chore(release): 0.7.0 [skip ci]

# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)

### Bug Fixes

* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](3dc648421b))
* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](b9ac5ecf2d))
* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](e9ec2f3a6e))
* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](2ad027082f))
* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](9be3b78761))
* **univention-management-stack:** Objectstore credentials ([d1bd43f](d1bd43fa95))
* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](fefd2f6cae))
* **univention-management-stack:** Use the NATS related image configuration ([cd22570](cd225703eb))

### Features

* **element:** Add support for Matrix federation ([36139b4](36139b42f1))
* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](e6fe2a7c18))
* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](c7e217208c))

.gitignore

@@ -6,5 +6,8 @@
 
 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml.gotmpl
-helmfile/environments/test/values.yaml.gotmpl
 helmfile/environments/prod/values.yaml.gotmpl
+
+# Ignore in CI generated files
+.kyverno/opendesk.yaml
+.kyverno/kyverno-test.yaml

.gitlab-ci.yml

@@ -1,31 +1,42 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
   - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "main"
+    ref: "v2.3.2"
     file:
       - "ci/common/automr.yml"
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"
+  - local: "/.gitlab/generate/generate-docs.yml"
   - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     file: "gitlab/environments.yaml"
+    ref: "main"
+  - local: "/.gitlab/lint/lint-opendesk.yml"
     rules:
-      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
+      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+        when: "never"
+      - when: "always"
+  - local: "/.gitlab/lint/lint-kyverno.yml"
+    rules:
+      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|triggers'"
+        when: "never"
+      - when: "always"
 
 stages:
   - ".pre"
   - "scan"
   - "automr"
-  - "lint"
   - "env-cleanup"
   - "env"
+  - "pre-services-deploy"
   - "basic-services-deploy"
   - "component-deploy-stage-1"
   - "component-deploy-stage-2"
+  - "lint"
   - "tests"
   - "env-stop"
-  - "generate-release-assets"
   - ".post"
 
 variables:
@@ -33,14 +44,23 @@ variables:
     description: "The name of namespaces to deploy to."
     value: ""
   CLUSTER:
-    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
+    description: "Which cluster to use. Cluster must be defined in `gitlab/environments.yaml` of the
-      sovereign-workplace-env included above."
+        repo that is included above using the env var `PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG`:
+        ${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     value: "dev"
   MASTER_PASSWORD_WEB_VAR:
-    description: "Optional: Provide a passphrase to be used for password generation."
+    description: >
+      Optional: Provide a seed to be used for generation of all internal secrets.
+      Same seed will result in same secrets.
     value: ""
   ENV_STOP_BEFORE:
-    description: "Stop environment/delete namespace for the deployment"
+    description: "Stop environment/delete namespace for the deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
+  DEBUG_ENABLED:
+    description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
     value: "no"
     options:
       - "yes"
@@ -132,22 +152,13 @@ variables:
   TESTS_BRANCH:
     description: "Branch of E2E-tests on which the test pipeline is triggered"
     value: "main"
-  RUN_UMS_TESTS:
-    description: "Run E2E test suite of SouvAP Dev team"
-    value: "no"
-    options:
-      - "yes"
-      - "no"
-  UMS_TESTS_BRANCH:
-    description: "Branch of E2E test suite of SouvAP Dev team"
-    value: "main"
 
 .deploy-common:
   cache: {}
   dependencies: []
   extends: ".environments"
-  image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\
-          @sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5"
+          @sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a"
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
     # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -157,7 +168,7 @@ variables:
       fi;
     - >
       echo "Installing ${COMPONENT} into ${NAMESPACE} namespace as ${HELMFILE_ENVIRONMENT} environment on ${CLUSTER}"
-    - "helmfile --namespace ${NAMESPACE} apply --suppress-diff"
+    - "helmfile --namespace ${NAMESPACE} apply --suppress-diff ${ADDITIONAL_ARGS}"
   tags:
     - "docker"
     - "kubernetes"
@@ -195,7 +206,7 @@ env-start:
     name: "${NAMESPACE}"
     on_stop: "env-stop"
   extends: ".deploy-common"
-  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
   rules:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -208,12 +219,25 @@ env-start:
       kubectl create secret
       --namespace "${NAMESPACE}"
       docker-registry external-registry
-      --docker-server "external-registry.souvap-univention.de"
+      --docker-server "${EXTERNAL_REGISTRY}"
-      --docker-username sovereign-workplace
+      --docker-username "${EXTERNAL_REGISTRY_USERNAME}"
       --docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
       --dry-run=client -o yaml | kubectl apply -f -
   stage: "env"
 
+policies-deploy:
+  stage: "pre-services-deploy"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "services"
+    ADDITIONAL_ARGS: "-l name=opendesk-otterize"
+
 services-deploy:
   stage: "basic-services-deploy"
   extends: ".deploy-common"
@@ -376,7 +400,7 @@ env-stop:
   environment:
     name: "${NAMESPACE}"
     action: "stop"
-  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
   needs: []
   rules:
     - if: >
@@ -443,41 +467,16 @@ run-tests:
       }" \
       "https://${TESTS_PROJECT_URL}/trigger/pipeline"
 
-run-souvap-dev-tests:
-  extends: ".deploy-common"
-  environment:
-    name: "${NAMESPACE}"
-  stage: "tests"
-  rules:
-    - if: >
-        $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
-      when: "on_success"
-  script:
-    - *ums-default-password
-    - |
-      curl --request POST \
-      --header "Content-Type: application/json" \
-      --data "{ \
-        \"ref\": \"${UMS_TESTS_BRANCH}\", \
-        \"token\": \"${CI_JOB_TOKEN}\", \
-        \"variables\": { \
-          \"portal_base_url\": \"https://portal.${DOMAIN}\", \
-          \"username\": \"${DEFAULT_USER_NAME}\", \
-          \"password\": \"${DEFAULT_USER_PASSWORD}\", \
-          \"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
-          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
-          \"keycloak_base_url\": \"https://id.${DOMAIN}\" \
-        } \
-      }" \
-      "https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
-
 avscan-prepare:
   stage: ".pre"
   rules:
-    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+    - if: >
+          $JOB_AVSCAN_ENABLED != 'false' &&
+          $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+          $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
       when: "always"
     - when: "never"
-  image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/mikefarah/yq"
   script:
     - |
       cat << 'EOF' > dynamic-scans.yml
@@ -507,7 +506,8 @@ avscan-prepare:
       yq '.images
       | with_entries(.key |= "scan-" + .)
       | .[].extends=".container-clamav"
-      | with(.[]; .variables.CONTAINER_IMAGE = .repository | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry)
+      | with(.[]; .variables.CONTAINER_IMAGE = .repository
+      | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry)
       | del(.[].repository)
       | del(.[].tag)
       | del(.[].registry)'
@@ -520,7 +520,10 @@ avscan-prepare:
 avscan-start:
   stage: "scan"
   rules:
-    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+    - if: >
+        $JOB_AVSCAN_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
       when: "always"
     - when: "never"
   trigger:
@@ -529,48 +532,7 @@ avscan-start:
         job: "avscan-prepare"
     strategy: "depend"
 
-generate-release-assets:
+# Declare .environments which is in environments repository. In case it is not available
-  stage: "generate-release-assets"
-  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
-  rules:
-    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
-      when: "on_success"
-    - when: "never"
-  script:
-    - |
-      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
-      cd opendesk-asset-generator
-      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
-      ./opendesk_asset_generator.py
-      mv ./build_artefacts ${CI_PROJECT_DIR}
-      cd ..
-      rm -rf opendesk-asset-generator
-      ls -l ./build_artefacts
-  artifacts:
-    paths:
-      - "./build_artefacts/chart-index.json"
-      - "./build_artefacts/image-index.json"
-  tags: []
-  variables:
-    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
-
-opendesk-linter:
-  cache: {}
-  image: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:1.0.1"
-  needs: []
-  rules:
-    - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
-      when: "never"
-    - when: "always"
-  script:
-    - "node /app/src/index.js sort-images ${CI_PROJECT_DIR}/helmfile/environments/default/images.yaml"
-    - "node /app/src/index.js sort-charts ${CI_PROJECT_DIR}/helmfile/environments/default/charts.yaml"
-    - "git diff --exit-code"
-  stage: "lint"
-  tags:
-    - "docker"
-
-# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
   cache: {}
@@ -580,14 +542,12 @@ opendesk-linter:
   image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
   tags: []
 
-
 conventional-commits-linter:
   rules:
     - if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
       when: "never"
     - when: "always"
 
-
 common-yaml-linter:
   rules:
     - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
@@ -603,14 +563,18 @@ reuse-linter:
 
 generate-release-version:
   rules:
-    - if: "$JOB_RELEASE_ENABLED != 'false'"
+    - if: >
+        $JOB_RELEASE_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
       when: "on_success"
 
 release:
-  dependencies:
-    - "generate-release-assets"
   rules:
-    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+    - if: >
+        $JOB_AVSCAN_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
       when: "on_success"
   script:
     - >
@@ -626,7 +590,7 @@ release:
     - |
       echo -e "\n[INFO] Writing data to helm value file..."
       cat <<EOF >helmfile/environments/default/global.generated.yaml
-      # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+      # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
       # SPDX-License-Identifier: Apache-2.0
       ---
       global:
@@ -639,20 +603,18 @@ release:
       {
         "branches": ["main"],
         "plugins": [
-          ["@semantic-release/gitlab",
+          "@semantic-release/gitlab",
-            {
-              "assets": [
-                { "path": "./build_artefacts/chart-index.json",
-                  "label": "Chart Index JSON" },
-                { "path": "./build_artefacts/image-index.json",
-                  "label": "Image Index JSON" },
-              ]
-            }
-          ],
           "@semantic-release/release-notes-generator",
           "@semantic-release/changelog",
           ["@semantic-release/git", {
-            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md", "helmfile/environments/default/global.generated.yaml"],
+            "assets": [
+              "charts/**/Chart.yaml",
+              "CHANGELOG.md",
+              "charts/**/README.md",
+              "helmfile/environments/default/global.generated.yaml",
+              ".kyverno/kyverno-test.yaml",
+              "docs"
+            ],
             "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
           }]
         ]
@@ -660,5 +622,5 @@ release:
       EOF
     - "semantic-release"
   needs:
-    - "generate-release-assets"
+    - "generate-docs"
 ...

.gitlab/common/common.yml

@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+variables:
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.3\
+    @sha256:4630299fddf4248af1ad04528f0435d78f5b2694a154c99fe72b960260a7be61"
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.4\
+    @sha256:386e84e2c85c33537479e4bb1e1fe744c9cce5e87bcb9a3a384dcdc1727c19c0"
+
+.common:
+  cache: {}
+  needs: []
+  tags: []
+...

.gitlab/generate/generate-common.yml

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+  - local: "/.gitlab/common/common.yml"
+
+.generate-common:
+  extends: ".common"
+  stage: ".post"
+  tags: []
+...

.gitlab/generate/generate-docs.yml

@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+  - local: "/.gitlab/generate/generate-common.yml"
+
+generate-docs:
+  cache:
+    - key: "generate-docs-${CI_COMMIT_REF_SLUG}"
+      paths:
+        - "${CI_PROJECT_DIR}/docs"
+      policy: "push"
+  extends: ".generate-common"
+  image: "${OPENDESK_CI_CLI_IMAGE}"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "on_success"
+  script:
+    - "node /app/src/index.js generate-docs -d ${CI_PROJECT_DIR}"
+...

.gitlab/lint/lint-common.yml

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+  - local: "/.gitlab/common/common.yml"
+
+.lint-common:
+  extends: ".common"
+  stage: "lint"
+
+...

.gitlab/lint/lint-kyverno.yml

@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+  - local: "/.gitlab/lint/lint-common.yml"
+
+lint-kyverno:
+  allow_failure: true
+  extends: ".lint-common"
+  image: "${OPENDESK_LINT_IMAGE}"
+  parallel:
+    matrix:
+      - APP:
+          - "collabora"
+          - "cryptpad"
+          - "element"
+          - "intercom-service"
+          - "jitsi"
+          - "nextcloud"
+          - "open-xchange"
+          - "openproject"
+          - "openproject-bootstrap"
+          - "provisioning"
+          - "services"
+          - "univention-management-stack"
+          - "xwiki"
+  script:
+    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
+    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
+    - >
+      node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
+      -d ${CI_PROJECT_DIR}/.kyverno
+      -t required
+      -s manifest
+      -f opendesk.yaml
+      --skip-tests true
+      ${APP}
+    - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
+    - "cd ${CI_PROJECT_DIR}/.kyverno"
+    - "kyverno test ."
+
+...

.gitlab/lint/lint-opendesk.yml

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+include:
+  - local: "/.gitlab/lint/lint-common.yml"
+
+lint-opendesk:
+  extends: ".lint-common"
+  image: "${OPENDESK_CI_CLI_IMAGE}"
+  script:
+    - "node /app/src/index.js sort-all -d ${CI_PROJECT_DIR}/helmfile"
+    - "git diff --exit-code"
+...

.kyverno/policies/_policies.yaml

@@ -0,0 +1,292 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+pod:
+  - name: "require-tag-and-digest"
+    rule: "require-tag-and-digest"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-default-serviceaccount"
+    rule: "disallow-default-serviceAccountName"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "template-imagepullsecrets"
+    rule: "template-imagePullSecrets"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-latest-tag"
+    rule: "disallow-latest-tag"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-latest-tag"
+    rule: "require-image-tag-or-digest"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-imagepullpolicy"
+    rule: "require-imagePullPolicy"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-health-and-liveness-check"
+    rule: "require-health-and-liveness-check"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Pod"
+      - "DaemonSet"
+  - name: "template-storage"
+    rule: "template-storageClassName-pod"
+    type: "required"
+    kinds:
+      - "PersistentVolumeClaim"
+  - name: "template-storage"
+    rule: "template-storageClassName-pvc"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+  - name: "template-storage"
+    rule: "template-requests-storage-pod"
+    type: "required"
+    kinds:
+      - "PersistentVolumeClaim"
+  - name: "template-storage"
+    rule: "template-requests-storage-pvc"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+  - name: "require-requests-limits"
+    rule: "validate-resources"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "template-image-registries"
+    rule: "template-image-registries"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-ro-rootfs"
+    type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-no-privilege-escalation"
+    type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-all-capabilities-dropped"
+    type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-no-privileged"
+    type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-run-as-user"
+    type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-run-as-group"
+    type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-seccomp-profile"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-run-as-non-root"
+    type: "optional"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-empty-seLinuxOptions"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-default-procMount"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "restrict-sysctls"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-container-sock-mounts"
+    rule: "validate-docker-sock-mount"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-container-sock-mounts"
+    rule: "validate-containerd-sock-mount"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-container-sock-mounts"
+    rule: "validate-crio-sock-mount"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-container-sock-mounts"
+    rule: "validate-dockerd-sock-mount"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-host-namespaces"
+    rule: "disallow-host-namespaces"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-host-path"
+    rule: "disallow-host-path"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-host-ports"
+    rule: "disallow-host-ports"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-host-process"
+    rule: "disallow-host-process"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "template-ingress"
+    rule: "template-ingressClassName"
+    type: "required"
+    kinds:
+      - "Ingress"
+  - name: "template-ingress"
+    rule: "template-tls-secretName"
+    type: "required"
+    kinds:
+      - "Ingress"
+  - name: "template-replicas"
+    rule: "template-replicas"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+...

.kyverno/policies/disallow-container-sock-mounts.yaml

@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-container-sock-mounts"
+  annotations:
+    policies.kyverno.io/title: "Disallow CRI socket mounts"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Container daemon socket bind mounts allow access to the container engine on the node.
+      This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should
+      not be allowed.
+      This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
+      In addition to or replacement of this policy, preventing users from mounting the parent directories
+      (/var/run and /var) may be necessary to completely prevent socket bind mounts.
+spec:
+  background: true
+  rules:
+    - name: "validate-docker-sock-mount"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: "Use of the Docker Unix socket is not allowed."
+        anyPattern:
+          - spec:
+              =(volumes):
+                - =(hostPath):
+                    path: "!/var/run/docker.sock"
+          - spec:
+              =(volumes):
+    - name: "validate-containerd-sock-mount"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: "Use of the Containerd Unix socket is not allowed."
+        anyPattern:
+          - spec:
+              =(volumes):
+                - =(hostPath):
+                    path: "!/var/run/containerd/containerd.sock"
+          - spec:
+              =(volumes):
+    - name: "validate-crio-sock-mount"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: "Use of the CRI-O Unix socket is not allowed."
+        anyPattern:
+          - spec:
+              =(volumes):
+                - =(hostPath):
+                    path: "!/var/run/crio/crio.sock"
+          - spec:
+              =(volumes):
+    - name: "validate-dockerd-sock-mount"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: "Use of the Docker CRI socket is not allowed."
+        anyPattern:
+          - spec:
+              =(volumes):
+                - =(hostPath):
+                    path: "!/var/run/cri-dockerd.sock"
+          - spec:
+              =(volumes):

.kyverno/policies/disallow-default-serviceaccount.yaml

@@ -0,0 +1,36 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-default-serviceaccount"
+  annotations:
+    policies.kyverno.io/title: "Prevent default ServiceAccount privilege escalation"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Kubernetes automatically creates a ServiceAccount object named default for every namespace in your cluster.
+      These default service accounts get no permissions by default.
+      Accidental or intended assignment of permissions on the default service account results in elevated permissions
+      for all pods with default service account assigned.
+      This risk can be mitigated by creating a custom ServiceAccount for each application or reduce the risk by disable
+      auto mounting the default service account into the pod.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "disallow-default-serviceAccountName"
+      validate:
+        message: >-
+          Field serviceAccountName must be set to anything other than 'default'.
+          When serviceAccountName is 'default' then automountServiceAccountToken must set to 'false' .
+        anyPattern:
+          - spec:
+              serviceAccountName: "!default"
+          - spec:
+              automountServiceAccountToken: "false"
+  validationFailureAction: "audit"
+...

.kyverno/policies/disallow-host-namespaces.yaml

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-host-namespaces"
+  annotations:
+    policies.kyverno.io/title: "Disallow Host Namespaces"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access
+      to shared information and can be used to elevate privileges.
+      Pods should not be allowed access to host namespaces.
+      This policy ensures fields which make use of these host namespaces are unset or set to `false`.
+spec:
+  background: true
+  rules:
+    - name: "disallow-host-namespaces"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: >-
+          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
+          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
+        pattern:
+          spec:
+            =(hostPID): "false"
+            =(hostIPC): "false"
+            =(hostNetwork): "false"

.kyverno/policies/disallow-host-path.yaml

@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-host-path"
+  annotations:
+    policies.kyverno.io/title: "Disallow hostPath"
+    policies.kyverno.io/subject: "Pod,Volume"
+    policies.kyverno.io/description: >-
+      HostPath volumes let Pods use host directories and volumes in containers.
+      Using host resources can be used to access shared data or escalate privileges and should not be allowed.
+      This policy ensures no hostPath volumes are in use.
+spec:
+  background: true
+  rules:
+    - name: "disallow-host-path"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: >-
+          HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
+        anyPattern:
+          - spec:
+              =(volumes):
+                - X(hostPath): "null"
+          - spec:
+              =(volumes):

.kyverno/policies/disallow-host-ports.yaml

@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-host-ports"
+  annotations:
+    policies.kyverno.io/title: "Disallow hostPorts"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum
+      restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`.
+spec:
+  background: true
+  rules:
+    - name: "disallow-host-ports"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: >-
+          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
+          , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
+          must either be unset or set to `0`.
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - =(ports):
+                  - =(hostPort): 0
+            =(initContainers):
+              - =(ports):
+                  - =(hostPort): 0
+            containers:
+              - =(ports):
+                  - =(hostPort): 0

.kyverno/policies/disallow-host-process.yaml

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-host-process"
+  annotations:
+    policies.kyverno.io/title: "Disallow hostProcess"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node.
+      Privileged access to the host is disallowed in the baseline policy.
+      HostProcess pods are an alpha feature as of Kubernetes v1.22.
+      This policy ensures the `hostProcess` field, if present, is set to `false`.
+spec:
+  background: true
+  rules:
+    - name: "disallow-host-process"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: >-
+          HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
+          spec.containers[*].securityContext.windowsOptions.hostProcess,
+          spec.initContainers[*].securityContext.windowsOptions.hostProcess, and
+          spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined or set to
+          `false`.
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"
+            =(initContainers):
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"
+            containers:
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"

.kyverno/policies/disallow-latest-tag.yaml

@@ -0,0 +1,57 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-latest-tag"
+  annotations:
+    policies.kyverno.io/title: "Disallow usage of latest tag"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      The ':latest' tag is mutable and can lead to unexpected errors if the image changes.
+      A best practice is to use an immutable tag that maps to a specific version of an application Pod.
+      This policy validates that the image specifies a tag and that it is not called `latest`.
+      Defining no image tag or digest result in the container engine retrieving the latest tag.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "disallow-latest-tag"
+      validate:
+        message: "Using a mutable image tag e.g. 'latest' is not allowed."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - image: "!*:latest"
+            =(initContainers):
+              - image: "!*:latest"
+            containers:
+              - image: "!*:latest"
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-image-tag-or-digest"
+      validate:
+        message: "A image tag or a digest is required, otherwise latest tag is chosen."
+        anyPattern:
+          - spec:
+              =(ephemeralContainers):
+                - image: "*:*"
+              =(initContainers):
+                - image: "*:*"
+              containers:
+                - image: "*:*"
+          - spec:
+              =(ephemeralContainers):
+                - image: "*@*"
+              =(initContainers):
+                - image: "*@*"
+              containers:
+                - image: "*@*"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-containersecuritycontext.yaml

@@ -0,0 +1,244 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-containersecuritycontext"
+  annotations:
+    policies.kyverno.io/title: "ContainerSecurityContext best practices are set."
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      The containerSecurityContext is the most important security-related section because it has the highest precedence
+      and restricts the container to its minimal privileges.
+spec:
+  background: true
+  rules:
+    - name: "require-ro-rootfs"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Root filesystem must be read-only."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  readOnlyRootFilesystem: true
+            =(initContainers):
+              - securityContext:
+                  readOnlyRootFilesystem: true
+            containers:
+              - securityContext:
+                  readOnlyRootFilesystem: true
+
+    - name: "require-no-privilege-escalation"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Disallow privilege escalation."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  allowPrivilegeEscalation: false
+            =(initContainers):
+              - securityContext:
+                  allowPrivilegeEscalation: false
+            containers:
+              - securityContext:
+                  allowPrivilegeEscalation: false
+
+    - name: "require-all-capabilities-dropped"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Required to drop ALL linux capabilities."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  capabilities:
+                    drop:
+                      - "ALL"
+            =(initContainers):
+              - securityContext:
+                  capabilities:
+                    drop:
+                      - "ALL"
+            containers:
+              - securityContext:
+                  capabilities:
+                    drop:
+                      - "ALL"
+
+    - name: "require-no-privileged"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Disallow privileged container."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  privileged: false
+            =(initContainers):
+              - securityContext:
+                  privileged: false
+            containers:
+              - securityContext:
+                  privileged: false
+
+    - name: "require-run-as-user"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must run as non-root user."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  runAsUser: ">0"
+            =(initContainers):
+              - securityContext:
+                  runAsUser: ">0"
+            containers:
+              - securityContext:
+                  runAsUser: ">0"
+
+    - name: "require-run-as-group"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must run as non-root group."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  runAsGroup: ">0"
+            =(initContainers):
+              - securityContext:
+                  runAsGroup: ">0"
+            containers:
+              - securityContext:
+                  runAsGroup: ">0"
+
+    - name: "require-seccomp-profile"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must have seccompProfile"
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  seccompProfile:
+                    type: "RuntimeDefault | Localhost"
+            =(initContainers):
+              - securityContext:
+                  seccompProfile:
+                    type: "RuntimeDefault | Localhost"
+            containers:
+              - securityContext:
+                  seccompProfile:
+                    type: "RuntimeDefault | Localhost"
+
+    - name: "require-run-as-non-root"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "Container must run in non-root mode."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  runAsNonRoot: true
+            =(initContainers):
+              - securityContext:
+                  runAsNonRoot: true
+            containers:
+              - securityContext:
+                  runAsNonRoot: true
+
+    - name: "require-empty-seLinuxOptions"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "SELinux options have to be unset."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  seLinuxOptions:
+            =(initContainers):
+              - securityContext:
+                  seLinuxOptions:
+            containers:
+              - securityContext:
+                  seLinuxOptions:
+
+    - name: "require-default-procMount"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: >-
+          Changing the proc mount from the default is not allowed. The fields
+          spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
+          and spec.ephemeralContainers[*].securityContext.procMount must be unset or
+          set to `Default`.
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(procMount): "Default"
+            =(initContainers):
+              - =(securityContext):
+                  =(procMount): "Default"
+            containers:
+              - =(securityContext):
+                  =(procMount): "Default"
+
+    - name: "restrict-sysctls"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: >-
+          Setting additional sysctls above the allowed type is not allowed.
+          The field spec.securityContext.sysctls must be unset or not use any other names
+          than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
+          net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
+          net.ipv4.ping_group_range.
+        pattern:
+          spec:
+            =(securityContext):
+              =(sysctls):
+                - =(name): >-
+                    kernel.shm_rmid_forced |
+                    net.ipv4.ip_local_port_range |
+                    net.ipv4.ip_unprivileged_port_start |
+                    net.ipv4.tcp_syncookies |
+                    net.ipv4.ping_group_range
+
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-health-and-liveness-check.yaml

@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-health-and-liveness-check"
+  annotations:
+    policies.kyverno.io/title: "Disallow usage of latest tag"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Liveness and readiness probes need to be configured to correctly manage a Pod's lifecycle during deployments,
+      restarts, and upgrades.
+      For each Pod, a periodic `livenessProbe` is performed by the kubelet to determine if the Pod's containers are
+      running or need to be restarted.
+      A `readinessProbe` is used by Services and Pods to determine if the Pod is ready to receive network traffic.
+      This policy validates that all containers have livenessProbe and readinessProbe defined.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-health-and-liveness-check"
+      validate:
+        message: >-
+          Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds must be set to a
+          value greater than 0.
+        pattern:
+          spec:
+            containers:
+              - livenessProbe:
+                  periodSeconds: ">0"
+                readinessProbe:
+                  periodSeconds: ">0"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-imagepullpolicy.yaml

@@ -0,0 +1,51 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-imagepullpolicy"
+  annotations:
+    policies.kyverno.io/title: "Disallow usage of latest tag"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to
+      ensure later pulls get an updated image in case the latest tag gets updated.
+      This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or
+      where a tag is not defined at all.
+      Additionally this policy checks if the variable `.Values.global.imagePullPolicy` is used in templates.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-imagePullPolicy"
+      validate:
+        message: >-
+          The imagePullPolicy must be set to `Always` when the `latest` tag is used, otherwise the value from
+          `.Values.global.imagePullPolicy` has to be used.
+        anyPattern:
+          - spec:
+              =(ephemeralContainers):
+                - (image): "*:latest | !*:*"
+                  imagePullPolicy: "Always"
+              =(initContainers):
+                - (image): "*:latest | !*:*"
+                  imagePullPolicy: "Always"
+              containers:
+                - (image): "*:latest | !*:*"
+                  imagePullPolicy: "Always"
+          - spec:
+              =(ephemeralContainers):
+                - (image): "!*:latest"
+                  imagePullPolicy: "kyverno"
+              =(initContainers):
+                - (image): "!*:latest"
+                  imagePullPolicy: "kyverno"
+              containers:
+                - (image): "!*:latest"
+                  imagePullPolicy: "kyverno"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-requests-limits.yaml

@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-requests-limits"
+  annotations:
+    policies.kyverno.io/title: "Require resources cpu/memory request and limits."
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      As application workloads share cluster resources, it is important to limit resources requested and consumed by
+      each Pod.
+      It is recommended to require resource requests and limits per Pod, especially for memory and CPU.
+      If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on
+      the LimitRange configuration.
+      This policy validates that all containers have specified requests for memory and CPU and a limit for memory.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "validate-resources"
+      validate:
+        message: "CPU and memory resource requests and limits are required."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    memory: "?*"
+                  requests:
+                    cpu: "?*"
+                    memory: "?*"
+  validationFailureAction: "audit"
+...

.kyverno/policies/require-tag-and-digest.yaml

@@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-tag-and-digest"
+  annotations:
+    policies.kyverno.io/title: "Require tag and digest for image."
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      To ensure that containers are not compromised in container registry by pushing malicious code to the same tag, it
+      is required to reference images by setting a sha256 hashed digest.
+      Setting only the digest is complicated for humans to compare software versions, therefore in openDesk it is
+      required to reference container images by tag and digest.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-tag-and-digest"
+      validate:
+        message: "An image tag and digest required."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - image: "*:*@sha256:*"
+            =(initContainers):
+              - image: "*:*@sha256:*"
+            containers:
+              - image: "*:*@sha256:*"
+  validationFailureAction: "audit"
+...

.kyverno/policies/template-image-registries.yaml

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "template-image-registries"
+  annotations:
+    policies.kyverno.io/title: "Check image registry template"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      This policy verifies that a custom external registry can be template to allow downloads from a private registry or
+      cache.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "template-image-registries"
+      validate:
+        message: "Unknown image registry."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - image: "external-registry.souvap-univention.de/*"
+            =(initContainers):
+              - image: "external-registry.souvap-univention.de/*"
+            containers:
+              - image: "external-registry.souvap-univention.de/*"
+  validationFailureAction: "audit"
+...

.kyverno/policies/template-ingress.yaml

@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "template-ingress"
+  annotations:
+    policies.kyverno.io/title: "Validate openDesk Ingress templating"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      This policy verifies that ingress variables are templated.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Ingress"
+      name: "template-ingressClassName"
+      validate:
+        message: "Verifies that ingressClassName can be customized by `.Values.ingress.ingressClassName` variable."
+        pattern:
+          spec:
+            ingressClassName: "kyverno"
+    - match:
+        resources:
+          kinds:
+            - "Ingress"
+      name: "template-tls-secretName"
+      validate:
+        message: "Verifies that tls.secretName can be customized by `.Values.ingress.tls.secretName` variable."
+        pattern:
+          spec:
+            tls:
+              - secretName: "kyverno-tls"
+  validationFailureAction: "audit"
+...

.kyverno/policies/template-replicas.yaml

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "template-replicas"
+  annotations:
+    policies.kyverno.io/title: "Validate openDesk Pod replicas templating"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      This policy verifies that `.Values.replicas.<app>` variables are templated.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Deployment"
+            - "StatefulSet"
+      name: "template-replicas"
+      validate:
+        message: "Verifies that replica count can be customized by `.Values.replicas.<app>` variable."
+        pattern:
+          spec:
+            replicas: 42
+
+  validationFailureAction: "audit"
+...

.kyverno/policies/template-require-imagepullsecets.yaml

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "template-imagepullsecrets"
+  annotations:
+    policies.kyverno.io/title: "ImagePullSecrets template variable have to be implemented."
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      It is recommended to cache images to ensure continuous image availability during network partitions, rate limiting
+      or registry outages.
+      These caches as well as a company proxy may require authentication which will be provided as ImagePullSecrets.
+      This is a openDesk test to ensure that environment variables are templated in Helmfile deployment.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "template-imagePullSecrets"
+      validate:
+        message: "ImagePullSecrets are required."
+        pattern:
+          spec:
+            imagePullSecrets:
+              - name: "kyverno-test"
+  validationFailureAction: "audit"
+...

.kyverno/policies/template-storage.yaml

@@ -0,0 +1,67 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "template-storage"
+  annotations:
+    policies.kyverno.io/title: "Validate storageClass and size templates."
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      This policy validates if `.Values.persistence.storageClassNames` variables are used in templates and if the size
+      of volumes can be customized by `.Values.persistence.size` variable.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "StatefulSet"
+      name: "template-storageClassName-pod"
+      validate:
+        message: "VolumeClaims inside pods needs to have storageClass set when templated."
+        pattern:
+          spec:
+            (volumeClaimTemplates):
+              - spec:
+                  storageClassName: "kyverno-test"
+    - match:
+        resources:
+          kinds:
+            - "PersistentVolumeClaim"
+      name: "template-storageClassName-pvc"
+      validate:
+        message: "PersistentVolumeClaim needs to have storageClassName set when templated."
+        pattern:
+          spec:
+            storageClassName: "kyverno-test"
+
+    - match:
+        resources:
+          kinds:
+            - "StatefulSet"
+      name: "template-requests-storage-pod"
+      validate:
+        message: "VolumeClaims inside pods needs to have storageClass set when templated."
+        pattern:
+          spec:
+            (volumeClaimTemplates):
+              - spec:
+                  resources:
+                    requests:
+                      storage: "42Gi"
+    - match:
+        resources:
+          kinds:
+            - "PersistentVolumeClaim"
+      name: "template-requests-storage-pvc"
+      validate:
+        message: "PersistentVolumeClaim needs to have storageClassName set when templated."
+        pattern:
+          spec:
+            resources:
+              requests:
+                storage: "42Gi"
+  validationFailureAction: "audit"
+...

CHANGELOG.md

@@ -1,3 +1,162 @@
+# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)
+
+
+### Bug Fixes
+
+* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3dc648421b80d4e170a11792604be127a3960c0e))
+* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b9ac5ecf2def57bba0070f1c2f4a01449808f106))
+* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e9ec2f3a6e51975ccdbd6d3575b5fc6a909502aa))
+* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2ad027082f4cb958d68d7728d8db05f786dba0f0))
+* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9be3b78761610db0274572d5a7c526aa34d0615f))
+* **univention-management-stack:** Objectstore credentials ([d1bd43f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d1bd43fa957accdb70f0cda69983e0490ac6cfa0))
+* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fefd2f6cae3617ba1f00ef0c5fa3a80cde1d6ba1))
+* **univention-management-stack:** Use the NATS related image configuration ([cd22570](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd225703ebe67bc78faa878080639dd7cc1845a9))
+
+
+### Features
+
+* **element:** Add support for Matrix federation ([36139b4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/36139b42f1df9785b8414059bf70dc3e37616e8a))
+* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e6fe2a7c18581f637d6bd4d0553d558f753dadd2))
+* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c7e217208c4cb812cc23f9aa5ea42fcb77ea7c3a))
+
+# [0.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.81...v0.6.0) (2024-04-11)
+
+
+### Bug Fixes
+
+* **helmfile:** Improve support for external Objectstore, and fix issue with DoveCot storageClassName ([1b748b6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1b748b6bf63d75fc5232c90407a3fa885c2dd3c8)), closes [#57](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/57) [#60](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/60) [#56](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/56)
+* **nextcloud:** Bump to 28.0.4 ([cb33a92](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cb33a929ef7c13a9a578e56a631951292d14d0e4))
+* **univention-management-stack:** add Guardian provisioning job image ([79c52d0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/79c52d014cec188d010a2827bb63b2635abafb2c))
+* **univention-management-stack:** Update UMC to 0.11.8 ([5e3f4fa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5e3f4faade2ea02e51f260d1d614296a6a484848))
+* **univention-management-stack:** Use umbrella helm chart ([10ecb44](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/10ecb44aa675d2f139aaec6fe8d4246fa1d3dd40))
+* **xwiki:** Bump to 15.10.8 and enable OIDC backchannel logout ([c395d35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c395d35dd77bbec5e6b7d01768533f87af843560))
+
+
+### Features
+
+* **open-xchange:** Bump to 8.23 and remove Istio prerequisite ([3be3564](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3be3564ec7168a1a2d72b58f11da84e89e81911d))
+
+## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28)
+
+
+### Bug Fixes
+
+* **docs:** Various updates ([50e2638](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/50e263866be8b51ef295ebf8025c3117821a2b6c))
+* **element:** Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([0fd4a26](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0fd4a26c711fb345b79cdff1c775d7ef20335768))
+* **helmfile:** Fix OpenAPI validations for Kubernetes v1.28 ([0aa4cfb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0aa4cfb46f793369a472a736b28eea834a545439))
+* **nextcloud:** Bump to 28.0.3 ([34d2c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/34d2c059596466f8f7d6d09c2855c595391a7e0d))
+* **nextcloud:** Rename default shared folder to `__Shared_with_me__` ([5f9d015](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5f9d015f0b98579d652fd4172e74835ed67ccf11))
+* **open-xchange:** Bump to 8.22 ([5ebf291](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5ebf291a4dbe88a09c0afe2befa6140ad33bf30b))
+* **openproject:** Bump OpenProject to 13.4.0 ([d565c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d565c057ddb7b348f7a829e0f931b1ea448b454b))
+* **openproject:** Bump version to 13.4.1 ([7cc3964](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7cc39647d89538630bac9caa158c47b5cb8d2c45))
+* **services:** Update Otterize Policies ([42f63e3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/42f63e399230495c83f934e07beb9fc950ef5e29))
+* **univention-management-stack:** Add missing authenticator secret mount to portal-server ([5a39e87](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5a39e8725b6454591f552f87f12535201e52df7c))
+* **univention-management-stack:** Update LDAP server for BSI base security compliance ([8e889db](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8e889db63eaf05b24cc23838545f63d969232c65))
+* **univention-management-stack:** Update ldap-notifier and ldap-server ([a41ddd5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a41ddd5451a9fbd3c6319827fee3eaffbd931271))
+* **univention-management-stack:** Update provisioning charts, images and helm value to add authentication ([8c97bcf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8c97bcf994487281ae94e6d66c73f4a11c08a0be))
+
+## [0.5.80](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.79...v0.5.80) (2024-03-11)
+
+
+### Bug Fixes
+
+* **ci:** Remove creation of release artefacts, use the `images.yaml` and `charts.yaml` in `./helmfile/environments/default` for information about the artefacts instead. ([ee99eef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ee99eefb72d3207866ffd1b3bd21a36bd55ad288))
+* **collabora:** Bump image to 23.05.9.4.1 ([9c32058](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9c32058fcc21a14e9e66a46064ea044402638920))
+* **docs:** Add development.md and refactor `images.yaml` and `charts.yaml` ([a2b333b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a2b333b46277a4bb86b75ca04edb64e69efff916))
+* **helmfile:** YAML handling of seLinuxOptions and align overall `toYaml` syntax ([011ad2c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/011ad2cd6bfe552e04a598452e8814d4d1029152))
+* **nextcloud:** Update images digests ([bc18724](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc18724d70ffff749d5192487944e62233cf4376))
+* **openproject:** Bump to 13.3.1 ([7ee9e47](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ee9e47e8269334294c80093a359b247d86f5d62))
+
+## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29)
+
+
+### Bug Fixes
+
+* **collabora:** Bump image to 23.05.9.2.1 ([f4b8226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f4b8226ea13971a38d61145ea9ac3821bc35f6b3))
+* **collabora:** Fix aliasgroups configuration whitelisting the Nextcloud host ([8b065fd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8b065fd9d789cdd597a584937fefaae40f42bba2))
+* **docs:** Update version numbers of functional components for release in README.md ([31e5cf3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31e5cf317ca7cd84a94cf42d57d0964152904471))
+* **element:** Provide end-to-end encryption as user controlled option ([3d31127](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3d31127a6ab0fa1d3af02695b521db5918932279))
+* **helmfile:** Enhance objectore environment variables to allow external Object Store ([d444226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d4442261aa141e21222dc13407023b96570d055f))
+* **helmfile:** Set debuglevel to WARN instead of INFO when debug is not enabled. ([2efceef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2efceef076beb06a3719859d7f4e2f0d03b99f44))
+* **nextcloud:** Bump images to enable password_policy and fix email with groupware ([8807b24](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8807b24ce09e59aaea39c349e9e12ee2a44a117a))
+* **univention-management-stack:** Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([2023d5b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2023d5bce4642f794831670713b1a2520a0419d6))
+* **univention-management-stack:** Provisioning version bump ([410a023](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/410a0237149a5e41434c09795959bc53e57fb4ca))
+* **univention-management-stack:** Template more Keycloak Extension values incl. logLevel ([7ec123b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ec123b9a174c8dade1fe9f6679796979749efab))
+
+## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23)
+
+
+### Bug Fixes
+
+* **ci:** Move main development repo OpenCoDE ([43718b8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/43718b8da2966b87fab8e206df449c923f6615e7))
+* **ci:** Run release pipeline only on pushes to main ([13dcb00](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/13dcb004419b4efd8ded8c25e7afa41d10156be8))
+* **ci:** Update kyverno rules ([d9263c9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9263c90110df241adaef8d1a5df8e8d8ceda11b))
+* **docs:** Add missing footnote regarding Nubus ([bc6e4f8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc6e4f8e5dcc32cc476de579fd56dbade79b7c31))
+* **nextcloud:** Set admin priviledges for users in central IAM ([a3e415d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a3e415d575ba24b99e741994fb29d0f0cfd11d8a))
+* **univention-management-stack:** Scaling udm-rest-api ([57d0f61](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/57d0f61b2c3e789b72a0098907817c97fee69268))
+* **univention-management-stack:** Set Keycloak CSP header to allow session continuation in admin portal. ([a398e5a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a398e5aaf131c1f00b09e1776d6daf10f2c343ad))
+* **univention-management-stack:** UMS portal-server scalability ([b1b4c28](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b1b4c28618e0eca31b59719e9e1f2db8ecff7f5c))
+* **univention-management-stack:** Univention Portal upstream codefixes version bump ([c2f62f7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c2f62f7c9487b2119b0d3efd98b40c92efb97c5d))
+* **univention-management-stack:** Update provisioning to fix high CPU usage when in idle ([d9c23bd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9c23bdf0b955c0b5e4c82dd1ee785b75ce18a3b))
+
+## [0.5.77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.76...v0.5.77) (2024-02-16)
+
+
+### Bug Fixes
+
+* **ci:** Complete CI var usage for external registry ([3bcdcd0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3bcdcd06b7c4829686f11b8f065ec38829b5a5a6))
+* **ci:** Update openDesk CI Lint to v2.3.1 ([250ef2b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/250ef2bc3fe9047b49b236b606ec3e3fa28e13ce))
+* **collabora:** Add chart validation ([0159902](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/01599022f14d447dfdadf390ca9e8e29668dfb07))
+* **collabora:** Bump to 23.05.9.1.1 ([b525a81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b525a814fc25867c068579d5cbd8d1a993144519))
+* **cryptpad:** Update chart to v0.0.18 ([6f0b1f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6f0b1f37fc06c40bf537dbaed60f314341211e41))
+* **docs:** Add functional component table referencing the component versions to README.md ([bc7eeb8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc7eeb8c9d3dd19f625d6f7ba94b15eb4b782d20))
+* **docs:** Add generated security-context.md ([d9e07ff](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9e07ff7bd0e8be090f4fe2c370fa9978c22dfd5))
+* **element:** Change name of neodatefix bot job ([dd535da](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/dd535daac0bb0e602eefa45e8dc448fd07fbdd33))
+* **element:** Disable e2ee ([ba0824b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ba0824bac30ae1fc43458bdc8c09a143076e874c))
+* **helmfile:** Add additional provisioning components and configuration ([110ff56](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/110ff56f7487e7ac89b1b75c8c63d04e1c2a41c0))
+* **helmfile:** Add seLinuxOptions for all applications ([02d04fa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/02d04faa2a8d8a0b3bfc179cc8efb3fec086bc70))
+* **helmfile:** Annotations in image.yaml ([7ebbd03](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ebbd03bdcb11abf4e459035c459b74adf8cfcda))
+* **helmfile:** Bump Collabora Chart to 1.11.1 and Image to 23.05.8.4.1 ([d2b1f0b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d2b1f0b07b5ebe4b98b2dc29b916857e28ce5706))
+* **helmfile:** Fix annotations in images.yaml ([acaec3b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/acaec3b8ac6e0ecd58167fca874cd56caa15fa98))
+* **helmfile:** Fix umsPortalFrontend image annotation ([8f83261](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8f832619864504eaa04945a9a79d6790d2ab8a48))
+* **helmfile:** Improve debugging ([56f5e35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/56f5e35895c712440c1a7d249be672c86fc34eeb))
+* **nextcloud:** Bump openincryptpad to 0.3.3 and disable circles app ([f2b8acf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f2b8acfba85d384ed425779fa52133935e553e86))
+* **nextcloud:** Set backchannel logout url ([c0fc225](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c0fc225349794034feea1d0c05b29068b9a455af))
+* **nextcloud:** Update image, nextcloud apps and chart ([fd2a66f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fd2a66f8f2a987aa71872122267f29aee3d5f22a))
+* **nextcloud:** Update nextcloud image and chart to support upgrades ([5d95e7a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5d95e7ab2a71097d8c6231bff8c3a6aa3b6f163a))
+* **nextcloud:** Update to Nextcloud to v28 ([7c9f38f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7c9f38f06e1f0d000992ecdfd77921d6fc28015c))
+* **open-xchange:** Bump Gotenberg image ([49f126d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/49f126d169759b3e9dd130101e64892822750d7b))
+* **open-xchange:** Dovecot image on OpenCoDE without mirror ([1396071](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/139607186549f7a9a129023f1f72aff82cf36460))
+* **openproject:** Bump version to 13.3.0 ([c2087ef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c2087efcf95bf2eef19556ba1a1d26b7807021c4))
+* **univention-management-stack:** New device login notifications on first login with 2FA ([ee1a337](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ee1a337ab5dea7001045860eb6a5bee1dfc84219))
+* **univention-management-stack:** Patches not applied to uldap ([2909e1d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2909e1d821397797244d7c11c0935a3bbc902bb1))
+* **univention-management-stack:** Support for object-storage icons and portal files ([83ac645](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/83ac645faec748e773dd7940ca0ca1102bd6dff3))
+* **univention-management-stack:** Update NGINX Helm chart to 15.9.3 ([c16c0ac](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c16c0ac7955e64254214d7129ae70d5dd8808743))
+* **univention-management-stack:** Update otterize to allow umc-server communication with memcached ([6c15dc1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6c15dc1d668623ddd95090e321d1bb268e681db5))
+* **xwiki:** Add bottom border to top nav bar to be aligned with the other components ([affa92c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/affa92cde2caa175707f8ae0e8d4adedbdceb608))
+* **xwiki:** Bump XWiki chart to 1.3.0 ([cabee0c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cabee0c9da3a32e180931b3bd490ba8f83aadb79))
+
+## [0.5.76](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.75...v0.5.76) (2024-01-24)
+
+
+### Bug Fixes
+
+* **nextcloud:** Correct indent in monitoring resources ([bea1413](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bea1413b860aa69cab3bb4a9dfb6d8593594cc25))
+* **services:** Monitoring for minio with correct labels and there are no prometheusRule ([af63e5c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/af63e5c18dbd6d7d1e1ebd79ad91c4f994fe7003))
+* **univention-management-stack:** Fix external registry for nats charts ([cbb33b9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cbb33b922d397467d01a9227f3eb18d789cdc39c))
+
+## [0.5.75](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.74...v0.5.75) (2024-01-24)
+
+
+### Bug Fixes
+
+* **ci:** Add Kyverno CI Lint ([e778a59](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e778a59cddecc7c73b827e03af5e47ddd5c3dcee))
+* **helmfile:** Cleanup and small conformity fixes ([db0a544](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/db0a5441550ae08450afc04ef274ff8d19e85138))
+* **helmfile:** Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element ([a49daa6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a49daa6fa27dc7c51c3163b1155eec33b78949f5))
+* **helmfile:** Split image and helm registry ([89c149a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/89c149af954a6f0884ae905e55b52e8db9036b05))
+* **univention-management-stack:** UMC secure session cookie ([67f7c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/67f7c050387157808f010857395715335b42d767))
+* **univention-management-stack:** Update guardian to version 2 ([a99f338](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a99f3389dc90aa89ce2ba4bcfc266a2dfdf15ab9))
+
 ## [0.5.74](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.73...v0.5.74) (2024-01-12)
 
 

README.md

@@ -1,69 +1,65 @@
 <!--
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
 
-![logo](./helmfile/environments/default/theme/logo_portal_background.svg)
+<h1>openDesk Deployment Automation</h1>
+
+<!-- TOC -->
+* [Overview](#overview)
+* [Disclaimer](#disclaimer)
+* [Requirements](#requirements)
+* [Getting started](#getting-started)
+* [Advanced customization](#advanced-customization)
+* [Development](#development)
+* [Releases](#releases)
+* [Components](#components)
+* [Feedback](#feedback)
+* [License](#license)
+* [Copyright](#copyright)
+* [Footnotes](#footnotes)
+<!-- TOC -->
+
+# Overview
 
 openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
 Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
 
-It features:
+openDesk currently features the following functional main components:
-- Fully integrated Identity Management (Univention)
-- File storage (Nextcloud)
-- Weboffice (Collabora)
-- Videoconference (Nordeck w/ Jitsi)
-- Chat and Collaboration (Element w/ Nordeck)
-- Groupware (OX Appsuite)
-- Wiki (XWiki)
-- Project Management (OpenProject)
-- Notes and Diagrams (Cryptpad)
 
-openDesk integrates these components and is working towards a seamless user experience.
+| Function             | Functional Component        | Component<br/>Version                                                                                          | Upstream Documentation                                                                                                                       |
+| -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59)                                 | [For the most recent release](https://element.io/user-guide)                                                                                 |
+| Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
+| File management      | Nextcloud                   | [28.0.4](https://nextcloud.com/de/changelog/#28-0-4)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
+| Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
+| Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
+| Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
+| Project management   | OpenProject                 | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
+| Weboffice            | Collabora                   | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
-While not all components are perfectly shaped for the execution inside containers, one of the project objectives is to
+While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
-align the applications with the best practises regarding container design and operations.
+align the applications with best practises regarding container design and operations.
 
 This documentation aims to give you all that is needed to set up your own instance of the openDesk.
-Basic knowledge of Kubernetes and Devops is required though.
 
-<!-- TOC -->
+Basic knowledge of Kubernetes and DevOps processes is required though.
-* [Active development notice](#active-development-notice)
+
-* [Feedback](#feedback)
+# Disclaimer
-* [Requirements](#requirements)
-* [Getting started](#getting-started)
-* [Advanced customization](#advanced-customization)
-* [Releases](#releases)
-* [Components](#components)
-* [License](#license)
-* [Copyright](#copyright)
-<!-- TOC -->
 
-# Active development notice
 openDesk will face breaking changes in the near future without upgrade paths before
 [technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 v1.0.0 is reached.
 
 While most components support upgrades, major configuration or component changes may occur, therefore we recommend
-at the moment always installing from scratch.
+from scratch installations for now.
 
-Components that are going to be replaced soon are:
+In the next months, we not only expect to integrate upstream updates of the functional components to include their
-- the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
+most recent feature and security sets, but also to address operational topics like scalability for the openDesk
-- Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.
+platform.
 
-In the next months, we not only expect upstream updates of the functional components within their feature scope, but we
+Of course, further development also includes enhancing the documentation itself.
-are also going to address operational issues like monitoring and network policies.
-
-Of course, further development also includes enhancing the documentation.
-
-# Feedback
-
-We love to get feedback from you!
-Related to the deployment / contents of this repository,
-please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
-
-If you want to address other topics, please check the section
-["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 
 # Requirements
 
@@ -81,6 +77,10 @@ If you want to address other topics, please check the section
 - [Monitoring](./docs/monitoring.md)
 - [Theming](./docs/theming.md)
 
+# Development
+
+⟶ To understand the repository contents from a developer perspective please read the [Development](./docs/development.md) guide.
+
 # Releases
 
 All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
@@ -89,20 +89,40 @@ Gitlab provides an
 [overview on the releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 of this project.
 
-The following release artefacts are provided beside the default source code assets:
+Please find a list of the artefacts related to the release either in the source code archive attached to the release or
-- `chart-index.json`: An overview of all Helm charts used by the release.
+in the files from the release's git-tag:
-- `image-index.json`: An overview of all container images used by the release.
+- `./helmfile/environments/default/images.yaml`
+- `./helmfile/environments/default/charts.yaml`
 
-⟶ Visit out detailed [Workflow](./docs/workflow.md) docs.
+⟶ Visit our detailed [Workflow](./docs/workflow.md) docs.
 
 # Components
 
 ⟶ Visit our detailed [Component](./docs/components.md) docs.
 
+# Feedback
+
+We love to get feedback from you!
+
+Related to the deployment / contents of this repository,
+please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
+
+If you want to address other topics, please check the section
+["Rückmeldungen und Beteiligung" in the OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung) of the [openDesk Info Repository](https://gitlab.opencode.de/bmi/opendesk/info).
 
 # License
 
 This project uses the following license: Apache-2.0
 
 # Copyright
-Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+
+Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+
+# Footnotes
+
+[^1]: Nubus is the Cloud Portal and IAM from Univention.
+It is currently integrated as a product preview within openDesk therefore,
+not all resources like documentation and structured release notes are available,
+while the
+[source code can already be found on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/component-code/crossfunctional/univention).
+Please find updates regarding the Nubus at https://nubus.io.

docs/ci.md

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 -->
 <h1>CI/CD</h1>
 
-This page will cover openDesk automation via Gitlab CI.
+This page covers openDesk deployment automation via Gitlab CI.
 
 <!-- TOC -->
 * [Deployment](#deployment)
@@ -13,30 +13,31 @@ This page will cover openDesk automation via Gitlab CI.
 
 # Deployment
 
-The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
+The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a GitLab instance of your choice.
 
 
-When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
+When starting the pipeline through the GitLab UI, you will be queried for some variables plus the following ones:
 
 - `DOMAIN` = The domain to deploy to.
-- `ISTIO_DOMAIN` = istio.`DOMAIN`
+- `MAIL_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Mail, defaults to `DOMAIN`.
-- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
+- `SYNAPSE_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Synapse, defaults to `DOMAIN`.
+- `NAMESPACE`: Defines into which namespace of your K8s cluster openDesk will be installed
 - `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
 
 Based on your input, the following variables will be set:
 - `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
   is not set, the default for `MASTER_PASSWORD` will be used, unless you set
-  `MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
+  `MASTER_PASSWORD` as a masked CI/CD variable in GitLab to supersede the default.
 
-You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
+You might want to set credential variables in the GitLab project at `Settings` > `CI/CD` > `Variables`.
 
 # Tests
 
-The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
+The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
 The `DEPLOY_`-variables are used to determine which components should be tested.
-In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
 
-If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
+If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
 `TESTS_BRANCH` while creating a new pipeline.

docs/components.md

@@ -1,5 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Components</h1>
@@ -34,7 +35,6 @@ they need to be replaced in production deployments.
 | ClamAV (Simple)             | Antivirus engine               | Eval       |
 | Collabora                   | Weboffice                      | Functional |
 | CryptPad                    | Weboffice                      | Functional |
-| Dovecot                     | Mail backend                   | Functional |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
@@ -44,7 +44,8 @@ they need to be replaced in production deployments.
 | Nextcloud                   | File share                     | Functional |
 | OpenProject                 | Project management             | Functional |
 | OX Appsuite                 | Groupware                      | Functional |
-| Provisioning                | Backend provisioning           | Functional |
+| OX Dovecot                  | Mail backend (IMAP)            | Functional |
+| Provisioning (OX Connector) | Groupware provisioning         | Functional |
 | Postfix                     | MTA                            | Eval       |
 | PostgreSQL                  | Database                       | Eval       |
 | Redis                       | Cache Database                 | Eval       |
@@ -58,12 +59,14 @@ Some use cases require inter component integration.
 ```mermaid
 flowchart TD
   OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
+  Element-->|CentralNavigation|IntercomService
   IntercomService-->|SilentLogin, TokenExchange|IdP
   IntercomService-->|Filepicker|Nextcloud
   IntercomService-->|CentralNavigation|Portal
   OXAppSuiteBackend-->|Filepicker|Nextcloud
   Nextcloud-->|CentralNavigation|Portal
   OpenProject-->|CentralNavigation|Portal
+  OpenProject-->|Filestore|Nextcloud
   XWiki-->|CentralNavigation|Portal
   Nextcloud-->|CentralContacts|OXAppSuiteBackend
   OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
@@ -71,7 +74,7 @@ flowchart TD
 
 ## Intercom Service (ICS)
 
-The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
+The Univention Intercom Service's role is to enable cross-application integration based on browser interaction.
 Handling authentication when the frontend of an application is using the API from another application is often a
 challenge.
 For more details on the ICS please refer to its own [doc](./components/intercom-service.md).
@@ -111,8 +114,13 @@ The Filestore can be enabled on a per-project level in OpenProject's project adm
 # Identity data flows
 
 An overview of
-- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
+- components that consume the LDAP service.
-- components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.
+  - The components accessing the LDAP using a component specific LDAP search account.
+- components using Univention Keycloak as identity provider (IdP).
+  - If not otherwise denoted the components make use of OAuth2 / OIDC flows.
+  - All components have a client configured in Keycloak, except for Jitsi which is using authentication with the
+    [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) that does not
+    require an OIDC client to be configured in Keycloak.
 
 Some components trust others to handle authentication for them.
 
@@ -124,7 +132,7 @@ flowchart TD
     A[OX AppSuite]-->L
     D[OX Dovecot]-->L
     P[Portal/Admin]-->L
-    X[XWiki]-->|in 2023|L
+    X[XWiki]-->L
     A-->K
     N-->K
     D-->K

docs/debugging.md

@@ -0,0 +1,174 @@
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+<h1>Debugging</h1>
+
+* [Disclaimer](#disclaimer)
+* [Enable debugging](#enable-debugging)
+* [Adding containers to a pod for debugging purposes](#adding-containers-to-a-pod-for-debugging-purposes)
+  * [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
+  * [Temporary/ephemeral containers](#temporaryephemeral-containers)
+* [Components](#components)
+  * [MariaDB](#mariadb)
+  * [Nextcloud](#nextcloud)
+  * [OpenProject](#openproject)
+  * [PostgreSQL](#postgresql)
+
+# Disclaimer
+
+This document collects information how to deal with debugging an openDesk deployment.
+
+It will be extended over time as we have to deal with debugging cases.
+
+We for sure do not want to reinvent the wheel, so we might link to external sources that contain helpful
+information where available.
+
+**Note:** You should never enable debug in production environments! By looking up `debug.enable` in the deployment you
+will find the various places changes are applied when enabling debugging. So outside of development and test
+environments you may want to make use of them in a very thoughtful and selective manner if needed.
+
+# Enable debugging
+
+Set `debug.enable` to `true` in [`debug.yaml`](../helmfile/environments/default/debug.yaml) to set the
+component's loglevel to debug and it get some features like:
+- The `/admin` console is routed for Keycloak.
+- An ingress for `http://minio-console.<your_domain>` is configured.
+and set the loglevel for components to "Debug".
+
+**Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
+
+# Adding containers to a pod for debugging purposes
+
+During test or development you come across the need to execute tools, browse or even change things in the filesystem of another container.
+
+This can be a challenge the more security hardened container images are, because there are no debugging tools available and sometimes not even a shell.
+
+Adding a container to a Pod can ease the pain.
+
+Below you will find some wrap-up notes when it comes to debugging openDesk by adding debug containers. Of course there are a lot of more detailled resources out in the wild.
+
+## Adding a container to a pod/deployment - Dev/Test only
+
+You can add a container by editing and updating an existing deployment, which is quite comforable with tools like [Lens](https://k8slens.dev/).
+
+- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
+- Ensure the `shareProcessNamespace` option is enabled for the Pod.
+- Reference the selected container within the `containers` array of the deployment.
+- In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
+- Save & update the deployment.
+
+The following example can e.g. be used to debug the `openDesk-Nextcloud-PHP` container, in case you want to modify files, don't forget to set `readOnlyRootFilesystem` to `true` on the PHP container.
+
+```
+      shareProcessNamespace: true
+      containers:
+        - name: debugging
+          image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+          command: ["/bin/bash", "-c", "while true; do echo 'This is a temporary container for debugging'; sleep 5 ; done"]
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            runAsUser: 65532
+            runAsGroup: 65532
+            runAsNonRoot: true
+            readOnlyRootFilesystem: false
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+```
+
+- After the deployment was reloaded open the shell of the debugging container.
+- When you've been successful you will see the processes of both/all containers in the pod when doing a `ps aux`.
+- To access another containers filesystem just select the PID of a process from the other container an do a `cd /proc/<selected_process_id>/root`
+
+## Temporary/ephemeral containers
+
+Interesting read we picked most of the details below from: https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/
+
+Sometimes you do not want to add a container permanently to your existing deployment. In that case you could use [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/).
+
+For the commands further down this section we set some environment variables first:
+- `NAMESPACE`: The namespace the Pod you want to inspects is running in.
+- `DEPLOYMENT_NAME`: The name of the deployment responsible for spawning the Pod you want to inspect within the prementioned namespace.
+- `POD_NAME`: The name of the Pod you want to inspect within the prementioned namespace.
+- `EPH_CONTAINER_NAME`: Chose the name for the container, "debugging" seem obvious.
+- `DEBUG_IMAGE`: The image you want to make use of for debugging purposes.
+
+e.g.
+
+```
+export EPH_CONTAINER_NAME=debugging
+export NAMESPACE=my_testdeployment
+export DEPLOYMENT_NAME=opendesk-nextcloud-php
+export POD_NAME=opendesk-nextcloud-php-6686d47cfb-7vtmf
+export DEBUG_IMAGE=registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+```
+
+You still need to ensure that your deployment supports process namespace sharing:
+
+```
+kubectl -n ${NAMESPACE} patch deployment ${DEPLOYMENT_NAME} --patch '
+spec:
+  template:
+    spec:
+      shareProcessNamespace: true'
+```
+
+Now you can add the ephemeral container with:
+```
+kubectl -n ${NAMESPACE} debug -it --attach=false -c ${EPH_CONTAINER_NAME} --image={DEBUG_IMAGE} ${POD_NAME}
+```
+and open it's interactive terminal with
+```
+kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
+```
+
+# Components
+
+## MariaDB
+
+When using the openDesk bundled MariaDB you can explore database(s) using the MariaDB interactive terminal from the pod's command line: `mariadb -u root -p`. As password provide the value for `MARIADB_ROOT_PASSWORD` set in the pod's environment.
+
+While you will find all details for the CLI tool in [the online documentation](https://mariadb.com/kb/en/mariadb-command-line-client/), some quick commands are:
+
+- `help`: Get help on the psql command set
+- `show databases`: Lists all databases
+- `use <databasename>`: Connect to `<databasename>`
+- `show tables`: Lists tables within the currently connected database
+- `quit`: Quit the client
+
+## Nextcloud
+
+`occ` is the CLI for Nextcloud, all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
+
+You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
+
+## OpenProject
+
+OpenProject is a Ruby on Rails application. Therefore you can make use of the Rails console from the pod's command line `bundle exec rails console`
+
+and run debug code like this:
+
+```
+uri = URI('https://nextcloud.url/index.php/apps/integration_openproject/check-config')
+Net::HTTP.start(uri.host, uri.port,
+  :use_ssl => uri.scheme == 'https') do |http|
+  request = Net::HTTP::Get.new uri
+  response = http.request request # Net::HTTPResponse object
+end
+```
+
+## PostgreSQL
+
+When using the openDesk bundled PostgreSQL you can explore database(s) using the PostgreSQL interactive terminal from the pod's command line: `psql -U postgres`.
+
+While you will find all details in the [psql subsection](https://www.postgresql.org/docs/current/app-psql.html)) of the PostgreSQL documentation, some quick commands are:
+
+- `\?`: Get help on the psql command set
+- `\l`: Lists all databases
+- `\c <databasename>`: Connect to `<databasename>`
+- `\dt`: List (describe) tables within the currently connected database
+- `\q`: Quit the client

docs/development.md

@@ -0,0 +1,142 @@
+<!--
+SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Developing openDesk deployment automation</h1>
+
+Active development on the deployment is currently only available for project members.
+But contributions will be possible soon once the CLA process is sorted out.
+
+* [Overview](#overview)
+* [Default branch, `develop` and other branches](#default-branch-develop-and-other-branches)
+* [External artefacts - `charts.yaml` and `images.yaml`](#external-artefacts---chartsyaml-and-imagesyaml)
+  * [Linting](#linting)
+  * [Renovate](#renovate)
+  * [Mirroring](#mirroring)
+    * [Get new artefacts mirrored](#get-new-artefacts-mirrored)
+* [Creating new charts / images](#creating-new-charts--images)
+
+# Overview
+
+The following sketch provides an high level overview to get a basic understanding of the deployment relevant
+structure of this repository. An understanding of that structure is vital if you want to contribute to
+the development of the deployment automation of openDesk.
+
+```mermaid
+flowchart TD
+    A[./helmfile.yaml]-->B[./helmfile/apps/*all_configured_apps*/helmfile.yaml\nReferences the relevant app Helm\ncharts using details from 'charts.yaml']
+    B-->C[./values-*all_configured_components*.yaml.gotmpl\nValues to template the charts\nwith references to the `images.yaml`]
+    A-->D[./helmfile/environments/default/*\nwith just some examples below]
+    D-->F[charts.yaml]
+    D-->G[images.yaml]
+    D-->H[global.*]
+    D-->I[secrets.yaml\nreplicas.yaml\nresources.yaml\n...]
+    A-->|overwrite defaults with your\ndeployment/environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
+```
+
+The `helmfile.yaml` in the root folder is the basis for the whole deployment. It references the app specific `helmfile.yaml` files as well as some
+global values files in `./environments/default`. It allows you to overwrite defaults by using one of the three predefined environments `dev`, `test`
+and `prod`.
+
+Before you look into any app specifc configuration it is recommended to review the contents of `./environments/default` to get an understanding of what
+details are maintained in there, as they are usually referenced by the app configurations.
+
+# Default branch, `develop` and other branches
+
+The `main` branch is configured to be the default branch, as visitors of the project on Open CoDE should see that
+branch by default.
+
+Please use the `develop` branch to diverge your own branch(es) from. See the [workflow guide](./workflow.md)
+for more details on naming conventions.
+
+There is a CI bot that automatically creates a merge request once you initially pushed your branch to Open CoDE.
+The merge request will of course target the `develop` branch, be in status `draft` and have you as assignee.
+
+In case you do not plan to actually merge from the branch you have pushed, please close or delete the autocreated MR.
+
+# External artefacts - `charts.yaml` and `images.yaml`
+
+The `charts.yaml` and `images.yaml` are the central place to reference external artefacts that are used for the deployment.
+
+Beside the deployment automation itself some tools work with the contents of the files:
+
+- **Linting**: Ensures consistency of the file contents for the other tools.
+- **Renovate**: Automatically create MRs that update the components to their latest version.
+- **Mirror**: Mirror artefacts to Open CoDE.
+
+Please find details on these tools below.
+
+## Linting
+
+In the project's CI there is a step dedicated to lint the two yaml files, as we want them to be in
+- alphabetical order regarding the components and
+- in a logical order regarding the non-commented lines (registry > repository > tag).
+
+In the linting step the [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli) is used to apply the
+just mentioned sorting and the result is compared with the unsorted version. If there is a delta the linting fails and you probably
+want to fix it by running the CLI tool locally.
+
+**Note**: Please ensure that in component blocks you use comments only at the beginning of the block or at its end. Ideally you just stick
+with the many available examples in the yaml files.
+
+Example:
+```
+  synapse:
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Element'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'matrixdotorg/synapse'
+    # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['1', '91', '2']
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
+    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
+```
+
+## Renovate
+
+Uses a regular expression to match the values of the following attributes:
+
+- `registry`
+- `repository`
+- `tag`
+
+Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).
+
+## Mirroring
+
+- See also: https://gitlab.opencode.de/bmi/opendesk/tooling/oci-pull-mirror
+
+**Note:** The mirror is scheduled to run every hour at 42 minutes past the hour.
+
+openDesk strives to make all relevant artefacts available on Open CoDE so there is the mirroring process
+configured to pull artefacts that do not originate from Open CoDE into projects called `*-Mirror` within the
+[openDesk Components section](https://gitlab.opencode.de/bmi/opendesk/components).
+
+The mirror script takes the information on what artefacts to mirror from the annotation inside the two yaml files:
+- `# upstreamRegistry` *required*: To identify the source registry
+- `# upstreamRepository` *required*: To identify the source repository
+- `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression.
+- `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artefacts beginning with a specific version. You must use capturing groups
+  in `# upstreamMirrorTagFilterRegEx` to identify the single numeric elements of the version within the tag and use per capturing group (left to right) one numeric array
+  element here to define the version the mirror should start with.
+
+### Get new artefacts mirrored
+
+If you want new images or charts to be mirrored that are not yet included in one of the yaml files there are two options:
+
+You include them in your branch with all required annotations and either
+1. ask somebody from the platform development team to trigger the mirror's CI based on your branch or
+2. you get your branch merged to `develop` already.
+
+# Creating new charts / images
+
+When you create new Helm charts please check out the
+[openDesk Best Practises](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-best-practises)
+for Helm charts.
+
+You may also want to make use of our [standard CI](https://gitlab.opencode.de/bmi/opendesk/tooling/gitlab-config) to
+easily get Charts and Images that are signed, linted, scanned and released.
+Check out the `.gitlab-ci.yaml` files in the project's [Charts](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts) or [Images](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images) to get an idea how little you need to do yourself.

docs/getting-started.md

@@ -10,9 +10,10 @@ This documentation should enable you to create your own evaluation instance of o
 <!-- TOC -->
 * [Requirements](#requirements)
 * [Customize environment](#customize-environment)
+  * [DNS](#dns)
   * [Domain](#domain)
     * [Apps](#apps)
-  * [Private Helm chart and container image registry](#private-helm-chart-and-container-image-registry)
+  * [Private registries](#private-registries)
   * [Cluster capabilities](#cluster-capabilities)
     * [Service](#service)
     * [Networking](#networking)
@@ -49,10 +50,24 @@ files.
 For the following guide, we will use `dev` as environment, where variables can be set in
 `helmfile/environments/dev/values.yaml`.
 
-## Domain
+## DNS
 
-The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
+The deployment is designed to deploy each application/service under a dedicated subdomain.
-`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
+For your convenience, we recommend to create a `*.domain.tld` A-Record to your cluster ingress controller,
+otherwise you need to create an A-Record for each subdomain.
+
+| Record name             | Type | Value                                              | Additional information                                                                  |
+| ----------------------- | ---- | -------------------------------------------------- | --------------------------------------------------------------------------------------- |
+| *.domain.tld            | A    | IPv4 address of your Ingress Controller            |                                                                                         |
+| *.domain.tld            | AAAA | IPv6 address of your Ingress Controller            |                                                                                         |
+| mail.domain.tld         | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                        |
+| mail.domain.tld         | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                        |
+| domain.tld              | MX   | `10 mail.domain.tld`                               |                                                                                         |
+| domain.tld              | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                                              |
+| _dmarc.domain.tld       | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                                                |
+| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | The `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service. |
+
+## Domain
 
 A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
 
@@ -68,29 +83,49 @@ The domain have to be set either via `dev` environment
 
 ```yaml
 global:
-  domain: "my.open.desk"
+  domain: "domain.tld"
-istio:
-  domain: "istio.my.open.desk"
 ```
 
 or via environment variable
 
 ```shell
-export DOMAIN=my.open.desk
+export DOMAIN=domain.tld
-export ISTIO_DOMAIN=istio.my.open.desk
 ```
 
-When you configure each subdomain individually, you can set `global.domain` and `istio.domain` to the same value.
+Additionally, you can announce/specify an alternative domain for mail and chat.
 
-Istio is only used for Open-Xchange Appsuite 8, when you don't want to install it, you can disable Istio:
+As an example, if your domain is `domain.tld` and you want to send mails with this domain, then you can deploy openDesk to
+`*.opendesk.domain.tld` and send mail as `default.user@domain.tld`.
+Webmail will be accessed via `mail.opendesk.domain.tld` in this scenario.
+The required routing have to be implemented by yourself.
+
+The alternative domains have to be set either via `dev` environment
 
 ```yaml
-istio:
+global:
-  enabled: false
+  mailDomain: "open.desk"
-oxAppsuite:
+  synapseDomain: "open.desk"
-  enabled: false
 ```
 
+or via environment variable
+
+```shell
+export MAIL_DOMAIN=open.desk
+export SYNAPSE_DOMAIN=open.desk
+```
+
+If you want to federate with other Matrix instances, you need to add an SRV record to signal Matrix delegation.
+
+| Record name                    | Type | Value                     |
+|--------------------------------|------|---------------------------|
+| _matrix._tcp.SYNAPSE_DOMAIN    | SRV  | `1 10 PORT matrix.DOMAIN` |
+| matrix-fed._tcp.SYNAPSE_DOMAIN | SRV  | `1 10 PORT matrix.DOMAIN` |
+| MAIL_DOMAIN                    | MX   | `10 mail.domain.tld`    |
+
+_Hint:_ Replace `SYNAPSE_DOMAIN`, `MAIL_DOMAIN` and `DOMAIN` with proper values of your domain settings.
+
+_Hint:_ `matrix.DOMAIN` can also be an IP address where synapse tls port is listening to.
+
 ### Apps
 
 All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.
@@ -126,7 +161,7 @@ jitsi:
   enabled: false
 ```
 
-## Private Helm chart and container image registry
+## Private registries
 
 By default Helm charts and container images are fetched from OCI registries. These registries can be found for most cases
 in the [openDesk/component section on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/components).
@@ -137,8 +172,9 @@ like Docker Hub.
 Doing a test deployment will most likely be fine with this setup. In case you want to deploy multiple times a day
 and fetch from the same IP address you might run into rate limits at Docker Hub. In that case and in cases you
 prefer the use of a private image registry anyway you can configure such for
-[your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting `global.imageRegistry`
+[your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting
-like this:
+- `global.imageRegistry` for a private image registry and
+- `global.helmRegistry` for a private Helm chart registry.
 
 ```yaml
 global:
@@ -355,17 +391,12 @@ by your specified subdomain.
 # Replace with your namespace
 NAMESPACE=your-namespace
 
-# Get credentials from ConfigMap
+# Get ConfigMap with credentials
-kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
+kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}'
-  | yq '.properties.username,.properties.password'
-# default.user
-# 40615..............................e9e2f
-# ---
-# default.admin
-# bdbbb..............................04db6
 ```
 
-Now you can log in with obtained credentials:
+Renders you a two part ConfigMap where the `username` and `password` attributes in the `properties`
+section provide you with the desired information to login with the two default user roles:
 
 | Username        | Password                                   | Description      |
 |-----------------|--------------------------------------------|------------------|

docs/requirements.md

@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 This section covers the internal system requirements as well as external service requirements for productive use.
 
 <!-- TOC -->
-* [TL;DR;](#tldr)
+* [tl;dr](#tldr)
 * [Hardware](#hardware)
 * [Kubernetes](#kubernetes)
 * [Ingress controller](#ingress-controller)
@@ -17,7 +17,7 @@ This section covers the internal system requirements as well as external service
 * [Deployment](#deployment)
 <!-- TOC -->
 
-# TL;DR;
+# tl;dr
 openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.
 
 - K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
@@ -28,7 +28,6 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
-- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8
 
 # Hardware
 
@@ -56,12 +55,8 @@ configured ingress controller deployed.
 
 **Maintained controllers:**
 - [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress)
-- [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
-
-**Community Supported:**
 - [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx)
-
+- [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
-When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/)
 
 # Volume provisioner
 
@@ -82,7 +77,6 @@ openDesk certificate management disabled.
 
 Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
 
-
 | Group    | Type                | Version | Tested against        |
 |----------|---------------------|---------|-----------------------|
 | Cache    | Memached            | `1.6.x` | Memached              |

docs/scaling.md

@@ -20,38 +20,42 @@ Verified positive effects are marke with a check-mark in `Scaling (verified)` co
 marked with a gear.
 
 
-| Component        | Name                                     | Scaling (effective) | Scaling (verified) |
+| Component                   | Name                                     | Scaling (effective) | Scaling (verified) |
-|------------------|------------------------------------------|:-------------------:|:------------------:|
+|-----------------------------|------------------------------------------|:-------------------:|:------------------:|
-| ClamAV           | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
+| ClamAV                      | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.freshclam`                     |         :x:         |        :x:         |
+|                             | `replicas.freshclam`                     |         :x:         |        :x:         |
-|                  | `replicas.icap`                          | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.icap`                          | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.milter`                        | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.milter`                        | :white_check_mark:  | :white_check_mark: |
-| Collabora        | `replicas.collabora`                     | :white_check_mark:  |       :gear:       |
+| Collabora                   | `replicas.collabora`                     | :white_check_mark:  |       :gear:       |
-| CryptPad         | `replicas.cryptpad`                      | :white_check_mark:  |       :gear:       |
+| CryptPad                    | `replicas.cryptpad`                      | :white_check_mark:  |       :gear:       |
-| Dovecot          | `replicas.dovecot`                       |         :x:         |       :gear:       |
+| Dovecot                     | `replicas.dovecot`                       |         :x:         |       :gear:       |
-| Element          | `replicas.element`                       | :white_check_mark:  | :white_check_mark: |
+| Element                     | `replicas.element`                       | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.matrixNeoBoardWidget`          | :white_check_mark:  |       :gear:       |
+|                             | `replicas.matrixNeoBoardWidget`          | :white_check_mark:  |       :gear:       |
-|                  | `replicas.matrixNeoChoiceWidget`         | :white_check_mark:  |       :gear:       |
+|                             | `replicas.matrixNeoChoiceWidget`         | :white_check_mark:  |       :gear:       |
-|                  | `replicas.matrixNeoDateFixBot`           | :white_check_mark:  |       :gear:       |
+|                             | `replicas.matrixNeoDateFixBot`           | :white_check_mark:  |       :gear:       |
-|                  | `replicas.matrixNeoDateFixWidget`        | :white_check_mark:  |       :gear:       |
+|                             | `replicas.matrixNeoDateFixWidget`        | :white_check_mark:  |       :gear:       |
-|                  | `replicas.matrixUserVerificationService` | :white_check_mark:  |       :gear:       |
+|                             | `replicas.matrixUserVerificationService` | :white_check_mark:  |       :gear:       |
-|                  | `replicas.synapse`                       |         :x:         |       :gear:       |
+|                             | `replicas.synapse`                       |         :x:         |       :gear:       |
-|                  | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
-| Intercom Service | `replicas.intercomService`               | :white_check_mark:  |       :gear:       |
+| Intercom Service            | `replicas.intercomService`               | :white_check_mark:  | :white_check_mark: |
-| Jitsi            | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
+| Jitsi                       | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
-|                  | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
+|                             | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
-|                  | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
+|                             | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
-|                  | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
+|                             | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
-|                  | `replicas.jvb `                          |         :x:         |        :x:         |
+|                             | `replicas.jvb `                          |         :x:         |        :x:         |
-| Keycloak         | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
+| Keycloak                    | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
-| Memcached        | `replicas.memcached`                     |       :gear:        |       :gear:       |
+| Memcached                   | `replicas.memcached`                     |       :gear:        |       :gear:       |
-| Minio            | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
+| Minio                       | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
-| Nextcloud        | `replicas.nextcloudApache2`              | :white_check_mark:  | :white_check_mark: |
+| Nextcloud                   | `replicas.nextcloudApache2`              | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.nextcloudExporter`             | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.nextcloudExporter`             | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.nextcloudPHP`                  | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.nextcloudPHP`                  | :white_check_mark:  | :white_check_mark: |
-| OpenProject      | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
+| OpenProject                 | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
-| Postfix          | `replicas.postfix`                       |         :x:         |       :gear:       |
+| Postfix                     | `replicas.postfix`                       |         :x:         |       :gear:       |
-| Redis            | `replicas.redis`                         |       :gear:        |       :gear:       |
+| Redis                       | `replicas.redis`                         |       :gear:        |       :gear:       |
-| XWiki            | `replicas.xwiki`                         |         :x:         |       :gear:       |
+| Univention Management Stack |                                          |       :gear:        |       :gear:       |
+|                             | `replicas.umsPortalFrontend`             | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.umsPortalServer`               | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.umsUdmRestApi`                 | :white_check_mark:  | :white_check_mark: |
+| XWiki                       | `replicas.xwiki`                         |         :x:         |       :gear:       |

docs/security-context.md

@@ -0,0 +1,227 @@
+<!--
+SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+<h1>Kubernetes Security Context</h1>
+
+* [Container Security Context](#container-security-context)
+  * [allowPrivilegeEscalation](#allowprivilegeescalation)
+  * [capabilities](#capabilities)
+  * [privileged](#privileged)
+  * [runAsUser](#runasuser)
+  * [runAsGroup](#runasgroup)
+  * [seccompProfile](#seccompprofile)
+  * [readOnlyRootFilesystem](#readonlyrootfilesystem)
+  * [runAsNonRoot](#runasnonroot)
+* [Status quo](#status-quo)
+
+# Container Security Context
+
+
+The containerSecurityContext is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges.
+
+## allowPrivilegeEscalation
+
+
+Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed (Linux only) at any time.
+
+```yaml
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+```
+
+## capabilities
+
+
+Containers must drop ALL capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability (Linux only).
+
+
+**Optimal:**
+
+```yaml
+containerSecurityContext:
+  capabilities:
+    drop:
+      - "ALL"
+```
+
+
+**Allowed:**
+
+```yaml
+containerSecurityContext:
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "NET_BIND_SERVICE"
+```
+
+## privileged
+
+
+Privileged Pods disable most security mechanisms and must be disallowed.
+
+```yaml
+containerSecurityContext:
+  privileged: false
+```
+
+## runAsUser
+
+
+Containers should set a user id >= 1000 and never use 0 (root) as user.
+
+```yaml
+containerSecurityContext:
+  runAsUser: 1000
+```
+
+## runAsGroup
+
+
+Containers should set a group id >= 1000 and never use 0 (root) as user.
+
+```yaml
+containerSecurityContext:
+  runAsGroup: 1000
+```
+
+## seccompProfile
+
+
+Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
+
+```yaml
+containerSecurityContext:
+  seccompProfile:
+    type: "RuntimeDefault"
+```
+
+
+or
+
+```yaml
+containerSecurityContext:
+  seccompProfile:
+    type: "Localhost"
+```
+
+## readOnlyRootFilesystem
+
+
+Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
+
+```yaml
+containerSecurityContext:
+  readOnlyRootFilesystem: true
+```
+
+## runAsNonRoot
+
+
+Containers must be required to run as non-root users.
+
+```yaml
+containerSecurityContext:
+  runAsNonRoot: true
+```
+
+# Status quo
+
+
+openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
+
+
+The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
+
+
+This list gives you an overview of templated security settings and if they comply with security standards:
+
+
+ - **yes**: Value is set to `true`
+ - **no**: Value is set to `false`
+ - **n/a**: No explicitly templated in openDesk and default is used.
+
+| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
+| ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
+| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
+| **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
+| **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/matrix-neodatefix-bot | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/matrix-neodatefix-bot-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/matrix-neodatefix-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/opendesk-element | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/opendesk-matrix-user-verification-service | :x: | no | no | no | no | 0 | 0 | yes | yes |
+| **element**/opendesk-matrix-user-verification-service-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes |
+| **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **intercom-service**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
+| **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
+| **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-imageconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-mw/gotenberg | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-ui-middleware | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/core-user-guide | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **provisioning**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
+| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
+| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
+| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-guardian-authorization-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-guardian-management-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-guardian-management-ui | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-ldap-notifier | :x: | no | no | no | no | 0 | 0 | yes | yes |
+| **univention-management-stack**/ums-ldap-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-notifications-api | :x: | no | no | no | no | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-open-policy-agent | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-portal-frontend | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-portal-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-provisioning/dispatcher | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-provisioning/events-and-consumer-api | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
+| **univention-management-stack**/ums-provisioning/udm-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
+| **univention-management-stack**/ums-stack-data-ums | :x: | no | no | no | no | 0 | 0 | yes | yes |
+| **univention-management-stack**/ums-stack-gateway | :x: | no | no | no | yes | 1001 | 1001 | yes | yes |
+| **univention-management-stack**/ums-store-dav | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-udm-rest-api | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **univention-management-stack**/ums-umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
+
+
+This file is auto-generated by [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli)

docs/security.md

@@ -15,89 +15,21 @@ This document should cover the current status of security measurements.
 
 # Helm Chart Trust Chain
 
-Helm charts are signed and validated against GPG keys which could be found in `helmfile/files/gpg-pubkeys`.
+Helm charts are signed and validated against GPG keys which can be found in `helmfile/files/gpg-pubkeys`.
 
-All charts except these are verifiable:
+For more details on Chart validation please visit: https://helm.sh/docs/topics/provenance/
+
+All charts except the ones mentioned below are verifiable:
 
 | Repository        | Verifiable |
 |-------------------|:----------:|
-| collabora-repo    |     no     |
 | open-xchange-repo |     no     |
 
 # Kubernetes Security Enforcements
 
 This list gives you an overview of default security settings and if they comply with security standards:
 
-
+⟶ Visit our generated detailed [Security Context](./security-context.md) overview.
-| Component                   | Process                       |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
-|-----------------------------|-------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
-| ClamAV                      | clamd                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|                             | freshclam                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|                             | icap                          | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|                             | milter                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-| Collabora                   | collabora                     |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
-| CryptPad                    | cryptpad                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   4001    |    4001    |  4001   |
-| Dovecot                     | dovecot                       |        :x:         |         :white_check_mark:         |                          :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`)                           |        :white_check_mark:         |       :white_check_mark:        |          :x:          |     -     |     -      |  1000   |
-| Element                     | element                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-|                             | synapse                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
-|                             | synapseWeb                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-|                             | wellKnown                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-| IntercomService             | intercom-service              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-| Jitsi                       | jibri                         |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | jicofo                        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | jitsiKeycloakAdapter          | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
-|                             | jvb                           |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | prosody                       |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | web                           |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-| MariaDB                     | mariadb                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-| Memcached                   | memcached                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
-| Minio                       | minio                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-| Nextcloud                   | opendesk-nextcloud-apache2    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
-|                             | opendesk-nextcloud-cron       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
-|                             | opendesk-nextcloud-exporter   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
-|                             | opendesk-nextcloud-management |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   65532   |   65532    |  65532  |
-|                             | opendesk-nextcloud-php        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
-| Open-Xchange                | core-documentconverter        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
-|                             | core-guidedtours              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | core-imageconverter           |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
-|                             | core-mw-default               |        :x:         |                :x:                 |                                                                      :x:                                                                       |                :x:                |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | core-ui                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | core-ui-middleware            | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | core-ui-middleware-updater    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | core-user-guide               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | gotenberg                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | guard-ui                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | nextlcoud-integration-ui      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | public-sector-ui              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-| OpenProject                 | openproject                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-|                             | opendeskOpenprojectBootstrap  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-| Postfix                     | postfix                       |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
-| PostgreSQL                  | postgresql                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-| Redis                       | redis                         |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     0      |  1001   |
-| Univention Management Stack | guardian-authorization-api    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | guardian-management-api       |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | guardian-management-ui        |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | keycloak                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
-|                             | keycloak-bootstrap            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
-|                             | keycloak-extension-handler    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | keycloak-extension-proxy      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|                             | ldap-notifier                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | ldap-server                   |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | notifications-api             |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | opendesk-keycloak-bootstrap   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-|                             | open-policy-agent             |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | portal-frontend               |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | portal-listener               |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | portal-server                 |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | provisioning-api              |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | selfservice-listener          |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | stack-gateway                 | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-|                             | store-dav                     |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | udm-rest-api                  |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | umc-gateway                   |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | umc-server                    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-| XWiki                       | xwiki                         |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   101   |
-|                             | xwiki initContainers          |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
 
 # NetworkPolicies
 

docs/workflow.md

@@ -1,5 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 
@@ -139,17 +140,19 @@ As a standard, the openDesk platform development team uses [reuse.software](http
 
 openDesk uses Apache 2.0 as the license for their work. A typical reuse copyright and license header looks like this:
 ```
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ```
 As the way to mark the license header as a comment differs between the various filetypes, please find matching examples for the types all across the [deployment automation repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace).
 
+**Remark**: If there is already an existing `SPDX-FileCopyrightText` please just add the one from the above example.
+
 ## Development workflow
 
 ### Disclaimer
 
 openDesk consists only of community products, so there is no SLA to receive service updates or backports of critical security fixes. This has two consequences:
-- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backend paid versions.
+- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backed paid versions.
 - openDesk aims to always update to the latest available releases of the community components and we therefore have rolling technical releases.
 
 ### Workflow
@@ -225,22 +228,28 @@ gitGraph
 
 The Standard Quality Gate addresses quality assurance steps that should be executed within each of the mentioned quality gates in the workflow.
 
+1. Linting
+   - Blocking
+     - Licening: [reuse](https://github.com/fsfe/reuse-tool)
+     - openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in the [development](./development.md) docu
+   - Non Blocking
+     - Security: [Kyverno policy check](../.kyverno) addressing some IT-Grundschutz requirements
+     - Formal: Yaml
 1. Deploy the full openDesk stack from scratch:
    - All deployment steps must be successful (green)
    - All tests from the end-to-end test set must be successful
-2. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
+1. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
    - Deploy the current merge target baseline (`develop` or `main`)
    - Update deploy from your QA branch into the instance from the previous step
-3. No showstopper found regarding
+1. No showstopper found regarding
    - SBOM compliance[^4]
    - Malware check
    - CVE check[^5]
    - Kubescape scan[^5]
-   - Kyverno policy check (also covering some basic requirements from IT-Grundschutz)[^5]
 
-Steps #1 and #2 from above are executed as GitLab CI and therefore documented within GitLab.
+Steps #1 to #3 from above are executed as GitLab CI and therefore documented within GitLab.
 
-Step #3 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
+Step #4 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
 
 ```mermaid
 flowchart TD

helmfile/apps/collabora/helmfile.yaml

@@ -8,10 +8,12 @@ repositories:
   # Collabora Online
   # Source: https://github.com/CollaboraOnline/online
   - name: "collabora-online-repo"
+    keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg"
+    verify: {{ .Values.charts.collabora.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.collabora.registry }}/\
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/\
       {{ .Values.charts.collabora.repository }}"
 
 releases:

helmfile/apps/collabora/values.yaml.gotmpl

@@ -11,7 +11,7 @@ collabora:
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:
-    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
+    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 
 fullnameOverride: "collabora"
 
@@ -19,9 +19,9 @@ grafana:
   dashboards:
     enabled: {{ .Values.grafana.dashboards.enabled }}
     labels:
-      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
+      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
     annotations:
-      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
+      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
 
 image:
   repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -90,11 +90,11 @@ prometheus:
   servicemonitor:
     enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
     labels:
-      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
   rules:
     enabled: {{ .Values.prometheus.prometheusRules.enabled }}
     additionalLabels:
-      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
+      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
 
 replicaCount: {{ .Values.replicas.collabora }}
 
@@ -126,7 +126,8 @@ securityContext:
       - "NET_RAW"
       - "SYS_CHROOT"
       - "MKNOD"
-
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}
 serviceAccount:
   create: true
 ...

helmfile/apps/cryptpad/helmfile.yaml

@@ -13,15 +13,15 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/\
+      {{ .Values.charts.cryptpad.repository }}"
 
 releases:
   - name: "cryptpad"
     chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
     version: "{{ .Values.charts.cryptpad.version }}"
     values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
-      - "values.gotmpl"
     installed: {{ .Values.cryptpad.enabled }}
 
 commonLabels:

helmfile/apps/cryptpad/values.gotmpl

@@ -1,33 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
-  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
-  tag: {{ .Values.images.cryptpad.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . | quote }}
-{{- end }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  className: {{ .Values.ingress.ingressClassName | quote }}
-  hosts:
-    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
-      paths:
-        - path: "/"
-          pathType: "ImplementationSpecific"
-  tls:
-    - secretName: {{ .Values.ingress.tls.secretName | quote }}
-      hosts:
-        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
-
-replicaCount: {{ .Values.replicas.cryptpad }}
-
-resources:
-  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
-...

helmfile/apps/cryptpad/values.yaml.gotmpl

@@ -22,9 +22,30 @@ enableEmbedding: true
 
 fullnameOverride: "cryptpad"
 
+image:
+  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
+  tag: {{ .Values.images.cryptpad.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
 ingress:
+  enabled: {{ .Values.ingress.enabled }}
   annotations:
     nginx.org/websocket-services: "cryptpad"
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/"
+          pathType: "ImplementationSpecific"
+  tls:
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
+      hosts:
+        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
 
 persistence:
   enabled: false
@@ -32,20 +53,29 @@ persistence:
 podSecurityContext:
   fsGroup: 4001
 
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
     drop:
       - "ALL"
+  privileged: false
   seccompProfile:
     type: "RuntimeDefault"
-  # readOnlyRootFilesystem: true
+  readOnlyRootFilesystem: false
   runAsNonRoot: true
   runAsUser: 4001
   runAsGroup: 4001
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.cryptpad | toYaml | nindent 4 }}
 
 serviceAccount:
   create: true
 
 workloadStateful: false
+
 ...

helmfile/apps/element/helmfile.yaml

@@ -13,35 +13,40 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/\
+      {{ .Values.charts.element.repository }}"
   - name: "element-well-known-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.elementWellKnown.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/\
+      {{ .Values.charts.elementWellKnown.repository }}"
   - name: "synapse-web-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseWeb.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/\
+      {{ .Values.charts.synapseWeb.repository }}"
   - name: "synapse-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapse.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/\
+      {{ .Values.charts.synapse.repository }}"
   - name: "synapse-create-account-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseCreateAccount.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/\
+      {{ .Values.charts.synapseCreateAccount.repository }}"
 
   # openDesk Matrix Widgets
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -51,7 +56,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
       {{ .Values.charts.matrixUserVerificationService.repository }}"
   - name: "matrix-neoboard-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -59,28 +64,32 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
+      {{ .Values.charts.matrixNeoboardWidget.repository }}"
   - name: "matrix-neochoice-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
+      {{ .Values.charts.matrixNeoboardWidget.repository }}"
   - name: "matrix-neodatefix-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/\
+      {{ .Values.charts.matrixNeodatefixWidget.repository }}"
   - name: "matrix-neodatefix-bot-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/\
+      {{ .Values.charts.matrixNeodatefixBot.repository }}"
 
 
 releases:
@@ -88,8 +97,7 @@ releases:
     chart: "element-repo/{{ .Values.charts.element.name }}"
     version: "{{ .Values.charts.element.version }}"
     values:
-      - "values-element.yaml"
+      - "values-element.yaml.gotmpl"
-      - "values-element.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -97,8 +105,7 @@ releases:
     chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
     version: "{{ .Values.charts.elementWellKnown.version }}"
     values:
-      - "values-well-known.yaml"
+      - "values-well-known.yaml.gotmpl"
-      - "values-well-known.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -106,8 +113,7 @@ releases:
     chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
     version: "{{ .Values.charts.synapseWeb.version }}"
     values:
-      - "values-synapse-web.yaml"
+      - "values-synapse-web.yaml.gotmpl"
-      - "values-synapse-web.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -115,8 +121,7 @@ releases:
     chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
     version: "{{ .Values.charts.synapse.version }}"
     values:
-      - "values-synapse.yaml"
+      - "values-synapse.yaml.gotmpl"
-      - "values-synapse.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -124,8 +129,7 @@ releases:
     chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
-      - "values-matrix-user-verification-service-bootstrap.yaml"
+      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
-      - "values-matrix-user-verification-service-bootstrap.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -133,8 +137,7 @@ releases:
     chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
     version: "{{ .Values.charts.matrixUserVerificationService.version }}"
     values:
-      - "values-matrix-user-verification-service.yaml"
+      - "values-matrix-user-verification-service.yaml.gotmpl"
-      - "values-matrix-user-verification-service.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -142,8 +145,7 @@ releases:
     chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
     version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
     values:
-      - "values-matrix-neoboard-widget.yaml"
+      - "values-matrix-neoboard-widget.yaml.gotmpl"
-      - "values-matrix-neoboard-widget.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -151,8 +153,7 @@ releases:
     chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
     version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
     values:
-      - "values-matrix-neochoice-widget.yaml"
+      - "values-matrix-neochoice-widget.yaml.gotmpl"
-      - "values-matrix-neochoice-widget.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -160,8 +161,7 @@ releases:
     chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
     version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
     values:
-      - "values-matrix-neodatefix-widget.yaml"
+      - "values-matrix-neodatefix-widget.yaml.gotmpl"
-      - "values-matrix-neodatefix-widget.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -169,8 +169,7 @@ releases:
     chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
-      - "values-matrix-neodatefix-bot-bootstrap.yaml"
+      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
-      - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -178,8 +177,7 @@ releases:
     chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
     version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
     values:
-      - "values-matrix-neodatefix-bot.yaml"
+      - "values-matrix-neodatefix-bot.yaml.gotmpl"
-      - "values-matrix-neodatefix-bot.gotmpl"
     installed: {{ .Values.element.enabled }}
     timeout: 900
 

helmfile/apps/element/values-element.yaml

@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-element.yaml.gotmpl

@@ -1,16 +1,8 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 configuration:
+  endToEndEncryption: true
   additionalConfiguration:
     logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
 
@@ -23,9 +15,6 @@ configuration:
           portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
         custom_css_variables:
           --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
-        widget_types:
-          - jitsi
-          - net.nordeck
 
     "net.nordeck.element_web.module.widget_lifecycle":
       widget_permissions:
@@ -105,6 +94,29 @@ configuration:
 
   welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
 
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.element | toYaml | nindent 4 }}
+
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
@@ -119,11 +131,16 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
+  fsGroup: 101
 
 replicaCount: {{ .Values.replicas.element }}
 
 resources:
   {{ .Values.resources.element | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-matrix-neoboard-widget.yaml

@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl

@@ -1,8 +1,22 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -23,11 +37,16 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
+  fsGroup: 101
 
 replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
 
 resources:
   {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-matrix-neochoice-widget.yaml

@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl

@@ -1,8 +1,22 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -23,11 +37,16 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
+  fsGroup: 101
 
 replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
 
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
 resources:
   {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl

@@ -1,22 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
-
-configuration:
-  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
-  url: {{ .Values.images.synapseCreateUser.repository | quote }}
-  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml

@@ -1,8 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  username: "meetings-bot"
-  pod: "opendesk-synapse-0"
-  secretName: "matrix-neodatefix-bot-account"
-...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl

@@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+  username: "meetings-bot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-neodatefix-bot-account"
+  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+fullnameOverride: "matrix-neodatefix-bot-bootstrap"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
+
+...

helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl

@@ -1,37 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-configuration:
-  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
-  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
-  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-persistence:
-  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-
-replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
-
-resources:
-  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
-...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml

@@ -1,50 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  bot:
-    username: "meetings-bot"
-    displayname: "Terminplaner Bot"
-
-  strings:
-    breakoutSessionWidgetName: "Breakoutsessions"
-    calendarRoomName: "Terminplaner"
-    calendarWidgetName: "Terminplaner"
-    cockpitWidgetName: "Meeting Steuerung"
-    jitsiWidgetName: "Videokonferenz"
-    matrixNeoBoardWidgetName: "Whiteboard"
-    matrixNeoChoiceWidgetName: "Abstimmungen"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-extraEnvVars:
-  - name: "ACCESS_TOKEN"
-    valueFrom:
-      secretKeyRef:
-        name: "matrix-neodatefix-bot-account"
-        key: "access_token"
-
-# TODO: The health endpoint does not work with the haproxy configuration, yet
-livenessProbe:
-  enabled: false
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-# TODO: The health endpoint does not work with the haproxy configuration, yet
-readinessProbe:
-  enabled: false
-...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  bot:
+    username: "meetings-bot"
+    displayname: "Terminplaner Bot"
+  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+  strings:
+    breakoutSessionWidgetName: "Breakoutsessions"
+    calendarRoomName: "Terminplaner"
+    calendarWidgetName: "Terminplaner"
+    cockpitWidgetName: "Meeting Steuerung"
+    jitsiWidgetName: "Videokonferenz"
+    matrixNeoBoardWidgetName: "Whiteboard"
+    matrixNeoChoiceWidgetName: "Abstimmungen"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
+
+extraEnvVars:
+  - name: "ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "matrix-neodatefix-bot-account"
+        key: "access_token"
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
+  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
+  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+livenessProbe:
+  enabled: true
+
+persistence:
+  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+readinessProbe:
+  enabled: true
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
+
+resources:
+  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
+
+...

helmfile/apps/element/values-matrix-neodatefix-widget.yaml

@@ -1,25 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  bot:
-    username: "meetings-bot"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -1,8 +1,27 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+configuration:
+  bot:
+    username: "meetings-bot"
+    homeserver: {{ .Values.global.synapseDomain | default .Values.global.domain }}
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -23,11 +42,16 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
+  fsGroup: 101
 
 replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
 
 resources:
   {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl

@@ -1,22 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
-
-configuration:
-  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
-  url: {{ .Values.images.synapseCreateUser.repository | quote }}
-  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml

@@ -1,8 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  username: "uvs"
-  pod: "opendesk-synapse-0"
-  secretName: "opendesk-matrix-user-verification-service-account"
-...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+  username: "uvs"
+  pod: "opendesk-synapse-0"
+  secretName: "opendesk-matrix-user-verification-service-account"
+  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
+...

helmfile/apps/element/values-matrix-user-verification-service.gotmpl

@@ -1,23 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
-  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
-  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
-
-replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
-
-resources:
-  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
-...

helmfile/apps/element/values-matrix-user-verification-service.yaml

@@ -1,31 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  # TODO: the service can't run with read only filesystem or as non-root
-  # readOnlyRootFilesystem: true
-  # runAsGroup: 101
-  # runAsNonRoot: true
-  # runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-extraEnvVars:
-  - name: "UVS_ACCESS_TOKEN"
-    valueFrom:
-      secretKeyRef:
-        name: "opendesk-matrix-user-verification-service-account"
-        key: "access_token"
-  - name: "UVS_DISABLE_IP_BLACKLIST"
-    value: "true"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl

@@ -0,0 +1,51 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsGroup: 0
+  runAsNonRoot: false
+  runAsUser: 0
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
+
+extraEnvVars:
+  - name: "UVS_ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "opendesk-matrix-user-verification-service-account"
+        key: "access_token"
+  - name: "UVS_DISABLE_IP_BLACKLIST"
+    value: "true"
+
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
+  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
+  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
+
+resources:
+  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
+
+...

helmfile/apps/element/values-synapse-web.yaml

@@ -1,21 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-synapse-web.yaml.gotmpl

@@ -1,8 +1,24 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+clusterDomain: {{ .Values.cluster.networking.domain }}
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.synapseWeb | toYaml | nindent 4 }}
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -24,8 +40,13 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
 replicaCount: {{ .Values.replicas.synapseWeb }}
 
 resources:
   {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-synapse.yaml

@@ -1,52 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  additionalConfiguration:
-    user_directory:
-      enabled: true
-      search_all_users: true
-    room_prejoin_state:
-      additional_event_types:
-        - "m.space.parent"
-        - "net.nordeck.meetings.metadata"
-        - "m.room.power_levels"
-    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
-    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
-    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
-    rc_login:
-      account:
-        per_second: 2
-        burst_count: 8
-      address:
-        per_second: 2
-        burst_count: 12
-
-  homeserver:
-    guestModule:
-      enabled: true
-    oidc:
-      clientId: "opendesk-matrix"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 10991
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 10991
-
-readinessProbe:
-  initialDelaySeconds: 15
-  periodSeconds: 5
-
-...

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -1,22 +1,27 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
-  repository: {{ .Values.images.synapse.repository | quote }}
-  tag: {{ .Values.images.synapse.tag | quote }}
-
 configuration:
+  additionalConfiguration:
+    user_directory:
+      enabled: true
+      search_all_users: true
+    room_prejoin_state:
+      additional_event_types:
+        - "m.space.parent"
+        - "net.nordeck.meetings.metadata"
+        - "m.room.power_levels"
+    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
+    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
+    rc_login:
+      account:
+        per_second: 2
+        burst_count: 8
+      address:
+        per_second: 2
+        burst_count: 12
+
   database:
     host: {{ .Values.databases.synapse.host | quote }}
     name: {{ .Values.databases.synapse.name | quote }}
@@ -24,6 +29,7 @@ configuration:
     password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
 
   homeserver:
+    serverName: {{ .Values.global.synapseDomain | default .Values.global.domain }}
     appServiceConfigs:
       - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
         hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -36,6 +42,7 @@ configuration:
         sender_localpart: intercom-service
 
     oidc:
+      clientId: "opendesk-matrix"
       clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
       issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
 
@@ -53,18 +60,57 @@ configuration:
         {{- end }}
 
     guestModule:
+      enabled: true
       image:
         imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
         registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
         repository: {{ .Values.images.synapseGuestModule.repository | quote }}
         tag: {{ .Values.images.synapseGuestModule.tag | quote }}
 
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10991
+  runAsGroup: 10991
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
+
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
+  repository: {{ .Values.images.synapse.repository | quote }}
+  tag: {{ .Values.images.synapse.tag | quote }}
+
 persistence:
   size: {{ .Values.persistence.size.synapse | quote }}
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 10991
+
+readinessProbe:
+  initialDelaySeconds: 15
+  periodSeconds: 5
+
 replicaCount: {{ .Values.replicas.synapse }}
 
 resources:
   {{ .Values.resources.synapse | toYaml | nindent 2 }}
+
 ...

helmfile/apps/element/values-well-known.yaml

@@ -1,25 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-configuration:
-  e2ee:
-    forceDisable: true
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-...

helmfile/apps/element/values-well-known.yaml.gotmpl

@@ -1,8 +1,26 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+configuration:
+  e2ee:
+    forceDisable: false
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.wellKnown | toYaml | nindent 4 }}
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -24,8 +42,13 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
 replicaCount: {{ .Values.replicas.wellKnown }}
 
 resources:
   {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
+
 ...

helmfile/apps/intercom-service/helmfile.yaml

@@ -13,15 +13,15 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/\
+      {{ .Values.charts.intercomService.repository }}"
 
 releases:
   - name: "intercom-service"
     chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
     version: "{{ .Values.charts.intercomService.version }}"
     values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
-      - "values.gotmpl"
     installed: {{ .Values.intercom.enabled }}
 
 commonLabels:

helmfile/apps/intercom-service/values.yaml

@@ -1,26 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-ics:
-  oidc:
-    id: "opendesk-intercom"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 1000
-  runAsGroup: 1000
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-...

helmfile/apps/intercom-service/values.yaml.gotmpl

@@ -1,8 +1,22 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}
+
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
@@ -13,12 +27,13 @@ global:
 ics:
   secret: {{ .Values.secrets.intercom.secret | quote }}
   issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
-  originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
+  originRegex: "{{ .Values.global.domain }}"
   keycloak:
     realm: {{ .Values.platform.realm | quote }}
   default:
     domain: {{ .Values.global.domain | quote }}
   oidc:
+    id: "opendesk-intercom"
     secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
   matrix:
     asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -34,7 +49,7 @@ ics:
     password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
   openxchange:
     oci: true
-    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
     audience: "opendesk-oxappsuite"
   nextcloud:
     audience: "opendesk-nextcloud"
@@ -52,8 +67,14 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+
 replicaCount: {{ .Values.replicas.intercomService }}
 
 resources:
   {{ .Values.resources.intercomService | toYaml | nindent 2 }}
+
 ...

helmfile/apps/jitsi/helmfile.yaml

@@ -13,7 +13,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/\
+      {{ .Values.charts.jitsi.repository }}"
 
 releases:
   - name: "jitsi"

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -14,6 +14,7 @@ containerSecurityContext:
   allowPrivilegeEscalation: false
   enabled: true
   readOnlyRootFilesystem: true
+  privileged: false
   capabilities:
     drop:
       - "ALL"
@@ -22,6 +23,8 @@ containerSecurityContext:
   runAsUser: 1993
   runAsGroup: 1993
   runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -62,6 +65,18 @@ jitsi:
       TURN_ENABLE: "1"
     resources:
       {{ .Values.resources.jitsi | toYaml | nindent 6 }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+      seccompProfile:
+        type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
   prosody:
     image:
       repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -98,6 +113,18 @@ jitsi:
     persistence:
       size: {{ .Values.persistence.size.prosody | quote }}
       storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+      seccompProfile:
+        type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
   jicofo:
     replicaCount: {{ .Values.replicas.jicofo }}
     image:
@@ -108,6 +135,18 @@ jitsi:
       componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
     resources:
       {{ .Values.resources.jicofo | toYaml | nindent 6 }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+      seccompProfile:
+        type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     image:
@@ -119,6 +158,18 @@ jitsi:
       {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
       type: {{ .Values.cluster.service.type | quote }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+      seccompProfile:
+        type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
   jibri:
     replicaCount: {{ .Values.replicas.jibri }}
     image:
@@ -130,6 +181,10 @@ jitsi:
       password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
     resources:
       {{ .Values.resources.jibri | toYaml | nindent 6 }}
+    securityContext:
+      # Chart does not allow to template more
+      capabilities:
+        add: ["SYS_ADMIN"]
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . | quote }}
@@ -141,8 +196,19 @@ patchJVB:
     loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
   containerSecurityContext:
     allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
     enabled: true
+    privileged: false
     readOnlyRootFilesystem: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
+    seccompProfile:
+      type: "RuntimeDefault"
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
   image:
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}

helmfile/apps/nextcloud/helmfile.yaml

@@ -13,14 +13,16 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/\
+      {{ .Values.charts.nextcloudManagement.repository }}"
   - name: "nextcloud-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.nextcloud.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/\
+      {{ .Values.charts.nextcloud.repository }}"
 
 releases:
   - name: "opendesk-nextcloud-management"

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -9,11 +9,13 @@ global:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  istioDomain: {{ .Values.istio.domain }}
 
 additionalAnnotations:
   intents.otterize.com/service-name: "opendesk-nextcloud-php"
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
 configuration:
   administrator:
     username: "nextcloud"
@@ -44,12 +46,20 @@ configuration:
   ldap:
     host: {{ .Values.ldap.host | quote }}
     password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
+    adminGroupName: "managed-by-attribute-FileshareAdmin"
   objectstore:
     auth:
       accessKey:
-        value: "nextcloud_user"
+        value: {{ .Values.objectstores.nextcloud.username | quote }}
       secretKey:
-        value: {{ .Values.secrets.minio.nextcloudUser | quote }}
+        value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
+    bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
+    host: {{ .Values.objectstores.nextcloud.endpoint | quote }}
+    region: {{ .Values.objectstores.nextcloud.region | quote }}
+    storageClass: {{ .Values.objectstores.nextcloud.storageClass | quote }}
+    port: {{ .Values.objectstores.nextcloud.port | quote }}
+    pathStyle: {{ .Values.objectstores.nextcloud.pathStyle | quote }}
+    useSSL: {{ .Values.objectstores.nextcloud.useSSL | quote }}
   oidc:
     username:
       value: "opendesk-nextcloud"
@@ -77,12 +87,18 @@ containerSecurityContext:
     drop:
       - "ALL"
   enabled: true
+  privileged: false
   runAsUser: 65532
   runAsGroup: 65532
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: false
   runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
+
+debug:
+  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
@@ -95,4 +111,5 @@ theme:
 
 resources:
   {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
+
 ...

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -18,12 +18,15 @@ exporter:
       drop:
         - "ALL"
     enabled: true
+    privileged: false
     runAsUser: 65532
     runAsGroup: 65532
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.nextcloudExporter | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
     repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -33,12 +36,12 @@ exporter:
     serviceMonitor:
       enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
       labels:
-        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
     prometheusRule:
       enabled: {{ .Values.prometheus.prometheusRules.enabled }}
       additionalLabels:
-        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
+        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
-  replicas: {{ .Values.replicas.nextcloudExporter }}
+  replicaCount: {{ .Values.replicas.nextcloudExporter }}
   resources:
     {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
 
@@ -69,12 +72,19 @@ php:
       drop:
         - "ALL"
     enabled: true
+    privileged: false
     runAsUser: 65532
     runAsGroup: 65532
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.nextcloudPHP | toYaml | nindent 6 }}
+  cron:
+    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
+  debug:
+    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
     repository: "{{ .Values.images.nextcloudPHP.repository }}"
@@ -84,12 +94,12 @@ php:
     serviceMonitor:
       enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
       labels:
-        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
     prometheusRule:
       enabled: {{ .Values.prometheus.prometheusRules.enabled }}
       additionalLabels:
-        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
+        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
-  replicas: {{ .Values.replicas.nextcloudPHP }}
+  replicaCount: {{ .Values.replicas.nextcloudPHP }}
   resources:
     {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
 
@@ -103,12 +113,15 @@ apache2:
       drop:
         - "ALL"
     enabled: true
+    privileged: false
     runAsUser: 65532
     runAsGroup: 65532
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.nextcloudApache2 | toYaml | nindent 6 }}
   ingress:
     enabled: {{ .Values.ingress.enabled }}
     ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
@@ -120,7 +133,7 @@ apache2:
     repository: {{ .Values.images.nextcloudApache2.repository | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.nextcloudApache2.tag | quote }}
-  replicas: {{ .Values.replicas.nextcloudApache2 }}
+  replicaCount: {{ .Values.replicas.nextcloudApache2 }}
   resources:
     {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
 ...

helmfile/apps/open-xchange/helmfile.yaml

@@ -6,31 +6,36 @@ bases:
 ---
 repositories:
   # openDesk Dovecot
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dovecot
   - name: "dovecot-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.dovecot.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/\
+      {{ .Values.charts.dovecot.repository }}"
 
   # Open-Xchange
   - name: "open-xchange-repo"
+    keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
+    verify: {{ .Values.charts.openXchangeAppSuite.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/\
+      {{ .Values.charts.openXchangeAppSuite.repository }}"
 
   # openDesk Open-Xchange Bootstrap
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
+  # Source:
+  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
   - name: "open-xchange-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
       {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
 
 releases:

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -66,6 +66,8 @@ containerSecurityContext:
   readOnlyRootFilesystem: true
   seccompProfile:
     type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
 
 podSecurityContext:
   enabled: true

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
   mysql:
     host: {{ .Values.databases.oxAppsuite.host | quote }}
     database: {{ .Values.databases.oxAppsuite.name | quote }}
@@ -13,9 +13,6 @@ global:
       password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
       rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 
-istio:
-  enabled: {{ .Values.istio.enabled }}
-
 nextcloud-integration-ui:
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
@@ -32,12 +29,16 @@ nextcloud-integration-ui:
     capabilities:
       drop:
         - "ALL"
-    readOnlyRootFilesystem: true
+    privileged: false
+    readOnlyRootFilesystem: false
     runAsGroup: 1000
     runAsNonRoot: true
     runAsUser: 1000
+    privileged: false
     seccompProfile:
       type: "RuntimeDefault"
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI | toYaml | nindent 6 }}
 
 public-sector-ui:
   image:
@@ -56,12 +57,16 @@ public-sector-ui:
     capabilities:
       drop:
         - "ALL"
+    privileged: false
     readOnlyRootFilesystem: true
     runAsGroup: 1000
     runAsNonRoot: true
     runAsUser: 1000
+    privileged: false
     seccompProfile:
       type: "RuntimeDefault"
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.openxchangePublicSectorUI | toYaml | nindent 6 }}
 
 appsuite:
   appsuite-toolkit:
@@ -69,18 +74,22 @@ appsuite:
   switchboard:
     enabled: false
   istio:
-    enabled: {{ .Values.istio.enabled }}
+    enabled: false
-    ingressGateway:
+  ingress:
-      name: "opendesk-gateway-istio-gateway"
+    enabled: {{ .Values.ingress.enabled }}
+    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+    tls:
+      enabled: true
+      existingSecret: {{ .Values.ingress.tls.secretName | quote }}
+    appsuite:
       hosts:
-        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
-    virtualServices:
+    dav:
-      appsuite:
+      hosts:
-        hosts:
+        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
-          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+    routes:
-      dav:
+      trailslash:
-        hosts:
+        enabled: false
-          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
   core-mw:
     enabled: true
     asConfig:
@@ -91,7 +100,9 @@ appsuite:
         oidcPath: "/oidc"
     masterAdmin: "admin"
     masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
-    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+    serviceAccount:
+      create: true
     features:
       status:
         # enable admin pack
@@ -119,8 +130,12 @@ appsuite:
         readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 1001
+        runAsGroup: 1001
+        privileged: false
         seccompProfile:
           type: "RuntimeDefault"
+        seLinuxOptions:
+          {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
     hooks:
       beforeAppsuiteStart:
         create-guard-dir.sh: |
@@ -154,9 +169,9 @@ appsuite:
       com.openexchange.oidc.opJwkSetEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
       com.openexchange.oidc.opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
       com.openexchange.oidc.opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
-      com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
+      com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/auth"
       com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-      com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
+      com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/logout"
       com.openexchange.oidc.ssoLogout: "true"
       com.openexchange.oidc.startDefaultBackend: "true"
       com.openexchange.oidc.userLookupClaim: "opendesk_username"
@@ -342,14 +357,17 @@ appsuite:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 1000
+      privileged: false
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeCoreUI | toYaml | nindent 8 }}
 
   core-ui-middleware:
     enabled: true
     ingress:
       hosts:
-        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
       enabled: false
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
@@ -368,6 +386,8 @@ appsuite:
       auth:
         enabled: true
         password: {{ .Values.secrets.redis.password | quote }}
+        # Workaround for a bug in 8.23
+        ca: ""
     resources:
       {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
       updater:
@@ -382,9 +402,11 @@ appsuite:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 1000
+      privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware | toYaml | nindent 8 }}
   core-cacheservice:
     enabled: false
 
@@ -398,21 +420,24 @@ appsuite:
       registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
       repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
-    podSecurityContext:
+    resources:
+      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
+    securityContext:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 987
       seccompProfile:
         type: "RuntimeDefault"
-    resources:
+      readOnlyRootFilesystem: false
-      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
-    securityContext:
-      # missing:
-      # readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
+      privileged: false
       capabilities:
         drop:
           - "ALL"
+      seccompProfile:
+        type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeDocumentConverter | toYaml | nindent 8 }}
 
   core-documents-collaboration:
     enabled: false
@@ -451,8 +476,11 @@ appsuite:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 1000
+      privileged: false
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours | toYaml | nindent 8 }}
 
   core-imageconverter:
     enabled: true
@@ -466,21 +494,24 @@ appsuite:
           endpoint: "."
           accessKey: "."
           secretKey: "."
-    podSecurityContext:
+    resources:
+      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
+    securityContext:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 987
       seccompProfile:
         type: "RuntimeDefault"
-    resources:
+      readOnlyRootFilesystem: false
-      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
-    securityContext:
-      # missing:
-      # readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
+      privileged: false
       capabilities:
         drop:
           - "ALL"
+      seccompProfile:
+        type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeImageConverter | toYaml | nindent 8 }}
 
   guard-ui:
     enabled: true
@@ -503,9 +534,11 @@ appsuite:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 1000
+      privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
   core-spellcheck:
     enabled: false
 
@@ -531,6 +564,9 @@ appsuite:
       runAsGroup: 1000
       runAsNonRoot: true
       runAsUser: 1000
+      privileged: false
       seccompProfile:
         type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeCoreUserGuide | toYaml | nindent 8 }}
 ...

helmfile/apps/openproject-bootstrap/helmfile.yaml

@@ -13,7 +13,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/\
+      {{ .Values.charts.openprojectBootstrap.repository }}"
 
 releases:
   - name: "opendesk-openproject-bootstrap"

helmfile/apps/openproject-bootstrap/values.yaml.gotmpl

@@ -38,6 +38,8 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}

helmfile/apps/openproject/helmfile.yaml

@@ -13,7 +13,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/\
+      {{ .Values.charts.openproject.repository }}"
 
 releases:
   - name: "openproject"

helmfile/apps/openproject/values.yaml.gotmpl

@@ -9,6 +9,7 @@ global:
 
 containerSecurityContext:
   enabled: true
+  privileged: false
   runAsUser: 1000
   runAsGroup: 1000
   allowPrivilegeEscalation: false
@@ -19,11 +20,13 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
 
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ .Values.debug.logLevel | lower | quote }}
+  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
   OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
@@ -71,7 +74,7 @@ environment:
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
   repository: {{ .Values.images.openproject.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.openproject.tag | quote }}
 
 initdb:
@@ -79,7 +82,7 @@ initdb:
     registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }}
     repository: {{ .Values.images.openprojectInitDb.repository | quote }}
     tag: {{ .Values.images.openprojectInitDb.tag | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 memcached:
   bundled: false
@@ -142,7 +145,9 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-replicaCount: {{ .Values.replicas.openproject }}
+backgroundReplicaCount: {{ .Values.replicas.openprojectWorker }}
+
+replicaCount: {{ .Values.replicas.openprojectWeb }}
 
 resources:
   {{ .Values.resources.openproject | toYaml | nindent 2 }}
@@ -150,14 +155,14 @@ resources:
 s3:
   enabled: true
   endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  host: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  pathStyle: "true"
+  pathStyle: {{ .Values.objectstores.openproject.pathStyle | quote }}
   region: {{ .Values.objectstores.openproject.region | quote }}
   bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
   use_iam_profile: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
   auth:
     accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
-    secretAccessKey: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
+    secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
 
 seederJob:
   annotations:

helmfile/apps/provisioning/helmfile.yaml

@@ -10,15 +10,15 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/\
+      {{ .Values.charts.oxConnector.repository }}"
 
 releases:
   - name: "ox-connector"
     chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
     version: "{{ .Values.charts.oxConnector.version }}"
     values:
-      - "values-oxconnector.yaml"
+      - "values-oxconnector.yaml.gotmpl"
-      - "values-oxconnector.gotmpl"
     installed: {{ .Values.oxConnector.enabled }}
 
 commonLabels:

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -1,34 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
-  repository: {{ .Values.images.oxConnector.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.oxConnector.tag | quote }}
-
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . | quote }}
-{{- end }}
-
-persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-
-oxConnector:
-  domainName: {{ .Values.global.domain | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  logLevel: {{ .Values.debug.logLevel | quote }}
-  #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
-  oxMasterAdmin: "admin"
-  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
-  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-  oxDefaultContext: "1"
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-
-resources:
-  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
-...

helmfile/apps/provisioning/values-oxconnector.yaml

@@ -1,41 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-ingress:
-  enabled: false
-
-oxConnector:
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
-  tlsMode: "off"
-  caCert: "ucctempldapstring"
-  debugLevel: "5"
-  oxDefaultContext: "1"
-  oxLocalTimezone: "Europe/Berlin"
-  oxLanguage: "de_DE"
-  oxSmtpServer: "smtp://127.0.0.1:587"
-  oxImapServer: "imap://127.0.0.1:143"
-
-## Container deployment probes
-probes:
-  liveness:
-    enabled: true
-    initialDelaySeconds: 120
-    timeoutSeconds: 3
-    periodSeconds: 30
-    failureThreshold: 3
-    successThreshold: 1
-
-  readiness:
-    enabled: true
-    initialDelaySeconds: 30
-    timeoutSeconds: 3
-    periodSeconds: 15
-    failureThreshold: 30
-    successThreshold: 1
-
-
-serviceAccount:
-  create: true
-
-...

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -0,0 +1,94 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
+  repository: {{ .Values.images.oxConnector.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.oxConnector.tag | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
+ingress:
+  enabled: false
+
+oxConnector:
+  caCert: "ucctempldapstring"
+  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
+  domainName: {{ .Values.global.domain | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  tlsMode: "off"
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
+  oxDefaultContext: "1"
+  oxImapServer: "imap://127.0.0.1:143"
+  oxLocalTimezone: "Europe/Berlin"
+  oxLanguage: "de_DE"
+  oxMasterAdmin: "admin"
+  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
+  oxSmtpServer: "smtp://127.0.0.1:587"
+  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+
+resources:
+  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
+
+persistence:
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
+## Container deployment probes
+probes:
+  liveness:
+    enabled: true
+    initialDelaySeconds: 120
+    timeoutSeconds: 3
+    periodSeconds: 30
+    failureThreshold: 3
+    successThreshold: 1
+
+  readiness:
+    enabled: true
+    initialDelaySeconds: 30
+    timeoutSeconds: 3
+    periodSeconds: 15
+    failureThreshold: 30
+    successThreshold: 1
+
+replicaCount: {{ .Values.replicas.oxConnector }}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  readOnlyRootFilesystem: false
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
+
+serviceAccount:
+  create: true
+
+...

helmfile/apps/services/helmfile.yaml

@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -13,7 +14,19 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
+      {{ .Values.charts.otterize.repository }}"
+
+  # openDesk Home
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
+  - name: "home-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.home.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
+      {{ .Values.charts.home.repository }}"
 
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -23,7 +36,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/\
+      {{ .Values.charts.certificates.repository }}"
 
   # openDesk PostgreSQL
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
@@ -33,7 +47,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/\
+      {{ .Values.charts.postgresql.repository }}"
 
   # openDesk MariaDB
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -43,7 +58,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
+      {{ .Values.charts.mariadb.repository }}"
 
   # openDesk Postfix
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -53,17 +69,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
-
+      {{ .Values.charts.postfix.repository }}"
-  # openDesk Istio Resources
-  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
-  - name: "istio-resources-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.istioResources.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
 
   # openDesk ClamAV
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -73,14 +80,16 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/\
+      {{ .Values.charts.clamav.repository }}"
   - name: "clamav-simple-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.clamavSimple.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/\
+      {{ .Values.charts.clamavSimple.repository }}"
 
   # VMWare Bitnami
   # Source: https://github.com/bitnami/charts/
@@ -90,36 +99,46 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/\
+      {{ .Values.charts.memcached.repository }}"
   - name: "redis-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.redis.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/\
+      {{ .Values.charts.redis.repository }}"
   - name: "minio-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.minio.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.imageRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/\
+      {{ .Values.charts.minio.repository }}"
 
 releases:
   - name: "opendesk-otterize"
     chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
     version: "{{ .Values.charts.otterize.version }}"
     values:
-      - "values-otterize.gotmpl"
+      - "values-otterize.yaml.gotmpl"
     installed: {{ .Values.security.otterizeIntents.enabled }}
     timeout: 900
 
+  - name: "opendesk-home"
+    chart: "home-repo/{{ .Values.charts.home.name }}"
+    version: "{{ .Values.charts.home.version }}"
+    values:
+      - "values-home.yaml.gotmpl"
+    installed: {{ .Values.home.enabled }}
+
   - name: "opendesk-certificates"
     chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
     version: "{{ .Values.charts.certificates.version }}"
     values:
-      - "values-certificates.gotmpl"
+      - "values-certificates.yaml.gotmpl"
     installed: {{ .Values.certificates.enabled }}
     timeout: 900
 
@@ -127,8 +146,7 @@ releases:
     chart: "redis-repo/{{ .Values.charts.redis.name }}"
     version: "{{ .Values.charts.redis.version }}"
     values:
-      - "values-redis.gotmpl"
+      - "values-redis.yaml.gotmpl"
-      - "values-redis.yaml"
     installed: {{ .Values.redis.enabled }}
     timeout: 900
 
@@ -136,8 +154,7 @@ releases:
     chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
     version: "{{ .Values.charts.memcached.version }}"
     values:
-      - "values-memcached.yaml"
+      - "values-memcached.yaml.gotmpl"
-      - "values-memcached.gotmpl"
     installed: {{ .Values.memcached.enabled }}
     timeout: 900
 
@@ -145,8 +162,7 @@ releases:
     chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
     version: "{{ .Values.charts.postgresql.version }}"
     values:
-      - "values-postgresql.yaml"
+      - "values-postgresql.yaml.gotmpl"
-      - "values-postgresql.gotmpl"
     installed: {{ .Values.postgresql.enabled }}
     timeout: 900
 
@@ -154,8 +170,7 @@ releases:
     chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
     version: "{{ .Values.charts.mariadb.version }}"
     values:
-      - "values-mariadb.yaml"
+      - "values-mariadb.yaml.gotmpl"
-      - "values-mariadb.gotmpl"
     installed: {{ .Values.mariadb.enabled }}
     timeout: 900
 
@@ -163,8 +178,7 @@ releases:
     chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
     version: "{{ .Values.charts.postfix.version }}"
     values:
-      - "values-postfix.yaml"
+      - "values-postfix.yaml.gotmpl"
-      - "values-postfix.gotmpl"
     installed: {{ .Values.postfix.enabled }}
     timeout: 900
 
@@ -172,8 +186,7 @@ releases:
     chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
     version: "{{ .Values.charts.clamav.version }}"
     values:
-      - "values-clamav-distributed.yaml"
+      - "values-clamav-distributed.yaml.gotmpl"
-      - "values-clamav-distributed.gotmpl"
     installed: {{ .Values.clamavDistributed.enabled }}
     timeout: 900
 
@@ -181,26 +194,15 @@ releases:
     chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
     version: "{{ .Values.charts.clamavSimple.version }}"
     values:
-      - "values-clamav-simple.yaml"
+      - "values-clamav-simple.yaml.gotmpl"
-      - "values-clamav-simple.gotmpl"
     installed: {{ .Values.clamavSimple.enabled }}
     timeout: 900
 
-  - name: "opendesk-gateway"
-    chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
-    version: "{{ .Values.charts.istioResources.version }}"
-    values:
-      - "values-istio-gateway.yaml"
-      - "values-istio-gateway.gotmpl"
-    installed: {{ .Values.istio.enabled }}
-    timeout: 900
-
   - name: "minio"
     chart: "minio-repo/{{ .Values.charts.minio.name }}"
     version: "{{ .Values.charts.minio.version }}"
     values:
-      - "values-minio.yaml"
+      - "values-minio.yaml.gotmpl"
-      - "values-minio.gotmpl"
     installed: {{ .Values.minio.enabled }}
     timeout: 900
 

helmfile/apps/services/values-certificates.yaml.gotmpl

@@ -11,14 +11,6 @@ global:
 issuerRef:
   name: {{ .Values.certificate.issuerRef.name | quote }}
 
-{{- if .Values.istio.enabled }}
-istio:
-  enabled: {{ .Values.istio.enabled }}
-  domain: {{ .Values.istio.domain | quote }}
-  issuerRef:
-    name: {{ .Values.istio.issuerRef.name | quote }}
-{{- end }}
-
 cleanup:
   keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
 

helmfile/apps/services/values-clamav-distributed.gotmpl

@@ -1,56 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-clamd:
-  podSecurityContext:
-  replicaCount: {{ .Values.replicas.clamd }}
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
-    repository: {{ .Values.images.clamd.repository | quote }}
-    tag: {{ .Values.images.clamd.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  resources:
-    {{ .Values.resources.clamd | toYaml | nindent 4 }}
-
-freshclam:
-  podSecurityContext:
-  replicaCount: {{ .Values.replicas.freshclam }}
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
-    repository: {{ .Values.images.freshclam.repository | quote }}
-    tag: {{ .Values.images.freshclam.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  resources:
-    {{ .Values.resources.freshclam | toYaml | nindent 4 }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-icap:
-  replicaCount: {{ .Values.replicas.icap }}
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
-    repository: {{ .Values.images.icap.repository | quote }}
-    tag: {{ .Values.images.icap.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  resources:
-    {{ .Values.resources.icap | toYaml | nindent 4 }}
-
-milter:
-  podSecurityContext:
-  replicaCount: {{ .Values.replicas.milter }}
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
-    repository: {{ .Values.images.milter.repository | quote }}
-    tag: {{ .Values.images.milter.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  resources:
-    {{ .Values.resources.milter | toYaml | nindent 4 }}
-
-persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
-  size: {{ .Values.persistence.size.clamav | quote }}
-...

helmfile/apps/services/values-clamav-distributed.yaml

@@ -1,80 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  enabled: true
-  readOnlyRootFilesystem: true
-
-clamd:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-
-freshclam:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-
-icap:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-
-milter:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-...

helmfile/apps/services/values-clamav-distributed.yaml.gotmpl

@@ -0,0 +1,142 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+clamd:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    privileged: false
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.clamd | toYaml | nindent 6 }}
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
+    repository: {{ .Values.images.clamd.repository | quote }}
+    tag: {{ .Values.images.clamd.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+  replicaCount: {{ .Values.replicas.clamd }}
+  resources:
+    {{ .Values.resources.clamd | toYaml | nindent 4 }}
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  enabled: true
+  readOnlyRootFilesystem: true
+  runAsUser: 0
+  runAsGroup: 0
+  seccompProfile:
+    type: "RuntimeDefault"
+  runAsNonRoot: false
+  capabilities:
+    drop: []
+  privileged: false
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.clamav | toYaml | nindent 4 }}
+
+freshclam:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    privileged: false
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.freshclam | toYaml | nindent 6 }}
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
+    repository: {{ .Values.images.freshclam.repository | quote }}
+    tag: {{ .Values.images.freshclam.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+  replicaCount: {{ .Values.replicas.freshclam }}
+  resources:
+    {{ .Values.resources.freshclam | toYaml | nindent 4 }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+icap:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.icap | toYaml | nindent 6 }}
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
+    repository: {{ .Values.images.icap.repository | quote }}
+    tag: {{ .Values.images.icap.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+  replicaCount: {{ .Values.replicas.icap }}
+  resources:
+    {{ .Values.resources.icap | toYaml | nindent 4 }}
+
+milter:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.milter | toYaml | nindent 6 }}
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
+    repository: {{ .Values.images.milter.repository | quote }}
+    tag: {{ .Values.images.milter.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+  replicaCount: {{ .Values.replicas.milter }}
+  resources:
+    {{ .Values.resources.milter | toYaml | nindent 4 }}
+
+persistence:
+  storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
+  size: {{ .Values.persistence.size.clamav | quote }}
+...

helmfile/apps/services/values-clamav-simple.yaml

@@ -1,19 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 100
-  runAsGroup: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-  fsGroupChangePolicy: "Always"
-...

helmfile/apps/services/values-clamav-simple.yaml.gotmpl

@@ -1,9 +1,25 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
-replicaCount: {{ .Values.replicas.clamav }}
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.clamavSimple | toYaml | nindent 4 }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
   clamav:
@@ -17,14 +33,18 @@ image:
     tag: {{ .Values.images.icap.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
-resources:
-  {{ .Values.resources.clamd | toYaml | nindent 4 }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.clamav | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+  fsGroupChangePolicy: "Always"
+
+replicaCount: {{ .Values.replicas.clamav }}
+
+resources:
+  {{ .Values.resources.clamd | toYaml | nindent 4 }}
+
 ...

helmfile/apps/services/values-home.yaml.gotmpl

@@ -0,0 +1,16 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+
+ingress:
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+...

helmfile/apps/services/values-istio-gateway.gotmpl

@@ -1,13 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.istio.domain | quote }}
-  hosts:
-    openxchange: {{ .Values.global.hosts.openxchange | quote }}
-
-tls:
-  secretName: "{{ .Values.istio.domain }}-tls"
-...

helmfile/apps/services/values-istio-gateway.yaml

@@ -1,6 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-tls:
-  httpsRedirect: false
-...

helmfile/apps/services/values-mariadb.yaml

@@ -1,27 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  runAsUser: 1001
-  runAsGroup: 1001
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-
-job:
-  enabled: true
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1001
-  fsGroupChangePolicy: "OnRootMismatch"
-
-replicaCount: 1
-...