feat(element): Featuretoggle for presence propagation

feat(element): Reduced presence values to one for all presence features
feat(element): Default for Element status disabled
2025-12-06 07:21:36 +01:00 · 2024-07-31 08:24:43 +02:00 · 2024-07-30 16:09:29 +02:00 · 2024-07-30 15:00:25 +02:00 · 2024-07-30 13:26:02 +02:00 · 2024-07-30 12:20:57 +02:00
46 changed files with 1008 additions and 343 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -36,9 +36,11 @@ stages:
  - "env-cleanup"
  - "env"
  - "pre-services-deploy"
+  - "migrations-pre"
  - "basic-services-deploy"
  - "component-deploy-stage-1"
  - "component-deploy-stage-2"
+  - "migrations-post"
  - "lint"
  - "tests"
  - "env-stop"
@@ -77,6 +79,12 @@ variables:
    options:
      - "yes"
      - "no"
+  DEPLOY_MIGRATIONS:
+    description: "Deploy K8s job for migrations (pre & post)."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
  DEPLOY_SERVICES:
    description: "Enable Service deployment."
    value: "no"
@@ -208,6 +216,7 @@ env-cleanup:
        done
        kubectl delete pvc --all --namespace ${NAMESPACE};
        kubectl delete jobs --all --namespace ${NAMESPACE};
+        kubectl delete configmaps --all --namespace ${NAMESPACE};
      else
        helmfile destroy --namespace ${NAMESPACE};
      fi
@@ -250,6 +259,30 @@ policies-deploy:
    COMPONENT: "services"
    ADDITIONAL_ARGS: "-l name=opendesk-otterize"

+migrations-pre:
+  stage: "migrations-pre"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "migrations-pre"
+
+migrations-post:
+  stage: "migrations-post"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "migrations-post"
+
 services-deploy:
  stage: "basic-services-deploy"
  extends: ".deploy-common"
--- a/README.md
+++ b/README.md
@@ -34,11 +34,11 @@ openDesk currently features the following functional main components:
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                  | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
 | Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
-| Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)               | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
+| Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [14.2.0](https://www.openproject.org/docs/release-notes/14-2-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9457](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9457) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.4.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.5.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |

 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/cspell.json
+++ b/cspell.json
@@ -69,7 +69,11 @@
        "cryptpad",
        "clamav",
        "templating",
-        "localpart"
+        "localpart",
+        "Addressbooks",
+        "filestore",
+        "trashbin",
+        "bootstrap"
    ],
    "ignoreWords": [],
    "import": []
--- a/docs/components.md
+++ b/docs/components.md
@@ -10,11 +10,11 @@ This section covers the internal system requirements as well as external service
 <!-- TOC -->
 * [Overview](#overview)
 * [Component integration](#component-integration)
-  * [Intercom Service (ICS)](#intercom-service-ics)
+  * [Intercom Service / Silent Login](#intercom-service--silent-login)
  * [Filepicker](#filepicker)
  * [Central Navigation](#central-navigation)
-  * [(Read \& write) Central contacts](#read--write-central-contacts)
-  * [OpenProject file store](#openproject-file-store)
+  * [Central Contacts](#central-contacts)
+  * [File Store (OpenProject -\> Nextcloud)](#file-store-openproject---nextcloud)
 * [Identity data flows](#identity-data-flows)
 * [Provisioning](#provisioning)
 <!-- TOC -->
@@ -56,58 +56,91 @@ Some use cases require inter component integration.

 ```mermaid
 flowchart TD
-  OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
-  Element-->|CentralNavigation|IntercomService
-  IntercomService-->|SilentLogin, TokenExchange|IdP
-  IntercomService-->|Filepicker|Nextcloud
-  IntercomService-->|CentralNavigation|Portal
-  OXAppSuiteBackend-->|Filepicker|Nextcloud
-  Nextcloud-->|CentralNavigation|Portal
-  OpenProject-->|CentralNavigation|Portal
-  OpenProject-->|File store|Nextcloud
-  XWiki-->|CentralNavigation|Portal
-  Nextcloud-->|CentralContacts|OXAppSuiteBackend
-  OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
+  OX-AppSuite_Frontend-->|Silent Login, Filepicker, Central Navigation|Intercom_Service
+  Element-->|Silent Login, Central Navigation|Intercom_Service
+  Intercom_Service-->|Silent Login, Token Exchange|IdP
+  Intercom_Service-->|Filepicker|Nextcloud
+  Intercom_Service-->|Central Navigation|Portal
+  OX-AppSuite_Backend-->|Filepicker|Nextcloud
+  Nextcloud-->|Central Navigation|Portal
+  OpenProject-->|Central Navigation|Portal
+  OpenProject-->|File Store|Nextcloud
+  XWiki-->|Central Navigation|Portal
+  Nextcloud-->|Central Contacts|OX-AppSuite_Backend
+  OX-AppSuite_Frontend-->|Filepicker|OX-AppSuite_Backend
 ```

-## Intercom Service (ICS)
+Most details can be found in the upstream documentation that is linked in the respective sections.

-The Univention Intercom Service's role is to enable cross-application integration based on browser interaction.
-Handling authentication when the frontend of an application is using the API from another application is often a
+## Intercom Service / Silent Login
+
+The Intercom Service's role is to enable cross-application integration based on the user's browser interaction as handling
+authentication when the frontend of an application has to call the API from another application is often a
 challenge.
-For more details on the ICS please refer to its own [doc](./components/intercom-service.md).

-To establish a session with the Intercom Service, the application that wants to use the ICS must initiate a silent
-login.
+To establish a session with the Intercom Service an application can use the silent login feature within an iframe.

-Currently only OX AppSuite is using the frontend-based integration, and therefore it is right now the only consumer of
-the ICS API.
+Currently only OX AppSuite and Element are using the frontend based integration.
+
+**Links**
+- [Intercom Service upstream documentation](https://docs.software-univention.de/intercom-service/latest/index.html).

 ## Filepicker

-The Nextcloud filepicker which is integrated into the OX AppSuite allows you to add attachments or links to files from
-and saving attachments to Nextcloud.
+The Nextcloud filepicker is integrated into the OX AppSuite supporting the following use cases against the respective openDesk instance's Nextcloud:
+- Attaching files from Nextcloud to emails.
+- Adding links of Nextcloud files to emails.
+- Saving attachments from emails into Nextcloud.
+- Attaching files from Nextcloud to calendar entries.

-The filepicker is using frontend and backend based integration.
-Frontend-based integration means that OX AppSuite in the browser is communicating with ICS.
-While using backend-based integration, OX AppSuite middleware is communicating with Nextcloud, which is especially used
-when adding a file to an email or storing a file into Nextcloud.
+The filepicker is using frontend and backend based integration:
+- For frontend based integration the OX AppSuite frontend uses the Intercom Service.
+- Backend based integration is coming from OX AppSuite middleware. The middleware is communicating directly with Nextcloud,
+which is used when adding a file to an email or storing a file into Nextcloud, to avoid passing these files through the user's browser.
+
+**Links**
+- [OX AppSuite Nextcloud Integration upstream documentation](https://gitlab.open-xchange.com/extensions/nextcloud-integration/-/tree/main/documentation).

 ## Central Navigation

-Central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user to
-allow components to render the menu showing all available SWP applications for the user.
+Central navigation is based on an API endpoint in the Nubus portal that returns a JSON containing the contents of the portal for
+a given user. The response from the API endpoint is used in the openDesk applications to render the central navigation.

-## (Read & write) Central contacts
+The API can be called by
+- frontend services through the Intercom Service's `/navigation.json` endpoint or
+- backend services directly at the portal's `/univention/portal/navigation.json` endpoint.

-Open-Xchange App Suite is used to manage contacts within openDesk. There is an API in the AppSuite that is being used by
-Nextcloud to lookup contacts as well as to create contacts. This is maybe done when a file is shared with a not yet
-available personal contact.
+The central navigation expects the API caller to present a shared secret for authentication and the username for whom the portal
+contents should be returned for.

-## OpenProject file store
+A `curl` based request returning the navigation contents looks like this:

-By default, Nextcloud is a configured option for storing attachments in OpenProject.
-The file store can be enabled on a per-project level in OpenProject's project admin section.
+```
+curl 'https://portal.<DOMAIN>/univention/portal/navigation.json?base=https%3A//portal.<DOMAIN>&language=de-DE' -u "<USERNAME>:<SHARED_SECRET>"
+```
+
+## Central Contacts
+
+OX App Suite is managing contacts in openDesk. Therefore Nextcloud's PHP backend is using the OX AppSuite's middleware Contacts API to
+- create a new contact in the user's contacts folder when a file is shared with a yet unknown email address.
+- retrieve contacts from the user's contacts folder to support search-as-you-type when starting to share a file.
+
+**Links:**
+- Currently used [OX Contacts API (deprecated)](https://documentation.open-xchange.com/components/middleware/http/8/index.html#!Contacts).
+- New [OX Addressbooks API](https://documentation.open-xchange.com/components/middleware/http/8/index.html#!Addressbooks) the Central Contacts integration will switch to.
+
+## File Store (OpenProject -> Nextcloud)
+
+While OpenProject allows you to attach files to work packages directly, it is often preferred that the files are
+stored within Nextcloud or to link an existing file from your openDesk Nextcloud to a work package.
+
+Therefore openDesk pre-configures the trust between the openDesk instance's OpenProject and Nextcloud during the `openproject-boostrap` deployment step. As prerequisite for that openDesk's Nextcloud contains the `integration_openproject` app.
+
+The file store still needs to be enabled on a per-project level in OpenProject's project admin section.
+
+**Links:**
+- [OpenProject's documentation on Nextcloud integration](https://www.openproject.org/docs/system-admin-guide/integrations/nextcloud/)
+- [OpenProject Integration Nextcloud app](https://apps.nextcloud.com/apps/integration_openproject)

 # Identity data flows

--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -52,7 +52,7 @@ Below you will find some wrap-up notes when it comes to debugging openDesk by ad

 You can add a container by editing and updating an existing deployment, which is quite comfortable with tools like [Lens](https://k8slens.dev/).

- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
+- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:latest`.
 - Ensure the `shareProcessNamespace` option is enabled for the Pod.
 - Reference the selected container within the `containers` array of the deployment.
 - In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
--- a/docs/enhanced-configuration/matrix-federation.md
+++ b/docs/enhanced-configuration/matrix-federation.md
@@ -37,10 +37,11 @@ If not used it is also set to `opendesk.domain.tld`.
 The following setting can disable federation:

 ```yaml
-externalServices:
-  matrix:
-    federation:
-      enabled: false
+functional:
+  externalServices:
+    matrix:
+      federation:
+        enabled: false
 ```

 ## Separate Matrix domain
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -0,0 +1,33 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Migrations</h1>
+
+* [Disclaimer](#disclaimer)
+* [From v0.8.1](#from-v081)
+  * [Updated customizable template attributes](#updated-customizable-template-attributes)
+  * [`migrations` S3 bucket](#migrations-s3-bucket)
+
+# Disclaimer
+
+We do not offer support for upgrades before we reach openDesk 1.0.
+
+Though we try to ease the pain when it comes to 0.x upgrades. That is what this document is for.
+
+# From v0.8.1
+
+## Updated customizable template attributes
+
+- Action: Please ensure you update you custom deployment values according with the updated default value structure.
+- References:
+  - `functional.` prefix for `authentication.*`, `externalServices.*`, `admin.*` and `filestore.*`, see [functional.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/functional.yaml).
+  - `debug.` prefix for `cleanup.*`, see [debug.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/debug.yaml).
+  - `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
+  - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
+
+## `migrations` S3 bucket
+
+- Action: For self managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
+- Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -17,11 +17,11 @@ fullnameOverride: "collabora"

 grafana:
  dashboards:
-    enabled: {{ .Values.grafana.dashboards.enabled }}
+    enabled: {{ .Values.monitoring.grafana.dashboards.enabled }}
    labels:
-      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.grafana.dashboards.labels | toYaml | nindent 6 }}
    annotations:
-      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
+      {{ .Values.monitoring.grafana.dashboards.annotations | toYaml | nindent 6 }}

 image:
  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -88,13 +88,13 @@ podSecurityContext:

 prometheus:
  servicemonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
    labels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
  rules:
-    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
    additionalLabels:
-      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 6 }}

 replicaCount: {{ .Values.replicas.collabora }}

--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}

 configuration:
  username: "meetings-bot"
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}

 configuration:
  username: "uvs"
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -40,9 +40,14 @@ configuration:
              regex: "@.*"
        url: null
        sender_localpart: intercom-service
+    use_presence: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
+    presence: 
+      enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
+    
+    

    smtp:
-      senderAddress: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
      host: {{ .Values.smtp.host | quote }}
      port: {{ .Values.smtp.port }}
      username: {{ .Values.smtp.username | quote }}
@@ -52,6 +57,9 @@ configuration:
      clientId: "opendesk-matrix"
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
+      scopes:
+        - "openid"
+        - "opendesk-matrix-scope"

    turn:
      sharedSecret: {{ .Values.turn.credentials | quote }}
@@ -91,7 +99,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}

 federation:
-  enabled: {{ .Values.externalServices.matrix.federation.enabled }}
+  enabled: {{ .Values.functional.externalServices.matrix.federation.enabled }}
  ingress:
    host: "{{ .Values.global.hosts.synapseFederation }}.{{ .Values.global.domain }}"
    enabled: {{ .Values.ingress.enabled }}
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -27,7 +27,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}

 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/migrations-post/helmfile-child.yaml
+++ b/helmfile/apps/migrations-post/helmfile-child.yaml
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # openDesk Migrations
+  # Source:
+  - name: "openproject-migrations-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.migrations.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"
+
+releases:
+  - name: "opendesk-migrations-post"
+    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    version: "{{ .Values.charts.migrations.version }}"
+    wait: true
+    waitForJobs: true
+    values:
+      - "values.yaml.gotmpl"
+      - "../../shared/migrations.yaml.gotmpl"
+    installed: {{ .Values.migrations.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-0"
+  component: "opendesk-migrations"
+...
--- a/helmfile/apps/migrations-post/helmfile.yaml
+++ b/helmfile/apps/migrations-post/helmfile.yaml
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/migrations-post/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/values.yaml.gotmpl
@@ -0,0 +1,8 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+migrations:
+  stage: "POST"
+...
--- a/helmfile/apps/migrations-pre/helmfile-child.yaml
+++ b/helmfile/apps/migrations-pre/helmfile-child.yaml
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # openDesk Migrations
+  # Source:
+  - name: "openproject-migrations-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.migrations.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"
+
+releases:
+  - name: "opendesk-migrations-pre"
+    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    version: "{{ .Values.charts.migrations.version }}"
+    wait: true
+    waitForJobs: true
+    values:
+      - "values.yaml.gotmpl"
+      - "../../shared/migrations.yaml.gotmpl"
+    installed: {{ .Values.migrations.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-0"
+  component: "opendesk-migrations"
+...
--- a/helmfile/apps/migrations-pre/helmfile.yaml
+++ b/helmfile/apps/migrations-pre/helmfile.yaml
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/migrations-pre/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/values.yaml.gotmpl
@@ -0,0 +1,8 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+migrations:
+  stage: "PRE"
+...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -14,7 +14,7 @@ additionalAnnotations:
  intents.otterize.com/service-name: "opendesk-nextcloud-php"

 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}

 configuration:
  administrator:
@@ -78,8 +78,13 @@ configuration:
        value: {{ .Values.smtp.password | quote }}
    host: {{ .Values.smtp.host | quote }}
    port: {{ .Values.smtp.port | quote }}
-    fromAddress: {{ .Values.localpartNoReply | quote }}
+    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
    mailDomain: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+  quota:
+    default: "{{ .Values.functional.filestore.quota.default }} GB"
+    retentionObligation:
+      trashbin: {{ .Values.functional.filestore.nextcloud.retentionObligation.trashbin | quote }}
+      versions: {{ .Values.functional.filestore.nextcloud.retentionObligation.versions | quote }}

  serverinfo:
    token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
@@ -101,7 +106,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}

 debug:
-  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}

 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -34,13 +34,13 @@ exporter:
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
  prometheus:
    serviceMonitor:
-      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
    prometheusRule:
-      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -84,7 +84,7 @@ php:
  cron:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
-    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
    repository: "{{ .Values.images.nextcloudPHP.repository }}"
@@ -92,13 +92,13 @@ php:
    tag: {{ .Values.images.nextcloudPHP.tag | quote }}
  prometheus:
    serviceMonitor:
-      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
    prometheusRule:
-      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}

 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeBootstrap.registry | quote }}
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -11,8 +11,8 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}

 config:
  openproject:
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -67,10 +67,13 @@ environment:
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
-  OPENPROJECT_MAIL__FROM: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
+  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
+  {{- if .Values.enterprise.openproject.token }}
+  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterprise.openproject.token | quote }}
+  {{- end }}

 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
@@ -129,7 +132,7 @@ openproject:
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    identifier: "opendesk-openproject"
    provider: "keycloak"
-    scope: "[openid,opendesk]"
+    scope: "[openid,opendesk-openproject-scope]"
    secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
    tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
    userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -12,7 +12,7 @@ issuerRef:
  name: {{ .Values.certificate.issuerRef.name | quote }}

 cleanup:
-  keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
+  keepRessourceOnDelete: {{ .Values.debug.cleanup.keepRessourceOnDelete }}

 wildcard: {{ .Values.certificate.wildcard }}
 ...
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -67,9 +67,9 @@ mode: {{ if gt .Values.replicas.minio 1 }}"distributed"{{ else }}"standalone"{{

 metrics:
  serviceMonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
    additionalLabels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}

 networkPolicy:
  enabled: false
@@ -89,16 +89,43 @@ provisioning:
  extraCommands:
    - "mc anonymous set download provisioning/ums/portal-assets"
  buckets:
+    - name: {{ .Values.objectstores.migrations.bucket | quote }}
+      versioning: false
+      withLock: false
+    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
+      versioning: true
+      withLock: false
    - name: {{ .Values.objectstores.openproject.bucket | quote }}
      versioning: true
      withLock: false
    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
      versioning: false
      withLock: false
-    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
-      versioning: true
-      withLock: false
  policies:
+    - name: "migrations-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::migrations"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::migrations/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "nextcloud-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::nextcloud"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::nextcloud/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
    - name: "openproject-bucket-policy"
      statements:
        - resources:
@@ -123,19 +150,19 @@ provisioning:
          effect: "Allow"
          actions:
            - "s3:*"
-    - name: "nextcloud-bucket-policy"
-      statements:
-        - resources:
-            - "arn:aws:s3:::nextcloud"
-          effect: "Allow"
-          actions:
-            - "s3:*"
-        - resources:
-            - "arn:aws:s3:::nextcloud/*"
-          effect: "Allow"
-          actions:
-            - "s3:*"
  users:
+    - username: {{ .Values.objectstores.migrations.username | quote }}
+      password: {{ .Values.secrets.minio.migrationsUser | quote }}
+      disabled: false
+      policies:
+        - "migrations-bucket-policy"
+      setPolicies: true
+    - username: {{ .Values.objectstores.nextcloud.username | quote }}
+      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
+      disabled: false
+      policies:
+        - "nextcloud-bucket-policy"
+      setPolicies: true
    - username: {{ .Values.objectstores.openproject.username | quote }}
      password: {{ .Values.secrets.minio.openprojectUser | quote }}
      disabled: false
@@ -148,12 +175,6 @@ provisioning:
      policies:
        - "ums-bucket-policy"
      setPolicies: true
-    - username: {{ .Values.objectstores.nextcloud.username | quote }}
-      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
-      disabled: false
-      policies:
-        - "nextcloud-bucket-policy"
-      setPolicies: true
  resources:
    {{ .Values.resources.minio | toYaml | nindent 4 }}

--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -17,10 +17,15 @@ image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}

 config:
+  custom:
+    clientScopes:
+      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
+    clients:
+      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
  keycloak:
    adminUser: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -29,14 +34,20 @@ config:
      enabled: true
      internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
  twoFactorSettings:
-    additionalGroups: {{ .Values.authentication.twoFactor.groups }}
-  custom:
+    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
+  opendesk:
+    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
+    # to LDAP group membership to ensure a user cannot access an application without the required
+    # group membership.
+    # ToDo:
+    # - Jitsi does currently not care if it gets scopes/claims as long as the user is authenticated.
    clientScopes:
      - name: "read_contacts"
        protocol: "openid-connect"
      - name: "write_contacts"
        protocol: "openid-connect"
-      - name: "opendesk"
+      - name: "opendesk-openproject-scope"
+        description: "Scope for the claims required by openDesk's OpenProject instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
@@ -61,6 +72,306 @@ config:
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
+          - name: "opendeskProjectmanagementAdmin"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "opendeskProjectmanagementAdmin"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "openproject_admin"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "given name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "firstName"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "given_name"
+              jsonType.label: "String"
+          - name: "family name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "lastName"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "family_name"
+              jsonType.label: "String"
+      - name: "opendesk-jitsi-scope"
+        description: "Scope for the claims required by openDesk's Jitsi instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-nextcloud-scope"
+        description: "Scope for the claims required by openDesk's Nextcloud instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "context"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "oxContextIDNum"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "context"
+              jsonType.label: "String"
+      - name: "opendesk-matrix-scope"
+        description: "Scope for the claims required by openDesk's Matrix instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-xwiki-scope"
+        description: "Scope for the claims required by openDesk's XWiki instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-dovecot-scope"
+        description: "Scope for the claims required by openDesk's Dovecot instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+      - name: "opendesk-oxappsuite-scope"
+        description: "Scope for the claims required by openDesk's OX Appuite instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "context"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "oxContextIDNum"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "context"
+              jsonType.label: "String"
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
    clients:
      - name: "opendesk-dovecot"
        clientId: "opendesk-dovecot"
@@ -74,7 +385,7 @@ config:
        attributes:
          backchannel.logout.session.required: false
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-dovecot-scope"
      - name: "opendesk-intercom"
        clientId: "opendesk-intercom"
        protocol: "openid-connect"
@@ -128,7 +439,6 @@ config:
              claim.name: "phoenixusername"
              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
          - "offline_access"
      - name: "opendesk-jitsi"
        clientId: "opendesk-jitsi"
@@ -142,8 +452,7 @@ config:
        fullScopeAllowed: true
        authorizationServicesEnabled: false
        defaultClientScopes:
-          - "opendesk"
-          - "profile"
+          - "opendesk-jitsi-scope"
      - name: "opendesk-matrix"
        clientId: "opendesk-matrix"
        protocol: "openid-connect"
@@ -165,12 +474,9 @@ config:
          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
-          - "opendesk"
-        optionalClientScopes:
-          - "email"
-          - "profile"
-        # This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
-        # is solved and also is able to use "opendesk-matrix" we keep that dummy client that
+          - "opendesk-matrix-scope"
+      # The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID.
+      # Unless that is solved and also is able to use "opendesk-matrix" we keep that dummy client that
      - name: "matrix"
        clientId: "matrix"
        protocol: "openid-connect"
@@ -183,6 +489,8 @@ config:
        authorizationServicesEnabled: false
        attributes:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes: []
+        optionalClientScopes: []
      - name: "opendesk-nextcloud"
        clientId: "opendesk-nextcloud"
        protocol: "openid-connect"
@@ -199,21 +507,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "context"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "oxContextIDNum"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "context"
-              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
-          - "email"
+          - "opendesk-nextcloud-scope"
          - "read_contacts"
          - "write_contacts"
      - name: "opendesk-openproject"
@@ -233,22 +528,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "opendeskProjectmanagementAdmin"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "opendeskProjectmanagementAdmin"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "openproject_admin"
-              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
-          - "email"
-          - "profile"
+          - "opendesk-openproject-scope"
      - name: "opendesk-oxappsuite"
        clientId: "opendesk-oxappsuite"
        protocol: "openid-connect"
@@ -265,20 +546,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "context"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "oxContextIDNum"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "context"
-              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-oxappsuite-scope"
          - "read_contacts"
          - "write_contacts"
      - name: "opendesk-xwiki"
@@ -298,10 +567,7 @@ config:
          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
-          - "opendesk"
-          - "address"
-          - "email"
-          - "profile"
+          - "opendesk-xwiki-scope"
      - name: "guardian-management-api"
        clientId: "guardian-management-api"
        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -505,7 +771,6 @@ config:
              claim.name: "dn"
              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
          - "web-origins"
          - "acr"
          - "roles"
@@ -594,7 +859,6 @@ config:
              access.token.claim: true
              userinfo.token.claim: false

-
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -674,7 +674,7 @@ stack-data-swp:

  stackDataSwp:
    udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-    {{- if .Values.admin.portal.deploymentInformation.enabled }}
+    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
    systemInformation:
      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
@@ -1062,8 +1062,8 @@ keycloak-bootstrap:
    imagePullPolicy: {{ .Values.global.imagePullPolicy }}

  cleanup:
-    deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-    keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+    deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+    keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}

  keycloak:
    connection:
@@ -1172,7 +1172,7 @@ keycloak-extensions:
      ipProtectionEnable: true
      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      mailFrom: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
@@ -1319,7 +1319,7 @@ stack-gateway:
      proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;


-      {{ if .Values.externalServices.nubus.udmRestApi.enabled }}
+      {{ if .Values.functional.externalServices.nubus.udmRestApi.enabled }}
      ## udm-rest-api
      location /univention/udm/ {
        # The UDM Rest API does return on some endpoints a lot of headers
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -60,14 +60,19 @@ customConfigs:
    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
    ## Allow short update cycles of the LDAP group cache
    xwiki.authentication.ldap.groupcache_expiration: 300
+    ## Mapping for XWiki attributes to the respective LDAP attributes
+    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"

  xwiki.properties:
+    wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
+    wikiInitializer.initialRequest.xwiki.contextPath: "/"
+    wikiInitializer.initialRequest.xwiki.remoteAddress: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
    oidc.clientid: "opendesk-xwiki"
    oidc.endpoint.token.auth_method: "client_secret_basic"
    oidc.endpoint.userinfo.method: "GET"
    oidc.logoutMechanism: "rpInitiated"
    oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
-    oidc.scope: "openid,profile,email,address,opendesk"
+    oidc.scope: "openid,opendesk-xwiki-scope"
    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
    oidc.skipped: false
    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
@@ -81,6 +86,8 @@ customConfigs:
    workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
    workplaceServices.base: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
    workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+    openoffice.serverType: "0"
+    notifications.emails.live.graceTime: "5"

 ingress:
  enabled: {{ .Values.ingress.enabled }}
@@ -126,8 +133,11 @@ properties:
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvg | b64enc }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
  ## SMTP settings
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ .Values.smtp.host | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": {{ .Values.smtp.port | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ .Values.smtp.username | quote }}
@@ -157,7 +167,7 @@ properties:
  "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
-    "sn,givenname,uid"
+    "sn,givenname,uid,mailPrimaryAddress"
  ## Restrict user import in the UI to global administrators
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
  ## Enable group and user synchronization
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -46,7 +46,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
    name: "collabora-online"
-    version: "1.1.17"
+    version: "1.1.20"
    verify: true
  cryptpad:
    # providerCategory: "Supplier"
@@ -78,7 +78,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
@@ -88,7 +88,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -180,7 +180,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  memcached:
    # providerCategory: "Community"
@@ -192,6 +192,16 @@ charts:
    name: "memcached"
    version: "6.7.1"
    verify: true
+  migrations:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-migrations"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
+    name: "opendesk-migrations"
+    version: "1.0.1"
+    verify: true
  minio:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -210,7 +220,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "2.0.0"
+    version: "2.1.0"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
@@ -220,7 +230,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "2.0.0"
+    version: "2.1.0"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -240,7 +250,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "1.1.0"
+    version: "2.1.0"
    verify: true
  openproject:
    # providerCategory: "Supplier"
@@ -252,7 +262,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
    name: "openproject"
-    version: "5.1.4"
+    version: "5.3.0"
    verify: true
  openprojectBootstrap:
    # providerCategory: "Platform"
@@ -346,7 +356,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  synapseCreateAccount:
    # providerCategory: "Platform"
@@ -356,7 +366,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  synapseWeb:
    # providerCategory: "Platform"
@@ -366,7 +376,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  ums:
    # providerCategory: "Supplier"
@@ -402,6 +412,6 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
    name: "xwiki"
-    version: "1.3.0"
+    version: "1.3.1"
    verify: false
 ...
--- a/helmfile/environments/default/debug.yaml
+++ b/helmfile/environments/default/debug.yaml
@@ -1,16 +1,16 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-cleanup:
-  # Keep Pods/Job logs after successful run.
-  deletePodsOnSuccess: true
-  # When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
-  deletePodsOnSuccessTimeout: 60
-  # Keep persistence on deletion of this release.
-  keepPVCOnDelete: false
-  # Keep additional resources, like certificates on deletion of this release.
-  keepRessourceOnDelete: true
 debug:
+  cleanup:
+    # Keep Pods/Job logs after successful run.
+    deletePodsOnSuccess: true
+    # When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
+    deletePodsOnSuccessTimeout: 60
+    # Keep persistence on deletion of this release.
+    keepPVCOnDelete: false
+    # Keep additional resources, like certificates on deletion of this release.
+    keepRessourceOnDelete: true
  # should activate debug output in all components and even allow e.g. successfully executed jobs
  # to stay available. This is going to be implemented on a case by case basis when we actually
  # need debugging in a component.
--- a/helmfile/environments/default/enterprise.yaml
+++ b/helmfile/environments/default/enterprise.yaml
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+# The variables set in this file are required to upgrade components to their "Enterprise" product variant.
+---
+enterprise:
+  openproject:
+    # Enterprise token must match the deployment's OpenProject host name.
+    token: ""
+...
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -1,26 +1,55 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-authentication:
-  twoFactor:
-    # Define a list of groups to enable 2FA for.
-    # Note: Removing a group from the list will not disable 2FA for the removed group.
-    groups:
+functional:
+  admin:
+    portal:
+      deploymentInformation:
+        # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
+        enabled: true
+
+  authentication:
+    twoFactor:
+      # Define a list of groups to enable 2FA for.
+      # Note: Removing a group from the list will not disable 2FA for the removed group.
+      groups:
      - "Domain Admins"
+    oidc:
+      # Define additional/custom OIDC clients to be created in the 'opendesk' realm of Keycloak.
+      clients: ~
+      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm of Keycloak.
+      clientScopes: ~

-externalServices:
-  nubus:
-    udmRestApi:
-      # Enable to make the UDM REST API from the Nubus stack externally available.
+  externalServices:
+    nubus:
+      udmRestApi:
+        # Enable to make the UDM REST API from the Nubus stack externally available.
+        enabled: false
+    matrix:
+      federation:
+        # Disable to not support Matrix federation with your installation.
+        enabled: true
+
+  filestore:
+    quota:
+      # Set the default quota for all users in GB
+      default: 1
+    # Nextcloud specific configuration
+    nextcloud:
+      retentionObligation:
+        # yamllint disable rule:line-length
+        # Set Nextcloud's `trashbin_retention_obligation`
+        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
+        trashbin: "auto"
+        # Set Nextcloud's `versions_retention_obligation`
+        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
+        versions: "auto"
+        # yamllint enable rule:line-length
+        
+  dataProtection:
+    matrixPresence:
+      # Enable to allow information about the user presence status to be shared.
+      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
      enabled: false
-  matrix:
-    federation:
-      # Disable to not support Matrix federation with your installation.
-      enabled: true
-
-admin:
-  portal:
-    deploymentInformation:
-      # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
-      enabled: true
+  
 ...
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
@@ -23,4 +23,39 @@ global:
  #
  helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}
  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | quote }}
+
+  ## Define ingress/virtualservice host.
+  #
+  hosts:
+    collabora: "collabora"
+    cryptpad: "cryptpad"
+    element: "chat"
+    intercomService: "ics"
+    jitsi: "meet"
+    keycloak: "id"
+    matrixNeoBoardWidget: "matrix-neoboard-widget"
+    matrixNeoChoiceWidget: "matrix-neochoice-widget"
+    matrixNeoDateFixBot: "matrix-neodatefix-bot"
+    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
+    minioApi: "minio"
+    minioConsole: "minio-console"
+    nextcloud: "fs"
+    openproject: "project"
+    openxchange: "webmail"
+    synapse: "matrix"
+    synapseFederation: "matrix-federation"
+    univentionManagementStack: "portal"
+    whiteboard: "whiteboard"
+    xwiki: "wiki"
+
+  ## Credentials to fetch images from private registry
+  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  #
+  imagePullSecrets:
+    - "external-registry"
+
+  ## Define the policy to pull container images.
+  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+  #
+  imagePullPolicy: "IfNotPresent"
 ...
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -1,42 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
---
-## The global properties are used to configure multiple charts at once.
-#
-global:
-  ## Define ingress/virtualservice host.
-  #
-  hosts:
-    collabora: "collabora"
-    cryptpad: "cryptpad"
-    element: "chat"
-    intercomService: "ics"
-    jitsi: "meet"
-    keycloak: "id"
-    matrixNeoBoardWidget: "matrix-neoboard-widget"
-    matrixNeoChoiceWidget: "matrix-neochoice-widget"
-    matrixNeoDateFixBot: "matrix-neodatefix-bot"
-    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
-    minioApi: "minio"
-    minioConsole: "minio-console"
-    nextcloud: "fs"
-    openproject: "project"
-    openxchange: "webmail"
-    synapse: "matrix"
-    synapseFederation: "matrix-federation"
-    univentionManagementStack: "portal"
-    whiteboard: "whiteboard"
-    xwiki: "wiki"
-
-  ## Credentials to fetch images from private registry
-  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  #
-  imagePullSecrets:
-    - "external-registry"
-
-  ## Define the policy to pull container images.
-  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
-  #
-  imagePullPolicy: "IfNotPresent"
-...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -20,7 +20,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.4.2.1@sha256:268b586d48848958f9a0329f1ce6849f842d1ab2413a3c45ddf2f2dd249efc9a"
+    tag: "24.04.5.2.1@sha256:583f3764661fdce99c5a97019b732db1bed9f9b333d70640ac99a6953c493666"
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -198,6 +198,14 @@ images:
    registry: "registry-1.docker.io"
    repository: "bitnami/memcached"
    tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
+  migrations:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
+    tag: "1.0.2@sha256:fbe21b4e2a276d2c5d052c1bb52158debfcc146188e654661001d4ff45b1b453"
  milter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -221,7 +229,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.21@sha256:ec63d564eb11d7ed213a5ef8719f2b3380e552f1ffb1251470b84c0c8937b7b8"
+    tag: "1.1.22@sha256:8bfa92fcfdcb2fee1b3560a623ffb319fcfcc7e5fbcc20d631df747427e88f84"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -237,7 +245,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.3.12@sha256:54bb5a90ebe49b33b053e8a7df2fa8d8cb992b17f68a04d08357961c3aded0b0"
+    tag: "1.4.2@sha256:a4c12a624c76b44c8305a768ced33e2b9af9497ff9cfa639045df846d89fbda4"
  nextcloudPHP:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -245,7 +253,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.8.11@sha256:85b3bbf027c9e6a2ccf411b8e2b3752f6a58a3a14f00fb92ecefd9e7ca0c6954"
+    tag: "1.10.1@sha256:8eb5ac95eaea69e0928e48aa5a121cbf10f359be4679040da8464810e9d799ff"
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -253,7 +261,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.0.5@sha256:76ccd9a74ae2c2dabb6beaa0192c15b9c06763abbd632cd0f8db68e5d8d5883c"
+    tag: "1.2.0@sha256:3b364c60bedb9ae001c39cbf84e4b4b326b9559078f21bfc993cf0e601196e6f"
  openproject:
    # providerCategory: "Supplier"
    # providerResponsible: "OpenProject"
@@ -788,5 +796,5 @@ images:
    # upstreamMirrorStartFrom: ["0", "12"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.17-mariadb-jetty-alpine@sha256:9eb67520774c3022aa4485ce348be477f358263b716e647cacd057da3aca9739"
+    tag: "0.19-mariadb-jetty-alpine@sha256:8590ee815bceb7764df681b9239b4606adc5b3750e4eff2d928b62dcd046a623"
 ...
--- a/helmfile/environments/default/monitoring.yaml
+++ b/helmfile/environments/default/monitoring.yaml
@@ -1,25 +1,25 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-prometheus:
-  serviceMonitors:
-    enabled: false
-    labels:
-      release: "kube-prometheus-stack"
-  podMonitors:
-    enabled: false
-    labels:
-      release: "kube-prometheus-stack"
-  prometheusRules:
-    enabled: false
-    labels:
-      release: "kube-prometheus-stack"
+monitoring:
+  prometheus:
+    serviceMonitors:
+      enabled: false
+      labels:
+        release: "kube-prometheus-stack"
+    podMonitors:
+      enabled: false
+      labels:
+        release: "kube-prometheus-stack"
+    prometheusRules:
+      enabled: false
+      labels:
+        release: "kube-prometheus-stack"

-
-grafana:
-  dashboards:
-    enabled: false
-    labels:
-      grafana_dashboard: "1"
-    annotations:
+  grafana:
+    dashboards:
+      enabled: false
+      labels:
+        grafana_dashboard: "1"
+      annotations:
 ...
--- a/helmfile/environments/default/objectstore.gotmpl
+++ b/helmfile/environments/default/objectstore.gotmpl
@@ -1,9 +1,18 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 objectstores:
+  migrations:
+    bucket: "migrations"
+    endpoint: ""
+    region: "eu-west-1"
+    secretKey: ""
+    username: "migration_user"
+    storageClass: "STANDARD"
+    useSSL: true
+    pathStyle: true
+    port: 443
  nextcloud:
    bucket: "nextcloud"
    endpoint: ""
--- a/helmfile/environments/default/opendesk_main.gotmpl
+++ b/helmfile/environments/default/opendesk_main.gotmpl
@@ -0,0 +1,76 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+#
+# Note: Currently only single namespace deployments are supported.
+---
+certificates:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+clamavDistributed:
+  enabled: false
+  namespace: {{ env "NAMESPACE" | quote }}
+clamavSimple:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+collabora:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+cryptpad:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+dovecot:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+element:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+home:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+intercom:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+jitsi:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+mariadb:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+memcached:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+migrations:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+minio:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+nextcloud:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+openproject:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+oxAppsuite:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+oxConnector:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+postfix:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+postgresql:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+redis:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+univentionManagementStack:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+xwiki:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -69,10 +69,11 @@ resources:
    requests:
      cpu: 0.1
      memory: "384Mi"
+  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jicofo:
    limits:
      cpu: 99
-      memory: "512Mi"
+      memory: "3584Mi"
    requests:
      cpu: 0.1
      memory: "256Mi"
@@ -90,10 +91,11 @@ resources:
    requests:
      cpu: "10m"
      memory: "48Mi"
+  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jvb:
    limits:
      cpu: 99
-      memory: "768Mi"
+      memory: "3584Mi"
    requests:
      cpu: 0.1
      memory: "384Mi"
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -68,10 +68,10 @@ secrets:
    nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
  minio:
    rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
-    openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
-    openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openxchange_user" | sha1sum | quote) }}
-    umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
+    migrationsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "migrations_user" | sha1sum | quote) }}
    nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
+    openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
+    umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
  keycloak:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
    clientSecret:
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -30,6 +30,7 @@ seLinuxOptions:
  matrixNeoDateFixWidget: ~
  matrixUserVerificationService: ~
  memcached: ~
+  migrations: ~
  milter: ~
  minio: ~
  nextcloudApache2: ~
--- a/helmfile/environments/default/smtp.gotmpl
+++ b/helmfile/environments/default/smtp.gotmpl
@@ -8,6 +8,5 @@ smtp:
  port: 587
  username: ""
  password: {{ env "SMTP_PASSWORD" | quote }}
-
-localpartNoReply: "no-reply"
+  localpartNoReply: "no-reply"
 ...
--- a/helmfile/environments/default/workplace.yaml
+++ b/helmfile/environments/default/workplace.yaml
@@ -1,49 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-certificates:
-  enabled: true
-clamavDistributed:
-  enabled: false
-clamavSimple:
-  enabled: true
-collabora:
-  enabled: true
-cryptpad:
-  enabled: true
-dovecot:
-  enabled: true
-element:
-  enabled: true
-home:
-  enabled: true
-intercom:
-  enabled: true
-jitsi:
-  enabled: true
-mariadb:
-  enabled: true
-memcached:
-  enabled: true
-minio:
-  enabled: true
-nextcloud:
-  enabled: true
-openproject:
-  enabled: true
-oxAppsuite:
-  enabled: true
-oxConnector:
-  enabled: true
-postfix:
-  enabled: true
-postgresql:
-  enabled: true
-redis:
-  enabled: true
-univentionManagementStack:
-  enabled: true
-xwiki:
-  enabled: true
-...
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -0,0 +1,59 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
+
+migrations:
+  runId: 1
+  currentOdRelease: {{ .Values.global.systemInformation.releaseVersion | quote }}
+  namespace: {{ .Values.migrations.namespace | quote }}
+  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  failOnUnexpectedState: true
+  credentials:
+    keycloakAdminUsername: "kcadmin"
+    keycloakAdminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+  urls:
+    keycloakBase: "http://ums-keycloak.{{ .Values.univentionManagementStack.namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.migrations | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.migrations.registry | quote }}
+  repository: {{ .Values.images.migrations.repository | quote }}
+  tag: {{ .Values.images.migrations.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
+
+job:
+  enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
+
+...
--- a/helmfile_generic.yaml
+++ b/helmfile_generic.yaml
@@ -6,11 +6,13 @@
 #
 helmfiles:
  # Path to the helmfile state file being processed BEFORE releases in this state file
-  - path: "helmfile/apps/services/helmfile-child.yaml"
+  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml"
    values: &values
      - "helmfile/environments/default/*.yaml"
      - "helmfile/environments/default/*.gotmpl"
      - {{ toYaml .Values | nindent 8 }}
+  - path: "helmfile/apps/services/helmfile-child.yaml"
+    values: *values
  - path: "helmfile/apps/univention-management-stack/helmfile-child.yaml"
    values: *values
  - path: "helmfile/apps/intercom-service/helmfile-child.yaml"
@@ -35,5 +37,7 @@ helmfiles:
    values: *values
  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml"
    values: *values
+  - path: "helmfile/apps/migrations-post/helmfile-child.yaml"
+    values: *values
 missingFileHandler: "Error"
 ...
Author	SHA1	Message	Date
Sven Andersen	6afcf9aba5	feat(element): Featuretoggle for presence propagation	2024-07-31 08:24:43 +02:00
Sven Andersen	bd0b08b4cf	feat(element): Reduced presence values to one for all presence features	2024-07-30 16:09:29 +02:00
Sven Andersen	879014e068	feat(element): Default for Element status disabled	2024-07-30 15:00:25 +02:00
Sven Andersen	e734ec2e1b	feat(element): Functional test for toggle element presence	2024-07-30 13:26:02 +02:00
Sven Andersen	5976684a9a	feat(element): Implement toggle for userpresence within element-synapse and removed it from client	2024-07-30 12:20:57 +02:00
Sven Andersen	c3679341b0	feat(element): Use_presence into values-element	2024-07-30 11:30:48 +02:00
Sven Andersen	be5c55583c	feat(element): Implement toggle for presence Status for older Element Versions	2024-07-30 09:45:27 +02:00
Sven Andersen	5b5e53ab4b	fix(element): Removed latest Tag	2024-07-29 10:22:55 +02:00
Sven Andersen	1c26600ac2	fix(element): Bump element chart	2024-07-29 10:19:17 +02:00
Sven Andersen	0e99cbb834	feat(element): Changed element chart to test presence	2024-07-29 08:34:00 +02:00
Sven Andersen	2a59b836f1	fix(element): Insert presence into homeserver config	2024-07-26 15:04:12 +02:00
Sven Andersen	2fa55ec38a	feat(element): Typo in Template	2024-07-26 14:27:42 +02:00
Sven Andersen	cdf01cfde9	feat(element): Disable presence with approach from Thorsten	2024-07-26 14:03:49 +02:00
Sven Andersen	30fd4229c5	feat(element): Reverted change presence	2024-07-26 10:55:57 +02:00
Sven Andersen	82c40d47b0	feat(element): Homeserver presence false	2024-07-26 09:44:23 +02:00
Sven Andersen	e7f14149a3	feat(element): Presence enabled false	2024-07-25 11:23:33 +02:00
openDesk Bot	74d444e2d6	fix(collabora): Update to 24.04.5.1.2.	2024-07-18 07:53:49 +02:00
openDesk Bot	8a2d951c3b	fix(collabora): Update to 24.04.5.1.1.	2024-07-17 10:39:37 +02:00
Thorsten Roßner	46412d1a9e	fix(keycloak): Support for custom OIDC Clients and ClientScopes.	2024-07-17 10:39:37 +02:00
Thorsten Roßner	26a7641a5a	fix(helmfile): Streamline prefixes for customizable defaults. UPGRADES: See `./docs/migrations.md` for more details.	2024-07-17 10:39:16 +02:00
Thorsten Roßner	671f57a809	fix(nextcloud): Update to 28.0.7 including latest apps for 28.	2024-07-16 08:25:55 +00:00
Thorsten Roßner	fe923bb9cd	fix(jitsi): Raise memory limit for jicofo and jvb as required by upstream product.	2024-07-16 04:35:43 +00:00
Thorsten Roßner	b4570a9a87	feat(authentication): Avoid that users can open a app they do not have the appropriate LDAP group set for. Implementation is based on role based client scopes. Introducing also an openDesk migration approach with a pre and post deployment stage.	2024-07-15 17:50:35 +02:00
Thorsten Roßner	1067e725b3	fix(xwiki): Add email address mapping to LDAP sync; Fix hostname `null` value in notification links.	2024-07-10 16:31:04 +00:00
Thorsten Roßner	dfaf4be640	fix(openproject): Support for adding token to enable OpenProject Premium.	2024-07-10 06:27:27 +02:00
openDesk Bot	e54aaab072	fix(xwiki): Update to 16.4.1.	2024-07-08 08:27:13 +02:00
Thorsten Roßner	b806d51311	fix(xwiki): Remove .rtf and .odt export options as they are currently non functional.	2024-07-05 15:18:42 +02:00
openDesk Bot	db7f5d60bd	fix(xwiki): Update to 16.4.	2024-07-05 09:21:16 +02:00
Thorsten Roßner	972020f946	fix(helmfile): Add S3 bucket for migrations.	2024-07-04 09:17:56 +02:00
Thorsten Roßner	23ef1d557b	fix(nextcloud): Support templating of default quota and `*_retention_obligation` settings (#93 ).	2024-07-03 14:48:05 +02:00
Thorsten Roßner	382af1dfb9	fix(docu): Update documentation on integration uses cases (#95 ).	2024-07-03 09:54:43 +02:00