docs(persistance): Update comment on nubusProvisioningNats

docs(README.md): Update to Nubus v1.15.1
fix(nubus): Use Keycloak v26.3.5 image from Nubus v1.14.1
2025-12-06 07:21:36 +01:00 · 2025-11-19 08:00:11 +01:00 · 2025-11-17 12:09:04 +01:00 · 2025-11-17 12:07:24 +01:00 · 2025-11-17 12:07:17 +01:00 · 2025-11-17 12:02:17 +01:00
7 changed files with 100 additions and 101 deletions
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ openDesk currently features the following functional main components:
 | File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.7](https://nextcloud.com/de/changelog/#31-0-7)                                          | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
 | Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/)                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/)                | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.15.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.15.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.6.0](https://www.openproject.org/docs/release-notes/16-6-0/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431)       | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.6](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -14,6 +14,9 @@ SPDX-License-Identifier: Apache-2.0
    * [Pre-upgrade to versions ≥ v1.9.0](#pre-upgrade-to-versions--v190)
      * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases)
      * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients)
+  * [Versions ≥ v1.10.0](#versions--v1100)
+    * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
+      * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed)
  * [Versions ≥ v1.8.0](#versions--v180)
    * [Pre-upgrade to versions ≥ v1.8.0](#pre-upgrade-to-versions--v180)
      * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users)
@@ -143,19 +146,20 @@ matching that constraint, though our links always point to the newest patch rele
 > 1. Upgrade to v1.7.1 → post steps for v1.6.0 to v1.7.1

 <!-- IMPORTANT: Make sure to mark mandatory releases if an automatic migration requires a previous update to be installed -->
-| Version                                                                                 | Mandatory | Pre-Upgrade                                                                                                                 | Post-Upgrade                            | Minimum Required Previous Version            |
-|-----------------------------------------------------------------------------------------|-----------|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|----------------------------------------------|
-| [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | --        | [Pre](#pre-upgrade-to-versions--v190)                                                                                       | --                                      | ⬇ Install &GreaterEqual; v1.5.0 first                                           |
-| [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0) | --        | [Pre](#pre-upgrade-to-versions--v180)                                                                                       | --                                      | ⬇ Install &GreaterEqual; v1.5.0 first                                           |
-| [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1) | --        | [Pre](#pre-upgrade-to-versions--v170)                                                                                       | [Post](#post-upgrade-to-versions--v170) | ⬇ Install &GreaterEqual; v1.5.0 first                                           |
-| [v1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.6.0) | --        | [Pre](#pre-upgrade-to-versions--v160)                                                                                       | [Post](#post-upgrade-to-versions--v160) | [⚠ Install v1.5.0 first](#versions--v160-automated) |
-| [v1.5.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.5.0) | **yes**   | --                                                                                                                          | --                                      | ⬇ Install &GreaterEqual; v1.1.x first                                           |
-| [v1.4.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.4.1) | --        | [Pre](#pre-upgrade-to-versions--v140)                                                                                       | --                                      | ⬇ Install &GreaterEqual; v1.1.x first                                           |
-| [v1.3.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.3.2) | --        | [Pre](#pre-upgrade-to-versions--v130)                                                                                       | --                                      | ⬇ Install &GreaterEqual; v1.1.x first                                           |
-| [v1.2.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.2.1) | --        | [Pre](#pre-upgrade-to-versions--v120)                                                                                       | --                                      | [⚠ Install v1.1.x first](#versions--v120-automated) |
-| [v1.1.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.1.2) | **yes**   | [Pre .0](#pre-upgrade-to-versions--v110) → [Pre .1](#pre-upgrade-to-versions--v111) → [Pre .2](#pre-upgrade-to-versions--v112) | [Post](#post-upgrade-to-versions--v110) | [⚠ Install v1.0.0 first](#versions--v110-automated) |
-| [v1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.0.0) | **yes**   | [Pre](#pre-upgrade-to-versions--v100)                                                                                       | [Post](#post-upgrade-to-versions--v100) | [⚠ Install v0.9.0 first](#versions--v100-automated) |
-| [v0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v0.9.0) | **yes**   | --                                                                                                                          | --                                      | --                                           |
+| Version                                                                                  | Mandatory | Pre-Upgrade                                                                                                                    | Post-Upgrade                            | Minimum Required Previous Version                    |
+| ---------------------------------------------------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------- | ---------------------------------------------------- |
+| [v1.10.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | --        | [Pre](#pre-upgrade-to-versions--v1100)                                                                                         | --                                      | ⬇ Install &GreaterEqual; v1.5.0 first               |
+| [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0)  | --        | [Pre](#pre-upgrade-to-versions--v190)                                                                                          | --                                      | ⬇ Install &GreaterEqual; v1.5.0 first               |
+| [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0)  | --        | [Pre](#pre-upgrade-to-versions--v180)                                                                                          | --                                      | ⬇ Install &GreaterEqual; v1.5.0 first               |
+| [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1)  | --        | [Pre](#pre-upgrade-to-versions--v170)                                                                                          | [Post](#post-upgrade-to-versions--v170) | ⬇ Install &GreaterEqual; v1.5.0 first               |
+| [v1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.6.0)  | --        | [Pre](#pre-upgrade-to-versions--v160)                                                                                          | [Post](#post-upgrade-to-versions--v160) | [⚠ Install v1.5.0 first](#versions--v160-automated) |
+| [v1.5.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.5.0)  | **yes**   | --                                                                                                                             | --                                      | ⬇ Install &GreaterEqual; v1.1.x first               |
+| [v1.4.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.4.1)  | --        | [Pre](#pre-upgrade-to-versions--v140)                                                                                          | --                                      | ⬇ Install &GreaterEqual; v1.1.x first               |
+| [v1.3.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.3.2)  | --        | [Pre](#pre-upgrade-to-versions--v130)                                                                                          | --                                      | ⬇ Install &GreaterEqual; v1.1.x first               |
+| [v1.2.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.2.1)  | --        | [Pre](#pre-upgrade-to-versions--v120)                                                                                          | --                                      | [⚠ Install v1.1.x first](#versions--v120-automated) |
+| [v1.1.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.1.2)  | **yes**   | [Pre .0](#pre-upgrade-to-versions--v110) → [Pre .1](#pre-upgrade-to-versions--v111) → [Pre .2](#pre-upgrade-to-versions--v112) | [Post](#post-upgrade-to-versions--v110) | [⚠ Install v1.0.0 first](#versions--v110-automated) |
+| [v1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.0.0)  | **yes**   | [Pre](#pre-upgrade-to-versions--v100)                                                                                          | [Post](#post-upgrade-to-versions--v100) | [⚠ Install v0.9.0 first](#versions--v100-automated) |
+| [v0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v0.9.0)  | **yes**   | --                                                                                                                             | --                                      | --                                                   |

 > [!warning]
 > Be sure to check out the table in the release version you are going to install, and not the currently installed version.
@@ -211,6 +215,25 @@ Additionally, it is now possible to explicitly define the hostnames shown in the

 If these values are not explicitly set, openDesk will use `.Values.global.domain` as in previous releases.

+## Versions &GreaterEqual; v1.10.0
+
+### Pre-upgrade to versions &GreaterEqual; v1.10.0
+
+#### New Helmfile default: Nubus provisioning debug container no longer deployed
+
+**Target group:** All deployments that make use of the debugging container for Nubus' provisioning stack called "nats-box",
+
+The [nats-box](https://github.com/nats-io/nats-box) is a handy tool for debugging the Nubus provisioning stack is no longer enabled by default.
+
+To re-enable the nats-box for your deployment you have to set:
+```
+technical.nubus.provisioning.nats.natsBox.enabled: true
+```
+
+> [!note]
+> The nats-box also gets enabled when setting `debug.enabled: true`, but that should only be used in non-production scenarios and enabled debug
+> accross the whole deployment.
+
 ## Versions &GreaterEqual; v1.8.0

 ### Pre-upgrade to versions &GreaterEqual; v1.8.0
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -183,20 +183,12 @@ keycloak:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
    repository: {{ .Values.images.nubusKeycloak.repository }}
    tag: {{ .Values.images.nubusKeycloak.tag }}
-    # NOTE: The subchart "keycloak" does not yet support
-    # "global.imagePullPolicy". The local configuration can be removed once it
-    # does have this feature.
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  ingress:
    enabled: false
  keycloak:
    auth:
      username: "kcadmin"
-      # TODO: Pending secrets refactoring to be able to provide the value directly
-      existingSecret:
-        name: "ums-opendesk-keycloak-credentials"
-        keyMapping:
-          adminPassword: "admin_password"
+      password: {{ .Values.secrets.keycloak.adminPassword | quote }}
    login:
      messages:
        de:
@@ -448,12 +440,6 @@ nubusKeycloakExtensions:
  keycloak:
    auth:
      username: "kcadmin"
-      # TODO: Pending secrets refactoring in component chart. This will refer to
-      # the secret generated by the keycloak subchart.
-      existingSecret:
-        name: "ums-opendesk-keycloak-credentials"
-        keyMapping:
-          adminPassword: "admin_password"
  proxy:
    additionalAnnotations:
      {{ .Values.annotations.nubusKeycloakExtensions.proxyAdditional | toYaml | nindent 6 }}
@@ -461,13 +447,6 @@ nubusKeycloakExtensions:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
      repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
      tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
-      # NOTE: The subchart "keycloak-extensions" does not yet support
-      # "global.imagePullPolicy".
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    # NOTE: Remove once the keycloak-extensions subchart respects
-    # "global.imagePullSecrets".
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    ingress:
      annotations:
        nginx.org/proxy-buffer-size: "8k"
@@ -563,13 +542,6 @@ nubusKeycloakExtensions:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
      repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
      tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
-      # NOTE: The subchart "keycloak-extensions" does not yet support
-      # "global.imagePullPolicy".
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    # NOTE: Remove once the keycloak-extensions subchart respects
-    # "global.imagePullSecrets".
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
      {{- with .Values.annotations.nubusKeycloakExtensions.handlerPod }}
@@ -622,7 +594,7 @@ nubusPortalConsumer:
  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
  resources:
    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
-  resourcesWaitForDependency:
+  initResources:
    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
  containerSecurityContext:
    seccompProfile:
@@ -1021,11 +993,13 @@ nubusProvisioning:
      {{- with .Values.annotations.nubusProvisioning.natsAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
-    auth:
-      adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote }}
    config:
      cluster:
        replicas: {{ .Values.replicas.umsProvisioningNats }}
+      createUsers:
+        adminUser:
+          auth:
+            password: {{ .Values.secrets.nats.natsAdminPassword | quote }}
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
@@ -1045,19 +1019,12 @@ nubusProvisioning:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
        repository: {{ .Values.images.nubusNats.repository }}
        tag: {{ .Values.images.nubusNats.tag }}
-        # NOTE: The subchart does not yet fully support
-        # "global.imagePullPolicy". This can be removed once the subchart has
-        # been adjusted.
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    natsBox:
+      enabled: {{ or .Values.technical.nubus.provisioning.nats.natsBox.enabled .Values.debug.enabled }}
      image:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
        repository: {{ .Values.images.nubusNatsBox.repository }}
        tag: {{ .Values.images.nubusNatsBox.tag }}
-        # NOTE: The subchart does not yet fully support
-        # "global.imagePullPolicy". This can be removed once the subchart has
-        # been adjusted.
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    persistence:
      size: {{ .Values.persistence.storages.nubusProvisioningNats.size }}
 #      storageClassName: -- coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote --
@@ -1219,6 +1186,8 @@ nubusSelfServiceConsumer:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
    repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
    tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
+  initResources:
+    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-selfservice-listener"
    {{- with .Values.annotations.nubusSelfserviceConsumer.pod }}
@@ -1229,8 +1198,6 @@ nubusSelfServiceConsumer:
      password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
  resources:
    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
-  resourcesWaitForDependency:
-    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
  serviceAccount:
    annotations:
@@ -1285,8 +1252,6 @@ nubusStackDataUms:
  # the default username of `selfservice` is part of the customizing:
  nubusUmcServer:
    memcached:
-      auth:
-        username: ""
      connection:
        host: {{ .Values.cache.umsSelfservice.host | quote }}
    postgresql:
@@ -1485,7 +1450,9 @@ nubusUmcServer:
    bundled: false
    server: {{ .Values.cache.umsSelfservice.host | quote }}
    auth:
-      password: ""
+      # The memcached connection is not authenticated in openDesk but the umc-server pod needs a secret it can mount.
+      password: "stub-value"
+      existingSecret: null
  podAnnotations:
    intents.otterize.com/service-name: "ums-umc-server"
    {{- with .Values.annotations.nubusUmcServer.pod }}
@@ -1631,15 +1598,9 @@ nubusKeycloakBootstrap:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
-    # NOTE: The subchart does not yet fully support
-    # "global.imagePullPolicy". This can be removed once the subchart has
-    # been adjusted.
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  keycloak:
    auth:
      username: "kcadmin"
-      existingSecret:
-        name: "ums-opendesk-keycloak-credentials"
  ldap:
    auth:
      bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
@@ -1674,9 +1635,6 @@ extraSecrets:
  - name: "ums-opendesk-guardian-client-secret"
    stringData:
      managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-  - name: "ums-opendesk-keycloak-credentials"
-    stringData:
-      admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }}
  - name: "ums-keycloak-postgresql-opendesk-credentials"
    stringData:
      keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -321,7 +321,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "nubus"
-    version: "1.14.0"
+    version: "1.15.1"
    verify: true
  opendeskAlerts:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -380,7 +380,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/blocklist-cleanup"
-    tag: "0.40.0@sha256:1b4d388196b144327bc55376225675b1df8d23fdaffc85bb9e350c3c94fa0eb5"
+    tag: "0.41.4@sha256:6313e41aaebb6904ca461896ac9633eb05b33bf30b87d83d81852935e8cf0302"
  nubusDataLoader:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -390,7 +390,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "41", "5"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.99.0@sha256:52ef05c1e682e6c706f70632206be1b427a1a346a32ae3bff1566386f75e68af"
+    tag: "0.99.20@sha256:37af6f2a8ed7b5156e01f126c83797c70485353673d92b60d904af97bd309b0c"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -400,7 +400,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-authorization-api"
-    tag: "2.0.0@sha256:5f194f9385aea5a279e25a57352f7b88a6cc4fa90b3bf04c2c97b9ff2bad70a5"
+    tag: "3.0.0@sha256:d2849b25ddd0322e1bef6c1e7b16f59fb63f35b0924f99f200bc22de834d9a2d"
  nubusGuardianManagementApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -410,7 +410,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-api-management-api"
-    tag: "2.0.0@sha256:61a1ab84efebe2a87d358e8624f8b39073a6071683e7cd77b740a97d464753a2"
+    tag: "3.0.0@sha256:f3c9af13d50632a7e2232f675408b5559fb9ca314b7babf367cf4db80b62ebea"
  nubusGuardianManagementUi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -420,7 +420,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-ui-management-ui"
-    tag: "2.0.0@sha256:57e2503a4772f0ff656e792a98fadef4d41c248218e6c368f76ce82a892478cf"
+    tag: "3.0.0@sha256:b90d496a323353c71e29938a6b1980655fb3aefe53bab455da865e3202b7f0f8"
  nubusGuardianProvisioning:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -440,7 +440,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak"
-    tag: "0.2.5@sha256:499006904d262bdd334b54583c359c7e34b521697d5fda32ea977d856bfa93d2"
+    tag: "0.3.0@sha256:5a24f4b57f3ce12b7343306b0d2045cf6501627eb0d34cb2be3f4994e52d62f9"
  nubusKeycloakBootstrap:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -450,7 +450,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.17.5@sha256:08e2aa0bc0eb7b4bb80498e71ae21ee3de74eb985b46e7c3dd1502e96312d080"
+    tag: "0.19.10@sha256:29dbac967a71c11f2f2920a1a4c109b473fe5edf542a2f5b9dc843a4c0c29fe6"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -460,7 +460,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.20.0@sha256:227c7cba4eee15c626abbc77ca06b8b61a9dece04c986a9fa2e97b13d0458fe0"
+    tag: "0.23.2@sha256:2a67c9ace51a610397776c17f3542231c9fbce411cfa56d9346b47f66478e416"
  nubusKeycloakExtensionProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -470,7 +470,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.20.0@sha256:bd075d33c16926ab4c123ac3a8673209664647f35324dfdebd95c6662ee05b2c"
+    tag: "0.23.2@sha256:03a05abd9b759ddf2fa537d61e09a54f1a772121f391e136000eeed44a254189"
  nubusLdapNotifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -480,7 +480,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.47.0@sha256:1d00e0bb1575defce42c84eb5139b5b4f7d0942111b339044c2bdf58ed0b025e"
+    tag: "0.47.5@sha256:cc8edd9dfa3cf552396bc1ada9a8a18e2db33b53ab1705bfc392c4a423cfeb96"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -490,7 +490,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.47.0@sha256:3be012680b2da2db4ac468ae948d8514622a245b4e3e00385bbf778e836720b1"
+    tag: "0.47.5@sha256:1a81ef8431aa6a7b021032ce57e5907e27c69dc6603b455793911a7d581889e8"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -498,7 +498,7 @@ images:
    # upstreamRepository: 'natsio/nats-box'
    registry: "registry-1.docker.io"
    repository: "natsio/nats-box"
-    tag: "0.16.0-nonroot@sha256:f486ca86dfc9b72a2310ea720994a94ce55e447ad01daccd2fb33d61f322dc51"
+    tag: "0.18.1-nonroot@sha256:ec2f58b953916b4804d6636bf6a625bab7894d1b71319bc7865b3e70ab5e3f6f"
  nubusLdapServerLeaderElector:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -508,7 +508,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "29", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.47.0@sha256:9b6754e7213f1fa13a12cb593bfe718643f6945ad111bbe1d5f71d7ce5729225"
+    tag: "0.47.5@sha256:abf2e9af9c8d22dde23144cb6344b5e9b0e39d778d28e70d97b0f1b82dd28a5d"
  nubusLdapUpdateUniventionObjectIdentifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -518,7 +518,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-update-univention-object-identifier"
-    tag: "0.40.0@sha256:1ad952c039140ef1985712201f7bae7cbe9eba66086e0d3f475759e1c181b843"
+    tag: "0.41.4@sha256:c27e4d4cf5a15607c249c8d917e57f698d4d5388967c1ff6151185957eacb779"
  nubusNats:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -526,7 +526,7 @@ images:
    # upstreamRepository: 'library/nats'
    registry: "registry-1.docker.io"
    repository: "library/nats"
-    tag: "2.10.26@sha256:736d575e60135ce1d50fc206675d48d0e57dcaa0704f696f0cb4b5f6dadd49d7"
+    tag: "2.11.9@sha256:4e97bea2e69ffe4449cdc9b4c7fa707984aa9a4c090bf2faf5441cb6c97c99a4"
  nubusNatsBox:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -534,7 +534,7 @@ images:
    # upstreamRepository: 'natsio/nats-box'
    registry: "registry-1.docker.io"
    repository: "natsio/nats-box"
-    tag: "0.16.0-nonroot@sha256:f486ca86dfc9b72a2310ea720994a94ce55e447ad01daccd2fb33d61f322dc51"
+    tag: "0.18.1-nonroot@sha256:ec2f58b953916b4804d6636bf6a625bab7894d1b71319bc7865b3e70ab5e3f6f"
  nubusNatsReloader:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -542,7 +542,7 @@ images:
    # upstreamRepository: 'natsio/nats-server-config-reloader'
    registry: "registry-1.docker.io"
    repository: "natsio/nats-server-config-reloader"
-    tag: "0.17.1@sha256:f364bb8330d3430666ca09f17c6a43bfaefde32f0f3e79d4a41c588c29936e99"
+    tag: "0.18.3@sha256:41271dc1b9e1027867ee0e63aa2866c89ca8272a4f88991f6ebec34eb12dee3b"
  nubusNotificationsApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -552,7 +552,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.80.2@sha256:94b18841018cb7353a95a9c4ef2d5460f82a9ceb0bba97275b8064806e3e8a1c"
+    tag: "0.86.0@sha256:522c4d0a42d2c0b37219f5af4fba7fceb60d070719970ef2754a00ca916f67be"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -578,7 +578,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-opa"
-    tag: "2.0.0@sha256:56a92a08da5addb951a2b2df09974889295ddde8526e93ad40dd973de1052ad4"
+    tag: "3.0.0@sha256:85539fb7854fac6ba1b874d639188ee0a33743dc16dad0113c54763f2984fc9d"
  nubusOxExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -598,7 +598,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.80.2@sha256:c719ada025e0ad629516017ed26803c15cee50572f45896b41a6b066b1fe593e"
+    tag: "0.86.0@sha256:80ed7c8300365a3dc4c504d4f0f4f8f1c3f9cfc883508a8ea794d63629a9b086"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -608,7 +608,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "28", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.80.2@sha256:cde5547ef1c2d5da55fb41bdae7248ba8514ab4f200822709ca9a99f483a1cc8"
+    tag: "0.86.0@sha256:1799413fe8cbc6d9cb97656be95a99786a382a3558a7720b7fe62a38c84bdd22"
  nubusPortalFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -618,7 +618,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "67", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.80.2@sha256:8b40acc66459058dc0cade33793aba2737cdc20ef75968ca2b21d9aa569c9ecc"
+    tag: "0.86.0@sha256:d4e34b42662dbd433dd5d647c6fcfa8f2a0d71fe65c0c6efeebe80d4f13b226d"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -628,7 +628,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.80.2@sha256:9a8f6950e7bf1086075d1c36ea0ad914a61e1198883e8d4926d688c88b8e67cc"
+    tag: "0.86.0@sha256:33a3a7d44fa084d74449dc8f7d5f5d2551b02abee16fe4ec6d4972e134c56906"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -638,7 +638,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.60.10@sha256:6307e9e1ddad0e6f3285ca11b758902f8c377a5d3de6a59b3437accb8475848f"
+    tag: "0.63.0@sha256:3773333a12b786db6cea5fc0ecd5e74ba3f276ca084cd1ae8b6665bda86b72c1"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -648,7 +648,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.60.10@sha256:9d5f4e4a2668605349fa6cd6973c7a6acbc2ef95a37e72834c6525ac9e464740"
+    tag: "0.63.0@sha256:c1687ff385d5bd30e0590472f02de85a3f182b75dc4edd5cf9d063e1db488b4d"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -658,7 +658,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.60.10@sha256:8ea46658e66fb5be81968dcf00397b741f61d4fd84c8210b9761412e67109cd0"
+    tag: "0.63.0@sha256:b93400fecc19bba79ae0f0498b07d18bf9ffb0fc03b9ed25a18f3b6d3be9cc9d"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -668,7 +668,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.60.10@sha256:fb0d96fa7b382b7d8eec9e262711e1291a0991ade185b39ee604400d4bd5fa9b"
+    tag: "0.63.0@sha256:6dcb696920137973b24f90bb8f6045c2dffd8bc201b0cc62aed43e1a01e5aa0e"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -678,7 +678,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.60.10@sha256:62b98f3e2c19de298878f5679577bfcbddacec742015d6f20b998a549318e810"
+    tag: "0.63.0@sha256:da5486cf5d6a30e7d95270db8a6735c82813805e7bce882ff51a2f47faad086f"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -688,7 +688,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.19.4@sha256:ca9865114fd35fcc1dbe1a5660a3b69d04a8f568cf15286069342e45f0c7ea91"
+    tag: "0.19.31@sha256:b6d1a145e8a3f43b54be1d7d737da1527347e93c9894943c17469cd153f77ccf"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -698,7 +698,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.40.0@sha256:7d39c0defda20fc58da19389216d9a80f479a731dca682d834dd8bd00b80e20f"
+    tag: "0.41.4@sha256:d3476100f4174d991faa43ce20630175a1fc33011258887dd52bafad1e779189"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -708,7 +708,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.51.2@sha256:c76860852133b9bbc91eb6d81a6592a5f451be9234376933ddb4d827e0f08515"
+    tag: "0.53.5@sha256:7044228155c8fcb939684855d5b405dd1b066d91c8a5df75676518d88e140ab3"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -718,7 +718,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.51.3@sha256:00f8cc2e7ee98d3988b1db924ca67783e9a645204ae2c388c7afadc50f22bb12"
+    tag: "0.53.5@sha256:1ec839c07492b2f1d6897643b71c284aa2d507cd05f1a0f1696dfdff1885eb20"
  nubusUmcServerProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
--- a/helmfile/environments/default/persistence.yaml.gotmpl
+++ b/helmfile/environments/default/persistence.yaml.gotmpl
@@ -33,6 +33,7 @@ persistence:
    nubusPortalConsumer:
      size: "1Gi"
      storageClassName: ~
+    # For production or load test environments 10Gi is recommended.
    nubusProvisioningNats:
      size: "1Gi"
      storageClassName: ~
--- a/helmfile/environments/default/technical.yaml.gotmpl
+++ b/helmfile/environments/default/technical.yaml.gotmpl
@@ -2,10 +2,27 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 technical:
+
  # Collabora related technical settings
  collabora:
    # Defines the value for the start parameter `-o:num_prespawn_children`
    numPrespawnChildren: 4
+
+  # Nubus related settings
+  nubus:
+    # Nubus provisioning framework that is being used to actively provision data internally within
+    # Nubus e.g. for the portal or self service as well as externally, e.g. to OX App Suite.
+    provisioning:
+      # NATS including NATS JetStream is the queueing used by Nubus' provisioning.
+      # Ref.: https://nats.io/about/
+      nats:
+        # The NATS Box is a container for debugging NATS messages using a CLI tool.
+        # Ref.: https://github.com/nats-io/nats-box
+        natsBox:
+          # Enable the NATS Box container for the deployment. Will also be enabled in case of
+          # `.Values.debug.enabled: true`
+          enabled: false
+
  # Groupware related technical settings
  oxAppSuite:
    provisioning:
Author	SHA1	Message	Date
Thorsten Roßner	788606441e	docs(persistance): Update comment on `nubusProvisioningNats`	2025-11-19 08:00:11 +01:00
Norbert Tretkowski	da4c2e7a86	docs(README.md): Update to Nubus v1.15.1	2025-11-17 12:09:04 +01:00
Norbert Tretkowski	f427f442c4	fix(nubus): Use Keycloak v26.3.5 image from Nubus v1.14.1	2025-11-17 12:07:24 +01:00
Thorsten Roßner	cdc82166de	fix(nubus): Add `technical.nubus.provisioning.nats.natsBox.enabled` to allow nats-box being toggled separately	2025-11-17 12:07:17 +01:00
Norbert Tretkowski	9a41f717ef	fix(nubus): Add comment regarding the size of the NATS PVC	2025-11-17 12:02:17 +01:00
Norbert Tretkowski	a9eada7635	feat(nubus): Update to v1.15.1	2025-11-17 12:02:16 +01:00