++++--- .../values-oxconnector.yaml.gotmpl | 5 +- .../open-xchange/values-postfix.yaml.gotmpl | 5 +- .../values.yaml.gotmpl | 5 +- .../values.yaml.gotmpl | 5 +- .../values-opendesk-static-files.yaml.gotmpl | 5 +- .../values-otterize.yaml.gotmpl | 16 +++- 
helmfile/apps/openproject/values.yaml.gotmpl | 5 +- .../values-cassandra.yaml.gotmpl | 6 +- .../values-clamav-distributed.yaml.gotmpl | 20 ++++- .../values-clamav-simple.yaml.gotmpl | 5 +- .../values-dkimpy.yaml.gotmpl | 5 +- .../values-mariadb.yaml.gotmpl | 1 + .../values-memcached.yaml.gotmpl | 6 +- .../values-minio.yaml.gotmpl | 10 ++- .../values-postfix.yaml.gotmpl | 7 +- .../values-postgresql.yaml.gotmpl | 1 + .../values-redis.yaml.gotmpl | 5 +- .../default/annotations.yaml.gotmpl | 5 ++ 49 files changed, 338 insertions(+), 108 deletions(-) diff --git a/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl b/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl index 30f07cbf..c28115bd 100644 --- a/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl +++ b/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl @@ -47,7 +47,10 @@ ingress: - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}" podAnnotations: - {{ .Values.annotations.coco.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "collabora-controller" + {{- with .Values.annotations.coco.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} securityContext: allowPrivilegeEscalation: false diff --git a/helmfile/apps/collabora/values.yaml.gotmpl b/helmfile/apps/collabora/values.yaml.gotmpl index 5d902df3..1dc60831 100644 --- a/helmfile/apps/collabora/values.yaml.gotmpl +++ b/helmfile/apps/collabora/values.yaml.gotmpl @@ -110,7 +110,10 @@ ingress: - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}" podAnnotations: - {{ .Values.annotations.collabora.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "collabora" + {{- with .Values.annotations.collabora.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: fsGroup: 1001 diff --git a/helmfile/apps/cryptpad/values.yaml.gotmpl b/helmfile/apps/cryptpad/values.yaml.gotmpl index 47dc0a3d..c1657419 100644 --- a/helmfile/apps/cryptpad/values.yaml.gotmpl 
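Review bot: The fixed `intents.otterize.com/service-name` key and the operator-supplied map now render into the same `podAnnotations:` mapping, so an entry with that key in `.Values.annotations.coco.pod` (or `.collabora.pod`) produces a duplicate key in the rendered values. Most YAML parsers keep the last occurrence, so the override would silently replace the identity that the Otterize intents are matched against, and a strict parser would reject the file instead. One option is to let the fixed value win explicitly, e.g. `{{ merge (dict "intents.otterize.com/service-name" "collabora") (.Values.annotations.collabora.pod | default dict) | toYaml | nindent 2 }}`. Otherwise, document the key as reserved next to the defaults in `annotations.yaml.gotmpl`. The same pattern repeats in every `podAnnotations` hunk of this patch.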
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl @@ -55,7 +55,10 @@ persistence: enabled: false podAnnotations: - {{ .Values.annotations.cryptpad.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "cryptpad" + {{- with .Values.annotations.cryptpad.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: fsGroup: 4001 diff --git a/helmfile/apps/element/values-element.yaml.gotmpl b/helmfile/apps/element/values-element.yaml.gotmpl index e5c21a23..6a07e362 100644 --- a/helmfile/apps/element/values-element.yaml.gotmpl +++ b/helmfile/apps/element/values-element.yaml.gotmpl @@ -143,7 +143,10 @@ ingress: {{ .Values.annotations.element.ingress | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.element.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "opendesk-element" + {{- with .Values.annotations.element.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl index 558a5312..0d885a05 100644 --- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl +++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl @@ -44,7 +44,10 @@ ingress: {{ .Values.annotations.elementMatrixNeoboardWidget.ingress | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.elementMatrixNeoboardWidget.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "matrix-neoboard-widget" + {{- with .Values.annotations.elementMatrixNeoboardWidget.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl index 6572950a..368c477f 100644 --- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl +++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl 
@@ -44,7 +44,10 @@ ingress: {{ .Values.annotations.elementMatrixNeochoiceWidget.ingress | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.elementMatrixNeochoiceWidget.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "matrix-neochoice-widget" + {{- with .Values.annotations.elementMatrixNeochoiceWidget.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl index 2713a494..b75aa36d 100644 --- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl +++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl @@ -25,7 +25,10 @@ image: fullnameOverride: "matrix-neodatefix-bot-bootstrap" podAnnotations: - {{ .Values.annotations.elementMatrixNeodatefixBotBootstrap.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "values-matrix-neodatefix-bot-bootstrap" + {{- with .Values.annotations.elementMatrixNeodatefixBotBootstrap.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} securityContext: allowPrivilegeEscalation: false @@ -42,7 +45,7 @@ securityContext: seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }} -podAnnotations: - {{ .Values.annotations.elementMatrixNeodatefixBotBootstrap.serviceAccount | toYaml | nindent 2 }} - +serviceAccount: + annotations: + {{ .Values.annotations.elementMatrixNeodatefixBotBootstrap.serviceAccount | toYaml | nindent 4 }} ... diff --git a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl index ba4c41c6..2e4033ef 100644 --- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl +++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl 
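Review bot: In `values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl` the new service name is `"values-matrix-neodatefix-bot-bootstrap"`, while `fullnameOverride` two lines above is `"matrix-neodatefix-bot-bootstrap"`; the `values-` prefix looks like it was copied from the file name. If the intents for this job reference the workload by its real name, the annotation will not match and the policy for the bootstrap pod will either not apply or block it, depending on enforcement mode. Suggested line: `intents.otterize.com/service-name: "matrix-neodatefix-bot-bootstrap"`. The second hunk of the same file (moving the service-account annotations out of a duplicated `podAnnotations:` key into `serviceAccount.annotations`) looks correct.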
@@ -90,7 +90,10 @@ persistence: {{ .Values.annotations.elementMatrixNeodatefixBot.persistence | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.elementMatrixNeodatefixBot.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "matrix-neodatefix-bot" + {{- with .Values.annotations.elementMatrixNeodatefixBot.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl index 532197dd..cc584af2 100644 --- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl +++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl @@ -49,7 +49,10 @@ ingress: {{ .Values.annotations.elementMatrixNeodatefixWidget.ingress | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.elementMatrixNeodatefixWidget.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "matrix-neodatefix-widget" + {{- with .Values.annotations.elementMatrixNeodatefixWidget.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl index cc89b979..34a3f3bc 100644 --- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl +++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl 
@@ -25,7 +25,10 @@ image: fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap" podAnnotations: - {{ .Values.annotations.elementMatrixUserVerificationServiceBootstrap.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "opendesk-matrix-user-verification-service-bootstrap" + {{- with .Values.annotations.elementMatrixUserVerificationServiceBootstrap.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} securityContext: allowPrivilegeEscalation: false diff --git a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl index b427af90..033fbd5b 100644 --- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl +++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl @@ -44,7 +44,10 @@ image: tag: {{ .Values.images.matrixUserVerificationService.tag | quote }} podAnnotations: - {{ .Values.annotations.elementMatrixUserVerificationService.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "opendesk-matrix-user-verification-service" + {{- with .Values.annotations.elementMatrixUserVerificationService.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/element/values-synapse-admin.yaml.gotmpl b/helmfile/apps/element/values-synapse-admin.yaml.gotmpl index 2ea78cce..8961f0a5 100644 --- a/helmfile/apps/element/values-synapse-admin.yaml.gotmpl +++ b/helmfile/apps/element/values-synapse-admin.yaml.gotmpl 
@@ -56,7 +56,12 @@ cron: repository: {{ .Values.images.elementSyncAdmins.repository | quote }} tag: {{ .Values.images.elementSyncAdmins.tag | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} + podAnnotations: + intents.otterize.com/service-name: "opendesk-synapse-admin-cron" #fullnameOverride: "opendesk-synapse-admin" + +podAnnotations: + intents.otterize.com/service-name: "opendesk-synapse-admin" image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSynapseAdmin.registry | quote }} repository: {{ .Values.images.elementSynapseAdmin.repository | quote }} diff --git a/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl b/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl index 7ada80d2..d188114c 100644 --- a/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl +++ b/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl @@ -16,4 +16,6 @@ image: tag: {{ .Values.images.elementPipe.tag | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} fullnameOverride: "opendesk-synapse-adminbot-pipe" +podAnnotations: + intents.otterize.com/service-name: "opendesk-synapse-adminbot-pipe" ... diff --git a/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl b/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl index dd75a987..312accd2 100644 --- a/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl +++ b/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl @@ -20,4 +20,6 @@ ingress: enabled: {{ .Values.ingress.enabled }} tls: secretName: {{ .Values.ingress.tls.secretName | quote }} +podAnnotations: + intents.otterize.com/service-name: "opendesk-synapse-adminbot-web" ... diff --git a/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl b/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl index cd950209..f165260e 100644 
--- a/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl +++ b/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl @@ -16,4 +16,6 @@ image: tag: {{ .Values.images.elementPipe.tag | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} fullnameOverride: "opendesk-synapse-auditbot-pipe" +podAnnotations: + intents.otterize.com/service-name: "opendesk-synapse-auditbot-pipe" ... diff --git a/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl b/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl index 286c13aa..1bfba83a 100644 --- a/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl +++ b/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl @@ -51,4 +51,6 @@ image: url: {{ .Values.images.elementGroupsync.repository | quote }} tag: {{ .Values.images.elementGroupsync.tag | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} +podAnnotations: + intents.otterize.com/service-name: "opendesk-synapse-groupsync" ... diff --git a/helmfile/apps/element/values-synapse-web.yaml.gotmpl b/helmfile/apps/element/values-synapse-web.yaml.gotmpl index 0ee4fd81..df5e1e98 100644 --- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl +++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl @@ -56,7 +56,10 @@ ingress: secretName: {{ .Values.ingress.tls.secretName | quote }} podAnnotations: - {{ .Values.annotations.elementSynapseWeb.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "opendesk-synapse-web" + {{- with .Values.annotations.elementSynapseWeb.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/element/values-synapse.yaml.gotmpl b/helmfile/apps/element/values-synapse.yaml.gotmpl index 2cc49521..ce782246 100644 --- a/helmfile/apps/element/values-synapse.yaml.gotmpl +++ b/helmfile/apps/element/values-synapse.yaml.gotmpl 
@@ -250,7 +250,10 @@ persistence: {{ .Values.annotations.elementSynapse.persistence | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.elementSynapse.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "opendesk-synapse" + {{- with .Values.annotations.elementSynapse.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/element/values-well-known.yaml.gotmpl b/helmfile/apps/element/values-well-known.yaml.gotmpl index e284cff8..1fa1f8d6 100644 --- a/helmfile/apps/element/values-well-known.yaml.gotmpl +++ b/helmfile/apps/element/values-well-known.yaml.gotmpl @@ -49,7 +49,10 @@ ingress: {{ .Values.annotations.elementWellKnown.ingress | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.elementWellKnown.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "opendesk-well-known" + {{- with .Values.annotations.elementWellKnown.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl index f541f1b7..b4944fda 100644 --- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl +++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl @@ -111,10 +111,11 @@ jitsi: type: "RuntimeDefault" seLinuxOptions: {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }} - {{- if .Values.annotations.jitsiWeb.pod }} podAnnotations: - {{ .Values.annotations.jitsiWeb.pod | toYaml | nindent 6 }} - {{- end }} + intents.otterize.com/service-name: "jitsi-web" + {{- with .Values.annotations.jitsiWeb.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} prosody: image: repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}" 
@@ -164,10 +165,11 @@ jitsi: type: "RuntimeDefault" seLinuxOptions: {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }} - {{- if .Values.annotations.jitsiProsody.pod }} podAnnotations: - {{ .Values.annotations.jitsiProsody.pod | toYaml | nindent 6 }} - {{- end }} + intents.otterize.com/service-name: "jitsi-prosody" + {{- with .Values.annotations.jitsiProsody.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} jicofo: replicaCount: {{ .Values.replicas.jicofo }} image: @@ -191,10 +193,11 @@ jitsi: type: "RuntimeDefault" seLinuxOptions: {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }} - {{- if .Values.annotations.jitsiJicofo.pod }} podAnnotations: - {{ .Values.annotations.jitsiJicofo.pod | toYaml | nindent 6 }} - {{- end }} + intents.otterize.com/service-name: "jitsi-jicofo" + {{- with .Values.annotations.jitsiJicofo.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} jigasi: replicaCount: {{ .Values.replicas.jigasi }} enabled: {{ .Values.sip.jigasi.enabled }} @@ -224,10 +227,11 @@ jitsi: type: "RuntimeDefault" seLinuxOptions: {{ .Values.seLinuxOptions.jigasi | toYaml | nindent 8 }} - {{- if .Values.annotations.jitsiJigasi.pod }} podAnnotations: - {{ .Values.annotations.jitsiJigasi.pod | toYaml | nindent 6 }} - {{- end }} + intents.otterize.com/service-name: "jitsi-jigasi" + {{- with .Values.annotations.jitsiJigasi.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} jvb: replicaCount: {{ .Values.replicas.jvb }} # The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since 
@@ -260,10 +264,11 @@ jitsi: type: "RuntimeDefault" seLinuxOptions: {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }} - {{- if .Values.annotations.jitsiJvb.pod }} podAnnotations: - {{ .Values.annotations.jitsiJvb.pod | toYaml | nindent 6 }} - {{- end }} + intents.otterize.com/service-name: "jitsi-jvb" + {{- with .Values.annotations.jitsiJvb.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} metrics: prometheusAnnotations: {{ .Values.annotations.jitsiJvb.metricsPrometheus | toYaml | nindent 8 }} @@ -288,10 +293,11 @@ jitsi: # Chart does not allow to template more capabilities: add: ["SYS_ADMIN"] - {{- if .Values.annotations.jitsiJibri.pod }} podAnnotations: - {{ .Values.annotations.jitsiJibri.pod | toYaml | nindent 6 }} - {{- end }} + intents.otterize.com/service-name: "jitsi-jibri" + {{- with .Values.annotations.jitsiJibri.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . | quote }} diff --git a/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl index 9f9c02c3..3dddab1b 100644 --- a/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl +++ b/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl @@ -10,7 +10,7 @@ global: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} additionalAnnotations: - intents.otterize.com/service-name: "opendesk-nextcloud-php" + intents.otterize.com/service-name: "opendesk-nextcloud-management" {{- with .Values.annotations.nextcloudNextcloudMgmt.additional }} {{ . | toYaml | nindent 2}} {{- end }} diff --git a/helmfile/apps/nextcloud/values-nextcloud-notifypush.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud-notifypush.yaml.gotmpl index dc51230c..562c6e31 100644 --- a/helmfile/apps/nextcloud/values-nextcloud-notifypush.yaml.gotmpl +++ b/helmfile/apps/nextcloud/values-nextcloud-notifypush.yaml.gotmpl 
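Review bot: The change in `values-nextcloud-management.yaml.gotmpl` renames the workload identity from `"opendesk-nextcloud-php"` to `"opendesk-nextcloud-management"`, and nothing in this hunk shows the matching intent definitions being updated. Any ClientIntents or network policy that still names `opendesk-nextcloud-php` as client or server stops matching this pod after the rename. The diffstat lists `values-otterize.yaml.gotmpl`, so the counterpart may be there, but it is worth confirming that both names change together; the same applies to the `opendesk-nextcloud-aio` → `opendesk-nextcloud-aio-cron` rename under `additionalAnnotations` in `values-nextcloud.yaml.gotmpl`. Minor: `nindent 2}}` in the context line is missing the space before `}}` that the rest of the file uses.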
@@ -10,7 +10,6 @@ global: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} additionalAnnotations: - intents.otterize.com/service-name: "opendesk-nextcloud-notifypush" {{- with .Values.annotations.nextcloudNotifyPush.additional }} {{ . | toYaml | nindent 4 }} {{- end }} @@ -114,7 +113,10 @@ metrics: {{ .Values.annotations.nextcloudNotifyPush.serviceMetrics | toYaml | nindent 6 }} podAnnotations: - {{ .Values.annotations.nextcloudNotifyPush.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "opendesk-nextcloud-notifypush" + {{- with .Values.annotations.nextcloudNotifyPush.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: fsGroup: 101 # prometheus: diff --git a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl index 3742bb05..24d5b257 100644 --- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl +++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl @@ -39,7 +39,10 @@ exporter: imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} tag: {{ .Values.images.nextcloudExporter.tag | quote }} podAnnotations: - {{ .Values.annotations.nextcloudExporter.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "opendesk-nextcloud-exporter" + {{- with .Values.annotations.nextcloudExporter.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} prometheus: serviceMonitor: enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }} @@ -76,7 +79,7 @@ aio: topologyKey: "kubernetes.io/hostname" additionalAnnotations: - intents.otterize.com/service-name: "opendesk-nextcloud-aio" + intents.otterize.com/service-name: "opendesk-nextcloud-aio-cron" {{- with .Values.annotations.nextcloudAio.additional }} {{ . | toYaml | nindent 4 }} {{- end }} 
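Review bot: In the `podAnnotations` hunk of `values-nextcloud-notifypush.yaml.gotmpl` the indent passed to `nindent` drops from 4 to 2 (`{{ . | toYaml | nindent 2 }}`), whereas the removed line used `nindent 4`. The original indentation is not recoverable from this view. If `podAnnotations:` sits one level deep, as the old value suggests, operator-supplied annotations would render as siblings of `podAnnotations` rather than children and would be ignored by the chart or break the values structure. Please check that the `nindent` width matches the column of the added `intents.otterize.com/service-name` line; if that key is at four spaces the line should read `{{ . | toYaml | nindent 4 }}`.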
@@ -177,7 +180,10 @@ aio: tls: secretName: {{ .Values.ingress.tls.secretName | quote }} podAnnotations: - {{ .Values.annotations.nextcloudAio.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "opendesk-nextcloud-aio" + {{- with .Values.annotations.nextcloudAio.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} podSecurityContext: fsGroup: 101 prometheus: diff --git a/helmfile/apps/notes/values.yaml.gotmpl b/helmfile/apps/notes/values.yaml.gotmpl index 0f1dc298..58055dc4 100644 --- a/helmfile/apps/notes/values.yaml.gotmpl +++ b/helmfile/apps/notes/values.yaml.gotmpl @@ -117,11 +117,20 @@ backend: seLinuxOptions: {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }} podAnnotations: - {{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "impress-backend" + {{- with .Values.annotations.notesBackend.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} podAnnotationsCreateUser: - {{ .Values.annotations.notesBackend.createUserJob | toYaml | nindent 4 }} + intents.otterize.com/service-name: "impress-create-user" + {{- with .Values.annotations.notesBackend.createUserJob }} + {{ . | toYaml | nindent 4 }} + {{- end }} podAnnotationsMigrate: - {{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }} + intents.otterize.com/service-name: "impress-migrate" + {{- with .Values.annotations.notesBackend.migrateJob }} + {{ . | toYaml | nindent 4 }} + {{- end }} podSecurityContext: enabled: true fsGroup: 1000 @@ -189,7 +198,10 @@ frontend: seLinuxOptions: {{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }} podAnnotations: - {{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "impress-frontend" + {{- with .Values.annotations.notesFrontend.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} podSecurityContext: enabled: true fsGroup: 1000 
@@ -257,7 +269,10 @@ y-provider: {{ .Values.annotations.notesYProvider.ingressCollaborationWS | toYaml | nindent 6 }} ingressClassName: {{ .Values.ingress.ingressClassName }} podAnnotations: - {{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "impress-y-provider" + {{- with .Values.annotations.notesYProvider.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} podSecurityContext: enabled: true fsGroup: 1001 diff --git a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl index 9983daff..569349fd 100644 --- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl +++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl @@ -109,7 +109,10 @@ ingress: {{ .Values.annotations.nubusIntercomService.ingress | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.nubusIntercomService.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "intercom-service" + {{- with .Values.annotations.nubusIntercomService.pod }} + {{ . | toYaml | nindent 2}} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl index ce64a308..056341f2 100644 --- a/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl +++ b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl @@ -42,7 +42,10 @@ configuration: value: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }} podAnnotations: - {{ .Values.annotations.nubusNginxS3Gateway.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "nubus-nginx-s3-gateway" + {{- with .Values.annotations.nubusNginxS3Gateway.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} resources: {{ .Values.resources.nginxS3Gateway | toYaml | nindent 2 }} 
diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl index 9cb2a43d..f6f81890 100644 --- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl +++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl @@ -274,7 +274,6 @@ nubusTwofaHelpdesk: nubusNotificationsApi: enabled: false additionalAnnotations: - intents.otterize.com/service-name: "ums-notifications-api" {{- with .Values.annotations.nubusNotificationsApi.additional }} {{ . | toYaml | nindent 4 }} {{- end }} @@ -312,7 +311,10 @@ nubusNotificationsApi: annotations: {{ .Values.annotations.nubusNotificationsApi.persistence | toYaml | nindent 6 }} podAnnotations: - {{ .Values.annotations.nubusNotificationsApi.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "ums-notifications-api" + {{- with .Values.annotations.nubusNotificationsApi.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} postgresql: connection: host: {{ .Values.databases.umsNotificationsApi.host | quote }} @@ -339,7 +341,6 @@ nubusNotificationsApi: nubusPortalFrontend: additionalAnnotations: - intents.otterize.com/service-name: "ums-portal-frontend" {{- with .Values.annotations.nubusPortalFrontend.additional }} {{ . | toYaml | nindent 4 }} {{- end }} @@ -415,7 +416,10 @@ nubusPortalFrontend: annotations: {{ .Values.annotations.nubusPortalFrontend.persistence | toYaml | nindent 6 }} podAnnotations: - {{ .Values.annotations.nubusPortalFrontend.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "ums-portal-frontend" + {{- with .Values.annotations.nubusPortalFrontend.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} portalFrontend: branding: css: {{ .Values.theme.styles.portal.main | toJson }} @@ -666,7 +670,6 @@ nubusPortalConsumer: nubusPortalServer: additionalAnnotations: - intents.otterize.com/service-name: "ums-portal-server" {{- with .Values.annotations.nubusPortalServer.additional }} {{ . | toYaml | nindent 4 }} {{- end }} 
@@ -711,7 +714,10 @@ nubusPortalServer: annotations: {{ .Values.annotations.nubusPortalServer.persistence | toYaml | nindent 6 }} podAnnotations: - {{ .Values.annotations.nubusPortalServer.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "ums-portal-server" + {{- with .Values.annotations.nubusPortalServer.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} portalServer: centralNavigation: enabled: true @@ -839,7 +845,10 @@ nubusUdmRestApi: annotations: {{ .Values.annotations.nubusUdmRestApi.persistence | toYaml | nindent 6 }} podAnnotations: - {{ .Values.annotations.nubusUdmRestApi.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "ums-udm-rest-api" + {{- with .Values.annotations.nubusUdmRestApi.pod }} + {{ . | toYaml | nindent 4 }} + {{- end}} replicaCount: {{ .Values.replicas.umsUdmRestApi }} resources: {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }} @@ -898,7 +907,7 @@ nubusLdapServer: additionalAnnotations: {{ .Values.annotations.nubusLdapServer.additional | toYaml | nindent 4 }} additionalAnnotations: - intents.otterize.com/service-name: "ums-ldap-server" + {{ .Values.annotations.nubusLdapServer.additional | toYaml | nindent 4 }} dhInitcontainer: image: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }} 
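Review bot: In the `nubusLdapServer` hunk the context already holds an `additionalAnnotations:` key rendered from `.Values.annotations.nubusLdapServer.additional` with `nindent 4`, and the new line fills the second `additionalAnnotations:` key with the identical expression. Both use the same indent, so they appear to be the same mapping level (indentation is not visible here, so this needs confirming), which leaves a duplicate key that most parsers resolve silently as last-wins and strict ones reject. If that reading is right, the second `additionalAnnotations:` line and its new body should simply be removed rather than filled in. Minor: `{{- end}}` in the `nubusUdmRestApi` hunk is missing the space used elsewhere (`{{- end }}`).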
@@ -921,7 +930,10 @@ nubusLdapServer: size: {{ .Values.persistence.storages.nubusLdapServerData.size | quote }} storageClass: {{ coalesce .Values.persistence.storages.nubusLdapServerData.storageClassName .Values.persistence.storageClassNames.RWO | quote }} podAnnotations: - {{ .Values.annotations.nubusLdapServer.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "ums-ldap-server" + {{- with .Values.annotations.nubusLdapServer.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} replicaCountPrimary: {{ .Values.replicas.umsLdapServerPrimary }} replicaCountSecondary: {{ .Values.replicas.umsLdapServerSecondary }} replicaCountProxy: {{ .Values.replicas.umsLdapServerProxy }} @@ -947,7 +959,6 @@ nubusProvisioning: {{ .Values.annotations.nubusProvisioning.additional | toYaml | nindent 4 }} api: additionalAnnotations: - intents.otterize.com/service-name: "ums-provisioning-api" {{- with .Values.annotations.nubusProvisioning.apiAdditional }} {{ . | toYaml | nindent 6 }} {{- end }} @@ -966,7 +977,10 @@ nubusProvisioning: auth: password: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}} podAnnotations: - {{ .Values.annotations.nubusProvisioning.apiPod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "ums-provisioning-api" + {{- with .Values.annotations.nubusProvisioning.apiPod }} + {{ . | toYaml | nindent 6 }} + {{- end }} resources: {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }} containerSecurityContext: @@ -985,7 +999,6 @@ nubusProvisioning: {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }} dispatcher: additionalAnnotations: - intents.otterize.com/service-name: "ums-provisioning-dispatcher" {{- with .Values.annotations.nubusProvisioning.dispatcherAdditional }} {{ . | toYaml | nindent 6 }} {{- end }} 
@@ -997,12 +1010,14 @@ nubusProvisioning: auth: password: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}} podAnnotations: - {{ .Values.annotations.nubusProvisioning.dispatcherPod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "ums-provisioning-dispatcher" + {{- with .Values.annotations.nubusProvisioning.dispatcherPod }} + {{ . | toYaml | nindent 6 }} + {{- end }} resources: {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }} nats: additionalAnnotations: - intents.otterize.com/service-name: "ums-provisioning-nats" {{- with .Values.annotations.nubusProvisioning.natsAdditional }} {{ . | toYaml | nindent 6 }} {{- end }} @@ -1060,10 +1075,12 @@ nubusProvisioning: serviceAccount: create: true podAnnotations: - {{ .Values.annotations.nubusProvisioning.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "ums-provisioning-nats" + {{- with .Values.annotations.nubusProvisioning.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} prefill: additionalAnnotations: - intents.otterize.com/service-name: "ums-provisioning-prefill" {{- with .Values.annotations.nubusProvisioning.prefillAdditional }} {{ . | toYaml | nindent 6 }} {{- end }} @@ -1075,12 +1092,14 @@ nubusProvisioning: auth: password: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}} podAnnotations: - {{ .Values.annotations.nubusProvisioning.prefillPod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "ums-provisioning-prefill" + {{- with .Values.annotations.nubusProvisioning.prefillPod }} + {{ . | toYaml | nindent 6 }} + {{- end }} resources: {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }} udmTransformer: additionalAnnotations: - intents.otterize.com/service-name: "ums-provisioning-udm-transformer" {{- with .Values.annotations.nubusProvisioning.udmTransformerAdditional }} {{ . | toYaml | nindent 6 }} {{- end }} 
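Review bot: In the hunk at -1060 the name `ums-provisioning-nats` is attached to a `podAnnotations` block that reads `.Values.annotations.nubusProvisioning.pod` with `nindent 4`, whereas the api, dispatcher, prefill and udmTransformer blocks each read their own `*Pod` value with `nindent 6`. That suggests this block is the provisioning-level `podAnnotations` rather than one scoped to `nats`; the original indentation is lost in this view, so please confirm. If it is not NATS-scoped, other provisioning pods may be identified as `ums-provisioning-nats` and the NATS pods may not receive the annotation. A comment above the key, for example `# podAnnotations of the NATS pods (values key: nubusProvisioning.pod)`, would settle it for the next reader.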
@@ -1092,7 +1111,10 @@ nubusProvisioning: auth: password: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}} podAnnotations: - {{ .Values.annotations.nubusProvisioning.udmTransformerPod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "ums-provisioning-udm-transformer" + {{- with .Values.annotations.nubusProvisioning.udmTransformerPod }} + {{ . | toYaml | nindent 6 }} + {{- end }} resources: {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }} replicaCount: @@ -1163,7 +1185,10 @@ nubusUdmListener: size: {{ .Values.persistence.storages.nubusUdmListener.size | quote }} # storageClass: -- coalesce .Values.persistence.storages.nubusUdmListener.storageClassName .Values.persistence.storageClassNames.RWO | quote -- podAnnotations: - {{ .Values.annotations.nubusUdmListener.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "ums-provisioning-udm-listener" + {{- with .Values.annotations.nubusUdmListener.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} replicaCount: {{ .Values.replicas.umsUdmListener }} resources: {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }} @@ -1219,9 +1244,9 @@ nubusSelfServiceConsumer: # Nubus services nubusStackDataUms: additionalAnnotations: + intents.otterize.com/service-name: "ums-stack-data-ums" argocd.argoproj.io/hook: "Sync" argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation" - intents.otterize.com/service-name: "ums-stack-data-ums" {{- with .Values.annotations.nubusStackDataUms.additional }} {{ . | toYaml | nindent 4 }} {{- end }} 
@@ -1270,7 +1295,10 @@ nubusStackDataUms: connection: host: {{ .Values.databases.umsSelfservice.host | quote }} podAnnotations: - {{ .Values.annotations.nubusStackDataUms.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "ums-stack-data-ums" + {{- with .Values.annotations.nubusStackDataUms.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} resources: {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }} stackDataContext: @@ -1459,7 +1487,10 @@ nubusUmcServer: auth: password: "" podAnnotations: - {{ .Values.annotations.nubusUmcServer.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "ums-umc-server" + {{- with .Values.annotations.nubusUmcServer.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} # Ref.: https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/reference.html#envvar-nubusUmcServer.podManagementPolicy podManagementPolicy: "{{ if gt .Values.replicas.umsUmcServer 4 }}Parallel{{ else }}OrderedReady{{ end }}" postgresql: @@ -1555,7 +1586,10 @@ nubusUmcGateway: initResources: {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.nubusUmcGateway.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "ums-umc-gateway" + {{- with .Values.annotations.nubusUmcGateway.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} replicaCount: {{ .Values.replicas.umsUmcGateway }} serviceAccount: annotations: diff --git a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl index 4d4cfca1..c75b9f8a 100644 --- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl 
@@ -126,7 +126,10 @@ persistence: {{ .Values.annotations.openxchangeDovecot.persistence | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.openxchangeDovecot.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "open-xchange-dovecot" + {{- with .Values.annotations.openxchangeDovecot.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} resources: {{ .Values.resources.dovecot | toYaml | nindent 2 }} diff --git a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl index 8d1f69b8..c5368986 100644 --- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl @@ -3,6 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 --- additionalAnnotations: + intents.otterize.com/service-name: "open-xchange-bootstrap" argocd.argoproj.io/hook: "Sync" argocd.argoproj.io/hook-delete-policy: "HookSucceeded" {{- with .Values.annotations.openxchangeBootstrap.additional }} diff --git a/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl index fb7dca1f..c1daffee 100644 --- a/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl @@ -5,6 +5,7 @@ appsuite: core-mw: podAnnotations: + intents.otterize.com/service-name: "open-xchange-core-mw" logging.open-xchange.com/format: "appsuite-json" {{- with .Values.annotations.openxchangeEnterpriseContactPicker.appsuiteCoreMwPod }} {{ . | toYaml | nindent 6 }} diff --git a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl index de1fc88b..0dccd8ac 100644 --- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl 
@@ -31,7 +31,10 @@ nextcloud-integration-ui: - name: {{ . | quote }} {{- end }} podAnnotations: - {{ .Values.annotations.openxchangeNextcloudIntegrationUi.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "open-xchange-nextcloud-integration-ui" + {{- with .Values.annotations.openxchangeNextcloudIntegrationUi.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} replicaCount: {{ .Values.replicas.openxchangeNextcloudIntegrationUI }} resources: {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }} @@ -66,7 +69,10 @@ public-sector-ui: pullPolicy: {{ .Values.global.imagePullPolicy | quote }} replicaCount: {{ .Values.replicas.openxchangePublicSectorUI }} podAnnotations: - {{ .Values.annotations.openxchangePublicSectorUi.pod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "open-xchange-public-sector-ui" + {{- with .Values.annotations.openxchangePublicSectorUi.pod }} + {{ . | toYaml | nindent 4 }} + {{- end }} resources: {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }} securityContext: @@ -311,7 +317,10 @@ appsuite: jolokiaPassword: {{ .Values.secrets.oxAppSuite.jolokiaPassword | quote }} hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}" podAnnotations: - {{ .Values.annotations.openxchangeAppsuiteCoreMw.pod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "open-xchange-core-mw" + {{- with .Values.annotations.openxchangeAppsuiteCoreMw.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} serviceAccount: annotations: {{ .Values.annotations.openxchangeAppsuiteCoreMw.serviceAccount | toYaml | nindent 8 }} 
@@ -338,7 +347,10 @@ appsuite: pullPolicy: {{ .Values.global.imagePullPolicy | quote }} replicaCount: {{ .Values.replicas.openxchangeGotenberg }} podAnnotations: - {{ .Values.annotations.openxchangeAppsuiteCoreMw.gotenbergPod | toYaml | nindent 8 }} + intents.otterize.com/service-name: "open-xchange-gotenberg" + {{- with .Values.annotations.openxchangeAppsuiteCoreMw.gotenbergPod }} + {{ . | toYaml | nindent 8 }} + {{- end }} resources: {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }} securityContext: @@ -351,7 +363,6 @@ appsuite: runAsNonRoot: true runAsUser: 1001 runAsGroup: 1001 - privileged: false seccompProfile: type: "RuntimeDefault" seLinuxOptions: @@ -769,7 +780,10 @@ appsuite: pullPolicy: {{ .Values.global.imagePullPolicy | quote }} replicaCount: {{ .Values.replicas.openxchangeCoreUI }} podAnnotations: - {{ .Values.annotations.openxchangeAppsuiteCoreUi.pod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "open-xchange-core-ui" + {{- with .Values.annotations.openxchangeAppsuiteCoreUi.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} resources: {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }} securityContext: @@ -806,7 +820,10 @@ appsuite: pullPolicy: {{ .Values.global.imagePullPolicy | quote }} overrides: {} podAnnotations: - {{ .Values.annotations.openxchangeAppsuiteCoreUiMiddleware.pod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "open-xchange-core-ui-middleware" + {{- with .Values.annotations.openxchangeAppsuiteCoreUiMiddleware.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} redis: *redisConfiguration replicaCount: {{ .Values.replicas.openxchangeCoreUIMiddleware }} resources: 
@@ -855,7 +872,10 @@ appsuite: pullPolicy: {{ .Values.global.imagePullPolicy | quote }} {{- if .Values.annotations.openxchangeAppsuiteCoreDocumentconverter.pod }} podAnnotations: - {{ .Values.annotations.openxchangeAppsuiteCoreDocumentconverter.pod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "open-xchange-core-documentconverter" + {{- with .Values.annotations.openxchangeAppsuiteCoreDocumentconverter.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} {{- end }} redis: *redisConfiguration replicaCount: {{ .Values.replicas.openxchangeCoreDocumentConverter }} @@ -907,7 +927,10 @@ appsuite: tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }} podAnnotations: - {{ .Values.annotations.openxchangeAppsuiteCoreGuidedtours.pod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "open-xchange-guidedtours" + {{- with .Values.annotations.openxchangeAppsuiteCoreGuidedtours.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} replicaCount: {{ .Values.replicas.openxchangeCoreGuidedtours }} resources: {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }} @@ -951,7 +974,10 @@ appsuite: secretKey: "." {{- if .Values.annotations.openxchangeAppsuiteCoreImageconverter.pod }} podAnnotations: - {{ .Values.annotations.openxchangeAppsuiteCoreImageconverter.pod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "open-xchange-core-imageconverter" + {{- with .Values.annotations.openxchangeAppsuiteCoreImageconverter.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} {{- end }} redis: *redisConfiguration replicaCount: {{ .Values.replicas.openxchangeCoreImageConverter }} 
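Review bot: The new `intents.otterize.com/service-name` annotations for the document converter (hunk at -855) and the image converter (hunk at -951) sit inside the existing `{{- if .Values.annotations.openxchangeAppsuiteCoreDocumentconverter.pod }}` and `{{- if .Values.annotations.openxchangeAppsuiteCoreImageconverter.pod }}` guards, so they are rendered only when an operator supplies pod annotations. If those values are unset by default (as the `~` defaults visible in annotations.yaml.gotmpl suggest), `podAnnotations` is omitted for both workloads. They then never receive the service name, unlike every other component in this patch. Dropping the outer `{{- if … }}` and its closing `{{- end }}` in both places makes the annotation unconditional; the inner `{{- with … }}` already covers the empty case.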
@@ -987,7 +1013,8 @@ appsuite: repository: {{ .Values.images.openxchangeGuardUI.repository | quote }} tag: {{ .Values.images.openxchangeGuardUI.tag | quote }} pullPolicy: {{ .Values.global.imagePullPolicy | quote }} - podAnnotations: {} + podAnnotations: + intents.otterize.com/service-name: "open-xchange-guard-ui" replicaCount: {{ .Values.replicas.openxchangeGuardUI }} resources: {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }} @@ -1023,7 +1050,10 @@ appsuite: - name: {{ . | quote }} {{- end }} podAnnotations: - {{ .Values.annotations.openxchangeAppsuiteCoreUserGuide.pod | toYaml | nindent 6 }} + intents.otterize.com/service-name: "open-xchange-core-user-guide" + {{- with .Values.annotations.openxchangeAppsuiteCoreUserGuide.pod }} + {{ . | toYaml | nindent 6 }} + {{- end }} replicaCount: {{ .Values.replicas.openxchangeCoreUserGuide }} resources: {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }} diff --git a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl index 9f88b461..0cbb8225 100644 --- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl @@ -68,7 +68,10 @@ persistence: #storageClass: {{ coalesce .Values.persistence.storages.oxConnector.storageClassName .Values.persistence.storageClassNames.RWO | quote }} podAnnotations: - {{ .Values.annotations.nubusOxConnector.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "open-xchange-connector" + {{- with .Values.annotations.nubusOxConnector.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} replicaCount: {{ .Values.replicas.oxConnector }} diff --git a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl index a7d74f1c..e67364f4 100644 --- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl 
@@ -91,7 +91,10 @@ postfix: virtualTransport: "lmtps:dovecot:24" podAnnotations: - {{ .Values.annotations.openxchangePostfix.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "open-xchange-postfix" + {{- with .Values.annotations.openxchangePostfix.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} replicaCount: {{ .Values.replicas.postfix }} diff --git a/helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl b/helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl index 9680dfce..94f00dac 100644 --- a/helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl +++ b/helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl @@ -5,7 +5,10 @@ additionalAnnotations: {{ .Values.annotations.opendeskMigrationsPost.additional | toYaml | nindent 2 }} podAnnotations: - {{ .Values.annotations.opendeskMigrationsPost.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "opendesk-migrations-post" + {{- with .Values.annotations.opendeskMigrationsPost.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} serviceAccount: annotations: diff --git a/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl b/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl index ae6c8b72..6463b015 100644 --- a/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl +++ b/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl @@ -74,7 +74,10 @@ job: enabled: true podAnnotations: - {{ .Values.annotations.openprojectBootstrap.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "opendesk-openproject-bootstrap" + {{- with .Values.annotations.openprojectBootstrap.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl b/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl index 185e6c71..28e207f7 100644 --- a/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl 
+++ b/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl @@ -116,7 +116,10 @@ image: imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} podAnnotations: - {{ .Values.annotations.opendeskServicesStaticFiles.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "opendesk-static-files" + {{- with .Values.annotations.opendeskServicesStaticFiles.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl b/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl index 565f3386..51a69100 100644 --- a/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl +++ b/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl @@ -10,12 +10,18 @@ additionalAnnotations: {{ .Values.annotations.opendeskServicesOtterize.additional | toYaml | nindent 2 }} apps: + cassandra: + enabled: {{ .Values.apps.cassandra.enabled }} + certificates: + enabled: {{ .Values.apps.certificates.enabled }} clamavDistributed: enabled: {{ .Values.apps.clamavDistributed.enabled }} clamavSimple: enabled: {{ .Values.apps.clamavSimple.enabled }} collabora: enabled: {{ .Values.apps.collabora.enabled }} + collaboraController: + enabled: {{ .Values.apps.collaboraController.enabled }} cryptpad: enabled: {{ .Values.apps.cryptpad.enabled }} dkimpy: @@ -24,6 +30,12 @@ apps: enabled: {{ .Values.apps.dovecot.enabled }} element: enabled: {{ .Values.apps.element.enabled }} + elementAdmin: + enabled: {{ .Values.apps.elementAdmin.enabled }} + elementGroupsync: + enabled: {{ .Values.apps.elementGroupsync.enabled }} + home: + enabled: {{ .Values.apps.home.enabled }} jitsi: enabled: {{ .Values.apps.jitsi.enabled }} mariadb: @@ -42,7 +54,7 @@ apps: enabled: {{ .Values.apps.nubus.enabled }} openproject: enabled: {{ .Values.apps.openproject.enabled }} - oxAppsuite: + oxAppSuite: enabled: {{ .Values.apps.oxAppSuite.enabled }} postfix: enabled: {{ .Values.apps.postfix.enabled }} 
@@ -50,6 +62,8 @@ apps: enabled: {{ .Values.apps.postgresql.enabled }} redis: enabled: {{ .Values.apps.redis.enabled }} + staticFiles: + enabled: {{ .Values.apps.staticFiles.enabled }} xwiki: enabled: {{ .Values.apps.xwiki.enabled }} diff --git a/helmfile/apps/openproject/values.yaml.gotmpl b/helmfile/apps/openproject/values.yaml.gotmpl index 9c5af17a..8c366342 100644 --- a/helmfile/apps/openproject/values.yaml.gotmpl +++ b/helmfile/apps/openproject/values.yaml.gotmpl @@ -131,7 +131,10 @@ persistence: enabled: false podAnnotations: - {{ .Values.annotations.openproject.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "openproject" + {{- with .Values.annotations.openproject.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} postgresql: bundled: false diff --git a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl index a1fd9ae8..100ce239 100644 --- a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl +++ b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl @@ -73,8 +73,10 @@ persistence: storageClass: {{ coalesce .Values.persistence.storages.cassandra.storageClassName .Values.persistence.storageClassNames.RWO | quote }} podAnnotations: - {{ .Values.annotations.cassandra.pod | toYaml | nindent 2 }} - + intents.otterize.com/service-name: "cassandra" + {{- with .Values.annotations.cassandra.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true fsGroup: 1001 diff --git a/helmfile/apps/services-external/values-clamav-distributed.yaml.gotmpl b/helmfile/apps/services-external/values-clamav-distributed.yaml.gotmpl index 11ce3961..d084c0a2 100644 --- a/helmfile/apps/services-external/values-clamav-distributed.yaml.gotmpl +++ b/helmfile/apps/services-external/values-clamav-distributed.yaml.gotmpl 
@@ -26,7 +26,10 @@ clamd: tag: {{ .Values.images.clamd.tag | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} podAnnotations: - {{ .Values.annotations.servicesExternalClamavDistributed.clamdPod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "clamav-distributed" + {{- with .Values.annotations.servicesExternalClamavDistributed.clamdPod }} + {{ . | toYaml | nindent 4 }} + {{- end }} podSecurityContext: enabled: true fsGroup: 101 @@ -81,7 +84,10 @@ freshclam: tag: {{ .Values.images.freshclam.tag | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} podAnnotations: - {{ .Values.annotations.servicesExternalClamavDistributed.freshclamPod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "clamav-freshclam" + {{- with .Values.annotations.servicesExternalClamavDistributed.freshclamPod }} + {{ . | toYaml | nindent 4 }} + {{- end }} podSecurityContext: enabled: true fsGroup: 101 @@ -129,7 +135,10 @@ icap: tag: {{ .Values.images.icap.tag | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} podAnnotations: - {{ .Values.annotations.servicesExternalClamavDistributed.icapPod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "clamav-icap" + {{- with .Values.annotations.servicesExternalClamavDistributed.icapPod }} + {{ . | toYaml | nindent 4 }} + {{- end }} podSecurityContext: enabled: true fsGroup: 101 @@ -169,7 +178,10 @@ milter: tag: {{ .Values.images.milter.tag | quote }} imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} podAnnotations: - {{ .Values.annotations.servicesExternalClamavDistributed.milterPod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "clamav-milter" + {{- with .Values.annotations.servicesExternalClamavDistributed.milterPod }} + {{ . | toYaml | nindent 4 }} + {{- end }} podSecurityContext: enabled: true fsGroup: 101 
diff --git a/helmfile/apps/services-external/values-clamav-simple.yaml.gotmpl b/helmfile/apps/services-external/values-clamav-simple.yaml.gotmpl index 3a25d1b6..ffc434c0 100644 --- a/helmfile/apps/services-external/values-clamav-simple.yaml.gotmpl +++ b/helmfile/apps/services-external/values-clamav-simple.yaml.gotmpl @@ -44,7 +44,10 @@ persistence: {{ .Values.annotations.servicesExternalClamavSimple.persistence | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.servicesExternalClamavSimple.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "clamav-simple" + {{- with .Values.annotations.servicesExternalClamavSimple.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/services-external/values-dkimpy.yaml.gotmpl b/helmfile/apps/services-external/values-dkimpy.yaml.gotmpl index ab51c42c..c1f23e8a 100644 --- a/helmfile/apps/services-external/values-dkimpy.yaml.gotmpl +++ b/helmfile/apps/services-external/values-dkimpy.yaml.gotmpl @@ -30,7 +30,10 @@ image: imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} podAnnotations: - {{ .Values.annotations.servicesExternalDkimpy.service | toYaml | nindent 2 }} + intents.otterize.com/service-name: "dkimpy-milter" + {{- with .Values.annotations.servicesExternalDkimpy.service }} + {{ . | toYaml | nindent 2 }} + {{- end }} podSecurityContext: enabled: true diff --git a/helmfile/apps/services-external/values-mariadb.yaml.gotmpl b/helmfile/apps/services-external/values-mariadb.yaml.gotmpl index ff2190c8..ef4db136 100644 --- a/helmfile/apps/services-external/values-mariadb.yaml.gotmpl +++ b/helmfile/apps/services-external/values-mariadb.yaml.gotmpl 
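Review bot: In values-dkimpy.yaml.gotmpl the new `{{- with .Values.annotations.servicesExternalDkimpy.service }}` feeds `podAnnotations` from the `service` annotations key, where the other files in this patch read a `pod` or `*Pod` key. The removed line did the same, so this is carried over rather than introduced, but the rewrite is a good moment to check it. Annotations meant for the Service object would land on the pod, and the pod could not be annotated on its own. If a `pod` key exists for servicesExternalDkimpy (not visible here), the line should read `{{- with .Values.annotations.servicesExternalDkimpy.pod }}`.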
@@ -78,6 +78,7 @@ persistence: {{ .Values.annotations.servicesExternalMariadb.persistence | toYaml | nindent 4 }} podAnnotations: + intents.otterize.com/service-name: "mariadb" argocd.argoproj.io/hook: "PostSync" argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation" {{- with .Values.annotations.servicesExternalMariadb.pod }} diff --git a/helmfile/apps/services-external/values-memcached.yaml.gotmpl b/helmfile/apps/services-external/values-memcached.yaml.gotmpl index 4837c54b..2492c8a1 100644 --- a/helmfile/apps/services-external/values-memcached.yaml.gotmpl +++ b/helmfile/apps/services-external/values-memcached.yaml.gotmpl @@ -34,8 +34,10 @@ image: pullPolicy: {{ .Values.global.imagePullPolicy | quote }} podAnnotations: - {{ .Values.annotations.servicesExternalMemcached.pod | toYaml | nindent 2 }} - + intents.otterize.com/service-name: "memcached" + {{- with .Values.annotations.servicesExternalMemcached.pod }} + {{ . | toYaml | nindent 2 }} + {{- end}} replicaCount: {{ .Values.replicas.memcached }} resources: diff --git a/helmfile/apps/services-external/values-minio.yaml.gotmpl b/helmfile/apps/services-external/values-minio.yaml.gotmpl index 7b1cfefd..e68abfcd 100644 --- a/helmfile/apps/services-external/values-minio.yaml.gotmpl +++ b/helmfile/apps/services-external/values-minio.yaml.gotmpl @@ -134,7 +134,10 @@ provisioning: withLock: false {{- end }} podAnnotations: - {{ .Values.annotations.servicesExternalMinio.provisioningPod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "minio-provisioning" + {{- with .Values.annotations.servicesExternalMinio.provisioningPod }} + {{ . | toYaml | nindent 4}} + {{- end }} policies: - name: "migrations-bucket-policy" statements: 
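Review bot: The template delimiters in the memcached hunk are spaced differently from the rest of the patch. It uses `{{- end}}`, the minio provisioning hunk uses `nindent 4}}`, services-external/values-postfix uses `nindent 2}}` and `{{- end}}`, and the nubusUdmRestApi hunk uses `{{- end}}`, against `{{- end }}` and `nindent 4 }}` elsewhere. The memcached and cassandra hunks also drop the blank line that separated `podAnnotations` from the next key. Rendering is unaffected, but writing `{{- end }}` and keeping the blank line would match the other files.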
@@ -271,7 +274,10 @@ provisioning: {{ .Values.resources.minio | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.servicesExternalMinio.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "minio" + {{- with .Values.annotations.servicesExternalMinio.pod }} + {{ . | toYaml | nindent 2 }} + {{- end }} readinessProbe: enabled: true diff --git a/helmfile/apps/services-external/values-postfix.yaml.gotmpl b/helmfile/apps/services-external/values-postfix.yaml.gotmpl index d98a9236..a736bc40 100644 --- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl +++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl @@ -41,7 +41,10 @@ persistence: {{ .Values.annotations.servicesExternalPostfix.persistence | toYaml | nindent 4 }} podAnnotations: - {{ .Values.annotations.servicesExternalPostfix.pod | toYaml | nindent 2 }} + intents.otterize.com/service-name: "postfix" + {{- with .Values.annotations.servicesExternalPostfix.pod }} + {{ . | toYaml | nindent 2}} + {{- end}} podSecurityContext: enabled: true @@ -106,8 +109,6 @@ postfix: virtualTransport: "lmtps:dovecot:24" {{- end }} -podAnnotations: {} - replicaCount: {{ .Values.replicas.postfix }} resources: diff --git a/helmfile/apps/services-external/values-postgresql.yaml.gotmpl b/helmfile/apps/services-external/values-postgresql.yaml.gotmpl index 447a0c7a..1e4c59e3 100644 --- a/helmfile/apps/services-external/values-postgresql.yaml.gotmpl +++ b/helmfile/apps/services-external/values-postgresql.yaml.gotmpl @@ -115,6 +115,7 @@ persistence: {{ .Values.annotations.servicesExternalPostgresql.persistence | toYaml | nindent 4 }} podAnnotations: + intents.otterize.com/service-name: "postgresql" argocd.argoproj.io/hook: "PostSync" argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation" {{- with .Values.annotations.servicesExternalPostgresql.pod}} 
diff --git a/helmfile/apps/services-external/values-redis.yaml.gotmpl b/helmfile/apps/services-external/values-redis.yaml.gotmpl index d72dc43f..b7d81579 100644 --- a/helmfile/apps/services-external/values-redis.yaml.gotmpl +++ b/helmfile/apps/services-external/values-redis.yaml.gotmpl @@ -44,7 +44,10 @@ master: annotations: {{ .Values.annotations.servicesExternalRedis.masterPersistence | toYaml | nindent 6 }} podAnnotations: - {{ .Values.annotations.servicesExternalRedis.masterPod | toYaml | nindent 4 }} + intents.otterize.com/service-name: "redis" + {{- with .Values.annotations.servicesExternalRedis.masterPod }} + {{ . | toYaml | nindent 4 }} + {{- end }} resources: {{ .Values.resources.redis | toYaml | nindent 4 }} service: diff --git a/helmfile/environments/default/annotations.yaml.gotmpl b/helmfile/environments/default/annotations.yaml.gotmpl index 32ad72e8..3712b4d0 100644 --- a/helmfile/environments/default/annotations.yaml.gotmpl +++ b/helmfile/environments/default/annotations.yaml.gotmpl @@ -376,7 +376,12 @@ annotations: clamdPod: ~ clamdService: ~ clamdServiceAccount: ~ + icapCommon: ~ + icapPod: ~ + icapService: ~ + icapServiceAccount: ~ freshclamCommon: ~ + freshclamPod: ~ freshclamService: ~ freshclamServiceAccount: ~ milterCommon: ~ From 152221fa7976bfa942d5e9e9b8f78cc8e65765c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Thu, 30 Oct 2025 12:14:46 +0100 Subject: [PATCH 03/28] fix(nubus): Remove legacy `UMC` Keycloak client that was used for SAML connection with the Nubus portal --- docs/architecture.md | 9 +-- docs/migrations.md | 72 +++++++++---------- ...es-opendesk-keycloak-bootstrap.yaml.gotmpl | 2 +- 3 files changed, 39 insertions(+), 44 deletions(-) diff --git a/docs/architecture.md b/docs/architecture.md index 36ff582f..653c0eac 100644 --- a/docs/architecture.md +++ b/docs/architecture.md 
@@ -129,7 +129,7 @@ An overview of - components that consume the LDAP service. - The components access the LDAP using a component-specific LDAP search account. - components using Univention Keycloak as an identity provider (IdP). - - The components should use OAuth2 / OIDC flows if not otherwise denoted. + - All components use OAuth2 / OIDC flows. - All components have a client configured in Keycloak. Some components trust others to handle authentication for them. @@ -148,7 +148,7 @@ flowchart TD D-->K O-->K X-->K - P-->|SAML|K + P-->K E[Element]-->K J[Jitsi]-->K I[IntercomService]-->K @@ -184,11 +184,6 @@ sequenceDiagram Note over Browser: User is authenticated ``` -> [!note] -> Nubus' Portal and UMC still use [SAML 2.0](https://www.oasis-open.org/standard/saml/) to authenticate -> users. However, Nubus will switch to OIDC in an upcoming release, eliminating the use of SAML in openDesk -> altogether. - ## Keycloak [Keycloak](https://www.keycloak.org/) is an open-source identity and access management solution for web based applications and services. It provides features such as single sign-on, multi-factor authentication, user federation, and centralized user management. diff --git a/docs/migrations.md b/docs/migrations.md index 4b47c3fc..4f9494c9 100644 --- a/docs/migrations.md +++ b/docs/migrations.md 
@@ -8,14 +8,14 @@ SPDX-License-Identifier: Apache-2.0 * [Disclaimer](#disclaimer) * [Deprecation warnings](#deprecation-warnings) -* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path) +* [Overview and mandatory upgrade path](#overview-and-mandatory-upgrade-path) * [Manual checks/actions](#manual-checksactions) - * [Versions ≥ v1.9.0](#versions--v190) - * [Pre-upgrade to versions ≥ v1.9.0](#pre-upgrade-to-versions--v190) + * [Versions ≥ v1.9.0](#versions--v190) + * [Pre-upgrade to versions ≥ v1.9.0](#pre-upgrade-to-versions--v190) * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases) * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients) - * [Versions ≥ v1.8.0](#versions--v180) - * [Pre-upgrade to versions ≥ v1.8.0](#pre-upgrade-to-versions--v180) + * [Versions ≥ v1.8.0](#versions--v180) + * [Pre-upgrade to versions ≥ v1.8.0](#pre-upgrade-to-versions--v180) * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users) * [New database and secrets: Portal now uses OIDC](#new-database-and-secrets-portal-now-uses-oidc) * [New application default: XWiki blocks self-registration of user accounts](#new-application-default-xwiki-blocks-self-registration-of-user-accounts) 
@@ -24,39 +24,39 @@ SPDX-License-Identifier: Apache-2.0 * [Helmfile new default: New groupware settings changing current behaviour](#helmfile-new-default-new-groupware-settings-changing-current-behaviour) * [New application default: Nextcloud apps "Spreed" and "Comments" no longer enabled by default](#new-application-default-nextcloud-apps-spreed-and-comments-no-longer-enabled-by-default) * [New application default: Gravatar is switched off for Jitsi and OpenProject](#new-application-default-gravatar-is-switched-off-for-jitsi-and-openproject) - * [Versions ≥ v1.7.0](#versions--v170) - * [Pre-upgrade to versions ≥ v1.7.0](#pre-upgrade-to-versions--v170) + * [Versions ≥ v1.7.0](#versions--v170) + * [Pre-upgrade to versions ≥ v1.7.0](#pre-upgrade-to-versions--v170) * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root) * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments) - * [Post-upgrade to versions ≥ v1.7.0](#post-upgrade-to-versions--v170) + * [Post-upgrade to versions ≥ v1.7.0](#post-upgrade-to-versions--v170) * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes) - * [Versions ≥ v1.6.0](#versions--v160) - * [Pre-upgrade to versions ≥ v1.6.0](#pre-upgrade-to-versions--v160) + * [Versions ≥ v1.6.0](#versions--v160) + * [Pre-upgrade to versions ≥ v1.6.0](#pre-upgrade-to-versions--v160) * [Upstream constraint: Nubus' external secrets](#upstream-constraint-nubus-external-secrets) * [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser) * [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange) * [OX App Suite fix-up: Using S3 as storage for non mail attachments 
(pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade) - * [Post-upgrade to versions ≥ v1.6.0](#post-upgrade-to-versions--v160) + * [Post-upgrade to versions ≥ v1.6.0](#post-upgrade-to-versions--v160) * [OX App Suite fix-up: Using S3 as storage for non mail attachments (post-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-post-upgrade) - * [Versions ≥ v1.4.0](#versions--v140) - * [Pre-upgrade to versions ≥ v1.4.0](#pre-upgrade-to-versions--v140) + * [Versions ≥ v1.4.0](#versions--v140) + * [Pre-upgrade to versions ≥ v1.4.0](#pre-upgrade-to-versions--v140) * [Helmfile cleanup: `global.additionalMailDomains` as list](#helmfile-cleanup-globaladditionalmaildomains-as-list) - * [Versions ≥ v1.3.0](#versions--v130) - * [Pre-upgrade to versions ≥ v1.3.0](#pre-upgrade-to-versions--v130) + * [Versions ≥ v1.3.0](#versions--v130) + * [Pre-upgrade to versions ≥ v1.3.0](#pre-upgrade-to-versions--v130) * [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation) - * [Versions ≥ v1.2.0](#versions--v120) - * [Pre-upgrade to versions ≥ v1.2.0](#pre-upgrade-to-versions--v120) + * [Versions ≥ v1.2.0](#versions--v120) + * [Pre-upgrade to versions ≥ v1.2.0](#pre-upgrade-to-versions--v120) * [Helmfile cleanup: Do not configure OX provisioning when no OX installed](#helmfile-cleanup-do-not-configure-ox-provisioning-when-no-ox-installed) * [Helmfile new default: PostgreSQL for XWiki and Nextcloud](#helmfile-new-default-postgresql-for-xwiki-and-nextcloud) - * [Versions ≥ v1.1.2](#versions--v112) - * [Pre-upgrade to versions ≥ v1.1.2](#pre-upgrade-to-versions--v112) + * [Versions ≥ v1.1.2](#versions--v112) + * [Pre-upgrade to versions ≥ v1.1.2](#pre-upgrade-to-versions--v112) * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element) - * [Versions ≥ v1.1.1](#versions--v111) - * 
[Pre-upgrade to versions ≥ v1.1.1](#pre-upgrade-to-versions--v111) + * [Versions ≥ v1.1.1](#versions--v111) + * [Pre-upgrade to versions ≥ v1.1.1](#pre-upgrade-to-versions--v111) * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname) * [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword) - * [Versions ≥ v1.1.0](#versions--v110) - * [Pre-upgrade to versions ≥ v1.1.0](#pre-upgrade-to-versions--v110) + * [Versions ≥ v1.1.0](#versions--v110) + * [Pre-upgrade to versions ≥ v1.1.0](#pre-upgrade-to-versions--v110) * [Helmfile cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder) * [Helmfile cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl) * [Helmfile cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-) 
@@ -66,10 +66,10 @@ SPDX-License-Identifier: Apache-2.0 * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login) * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled) * [External requirements: Redis 7.4](#external-requirements-redis-74) - * [Post-upgrade to versions ≥ v1.1.0](#post-upgrade-to-versions--v110) + * [Post-upgrade to versions ≥ v1.1.0](#post-upgrade-to-versions--v110) * [XWiki fix-ups](#xwiki-fix-ups) - * [Versions ≥ v1.0.0](#versions--v100) - * [Pre-upgrade to versions ≥ v1.0.0](#pre-upgrade-to-versions--v100) + * [Versions ≥ v1.0.0](#versions--v100) + * [Pre-upgrade to versions ≥ v1.0.0](#pre-upgrade-to-versions--v100) * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus) * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets) * [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled) 
@@ -77,17 +77,17 @@ SPDX-License-Identifier: Apache-2.0 * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability) * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts) * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api) - * [Post-upgrade to versions ≥ v1.0.0](#post-upgrade-to-versions--v100) + * [Post-upgrade to versions ≥ v1.0.0](#post-upgrade-to-versions--v100) * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component) * [Optional Cleanup](#optional-cleanup) * [Automated migrations - Details](#automated-migrations---details) - * [Versions ≥ v1.6.0 (automated)](#versions--v160-automated) - * [Versions ≥ v1.6.0 migrations-post](#versions--v160-migrations-post) - * [Versions ≥ v1.2.0 (automated)](#versions--v120-automated) - * [Versions ≥ v1.2.0 migrations-pre](#versions--v120-migrations-pre) - * [Versions ≥ v1.2.0 migrations-post](#versions--v120-migrations-post) - * [Versions ≥ v1.1.0 (automated)](#versions--v110-automated) - * [Versions ≥ v1.0.0 (automated)](#versions--v100-automated) + * [Versions ≥ v1.6.0 (automated)](#versions--v160-automated) + * [Versions ≥ v1.6.0 migrations-post](#versions--v160-migrations-post) + * [Versions ≥ v1.2.0 (automated)](#versions--v120-automated) + * [Versions ≥ v1.2.0 migrations-pre](#versions--v120-migrations-pre) + * [Versions ≥ v1.2.0 migrations-post](#versions--v120-migrations-post) + * [Versions ≥ v1.1.0 (automated)](#versions--v110-automated) + * [Versions ≥ v1.0.0 (automated)](#versions--v100-automated) * [Related components and artifacts](#related-components-and-artifacts) * [Development](#development) 
@@ -140,7 +140,7 @@ matching that constraint, though our links always point to the newest patch rele > 1. You are at v1.3.2 → pre steps for v1.4.0 to v1.5.0 > 1. Upgrade to v1.5.0 → post steps for v1.4.0 to v1.5.0 > 1. You are at v1.5.0 → pre steps for v1.6.0 to 1.7.1 -> 1. Upgrade to v1.7.1 → post steps for v1.6.0 to v1.7.1 +> 1. Upgrade to v1.7.1 → post steps for v1.6.0 to v1.7.1 | Version | Mandatory | Pre-Upgrade | Post-Upgrade | Minimum Required Previous Version | @@ -237,7 +237,7 @@ The portal has been migrated to use OIDC for single sign-on by default. This int - `secrets.postgresql.umsAuthSessionUser`: For internal databases, set the secret for the database user here. If you are using an external database, you already provide these credentials in the New database step above. > [!note] -> The SAML Client for the Nubus portal is still preserved in Keycloak and will be removed in one of the next openDesk releases. +> The SAML Client for the Nubus portal is still preserved in Keycloak and is going to be removed with openDesk 1.10.0. #### New application default: XWiki blocks self-registration of user accounts diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl index 1a865d11..403ba0e5 100644 --- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl +++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl 
@@ -84,7 +84,7 @@ config: managed: clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ] - clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', 'UMC OIDC', '${client_account}', + clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC OIDC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ] keycloak: From 8de0f5de7277ad726588d7de2d06cb3e9376c993 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Fri, 7 Nov 2025 07:32:49 +0100 Subject: [PATCH 04/28] fix(collabora): Update from 25.04.5 to 25.04.6 --- README.md | 2 +- .../default-enterprise-overrides/images.yaml.gotmpl | 2 +- helmfile/environments/default/images.yaml.gotmpl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b757bf87..66d9572f 100644 --- a/README.md +++ b/README.md 
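Review bot: Dropping `'UMC'` from `managed.clients` leaves it unclear what happens to the legacy SAML client in realms that already contain it, because nothing in the hunk says what being listed under `managed` implies. If removal from the list only stops the bootstrap from tracking the client, the SAML client stays in Keycloak as an unused login path. The migration note in this patch announces its removal with openDesk 1.10.0, so this should be checked on an upgraded deployment rather than a fresh one. I would add a comment above the list such as `# 'UMC' (SAML) intentionally not listed: Portal/UMC use the 'UMC OIDC' client`, together with one line stating the effect of being listed. The `managed:` mapping starts outside the hunk.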
@@ -43,7 +43,7 @@ openDesk currently features the following functional main components: | Portal & IAM | Nubus | AGPL-3.0-or-later | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html) | | Project management | OpenProject | GPL-3.0-only | [16.6.0](https://www.openproject.org/docs/release-notes/16-6-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) | | Videoconferencing | Jitsi | Apache-2.0 | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) | -| Weboffice | Collabora | MPL-2.0 | [25.04.5](https://www.collaboraoffice.com/code-25-04-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) | +| Weboffice | Collabora | MPL-2.0 | [25.04.6](https://www.collaboraoffice.com/code-25-04-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) | While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to align the applications with best practices regarding container design and operations. diff --git a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl index 64a839be..a05893d4 100644 --- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl +++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl 
@@ -5,7 +5,7 @@ images: collabora: registry: "registry.opencode.de" repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk" - tag: "25.04.5.3.1@sha256:d22407cd3bd83dd832f986a697d81c1a4642f55129c76a5a20e637274ce7bf62" + tag: "25.04.6.3.1@sha256:9ea79433e71db3b9056f47a0c8324a3a4f23f78b2412222991abf63969a714f1" dovecot: registry: "registry.opencode.de" repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro" diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index 20da9f04..55f6257e 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl @@ -50,7 +50,7 @@ images: # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk" registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk" - tag: "25.04.5.3.1@sha256:0e1ccf43308121c657936510de27244057c3826777a491495a0f7e55a196bc59" + tag: "25.04.6.3.1@sha256:ade67ba25db8909308a0f498364c62172b482dfc1b4f80e33c1b01f7c164d8ac" collaboraController: # Enterprise Component # providerCategory: "Supplier" From d25c95f06bc199d09aa6ea4dc09c10e95153de38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Mon, 17 Nov 2025 07:54:20 +0100 Subject: [PATCH 05/28] fix(collabora): Update Controller to 1.1.6 incl. Helm chart update to 1.1.10 --- helmfile/apps/collabora/values.yaml.gotmpl | 2 +- helmfile/environments/default/charts.yaml.gotmpl | 2 +- helmfile/environments/default/images.yaml.gotmpl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/helmfile/apps/collabora/values.yaml.gotmpl b/helmfile/apps/collabora/values.yaml.gotmpl index 1dc60831..fc989e36 100644 --- a/helmfile/apps/collabora/values.yaml.gotmpl +++ b/helmfile/apps/collabora/values.yaml.gotmpl 
@@ -35,7 +35,7 @@ collabora: {{- end }} {{- if .Values.apps.collaboraController.enabled }} --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken - --o:monitors.monitor[0]=ws://collabora-controller-cool-controller:9000/controller/ws + --o:monitors.monitor[0]=ws://collabora-controller-cool-controller.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:9000/controller/ws --o:monitors.monitor[0][@retryInterval]=5 {{- end }} username: "collabora-internal-admin" diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index 33ece677..78b3c29e 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -65,7 +65,7 @@ charts: registry: "registry.opencode.de" repository: "zendis/opendesk-enterprise/components/supplier/collabora/charts-mirror" name: "cool-controller" - version: "1.1.6" + version: "1.1.10" verify: false cryptpad: # providerCategory: "Supplier" diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index 55f6257e..ccaaf401 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl @@ -57,7 +57,7 @@ images: # providerResponsible: "Collabora" registry: "registry.opencode.de" repository: "zendis/opendesk-enterprise/components/supplier/collabora/images-mirror/cool-controller" - tag: "1.1.3@sha256:552b63fd748ec873bd286c4d9ea0cf675f349f35a9ca2a69d2962336e4bc5f83" + tag: "1.1.6@sha256:7935f21bf75cdddbbbd01754d8d0458014a68ab64b08121c8fca7a2715e0d85b" cryptpad: # providerCategory: "Supplier" # providerResponsible: "XWiki" From 12379d67e07936496fe31276b2052406e0137db6 Mon Sep 17 00:00:00 2001 
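Review bot: The new monitor URL in the `collaboraController.enabled` branch interpolates `.Values.cluster.networking.domain` without a guard, so an empty value would render a host ending in `.svc.` and the monitor connection would fail at runtime instead of at template time. If the environment files do not guarantee a default (not visible here), fail early with `{{ required "cluster.networking.domain must be set" .Values.cluster.networking.domain }}` in place of the bare reference. The URL also stays on plain `ws://`, so a short comment stating that this endpoint is cluster-internal only would tell operators not to expose port 9000 beyond the namespace. The surrounding option list starts and ends outside the hunk.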
From: Norbert Tretkowski Date: Wed, 19 Nov 2025 07:38:58 +0100 Subject: [PATCH 06/28] feat(nubus): Update from v1.14.0 to v1.15.2 --- README.md | 2 +- docs/migrations.md | 49 ++++++++++---- helmfile/apps/nubus/values-nubus.yaml.gotmpl | 65 ++++--------------- .../environments/default/charts.yaml.gotmpl | 2 +- .../environments/default/images.yaml.gotmpl | 64 +++++++++--------- .../default/persistence.yaml.gotmpl | 1 + .../default/technical.yaml.gotmpl | 17 +++++ 7 files changed, 101 insertions(+), 99 deletions(-) diff --git a/README.md b/README.md index 66d9572f..1e6736b8 100644 --- a/README.md +++ b/README.md 
@@ -40,7 +40,7 @@ openDesk currently features the following functional main components: | File management | Nextcloud | AGPL-3.0-or-later | [31.0.7](https://nextcloud.com/de/changelog/#31-0-7) | [Nextcloud 31](https://docs.nextcloud.com/) | | Groupware | OX App Suite | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend) | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/) | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) | | Knowledge management | XWiki | LGPL-2.1-or-later | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) | -| Portal & IAM | Nubus | AGPL-3.0-or-later | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html) | +| Portal & IAM | Nubus | AGPL-3.0-or-later | [1.15.2](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.15.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html) | | Project management | OpenProject | GPL-3.0-only | [16.6.0](https://www.openproject.org/docs/release-notes/16-6-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) | | Videoconferencing | Jitsi | Apache-2.0 | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) | | Weboffice | Collabora | MPL-2.0 | [25.04.6](https://www.collaboraoffice.com/code-25-04-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) | diff --git a/docs/migrations.md b/docs/migrations.md index 4f9494c9..7e617b79 100644 --- a/docs/migrations.md 
+++ b/docs/migrations.md @@ -14,6 +14,9 @@ SPDX-License-Identifier: Apache-2.0 * [Pre-upgrade to versions ≥ v1.9.0](#pre-upgrade-to-versions--v190) * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases) * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients) + * [Versions ≥ v1.10.0](#versions--v1100) + * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100) + * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed) * [Versions ≥ v1.8.0](#versions--v180) * [Pre-upgrade to versions ≥ v1.8.0](#pre-upgrade-to-versions--v180) * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users) 
@@ -143,19 +146,20 @@ matching that constraint, though our links always point to the newest patch rele > 1. Upgrade to v1.7.1 → post steps for v1.6.0 to v1.7.1 -| Version | Mandatory | Pre-Upgrade | Post-Upgrade | Minimum Required Previous Version | -|-----------------------------------------------------------------------------------------|-----------|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|----------------------------------------------| -| [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | [Pre](#pre-upgrade-to-versions--v190) | -- | ⬇ Install ≥ v1.5.0 first | -| [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0) | -- | [Pre](#pre-upgrade-to-versions--v180) | -- | ⬇ Install ≥ v1.5.0 first | -| [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1) | -- | [Pre](#pre-upgrade-to-versions--v170) | [Post](#post-upgrade-to-versions--v170) | ⬇ Install ≥ v1.5.0 first | -| [v1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.6.0) | -- | [Pre](#pre-upgrade-to-versions--v160) | [Post](#post-upgrade-to-versions--v160) | [⚠ Install v1.5.0 first](#versions--v160-automated) | -| [v1.5.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.5.0) | **yes** | -- | -- | ⬇ Install ≥ v1.1.x first | -| [v1.4.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.4.1) | -- | [Pre](#pre-upgrade-to-versions--v140) | -- | ⬇ Install ≥ v1.1.x first | -| [v1.3.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.3.2) | -- | [Pre](#pre-upgrade-to-versions--v130) | -- | ⬇ Install ≥ v1.1.x first | -| [v1.2.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.2.1) | -- | [Pre](#pre-upgrade-to-versions--v120) | -- | [⚠ Install v1.1.x 
first](#versions--v120-automated) | -| [v1.1.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.1.2) | **yes** | [Pre .0](#pre-upgrade-to-versions--v110) → [Pre .1](#pre-upgrade-to-versions--v111) → [Pre .2](#pre-upgrade-to-versions--v112) | [Post](#post-upgrade-to-versions--v110) | [⚠ Install v1.0.0 first](#versions--v110-automated) | -| [v1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.0.0) | **yes** | [Pre](#pre-upgrade-to-versions--v100) | [Post](#post-upgrade-to-versions--v100) | [⚠ Install v0.9.0 first](#versions--v100-automated) | -| [v0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v0.9.0) | **yes** | -- | -- | -- | +| Version | Mandatory | Pre-Upgrade | Post-Upgrade | Minimum Required Previous Version | +| ---------------------------------------------------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------- | ---------------------------------------------------- | +| [v1.10.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | [Pre](#pre-upgrade-to-versions--v1100) | -- | ⬇ Install ≥ v1.5.0 first | +| [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | [Pre](#pre-upgrade-to-versions--v190) | -- | ⬇ Install ≥ v1.5.0 first | +| [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0) | -- | [Pre](#pre-upgrade-to-versions--v180) | -- | ⬇ Install ≥ v1.5.0 first | +| [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1) | -- | [Pre](#pre-upgrade-to-versions--v170) | [Post](#post-upgrade-to-versions--v170) | ⬇ Install ≥ v1.5.0 first | +| [v1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.6.0) | -- | [Pre](#pre-upgrade-to-versions--v160) | 
[Post](#post-upgrade-to-versions--v160) | [⚠ Install v1.5.0 first](#versions--v160-automated) | +| [v1.5.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.5.0) | **yes** | -- | -- | ⬇ Install ≥ v1.1.x first | +| [v1.4.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.4.1) | -- | [Pre](#pre-upgrade-to-versions--v140) | -- | ⬇ Install ≥ v1.1.x first | +| [v1.3.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.3.2) | -- | [Pre](#pre-upgrade-to-versions--v130) | -- | ⬇ Install ≥ v1.1.x first | +| [v1.2.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.2.1) | -- | [Pre](#pre-upgrade-to-versions--v120) | -- | [⚠ Install v1.1.x first](#versions--v120-automated) | +| [v1.1.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.1.2) | **yes** | [Pre .0](#pre-upgrade-to-versions--v110) → [Pre .1](#pre-upgrade-to-versions--v111) → [Pre .2](#pre-upgrade-to-versions--v112) | [Post](#post-upgrade-to-versions--v110) | [⚠ Install v1.0.0 first](#versions--v110-automated) | +| [v1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.0.0) | **yes** | [Pre](#pre-upgrade-to-versions--v100) | [Post](#post-upgrade-to-versions--v100) | [⚠ Install v0.9.0 first](#versions--v100-automated) | +| [v0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v0.9.0) | **yes** | -- | -- | -- | > [!warning] > Be sure to check out the table in the release version you are going to install, and not the currently installed version. 
@@ -211,6 +215,25 @@ Additionally, it is now possible to explicitly define the hostnames shown in the If these values are not explicitly set, openDesk will use `.Values.global.domain` as in previous releases. +## Versions ≥ v1.10.0 + +### Pre-upgrade to versions ≥ v1.10.0 + +### New Helmfile default: Nubus provisioning debug container no longer deployed + +**Target group:** All deployments that make use of the debugging container for Nubus' provisioning stack called "nats-box", + +The [nats-box](https://github.com/nats-io/nats-box), a handy tool when it comes to debugging the Nubus provisioning stack, is no longer enabled in openDesk by default. + +To re-enable the nats-box for your deployment you have to set: +``` +technical.nubus.provisioning.nats.natsBox.enabled: true +``` + +> [!note] +> The nats-box also gets enabled when setting `debug.enabled: true`, but that should only be used in non-production scenarios and enabled debug +> accross the whole deployment. + ## Versions ≥ v1.8.0 ### Pre-upgrade to versions ≥ v1.8.0 diff --git a/helmfile/apps/nubus/values-nubus.yaml.gotmpl b/helmfile/apps/nubus/values-nubus.yaml.gotmpl index f6f81890..fcbd6dfc 100644 --- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl +++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl 
@@ -183,20 +183,12 @@ keycloak: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }} repository: {{ .Values.images.nubusKeycloak.repository }} tag: {{ .Values.images.nubusKeycloak.tag }} - # NOTE: The subchart "keycloak" does not yet support - # "global.imagePullPolicy". The local configuration can be removed once it - # does have this feature. - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} ingress: enabled: false keycloak: auth: username: "kcadmin" - # TODO: Pending secrets refactoring to be able to provide the value directly - existingSecret: - name: "ums-opendesk-keycloak-credentials" - keyMapping: - adminPassword: "admin_password" + password: {{ .Values.secrets.keycloak.adminPassword | quote }} login: messages: de: @@ -448,12 +440,6 @@ nubusKeycloakExtensions: keycloak: auth: username: "kcadmin" - # TODO: Pending secrets refactoring in component chart. This will refer to - # the secret generated by the keycloak subchart. - existingSecret: - name: "ums-opendesk-keycloak-credentials" - keyMapping: - adminPassword: "admin_password" proxy: additionalAnnotations: {{ .Values.annotations.nubusKeycloakExtensions.proxyAdditional | toYaml | nindent 6 }} 
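Review bot: The Keycloak admin password is now set inline as `password: {{ .Values.secrets.keycloak.adminPassword | quote }}` under `keycloak.keycloak.auth`, but the `nubusKeycloakExtensions` hunk (-448) and the `nubusKeycloakBootstrap` hunk (-1631) drop `existingSecret` without adding any credential, and the -1674 hunk deletes the `ums-opendesk-keycloak-credentials` Secret they used to read. Nothing in these hunks shows where the extensions and the bootstrap job now obtain the admin password, so this presumably relies on a Secret the updated Nubus chart derives from the `keycloak` values. That should be confirmed on an upgrade of an existing release, where the old Secret disappears, and not only on a fresh install. Once verified, I would document it next to each bare `username: "kcadmin"`, for example `# admin password comes from the Secret the keycloak subchart creates from keycloak.keycloak.auth.password`. The `keycloak:` mappings start and end outside the hunks.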
@@ -461,13 +447,6 @@ nubusKeycloakExtensions: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }} repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }} tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }} - # NOTE: The subchart "keycloak-extensions" does not yet support - # "global.imagePullPolicy". - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - # NOTE: Remove once the keycloak-extensions subchart respects - # "global.imagePullSecrets". - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} ingress: annotations: nginx.org/proxy-buffer-size: "8k" @@ -563,13 +542,6 @@ nubusKeycloakExtensions: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }} repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }} tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }} - # NOTE: The subchart "keycloak-extensions" does not yet support - # "global.imagePullPolicy". - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} - # NOTE: Remove once the keycloak-extensions subchart respects - # "global.imagePullSecrets". - imagePullSecrets: - {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }} podAnnotations: intents.otterize.com/service-name: "ums-keycloak-extensions-handler" {{- with .Values.annotations.nubusKeycloakExtensions.handlerPod }} @@ -622,7 +594,7 @@ nubusPortalConsumer: replicaCount: {{ .Values.replicas.umsPortalConsumer }} resources: {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }} - resourcesWaitForDependency: + initResources: {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }} containerSecurityContext: seccompProfile: 
@@ -1021,11 +993,13 @@ nubusProvisioning: {{- with .Values.annotations.nubusProvisioning.natsAdditional }} {{ . | toYaml | nindent 6 }} {{- end }} - auth: - adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote }} config: cluster: replicas: {{ .Values.replicas.umsProvisioningNats }} + createUsers: + adminUser: + auth: + password: {{ .Values.secrets.nats.natsAdminPassword | quote }} containerSecurityContext: allowPrivilegeEscalation: false capabilities: @@ -1045,19 +1019,12 @@ nubusProvisioning: registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }} repository: {{ .Values.images.nubusNats.repository }} tag: {{ .Values.images.nubusNats.tag }} - # NOTE: The subchart does not yet fully support - # "global.imagePullPolicy". This can be removed once the subchart has - # been adjusted. - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} natsBox: + enabled: {{ or .Values.technical.nubus.provisioning.nats.natsBox.enabled .Values.debug.enabled }} image: registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }} repository: {{ .Values.images.nubusNatsBox.repository }} tag: {{ .Values.images.nubusNatsBox.tag }} - # NOTE: The subchart does not yet fully support - # "global.imagePullPolicy". This can be removed once the subchart has - # been adjusted. - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} persistence: size: {{ .Values.persistence.storages.nubusProvisioningNats.size }} # storageClassName: -- coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote -- 
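Review bot: `natsBox.enabled` is computed as `or .Values.technical.nubus.provisioning.nats.natsBox.enabled .Values.debug.enabled`, but the line carries no comment saying that the global debug flag also deploys a debugging container next to the provisioning NATS. I would document that at the key: `# Debug tooling for the provisioning NATS; off by default, also switched on by debug.enabled (non-production only).` The default for `technical.nubus.provisioning.nats.natsBox.enabled` is not visible in this chunk, so it is worth confirming that the template still renders when an environment does not define that path. The `natsBox:` mapping continues outside the hunk.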
@@ -1219,6 +1186,8 @@ nubusSelfServiceConsumer: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }} repository: {{ .Values.images.nubusSelfServiceConsumer.repository }} tag: {{ .Values.images.nubusSelfServiceConsumer.tag }} + initResources: + {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }} podAnnotations: intents.otterize.com/service-name: "ums-selfservice-listener" {{- with .Values.annotations.nubusSelfserviceConsumer.pod }} @@ -1229,8 +1198,6 @@ nubusSelfServiceConsumer: password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}} resources: {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }} - resourcesWaitForDependency: - {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }} replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }} serviceAccount: annotations: @@ -1291,6 +1258,7 @@ nubusStackDataUms: host: {{ .Values.cache.umsSelfservice.host | quote }} postgresql: auth: + database: {{ .Values.databases.umsSelfservice.name | quote }} username: {{ .Values.databases.umsSelfservice.username | quote }} connection: host: {{ .Values.databases.umsSelfservice.host | quote }} @@ -1485,7 +1453,9 @@ nubusUmcServer: bundled: false server: {{ .Values.cache.umsSelfservice.host | quote }} auth: - password: "" + # The memcached connection is not authenticated in openDesk but the umc-server pod needs a secret it can mount. + password: "stub-value" + existingSecret: null podAnnotations: intents.otterize.com/service-name: "ums-umc-server" {{- with .Values.annotations.nubusUmcServer.pod }} 
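Review bot: `password: "stub-value"` in the `nubusUmcServer` memcached `auth` block (hunk -1485) puts a fixed, publicly known string into a rendered Secret, and the added comment only explains why a Secret has to exist. I would extend the comment so the placeholder cannot later be mistaken for a credential: `# Placeholder only: memcached auth is not used in openDesk. Replace with a value from .Values.secrets.* before enabling memcached authentication.` Because the connection is unauthenticated, access to the memcached service has to be limited by other means such as network policy, and nothing in this hunk shows whether it is. The parent of the `auth:` mapping starts outside the hunk.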
@@ -1631,15 +1601,9 @@ nubusKeycloakBootstrap: registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }} repository: {{ .Values.images.nubusKeycloakBootstrap.repository }} tag: {{ .Values.images.nubusKeycloakBootstrap.tag }} - # NOTE: The subchart does not yet fully support - # "global.imagePullPolicy". This can be removed once the subchart has - # been adjusted. - imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }} keycloak: auth: username: "kcadmin" - existingSecret: - name: "ums-opendesk-keycloak-credentials" ldap: auth: bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }} @@ -1674,9 +1638,6 @@ extraSecrets: - name: "ums-opendesk-guardian-client-secret" stringData: managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }} - - name: "ums-opendesk-keycloak-credentials" - stringData: - admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }} - name: "ums-keycloak-postgresql-opendesk-credentials" stringData: keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }} diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index 78b3c29e..1253dd8f 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -321,7 +321,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/charts-mirror" name: "nubus" - version: "1.14.0" + version: "1.15.2" verify: true opendeskAlerts: # providerCategory: "Platform" diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index ccaaf401..231626c6 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl 
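Review bot: After this change `keycloak.auth` in `nubusKeycloakBootstrap` keeps `username: "kcadmin"` but no longer references `ums-opendesk-keycloak-credentials`, and the second hunk on this line removes that entry from `extraSecrets`, so nothing visible here supplies the admin password any more. If the bumped chart now generates or looks up that credential itself, `.Values.secrets.keycloak.adminPassword` may no longer be the effective password, and operators who set it need a line in the migration notes. I would at least record the new source next to the username, e.g. `# kcadmin password: provided by <chart mechanism>, no longer via ums-opendesk-keycloak-credentials`, with the placeholder filled in from the chart's documentation. Both blocks continue outside the hunks, so a replacement may exist in lines not shown.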
@@ -380,7 +380,7 @@ images: # upstreamMirrorStartFrom: ["0", "34", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/blocklist-cleanup" - tag: "0.40.0@sha256:1b4d388196b144327bc55376225675b1df8d23fdaffc85bb9e350c3c94fa0eb5" + tag: "0.41.4@sha256:6313e41aaebb6904ca461896ac9633eb05b33bf30b87d83d81852935e8cf0302" nubusDataLoader: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -390,7 +390,7 @@ images: # upstreamMirrorStartFrom: ["0", "41", "5"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader" - tag: "0.99.0@sha256:52ef05c1e682e6c706f70632206be1b427a1a346a32ae3bff1566386f75e68af" + tag: "0.99.20@sha256:37af6f2a8ed7b5156e01f126c83797c70485353673d92b60d904af97bd309b0c" nubusGuardianAuthorizationApi: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -400,7 +400,7 @@ images: # upstreamMirrorStartFrom: ["1", "0", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-authorization-api" - tag: "2.0.0@sha256:5f194f9385aea5a279e25a57352f7b88a6cc4fa90b3bf04c2c97b9ff2bad70a5" + tag: "3.0.0@sha256:d2849b25ddd0322e1bef6c1e7b16f59fb63f35b0924f99f200bc22de834d9a2d" nubusGuardianManagementApi: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -410,7 +410,7 @@ images: # upstreamMirrorStartFrom: ["1", "0", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-api-management-api" - tag: "2.0.0@sha256:61a1ab84efebe2a87d358e8624f8b39073a6071683e7cd77b740a97d464753a2" + tag: "3.0.0@sha256:f3c9af13d50632a7e2232f675408b5559fb9ca314b7babf367cf4db80b62ebea" nubusGuardianManagementUi: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -420,7 +420,7 @@ images: # upstreamMirrorStartFrom: ["1", "0", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-ui-management-ui" - tag: "2.0.0@sha256:57e2503a4772f0ff656e792a98fadef4d41c248218e6c368f76ce82a892478cf" + tag: "3.0.0@sha256:b90d496a323353c71e29938a6b1980655fb3aefe53bab455da865e3202b7f0f8" nubusGuardianProvisioning: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -440,7 +440,7 @@ images: # upstreamMirrorStartFrom: ["0", "0", "1"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak" - tag: "0.2.5@sha256:499006904d262bdd334b54583c359c7e34b521697d5fda32ea977d856bfa93d2" + tag: "0.4.1@sha256:482f3108ce775bb028cefa763a21d7af71b3d55e2e1800724ab9cabcd60ba2c6" nubusKeycloakBootstrap: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -450,7 +450,7 @@ images: # upstreamMirrorStartFrom: ["0", "1", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap" - tag: "0.17.5@sha256:08e2aa0bc0eb7b4bb80498e71ae21ee3de74eb985b46e7c3dd1502e96312d080" + tag: "0.19.10@sha256:29dbac967a71c11f2f2920a1a4c109b473fe5edf542a2f5b9dc843a4c0c29fe6" nubusKeycloakExtensionHandler: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -460,7 +460,7 @@ images: # upstreamMirrorStartFrom: ["0", "0", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler" - tag: "0.20.0@sha256:227c7cba4eee15c626abbc77ca06b8b61a9dece04c986a9fa2e97b13d0458fe0" + tag: "0.23.2@sha256:2a67c9ace51a610397776c17f3542231c9fbce411cfa56d9346b47f66478e416" nubusKeycloakExtensionProxy: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -470,7 +470,7 @@ images: # upstreamMirrorStartFrom: ["0", "0", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy" - tag: "0.20.0@sha256:bd075d33c16926ab4c123ac3a8673209664647f35324dfdebd95c6662ee05b2c" + tag: "0.23.2@sha256:03a05abd9b759ddf2fa537d61e09a54f1a772121f391e136000eeed44a254189" nubusLdapNotifier: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -480,7 +480,7 @@ images: # upstreamMirrorStartFrom: ["0", "8", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier" - tag: "0.47.0@sha256:1d00e0bb1575defce42c84eb5139b5b4f7d0942111b339044c2bdf58ed0b025e" + tag: "0.47.5@sha256:cc8edd9dfa3cf552396bc1ada9a8a18e2db33b53ab1705bfc392c4a423cfeb96" nubusLdapServer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -490,7 +490,7 @@ images: # upstreamMirrorStartFrom: ["0", "8", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server" - tag: "0.47.0@sha256:3be012680b2da2db4ac468ae948d8514622a245b4e3e00385bbf778e836720b1" + tag: "0.47.5@sha256:1a81ef8431aa6a7b021032ce57e5907e27c69dc6603b455793911a7d581889e8" nubusLdapServerDhInitContainer: # providerCategory: 'Community' # providerResponsible: 'Univention' @@ -498,7 +498,7 @@ images: # upstreamRepository: 'natsio/nats-box' registry: "registry-1.docker.io" repository: "natsio/nats-box" - tag: "0.16.0-nonroot@sha256:f486ca86dfc9b72a2310ea720994a94ce55e447ad01daccd2fb33d61f322dc51" + tag: "0.18.1-nonroot@sha256:ec2f58b953916b4804d6636bf6a625bab7894d1b71319bc7865b3e70ab5e3f6f" nubusLdapServerLeaderElector: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -508,7 +508,7 @@ images: # upstreamMirrorStartFrom: ["0", "29", "1"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector" - tag: "0.47.0@sha256:9b6754e7213f1fa13a12cb593bfe718643f6945ad111bbe1d5f71d7ce5729225" + tag: "0.47.5@sha256:abf2e9af9c8d22dde23144cb6344b5e9b0e39d778d28e70d97b0f1b82dd28a5d" nubusLdapUpdateUniventionObjectIdentifier: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -518,7 +518,7 @@ images: # upstreamMirrorStartFrom: ["0", "34", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-update-univention-object-identifier" - tag: "0.40.0@sha256:1ad952c039140ef1985712201f7bae7cbe9eba66086e0d3f475759e1c181b843" + tag: "0.41.4@sha256:c27e4d4cf5a15607c249c8d917e57f698d4d5388967c1ff6151185957eacb779" nubusNats: # providerCategory: 'Community' # providerResponsible: 'Univention' @@ -526,7 +526,7 @@ images: # upstreamRepository: 'library/nats' registry: "registry-1.docker.io" repository: "library/nats" - tag: "2.10.26@sha256:736d575e60135ce1d50fc206675d48d0e57dcaa0704f696f0cb4b5f6dadd49d7" + tag: "2.11.9@sha256:4e97bea2e69ffe4449cdc9b4c7fa707984aa9a4c090bf2faf5441cb6c97c99a4" nubusNatsBox: # providerCategory: 'Community' # providerResponsible: 'Univention' @@ -534,7 +534,7 @@ images: # upstreamRepository: 'natsio/nats-box' registry: "registry-1.docker.io" repository: "natsio/nats-box" - tag: "0.16.0-nonroot@sha256:f486ca86dfc9b72a2310ea720994a94ce55e447ad01daccd2fb33d61f322dc51" + tag: "0.18.1-nonroot@sha256:ec2f58b953916b4804d6636bf6a625bab7894d1b71319bc7865b3e70ab5e3f6f" nubusNatsReloader: # providerCategory: 'Community' # providerResponsible: 'Univention' 
@@ -542,7 +542,7 @@ images: # upstreamRepository: 'natsio/nats-server-config-reloader' registry: "registry-1.docker.io" repository: "natsio/nats-server-config-reloader" - tag: "0.17.1@sha256:f364bb8330d3430666ca09f17c6a43bfaefde32f0f3e79d4a41c588c29936e99" + tag: "0.18.3@sha256:41271dc1b9e1027867ee0e63aa2866c89ca8272a4f88991f6ebec34eb12dee3b" nubusNotificationsApi: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -552,7 +552,7 @@ images: # upstreamMirrorStartFrom: ["0", "9", "4"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api" - tag: "0.80.2@sha256:94b18841018cb7353a95a9c4ef2d5460f82a9ceb0bba97275b8064806e3e8a1c" + tag: "0.86.0@sha256:522c4d0a42d2c0b37219f5af4fba7fceb60d070719970ef2754a00ca916f67be" nubusOpendeskExtension: # providerCategory: "Platform" # providerResponsible: "openDesk" @@ -578,7 +578,7 @@ images: # upstreamMirrorStartFrom: ["1", "0", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-opa" - tag: "2.0.0@sha256:56a92a08da5addb951a2b2df09974889295ddde8526e93ad40dd973de1052ad4" + tag: "3.0.0@sha256:85539fb7854fac6ba1b874d639188ee0a33743dc16dad0113c54763f2984fc9d" nubusOxExtension: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -598,7 +598,7 @@ images: # upstreamMirrorStartFrom: ["0", "27", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer" - tag: "0.80.2@sha256:c719ada025e0ad629516017ed26803c15cee50572f45896b41a6b066b1fe593e" + tag: "0.86.0@sha256:80ed7c8300365a3dc4c504d4f0f4f8f1c3f9cfc883508a8ea794d63629a9b086" nubusPortalExtension: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -608,7 +608,7 @@ images: # upstreamMirrorStartFrom: ["0", "28", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension" - tag: "0.80.2@sha256:cde5547ef1c2d5da55fb41bdae7248ba8514ab4f200822709ca9a99f483a1cc8" + tag: "0.86.0@sha256:1799413fe8cbc6d9cb97656be95a99786a382a3558a7720b7fe62a38c84bdd22" nubusPortalFrontend: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -618,7 +618,7 @@ images: # upstreamMirrorStartFrom: ["0", "67", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend" - tag: "0.80.2@sha256:8b40acc66459058dc0cade33793aba2737cdc20ef75968ca2b21d9aa569c9ecc" + tag: "0.86.0@sha256:d4e34b42662dbd433dd5d647c6fcfa8f2a0d71fe65c0c6efeebe80d4f13b226d" nubusPortalServer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -628,7 +628,7 @@ images: # upstreamMirrorStartFrom: ["0", "9", "4"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server" - tag: "0.80.2@sha256:9a8f6950e7bf1086075d1c36ea0ad914a61e1198883e8d4926d688c88b8e67cc" + tag: "0.86.0@sha256:33a3a7d44fa084d74449dc8f7d5f5d2551b02abee16fe4ec6d4972e134c56906" nubusProvisioningDispatcher: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -638,7 +638,7 @@ images: # upstreamMirrorStartFrom: ["0", "14", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher" - tag: "0.60.10@sha256:6307e9e1ddad0e6f3285ca11b758902f8c377a5d3de6a59b3437accb8475848f" + tag: "0.63.0@sha256:3773333a12b786db6cea5fc0ecd5e74ba3f276ca084cd1ae8b6665bda86b72c1" nubusProvisioningEventsAndConsumerApi: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -648,7 +648,7 @@ images: # upstreamMirrorStartFrom: ["0", "14", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api" - tag: "0.60.10@sha256:9d5f4e4a2668605349fa6cd6973c7a6acbc2ef95a37e72834c6525ac9e464740" + tag: "0.63.0@sha256:c1687ff385d5bd30e0590472f02de85a3f182b75dc4edd5cf9d063e1db488b4d" nubusProvisioningPrefill: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -658,7 +658,7 @@ images: # upstreamMirrorStartFrom: ["0", "14", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill" - tag: "0.60.10@sha256:8ea46658e66fb5be81968dcf00397b741f61d4fd84c8210b9761412e67109cd0" + tag: "0.63.0@sha256:b93400fecc19bba79ae0f0498b07d18bf9ffb0fc03b9ed25a18f3b6d3be9cc9d" nubusProvisioningUdmListener: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -668,7 +668,7 @@ images: # upstreamMirrorStartFrom: ["0", "14", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener" - tag: "0.60.10@sha256:fb0d96fa7b382b7d8eec9e262711e1291a0991ade185b39ee604400d4bd5fa9b" + tag: "0.63.0@sha256:6dcb696920137973b24f90bb8f6045c2dffd8bc201b0cc62aed43e1a01e5aa0e" nubusProvisioningUdmTransformer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -678,7 +678,7 @@ images: # upstreamMirrorStartFrom: ["0", "14", "0"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer" - tag: "0.60.10@sha256:62b98f3e2c19de298878f5679577bfcbddacec742015d6f20b998a549318e810" + tag: "0.63.0@sha256:da5486cf5d6a30e7d95270db8a6735c82813805e7bce882ff51a2f47faad086f" nubusSelfServiceConsumer: # providerCategory: "Supplier" # providerResponsible: "Univention" 
@@ -688,7 +688,7 @@ images: # upstreamMirrorStartFrom: ["0", "3", "2"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation" - tag: "0.19.4@sha256:ca9865114fd35fcc1dbe1a5660a3b69d04a8f568cf15286069342e45f0c7ea91" + tag: "0.19.31@sha256:b6d1a145e8a3f43b54be1d7d737da1527347e93c9894943c17469cd153f77ccf" nubusUdmRestApi: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -698,7 +698,7 @@ images: # upstreamMirrorStartFrom: ["0", "9", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api" - tag: "0.40.0@sha256:7d39c0defda20fc58da19389216d9a80f479a731dca682d834dd8bd00b80e20f" + tag: "0.41.4@sha256:d3476100f4174d991faa43ce20630175a1fc33011258887dd52bafad1e779189" nubusUmcGateway: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -708,7 +708,7 @@ images: # upstreamMirrorStartFrom: ["0", "7", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway" - tag: "0.51.2@sha256:c76860852133b9bbc91eb6d81a6592a5f451be9234376933ddb4d827e0f08515" + tag: "0.53.5@sha256:7044228155c8fcb939684855d5b405dd1b066d91c8a5df75676518d88e140ab3" nubusUmcServer: # providerCategory: "Supplier" # providerResponsible: "Univention" @@ -718,7 +718,7 @@ images: # upstreamMirrorStartFrom: ["0", "7", "3"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server" - tag: "0.51.3@sha256:00f8cc2e7ee98d3988b1db924ca67783e9a645204ae2c388c7afadc50f22bb12" + tag: "0.53.5@sha256:1ec839c07492b2f1d6897643b71c284aa2d507cd05f1a0f1696dfdff1885eb20" nubusUmcServerProxy: # providerCategory: "Supplier" # providerResponsible: "Univention" diff --git a/helmfile/environments/default/persistence.yaml.gotmpl b/helmfile/environments/default/persistence.yaml.gotmpl index 4cf3fb2f..8ca43cb1 100644 
--- a/helmfile/environments/default/persistence.yaml.gotmpl +++ b/helmfile/environments/default/persistence.yaml.gotmpl @@ -34,6 +34,7 @@ persistence: size: "1Gi" storageClassName: ~ nubusProvisioningNats: + # For production and load test environments "10Gi" is recommended. size: "1Gi" storageClassName: ~ # This option was introduced with openDesk 1.6. For now we want to use the Helm charts default empty string diff --git a/helmfile/environments/default/technical.yaml.gotmpl b/helmfile/environments/default/technical.yaml.gotmpl index 832ef73f..0c200e7d 100644 --- a/helmfile/environments/default/technical.yaml.gotmpl +++ b/helmfile/environments/default/technical.yaml.gotmpl @@ -2,10 +2,27 @@ # SPDX-License-Identifier: Apache-2.0 --- technical: + # Collabora related technical settings collabora: # Defines the value for the start parameter `-o:num_prespawn_children` numPrespawnChildren: 4 + + # Nubus related settings + nubus: + # Nubus provisioning framework that is being used to actively provision data internally within + # Nubus e.g. for the portal or self service as well as externally, e.g. to OX App Suite. + provisioning: + # NATS including NATS JetStream is the queueing used by Nubus' provisioning. + # Ref.: https://nats.io/about/ + nats: + # The NATS Box is a container for debugging NATS messages using a CLI tool. + # Ref.: https://github.com/nats-io/nats-box + natsBox: + # Enable the NATS Box container for the deployment. Will also be enabled in case of + # `.Values.debug.enabled: true` + enabled: false + # Groupware related technical settings oxAppSuite: provisioning: From 850761e0475b2f281fb23f6972d5c74fbdaa3a61 Mon Sep 17 00:00:00 2001 
From: Thomas Kaltenbrunner Date: Tue, 18 Nov 2025 16:12:06 +0100 Subject: [PATCH 07/28] fix(open-xchange): Update Dovecot configuration based on supplier's best practise review --- docs/migrations.md | 14 ++++++++++++++ .../values-dovecot-enterprise.yaml.gotmpl | 2 ++ .../charts.yaml.gotmpl | 2 +- helmfile/environments/default/charts.yaml.gotmpl | 2 +- helmfile/environments/default/secrets.yaml.gotmpl | 1 + 5 files changed, 19 insertions(+), 2 deletions(-) diff --git a/docs/migrations.md b/docs/migrations.md index 7e617b79..be933382 100644 --- a/docs/migrations.md +++ b/docs/migrations.md @@ -175,6 +175,20 @@ If you would like more details about the automated migrations, please read secti > listed no extra manual steps are required when upgrading to that version, e.g. in the case of an update from > version 1.7.0 to version 1.7.1. +## Versions ≥ v1.10.0 + +### Post-upgrade to versions ≥ v1.10.0 + +#### Fix: Optimize indexes + +**Target group:** All openDesk Enterprise deployments. + +FTS indexes need to be rebuilt. Run the following command inside the dovecot container: + +```shell +set -x; for d in /var/lib/dovecot/*/*; do uuid=$(basename "$d"); [[ $uuid =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]] || continue; doveadm fts rescan -u "$uuid"; doveadm index -u "$uuid" -q '*'; done +``` + ## Versions ≥ v1.9.0 ### Pre-upgrade to versions ≥ v1.9.0 diff --git a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl index 8cebc132..033fc768 100644 --- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl 
@@ -33,6 +33,8 @@ dovecot: password: value: {{ .Values.databases.dovecotACL.password | default .Values.secrets.cassandra.dovecotACLUser | quote }} keyspace: {{ .Values.databases.dovecotACL.name | quote }} + masterPassword: + value: {{ .Values.secrets.dovecot.sharedMailboxesMasterPassword | quote }} objectStorage: bucket: {{ .Values.objectstores.dovecot.bucket | quote }} encryption: diff --git a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl index 0a8cbbd5..630e4fa3 100644 --- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl +++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl @@ -6,7 +6,7 @@ charts: registry: "registry.opencode.de" repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro" name: "dovecot" - version: "3.2.0-authcache" + version: "3.2.1" verify: true oxAppSuite: registry: "registry.opencode.de" diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index 1253dd8f..86c56ca8 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -97,7 +97,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot" name: "dovecot" - version: "3.2.0" + version: "3.2.1" verify: true element: # providerCategory: "Platform" diff --git a/helmfile/environments/default/secrets.yaml.gotmpl b/helmfile/environments/default/secrets.yaml.gotmpl index 5c55b69d..7d19de1d 100644 --- a/helmfile/environments/default/secrets.yaml.gotmpl +++ b/helmfile/environments/default/secrets.yaml.gotmpl 
@@ -122,6 +122,7 @@ secrets: password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "redis" "password" | sha1sum | quote }} dovecot: doveadm: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dovecot" "doveadm" | sha1sum | quote }} + sharedMailboxesMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dovecot" "sharedMailboxesMasterPassword" | sha1sum | quote }} xwiki: superadminpassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "xwiki" "superadminpassword" | sha1sum | quote }} intercom: From f3f707c9eee8edf3ad61834d87b5c059f31b0e26 Mon Sep 17 00:00:00 2001 From: Thomas Kaltenbrunner Date: Thu, 6 Nov 2025 09:52:52 +0100 Subject: [PATCH 08/28] fix(open-xchange): Optimize Dovecot Pro full-text search caches; review `migrations.md` for required upgrade steps --- docs/data-storage.md | 1 + .../values-dovecot-enterprise.yaml.gotmpl | 3 +++ .../environments/default/persistence.yaml.gotmpl | 2 ++ helmfile/environments/default/technical.yaml.gotmpl | 12 ++++++++++++ 4 files changed, 18 insertions(+) diff --git a/docs/data-storage.md b/docs/data-storage.md index 87b15d4b..29906ecf 100644 --- a/docs/data-storage.md +++ b/docs/data-storage.md 
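Review bot: The new `sharedMailboxesMasterPassword` is derived from `env "MASTER_PASSWORD" | default "sovereign-workplace"`, so a deployment that never sets `MASTER_PASSWORD` ends up with a value that can be recomputed from this repository. That follows the neighbouring entries, but this one is wired into Dovecot's `masterPassword` in `values-dovecot-enterprise.yaml.gotmpl`, and a Dovecot master password normally grants access to other users' mailboxes, so the fallback weighs more here. Consider failing closed for this entry, as the Dovecot values file already does with `requiredEnv "DOVECOT_CRYPT_PRIVATE_KEY"`: `sharedMailboxesMasterPassword: {{ derivePassword 1 "long" (requiredEnv "MASTER_PASSWORD") "dovecot" "sharedMailboxesMasterPassword" | sha1sum | quote }}`. If the default has to stay for test setups, add `# Predictable unless MASTER_PASSWORD is set; must be overridden in production.` above the line.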
@@ -70,6 +70,7 @@ XWiki,PersistentVolume,1 | -------------------- | ------------ | -------- | --------------------------------------------------------------------------------- | ---------------------------------------------- | --------------------------------------------------------------------------------------------------------- | | **ClamAV** | PVC | No | ClamAV Database | `clamav-database-clamav-simple-0` | `/var/lib/clamav` | | **Dovecot** | PVC | Yes | openDesk CE only: User mail directories | `dovecot` | `/srv/mail` | +| | PVC | No | openDesk EE only: Metacache directory | `var-lib-dovecot-dovecot-0` | `/var/lib/dovecot` | | | S3 | Yes | openDesk EE only: User mail | `dovecot` | `dovecot` | | | Cassandra | Yes | openDesk EE only: Metadata and ACLs | `dovecot_dictmap`, `dovecot_acl` | | | **Element/Synapse** | PostgreSQL | Yes | Application's main database | `matrix` | | diff --git a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl index 033fc768..1632f8ba 100644 --- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl 
@@ -37,11 +37,14 @@ dovecot: value: {{ .Values.secrets.dovecot.sharedMailboxesMasterPassword | quote }} objectStorage: bucket: {{ .Values.objectstores.dovecot.bucket | quote }} + cacheTmpfs: {{ if .Values.technical.dovecot.objectStorage.cacheTmpfs }}true{{ else }}false{{ end }} encryption: privateKey: value: {{ requiredEnv "DOVECOT_CRYPT_PRIVATE_KEY" | quote }} publicKey: value: {{ requiredEnv "DOVECOT_CRYPT_PUBLIC_KEY" | quote }} + fsCacheSize: {{ .Values.technical.dovecot.objectStorage.fsCacheSize | quote }} + ftsCacheSize: {{ .Values.technical.dovecot.objectStorage.ftsCacheSize | quote }} fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }} username: {{ .Values.objectstores.dovecot.username | quote }} password: diff --git a/helmfile/environments/default/persistence.yaml.gotmpl b/helmfile/environments/default/persistence.yaml.gotmpl index 8ca43cb1..ab3b2527 100644 --- a/helmfile/environments/default/persistence.yaml.gotmpl +++ b/helmfile/environments/default/persistence.yaml.gotmpl @@ -16,6 +16,8 @@ persistence: size: "1Gi" storageClassName: ~ dovecot: + # With Dovecot CE this is used for the mail storage. + # Dovecot Pro (EE) uses this storage for the metacache, size: "1Gi" storageClassName: ~ mariadb: diff --git a/helmfile/environments/default/technical.yaml.gotmpl b/helmfile/environments/default/technical.yaml.gotmpl index 0c200e7d..da14afe5 100644 --- a/helmfile/environments/default/technical.yaml.gotmpl +++ b/helmfile/environments/default/technical.yaml.gotmpl 
@@ -8,6 +8,18 @@ technical: # Defines the value for the start parameter `-o:num_prespawn_children` numPrespawnChildren: 4 + # Dovecot EE related settings + dovecot: + objectStorage: + # Size of objectstore fs cache + fsCacheSize: "2G" + # Size of fts cache + ftsCacheSize: "2G" + # Wether fs and fts cache should reside in RAM (tmpfs) or not + # If this value is true, the cache sizes of the fs cache + fts cache + # must be considered additionally to Dovecot's memory footprint. + cacheTmpfs: false + # Nubus related settings nubus: # Nubus provisioning framework that is being used to actively provision data internally within From 7b592a24b0b212f38f4f133f7bb561ccff3dc310 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Wed, 19 Nov 2025 17:16:50 +0100 Subject: [PATCH 09/28] docs(migrations.md): Fix section sequence and some text streamlining --- docs/migrations.md | 52 ++++++++++++++++++++++++---------------------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/docs/migrations.md b/docs/migrations.md index be933382..92c49a78 100644 --- a/docs/migrations.md +++ b/docs/migrations.md 
@@ -10,13 +10,15 @@ SPDX-License-Identifier: Apache-2.0 * [Deprecation warnings](#deprecation-warnings) * [Overview and mandatory upgrade path](#overview-and-mandatory-upgrade-path) * [Manual checks/actions](#manual-checksactions) + * [Versions ≥ v1.10.0](#versions--v1100) + * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100) + * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed) + * [Post-upgrade to versions ≥ v1.10.0](#post-upgrade-to-versions--v1100) + * [New application default: Dovecot full-text search index configuration](#new-application-default-dovecot-full-text-search-index-configuration) * [Versions ≥ v1.9.0](#versions--v190) * [Pre-upgrade to versions ≥ v1.9.0](#pre-upgrade-to-versions--v190) * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases) * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients) - * [Versions ≥ v1.10.0](#versions--v1100) - * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100) - * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed) * [Versions ≥ v1.8.0](#versions--v180) * [Pre-upgrade to versions ≥ v1.8.0](#pre-upgrade-to-versions--v180) * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users) 
@@ -177,13 +179,32 @@ If you would like more details about the automated migrations, please read secti ## Versions ≥ v1.10.0 +### Pre-upgrade to versions ≥ v1.10.0 + +#### New Helmfile default: Nubus provisioning debug container no longer deployed + +**Target group:** All deployments that make use of the debugging container for Nubus' provisioning stack called "nats-box", + +The [nats-box](https://github.com/nats-io/nats-box), a handy tool when it comes to debugging the Nubus provisioning stack, is no longer enabled in openDesk by default. + +To re-enable the nats-box for your deployment you have to set: +``` +technical.nubus.provisioning.nats.natsBox.enabled: true +``` + +> [!note] +> The nats-box also gets enabled when setting `debug.enabled: true`, but that should only be used in non-production scenarios and enabled debug +> accross the whole deployment. + ### Post-upgrade to versions ≥ v1.10.0 -#### Fix: Optimize indexes +#### New application default: Dovecot full-text search index configuration -**Target group:** All openDesk Enterprise deployments. +**Target group:** All openDesk Enterprise deployments using the groupware module. -FTS indexes need to be rebuilt. Run the following command inside the dovecot container: +Due to a configurational change the full-text search indexes of Dovecot Pro need to be rebuilt. + +Run the following command inside the Dovecot container: ```shell set -x; for d in /var/lib/dovecot/*/*; do uuid=$(basename "$d"); [[ $uuid =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]] || continue; doveadm fts rescan -u "$uuid"; doveadm index -u "$uuid" -q '*'; done 
@@ -229,25 +250,6 @@ Additionally, it is now possible to explicitly define the hostnames shown in the If these values are not explicitly set, openDesk will use `.Values.global.domain` as in previous releases. -## Versions ≥ v1.10.0 - -### Pre-upgrade to versions ≥ v1.10.0 - -### New Helmfile default: Nubus provisioning debug container no longer deployed - -**Target group:** All deployments that make use of the debugging container for Nubus' provisioning stack called "nats-box", - -The [nats-box](https://github.com/nats-io/nats-box), a handy tool when it comes to debugging the Nubus provisioning stack, is no longer enabled in openDesk by default. - -To re-enable the nats-box for your deployment you have to set: -``` -technical.nubus.provisioning.nats.natsBox.enabled: true -``` - -> [!note] -> The nats-box also gets enabled when setting `debug.enabled: true`, but that should only be used in non-production scenarios and enabled debug -> accross the whole deployment. - ## Versions ≥ v1.8.0 ### Pre-upgrade to versions ≥ v1.8.0 From 62fae9976a731c00700d56ce8fab198bb2531d20 Mon Sep 17 00:00:00 2001 From: renovate Date: Tue, 18 Nov 2025 04:36:20 +0000 Subject: [PATCH 10/28] fix(openproject): Update from 16.1.0 to 16.1.1 --- README.md | 2 +- helmfile/environments/default/images.yaml.gotmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1e6736b8..1acef6d6 100644 --- a/README.md +++ b/README.md 
@@ -41,7 +41,7 @@ openDesk currently features the following functional main components: | Groupware | OX App Suite | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend) | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/) | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) | | Knowledge management | XWiki | LGPL-2.1-or-later | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) | | Portal & IAM | Nubus | AGPL-3.0-or-later | [1.15.2](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.15.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html) | -| Project management | OpenProject | GPL-3.0-only | [16.6.0](https://www.openproject.org/docs/release-notes/16-6-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) | +| Project management | OpenProject | GPL-3.0-only | [16.6.1](https://www.openproject.org/docs/release-notes/16-6-1/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) | | Videoconferencing | Jitsi | Apache-2.0 | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) | | Weboffice | Collabora | MPL-2.0 | [25.04.6](https://www.collaboraoffice.com/code-25-04-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) | diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index 231626c6..8fa18757 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl 
@@ -762,7 +762,7 @@ images: # upstreamMirrorStartFrom: ["13", "1", "1"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk" - tag: "16.6.0@sha256:11fcbc357a5a4e724bb1164e43a93c713f73e5efb52212d75cfc845becbf64c0" + tag: "16.6.1@sha256:e3eb4ecdff5a94d2d2aaa0eacc9e747306d6ba6a06f308d2d16cc209516dd4e0" openprojectBootstrap: # providerCategory: "Platform" # providerResponsible: "openDesk" From 684c6d4f29dd447872ebe582eef43c04034896f7 Mon Sep 17 00:00:00 2001 From: Philip Gaber Date: Wed, 19 Nov 2025 13:38:25 +0100 Subject: [PATCH 11/28] fix(open-xchange): Template SASL security options --- docs/migrations.md | 130 +++++++++++------- .../values-postfix.yaml.gotmpl | 3 +- .../environments/default/smtp.yaml.gotmpl | 11 ++ 3 files changed, 95 insertions(+), 49 deletions(-) diff --git a/docs/migrations.md b/docs/migrations.md index 92c49a78..31ed2698 100644 --- a/docs/migrations.md +++ b/docs/migrations.md 
@@ -148,20 +148,20 @@ matching that constraint, though our links always point to the newest patch rele > 1. Upgrade to v1.7.1 → post steps for v1.6.0 to v1.7.1 -| Version | Mandatory | Pre-Upgrade | Post-Upgrade | Minimum Required Previous Version | -| ---------------------------------------------------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------- | ---------------------------------------------------- | -| [v1.10.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | [Pre](#pre-upgrade-to-versions--v1100) | -- | ⬇ Install ≥ v1.5.0 first | -| [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | [Pre](#pre-upgrade-to-versions--v190) | -- | ⬇ Install ≥ v1.5.0 first | -| [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0) | -- | [Pre](#pre-upgrade-to-versions--v180) | -- | ⬇ Install ≥ v1.5.0 first | -| [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1) | -- | [Pre](#pre-upgrade-to-versions--v170) | [Post](#post-upgrade-to-versions--v170) | ⬇ Install ≥ v1.5.0 first | +| Version | Mandatory | Pre-Upgrade | Post-Upgrade | Minimum Required Previous Version | +|------------------------------------------------------------------------------------------|-----------|--------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|-----------------------------------------------------| +| [v1.10.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | [Pre](#pre-upgrade-to-versions--v1100) | -- | ⬇ Install ≥ v1.5.0 first | +| [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | 
[Pre](#pre-upgrade-to-versions--v190) | -- | ⬇ Install ≥ v1.5.0 first | +| [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0) | -- | [Pre](#pre-upgrade-to-versions--v180) | -- | ⬇ Install ≥ v1.5.0 first | +| [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1) | -- | [Pre](#pre-upgrade-to-versions--v170) | [Post](#post-upgrade-to-versions--v170) | ⬇ Install ≥ v1.5.0 first | | [v1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.6.0) | -- | [Pre](#pre-upgrade-to-versions--v160) | [Post](#post-upgrade-to-versions--v160) | [⚠ Install v1.5.0 first](#versions--v160-automated) | -| [v1.5.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.5.0) | **yes** | -- | -- | ⬇ Install ≥ v1.1.x first | -| [v1.4.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.4.1) | -- | [Pre](#pre-upgrade-to-versions--v140) | -- | ⬇ Install ≥ v1.1.x first | -| [v1.3.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.3.2) | -- | [Pre](#pre-upgrade-to-versions--v130) | -- | ⬇ Install ≥ v1.1.x first | +| [v1.5.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.5.0) | **yes** | -- | -- | ⬇ Install ≥ v1.1.x first | +| [v1.4.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.4.1) | -- | [Pre](#pre-upgrade-to-versions--v140) | -- | ⬇ Install ≥ v1.1.x first | +| [v1.3.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.3.2) | -- | [Pre](#pre-upgrade-to-versions--v130) | -- | ⬇ Install ≥ v1.1.x first | | [v1.2.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.2.1) | -- | [Pre](#pre-upgrade-to-versions--v120) | -- | [⚠ Install v1.1.x first](#versions--v120-automated) | | [v1.1.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.1.2) | **yes** | [Pre .0](#pre-upgrade-to-versions--v110) → [Pre 
.1](#pre-upgrade-to-versions--v111) → [Pre .2](#pre-upgrade-to-versions--v112) | [Post](#post-upgrade-to-versions--v110) | [⚠ Install v1.0.0 first](#versions--v110-automated) | | [v1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.0.0) | **yes** | [Pre](#pre-upgrade-to-versions--v100) | [Post](#post-upgrade-to-versions--v100) | [⚠ Install v0.9.0 first](#versions--v100-automated) | -| [v0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v0.9.0) | **yes** | -- | -- | -- | +| [v0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v0.9.0) | **yes** | -- | -- | -- | > [!warning] > Be sure to check out the table in the release version you are going to install, and not the currently installed version. @@ -171,15 +171,15 @@ If you would like more details about the automated migrations, please read secti # Manual checks/actions > [!note] -> We **only** use the mathematical symbol ≥ to denote for which versions manual steps must be -> applied. For example, "Versions ≥ v1.7.0" refers to all openDesk versions (major, minor and +> We **only** use the mathematical symbol ≥ to denote for which versions manual steps must be +> applied. For example, "Versions ≥ v1.7.0" refers to all openDesk versions (major, minor and > patch) starting from 1.7.0, e.g. 1.7.0, 1.7.1, 1.8.0, etc. Furthermore, if a version is not explicitly > listed no extra manual steps are required when upgrading to that version, e.g. in the case of an update from > version 1.7.0 to version 1.7.1. -## Versions ≥ v1.10.0 +## Versions ≥ v1.10.0 -### Pre-upgrade to versions ≥ v1.10.0 +### Pre-upgrade to versions ≥ v1.10.0 #### New Helmfile default: Nubus provisioning debug container no longer deployed 
@@ -196,7 +196,41 @@ technical.nubus.provisioning.nats.natsBox.enabled: true > The nats-box also gets enabled when setting `debug.enabled: true`, but that should only be used in non-production scenarios and enabled debug > accross the whole deployment. -### Post-upgrade to versions ≥ v1.10.0 +#### Helmfile fix: New Postfix SMTP SASL security option defaults + +Starting from openDesk v1.9.0, the SMTP SALS security options set within openDesk are aligned with the +recommended defaults. This might break currently working connections with external SMTP relays. + +> [!warning] +> Please check your mail relays supported SASL security options and adjust your deployment accordingly to +> prevent the disruption of mail delivery. + +To fall back to the behavior of openDesk < v1.9.0 (no security options at all) set the following in +`smtp.yaml.gotmpl` + +``` yaml +smtp: + security: + smtpdSASLSecurityOptions: ~ + smtpSASLSecurityOptions: ~ +``` + +To set specific options consult the official Postfix documentation for +[smtpd](https://www.postfix.org/postconf.5.html#smtpd_sasl_security_options) or +[smtp](https://www.postfix.org/postconf.5.html#smtp_sasl_security_options) and set the string options via the +yaml array notation: + +``` yaml +smtp: + security: + smtpdSASLSecurityOptions: + - "noanonymous" + smtpSASLSecurityOptions: + - "noanonymous" + - "noplaintext" +``` + +### Post-upgrade to versions ≥ v1.10.0 #### New application default: Dovecot full-text search index configuration @@ -210,9 +244,9 @@ Run the following command inside the Dovecot container: set -x; for d in /var/lib/dovecot/*/*; do uuid=$(basename "$d"); [[ $uuid =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]] || continue; doveadm fts rescan -u "$uuid"; doveadm index -u "$uuid" -q '*'; done ``` -## Versions ≥ v1.9.0 +## Versions ≥ v1.9.0 -### Pre-upgrade to versions ≥ v1.9.0 +### Pre-upgrade to versions ≥ v1.9.0 #### Helmfile fix: Cassandra passwords read from `databases.*` 
@@ -250,9 +284,9 @@ Additionally, it is now possible to explicitly define the hostnames shown in the If these values are not explicitly set, openDesk will use `.Values.global.domain` as in previous releases. -## Versions ≥ v1.8.0 +## Versions ≥ v1.8.0 -### Pre-upgrade to versions ≥ v1.8.0 +### Pre-upgrade to versions ≥ v1.8.0 #### New application default: Default group for two-factor authentication is now "2FA Users" @@ -407,9 +441,9 @@ Gravatar support is no longer enabled by default in Jitsi and OpenProject. In ca OPENPROJECT_PLUGIN__OPENPROJECT__AVATARS: '{enable_gravatars: true, enable_local_avatars: true}' ``` -## Versions ≥ v1.7.0 +## Versions ≥ v1.7.0 -### Pre-upgrade to versions ≥ v1.7.0 +### Pre-upgrade to versions ≥ v1.7.0 #### Helmfile fix: Ensure enterprise overrides apply when deploying from project root @@ -440,7 +474,7 @@ annotation: notesYProvider: {} ``` -### Post-upgrade to versions ≥ v1.7.0 +### Post-upgrade to versions ≥ v1.7.0 #### Upstream fix: Provisioning of functional mailboxes @@ -467,9 +501,9 @@ kill ${PROVISIONING_PORT_FORWARD_PID} rm ${TEMPORARY_CONSUMER_JSON} ``` -## Versions ≥ v1.6.0 +## Versions ≥ v1.6.0 -### Pre-upgrade to versions ≥ v1.6.0 +### Pre-upgrade to versions ≥ v1.6.0 #### Upstream constraint: Nubus' external secrets @@ -524,7 +558,7 @@ kubectl cp -n ${NAMESPACE} open-xchange-core-mw-default-0:/opt/open-xchange/ox-f 2. Run the upgrade. 3. Continue with the [related post-upgrade steps](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-post-upgrade) -### Post-upgrade to versions ≥ v1.6.0 +### Post-upgrade to versions ≥ v1.6.0 #### OX App Suite fix-up: Using S3 as storage for non mail attachments (post-upgrade) 
@@ -565,9 +599,9 @@ ID Type of Job Status Further Information /opt/open-xchange/sbin/unregisterfilestore -A $MASTER_ADMIN_USER -P $MASTER_ADMIN_PW -i ``` -## Versions ≥ v1.4.0 +## Versions ≥ v1.4.0 -### Pre-upgrade to versions ≥ v1.4.0 +### Pre-upgrade to versions ≥ v1.4.0 #### Helmfile cleanup: `global.additionalMailDomains` as list @@ -591,9 +625,9 @@ global: - "sub2.maildomain.de" ``` -## Versions ≥ v1.3.0 +## Versions ≥ v1.3.0 -### Pre-upgrade to versions ≥ v1.3.0 +### Pre-upgrade to versions ≥ v1.3.0 #### Helmfile new feature: `functional.authentication.ssoFederation` @@ -601,9 +635,9 @@ global: Please ensure to configure your IdP federation config details as part of `functional.authentication.ssoFederation`. You can find more details in the "Example configuration" section of [`idp-federation.md`](./enhanced-configuration/idp-federation.md). -## Versions ≥ v1.2.0 +## Versions ≥ v1.2.0 -### Pre-upgrade to versions ≥ v1.2.0 +### Pre-upgrade to versions ≥ v1.2.0 #### Helmfile cleanup: Do not configure OX provisioning when no OX installed @@ -664,9 +698,9 @@ In case you are planning to migrate an existing instance from MariaDB to Postgre - https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Backup#HUsingtheXWikiExportfeature - https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/ImportExport -## Versions ≥ v1.1.2 +## Versions ≥ v1.1.2 -### Pre-upgrade to versions ≥ v1.1.2 +### Pre-upgrade to versions ≥ v1.1.2 #### Helmfile feature update: App settings wrapped in `apps.` element @@ -695,9 +729,9 @@ apps: enabled: true ``` -## Versions ≥ v1.1.1 +## Versions ≥ v1.1.1 -### Pre-upgrade to versions ≥ v1.1.1 +### Pre-upgrade to versions ≥ v1.1.1 #### Helmfile feature update: Component specific `storageClassName` 
@@ -750,9 +784,9 @@ persistence: A not yet templated secret was discovered in the Nubus deployment. It is now declared in [`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) and can be defined using: `secrets.nubus.masterpassword`. If you define your own secrets, please be sure this new secret is set to the same value as the `MASTER_PASSWORD` environment variable used in your deployment. -## Versions ≥ v1.1.0 +## Versions ≥ v1.1.0 -### Pre-upgrade to versions ≥ v1.1.0 +### Pre-upgrade to versions ≥ v1.1.0 #### Helmfile cleanup: Restructured `/helmfile/files/theme` folder @@ -915,7 +949,7 @@ The update from openDesk v1.0.0 contains Redis 7.4.1, like the other openDesk bu Please ensure the Redis you are using is updated to at least version 7.4 to support the requirement of OX App Suite. -### Post-upgrade to versions ≥ v1.1.0 +### Post-upgrade to versions ≥ v1.1.0 #### XWiki fix-ups @@ -941,9 +975,9 @@ Unfortunately XWiki does not upgrade itself as expected. The bug has been report You should have now a fully functional XWiki instance with single sign-on and full-text search. -## Versions ≥ v1.0.0 +## Versions ≥ v1.0.0 -### Pre-upgrade to versions ≥ v1.0.0 +### Pre-upgrade to versions ≥ v1.0.0 #### Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus @@ -1125,7 +1159,7 @@ The IAM admin account `Administrator` is the only member of this group by defaul If you need other accounts to use the API, please assign them to the aforementioned group. -### Post-upgrade to versions ≥ v1.0.0 +### Post-upgrade to versions ≥ v1.0.0 #### Configuration Improvement: Separate user permission for using Video Conference component 
@@ -1157,33 +1191,33 @@ kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0 # Automated migrations - Details -## Versions ≥ v1.6.0 (automated) +## Versions ≥ v1.6.0 (automated) > [!note] > Details can be found in [run_5.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_5.py). -### Versions ≥ v1.6.0 migrations-post +### Versions ≥ v1.6.0 migrations-post - Automatically restarts the StatefulSets `ums-provisioning-nats` and `ox-connector` due to a workaround applied on the NATS secrets, see the "Notes" segment of the ["Password seed" heading in getting-started.md](./docs/getting-started.md#password-seed) > [!note] > This change aims to prevent authentication failures with NATS in some Pods, which can lead to errors such as: `wait-for-nats Unavailable, waiting 2 seconds. Error: nats: 'Authorization Violation'`. -## Versions ≥ v1.2.0 (automated) +## Versions ≥ v1.2.0 (automated) > [!note] > Details can be found in [run_4.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_4.py). -### Versions ≥ v1.2.0 migrations-pre +### Versions ≥ v1.2.0 migrations-pre - Automatically deletes PVC `group-membership-cache-ums-portal-consumer-0`: With the upgrade the Nubus Portal Consumer no longer requires to be executed with root privileges. The PVC contains files that require root permission to access them, therefore the PVC gets deleted (and re-created) during the upgrade. - Automatically deletes StatefulSet `ums-portal-consumer`: A bug was fixed in the templating of the Portal Consumer's PVC causing the values in `persistence.storages.nubusPortalConsumer.*` to be ignored. As these values are immutable, we had to delete the whole StatefulSet. 
-### Versions ≥ v1.2.0 migrations-post +### Versions ≥ v1.2.0 migrations-post - Automatically restarts the Deployment `ums-provisioning-udm-transformer` and StatefulSet `ums-provisioning-udm-listener` and deletes the Nubus Provisioning consumer `durable_name:incoming` on stream `stream:incoming`: Due to a bug in Nubus 1.7.0 the `incoming` stream was blocked after the upgrade, the aforementioned measures unblock the stream. -## Versions ≥ v1.1.0 (automated) +## Versions ≥ v1.1.0 (automated) With openDesk v1.1.0 the IAM stack supports HA LDAP primary as well as scalable LDAP secondary pods. @@ -1194,7 +1228,7 @@ creating the config map with the mentioned label. > [!note] > Details can be found in [run_3.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py). -## Versions ≥ v1.0.0 (automated) +## Versions ≥ v1.0.0 (automated) The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks. diff --git a/helmfile/apps/services-external/values-postfix.yaml.gotmpl b/helmfile/apps/services-external/values-postfix.yaml.gotmpl index a736bc40..738c8832 100644 --- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl +++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl @@ -80,7 +80,8 @@ postfix: smtpdTLSMandatoryCiphers: "medium" smtpTLSSecurityLevel: "encrypt" smtpdSASLAuthEnable: "yes" - smtpdSASLSecurityOptions: "noanonymous" + smtpdSASLSecurityOptions: {{ .Values.smtp.security.smtpdSASLSecurityOptions | join ", " | quote }} + smtpSASLSecurityOptions: {{ .Values.smtp.security.smtpSASLSecurityOptions | join ", " | quote }} smtpdSASLType: "cyrus" smtpdTLSSecurityLevel: "may" smtpdTLSCertFile: "/etc/tls/tls.crt" diff --git a/helmfile/environments/default/smtp.yaml.gotmpl b/helmfile/environments/default/smtp.yaml.gotmpl index c6de1b8e..f4d7181b 100644 --- a/helmfile/environments/default/smtp.yaml.gotmpl 
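Review bot: The templated `smtpdSASLSecurityOptions` line has no lower bound: the old line hard-coded `"noanonymous"`, while `join ", "` over a null or empty `.Values.smtp.security.smtpdSASLSecurityOptions` renders an empty string. A deployment that clears the value, as the migration note in this patch shows with `~`, would therefore presumably run the server side with no SASL restrictions. How the chart consumes the string is not visible here. The relay-compatibility problem concerns only the client-side `smtpSASLSecurityOptions`, so the server-side line could keep the previous minimum: `smtpdSASLSecurityOptions: {{ .Values.smtp.security.smtpdSASLSecurityOptions | default (list "noanonymous") | join ", " | quote }}`. The same two lines are added to `helmfile/apps/open-xchange/values-postfix.yaml.gotmpl` in the `@@ -68,7 +68,8 @@` hunk of the following patch.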
+++ b/helmfile/environments/default/smtp.yaml.gotmpl @@ -20,4 +20,15 @@ smtp: key: "" selector: "rsa" useED25519: false + + security: + # Postfix defaults + # Ref.: https://www.postfix.org/postconf.5.html#smtpd_sasl_security_options + smtpdSASLSecurityOptions: + - "noanonymous" + # Postfix defaults + # Ref.: https://www.postfix.org/postconf.5.html#smtp_sasl_security_options + smtpSASLSecurityOptions: + - "noanonymous" + - "noplaintext" ... From cc94f0c66df098d0a20f7f0d4a6af5e791557981 Mon Sep 17 00:00:00 2001 From: Thomas Kaltenbrunner Date: Thu, 6 Nov 2025 09:41:09 +0100 Subject: [PATCH 12/28] feat(open-xchange): Support for LDAP group based mailing lists --- .../open-xchange/values-postfix.yaml.gotmpl | 22 ++++++++++++++++++- .../values-postfix.yaml.gotmpl | 19 ++++++++++++++++ .../environments/default/charts.yaml.gotmpl | 2 +- .../environments/default/images.yaml.gotmpl | 2 +- .../environments/default/secrets.yaml.gotmpl | 1 + 5 files changed, 43 insertions(+), 3 deletions(-) diff --git a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl index e67364f4..16b4c76f 100644 --- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl @@ -68,7 +68,8 @@ postfix: allowRelayNets: false smtpTLSSecurityLevel: "encrypt" smtpdSASLAuthEnable: "yes" - smtpdSASLSecurityOptions: "noanonymous" + smtpdSASLSecurityOptions: {{ .Values.smtp.security.smtpdSASLSecurityOptions | join ", " | quote }} + smtpSASLSecurityOptions: {{ .Values.smtp.security.smtpSASLSecurityOptions | join ", " | quote }} smtpdSASLType: "dovecot" smtpdTLSSecurityLevel: "encrypt" smtpdTLSCertFile: "/etc/tls/tls.crt" 
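Review bot: The comments on the new `security` defaults in `smtp.yaml.gotmpl` say only "Postfix defaults", which does not tell an operator which direction each list governs or what clearing it does. Above `smtpdSASLSecurityOptions` I would add `# Server side (clients authenticating to openDesk); an empty list also drops "noanonymous"`. Above `smtpSASLSecurityOptions` I would add `# Client side (openDesk authenticating to the relay); relax only if the relay offers no non-plaintext mechanism`. The effect of an empty list is inferred from the `join ", " | quote` templates that consume these values, so confirm it against the chart.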
@@ -78,6 +79,25 @@ postfix: staticAuthDB: enabled: false + ldapTransportMaps: [] + + ldapVirtualAliasMaps: + - host: "ums-ldap-server" + scheme: "ldap" + port: 389 + baseDn: "{{ .Values.ldap.baseDn }}" + bindDn: "uid=ldapsearch_postfix,cn=users,{{ .Values.ldap.baseDn }}" + password: + value: {{ .Values.secrets.nubus.ldapSearch.postfix | quote }} + # ldap filter to find groups with mail address + queryFilter: "(&(|(objectClass=univentionMailList)(objectClass=posixGroup))(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)))" + # -- use this attribute if the query already returns email addresses of members and no recursive lookup needs to be done + resultAttribute: "" + # -- do a recursive search on the specified attribute if found, should be a DN + specialResultAttribute: "uniqueMember" + # -- return the following attribute from all found leaves when a recursive search is done + leafResultAttribute: "mailPrimaryAddress" + {{- if .Values.antivirus.milter.host }} smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}" {{- else }} diff --git a/helmfile/apps/services-external/values-postfix.yaml.gotmpl b/helmfile/apps/services-external/values-postfix.yaml.gotmpl index 738c8832..430d3187 100644 --- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl +++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl 
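Review bot: The new `ldapVirtualAliasMaps` entry binds as `uid=ldapsearch_postfix` with `scheme: "ldap"` and `port: 389`, so the bind password and the membership lookups travel unencrypted unless the chart adds transport protection that this hunk does not show. If the chart and `ums-ldap-server` support a TLS-protected scheme, use it here; otherwise make the choice explicit with a comment such as `# plain LDAP inside the cluster; confidentiality relies on network policy`. The `queryFilter` also matches every `posixGroup` that carries a mail address, so a one-line comment stating where posting to such groups is restricted would help the next reviewer. The identical block is added to `helmfile/apps/services-external/values-postfix.yaml.gotmpl` in the `@@ -95,6 +95,25 @@` hunk. The enclosing `postfix:` mapping starts and ends outside both hunks.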
@@ -95,6 +95,25 @@ postfix: password: value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }} + ldapTransportMaps: [] + + ldapVirtualAliasMaps: + - host: "ums-ldap-server" + scheme: "ldap" + port: 389 + baseDn: "{{ .Values.ldap.baseDn }}" + bindDn: "uid=ldapsearch_postfix,cn=users,{{ .Values.ldap.baseDn }}" + password: + value: {{ .Values.secrets.nubus.ldapSearch.postfix | quote }} + # ldap filter to find groups with mail address + queryFilter: "(&(|(objectClass=univentionMailList)(objectClass=posixGroup))(|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)))" + # -- use this attribute if the query already returns email addresses of members and no recursive lookup needs to be done + resultAttribute: "" + # -- do a recursive search on the specified attribute if found, should be a DN + specialResultAttribute: "uniqueMember" + # -- return the following attribute from all found leaves when a recursive search is done + leafResultAttribute: "mailPrimaryAddress" + {{- if .Values.antivirus.milter.host }} smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}" {{- else }} diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index 86c56ca8..9e2c16d3 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -437,7 +437,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix" name: "postfix" - version: "5.0.1" + version: "5.0.2" verify: true postgresql: # providerCategory: "Platform" diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index 8fa18757..6e730887 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl 
@@ -914,7 +914,7 @@ images: # upstreamRepository: "bmi/opendesk/components/platform-development/images/postfix" registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/images/postfix" - tag: "3.0.3@sha256:12bcebf57ddb53258c48eaa60e9c25b441f4319ee1b94b363c652ad0a992a875" + tag: "3.0.4@sha256:5b17c801283215b13e8305b0be1497d70c232e8ea8414f965cd1010333ae95ab" postfixBootstrap: # providerCategory: "Community" # providerResponsible: "openDesk" diff --git a/helmfile/environments/default/secrets.yaml.gotmpl b/helmfile/environments/default/secrets.yaml.gotmpl index 7d19de1d..f21617fe 100644 --- a/helmfile/environments/default/secrets.yaml.gotmpl +++ b/helmfile/environments/default/secrets.yaml.gotmpl @@ -32,6 +32,7 @@ secrets: dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_dovecot" | sha1sum | quote }} element: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_element" | sha1sum | quote }} ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_ox" | sha1sum | quote }} + postfix: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_postfix" | sha1sum | quote }} openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_openproject" | sha1sum | quote }} xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_xwiki" | sha1sum | quote }} systemAccounts: From 70bbbf311fcba57c31f535be7d0d453f4a945cee Mon Sep 17 00:00:00 2001 
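Review bot: In the `secrets.yaml.gotmpl` hunk, the new `postfix:` entry derives the `ldapsearch_postfix` bind password from `env "MASTER_PASSWORD" | default "sovereign-workplace"`, so a deployment started without `MASTER_PASSWORD` gets a credential that anyone can recompute from this public file. The line follows the pattern of its neighbours, but it adds another LDAP read account (group membership and mail addresses) to that fallback. As a follow-up for the whole block, consider Helmfile's `requiredEnv "MASTER_PASSWORD"` in place of `env … | default …`. At minimum, add a comment above the block: `# WARNING: without MASTER_PASSWORD these values derive from a publicly known default`.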
From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Thu, 20 Nov 2025 08:26:16 +0100 Subject: [PATCH 13/28] fix(open-xchange): Only enable `smtpSASLAuthEnable` when `relayHost` is set --- helmfile/apps/open-xchange/values-postfix.yaml.gotmpl | 2 ++ helmfile/apps/services-external/values-postfix.yaml.gotmpl | 2 ++ 2 files changed, 4 insertions(+) diff --git a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl index 16b4c76f..8fcbe508 100644 --- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl +++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl @@ -64,6 +64,8 @@ postfix: password: value: {{ .Values.smtp.password }} smtpSASLAuthEnable: "yes" + {{- else }} + smtpSASLAuthEnable: "no" {{- end }} allowRelayNets: false smtpTLSSecurityLevel: "encrypt" diff --git a/helmfile/apps/services-external/values-postfix.yaml.gotmpl b/helmfile/apps/services-external/values-postfix.yaml.gotmpl index 430d3187..c22c28fb 100644 --- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl +++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl @@ -72,6 +72,8 @@ postfix: password: value: {{ .Values.smtp.password }} smtpSASLAuthEnable: "yes" + {{- else }} + smtpSASLAuthEnable: "no" {{- end }} # Warning: This setting allows unauthenticated mail relay from relayNets! allowRelayNets: true From e37361790bd79f835345a35f0ff30b3a463fbfe1 Mon Sep 17 00:00:00 2001 From: Philip Gaber Date: Thu, 20 Nov 2025 08:56:25 +0100 Subject: [PATCH 14/28] docs(migrations.md): Update for Postfix SASL security options in v1.9.0 and new Postfix secret --- docs/migrations.md | 42 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 38 insertions(+), 4 deletions(-) diff --git a/docs/migrations.md b/docs/migrations.md index 31ed2698..1da7fa2b 100644 --- a/docs/migrations.md +++ b/docs/migrations.md 
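Review bot: In both `@@ -64,6 +64,8 @@` hunks the context line `value: {{ .Values.smtp.password }}` renders the relay password unquoted, directly above the branch this commit changes. A password containing ` #`, `: ` or a leading YAML indicator would be truncated or break rendering, whereas the other secrets in these two files go through `| quote`. Since the block is being touched anyway, `value: {{ .Values.smtp.password | quote }}` would bring it in line. The `if` that opens this branch lies outside the hunks, so the `relayHost` condition named in the commit title cannot be checked from here.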
@@ -12,11 +12,14 @@ SPDX-License-Identifier: Apache-2.0 * [Manual checks/actions](#manual-checksactions) * [Versions ≥ v1.10.0](#versions--v1100) * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100) + * [Helmfile new secret: `secrets.nubus.ldapSearch.postfix`](#helmfile-new-secret-secretsnubusldapsearchpostfix) * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed) + * [New Helmfile default: Postfix SMTP SASL security options](#new-helmfile-default-postfix-smtp-sasl-security-options) * [Post-upgrade to versions ≥ v1.10.0](#post-upgrade-to-versions--v1100) * [New application default: Dovecot full-text search index configuration](#new-application-default-dovecot-full-text-search-index-configuration) * [Versions ≥ v1.9.0](#versions--v190) * [Pre-upgrade to versions ≥ v1.9.0](#pre-upgrade-to-versions--v190) + * [New application default: Postfix SMTP SASL security option](#new-application-default-postfix-smtp-sasl-security-option) * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases) * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients) * [Versions ≥ v1.8.0](#versions--v180) 
@@ -181,6 +184,17 @@ If you would like more details about the automated migrations, please read secti ### Pre-upgrade to versions ≥ v1.10.0 +#### Helmfile new secret: `secrets.nubus.ldapSearch.postfix` + +**Target group:** All existing deployments that use self-defined secrets. + +The updated Postfix configuration supporting LDAP group based mailing list requires a new secret that is +declared in [`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key +`secrets.nubus.ldapSearch.postfix`. + +If you define your own secrets, please ensure that you provide a value for this secret, otherwise it will +be derived from the `MASTER_PASSWORD`. + #### New Helmfile default: Nubus provisioning debug container no longer deployed **Target group:** All deployments that make use of the debugging container for Nubus' provisioning stack called "nats-box", 
@@ -188,17 +202,25 @@ If you would like more details about the automated migrations, please read secti The [nats-box](https://github.com/nats-io/nats-box), a handy tool when it comes to debugging the Nubus provisioning stack, is no longer enabled in openDesk by default. To re-enable the nats-box for your deployment you have to set: -``` -technical.nubus.provisioning.nats.natsBox.enabled: true +```yaml +technical: + nubus: + provisioning: + nats: + natsBox: + enabled: true ``` > [!note] > The nats-box also gets enabled when setting `debug.enabled: true`, but that should only be used in non-production scenarios and enabled debug > accross the whole deployment. -#### Helmfile fix: New Postfix SMTP SASL security option defaults +#### New Helmfile default: Postfix SMTP SASL security options -Starting from openDesk v1.9.0, the SMTP SALS security options set within openDesk are aligned with the +**Target group:** All openDesk deployments using an external SMTP relay that does not support +[Postfix's default `smtpSASLSecurityOptions`](https://www.postfix.org/postconf.5.html#smtp_sasl_security_options). + +Starting from openDesk v1.9.0, the SMTP SASL security options set within openDesk are aligned with the recommended defaults. This might break currently working connections with external SMTP relays. > [!warning] 
@@ -248,6 +270,18 @@ set -x; for d in /var/lib/dovecot/*/*; do uuid=$(basename "$d"); [[ $uuid =~ ^[0 ### Pre-upgrade to versions ≥ v1.9.0 +#### New application default: Postfix SMTP SASL security option + +**Target group:** All openDesk deployments using an external SMTP relay that does not support +[Postfix's default `smtpSASLSecurityOptions`](https://www.postfix.org/postconf.5.html#smtp_sasl_security_options). + +Starting from openDesk v1.9.0, the SMTP SASL security options set within openDesk are aligned with the +recommended defaults. This might break currently working connections with external SMTP relays. To prevent +this you have to configure the supported options for your mail relay one of the following ways: + +- Recommended: Directly upgrade to v1.10.0 and set SMTP SASL options through `smtp.security.*`. +- Configure a customization for `smtpSASLSecurityOptions`. + #### Helmfile fix: Cassandra passwords read from `databases.*` **Target group:** All of the below must apply to your deployment: From cb367775a66c1d5af346265a04320e72ed593bd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Mon, 10 Nov 2025 14:05:43 +0100 Subject: [PATCH 15/28] docs(gettings-started.md): [#184] Add a comment about the maximum length of the openDesk domain --- docs/getting-started.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/getting-started.md b/docs/getting-started.md index 0f576260..ac2fc220 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -77,6 +77,8 @@ For your convenience, we recommend creating a `*.domain.tld` A-Record for your c ## Domain +As example base domain for your deployment we use `domain.tld` in this document. + A list of all subdomains can be found in `helmfile/environments/default/global.yaml.gotmpl`. All subdomains can be customized. For example, _Nextcloud_ can be changed to `files.domain.tld` in `dev` environment: 
@@ -100,6 +102,11 @@ or alternatively via environment variable: export DOMAIN=domain.tld ``` +> [!warning] +> Due to a limitation caused by a [bug in the SSSD subcomponent](https://github.com/SSSD/sssd/issues/7246), there +> is an upper bound on the total domain length used by openDesk. To avoid issues, we recommend keeping the openDesk +> base domain length below 94 characters. + ### Apps Depending on your ideal openDesk deployment, you may wish to disable or enable certain apps. From bdcfb977e06e9f5417c0548ae8918857b5255d09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Mon, 10 Nov 2025 14:06:54 +0100 Subject: [PATCH 16/28] docs(migrations.md): Add v1.10.0 section to overview table --- docs/migrations.md | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/docs/migrations.md b/docs/migrations.md index 1da7fa2b..12ecd333 100644 --- a/docs/migrations.md +++ b/docs/migrations.md @@ -13,6 +13,7 @@ SPDX-License-Identifier: Apache-2.0 * [Versions ≥ v1.10.0](#versions--v1100) * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100) * [Helmfile new secret: `secrets.nubus.ldapSearch.postfix`](#helmfile-new-secret-secretsnubusldapsearchpostfix) + * [Helmfile new secret: `secrets.doveocot.sharedMailboxesMasterPassword`](#helmfile-new-secret-secretsdoveocotsharedmailboxesmasterpassword) * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed) * [New Helmfile default: Postfix SMTP SASL security options](#new-helmfile-default-postfix-smtp-sasl-security-options) * [Post-upgrade to versions ≥ v1.10.0](#post-upgrade-to-versions--v1100) 
@@ -151,20 +152,20 @@ matching that constraint, though our links always point to the newest patch rele > 1. Upgrade to v1.7.1 → post steps for v1.6.0 to v1.7.1 -| Version | Mandatory | Pre-Upgrade | Post-Upgrade | Minimum Required Previous Version | -|------------------------------------------------------------------------------------------|-----------|--------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|-----------------------------------------------------| -| [v1.10.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | [Pre](#pre-upgrade-to-versions--v1100) | -- | ⬇ Install ≥ v1.5.0 first | -| [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | [Pre](#pre-upgrade-to-versions--v190) | -- | ⬇ Install ≥ v1.5.0 first | -| [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0) | -- | [Pre](#pre-upgrade-to-versions--v180) | -- | ⬇ Install ≥ v1.5.0 first | -| [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1) | -- | [Pre](#pre-upgrade-to-versions--v170) | [Post](#post-upgrade-to-versions--v170) | ⬇ Install ≥ v1.5.0 first | -| [v1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.6.0) | -- | [Pre](#pre-upgrade-to-versions--v160) | [Post](#post-upgrade-to-versions--v160) | [⚠ Install v1.5.0 first](#versions--v160-automated) | -| [v1.5.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.5.0) | **yes** | -- | -- | ⬇ Install ≥ v1.1.x first | -| [v1.4.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.4.1) | -- | [Pre](#pre-upgrade-to-versions--v140) | -- | ⬇ Install ≥ v1.1.x first | -| [v1.3.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.3.2) | -- | [Pre](#pre-upgrade-to-versions--v130) | -- | ⬇ Install ≥ 
v1.1.x first | -| [v1.2.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.2.1) | -- | [Pre](#pre-upgrade-to-versions--v120) | -- | [⚠ Install v1.1.x first](#versions--v120-automated) | -| [v1.1.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.1.2) | **yes** | [Pre .0](#pre-upgrade-to-versions--v110) → [Pre .1](#pre-upgrade-to-versions--v111) → [Pre .2](#pre-upgrade-to-versions--v112) | [Post](#post-upgrade-to-versions--v110) | [⚠ Install v1.0.0 first](#versions--v110-automated) | -| [v1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.0.0) | **yes** | [Pre](#pre-upgrade-to-versions--v100) | [Post](#post-upgrade-to-versions--v100) | [⚠ Install v0.9.0 first](#versions--v100-automated) | -| [v0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v0.9.0) | **yes** | -- | -- | -- | +| Version | Mandatory | Pre-Upgrade | Post-Upgrade | Minimum Required Previous Version | +| ---------------------------------------------------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------- | ---------------------------------------------------- | +| [v1.10.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | [Pre](#pre-upgrade-to-versions--v1100) | [Post](#post-upgrade-to-versions--v1100) | ⬇ Install ≥ v1.5.0 first | +| [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | -- | [Pre](#pre-upgrade-to-versions--v190) | -- | ⬇ Install ≥ v1.5.0 first | +| [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0) | -- | [Pre](#pre-upgrade-to-versions--v180) | -- | ⬇ Install ≥ v1.5.0 first | +| [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1) | -- | 
[Pre](#pre-upgrade-to-versions--v170) | [Post](#post-upgrade-to-versions--v170) | ⬇ Install ≥ v1.5.0 first | +| [v1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.6.0) | -- | [Pre](#pre-upgrade-to-versions--v160) | [Post](#post-upgrade-to-versions--v160) | [⚠ Install v1.5.0 first](#versions--v160-automated) | +| [v1.5.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.5.0) | **yes** | -- | -- | ⬇ Install ≥ v1.1.x first | +| [v1.4.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.4.1) | -- | [Pre](#pre-upgrade-to-versions--v140) | -- | ⬇ Install ≥ v1.1.x first | +| [v1.3.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.3.2) | -- | [Pre](#pre-upgrade-to-versions--v130) | -- | ⬇ Install ≥ v1.1.x first | +| [v1.2.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.2.1) | -- | [Pre](#pre-upgrade-to-versions--v120) | -- | [⚠ Install v1.1.x first](#versions--v120-automated) | +| [v1.1.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.1.2) | **yes** | [Pre .0](#pre-upgrade-to-versions--v110) → [Pre .1](#pre-upgrade-to-versions--v111) → [Pre .2](#pre-upgrade-to-versions--v112) | [Post](#post-upgrade-to-versions--v110) | [⚠ Install v1.0.0 first](#versions--v110-automated) | +| [v1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.0.0) | **yes** | [Pre](#pre-upgrade-to-versions--v100) | [Post](#post-upgrade-to-versions--v100) | [⚠ Install v0.9.0 first](#versions--v100-automated) | +| [v0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v0.9.0) | **yes** | -- | -- | -- | > [!warning] > Be sure to check out the table in the release version you are going to install, and not the currently installed version. 
@@ -195,6 +196,15 @@ declared in [`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yam If you define your own secrets, please ensure that you provide a value for this secret, otherwise it will be derived from the `MASTER_PASSWORD`. +#### Helmfile new secret: `secrets.doveocot.sharedMailboxesMasterPassword` + +**Target group:** All existing deployments that have OX App Suite enabled and that use self-defined secrets. + +The revised Dovecot configuration requires a new secret that is declared in +[`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key `secrets.doveocot.sharedMailboxesMasterPassword`. + +If you define your own secrets, please ensure that you provide a value for this secret, otherwise the aforementioned secret will be derived from the `MASTER_PASSWORD`. + #### New Helmfile default: Nubus provisioning debug container no longer deployed **Target group:** All deployments that make use of the debugging container for Nubus' provisioning stack called "nats-box", From b5a76bea57ef7b136c54d1bc95c40f0a0c3f9716 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Wed, 12 Nov 2025 15:28:14 +0100 Subject: [PATCH 17/28] fix(opendesk-static-files): [#260] Fix doublette creation of configmap `data` keys when the same file is referenced multiple times for a component --- helmfile/environments/default/charts.yaml.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index 9e2c16d3..df71fb48 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -361,7 +361,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-static-files" name: "opendesk-static-files" - version: "4.1.0" + version: "4.1.1" verify: true openproject: # providerCategory: "Supplier" 
From 9387168e898c27a6bc6edae34f60b4968ac06b09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Fri, 14 Nov 2025 14:02:16 +0100 Subject: [PATCH 18/28] docs(data-storage.md): Streamline with current application state --- docs/data-storage.md | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/docs/data-storage.md b/docs/data-storage.md index 29906ecf..40067b70 100644 --- a/docs/data-storage.md +++ b/docs/data-storage.md @@ -31,8 +31,6 @@ sankey-beta ClamAV,PersistentVolume,1 -Dovecot,PersistentVolume,1 - Element/Synapse,PostgreSQL,1 Element/Synapse,PersistentVolume,1 @@ -54,9 +52,15 @@ OpenProject,S3,1 OpenProject,PersistentVolume,1 OpenProject,Memcached,1 -Open-Xchange,MariaDB,1 -Open-Xchange,PersistentVolume,1 -Open-Xchange,Redis,1 +OX App Suite,MariaDB,1 +OX App Suite,Redis,1 +OX App Suite,S3,1 + +OX Connector,PersistentVolume,1 + +OX Dovecot,Cassandra,1 +OX Dovecot,PersistentVolume,1 +OX Dovecot,S3,1 Postfix,PersistentVolume,1 
@@ -70,7 +74,7 @@ XWiki,PersistentVolume,1 | -------------------- | ------------ | -------- | --------------------------------------------------------------------------------- | ---------------------------------------------- | --------------------------------------------------------------------------------------------------------- | | **ClamAV** | PVC | No | ClamAV Database | `clamav-database-clamav-simple-0` | `/var/lib/clamav` | | **Dovecot** | PVC | Yes | openDesk CE only: User mail directories | `dovecot` | `/srv/mail` | -| | PVC | No | openDesk EE only: Metacache directory | `var-lib-dovecot-dovecot-0` | `/var/lib/dovecot` | +| | PVC | Yes | openDesk EE only: Metacache directory | `var-lib-dovecot-dovecot-0` | `/var/lib/dovecot` | | | S3 | Yes | openDesk EE only: User mail | `dovecot` | `dovecot` | | | Cassandra | Yes | openDesk EE only: Metadata and ACLs | `dovecot_dictmap`, `dovecot_acl` | | | **Element/Synapse** | PostgreSQL | Yes | Application's main database | `matrix` | | @@ -85,8 +89,8 @@ XWiki,PersistentVolume,1 | | | Yes | Login actions and device-fingerprints | `keycloak_extensions` | | | | | Optional | Store of the temporary password reset token | `selfservice` | | | | | Optional | OIDC session storage | `umsAuthSession` | | -| | | No | Notification features are not used in openDesk 1.1 | `notificationsapi` | | -| | | No | Guardian features are currently not used in openDesk 1.1 | `guardianmanagementapi` | | +| | | No | At the moment the notification feature not enabled in openDesk | `notificationsapi` | | +| | | No | At the moment the Guardian features are currently not enabled in openDesk | `guardianmanagementapi` | | | | S3 | No | Static files for Portal | `ums` | | | | PVC | Yes | openLDAP database (primary R/W Pods), when restore select the one from the leader | `shared-data-ums-ldap-server-primary-0` | `/var/lib/univention-ldap` | | | | Yes | openLDAP process data | `shared-run-ums-ldap-server-primary-0` | `/var/run/slapd` | 
@@ -101,13 +105,17 @@ XWiki,PersistentVolume,1 | | Memcached | No | Cache | | | | | PVC | No | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs | `openproject--*-tmp` | `/tmp` | | | | No | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs | `openproject--app-*-tmp` | `/app/tmp` | -| **Open-Xchange** | MariaDB | Yes | Application's control database to coordiate dynamically created ones | `configdb` | | +| **OX App Suite** | MariaDB | Yes | Application's control database to coordiate dynamically created ones | `configdb` | | | | | Yes | Dynamically creates databases of schema `PRIMARYDB_n`containing multiple contexts | `PRIMARYDB_*` | | | | | Yes | OX Guard related settings | `oxguard*` | | | | S3 | Yes | Attachments of meetings, contacts and tasks | `openxchange` | | | | Redis | Optional | Cache, session related data, distributed maps | | | -| | PVC | Optional | OX Connector: Caching of OX object data | for backup | `/var/lib/univention-appcenter/apps/ox-connector` | +| **OX Connector** | PVC | Optional | OX Connector: Caching of OX object data | for backup | `/var/lib/univention-appcenter/apps/ox-connector` | | | | Yes | OX Connector: OX SOAP API credentials | `ox-connector-ox-contexts-ox-connector-0` | `/etc/ox-secrets` | +| **OX Dovecot** | PVC | Yes | openDesk CE only: User mail directories | `dovecot` | `/srv/mail` | +| | PVC | Yes | openDesk EE only: Various meta data and caches | `var-lib-dovecot` | `/var/lib/dovecot` | +| | S3 | Yes | Dovecot Pro/openDesk EE only: User mail | `dovecot` | `dovecot` | +| | Cassandra | Yes | Dovecot Pro/openDesk EE only: Metadata and ACLs | `dovecot_dictmap`, `dovecot_acl` | | | **Postfix** | PVC | Yes | Mail spool | `postfix` | `/var/spool/postfix` | | **XWiki** | PostgreSQL | Yes | Application's main database | `xwiki` | | | | PVC | Yes | Attachments | `xwiki-data-xwiki-0` | `/usr/local/xwiki/data` | From ec72602cdd3207f73ff806a26bfe7b9fd32b8634 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Fri, 14 Nov 2025 16:05:24 +0100 Subject: [PATCH 19/28] fix(external-services): Create `nubus_authsession` database --- .../apps/services-external/values-postgresql.yaml.gotmpl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/helmfile/apps/services-external/values-postgresql.yaml.gotmpl b/helmfile/apps/services-external/values-postgresql.yaml.gotmpl index 1e4c59e3..cc11c8a9 100644 --- a/helmfile/apps/services-external/values-postgresql.yaml.gotmpl +++ b/helmfile/apps/services-external/values-postgresql.yaml.gotmpl @@ -67,6 +67,9 @@ job: - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }} password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }} connectionLimit: {{ .Values.databases.umsGuardianManagementApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }} + - username: {{ .Values.databases.umsAuthSession.username | quote }} + password: {{ .Values.secrets.postgresql.umsAuthSessionUser | quote }} + connectionLimit: {{ .Values.databases.umsAuthSession.connectionLimit | default .Values.databases.defaults.userConnectionLimit }} - username: {{ .Values.databases.umsSelfservice.username | quote }} password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }} connectionLimit: {{ .Values.databases.umsSelfservice.connectionLimit | default .Values.databases.defaults.userConnectionLimit }} 
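Review bot: The new `umsAuthSession` role takes its password from `.Values.secrets.postgresql.umsAuthSessionUser`, a key this patch neither defines nor documents, and the `@@ -96,6 +99,8 @@` hunk below depends on `.Values.databases.umsAuthSession.*` in the same way. If an operator who maintains their own secrets file lacks that key, the `| quote` pipeline probably renders an empty value instead of failing, so the role could be created without a usable password; I have not confirmed how Helmfile treats the missing key here. Consider failing early with `password: {{ .Values.secrets.postgresql.umsAuthSessionUser | required "secrets.postgresql.umsAuthSessionUser must be set" | quote }}`. If the key is new for operators, it also needs a migrations.md entry like the ones this series adds for other secrets. The neighbouring entries follow the same unguarded pattern, so the guard is worth applying to the whole list rather than this entry alone.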
@@ -96,6 +99,8 @@ job: user: {{ .Values.databases.umsGuardianManagementApi.username | quote }} - name: {{ .Values.databases.umsNotificationsApi.name | quote }} user: {{ .Values.databases.umsNotificationsApi.username | quote }} + - name: {{ .Values.databases.umsAuthSession.name | quote }} + user: {{ .Values.databases.umsAuthSession.username | quote }} - name: {{ .Values.databases.umsSelfservice.name | quote }} user: {{ .Values.databases.umsSelfservice.username | quote }} {{ if or (eq .Values.databases.nextcloud.type "postgresql") (eq .Values.databases.nextcloud.type "psql") }} From 080073119bb65f41718e5b14bc03108909353c99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Mon, 17 Nov 2025 08:44:08 +0100 Subject: [PATCH 20/28] docs(README-EE.md): Add link to COOL Controller release notes --- README-EE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-EE.md b/README-EE.md index 66d60515..0f2d5877 100644 --- a/README-EE.md +++ b/README-EE.md 
@@ -86,7 +86,7 @@ When a repository path starts with `/zendis`, the artifact is only available in ### Collabora - Collabora Online (COOL) container image: Is build from the same public source code as Collabora Development Edition (CODE), only the build configurations might differ. COOL includes a brand package that is not public and its license is not open source. -- COOL Controller container image and Helm chart: Source code and chart are using Mozilla Public License Version 2.0, but the source code is not public. It is provided to customers upon request. +- [COOL Controller](https://www.collaboraonline.com/cool-controller-release-notes/) container image and Helm chart: Source code and chart are using Mozilla Public License Version 2.0, but the source code is not public. It is provided to customers upon request. openDesk updates Collabora once a COOL image based on the version pattern `...3+.` was made available. This happens usually at the same time the CODE image with `...2+.` is made available. From a83ecd5c011600893b7c0412ad6462b02481f23b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Tue, 18 Nov 2025 09:40:04 +0100 Subject: [PATCH 21/28] docs(gitops.md): [#206] Add warning about secrets in pre-rendered yaml files --- .gitlab-ci.yml | 2 +- docs/enhanced-configuration/gitops.md | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f36c6be4..ac0b31e4 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -4,7 +4,7 @@ --- include: - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}" - ref: "v2.4.10" + ref: "v2.4.17" file: - "ci/common/lint.yml" - "ci/release-automation/semantic-release.yml" diff --git a/docs/enhanced-configuration/gitops.md b/docs/enhanced-configuration/gitops.md index cc52aa92..33813950 100644 --- a/docs/enhanced-configuration/gitops.md +++ b/docs/enhanced-configuration/gitops.md 
@@ -31,6 +31,11 @@ There are two options to deploy openDesk via Argo CD described in the following ## Option 1: Use YAML manifests +> [!warning] +> Pre-rendering the YAML files will also embed all referenced secrets into the resulting outputs. +> You must ensure that these files are accessible solely to individuals who are expressly authorized +> to view the corresponding secrets, as well as the infrastructure and data protected by them. + This option requires a preprocessing step before using Argo CD. This step requires you to compile the Helmfile based deployment into Kubernetes YAML manifest, to do so you need to execute the helmfile binary: From 51047936de102c610adc00f4dff12d2eb8e945b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Tue, 18 Nov 2025 16:06:54 +0100 Subject: [PATCH 22/28] fix(helmfile): Enable verification for XWiki Helm chart --- helmfile/environments/default/charts.yaml.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index df71fb48..c8630463 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -536,5 +536,5 @@ charts: repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror" name: "xwiki" version: "1.4.4" - verify: false + verify: true ... From 7032205acfeafa45b52997820c6a9a645e8d20b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Wed, 19 Nov 2025 08:58:17 +0100 Subject: [PATCH 23/28] docs(security.md): Update non-verifiable charts table --- docs/security.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/security.md b/docs/security.md index 3dd47fbb..40b356c4 100644 --- a/docs/security.md +++ b/docs/security.md 
@@ -21,9 +21,10 @@ For more details on Chart validation, please visit: https://helm.sh/docs/topics/ All charts except the ones mentioned below are verifiable: -| Repository | Verifiable | -|-------------------|:----------:| -| open-xchange-repo | no | +| Repository | Verifiable | +| ------------------------- | :--------: | +| collabora-controller-repo | no | +| open-xchange-repo | no | # Kubernetes security enforcements From e0a6850a2d504b43c5a93ffd0bc6a58db38753f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Wed, 19 Nov 2025 13:28:39 +0100 Subject: [PATCH 24/28] docs(global.yaml.gotmpl): Fix misleading comment for `additionalMailDomains` --- helmfile/environments/default/global.yaml.gotmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helmfile/environments/default/global.yaml.gotmpl b/helmfile/environments/default/global.yaml.gotmpl index 5c6a6ca9..63204fe8 100644 --- a/helmfile/environments/default/global.yaml.gotmpl +++ b/helmfile/environments/default/global.yaml.gotmpl @@ -15,7 +15,7 @@ global: # mailDomain: {{ env "MAIL_DOMAIN" | quote }} - ## Define additional mail domains, comma separated, e.g. domain1.de,domain2.de + ## Optional list of additional mail domains # additionalMailDomains: [] From 0ab9979693c5bba70b58ed0a45dbdff6bd301c88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Wed, 19 Nov 2025 16:30:26 +0100 Subject: [PATCH 25/28] docs(gettings-started.md): Update section "Access deployment" --- docs/getting-started.md | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/docs/getting-started.md b/docs/getting-started.md index ac2fc220..3250a96e 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md 
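Review bot: The replacement comment for `additionalMailDomains` in global.yaml.gotmpl removes the misleading comma-separated hint but no longer shows any expected format. The commented default `[]` suggests a YAML list, so an example in that form would prevent the old string-style value from being carried over: `## Optional list of additional mail domains, e.g. ["domain1.de", "domain2.de"]`. How the value is consumed is not visible in this hunk, so confirm the list form against the template that reads it.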
@@ -32,8 +32,10 @@ This documentation lets you create an openDesk evaluation instance on your Kuber * [Install](#install) * [Install single app](#install-single-app) * [Install single release/chart](#install-single-releasechart) -* [Access deployment](#access-deployment) * [Using from external repository](#using-from-external-repository) +* [Access deployment](#access-deployment) + * [Login](#login) + * [Credentials](#credentials) * [Uninstall](#uninstall) @@ -448,17 +450,37 @@ Instead of iterating through all services, you can also deploy a single release helmfile apply -e dev -n -l name=mariadb ``` +## Using from external repository + +Referring to `./helmfile_generic.yaml.gotmpl` from an external +directory or repository is possible. The `helmfile.yaml.gotmpl` that refers to +`./helmfile_generic.yaml.gotmpl` may define custom environments. These custom +environments may overwrite specific configuration values. These +configuration values are: + +* `global.domain` +* `global.helmRegistry` +* `global.master_password` + # Access deployment +## Login + When all apps are successfully deployed, and their Pod status is `Running` or `Succeeded`, you can navigate to +```text +https://domain.tld +``` + +which will redirect you to the actual URL of the openDesk portal: + ```text https://portal.domain.tld ``` -If you change the subdomain of `nubus`, you must replace the subdomain of `portal` with the same subdomain. +By default the portal will send you to openDesk's login screen. -**Credentials:** +## Credentials openDesk deploys with the standard user account `Administrator`, the password for which can be retrieved as follows: 
@@ -490,18 +512,6 @@ docker run --rm registry.opencode.de/bmi/opendesk/components/platform-developmen --create_admin_accounts True ``` -## Using from external repository - -Referring to `./helmfile_generic.yaml.gotmpl` from an external -directory or repository is possible. The `helmfile.yaml.gotmpl` that refers to -`./helmfile_generic.yaml.gotmpl` may define custom environments. These custom -environments may overwrite specific configuration values. These -configuration values are: - -* `global.domain` -* `global.helmRegistry` -* `global.master_password` - # Uninstall You can uninstall the deployment by executing the following: From 1857dd961e8c20aba963c24536addc2c0ed40fee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Wed, 19 Nov 2025 17:42:06 +0100 Subject: [PATCH 26/28] docs(persistance.yaml.gotmpl): Streamline comment for `dovecot` PVC usage --- helmfile/environments/default/persistence.yaml.gotmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helmfile/environments/default/persistence.yaml.gotmpl b/helmfile/environments/default/persistence.yaml.gotmpl index ab3b2527..a22efec0 100644 --- a/helmfile/environments/default/persistence.yaml.gotmpl +++ b/helmfile/environments/default/persistence.yaml.gotmpl @@ -16,8 +16,8 @@ persistence: size: "1Gi" storageClassName: ~ dovecot: - # With Dovecot CE this is used for the mail storage. - # Dovecot Pro (EE) uses this storage for the metacache, + # openDesk CE: Mail storage + # openDesk EE (with Dovecot Pro): Storage for metacache size: "1Gi" storageClassName: ~ mariadb: From f2fe6f3026df8415ce9dc74d488456e41823c5c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Thu, 20 Nov 2025 11:32:19 +0100 Subject: [PATCH 27/28] docs(migrations.md): Streamlining content --- docs/migrations.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/migrations.md b/docs/migrations.md index 12ecd333..d92aaf31 100644 --- a/docs/migrations.md 
+++ b/docs/migrations.md @@ -201,9 +201,11 @@ be derived from the `MASTER_PASSWORD`. **Target group:** All existing deployments that have OX App Suite enabled and that use self-defined secrets. The revised Dovecot configuration requires a new secret that is declared in -[`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key `secrets.doveocot.sharedMailboxesMasterPassword`. +[`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key +`secrets.doveocot.sharedMailboxesMasterPassword`. -If you define your own secrets, please ensure that you provide a value for this secret, otherwise the aforementioned secret will be derived from the `MASTER_PASSWORD`. +If you define your own secrets, please ensure that you provide a value for this secret, otherwise it will +be derived from the `MASTER_PASSWORD`. #### New Helmfile default: Nubus provisioning debug container no longer deployed @@ -566,7 +568,7 @@ Please ensure you read the [Nubus 1.10.0 "Migration steps" section](https://docs For OX App Suite to access the object storage a new secret has been introduced. -It is declared in [`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key: `secrets.minio.openxchangeUser`. If you define your own secrets, please ensure that you provide a value for this secret as well, otherwise the aforementioned secret will be derived from the `MASTER_PASSWORD`. +It is declared in [`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key: `secrets.minio.openxchangeUser`. If you define your own secrets, please ensure that you provide a value for this secret as well, otherwise it will be derived from the `MASTER_PASSWORD`. #### Helmfile new object storage: `objectstores.openxchange.*` From f5aad1fa47559f0d3941c233c7d40029a9e83281 Mon Sep 17 00:00:00 2001 
From: emrah Date: Tue, 18 Nov 2025 13:29:59 +0300 Subject: [PATCH 28/28] feat(jitsi): Update from 2.0.10431 to 2.0.10590 --- README.md | 2 +- helmfile/environments/default/charts.yaml.gotmpl | 2 +- helmfile/environments/default/images.yaml.gotmpl | 14 +++++++------- helmfile/environments/default/replicas.yaml.gotmpl | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 1acef6d6..3cc418cd 100644 --- a/README.md +++ b/README.md 
@@ -42,7 +42,7 @@ openDesk currently features the following functional main components: | Knowledge management | XWiki | LGPL-2.1-or-later | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) | | Portal & IAM | Nubus | AGPL-3.0-or-later | [1.15.2](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.15.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html) | | Project management | OpenProject | GPL-3.0-only | [16.6.1](https://www.openproject.org/docs/release-notes/16-6-1/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) | -| Videoconferencing | Jitsi | Apache-2.0 | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) | +| Videoconferencing | Jitsi | Apache-2.0 | [2.0.10590](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10590) | [For the most recent release](https://jitsi.github.io/handbook/docs/category/user-guide/) | | Weboffice | Collabora | MPL-2.0 | [25.04.6](https://www.collaboraoffice.com/code-25-04-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) | While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index c8630463..849f34ef 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl 
@@ -149,7 +149,7 @@ charts: registry: "registry.opencode.de" repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi" name: "opendesk-jitsi" - version: "3.3.2" + version: "3.4.0" verify: true mariadb: # providerCategory: "Platform" diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index 6e730887..093d9833 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl @@ -168,7 +168,7 @@ images: # upstreamMirrorStartFrom: ["8922"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri" - tag: "stable-10431@sha256:21ae6f3e9139ca1beea630756060b66f1a6221005f45e35df35d4bf9f69a4cc3" + tag: "stable-10590@sha256:c6e10bc418084c2e1664e76bdddb525db34ba5f140af5a9fe9dd5c4f7637a492" jicofo: # providerCategory: "Supplier" # providerResponsible: "Nordeck" @@ -178,7 +178,7 @@ images: # upstreamMirrorStartFrom: ["8922"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo" - tag: "stable-10431@sha256:6857b0cad627cde79f6e21c1c40843b14d70dd43e627537c60449d448ce14769" + tag: "stable-10590@sha256:a30e9e09fdc39d88bc8cc8a4e83a32bb6bf58914abfb44290439afaf4c72e4a8" jigasi: # providerCategory: "Supplier" # providerResponsible: "Nordeck" @@ -188,7 +188,7 @@ images: # upstreamMirrorStartFrom: ["9955"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jigasi" - tag: "stable-10431@sha256:9bcb35444296ab007b24a8ccecd6c1eacc0f01fccf4223e7f8ac340464f4a52e" + tag: "stable-10590@sha256:0596e603eb1b4909e8df97be00649848f2b1b85b7cbb7d5e3065ba482a231d49" jitsi: # providerCategory: "Supplier" # providerResponsible: "Nordeck" 
@@ -198,7 +198,7 @@ images:
 # upstreamMirrorStartFrom: ["8922"]
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
- tag: "stable-10431@sha256:47f57fb67d95a2d3b5fa6edf93916b4922e1599278c0f9dd16cc30f432c75511"
+ tag: "stable-10590@sha256:ae90a61975f7f7d498051ce9e0d7310117ee3f869dcc8c947a005214b253582d"
 jitsiKeycloakAdapter:
 # providerCategory: "Supplier"
 # providerResponsible: "Nordeck"
@@ -208,7 +208,7 @@ images:
 # upstreamMirrorStartFrom: ["2023", "12", "14"]
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter"
- tag: "v20250911@sha256:716fb9ba2e866d74cbbd6241a8c75335e48ba25ec2d35f4678e83dd3156bc87c"
+ tag: "v20251119@sha256:2df703ff789be841f984142120e5a31dfd60cfe112a8d8d548ecc92e1401f005"
 jitsiPatchJVB:
 # providerCategory: "Community"
 # providerResponsible: "openDesk"
@@ -228,7 +228,7 @@ images:
 # upstreamMirrorStartFrom: ["8922"]
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
- tag: "stable-10431@sha256:64f8a368f593a30d5388d9643b1b0af7b4a09f03f6e585e50cdbff398b5f8918"
+ tag: "stable-10590@sha256:651021ddd4fe1ca29848d96d5813a1ea71b3dbf3587b14a13968ec0e62de2f0c"
 mariadb:
 # providerCategory: "Community"
 # providerResponsible: "openDesk"
@@ -940,7 +940,7 @@ images:
 # upstreamMirrorStartFrom: ["8922"]
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
- tag: "stable-10431@sha256:792618fff60c6e0eb4facb221e3477b2249cabeaf0479753ac7a6b98c075fd20"
+ tag: "stable-10590@sha256:86d43e743268fa89035663a5e29be7689b131b9c1fb435c01c94d2eeebbb058a"
 redis:
 # providerCategory: "Community"
 # providerResponsible: "openDesk"
diff --git a/helmfile/environments/default/replicas.yaml.gotmpl b/helmfile/environments/default/replicas.yaml.gotmpl
index d1beb883..59bc16a6 100644
--- a/helmfile/environments/default/replicas.yaml.gotmpl
+++ b/helmfile/environments/default/replicas.yaml.gotmpl
@@ -146,7 +146,7 @@ replicas:
 # -- scalable: tbd
 jitsiKeycloakAdapter: 1
 # -- scalable: tbd
- jvb: 1
+ jvb: 2
 # -- component: Persistence Layer
 # -- scalable: false
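Review bot: The `# -- scalable: tbd` annotation directly above `jvb` is left unchanged while the default goes from 1 to 2, so the file now ships a multi-replica default for a component it still documents as not yet assessed for scaling. If the opendesk-jitsi chart bump in this commit is what makes more than one videobridge supported (presumed, the hunk does not show it), the comment should say so, e.g. `# -- scalable: true`, or whatever value the file uses for confirmed components. Each additional JVB pod is typically another media endpoint that has to be reachable from outside the cluster, so the release notes should ask operators to confirm that their network policies and firewall rules cover the second replica. The `replicas:` mapping starts and continues outside this hunk.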