fix(services): Add monitoring for redis and update redis

2025-12-06 15:31:38 +01:00 · 2024-02-19 17:34:01 +01:00
112 changed files with 1787 additions and 2727 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,10 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.3.2"
+    ref: "main"
    file:
      - "ci/common/automr.yml"
      - "ci/common/lint.yml"
@@ -12,7 +11,8 @@ include:
  - local: "/.gitlab/generate/generate-docs.yml"
  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    file: "gitlab/environments.yaml"
-    ref: "main"
+    rules:
+      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
  - local: "/.gitlab/lint/lint-opendesk.yml"
    rules:
      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
@@ -20,7 +20,7 @@ include:
      - when: "always"
  - local: "/.gitlab/lint/lint-kyverno.yml"
    rules:
-      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|triggers'"
+      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
        when: "never"
      - when: "always"

@@ -36,6 +36,7 @@ stages:
  - "component-deploy-stage-2"
  - "tests"
  - "env-stop"
+  - "generate-release-assets"
  - ".post"

 variables:
@@ -43,15 +44,14 @@ variables:
    description: "The name of namespaces to deploy to."
    value: ""
  CLUSTER:
-    description: "Which cluster to use. Cluster must be defined in `gitlab/environments.yaml` of the
-        repo that is included above using the env var `PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG`:
-        ${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
+    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
+      sovereign-workplace-env included above."
    value: "dev"
  MASTER_PASSWORD_WEB_VAR:
-    description: "Optional: Provide a seed to be used for generation of all internal secrets. Same seed will result in same secrets."
+    description: "Optional: Provide a passphrase to be used for password generation."
    value: ""
  ENV_STOP_BEFORE:
-    description: "Stop environment/delete namespace for the deployment."
+    description: "Stop environment/delete namespace for the deployment"
    value: "no"
    options:
      - "yes"
@@ -197,7 +197,7 @@ env-start:
    name: "${NAMESPACE}"
    on_stop: "env-stop"
  extends: ".deploy-common"
-  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
+  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -378,7 +378,7 @@ env-stop:
  environment:
    name: "${NAMESPACE}"
    action: "stop"
-  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
+  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
  needs: []
  rules:
    - if: >
@@ -448,13 +448,10 @@ run-tests:
 avscan-prepare:
  stage: ".pre"
  rules:
-    - if: >
-          $JOB_AVSCAN_ENABLED != 'false' &&
-          $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-          $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "always"
    - when: "never"
-  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/mikefarah/yq"
+  image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
  script:
    - |
      cat << 'EOF' > dynamic-scans.yml
@@ -484,8 +481,7 @@ avscan-prepare:
      yq '.images
      | with_entries(.key |= "scan-" + .)
      | .[].extends=".container-clamav"
-      | with(.[]; .variables.CONTAINER_IMAGE = .repository
-      | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry)
+      | with(.[]; .variables.CONTAINER_IMAGE = .repository | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry)
      | del(.[].repository)
      | del(.[].tag)
      | del(.[].registry)'
@@ -498,10 +494,7 @@ avscan-prepare:
 avscan-start:
  stage: "scan"
  rules:
-    - if: >
-        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "always"
    - when: "never"
  trigger:
@@ -510,7 +503,32 @@ avscan-start:
        job: "avscan-prepare"
    strategy: "depend"

-# Declare .environments which is in environments repository. In case it is not available
+generate-release-assets:
+  stage: "generate-release-assets"
+  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "on_success"
+    - when: "never"
+  script:
+    - |
+      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
+      cd opendesk-asset-generator
+      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
+      ./opendesk_asset_generator.py
+      mv ./build_artefacts ${CI_PROJECT_DIR}
+      cd ..
+      rm -rf opendesk-asset-generator
+      ls -l ./build_artefacts
+  artifacts:
+    paths:
+      - "./build_artefacts/chart-index.json"
+      - "./build_artefacts/image-index.json"
+  tags: []
+  variables:
+    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
+
+# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
  cache: {}
@@ -541,18 +559,14 @@ reuse-linter:

 generate-release-version:
  rules:
-    - if: >
-        $JOB_RELEASE_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+    - if: "$JOB_RELEASE_ENABLED != 'false'"
      when: "on_success"

 release:
+  dependencies:
+    - "generate-release-assets"
  rules:
-    - if: >
-        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "on_success"
  script:
    - >
@@ -568,7 +582,7 @@ release:
    - |
      echo -e "\n[INFO] Writing data to helm value file..."
      cat <<EOF >helmfile/environments/default/global.generated.yaml
-      # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+      # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
      # SPDX-License-Identifier: Apache-2.0
      ---
      global:
@@ -581,7 +595,16 @@ release:
      {
        "branches": ["main"],
        "plugins": [
-          "@semantic-release/gitlab",
+          ["@semantic-release/gitlab",
+            {
+              "assets": [
+                { "path": "./build_artefacts/chart-index.json",
+                  "label": "Chart Index JSON" },
+                { "path": "./build_artefacts/image-index.json",
+                  "label": "Image Index JSON" },
+              ]
+            }
+          ],
          "@semantic-release/release-notes-generator",
          "@semantic-release/changelog",
          ["@semantic-release/git", {
@@ -600,5 +623,6 @@ release:
      EOF
    - "semantic-release"
  needs:
+    - "generate-release-assets"
    - "generate-docs"
 ...
--- a/.gitlab/common/common.yml
+++ b/.gitlab/common/common.yml
@@ -2,13 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.3\
-    @sha256:4630299fddf4248af1ad04528f0435d78f5b2694a154c99fe72b960260a7be61"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.4\
-    @sha256:386e84e2c85c33537479e4bb1e1fe744c9cce5e87bcb9a3a384dcdc1727c19c0"
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.2\
+    @sha256:7a866a34b82dddea8867862afaaccb1d1e385854ce344fc71be492800a5b16a6"
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
+    @sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"

 .common:
  cache: {}
  needs: []
-  tags: []
+  tags:
+    - "docker"
 ...
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -27,14 +27,7 @@ lint-kyverno:
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
-    - >
-      node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
-      -d ${CI_PROJECT_DIR}/.kyverno
-      -t required
-      -s manifest
-      -f opendesk.yaml
-      --skip-tests true
-      ${APP}
+    - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required -s manifest -f opendesk.yaml --skip-tests true ${APP}"
    - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
    - "cd ${CI_PROJECT_DIR}/.kyverno"
    - "kyverno test ."
--- a/.kyverno/policies/_policies.yaml
+++ b/.kyverno/policies/_policies.yaml
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 pod:
@@ -12,7 +12,7 @@ pod:
      - "Pod"
      - "DaemonSet"
  - name: "disallow-default-serviceaccount"
-    rule: "disallow-default-serviceAccountName"
+    rule: "require-sa"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -20,8 +20,8 @@ pod:
      - "Job"
      - "Pod"
      - "DaemonSet"
-  - name: "template-imagepullsecrets"
-    rule: "template-imagePullSecrets"
+  - name: "require-imagepullsecrets"
+    rule: "require-imagepullsecrets"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -30,7 +30,7 @@ pod:
      - "Pod"
      - "DaemonSet"
  - name: "disallow-latest-tag"
-    rule: "disallow-latest-tag"
+    rule: "validate-image-tag"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -38,17 +38,8 @@ pod:
      - "Job"
      - "Pod"
      - "DaemonSet"
-  - name: "disallow-latest-tag"
-    rule: "require-image-tag-or-digest"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-imagepullpolicy"
-    rule: "require-imagePullPolicy"
+  - name: "require-imagepullpolicy-always"
+    rule: "require-imagepullpolicy-always"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -64,23 +55,23 @@ pod:
      - "Deployment"
      - "Pod"
      - "DaemonSet"
-  - name: "template-storage"
-    rule: "template-storageClassName-pod"
+  - name: "require-storage"
+    rule: "require-storageclass-pvc"
    type: "required"
    kinds:
      - "PersistentVolumeClaim"
-  - name: "template-storage"
-    rule: "template-storageClassName-pvc"
+  - name: "require-storage"
+    rule: "require-storageclass-pod"
    type: "required"
    kinds:
      - "StatefulSet"
-  - name: "template-storage"
-    rule: "template-requests-storage-pod"
+  - name: "require-storage"
+    rule: "require-storage-size-pvc"
    type: "required"
    kinds:
      - "PersistentVolumeClaim"
-  - name: "template-storage"
-    rule: "template-requests-storage-pvc"
+  - name: "require-storage"
+    rule: "require-storage-size-pod"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -93,8 +84,8 @@ pod:
      - "Job"
      - "Pod"
      - "DaemonSet"
-  - name: "template-image-registries"
-    rule: "template-image-registries"
+  - name: "restrict-image-registries"
+    rule: "validate-registries"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -174,119 +165,4 @@ pod:
      - "Job"
      - "Pod"
      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-empty-seLinuxOptions"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-default-procMount"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "restrict-sysctls"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-container-sock-mounts"
-    rule: "validate-docker-sock-mount"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-container-sock-mounts"
-    rule: "validate-containerd-sock-mount"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-container-sock-mounts"
-    rule: "validate-crio-sock-mount"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-container-sock-mounts"
-    rule: "validate-dockerd-sock-mount"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-host-namespaces"
-    rule: "disallow-host-namespaces"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-host-path"
-    rule: "disallow-host-path"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-host-ports"
-    rule: "disallow-host-ports"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-host-process"
-    rule: "disallow-host-process"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "template-ingress"
-    rule: "template-ingressClassName"
-    type: "required"
-    kinds:
-      - "Ingress"
-  - name: "template-ingress"
-    rule: "template-tls-secretName"
-    type: "required"
-    kinds:
-      - "Ingress"
-  - name: "template-replicas"
-    rule: "template-replicas"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
 ...
--- a/.kyverno/policies/disallow-container-sock-mounts.yaml
+++ b/.kyverno/policies/disallow-container-sock-mounts.yaml
@@ -1,80 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-container-sock-mounts"
-  annotations:
-    policies.kyverno.io/title: "Disallow CRI socket mounts"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Container daemon socket bind mounts allow access to the container engine on the node.
-      This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should
-      not be allowed.
-      This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
-      In addition to or replacement of this policy, preventing users from mounting the parent directories
-      (/var/run and /var) may be necessary to completely prevent socket bind mounts.
-spec:
-  background: true
-  rules:
-    - name: "validate-docker-sock-mount"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: "Use of the Docker Unix socket is not allowed."
-        anyPattern:
-          - spec:
-              =(volumes):
-                - =(hostPath):
-                    path: "!/var/run/docker.sock"
-          - spec:
-              =(volumes):
-    - name: "validate-containerd-sock-mount"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: "Use of the Containerd Unix socket is not allowed."
-        anyPattern:
-          - spec:
-              =(volumes):
-                - =(hostPath):
-                    path: "!/var/run/containerd/containerd.sock"
-          - spec:
-              =(volumes):
-    - name: "validate-crio-sock-mount"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: "Use of the CRI-O Unix socket is not allowed."
-        anyPattern:
-          - spec:
-              =(volumes):
-                - =(hostPath):
-                    path: "!/var/run/crio/crio.sock"
-          - spec:
-              =(volumes):
-    - name: "validate-dockerd-sock-mount"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: "Use of the Docker CRI socket is not allowed."
-        anyPattern:
-          - spec:
-              =(volumes):
-                - =(hostPath):
-                    path: "!/var/run/cri-dockerd.sock"
-          - spec:
-              =(volumes):
--- a/.kyverno/policies/disallow-default-serviceaccount.yaml
+++ b/.kyverno/policies/disallow-default-serviceaccount.yaml
@@ -1,20 +1,10 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "disallow-default-serviceaccount"
-  annotations:
-    policies.kyverno.io/title: "Prevent default ServiceAccount privilege escalation"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Kubernetes automatically creates a ServiceAccount object named default for every namespace in your cluster.
-      These default service accounts get no permissions by default.
-      Accidental or intended assignment of permissions on the default service account results in elevated permissions
-      for all pods with default service account assigned.
-      This risk can be mitigated by creating a custom ServiceAccount for each application or reduce the risk by disable
-      auto mounting the default service account into the pod.
 spec:
  background: true
  rules:
@@ -22,15 +12,11 @@ spec:
        resources:
          kinds:
            - "Pod"
-      name: "disallow-default-serviceAccountName"
+      name: "require-sa"
      validate:
-        message: >-
-          Field serviceAccountName must be set to anything other than 'default'.
-          When serviceAccountName is 'default' then automountServiceAccountToken must set to 'false' .
-        anyPattern:
-          - spec:
-              serviceAccountName: "!default"
-          - spec:
-              automountServiceAccountToken: "false"
+        message: "serviceAccountName must be set to anything other than 'default'."
+        pattern:
+          spec:
+            serviceAccountName: "!default"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/disallow-host-namespaces.yaml
+++ b/.kyverno/policies/disallow-host-namespaces.yaml
@@ -1,33 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-host-namespaces"
-  annotations:
-    policies.kyverno.io/title: "Disallow Host Namespaces"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access
-      to shared information and can be used to elevate privileges.
-      Pods should not be allowed access to host namespaces.
-      This policy ensures fields which make use of these host namespaces are unset or set to `false`.
-spec:
-  background: true
-  rules:
-    - name: "disallow-host-namespaces"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: >-
-          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
-          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
-        pattern:
-          spec:
-            =(hostPID): "false"
-            =(hostIPC): "false"
-            =(hostNetwork): "false"
--- a/.kyverno/policies/disallow-host-path.yaml
+++ b/.kyverno/policies/disallow-host-path.yaml
@@ -1,32 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-host-path"
-  annotations:
-    policies.kyverno.io/title: "Disallow hostPath"
-    policies.kyverno.io/subject: "Pod,Volume"
-    policies.kyverno.io/description: >-
-      HostPath volumes let Pods use host directories and volumes in containers.
-      Using host resources can be used to access shared data or escalate privileges and should not be allowed.
-      This policy ensures no hostPath volumes are in use.
-spec:
-  background: true
-  rules:
-    - name: "disallow-host-path"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: >-
-          HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
-        anyPattern:
-          - spec:
-              =(volumes):
-                - X(hostPath): "null"
-          - spec:
-              =(volumes):
--- a/.kyverno/policies/disallow-host-ports.yaml
+++ b/.kyverno/policies/disallow-host-ports.yaml
@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-host-ports"
-  annotations:
-    policies.kyverno.io/title: "Disallow hostPorts"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum
-      restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`.
-spec:
-  background: true
-  rules:
-    - name: "disallow-host-ports"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: >-
-          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
-          , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
-          must either be unset or set to `0`.
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - =(ports):
-                  - =(hostPort): 0
-            =(initContainers):
-              - =(ports):
-                  - =(hostPort): 0
-            containers:
-              - =(ports):
-                  - =(hostPort): 0
--- a/.kyverno/policies/disallow-host-process.yaml
+++ b/.kyverno/policies/disallow-host-process.yaml
@@ -1,45 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-host-process"
-  annotations:
-    policies.kyverno.io/title: "Disallow hostProcess"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node.
-      Privileged access to the host is disallowed in the baseline policy.
-      HostProcess pods are an alpha feature as of Kubernetes v1.22.
-      This policy ensures the `hostProcess` field, if present, is set to `false`.
-spec:
-  background: true
-  rules:
-    - name: "disallow-host-process"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: >-
-          HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
-          spec.containers[*].securityContext.windowsOptions.hostProcess,
-          spec.initContainers[*].securityContext.windowsOptions.hostProcess, and
-          spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined or set to
-          `false`.
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - =(securityContext):
-                  =(windowsOptions):
-                    =(hostProcess): "false"
-            =(initContainers):
-              - =(securityContext):
-                  =(windowsOptions):
-                    =(hostProcess): "false"
-            containers:
-              - =(securityContext):
-                  =(windowsOptions):
-                    =(hostProcess): "false"
--- a/.kyverno/policies/disallow-latest-tag.yaml
+++ b/.kyverno/policies/disallow-latest-tag.yaml
@@ -1,18 +1,10 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "disallow-latest-tag"
-  annotations:
-    policies.kyverno.io/title: "Disallow usage of latest tag"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      The ':latest' tag is mutable and can lead to unexpected errors if the image changes.
-      A best practice is to use an immutable tag that maps to a specific version of an application Pod.
-      This policy validates that the image specifies a tag and that it is not called `latest`.
-      Defining no image tag or digest result in the container engine retrieving the latest tag.
 spec:
  background: true
  rules:
@@ -20,7 +12,7 @@ spec:
        resources:
          kinds:
            - "Pod"
-      name: "disallow-latest-tag"
+      name: "validate-image-tag"
      validate:
        message: "Using a mutable image tag e.g. 'latest' is not allowed."
        pattern:
@@ -31,27 +23,5 @@ spec:
              - image: "!*:latest"
            containers:
              - image: "!*:latest"
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-image-tag-or-digest"
-      validate:
-        message: "A image tag or a digest is required, otherwise latest tag is chosen."
-        anyPattern:
-          - spec:
-              =(ephemeralContainers):
-                - image: "*:*"
-              =(initContainers):
-                - image: "*:*"
-              containers:
-                - image: "*:*"
-          - spec:
-              =(ephemeralContainers):
-                - image: "*@*"
-              =(initContainers):
-                - image: "*@*"
-              containers:
-                - image: "*@*"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-containersecuritycontext.yaml
+++ b/.kyverno/policies/require-containersecuritycontext.yaml
@@ -1,16 +1,10 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-containersecuritycontext"
-  annotations:
-    policies.kyverno.io/title: "ContainerSecurityContext best practices are set."
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      The containerSecurityContext is the most important security-related section because it has the highest precedence
-      and restricts the container to its minimal privileges.
 spec:
  background: true
  rules:
@@ -175,70 +169,5 @@ spec:
              - securityContext:
                  runAsNonRoot: true

-    - name: "require-empty-seLinuxOptions"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "SELinux options have to be unset."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  seLinuxOptions:
-            =(initContainers):
-              - securityContext:
-                  seLinuxOptions:
-            containers:
-              - securityContext:
-                  seLinuxOptions:
-
-    - name: "require-default-procMount"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: >-
-          Changing the proc mount from the default is not allowed. The fields
-          spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
-          and spec.ephemeralContainers[*].securityContext.procMount must be unset or
-          set to `Default`.
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - =(securityContext):
-                  =(procMount): "Default"
-            =(initContainers):
-              - =(securityContext):
-                  =(procMount): "Default"
-            containers:
-              - =(securityContext):
-                  =(procMount): "Default"
-
-    - name: "restrict-sysctls"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: >-
-          Setting additional sysctls above the allowed type is not allowed.
-          The field spec.securityContext.sysctls must be unset or not use any other names
-          than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
-          net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
-          net.ipv4.ping_group_range.
-        pattern:
-          spec:
-            =(securityContext):
-              =(sysctls):
-                - =(name): >-
-                    kernel.shm_rmid_forced |
-                    net.ipv4.ip_local_port_range |
-                    net.ipv4.ip_unprivileged_port_start |
-                    net.ipv4.tcp_syncookies |
-                    net.ipv4.ping_group_range
-
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-health-and-liveness-check.yaml
+++ b/.kyverno/policies/require-health-and-liveness-check.yaml
@@ -1,20 +1,10 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-health-and-liveness-check"
-  annotations:
-    policies.kyverno.io/title: "Disallow usage of latest tag"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Liveness and readiness probes need to be configured to correctly manage a Pod's lifecycle during deployments,
-      restarts, and upgrades.
-      For each Pod, a periodic `livenessProbe` is performed by the kubelet to determine if the Pod's containers are
-      running or need to be restarted.
-      A `readinessProbe` is used by Services and Pods to determine if the Pod is ready to receive network traffic.
-      This policy validates that all containers have livenessProbe and readinessProbe defined.
 spec:
  background: true
  rules:
@@ -24,9 +14,8 @@ spec:
            - "Pod"
      name: "require-health-and-liveness-check"
      validate:
-        message: >-
-          Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds must be set to a
-          value greater than 0.
+        message: "Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds
+          must be set to a value greater than 0."
        pattern:
          spec:
            containers:
--- a/.kyverno/policies/require-imagepullpolicy-always.yaml
+++ b/.kyverno/policies/require-imagepullpolicy-always.yaml
@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-imagepullpolicy-always"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-imagepullpolicy-always"
+      validate:
+        message: "The imagePullPolicy must be set to `Always` when the tag `latest` is used."
+        anyPattern:
+          - spec:
+              =(ephemeralContainers):
+                - (image): "*:latest"
+                  imagePullPolicy: "Always"
+              =(initContainers):
+                - (image): "*:latest"
+                  imagePullPolicy: "Always"
+              containers:
+                - (image): "*:latest"
+                  imagePullPolicy: "Always"
+          - spec:
+              =(ephemeralContainers):
+                - (image): "!*:latest"
+                  imagePullPolicy: "IfNotPresent"
+              =(initContainers):
+                - (image): "!*:latest"
+                  imagePullPolicy: "IfNotPresent"
+              containers:
+                - (image): "!*:latest"
+                  imagePullPolicy: "IfNotPresent"
+  validationFailureAction: "audit"
+...
--- a/.kyverno/policies/require-imagepullpolicy.yaml
+++ b/.kyverno/policies/require-imagepullpolicy.yaml
@@ -1,51 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-imagepullpolicy"
-  annotations:
-    policies.kyverno.io/title: "Disallow usage of latest tag"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to
-      ensure later pulls get an updated image in case the latest tag gets updated.
-      This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or
-      where a tag is not defined at all.
-      Additionally this policy checks if the variable `.Values.global.imagePullPolicy` is used in templates.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-imagePullPolicy"
-      validate:
-        message: >-
-          The imagePullPolicy must be set to `Always` when the `latest` tag is used, otherwise the value from
-          `.Values.global.imagePullPolicy` has to be used.
-        anyPattern:
-          - spec:
-              =(ephemeralContainers):
-                - (image): "*:latest | !*:*"
-                  imagePullPolicy: "Always"
-              =(initContainers):
-                - (image): "*:latest | !*:*"
-                  imagePullPolicy: "Always"
-              containers:
-                - (image): "*:latest | !*:*"
-                  imagePullPolicy: "Always"
-          - spec:
-              =(ephemeralContainers):
-                - (image): "!*:latest"
-                  imagePullPolicy: "kyverno"
-              =(initContainers):
-                - (image): "!*:latest"
-                  imagePullPolicy: "kyverno"
-              containers:
-                - (image): "!*:latest"
-                  imagePullPolicy: "kyverno"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-imagepullsecets.yaml
+++ b/.kyverno/policies/require-imagepullsecets.yaml
@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-imagepullsecrets"
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-imagepullsecrets"
+      validate:
+        message: "ImagePullSecrets are required."
+        pattern:
+          spec:
+            imagePullSecrets:
+              - name: "*"
+  validationFailureAction: "audit"
+...
--- a/.kyverno/policies/require-requests-limits.yaml
+++ b/.kyverno/policies/require-requests-limits.yaml
@@ -1,20 +1,10 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-requests-limits"
-  annotations:
-    policies.kyverno.io/title: "Require resources cpu/memory request and limits."
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      As application workloads share cluster resources, it is important to limit resources requested and consumed by
-      each Pod.
-      It is recommended to require resource requests and limits per Pod, especially for memory and CPU.
-      If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on
-      the LimitRange configuration.
-      This policy validates that all containers have specified requests for memory and CPU and a limit for memory.
 spec:
  background: true
  rules:
--- a/.kyverno/policies/template-storage.yaml
+++ b/.kyverno/policies/template-storage.yaml
@@ -4,13 +4,7 @@
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
-  name: "template-storage"
-  annotations:
-    policies.kyverno.io/title: "Validate storageClass and size templates."
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      This policy validates if `.Values.persistence.storageClassNames` variables are used in templates and if the size
-      of volumes can be customized by `.Values.persistence.size` variable.
+  name: "require-storage"
 spec:
  background: true
  rules:
@@ -18,9 +12,9 @@ spec:
        resources:
          kinds:
            - "StatefulSet"
-      name: "template-storageClassName-pod"
+      name: "require-storageclass-pod"
      validate:
-        message: "VolumeClaims inside pods needs to have storageClass set when templated."
+        message: "VolumeClaims inside pods need to have storageClass set when templated."
        pattern:
          spec:
            (volumeClaimTemplates):
@@ -30,9 +24,9 @@ spec:
        resources:
          kinds:
            - "PersistentVolumeClaim"
-      name: "template-storageClassName-pvc"
+      name: "require-storageclass-pvc"
      validate:
-        message: "PersistentVolumeClaim needs to have storageClassName set when templated."
+        message: "Persistent Volume Claim need to have storageClassName set when templated."
        pattern:
          spec:
            storageClassName: "kyverno-test"
@@ -41,9 +35,9 @@ spec:
        resources:
          kinds:
            - "StatefulSet"
-      name: "template-requests-storage-pod"
+      name: "require-storage-size-pod"
      validate:
-        message: "VolumeClaims inside pods needs to have storageClass set when templated."
+        message: "VolumeClaims inside pods need to have storageClass set when templated."
        pattern:
          spec:
            (volumeClaimTemplates):
@@ -55,9 +49,9 @@ spec:
        resources:
          kinds:
            - "PersistentVolumeClaim"
-      name: "template-requests-storage-pvc"
+      name: "require-storage-size-pvc"
      validate:
-        message: "PersistentVolumeClaim needs to have storageClassName set when templated."
+        message: "Persistent Volume Claim need to have storageClassName set when templated."
        pattern:
          spec:
            resources:
--- a/.kyverno/policies/require-tag-and-digest.yaml
+++ b/.kyverno/policies/require-tag-and-digest.yaml
@@ -1,18 +1,10 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-tag-and-digest"
-  annotations:
-    policies.kyverno.io/title: "Require tag and digest for image."
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      To ensure that containers are not compromised in container registry by pushing malicious code to the same tag, it
-      is required to reference images by setting a sha256 hashed digest.
-      Setting only the digest is complicated for humans to compare software versions, therefore in openDesk it is
-      required to reference container images by tag and digest.
 spec:
  background: true
  rules:
--- a/.kyverno/policies/restrict-image-registries.yaml
+++ b/.kyverno/policies/restrict-image-registries.yaml
@@ -1,16 +1,10 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
-  name: "template-image-registries"
-  annotations:
-    policies.kyverno.io/title: "Check image registry template"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      This policy verifies that a custom external registry can be template to allow downloads from a private registry or
-      cache.
+  name: "restrict-image-registries"
 spec:
  background: true
  rules:
@@ -18,7 +12,7 @@ spec:
        resources:
          kinds:
            - "Pod"
-      name: "template-image-registries"
+      name: "validate-registries"
      validate:
        message: "Unknown image registry."
        pattern:
--- a/.kyverno/policies/template-ingress.yaml
+++ b/.kyverno/policies/template-ingress.yaml
@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "template-ingress"
-  annotations:
-    policies.kyverno.io/title: "Validate openDesk Ingress templating"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      This policy verifies that ingress variables are templated.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Ingress"
-      name: "template-ingressClassName"
-      validate:
-        message: "Verifies that ingressClassName can be customized by `.Values.ingress.ingressClassName` variable."
-        pattern:
-          spec:
-            ingressClassName: "kyverno"
-    - match:
-        resources:
-          kinds:
-            - "Ingress"
-      name: "template-tls-secretName"
-      validate:
-        message: "Verifies that tls.secretName can be customized by `.Values.ingress.tls.secretName` variable."
-        pattern:
-          spec:
-            tls:
-              - secretName: "kyverno-tls"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/template-replicas.yaml
+++ b/.kyverno/policies/template-replicas.yaml
@@ -1,29 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "template-replicas"
-  annotations:
-    policies.kyverno.io/title: "Validate openDesk Pod replicas templating"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      This policy verifies that `.Values.replicas.<app>` variables are templated.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Deployment"
-            - "StatefulSet"
-      name: "template-replicas"
-      validate:
-        message: "Verifies that replica count can be customized by `.Values.replicas.<app>` variable."
-        pattern:
-          spec:
-            replicas: 42
-
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/template-require-imagepullsecets.yaml
+++ b/.kyverno/policies/template-require-imagepullsecets.yaml
@@ -1,31 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "template-imagepullsecrets"
-  annotations:
-    policies.kyverno.io/title: "ImagePullSecrets template variable have to be implemented."
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      It is recommended to cache images to ensure continuous image availability during network partitions, rate limiting
-      or registry outages.
-      These caches as well as a company proxy may require authentication which will be provided as ImagePullSecrets.
-      This is a openDesk test to ensure that environment variables are templated in Helmfile deployment.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "template-imagePullSecrets"
-      validate:
-        message: "ImagePullSecrets are required."
-        pattern:
-          spec:
-            imagePullSecrets:
-              - name: "kyverno-test"
-  validationFailureAction: "audit"
-...
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,66 +1,3 @@
-## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28)
-
-
-### Bug Fixes
-
-* **docs:** Various updates ([50e2638](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/50e263866be8b51ef295ebf8025c3117821a2b6c))
-* **element:** Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([0fd4a26](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0fd4a26c711fb345b79cdff1c775d7ef20335768))
-* **helmfile:** Fix OpenAPI validations for Kubernetes v1.28 ([0aa4cfb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0aa4cfb46f793369a472a736b28eea834a545439))
-* **nextcloud:** Bump to 28.0.3 ([34d2c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/34d2c059596466f8f7d6d09c2855c595391a7e0d))
-* **nextcloud:** Rename default shared folder to `__Shared_with_me__` ([5f9d015](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5f9d015f0b98579d652fd4172e74835ed67ccf11))
-* **open-xchange:** Bump to 8.22 ([5ebf291](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5ebf291a4dbe88a09c0afe2befa6140ad33bf30b))
-* **openproject:** Bump OpenProject to 13.4.0 ([d565c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d565c057ddb7b348f7a829e0f931b1ea448b454b))
-* **openproject:** Bump version to 13.4.1 ([7cc3964](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7cc39647d89538630bac9caa158c47b5cb8d2c45))
-* **services:** Update Otterize Policies ([42f63e3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/42f63e399230495c83f934e07beb9fc950ef5e29))
-* **univention-management-stack:** Add missing authenticator secret mount to portal-server ([5a39e87](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5a39e8725b6454591f552f87f12535201e52df7c))
-* **univention-management-stack:** Update LDAP server for BSI base security compliance ([8e889db](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8e889db63eaf05b24cc23838545f63d969232c65))
-* **univention-management-stack:** Update ldap-notifier and ldap-server ([a41ddd5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a41ddd5451a9fbd3c6319827fee3eaffbd931271))
-* **univention-management-stack:** Update provisioning charts, images and helm value to add authentication ([8c97bcf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8c97bcf994487281ae94e6d66c73f4a11c08a0be))
-
-## [0.5.80](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.79...v0.5.80) (2024-03-11)
-
-
-### Bug Fixes
-
-* **ci:** Remove creation of release artefacts, use the `images.yaml` and `charts.yaml` in `./helmfile/environments/default` for information about the artefacts instead. ([ee99eef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ee99eefb72d3207866ffd1b3bd21a36bd55ad288))
-* **collabora:** Bump image to 23.05.9.4.1 ([9c32058](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9c32058fcc21a14e9e66a46064ea044402638920))
-* **docs:** Add development.md and refactor `images.yaml` and `charts.yaml` ([a2b333b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a2b333b46277a4bb86b75ca04edb64e69efff916))
-* **helmfile:** YAML handling of seLinuxOptions and align overall `toYaml` syntax ([011ad2c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/011ad2cd6bfe552e04a598452e8814d4d1029152))
-* **nextcloud:** Update images digests ([bc18724](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc18724d70ffff749d5192487944e62233cf4376))
-* **openproject:** Bump to 13.3.1 ([7ee9e47](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ee9e47e8269334294c80093a359b247d86f5d62))
-
-## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29)
-
-
-### Bug Fixes
-
-* **collabora:** Bump image to 23.05.9.2.1 ([f4b8226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f4b8226ea13971a38d61145ea9ac3821bc35f6b3))
-* **collabora:** Fix aliasgroups configuration whitelisting the Nextcloud host ([8b065fd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8b065fd9d789cdd597a584937fefaae40f42bba2))
-* **docs:** Update version numbers of functional components for release in README.md ([31e5cf3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31e5cf317ca7cd84a94cf42d57d0964152904471))
-* **element:** Provide end-to-end encryption as user controlled option ([3d31127](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3d31127a6ab0fa1d3af02695b521db5918932279))
-* **helmfile:** Enhance objectore environment variables to allow external Object Store ([d444226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d4442261aa141e21222dc13407023b96570d055f))
-* **helmfile:** Set debuglevel to WARN instead of INFO when debug is not enabled. ([2efceef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2efceef076beb06a3719859d7f4e2f0d03b99f44))
-* **nextcloud:** Bump images to enable password_policy and fix email with groupware ([8807b24](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8807b24ce09e59aaea39c349e9e12ee2a44a117a))
-* **univention-management-stack:** Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([2023d5b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2023d5bce4642f794831670713b1a2520a0419d6))
-* **univention-management-stack:** Provisioning version bump ([410a023](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/410a0237149a5e41434c09795959bc53e57fb4ca))
-* **univention-management-stack:** Template more Keycloak Extension values incl. logLevel ([7ec123b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ec123b9a174c8dade1fe9f6679796979749efab))
-
-## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23)
-
-
-### Bug Fixes
-
-* **ci:** Move main development repo OpenCoDE ([43718b8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/43718b8da2966b87fab8e206df449c923f6615e7))
-* **ci:** Run release pipeline only on pushes to main ([13dcb00](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/13dcb004419b4efd8ded8c25e7afa41d10156be8))
-* **ci:** Update kyverno rules ([d9263c9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9263c90110df241adaef8d1a5df8e8d8ceda11b))
-* **docs:** Add missing footnote regarding Nubus ([bc6e4f8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc6e4f8e5dcc32cc476de579fd56dbade79b7c31))
-* **nextcloud:** Set admin priviledges for users in central IAM ([a3e415d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a3e415d575ba24b99e741994fb29d0f0cfd11d8a))
-* **univention-management-stack:** Scaling udm-rest-api ([57d0f61](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/57d0f61b2c3e789b72a0098907817c97fee69268))
-* **univention-management-stack:** Set Keycloak CSP header to allow session continuation in admin portal. ([a398e5a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a398e5aaf131c1f00b09e1776d6daf10f2c343ad))
-* **univention-management-stack:** UMS portal-server scalability ([b1b4c28](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b1b4c28618e0eca31b59719e9e1f2db8ecff7f5c))
-* **univention-management-stack:** Univention Portal upstream codefixes version bump ([c2f62f7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c2f62f7c9487b2119b0d3efd98b40c92efb97c5d))
-* **univention-management-stack:** Update provisioning to fix high CPU usage when in idle ([d9c23bd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9c23bdf0b955c0b5e4c82dd1ee785b75ce18a3b))
-
 ## [0.5.77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.76...v0.5.77) (2024-02-16)


--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->

@@ -11,13 +11,11 @@ SPDX-License-Identifier: Apache-2.0
 * [Requirements](#requirements)
 * [Getting started](#getting-started)
 * [Advanced customization](#advanced-customization)
-* [Development](#development)
 * [Releases](#releases)
 * [Components](#components)
 * [Feedback](#feedback)
 * [License](#license)
 * [Copyright](#copyright)
-* [Footnotes](#footnotes)
 <!-- TOC -->

 # Overview
@@ -27,17 +25,17 @@ Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.

 openDesk currently features the following functional main components:

-| Function             | Functional Component        | Component<br/>Version                                                                                          | Upstream Documentation                                                                                                                       |
-| -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
-| Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59)                                 | [For the most recent release](https://element.io/user-guide)                                                                                 |
-| Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
-| File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
-| Groupware            | OX Appsuite                 | [8.22](https://documentation.open-xchange.com/appsuite/releases/8.22/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
-| Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
-| Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
-| Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Function             | Functional Component        | Component<br/>Version | Upstream Documentation |
+| -------------------- | --------------------------- | --------------------- | ----------------- |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
+| Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
+| File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
+| Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
+| Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
+| Portal & IAM         | Nubus                       | Product Preview[^1]   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
+| Project management   | OpenProject                 | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
+| Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
+| Weboffice            | Collabora                   | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |

 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practises regarding container design and operations.
@@ -77,10 +75,6 @@ Of course, further development also includes enhancing the documentation itself.
 - [Monitoring](./docs/monitoring.md)
 - [Theming](./docs/theming.md)

-# Development
-
-⟶ To understand the repository contents from a developer perspective please read the [Development](./docs/development.md) guide.
-
 # Releases

 All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
@@ -89,10 +83,9 @@ Gitlab provides an
 [overview on the releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 of this project.

-Please find a list of the artefacts related to the release either in the source code archive attached to the release or
-in the files from the release's git-tag:
- `./helmfile/environments/default/images.yaml`
- `./helmfile/environments/default/charts.yaml`
+The following release artefacts are provided beside the default source code assets:
+- `chart-index.json`: An overview of all Helm charts used by the release.
+- `image-index.json`: An overview of all container images used by the release.

 ⟶ Visit our detailed [Workflow](./docs/workflow.md) docs.

@@ -108,7 +101,7 @@ Related to the deployment / contents of this repository,
 please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).

 If you want to address other topics, please check the section
-["Rückmeldungen und Beteiligung" in the OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung) of the [openDesk Info Repository](https://gitlab.opencode.de/bmi/opendesk/info).
+["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).

 # License

@@ -117,12 +110,3 @@ This project uses the following license: Apache-2.0
 # Copyright

 Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-
-# Footnotes
-
-[^1]: Nubus is the Cloud Portal and IAM from Univention.
-It is currently integrated as a product preview within openDesk therefore,
-not all resources like documentation and structured release notes are available,
-while the
-[source code can already be found on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/component-code/crossfunctional/univention).
-Please find updates regarding the Nubus at https://nubus.io.
--- a/docs/components.md
+++ b/docs/components.md
@@ -1,6 +1,5 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Components</h1>
@@ -35,6 +34,7 @@ they need to be replaced in production deployments.
 | ClamAV (Simple)             | Antivirus engine               | Eval       |
 | Collabora                   | Weboffice                      | Functional |
 | CryptPad                    | Weboffice                      | Functional |
+| Dovecot                     | Mail backend                   | Functional |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
@@ -44,8 +44,7 @@ they need to be replaced in production deployments.
 | Nextcloud                   | File share                     | Functional |
 | OpenProject                 | Project management             | Functional |
 | OX Appsuite                 | Groupware                      | Functional |
-| OX Dovecot                  | Mail backend (IMAP)            | Functional |
-| Provisioning (OX Connector) | Groupware provisioning         | Functional |
+| Provisioning                | Backend provisioning           | Functional |
 | Postfix                     | MTA                            | Eval       |
 | PostgreSQL                  | Database                       | Eval       |
 | Redis                       | Cache Database                 | Eval       |
@@ -74,7 +73,7 @@ flowchart TD

 ## Intercom Service (ICS)

-The Univention Intercom Service's role is to enable cross-application integration based on browser interaction.
+The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
 Handling authentication when the frontend of an application is using the API from another application is often a
 challenge.
 For more details on the ICS please refer to its own [doc](./components/intercom-service.md).
@@ -114,13 +113,8 @@ The Filestore can be enabled on a per-project level in OpenProject's project adm
 # Identity data flows

 An overview of
- components that consume the LDAP service.
-  - The components accessing the LDAP using a component specific LDAP search account.
- components using Univention Keycloak as identity provider (IdP).
-  - If not otherwise denoted the components make use of OAuth2 / OIDC flows.
-  - All components have a client configured in Keycloak, except for Jitsi which is using authentication with the
-    [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) that does not
-    require an OIDC client to be configured in Keycloak.
+- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
+- components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.

 Some components trust others to handle authentication for them.

--- a/docs/development.md
+++ b/docs/development.md
@@ -1,142 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-->
-
-<h1>Developing openDesk deployment automation</h1>
-
-Active development on the deployment is currently only available for project members.
-But contributions will be possible soon once the CLA process is sorted out.
-
-* [Overview](#overview)
-* [Default branch, `develop` and other branches](#default-branch-develop-and-other-branches)
-* [External artefacts - `charts.yaml` and `images.yaml`](#external-artefacts---chartsyaml-and-imagesyaml)
-  * [Linting](#linting)
-  * [Renovate](#renovate)
-  * [Mirroring](#mirroring)
-    * [Get new artefacts mirrored](#get-new-artefacts-mirrored)
-* [Creating new charts / images](#creating-new-charts--images)
-
-# Overview
-
-The following sketch provides an high level overview to get a basic understanding of the deployment relevant
-structure of this repository. An understanding of that structure is vital if you want to contribute to
-the development of the deployment automation of openDesk.
-
-```mermaid
-flowchart TD
-    A[./helmfile.yaml]-->B[./helmfile/apps/*all_configured_apps*/helmfile.yaml\nReferences the relevant app Helm\ncharts using details from 'charts.yaml']
-    B-->C[./values-*all_configured_components*.yaml.gotmpl\nValues to template the charts\nwith references to the `images.yaml`]
-    A-->D[./helmfile/environments/default/*\nwith just some examples below]
-    D-->F[charts.yaml]
-    D-->G[images.yaml]
-    D-->H[global.*]
-    D-->I[secrets.yaml\nreplicas.yaml\nresources.yaml\n...]
-    A-->|overwrite defaults with your\ndeployment/environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
-```
-
-The `helmfile.yaml` in the root folder is the basis for the whole deployment. It references the app specific `helmfile.yaml` files as well as some
-global values files in `./environments/default`. It allows you to overwrite defaults by using one of the three predefined environments `dev`, `test`
-and `prod`.
-
-Before you look into any app specifc configuration it is recommended to review the contents of `./environments/default` to get an understanding of what
-details are maintained in there, as they are usually referenced by the app configurations.
-
-# Default branch, `develop` and other branches
-
-The `main` branch is configured to be the default branch, as visitors of the project on Open CoDE should see that
-branch by default.
-
-Please use the `develop` branch to diverge your own branch(es) from. See the [workflow guide](./workflow.md)
-for more details on naming conventions.
-
-There is a CI bot that automatically creates a merge request once you initially pushed your branch to Open CoDE.
-The merge request will of course target the `develop` branch, be in status `draft` and have you as assignee.
-
-In case you do not plan to actually merge from the branch you have pushed, please close or delete the autocreated MR.
-
-# External artefacts - `charts.yaml` and `images.yaml`
-
-The `charts.yaml` and `images.yaml` are the central place to reference external artefacts that are used for the deployment.
-
-Beside the deployment automation itself some tools work with the contents of the files:
-
- **Linting**: Ensures consistency of the file contents for the other tools.
- **Renovate**: Automatically create MRs that update the components to their latest version.
- **Mirror**: Mirror artefacts to Open CoDE.
-
-Please find details on these tools below.
-
-## Linting
-
-In the project's CI there is a step dedicated to lint the two yaml files, as we want them to be in
- alphabetical order regarding the components and
- in a logical order regarding the non-commented lines (registry > repository > tag).
-
-In the linting step the [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli) is used to apply the
-just mentioned sorting and the result is compared with the unsorted version. If there is a delta the linting fails and you probably
-want to fix it by running the CLI tool locally.
-
-**Note**: Please ensure that in component blocks you use comments only at the beginning of the block or at its end. Ideally you just stick
-with the many available examples in the yaml files.
-
-Example:
-```
-  synapse:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Element'
-    # upstreamRegistry: 'registry-1.docker.io'
-    # upstreamRepository: 'matrixdotorg/synapse'
-    # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '91', '2']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
-```
-
-## Renovate
-
-Uses a regular expression to match the values of the following attributes:
-
- `registry`
- `repository`
- `tag`
-
-Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).
-
-## Mirroring
-
- See also: https://gitlab.opencode.de/bmi/opendesk/tooling/oci-pull-mirror
-
-**Note:** The mirror is scheduled to run every hour at 42 minutes past the hour.
-
-openDesk strives to make all relevant artefacts available on Open CoDE so there is the mirroring process
-configured to pull artefacts that do not originate from Open CoDE into projects called `*-Mirror` within the
-[openDesk Components section](https://gitlab.opencode.de/bmi/opendesk/components).
-
-The mirror script takes the information on what artefacts to mirror from the annotation inside the two yaml files:
- `# upstreamRegistry` *required*: To identify the source registry
- `# upstreamRepository` *required*: To identify the source repository
- `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression.
- `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artefacts beginning with a specific version. You must use capturing groups
-  in `# upstreamMirrorTagFilterRegEx` to identify the single numeric elements of the version within the tag and use per capturing group (left to right) one numeric array
-  element here to define the version the mirror should start with.
-
-### Get new artefacts mirrored
-
-If you want new images or charts to be mirrored that are not yet included in one of the yaml files there are two options:
-
-You include them in your branch with all required annotations and either
-1. ask somebody from the platform development team to trigger the mirror's CI based on your branch or
-2. you get your branch merged to `develop` already.
-
-# Creating new charts / images
-
-When you create new Helm charts please check out the
-[openDesk Best Practises](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-best-practises)
-for Helm charts.
-
-You may also want to make use of our [standard CI](https://gitlab.opencode.de/bmi/opendesk/tooling/gitlab-config) to
-easily get Charts and Images that are signed, linted, scanned and released.
-Check out the `.gitlab-ci.yaml` files in the project's [Charts](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts) or [Images](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images) to get an idea how little you need to do yourself.
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -82,6 +82,7 @@ openDesk certificate management disabled.

 Evaluation the openDesk deployment does not require any external service to start, but features may be limited.

+
 | Group    | Type                | Version | Tested against        |
 |----------|---------------------|---------|-----------------------|
 | Cache    | Memached            | `1.6.x` | Memached              |
--- a/docs/scaling.md
+++ b/docs/scaling.md
@@ -20,42 +20,38 @@ Verified positive effects are marke with a check-mark in `Scaling (verified)` co
 marked with a gear.


-| Component                   | Name                                     | Scaling (effective) | Scaling (verified) |
-|-----------------------------|------------------------------------------|:-------------------:|:------------------:|
-| ClamAV                      | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.freshclam`                     |         :x:         |        :x:         |
-|                             | `replicas.icap`                          | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.milter`                        | :white_check_mark:  | :white_check_mark: |
-| Collabora                   | `replicas.collabora`                     | :white_check_mark:  |       :gear:       |
-| CryptPad                    | `replicas.cryptpad`                      | :white_check_mark:  |       :gear:       |
-| Dovecot                     | `replicas.dovecot`                       |         :x:         |       :gear:       |
-| Element                     | `replicas.element`                       | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.matrixNeoBoardWidget`          | :white_check_mark:  |       :gear:       |
-|                             | `replicas.matrixNeoChoiceWidget`         | :white_check_mark:  |       :gear:       |
-|                             | `replicas.matrixNeoDateFixBot`           | :white_check_mark:  |       :gear:       |
-|                             | `replicas.matrixNeoDateFixWidget`        | :white_check_mark:  |       :gear:       |
-|                             | `replicas.matrixUserVerificationService` | :white_check_mark:  |       :gear:       |
-|                             | `replicas.synapse`                       |         :x:         |       :gear:       |
-|                             | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
-| Intercom Service            | `replicas.intercomService`               | :white_check_mark:  | :white_check_mark: |
-| Jitsi                       | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
-|                             | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
-|                             | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
-|                             | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
-|                             | `replicas.jvb `                          |         :x:         |        :x:         |
-| Keycloak                    | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
-| Memcached                   | `replicas.memcached`                     |       :gear:        |       :gear:       |
-| Minio                       | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
-| Nextcloud                   | `replicas.nextcloudApache2`              | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.nextcloudExporter`             | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.nextcloudPHP`                  | :white_check_mark:  | :white_check_mark: |
-| OpenProject                 | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
-| Postfix                     | `replicas.postfix`                       |         :x:         |       :gear:       |
-| Redis                       | `replicas.redis`                         |       :gear:        |       :gear:       |
-| Univention Management Stack |                                          |       :gear:        |       :gear:       |
-|                             | `replicas.umsPortalFrontend`             | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.umsPortalServer`               | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.umsUdmRestApi`                 | :white_check_mark:  | :white_check_mark: |
-| XWiki                       | `replicas.xwiki`                         |         :x:         |       :gear:       |
+| Component        | Name                                     | Scaling (effective) | Scaling (verified) |
+|------------------|------------------------------------------|:-------------------:|:------------------:|
+| ClamAV           | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.freshclam`                     |         :x:         |        :x:         |
+|                  | `replicas.icap`                          | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.milter`                        | :white_check_mark:  | :white_check_mark: |
+| Collabora        | `replicas.collabora`                     | :white_check_mark:  |       :gear:       |
+| CryptPad         | `replicas.cryptpad`                      | :white_check_mark:  |       :gear:       |
+| Dovecot          | `replicas.dovecot`                       |         :x:         |       :gear:       |
+| Element          | `replicas.element`                       | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.matrixNeoBoardWidget`          | :white_check_mark:  |       :gear:       |
+|                  | `replicas.matrixNeoChoiceWidget`         | :white_check_mark:  |       :gear:       |
+|                  | `replicas.matrixNeoDateFixBot`           | :white_check_mark:  |       :gear:       |
+|                  | `replicas.matrixNeoDateFixWidget`        | :white_check_mark:  |       :gear:       |
+|                  | `replicas.matrixUserVerificationService` | :white_check_mark:  |       :gear:       |
+|                  | `replicas.synapse`                       |         :x:         |       :gear:       |
+|                  | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
+| Intercom Service | `replicas.intercomService`               | :white_check_mark:  |       :gear:       |
+| Jitsi            | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
+|                  | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
+|                  | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
+|                  | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
+|                  | `replicas.jvb `                          |         :x:         |        :x:         |
+| Keycloak         | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
+| Memcached        | `replicas.memcached`                     |       :gear:        |       :gear:       |
+| Minio            | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
+| Nextcloud        | `replicas.nextcloudApache2`              | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.nextcloudExporter`             | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.nextcloudPHP`                  | :white_check_mark:  | :white_check_mark: |
+| OpenProject      | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
+| Postfix          | `replicas.postfix`                       |         :x:         |       :gear:       |
+| Redis            | `replicas.redis`                         |       :gear:        |       :gear:       |
+| XWiki            | `replicas.xwiki`                         |         :x:         |       :gear:       |
--- a/docs/workflow.md
+++ b/docs/workflow.md
@@ -1,6 +1,5 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->

@@ -140,19 +139,17 @@ As a standard, the openDesk platform development team uses [reuse.software](http

 openDesk uses Apache 2.0 as the license for their work. A typical reuse copyright and license header looks like this:
 ```
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ```
 As the way to mark the license header as a comment differs between the various filetypes, please find matching examples for the types all across the [deployment automation repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace).

-**Remark**: If there is already an existing `SPDX-FileCopyrightText` please just add the one from the above example.
-
 ## Development workflow

 ### Disclaimer

 openDesk consists only of community products, so there is no SLA to receive service updates or backports of critical security fixes. This has two consequences:
- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backed paid versions.
+- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backend paid versions.
 - openDesk aims to always update to the latest available releases of the community components and we therefore have rolling technical releases.

 ### Workflow
@@ -228,28 +225,22 @@ gitGraph

 The Standard Quality Gate addresses quality assurance steps that should be executed within each of the mentioned quality gates in the workflow.

-1. Linting
-   - Blocking
-     - Licening: [reuse](https://github.com/fsfe/reuse-tool)
-     - openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in the [development](./development.md) docu
-   - Non Blocking
-     - Security: [Kyverno policy check](../.kyverno) addressing some IT-Grundschutz requirements
-     - Formal: Yaml
 1. Deploy the full openDesk stack from scratch:
   - All deployment steps must be successful (green)
   - All tests from the end-to-end test set must be successful
-1. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
+2. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
   - Deploy the current merge target baseline (`develop` or `main`)
   - Update deploy from your QA branch into the instance from the previous step
-1. No showstopper found regarding
+3. No showstopper found regarding
   - SBOM compliance[^4]
   - Malware check
   - CVE check[^5]
   - Kubescape scan[^5]
+   - Kyverno policy check (also covering some basic requirements from IT-Grundschutz)[^5]

-Steps #1 to #3 from above are executed as GitLab CI and therefore documented within GitLab.
+Steps #1 and #2 from above are executed as GitLab CI and therefore documented within GitLab.

-Step #4 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
+Step #3 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.

 ```mermaid
 flowchart TD
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -11,7 +11,7 @@ collabora:
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
-    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"

 fullnameOverride: "collabora"

@@ -19,9 +19,9 @@ grafana:
  dashboards:
    enabled: {{ .Values.grafana.dashboards.enabled }}
    labels:
-      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
+      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
    annotations:
-      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
+      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}

 image:
  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -90,11 +90,11 @@ prometheus:
  servicemonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
  rules:
    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
    additionalLabels:
-      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
+      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}

 replicaCount: {{ .Values.replicas.collabora }}

@@ -126,8 +126,7 @@ securityContext:
      - "NET_RAW"
      - "SYS_CHROOT"
      - "MKNOD"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
 serviceAccount:
  create: true
 ...
--- a/helmfile/apps/cryptpad/helmfile.yaml
+++ b/helmfile/apps/cryptpad/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/\
-      {{ .Values.charts.cryptpad.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"

 releases:
  - name: "cryptpad"
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -70,8 +70,7 @@ securityContext:
  runAsNonRoot: true
  runAsUser: 4001
  runAsGroup: 4001
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.cryptpad | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}

 serviceAccount:
  create: true
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -13,40 +13,35 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/\
-      {{ .Values.charts.element.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/\
-      {{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/\
-      {{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/\
-      {{ .Values.charts.synapse.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/\
-      {{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"

  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -64,32 +59,28 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
-      {{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
-      {{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/\
-      {{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/\
-      {{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"


 releases:
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
-  endToEndEncryption: true
+  endToEndEncryption: false
  additionalConfiguration:
    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"

@@ -15,6 +15,9 @@ configuration:
          portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
        custom_css_variables:
          --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
+        widget_types:
+          - jitsi
+          - net.nordeck

    "net.nordeck.element_web.module.widget_lifecycle":
      widget_permissions:
@@ -107,8 +110,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.element | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.element }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -35,7 +35,6 @@ securityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}

 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -35,8 +35,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}

 extraEnvVars:
  - name: "ACCESS_TOKEN"
@@ -44,6 +43,8 @@ extraEnvVars:
      secretKeyRef:
        name: "matrix-neodatefix-bot-account"
        key: "access_token"
+  - name: "ENABLE_CRYPTO"
+    value: "false"

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -18,8 +18,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -35,6 +35,5 @@ securityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
  runAsUser: 0
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}

 extraEnvVars:
  - name: "UVS_ACCESS_TOKEN"
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.synapseWeb | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -79,8 +79,7 @@ containerSecurityContext:
  runAsGroup: 10991
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -3,7 +3,7 @@
 ---
 configuration:
  e2ee:
-    forceDisable: false
+    forceDisable: true

 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -18,8 +18,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.wellKnown | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/\
-      {{ .Values.charts.intercomService.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"

 releases:
  - name: "intercom-service"
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}

 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/\
-      {{ .Values.charts.jitsi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"

 releases:
  - name: "jitsi"
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -23,8 +23,7 @@ containerSecurityContext:
  runAsUser: 1993
  runAsGroup: 1993
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}

 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -68,6 +67,7 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
+      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -75,8 +75,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
  prosody:
    image:
      repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -116,6 +115,7 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
+      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -123,8 +123,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
@@ -138,6 +137,7 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
+      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -145,8 +145,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
@@ -161,6 +160,7 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
+      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -168,8 +168,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
@@ -207,8 +206,7 @@ patchJVB:
    runAsNonRoot: true
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -13,16 +13,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/\
-      {{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloud.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/\
-      {{ .Values.charts.nextcloud.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"

 releases:
  - name: "opendesk-nextcloud-management"
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -47,20 +47,12 @@ configuration:
  ldap:
    host: {{ .Values.ldap.host | quote }}
    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
-    adminGroupName: "managed-by-attribute-FileshareAdmin"
  objectstore:
    auth:
      accessKey:
-        value: {{ .Values.objectstores.nextcloud.username | quote }}
+        value: "nextcloud_user"
      secretKey:
-        value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
-    bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
-    host: {{ .Values.objectstores.nextcloud.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-    region: {{ .Values.objectstores.nextcloud.region | quote }}
-    storageClass: {{ .Values.objectstores.nextcloud.storageClass | quote }}
-    port: {{ .Values.objectstores.nextcloud.port | quote }}
-    pathStyle: {{ .Values.objectstores.nextcloud.pathStyle | quote }}
-    useSSL: {{ .Values.objectstores.nextcloud.useSSL | quote }}
+        value: {{ .Values.secrets.minio.nextcloudUser | quote }}
  oidc:
    username:
      value: "opendesk-nextcloud"
@@ -95,8 +87,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}

 debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -25,8 +25,7 @@ exporter:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.nextcloudExporter | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -36,12 +35,12 @@ exporter:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
-  replicaCount: {{ .Values.replicas.nextcloudExporter }}
+        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
+  replicas: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}

@@ -79,8 +78,7 @@ php:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.nextcloudPHP | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
  cron:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
@@ -94,12 +92,12 @@ php:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
-  replicaCount: {{ .Values.replicas.nextcloudPHP }}
+        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
+  replicas: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}

@@ -120,8 +118,7 @@ apache2:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.nextcloudApache2 | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
  ingress:
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
@@ -133,7 +130,7 @@ apache2:
    repository: {{ .Values.images.nextcloudApache2.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudApache2.tag | quote }}
-  replicaCount: {{ .Values.replicas.nextcloudApache2 }}
+  replicas: {{ .Values.replicas.nextcloudApache2 }}
  resources:
    {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -6,28 +6,24 @@ bases:
 ---
 repositories:
  # openDesk Dovecot
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dovecot
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
  - name: "dovecot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.dovecot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/\
-      {{ .Values.charts.dovecot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"

  # Open-Xchange
  - name: "open-xchange-repo"
-    keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
-    verify: {{ .Values.charts.openXchangeAppSuite.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/\
-      {{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"

  # openDesk Open-Xchange Bootstrap
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
  - name: "open-xchange-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -66,8 +66,7 @@ containerSecurityContext:
  readOnlyRootFilesystem: true
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}

 podSecurityContext:
  enabled: true
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -40,8 +40,7 @@ nextcloud-integration-ui:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}

 public-sector-ui:
  image:
@@ -68,8 +67,7 @@ public-sector-ui:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.openxchangePublicSectorUI | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}

 appsuite:
  appsuite-toolkit:
@@ -133,8 +131,7 @@ appsuite:
        privileged: false
        seccompProfile:
          type: "RuntimeDefault"
-        seLinuxOptions:
-          {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
+        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
    hooks:
      beforeAppsuiteStart:
        create-guard-dir.sh: |
@@ -359,8 +356,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.openxchangeCoreUI | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}

  core-ui-middleware:
    enabled: true
@@ -402,8 +398,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
  core-cacheservice:
    enabled: false

@@ -433,8 +428,7 @@ appsuite:
          - "ALL"
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.openxchangeDocumentConverter | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}

  core-documents-collaboration:
    enabled: false
@@ -476,8 +470,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}

  core-imageconverter:
    enabled: true
@@ -507,8 +500,7 @@ appsuite:
          - "ALL"
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.openxchangeImageConverter | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}

  guard-ui:
    enabled: true
@@ -534,8 +526,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
  core-spellcheck:
    enabled: false

@@ -564,6 +555,5 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.openxchangeCoreUserGuide | toYaml | nindent 8 }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
 ...
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/\
-      {{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"

 releases:
  - name: "opendesk-openproject-bootstrap"
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -38,8 +38,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}

 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/\
-      {{ .Values.charts.openproject.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"

 releases:
  - name: "openproject"
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -20,13 +20,12 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}

 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
+  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
@@ -145,9 +144,7 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-backgroundReplicaCount: {{ .Values.replicas.openprojectWorker }}
-
-replicaCount: {{ .Values.replicas.openprojectWeb }}
+replicaCount: {{ .Values.replicas.openproject }}

 resources:
  {{ .Values.resources.openproject | toYaml | nindent 2 }}
@@ -156,13 +153,13 @@ s3:
  enabled: true
  endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  pathStyle: {{ .Values.objectstores.openproject.pathStyle | quote }}
+  pathStyle: "true"
  region: {{ .Values.objectstores.openproject.region | quote }}
  bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
  use_iam_profile: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
  auth:
    accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
-    secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
+    secretAccessKey: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}

 seederJob:
  annotations:
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -10,8 +10,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/\
-      {{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"

 releases:
  - name: "ox-connector"
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -20,7 +20,7 @@ oxConnector:
  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
  domainName: {{ .Values.global.domain | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
@@ -59,8 +59,6 @@ probes:
    failureThreshold: 30
    successThreshold: 1

-replicaCount: {{ .Values.replicas.oxConnector }}
-
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -85,8 +83,7 @@ securityContext:
  runAsGroup: 0
  runAsNonRoot: false
  readOnlyRootFilesystem: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}

 serviceAccount:
  create: true
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
-      {{ .Values.charts.otterize.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"

  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -24,8 +23,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/\
-      {{ .Values.charts.certificates.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"

  # openDesk PostgreSQL
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
@@ -35,8 +33,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/\
-      {{ .Values.charts.postgresql.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"

  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -46,8 +43,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
-      {{ .Values.charts.mariadb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"

  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -57,8 +53,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
-      {{ .Values.charts.postfix.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"

  # openDesk Istio Resources
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
@@ -68,8 +63,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/\
-      {{ .Values.charts.istioResources.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"

  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -79,16 +73,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/\
-      {{ .Values.charts.clamav.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/\
-      {{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"

  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
@@ -98,24 +90,21 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/\
-      {{ .Values.charts.memcached.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/\
-      {{ .Values.charts.redis.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/\
-      {{ .Values.charts.minio.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"

 releases:
  - name: "opendesk-otterize"
--- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -15,8 +15,7 @@ clamd:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.clamd | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.clamd }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
@@ -42,8 +41,7 @@ containerSecurityContext:
  capabilities:
    drop: []
  privileged: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.clamav | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}

 freshclam:
  containerSecurityContext:
@@ -59,8 +57,7 @@ freshclam:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.freshclam | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
    repository: {{ .Values.images.freshclam.repository | quote }}
@@ -92,8 +89,7 @@ icap:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.icap | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.icap }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
@@ -121,8 +117,7 @@ milter:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.milter | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.milter }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
    repository: {{ .Values.images.milter.repository | quote }}
--- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.clamavSimple | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }}

 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -17,8 +17,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.mariadb | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }}

 global:
  imagePullSecrets:
@@ -61,7 +60,7 @@ podSecurityContext:
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"

-replicaCount: {{ .Values.replicas.mariadb }}
+replicaCount: 1

 resources:
  {{ .Values.resources.mariadb | toYaml | nindent 2 }}
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -1,8 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-architecture: {{ if gt .Values.replicas.memcached 1 }}"high-availability"{{ else }}"standalone"{{ end }}
-
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -16,8 +14,7 @@ containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.memcached | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.memcached }}

 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -29,8 +29,7 @@ containerSecurityContext:
  readOnlyRootFilesystem: false
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.minio | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.minio }}

 defaultBuckets: "openproject,openxchange,ums,nextcloud"

@@ -63,13 +62,13 @@ livenessProbe:
  periodSeconds: 10
  timeoutSeconds: 10

-mode: {{ if gt .Values.replicas.minio 1 }}"distributed"{{ else }}"standalone"{{ end }}
+mode: "standalone"

 metrics:
  serviceMonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    additionalLabels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}

 networkPolicy:
  enabled: false
@@ -89,13 +88,16 @@ provisioning:
  extraCommands:
    - "mc anonymous set download provisioning/ums/portal-assets"
  buckets:
-    - name: {{ .Values.objectstores.openproject.bucket | quote }}
+    - name: "openproject"
      versioning: true
      withLock: false
-    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
+    - name: "openxchange"
+      versioning: true
+      withLock: false
+    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} 
      versioning: false
      withLock: false
-    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
+    - name: "nextcloud"
      versioning: true
      withLock: false
  policies:
@@ -111,6 +113,18 @@ provisioning:
          effect: "Allow"
          actions:
            - "s3:*"
+    - name: "openxchange-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::openxchange"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::openxchange/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
    - name: "ums-bucket-policy"
      statements:
        - resources:
@@ -136,19 +150,25 @@ provisioning:
          actions:
            - "s3:*"
  users:
-    - username: {{ .Values.objectstores.openproject.username | quote }}
+    - username: "openproject_user"
      password: {{ .Values.secrets.minio.openprojectUser | quote }}
      disabled: false
      policies:
        - "openproject-bucket-policy"
      setPolicies: true
+    - username: "openxchange_user"
+      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
+      disabled: false
+      policies:
+        - "openxchange-bucket-policy"
+      setPolicies: true
    - username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
      password: {{ .Values.secrets.minio.umsUser | quote }}
      disabled: false
      policies:
        - "ums-bucket-policy"
      setPolicies: true
-    - username: {{ .Values.objectstores.nextcloud.username | quote }}
+    - username: "nextcloud_user"
      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
      disabled: false
      policies:
@@ -172,6 +192,6 @@ startupProbe:
  timeoutSeconds: 10

 statefulset:
-  replicaCount: {{ .Values.replicas.minio }}
+  replicaCount: {{ .Values.replicas.minioDistributed }}

 ...
--- a/helmfile/apps/services/values-otterize.yaml.gotmpl
+++ b/helmfile/apps/services/values-otterize.yaml.gotmpl
@@ -20,6 +20,8 @@ apps:
    enabled: {{ .Values.intercom.enabled }}
  jitsi:
    enabled: {{ .Values.jitsi.enabled }}
+  keycloak:
+    enabled: {{ .Values.keycloak.enabled }}
  mariadb:
    enabled: {{ .Values.mariadb.enabled }}
  memcached:
@@ -45,10 +47,6 @@ apps:
  xwiki:
    enabled: {{ .Values.xwiki.enabled }}

-ingressController:
-  {{ .Values.security.ingressController | toYaml | nindent 2 }}
-
-
 extraApps:
  clusterPostfix:
    enabled: {{ .Values.security.clusterPostfix.enabled }}
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -17,8 +17,7 @@ containerSecurityContext:
  runAsUser: 0
  runAsGroup: 0
  privileged: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.postfix }}

 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.postgresql }}

 job:

@@ -27,7 +26,7 @@ podSecurityContext:
 postgres:
  user: "postgres"

-replicaCount: {{ .Values.replicas.postgres }}
+replicaCount: 1

 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services/values-redis.yaml.gotmpl
@@ -30,8 +30,7 @@ master:
    capabilities:
      drop:
        - "ALL"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.redis | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.redis }}
  count: {{ .Values.replicas.redis }}
  persistence:
    size: {{ .Values.persistence.size.redis | quote }}
@@ -39,7 +38,28 @@ master:
    {{ .Values.resources.redis | toYaml | nindent 4 }}

 metrics:
-  enabled: false
+  enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.redisExporter.registry | quote }}
+    repository: {{ .Values.images.redisExporter.repository | quote }}
+    tag: {{ .Values.images.redisExporter.tag | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  serviceMonitor:
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    additionalLabels:
+      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+  containerSecurityContext:
+    enabled: true
+    seLinuxOptions: {}
+    runAsUser: 1001
+    runAsGroup: 0
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL

 sentinel:
  enabled: false
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -12,144 +12,126 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/\
-      {{ .Values.charts.umsGuardianManagementApi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}"
  - name: "ums-guardian-management-ui-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/\
-      {{ .Values.charts.umsGuardianManagementUi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}"
  - name: "ums-guardian-authorization-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/\
-      {{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
  - name: "ums-open-policy-agent-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/\
-      {{ .Values.charts.umsOpenPolicyAgent.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
  - name: "ums-ldap-server-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsLdapServer.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/\
-      {{ .Values.charts.umsLdapServer.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
  - name: "ums-ldap-notifier-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsLdapNotifier.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/\
-      {{ .Values.charts.umsLdapNotifier.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
  - name: "ums-udm-rest-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUdmRestApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/\
-      {{ .Values.charts.umsUdmRestApi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
  - name: "ums-stack-data-ums-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsStackDataUms.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/\
-      {{ .Values.charts.umsStackDataUms.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
  - name: "ums-stack-data-swp-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsStackDataSwp.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/\
-      {{ .Values.charts.umsStackDataSwp.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
  - name: "ums-portal-server-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalServer.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/\
-      {{ .Values.charts.umsPortalServer.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
  - name: "ums-notifications-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsNotificationsApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/\
-      {{ .Values.charts.umsNotificationsApi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
  - name: "ums-portal-listener-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalListener.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/\
-      {{ .Values.charts.umsPortalListener.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
  - name: "ums-portal-frontend-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalFrontend.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/\
-      {{ .Values.charts.umsPortalFrontend.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
  - name: "ums-umc-gateway-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUmcGateway.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/\
-      {{ .Values.charts.umsUmcGateway.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
  - name: "ums-umc-server-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUmcServer.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/\
-      {{ .Values.charts.umsUmcServer.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
  - name: "ums-selfservice-listener-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsSelfserviceListener.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/\
-      {{ .Values.charts.umsSelfserviceListener.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
  - name: "ums-provisioning-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsProvisioning.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/\
-      {{ .Values.charts.umsProvisioning.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/{{ .Values.charts.umsProvisioning.repository }}"

  # Univention Keycloak Extensions
  - name: "ums-keycloak-extensions-repo"
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/\
-      {{ .Values.charts.umsKeycloakExtensions.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}"
  # Univention Keycloak
  - name: "ums-keycloak-repo"
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
@@ -157,16 +139,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/\
-      {{ .Values.charts.umsKeycloak.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}"
  - name: "ums-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/\
-      {{ .Values.charts.umsKeycloakBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}"
  - name: "opendesk-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
@@ -183,8 +163,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/\
-      {{ .Values.charts.nginx.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"

 releases:
  - name: "ums-keycloak"
@@ -350,15 +329,6 @@ releases:
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

-  - name: "ums-provisioning-udm-listener"
-    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioningUdmListener.name }}"
-    version: "{{ .Values.charts.umsProvisioningUdmListener.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-provisioning-udm-listener.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
  - name: "ums-guardian-management-api"
    chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
    version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
@@ -7,7 +7,7 @@ guardianAuthorizationApi:
  guardianAuthzAdapterAppPersistencePort: "udm_data"
  guardianAuthzAdapterPolicyPort: "opa"
  guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
+  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  guardianAuthzLoggingStructured: false
  guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
  home: "/guardian_service_dir"
@@ -55,7 +55,6 @@ securityContext:
  runAsGroup: 1000
  runAsNonRoot: true
  readOnlyRootFilesystem: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi }}

 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
@@ -16,7 +16,7 @@ guardianManagementApi:
  guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
  guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
  guardianManagementAdapterResourceAuthorizationPort: "always"
-  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
+  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  guardianManagementLoggingStructured: false
  guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
  guardianManagementBaseUrl: "http://0.0.0.0:8000"
@@ -73,7 +73,6 @@ securityContext:
  runAsGroup: 1000
  runAsNonRoot: true
  readOnlyRootFilesystem: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi }}

 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
@@ -46,7 +46,6 @@ securityContext:
  runAsGroup: 0
  runAsNonRoot: false
  readOnlyRootFilesystem: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi }}

 ...
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
@@ -16,6 +16,9 @@ resources:

 securityContext:
  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
@@ -24,8 +27,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier }}

 volumes:
  claims:
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
@@ -23,70 +23,65 @@ extraVolumeMounts:
    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
    subPath: "opendeskProjectmanagement.schema"

-extraSecrets:
-  - name: ums-stack-openldap-credentials
-    stringData:
-      adminPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
+  repository: {{ .Values.images.umsLdapServer.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsLdapServer.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}

-waitForDependency:
-  image:
+  waitForDependency:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}

 ldapServer:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
-    repository: {{ .Values.images.umsLdapServer.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsLdapServer.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
+  waitForSamlMetadata: true
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}

-  config:
-    domainName: "univention-organization.intranet"
-    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-    samlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
-    samlMetadataUrlInternal: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
-    samlServiceProviders: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
-  credentialSecret:
-    name: ums-stack-openldap-credentials
-    key: adminPassword
-      
 persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
-legacy:
-  sharedRunSize: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
+  sharedData:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
+  sharedRun:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}

-resources:
-  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
-
-initResources:
-  {{ .Values.resources.umsLdapServerInit | toYaml | nindent 2 }}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 102
-  fsGroupChangePolicy: "Always"
-  sysctls:
-    - name: "net.ipv4.ip_unprivileged_port_start"
-      value: "1"
-
-containerSecurityContext:
-  enabled: true
+securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-  runAsUser: 101
-  runAsGroup: 102
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer }}
+
+service:
+  type: "ClusterIP"
+
+resources:
+  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}

 ...
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
@@ -28,7 +28,6 @@ postgresql:
    username: {{ .Values.databases.umsNotificationsApi.username | quote }}
    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
-    existingSecret: "ums-notifications-api-postgresql-credentials"

 resources:
  {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
@@ -45,11 +44,6 @@ securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi }}

-extraSecrets:
-  - name: ums-notifications-api-postgresql-credentials
-    stringData:
-      password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
 ...
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
@@ -46,7 +46,6 @@ securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsOpenPolicyAgent | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent }}

 ...
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -597,8 +597,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap }}

 podAnnotations:
  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
@@ -83,8 +83,6 @@ image:
        path: "/univention/portal/custom/"
    tls: {}

-replicaCount: {{ .Values.replicas.umsPortalFrontend }}
-
 resources:
  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}

@@ -112,6 +110,5 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }}
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
@@ -41,10 +41,10 @@ portalListener:
  udmApiUsername: "cn=admin"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
-  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  objectStorageEndpoint: "http://minio:9000"
+  objectStorageBucket: "ums"
+  objectStorageAccessKeyId: "ums_user"
+  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}

 resources:
  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
@@ -79,7 +79,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener }}

 ...
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -16,60 +16,44 @@ portalServer:
  editable: "false"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
  ucsInternalPath: "portal-data"
-  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
+  objectStorageEndpoint: "http://minio:9000"
+  objectStorageBucket: "ums"
+  objectStorageAccessKeyId: "ums_user"
+  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
  centralNavigation:
    enabled: true
-    
-  credentialSecret:
-    name: "ums-portal-server-minio-credentials"
-
-replicaCount: {{ .Values.replicas.umsPortalServer }}
+    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}

 resources:
  {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-  sysctls:
-    - name: "net.ipv4.ip_unprivileged_port_start"
-      value: "1"
-
-containerSecurityContext:
+securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-  enabled: true
-  runAsUser: 1000
-  runAsGroup: 1000
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer }}

-
-extraSecrets:
-  - name: ums-portal-server-minio-credentials
-    stringData:
-      accessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-      secretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
-  - name: ums-portal-server-authenticator-credentials
-    stringData:
-      authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-
-extraVolumes:
-  - name: authenticator-secret
-    secret:
-      secretName: ums-portal-server-authenticator-credentials
-
-extraVolumeMounts:
-  - name: authenticator-secret
-    mountPath: "/var/secrets/authenticator.secret"
-    subPath: "authenticator.secret"
 ...
--- a/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
@@ -1,33 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
---
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
-  repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-config:
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  tlsMode: "off"
-  natsHost: "ums-provisioning-nats"
-  natsPort: "4222"
-  natsUser: "udmlistener"
-  natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
-  internalApiHost: "ums-provisioning-api"
-  eventsUsernameUdm: "udmproducer"
-  eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
-
-resources:
-  {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
-...
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
@@ -4,22 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---

-api:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-  config:
-    rootPath: "/univention/provisioning-api"
-  resources:
-    {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
-  credentialSecretName: "ums-provisioning-api-credentials"
-
 dispatcher:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
@@ -31,191 +15,123 @@ dispatcher:
      - name: {{ . | quote }}
      {{- end }}
  resources:
-    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
-  config:
-    UDM_HOST: "ums-udm-rest-api"
-    UDM_PORT: 80
-  credentialSecretName: "ums-provisioning-dispatcher-credentials"
-  
-prefill:
-  image: 
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }}
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    readOnlyRootFilesystem: false
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
+
+events-and-consumer-api:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }}
+    tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
+  rootPath: "/univention/provisioning-api"
+  ingress:
+    # copied from values-common.yaml.gotmpl
+    # Intentionally not using the Ingress configuration of the UMS stack at the
+    # moment, since it does depend on rewriting capabilities of the ingress
+    # controller. Those are encapsulated into the release "stack-gateway" so that
+    # the compatibility with all ingress controllers is increased.
+    enabled: false
+    host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  resources:
-    {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    readOnlyRootFilesystem: false
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
+
+udm-listener:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
  config:
-    UDM_HOST: "ums-udm-rest-api"
-    UDM_PORT: 80
-  credentialSecretName: "ums-provisioning-prefill-credentials"
+    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+    ldapHost: {{ .Values.ldap.host | quote }}
+    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  resources:
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+      add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+    privileged: false
+    seccompProfile:
+      type: "RuntimeDefault"
+    runAsUser: 0
+    runAsGroup: 0
+    runAsNonRoot: false
+    readOnlyRootFilesystem: false
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}

 nats:
-  affinity: ""
-  nameOverride: ""
-  bundled: true
-  connection:
-    host: "ums-provisioning-nats"
-    port: 4222
-  config:
-    authorization:
-      enabled: true
-      users:
-        - user: "$NATS_USER"
-          password: "$NATS_PASSWORD"
-          permissions:
-            publish: ">"
-            subscribe: ">"
-        - user: "$NATS_API_USER"
-          password: "$NATS_API_PASSWORD"
-          permissions:
-            publish: ">"
-            subscribe: ">"
-        - user: "$NATS_DISPATCHER_USER"
-          password: "$NATS_DISPATCHER_PASSWORD"
-          permissions:
-            publish: ">"
-            subscribe: ">"
-        - user: "$NATS_PREFILL_USER"
-          password: "$NATS_PREFILL_PASSWORD"
-          permissions:
-            publish: ">"
-            subscribe: ">"
-        - user: "$NATS_UDMLISTENER_USER"
-          password: "$NATS_UDMLISTENER_PASSWORD"
-          permissions:
-            publish: ">"
-            subscribe: ">"
-        - user: "$NATS_ADMIN_USER"
-          password: "$NATS_ADMIN_PASSWORD"
-          permissions:
-            publish: ">"
-            subscribe: ">"
-  resources:
-    {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
-
-  extraEnvVars:
-    - name: NATS_USER
-      value: "master_admin"
-    - name: NATS_PASSWORD
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-nats-credentials
-          key: admin_password
-    - name: NATS_ADMIN_USER
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-api-credentials
-          key: ADMIN_NATS_USER
-    - name: NATS_ADMIN_PASSWORD
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-api-credentials
-          key: ADMIN_NATS_PASSWORD
-    - name: NATS_API_USER
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-api-credentials
-          key: NATS_USER
-    - name: NATS_API_PASSWORD
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-api-credentials
-          key: NATS_PASSWORD
-    - name: NATS_DISPATCHER_USER
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-dispatcher-credentials
-          key: NATS_USER
-    - name: NATS_DISPATCHER_PASSWORD
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-dispatcher-credentials
-          key: NATS_PASSWORD
-    - name: NATS_PREFILL_USER
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-prefill-credentials
-          key: NATS_USER
-    - name: NATS_PREFILL_PASSWORD
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-prefill-credentials
-          key: NATS_PASSWORD
-    - name: NATS_UDMLISTENER_USER
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-udmlistener-credentials
-          key: NATS_USER
-    - name: NATS_UDMLISTENER_PASSWORD
-      valueFrom:
-        secretKeyRef:
-          name: ums-provisioning-udmlistener-credentials
-          key: NATS_PASSWORD
-
-extraSecrets:
-  - name: ums-provisioning-nats-credentials
-    stringData:
-      admin_password: {{ .Values.secrets.nats.natsAdminPassword }}
-  - name: ums-provisioning-api-credentials
-    stringData:
-      NATS_USER: "api"
-      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
-      ADMIN_NATS_USER: "admin"
-      ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
-      UDM_HOST: "udm-rest-api"
-      ADMIN_USERNAME: "admin"
-      ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
-      DISPATCHER_USERNAME: "dispatcher"
-      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
-      PREFILL_USERNAME: "prefill"
-      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
-      EVENTS_USERNAME_UDM: "udmproducer"
-      EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
-  - name: ums-provisioning-dispatcher-credentials
-    stringData:
-      NATS_USER: "dispatcher"
-      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
-      DISPATCHER_USERNAME: "dispatcher"
-      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
-  - name: ums-provisioning-prefill-credentials
-    stringData:
-      NATS_USER: "prefill"
-      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
-      UDM_USERNAME: "cn=admin"
-      UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-      PREFILL_USERNAME: "prefill"
-      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
-  - name: ums-provisioning-udmlistener-credentials
-    stringData:
-      NATS_USER: "udmlistener"
-      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 1000
-  runAsGroup: 1000
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-  sysctls:
-    - name: "net.ipv4.ip_unprivileged_port_start"
-      value: "1"
-
-
+  global:
+    image:
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+      pullSecretNames: {{ .Values.global.imagePullSecrets }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }}
+  container:
+    image:
+      registry: {{ .Values.global.imageRegistry }}
+      repository: {{ .Values.images.umsProvisioningNats.repository | quote }}
+      tag: {{ .Values.images.umsProvisioningNats.tag | quote }}
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  natsBox:
+    container:
+      image:
+        registry: {{ .Values.global.imageRegistry }}
+        repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }}
+        tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }}
+        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  reloader:
+    image:
+      repository: {{ .Values.images.umsProvisioningNatsReloader.repository | quote }}
+      tag: {{ .Values.images.umsProvisioningNatsReloader.tag | quote }}
+      registry: {{ .Values.global.imageRegistry }}
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

 ...
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
@@ -73,7 +73,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsSelfserviceListener | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }}

 ...
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
@@ -29,8 +29,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}

 stackDataContext:
  ldapBase: "dc=swp-ldap,dc=internal"
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
@@ -29,8 +29,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}

 stackDataContext:
  idpSamlMetadataUrlInternal: null
@@ -47,12 +46,7 @@ stackDataContext:
  umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
-  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
-  initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}
-  umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
-  umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
-  umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
-  umcMemcachedUsername: "selfservice"
+  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}

 stackDataUms:
  loadDevData: true
--- a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
@@ -53,8 +53,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsStoreDav | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav }}

 storeDav:
  auth:
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
@@ -14,51 +14,51 @@ extraVolumeMounts:
    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
    subPath: "flag_to_group_mapping.json"

+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
+  repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
 resources:
  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}

-initResources:
-  {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 2 }}
-
-replicaCount: {{ .Values.replicas.umsUdmRestApi }}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-
-containerSecurityContext:
+securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-  enabled: true
-  runAsUser: 1000
-  runAsGroup: 1000
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
+  readOnlyRootFilesystem: false
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi }}

 udmRestApi:
-  secretRef: ums-udm-rest-api-credentials
-  ldap:
-    uri: "ldap://{{ .Values.ldap.host }}:389"
-    baseDN: {{ .Values.ldap.baseDn | quote }}
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
-    repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-
-extraSecrets:
-  - name: ums-udm-rest-api-credentials
-    stringData:
-      ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-      machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  # TODO: Stub value currently
+  caCert: ""
+  # TODO: Secret should be entered without b64enc
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+  # TODO: Secret should be entered without b64enc
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}

 ...
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
@@ -58,7 +58,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }}

 ...
--- a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
@@ -53,8 +53,7 @@ memcached:
  bundled: false
  auth:
    username: null
-    # This is also used by the umc-server Helm chart to generate a secret. The secrets content is represented as an environment variable. If said variable is empty, the container fails to start due to an entrypoint script erroring on a nullish value for the environment variable SELF_SERVICE_MEMCACHED_SECRET.
-    password: "password"
+    password: null
  server: {{ .Values.cache.umsSelfservice.host | quote }}

 postgresql:
@@ -95,16 +94,14 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }}

 umcServer:
  certPemFile: "/var/secrets/ssl/tls.crt"
-  caCert: "Cg=="
-  certPem: "Cg=="
-  privateKey: "Cg=="
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  # TODO: Secret should be entered without b64enc
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+  # TODO: Secret should be entered without b64enc
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
  smtpSecret: {{ .Values.smtp.password | quote }}
  privateKeyFile: "/var/secrets/ssl/tls.key"

--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
@@ -66,8 +66,7 @@ containerSecurityContext:
  runAsUser: 1000
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap }}

 podAnnotations:
  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
@@ -27,10 +27,6 @@ handler:
  imagePullSecrets: {{ .Values.global.imagePullSecrets }}
  appConfig:
    captchaProtectionEnable: false
-    deviceProtectionEnable: true
-    ipProtectionEnable: true
-    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
-    newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
    smtpPassword: {{ .Values.smtp.password | quote }}
    smtpHost: {{ .Values.smtp.host | quote }}
    smtpPort: {{ .Values.smtp.port | quote }}
@@ -48,15 +44,12 @@ handler:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
  resources:
    {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
 postgresql:
  enabled: false
 proxy:
-  appConfig:
-    logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }}
    repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
@@ -78,14 +71,6 @@ proxy:
        path: "/resources"
      - pathType: "Prefix"
        path: "/fingerprintjs"
-      - pathType: "Exact"
-        path: "/univention/meta.json"
-        backend:
-          service:
-            name: "ums-stack-gateway"
-            port:
-              name: "http"
-
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
@@ -104,8 +89,7 @@ proxy:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
  resources:
    {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -25,7 +25,7 @@ config:
    user: {{ .Values.databases.keycloak.username | quote }}
    database: {{ .Values.databases.keycloak.name | quote }}
    password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  enableMetrics: true
  # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
  # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
@@ -44,8 +44,7 @@ containerSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }}

 podSecurityContext:
  fsGroup: 1000
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -45,8 +45,7 @@ containerSecurityContext:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsStackGateway | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}

 service:
  type: "ClusterIP"
@@ -281,6 +280,12 @@ serverBlock: |
      proxy_pass http://ums-portal-frontend:80/;
    }

+    ## ums-provisioning
+    location /univention/provisioning-api/ {
+      rewrite ^/univention/provisioning-api(/.*)$ $1 break;
+      proxy_pass http://ums-provisioning-events-and-consumer-api:80;
+    }
+
    ## guardian
    location /univention/guardian/management-ui {
      proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/\
-      {{ .Values.charts.xwiki.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"

 releases:
  - name: "xwiki"
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -36,8 +36,7 @@ containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.xwiki | toYaml | nindent 4 }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.xwiki }}

 customConfigs:
  xwiki.cfg:
@@ -162,8 +161,7 @@ properties:
    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "{{ .Values.theme.texts.productName }} Wissen - $!tdoc.displayTitle"

-cluster:
-  replicas: {{ .Values.replicas.xwiki }}
+replicaCount: {{ .Values.replicas.xwiki }}

 resources:
  {{ .Values.resources.xwiki | toYaml | nindent 2 }}
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
--- a/helmfile/environments/default/debug.yaml
+++ b/helmfile/environments/default/debug.yaml
@@ -14,6 +14,6 @@ debug:
  # should activate debug output in all components and even allow e.g. successfully executed jobs
  # to stay available. This is going to be implemented on a case by case basis when we actually
  # need debugging in a component.
-  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}`
+  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}`
  enabled: false
 ...
--- a/Show More
+++ b/Show More