fix(element): Update Element Web to v1.11.59 with widget sync fix and NeoBoard to 1.14.0

Signed-off-by: Milton Moura <miltonmoura@gmail.com>
fix(element): Update to EW release image and related release charts
2025-12-09 00:38:34 +01:00 · 2024-03-14 12:58:27 -01:00 · 2024-02-28 12:28:22 -01:00 · 2024-02-28 10:58:10 -01:00 · 2024-02-28 09:26:27 -01:00 · 2024-02-27 16:38:10 -01:00
76 changed files with 1502 additions and 1699 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,4 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
@@ -12,7 +11,6 @@ include:
  - local: "/.gitlab/generate/generate-docs.yml"
  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    file: "gitlab/environments.yaml"
    ref: "main"
  - local: "/.gitlab/lint/lint-opendesk.yml"
    rules:
      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
@@ -20,7 +18,7 @@ include:
      - when: "always"
  - local: "/.gitlab/lint/lint-kyverno.yml"
    rules:
-      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|triggers'"
+      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
        when: "never"
      - when: "always"
@@ -36,6 +34,7 @@ stages:
  - "component-deploy-stage-2"
  - "tests"
  - "env-stop"
  - "generate-release-assets"
  - ".post"
 variables:
@@ -43,15 +42,14 @@ variables:
    description: "The name of namespaces to deploy to."
    value: ""
  CLUSTER:
-    description: "Which cluster to use. Cluster must be defined in `gitlab/environments.yaml` of the
+    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
-        repo that is included above using the env var `PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG`:
+      sovereign-workplace-env included above."
        ${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    value: "dev"
  MASTER_PASSWORD_WEB_VAR:
-    description: "Optional: Provide a seed to be used for generation of all internal secrets. Same seed will result in same secrets."
+    description: "Optional: Provide a passphrase to be used for password generation."
    value: ""
  ENV_STOP_BEFORE:
-    description: "Stop environment/delete namespace for the deployment."
+    description: "Stop environment/delete namespace for the deployment"
    value: "no"
    options:
      - "yes"
@@ -454,7 +452,7 @@ avscan-prepare:
          $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "always"
    - when: "never"
-  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/mikefarah/yq"
+  image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
  script:
    - |
      cat << 'EOF' > dynamic-scans.yml
@@ -510,6 +508,34 @@ avscan-start:
        job: "avscan-prepare"
    strategy: "depend"
 generate-release-assets:
  stage: "generate-release-assets"
  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
  rules:
    - if: >
        $JOB_AVSCAN_ENABLED != 'false' &&
        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "on_success"
    - when: "never"
  script:
    - |
      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
      cd opendesk-asset-generator
      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
      ./opendesk_asset_generator.py
      mv ./build_artefacts ${CI_PROJECT_DIR}
      cd ..
      rm -rf opendesk-asset-generator
      ls -l ./build_artefacts
  artifacts:
    paths:
      - "./build_artefacts/chart-index.json"
      - "./build_artefacts/image-index.json"
  tags: []
  variables:
    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
 # Declare .environments which is in environments repository. In case it is not available
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
@@ -548,6 +574,8 @@ generate-release-version:
      when: "on_success"
 release:
  dependencies:
    - "generate-release-assets"
  rules:
    - if: >
        $JOB_AVSCAN_ENABLED != 'false' &&
@@ -568,7 +596,7 @@ release:
    - |
      echo -e "\n[INFO] Writing data to helm value file..."
      cat <<EOF >helmfile/environments/default/global.generated.yaml
-      # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+      # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
      # SPDX-License-Identifier: Apache-2.0
      ---
      global:
@@ -581,7 +609,16 @@ release:
      {
        "branches": ["main"],
        "plugins": [
-          "@semantic-release/gitlab",
+          ["@semantic-release/gitlab",
            {
              "assets": [
                { "path": "./build_artefacts/chart-index.json",
                  "label": "Chart Index JSON" },
                { "path": "./build_artefacts/image-index.json",
                  "label": "Image Index JSON" },
              ]
            }
          ],
          "@semantic-release/release-notes-generator",
          "@semantic-release/changelog",
          ["@semantic-release/git", {
@@ -600,5 +637,6 @@ release:
      EOF
    - "semantic-release"
  needs:
    - "generate-release-assets"
    - "generate-docs"
 ...
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,50 +1,3 @@
 ## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28)
 ### Bug Fixes
 * **docs:** Various updates ([50e2638](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/50e263866be8b51ef295ebf8025c3117821a2b6c))
 * **element:** Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([0fd4a26](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0fd4a26c711fb345b79cdff1c775d7ef20335768))
 * **helmfile:** Fix OpenAPI validations for Kubernetes v1.28 ([0aa4cfb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0aa4cfb46f793369a472a736b28eea834a545439))
 * **nextcloud:** Bump to 28.0.3 ([34d2c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/34d2c059596466f8f7d6d09c2855c595391a7e0d))
 * **nextcloud:** Rename default shared folder to `__Shared_with_me__` ([5f9d015](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5f9d015f0b98579d652fd4172e74835ed67ccf11))
 * **open-xchange:** Bump to 8.22 ([5ebf291](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5ebf291a4dbe88a09c0afe2befa6140ad33bf30b))
 * **openproject:** Bump OpenProject to 13.4.0 ([d565c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d565c057ddb7b348f7a829e0f931b1ea448b454b))
 * **openproject:** Bump version to 13.4.1 ([7cc3964](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7cc39647d89538630bac9caa158c47b5cb8d2c45))
 * **services:** Update Otterize Policies ([42f63e3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/42f63e399230495c83f934e07beb9fc950ef5e29))
 * **univention-management-stack:** Add missing authenticator secret mount to portal-server ([5a39e87](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5a39e8725b6454591f552f87f12535201e52df7c))
 * **univention-management-stack:** Update LDAP server for BSI base security compliance ([8e889db](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8e889db63eaf05b24cc23838545f63d969232c65))
 * **univention-management-stack:** Update ldap-notifier and ldap-server ([a41ddd5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a41ddd5451a9fbd3c6319827fee3eaffbd931271))
 * **univention-management-stack:** Update provisioning charts, images and helm value to add authentication ([8c97bcf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8c97bcf994487281ae94e6d66c73f4a11c08a0be))
 ## [0.5.80](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.79...v0.5.80) (2024-03-11)
 ### Bug Fixes
 * **ci:** Remove creation of release artefacts, use the `images.yaml` and `charts.yaml` in `./helmfile/environments/default` for information about the artefacts instead. ([ee99eef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ee99eefb72d3207866ffd1b3bd21a36bd55ad288))
 * **collabora:** Bump image to 23.05.9.4.1 ([9c32058](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9c32058fcc21a14e9e66a46064ea044402638920))
 * **docs:** Add development.md and refactor `images.yaml` and `charts.yaml` ([a2b333b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a2b333b46277a4bb86b75ca04edb64e69efff916))
 * **helmfile:** YAML handling of seLinuxOptions and align overall `toYaml` syntax ([011ad2c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/011ad2cd6bfe552e04a598452e8814d4d1029152))
 * **nextcloud:** Update images digests ([bc18724](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc18724d70ffff749d5192487944e62233cf4376))
 * **openproject:** Bump to 13.3.1 ([7ee9e47](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ee9e47e8269334294c80093a359b247d86f5d62))
 ## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29)
 ### Bug Fixes
 * **collabora:** Bump image to 23.05.9.2.1 ([f4b8226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f4b8226ea13971a38d61145ea9ac3821bc35f6b3))
 * **collabora:** Fix aliasgroups configuration whitelisting the Nextcloud host ([8b065fd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8b065fd9d789cdd597a584937fefaae40f42bba2))
 * **docs:** Update version numbers of functional components for release in README.md ([31e5cf3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31e5cf317ca7cd84a94cf42d57d0964152904471))
 * **element:** Provide end-to-end encryption as user controlled option ([3d31127](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3d31127a6ab0fa1d3af02695b521db5918932279))
 * **helmfile:** Enhance objectore environment variables to allow external Object Store ([d444226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d4442261aa141e21222dc13407023b96570d055f))
 * **helmfile:** Set debuglevel to WARN instead of INFO when debug is not enabled. ([2efceef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2efceef076beb06a3719859d7f4e2f0d03b99f44))
 * **nextcloud:** Bump images to enable password_policy and fix email with groupware ([8807b24](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8807b24ce09e59aaea39c349e9e12ee2a44a117a))
 * **univention-management-stack:** Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([2023d5b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2023d5bce4642f794831670713b1a2520a0419d6))
 * **univention-management-stack:** Provisioning version bump ([410a023](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/410a0237149a5e41434c09795959bc53e57fb4ca))
 * **univention-management-stack:** Template more Keycloak Extension values incl. logLevel ([7ec123b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ec123b9a174c8dade1fe9f6679796979749efab))
 ## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23)
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
@@ -11,7 +11,6 @@ SPDX-License-Identifier: Apache-2.0
 * [Requirements](#requirements)
 * [Getting started](#getting-started)
 * [Advanced customization](#advanced-customization)
 * [Development](#development)
 * [Releases](#releases)
 * [Components](#components)
 * [Feedback](#feedback)
@@ -27,17 +26,17 @@ Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
 openDesk currently features the following functional main components:
-| Function             | Functional Component        | Component<br/>Version                                                                                          | Upstream Documentation                                                                                                                       |
+| Function             | Functional Component        | Component<br/>Version | Upstream Documentation |
-| -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+| -------------------- | --------------------------- | --------------------- | ----------------- |
-| Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59)                                 | [For the most recent release](https://element.io/user-guide)                                                                                 |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
-| Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
+| Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
-| File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
+| File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
-| Groupware            | OX Appsuite                 | [8.22](https://documentation.open-xchange.com/appsuite/releases/8.22/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
+| Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
-| Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
+| Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
-| Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
+| Portal & IAM         | Nubus                       | Product Preview[^1]   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
-| Project management   | OpenProject                 | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
-| Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
+| Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
-| Weboffice            | Collabora                   | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practises regarding container design and operations.
@@ -77,10 +76,6 @@ Of course, further development also includes enhancing the documentation itself.
 - [Monitoring](./docs/monitoring.md)
 - [Theming](./docs/theming.md)
 # Development
 ⟶ To understand the repository contents from a developer perspective please read the [Development](./docs/development.md) guide.
 # Releases
 All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
@@ -89,10 +84,9 @@ Gitlab provides an
 [overview on the releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 of this project.
-Please find a list of the artefacts related to the release either in the source code archive attached to the release or
+The following release artefacts are provided beside the default source code assets:
-in the files from the release's git-tag:
+- `chart-index.json`: An overview of all Helm charts used by the release.
- `./helmfile/environments/default/images.yaml`
+- `image-index.json`: An overview of all container images used by the release.
 - `./helmfile/environments/default/charts.yaml`
 ⟶ Visit our detailed [Workflow](./docs/workflow.md) docs.
@@ -108,7 +102,7 @@ Related to the deployment / contents of this repository,
 please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
 If you want to address other topics, please check the section
-["Rückmeldungen und Beteiligung" in the OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung) of the [openDesk Info Repository](https://gitlab.opencode.de/bmi/opendesk/info).
+["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 # License
--- a/docs/components.md
+++ b/docs/components.md
@@ -1,6 +1,5 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Components</h1>
@@ -35,6 +34,7 @@ they need to be replaced in production deployments.
 | ClamAV (Simple)             | Antivirus engine               | Eval       |
 | Collabora                   | Weboffice                      | Functional |
 | CryptPad                    | Weboffice                      | Functional |
 | Dovecot                     | Mail backend                   | Functional |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
@@ -44,8 +44,7 @@ they need to be replaced in production deployments.
 | Nextcloud                   | File share                     | Functional |
 | OpenProject                 | Project management             | Functional |
 | OX Appsuite                 | Groupware                      | Functional |
-| OX Dovecot                  | Mail backend (IMAP)            | Functional |
+| Provisioning                | Backend provisioning           | Functional |
 | Provisioning (OX Connector) | Groupware provisioning         | Functional |
 | Postfix                     | MTA                            | Eval       |
 | PostgreSQL                  | Database                       | Eval       |
 | Redis                       | Cache Database                 | Eval       |
@@ -74,7 +73,7 @@ flowchart TD
 ## Intercom Service (ICS)
-The Univention Intercom Service's role is to enable cross-application integration based on browser interaction.
+The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
 Handling authentication when the frontend of an application is using the API from another application is often a
 challenge.
 For more details on the ICS please refer to its own [doc](./components/intercom-service.md).
@@ -114,13 +113,8 @@ The Filestore can be enabled on a per-project level in OpenProject's project adm
 # Identity data flows
 An overview of
- components that consume the LDAP service.
+- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
-  - The components accessing the LDAP using a component specific LDAP search account.
+- components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.
 - components using Univention Keycloak as identity provider (IdP).
  - If not otherwise denoted the components make use of OAuth2 / OIDC flows.
  - All components have a client configured in Keycloak, except for Jitsi which is using authentication with the
    [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) that does not
    require an OIDC client to be configured in Keycloak.
 Some components trust others to handle authentication for them.
--- a/docs/development.md
+++ b/docs/development.md
@@ -1,142 +0,0 @@
 <!--
 SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Developing openDesk deployment automation</h1>
 Active development on the deployment is currently only available for project members.
 But contributions will be possible soon once the CLA process is sorted out.
 * [Overview](#overview)
 * [Default branch, `develop` and other branches](#default-branch-develop-and-other-branches)
 * [External artefacts - `charts.yaml` and `images.yaml`](#external-artefacts---chartsyaml-and-imagesyaml)
  * [Linting](#linting)
  * [Renovate](#renovate)
  * [Mirroring](#mirroring)
    * [Get new artefacts mirrored](#get-new-artefacts-mirrored)
 * [Creating new charts / images](#creating-new-charts--images)
 # Overview
 The following sketch provides an high level overview to get a basic understanding of the deployment relevant
 structure of this repository. An understanding of that structure is vital if you want to contribute to
 the development of the deployment automation of openDesk.
 ```mermaid
 flowchart TD
    A[./helmfile.yaml]-->B[./helmfile/apps/*all_configured_apps*/helmfile.yaml\nReferences the relevant app Helm\ncharts using details from 'charts.yaml']
    B-->C[./values-*all_configured_components*.yaml.gotmpl\nValues to template the charts\nwith references to the `images.yaml`]
    A-->D[./helmfile/environments/default/*\nwith just some examples below]
    D-->F[charts.yaml]
    D-->G[images.yaml]
    D-->H[global.*]
    D-->I[secrets.yaml\nreplicas.yaml\nresources.yaml\n...]
    A-->|overwrite defaults with your\ndeployment/environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
 ```
 The `helmfile.yaml` in the root folder is the basis for the whole deployment. It references the app specific `helmfile.yaml` files as well as some
 global values files in `./environments/default`. It allows you to overwrite defaults by using one of the three predefined environments `dev`, `test`
 and `prod`.
 Before you look into any app specifc configuration it is recommended to review the contents of `./environments/default` to get an understanding of what
 details are maintained in there, as they are usually referenced by the app configurations.
 # Default branch, `develop` and other branches
 The `main` branch is configured to be the default branch, as visitors of the project on Open CoDE should see that
 branch by default.
 Please use the `develop` branch to diverge your own branch(es) from. See the [workflow guide](./workflow.md)
 for more details on naming conventions.
 There is a CI bot that automatically creates a merge request once you initially pushed your branch to Open CoDE.
 The merge request will of course target the `develop` branch, be in status `draft` and have you as assignee.
 In case you do not plan to actually merge from the branch you have pushed, please close or delete the autocreated MR.
 # External artefacts - `charts.yaml` and `images.yaml`
 The `charts.yaml` and `images.yaml` are the central place to reference external artefacts that are used for the deployment.
 Beside the deployment automation itself some tools work with the contents of the files:
 - **Linting**: Ensures consistency of the file contents for the other tools.
 - **Renovate**: Automatically create MRs that update the components to their latest version.
 - **Mirror**: Mirror artefacts to Open CoDE.
 Please find details on these tools below.
 ## Linting
 In the project's CI there is a step dedicated to lint the two yaml files, as we want them to be in
 - alphabetical order regarding the components and
 - in a logical order regarding the non-commented lines (registry > repository > tag).
 In the linting step the [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli) is used to apply the
 just mentioned sorting and the result is compared with the unsorted version. If there is a delta the linting fails and you probably
 want to fix it by running the CLI tool locally.
 **Note**: Please ensure that in component blocks you use comments only at the beginning of the block or at its end. Ideally you just stick
 with the many available examples in the yaml files.
 Example:
 ```
  synapse:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Element'
    # upstreamRegistry: 'registry-1.docker.io'
    # upstreamRepository: 'matrixdotorg/synapse'
    # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ['1', '91', '2']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
 ```
 ## Renovate
 Uses a regular expression to match the values of the following attributes:
 - `registry`
 - `repository`
 - `tag`
 Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).
 ## Mirroring
 - See also: https://gitlab.opencode.de/bmi/opendesk/tooling/oci-pull-mirror
 **Note:** The mirror is scheduled to run every hour at 42 minutes past the hour.
 openDesk strives to make all relevant artefacts available on Open CoDE so there is the mirroring process
 configured to pull artefacts that do not originate from Open CoDE into projects called `*-Mirror` within the
 [openDesk Components section](https://gitlab.opencode.de/bmi/opendesk/components).
 The mirror script takes the information on what artefacts to mirror from the annotation inside the two yaml files:
 - `# upstreamRegistry` *required*: To identify the source registry
 - `# upstreamRepository` *required*: To identify the source repository
 - `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression.
 - `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artefacts beginning with a specific version. You must use capturing groups
  in `# upstreamMirrorTagFilterRegEx` to identify the single numeric elements of the version within the tag and use per capturing group (left to right) one numeric array
  element here to define the version the mirror should start with.
 ### Get new artefacts mirrored
 If you want new images or charts to be mirrored that are not yet included in one of the yaml files there are two options:
 You include them in your branch with all required annotations and either
 1. ask somebody from the platform development team to trigger the mirror's CI based on your branch or
 2. you get your branch merged to `develop` already.
 # Creating new charts / images
 When you create new Helm charts please check out the
 [openDesk Best Practises](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-best-practises)
 for Helm charts.
 You may also want to make use of our [standard CI](https://gitlab.opencode.de/bmi/opendesk/tooling/gitlab-config) to
 easily get Charts and Images that are signed, linted, scanned and released.
 Check out the `.gitlab-ci.yaml` files in the project's [Charts](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts) or [Images](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images) to get an idea how little you need to do yourself.
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -82,6 +82,7 @@ openDesk certificate management disabled.
 Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
 | Group    | Type                | Version | Tested against        |
 |----------|---------------------|---------|-----------------------|
 | Cache    | Memached            | `1.6.x` | Memached              |
--- a/docs/workflow.md
+++ b/docs/workflow.md
@@ -1,6 +1,5 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
@@ -140,19 +139,17 @@ As a standard, the openDesk platform development team uses [reuse.software](http
 openDesk uses Apache 2.0 as the license for their work. A typical reuse copyright and license header looks like this:
 ```
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ```
 As the way to mark the license header as a comment differs between the various filetypes, please find matching examples for the types all across the [deployment automation repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace).
 **Remark**: If there is already an existing `SPDX-FileCopyrightText` please just add the one from the above example.
 ## Development workflow
 ### Disclaimer
 openDesk consists only of community products, so there is no SLA to receive service updates or backports of critical security fixes. This has two consequences:
- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backed paid versions.
+- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backend paid versions.
 - openDesk aims to always update to the latest available releases of the community components and we therefore have rolling technical releases.
 ### Workflow
@@ -228,28 +225,22 @@ gitGraph
 The Standard Quality Gate addresses quality assurance steps that should be executed within each of the mentioned quality gates in the workflow.
 1. Linting
   - Blocking
     - Licening: [reuse](https://github.com/fsfe/reuse-tool)
     - openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in the [development](./development.md) docu
   - Non Blocking
     - Security: [Kyverno policy check](../.kyverno) addressing some IT-Grundschutz requirements
     - Formal: Yaml
 1. Deploy the full openDesk stack from scratch:
   - All deployment steps must be successful (green)
   - All tests from the end-to-end test set must be successful
-1. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
+2. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
   - Deploy the current merge target baseline (`develop` or `main`)
   - Update deploy from your QA branch into the instance from the previous step
-1. No showstopper found regarding
+3. No showstopper found regarding
   - SBOM compliance[^4]
   - Malware check
   - CVE check[^5]
   - Kubescape scan[^5]
   - Kyverno policy check (also covering some basic requirements from IT-Grundschutz)[^5]
-Steps #1 to #3 from above are executed as GitLab CI and therefore documented within GitLab.
+Steps #1 and #2 from above are executed as GitLab CI and therefore documented within GitLab.
-Step #4 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
+Step #3 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
 ```mermaid
 flowchart TD
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -11,7 +11,7 @@ collabora:
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
-    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 fullnameOverride: "collabora"
@@ -19,9 +19,9 @@ grafana:
  dashboards:
    enabled: {{ .Values.grafana.dashboards.enabled }}
    labels:
-      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
+      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
    annotations:
-      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
+      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
 image:
  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -90,11 +90,11 @@ prometheus:
  servicemonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
  rules:
    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
    additionalLabels:
-      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
+      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
 replicaCount: {{ .Values.replicas.collabora }}
@@ -126,8 +126,7 @@ securityContext:
      - "NET_RAW"
      - "SYS_CHROOT"
      - "MKNOD"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
    {{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}
 serviceAccount:
  create: true
 ...
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -70,8 +70,7 @@ securityContext:
  runAsNonRoot: true
  runAsUser: 4001
  runAsGroup: 4001
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}
    {{ .Values.seLinuxOptions.cryptpad | toYaml | nindent 4 }}
 serviceAccount:
  create: true
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -107,8 +107,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.element }}
    {{ .Values.seLinuxOptions.element | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}
    {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}
    {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -35,7 +35,6 @@ securityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -35,8 +35,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}
    {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
 extraEnvVars:
  - name: "ACCESS_TOKEN"
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -18,8 +18,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}
    {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -35,6 +35,5 @@ securityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
  runAsUser: 0
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}
    {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
 extraEnvVars:
  - name: "UVS_ACCESS_TOKEN"
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}
    {{ .Values.seLinuxOptions.synapseWeb | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -79,8 +79,7 @@ containerSecurityContext:
  runAsGroup: 10991
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}
    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -18,8 +18,7 @@ containerSecurityContext:
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}
    {{ .Values.seLinuxOptions.wellKnown | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}
    {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -23,8 +23,7 @@ containerSecurityContext:
  runAsUser: 1993
  runAsGroup: 1993
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}
    {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -68,6 +67,7 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -75,8 +75,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
        {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
  prosody:
    image:
      repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -116,6 +115,7 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -123,8 +123,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
        {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
@@ -138,6 +137,7 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -145,8 +145,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
        {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
@@ -161,6 +160,7 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -168,8 +168,7 @@ jitsi:
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
        {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
@@ -207,8 +206,7 @@ patchJVB:
    runAsNonRoot: true
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
      {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -51,16 +51,9 @@ configuration:
  objectstore:
    auth:
      accessKey:
-        value: {{ .Values.objectstores.nextcloud.username | quote }}
+        value: "nextcloud_user"
      secretKey:
-        value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
+        value: {{ .Values.secrets.minio.nextcloudUser | quote }}
    bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
    host: {{ .Values.objectstores.nextcloud.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
    region: {{ .Values.objectstores.nextcloud.region | quote }}
    storageClass: {{ .Values.objectstores.nextcloud.storageClass | quote }}
    port: {{ .Values.objectstores.nextcloud.port | quote }}
    pathStyle: {{ .Values.objectstores.nextcloud.pathStyle | quote }}
    useSSL: {{ .Values.objectstores.nextcloud.useSSL | quote }}
  oidc:
    username:
      value: "opendesk-nextcloud"
@@ -95,8 +88,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}
    {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
 debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -25,8 +25,7 @@ exporter:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
      {{ .Values.seLinuxOptions.nextcloudExporter | toYaml | nindent 6 }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -36,11 +35,11 @@ exporter:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -79,8 +78,7 @@ php:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
      {{ .Values.seLinuxOptions.nextcloudPHP | toYaml | nindent 6 }}
  cron:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
@@ -94,11 +92,11 @@ php:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
@@ -120,8 +118,7 @@ apache2:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
      {{ .Values.seLinuxOptions.nextcloudApache2 | toYaml | nindent 6 }}
  ingress:
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -6,7 +6,7 @@ bases:
 ---
 repositories:
  # openDesk Dovecot
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dovecot
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
  - name: "dovecot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.dovecot.verify }}
@@ -18,8 +18,6 @@ repositories:
  # Open-Xchange
  - name: "open-xchange-repo"
    keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
    verify: {{ .Values.charts.openXchangeAppSuite.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
@@ -27,7 +25,7 @@ repositories:
      {{ .Values.charts.openXchangeAppSuite.repository }}"
  # openDesk Open-Xchange Bootstrap
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
  - name: "open-xchange-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -66,8 +66,7 @@ containerSecurityContext:
  readOnlyRootFilesystem: true
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}
    {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -40,8 +40,7 @@ nextcloud-integration-ui:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}
      {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI | toYaml | nindent 6 }}
 public-sector-ui:
  image:
@@ -68,8 +67,7 @@ public-sector-ui:
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}
      {{ .Values.seLinuxOptions.openxchangePublicSectorUI | toYaml | nindent 6 }}
 appsuite:
  appsuite-toolkit:
@@ -133,8 +131,7 @@ appsuite:
        privileged: false
        seccompProfile:
          type: "RuntimeDefault"
-        seLinuxOptions:
+        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
          {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
    hooks:
      beforeAppsuiteStart:
        create-guard-dir.sh: |
@@ -359,8 +356,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}
        {{ .Values.seLinuxOptions.openxchangeCoreUI | toYaml | nindent 8 }}
  core-ui-middleware:
    enabled: true
@@ -402,8 +398,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
        {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware | toYaml | nindent 8 }}
  core-cacheservice:
    enabled: false
@@ -433,8 +428,7 @@ appsuite:
          - "ALL"
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}
        {{ .Values.seLinuxOptions.openxchangeDocumentConverter | toYaml | nindent 8 }}
  core-documents-collaboration:
    enabled: false
@@ -476,8 +470,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}
        {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours | toYaml | nindent 8 }}
  core-imageconverter:
    enabled: true
@@ -507,8 +500,7 @@ appsuite:
          - "ALL"
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}
        {{ .Values.seLinuxOptions.openxchangeImageConverter | toYaml | nindent 8 }}
  guard-ui:
    enabled: true
@@ -534,8 +526,7 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
        {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
  core-spellcheck:
    enabled: false
@@ -564,6 +555,5 @@ appsuite:
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions:
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
        {{ .Values.seLinuxOptions.openxchangeCoreUserGuide | toYaml | nindent 8 }}
 ...
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -38,8 +38,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}
    {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -20,13 +20,12 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}
    {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
+  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
@@ -156,13 +155,13 @@ s3:
  enabled: true
  endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  pathStyle: {{ .Values.objectstores.openproject.pathStyle | quote }}
+  pathStyle: "true"
  region: {{ .Values.objectstores.openproject.region | quote }}
  bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
  use_iam_profile: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
  auth:
    accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
-    secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
+    secretAccessKey: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
 seederJob:
  annotations:
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -20,7 +20,7 @@ oxConnector:
  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
  domainName: {{ .Values.global.domain | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
@@ -85,8 +85,7 @@ securityContext:
  runAsGroup: 0
  runAsNonRoot: false
  readOnlyRootFilesystem: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}
    {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
 serviceAccount:
  create: true
--- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -15,8 +15,7 @@ clamd:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.clamd }}
      {{ .Values.seLinuxOptions.clamd | toYaml | nindent 6 }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
@@ -42,8 +41,7 @@ containerSecurityContext:
  capabilities:
    drop: []
  privileged: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}
    {{ .Values.seLinuxOptions.clamav | toYaml | nindent 4 }}
 freshclam:
  containerSecurityContext:
@@ -59,8 +57,7 @@ freshclam:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }}
      {{ .Values.seLinuxOptions.freshclam | toYaml | nindent 6 }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
    repository: {{ .Values.images.freshclam.repository | quote }}
@@ -92,8 +89,7 @@ icap:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.icap }}
      {{ .Values.seLinuxOptions.icap | toYaml | nindent 6 }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
@@ -121,8 +117,7 @@ milter:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.milter }}
      {{ .Values.seLinuxOptions.milter | toYaml | nindent 6 }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
    repository: {{ .Values.images.milter.repository | quote }}
--- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }}
    {{ .Values.seLinuxOptions.clamavSimple | toYaml | nindent 4 }}
 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -17,8 +17,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }}
    {{ .Values.seLinuxOptions.mariadb | toYaml | nindent 4 }}
 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -16,8 +16,7 @@ containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.memcached }}
    {{ .Values.seLinuxOptions.memcached | toYaml | nindent 4 }}
 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -29,8 +29,7 @@ containerSecurityContext:
  readOnlyRootFilesystem: false
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.minio }}
    {{ .Values.seLinuxOptions.minio | toYaml | nindent 4 }}
 defaultBuckets: "openproject,openxchange,ums,nextcloud"
@@ -69,7 +68,7 @@ metrics:
  serviceMonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    additionalLabels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
 networkPolicy:
  enabled: false
@@ -89,13 +88,16 @@ provisioning:
  extraCommands:
    - "mc anonymous set download provisioning/ums/portal-assets"
  buckets:
-    - name: {{ .Values.objectstores.openproject.bucket | quote }}
+    - name: "openproject"
      versioning: true
      withLock: false
    - name: "openxchange"
      versioning: true
      withLock: false
    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
      versioning: false
      withLock: false
-    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
+    - name: "nextcloud"
      versioning: true
      withLock: false
  policies:
@@ -111,6 +113,18 @@ provisioning:
          effect: "Allow"
          actions:
            - "s3:*"
    - name: "openxchange-bucket-policy"
      statements:
        - resources:
            - "arn:aws:s3:::openxchange"
          effect: "Allow"
          actions:
            - "s3:*"
        - resources:
            - "arn:aws:s3:::openxchange/*"
          effect: "Allow"
          actions:
            - "s3:*"
    - name: "ums-bucket-policy"
      statements:
        - resources:
@@ -136,19 +150,25 @@ provisioning:
          actions:
            - "s3:*"
  users:
-    - username: {{ .Values.objectstores.openproject.username | quote }}
+    - username: "openproject_user"
      password: {{ .Values.secrets.minio.openprojectUser | quote }}
      disabled: false
      policies:
        - "openproject-bucket-policy"
      setPolicies: true
    - username: "openxchange_user"
      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
      disabled: false
      policies:
        - "openxchange-bucket-policy"
      setPolicies: true
    - username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
      password: {{ .Values.secrets.minio.umsUser | quote }}
      disabled: false
      policies:
        - "ums-bucket-policy"
      setPolicies: true
-    - username: {{ .Values.objectstores.nextcloud.username | quote }}
+    - username: "nextcloud_user"
      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
      disabled: false
      policies:
--- a/helmfile/apps/services/values-otterize.yaml.gotmpl
+++ b/helmfile/apps/services/values-otterize.yaml.gotmpl
@@ -20,6 +20,8 @@ apps:
    enabled: {{ .Values.intercom.enabled }}
  jitsi:
    enabled: {{ .Values.jitsi.enabled }}
  keycloak:
    enabled: {{ .Values.keycloak.enabled }}
  mariadb:
    enabled: {{ .Values.mariadb.enabled }}
  memcached:
@@ -45,10 +47,6 @@ apps:
  xwiki:
    enabled: {{ .Values.xwiki.enabled }}
 ingressController:
  {{ .Values.security.ingressController | toYaml | nindent 2 }}
 extraApps:
  clusterPostfix:
    enabled: {{ .Values.security.clusterPostfix.enabled }}
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -17,8 +17,7 @@ containerSecurityContext:
  runAsUser: 0
  runAsGroup: 0
  privileged: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.postfix }}
    {{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}
 global:
  imagePullSecrets:
--- a/helmfile/apps/services/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -14,8 +14,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.postgresql }}
    {{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}
 job:
--- a/helmfile/apps/services/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services/values-redis.yaml.gotmpl
@@ -30,8 +30,7 @@ master:
    capabilities:
      drop:
        - "ALL"
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.redis }}
      {{ .Values.seLinuxOptions.redis | toYaml | nindent 6 }}
  count: {{ .Values.replicas.redis }}
  persistence:
    size: {{ .Values.persistence.size.redis | quote }}
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -350,15 +350,6 @@ releases:
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-provisioning-udm-listener"
    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioningUdmListener.name }}"
    version: "{{ .Values.charts.umsProvisioningUdmListener.version }}"
    values:
      - "values-common.yaml.gotmpl"
      - "values-provisioning-udm-listener.yaml.gotmpl"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-guardian-management-api"
    chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
    version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
@@ -7,7 +7,7 @@ guardianAuthorizationApi:
  guardianAuthzAdapterAppPersistencePort: "udm_data"
  guardianAuthzAdapterPolicyPort: "opa"
  guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
+  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  guardianAuthzLoggingStructured: false
  guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
  home: "/guardian_service_dir"
@@ -55,7 +55,6 @@ securityContext:
  runAsGroup: 1000
  runAsNonRoot: true
  readOnlyRootFilesystem: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi }}
    {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
@@ -16,7 +16,7 @@ guardianManagementApi:
  guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
  guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
  guardianManagementAdapterResourceAuthorizationPort: "always"
-  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
+  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  guardianManagementLoggingStructured: false
  guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
  guardianManagementBaseUrl: "http://0.0.0.0:8000"
@@ -73,7 +73,6 @@ securityContext:
  runAsGroup: 1000
  runAsNonRoot: true
  readOnlyRootFilesystem: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi }}
    {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
@@ -46,7 +46,6 @@ securityContext:
  runAsGroup: 0
  runAsNonRoot: false
  readOnlyRootFilesystem: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi }}
    {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
@@ -16,6 +16,9 @@ resources:
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
@@ -24,8 +27,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier }}
    {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 4 }}
 volumes:
  claims:
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
@@ -23,70 +23,65 @@ extraVolumeMounts:
    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
    subPath: "opendeskProjectmanagement.schema"
-extraSecrets:
+image:
-  - name: ums-stack-openldap-credentials
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
-    stringData:
+  repository: {{ .Values.images.umsLdapServer.repository | quote }}
-      adminPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsLdapServer.tag | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
-waitForDependency:
+  waitForDependency:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 ldapServer:
-  image:
+  waitForSamlMetadata: true
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-    repository: {{ .Values.images.umsLdapServer.repository | quote }}
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsLdapServer.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
  config:
    domainName: "univention-organization.intranet"
    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
    samlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
    samlMetadataUrlInternal: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
    samlServiceProviders: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
  credentialSecret:
    name: ums-stack-openldap-credentials
    key: adminPassword
 persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  sharedData:
-  size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-legacy:
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
-  sharedRunSize: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
+  sharedRun:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
-resources:
+securityContext:
  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
 initResources:
  {{ .Values.resources.umsLdapServerInit | toYaml | nindent 2 }}
 podSecurityContext:
  enabled: true
  fsGroup: 102
  fsGroupChangePolicy: "Always"
  sysctls:
    - name: "net.ipv4.ip_unprivileged_port_start"
      value: "1"
 containerSecurityContext:
  enabled: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-  runAsUser: 101
+    add:
-  runAsGroup: 102
+      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
+  readOnlyRootFilesystem: false
-  runAsNonRoot: true
+  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer }}
 service:
  type: "ClusterIP"
 resources:
  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
@@ -28,7 +28,6 @@ postgresql:
    username: {{ .Values.databases.umsNotificationsApi.username | quote }}
    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
    existingSecret: "ums-notifications-api-postgresql-credentials"
 resources:
  {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
@@ -45,11 +44,6 @@ securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi }}
    {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }}
 extraSecrets:
  - name: ums-notifications-api-postgresql-credentials
    stringData:
      password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
 ...
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
@@ -46,7 +46,6 @@ securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent }}
    {{ .Values.seLinuxOptions.umsOpenPolicyAgent | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -597,8 +597,7 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap }}
    {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
 podAnnotations:
  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
@@ -112,6 +112,5 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }}
    {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
@@ -41,10 +41,10 @@ portalListener:
  udmApiUsername: "cn=admin"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  objectStorageEndpoint: "http://minio:9000"
-  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
+  objectStorageBucket: "ums"
-  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
+  objectStorageAccessKeyId: "ums_user"
-  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
 resources:
  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
@@ -79,7 +79,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener }}
    {{ .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -16,60 +16,46 @@ portalServer:
  editable: "false"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
  ucsInternalPath: "portal-data"
-  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  objectStorageEndpoint: "http://minio:9000"
-  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
+  objectStorageBucket: "ums"
  objectStorageAccessKeyId: "ums_user"
  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
  centralNavigation:
    enabled: true
-    
+    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  credentialSecret:
    name: "ums-portal-server-minio-credentials"
 replicaCount: {{ .Values.replicas.umsPortalServer }}
 resources:
  {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
-podSecurityContext:
+securityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "Always"
  sysctls:
    - name: "net.ipv4.ip_unprivileged_port_start"
      value: "1"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-  enabled: true
+    add:
-  runAsUser: 1000
+      - "CHOWN"
-  runAsGroup: 1000
+      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
+  readOnlyRootFilesystem: false
-  runAsNonRoot: true
+  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer }}
 extraSecrets:
  - name: ums-portal-server-minio-credentials
    stringData:
      accessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
      secretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
  - name: ums-portal-server-authenticator-credentials
    stringData:
      authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
 extraVolumes:
  - name: authenticator-secret
    secret:
      secretName: ums-portal-server-authenticator-credentials
 extraVolumeMounts:
  - name: authenticator-secret
    mountPath: "/var/secrets/authenticator.secret"
    subPath: "authenticator.secret"
 ...
--- a/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
@@ -1,33 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
  repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
 config:
  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  notifierServer: {{ .Values.ldap.notifierHost | quote }}
  tlsMode: "off"
  natsHost: "ums-provisioning-nats"
  natsPort: "4222"
  natsUser: "udmlistener"
  natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
  internalApiHost: "ums-provisioning-api"
  eventsUsernameUdm: "udmproducer"
  eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
 resources:
  {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
@@ -4,22 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 api:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
  config:
    rootPath: "/univention/provisioning-api"
  resources:
    {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
  credentialSecretName: "ums-provisioning-api-credentials"
 dispatcher:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
@@ -31,191 +15,123 @@ dispatcher:
      - name: {{ . | quote }}
      {{- end }}
  resources:
-    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
-  config:
+  securityContext:
-    UDM_HOST: "ums-udm-rest-api"
+    allowPrivilegeEscalation: false
-    UDM_PORT: 80
+    capabilities:
-  credentialSecretName: "ums-provisioning-dispatcher-credentials"
+      drop:
-  
+        - "ALL"
-prefill:
+    privileged: false
-  image: 
+    seccompProfile:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
+      type: "RuntimeDefault"
-    repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }}
+    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    readOnlyRootFilesystem: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
 events-and-consumer-api:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }}
+    tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
  rootPath: "/univention/provisioning-api"
  ingress:
    # copied from values-common.yaml.gotmpl
    # Intentionally not using the Ingress configuration of the UMS stack at the
    # moment, since it does depend on rewriting capabilities of the ingress
    # controller. Those are encapsulated into the release "stack-gateway" so that
    # the compatibility with all ingress controllers is increased.
    enabled: false
    host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  resources:
-    {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    readOnlyRootFilesystem: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
 udm-listener:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
    repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
  config:
-    UDM_HOST: "ums-udm-rest-api"
+    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-    UDM_PORT: 80
+    ldapHost: {{ .Values.ldap.host | quote }}
-  credentialSecretName: "ums-provisioning-prefill-credentials"
+    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  resources:
    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
      add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
    runAsUser: 0
    runAsGroup: 0
    runAsNonRoot: false
    readOnlyRootFilesystem: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}
 nats:
-  affinity: ""
+  global:
-  nameOverride: ""
+    image:
-  bundled: true
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  connection:
+      pullSecretNames: {{ .Values.global.imagePullSecrets }}
-    host: "ums-provisioning-nats"
+      registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }}
-    port: 4222
+  container:
-  config:
+    image:
-    authorization:
+      registry: {{ .Values.global.imageRegistry }}
-      enabled: true
+      repository: {{ .Values.images.umsProvisioningNats.repository | quote }}
-      users:
+      tag: {{ .Values.images.umsProvisioningNats.tag | quote }}
-        - user: "$NATS_USER"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-          password: "$NATS_PASSWORD"
+  natsBox:
-          permissions:
+    container:
-            publish: ">"
+      image:
-            subscribe: ">"
+        registry: {{ .Values.global.imageRegistry }}
-        - user: "$NATS_API_USER"
+        repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }}
-          password: "$NATS_API_PASSWORD"
+        tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }}
-          permissions:
+        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-            publish: ">"
+  reloader:
-            subscribe: ">"
+    image:
-        - user: "$NATS_DISPATCHER_USER"
+      repository: {{ .Values.images.umsProvisioningNatsReloader.repository | quote }}
-          password: "$NATS_DISPATCHER_PASSWORD"
+      tag: {{ .Values.images.umsProvisioningNatsReloader.tag | quote }}
-          permissions:
+      registry: {{ .Values.global.imageRegistry }}
-            publish: ">"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
            subscribe: ">"
        - user: "$NATS_PREFILL_USER"
          password: "$NATS_PREFILL_PASSWORD"
          permissions:
            publish: ">"
            subscribe: ">"
        - user: "$NATS_UDMLISTENER_USER"
          password: "$NATS_UDMLISTENER_PASSWORD"
          permissions:
            publish: ">"
            subscribe: ">"
        - user: "$NATS_ADMIN_USER"
          password: "$NATS_ADMIN_PASSWORD"
          permissions:
            publish: ">"
            subscribe: ">"
  resources:
    {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
  extraEnvVars:
    - name: NATS_USER
      value: "master_admin"
    - name: NATS_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-nats-credentials
          key: admin_password
    - name: NATS_ADMIN_USER
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-api-credentials
          key: ADMIN_NATS_USER
    - name: NATS_ADMIN_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-api-credentials
          key: ADMIN_NATS_PASSWORD
    - name: NATS_API_USER
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-api-credentials
          key: NATS_USER
    - name: NATS_API_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-api-credentials
          key: NATS_PASSWORD
    - name: NATS_DISPATCHER_USER
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-dispatcher-credentials
          key: NATS_USER
    - name: NATS_DISPATCHER_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-dispatcher-credentials
          key: NATS_PASSWORD
    - name: NATS_PREFILL_USER
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-prefill-credentials
          key: NATS_USER
    - name: NATS_PREFILL_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-prefill-credentials
          key: NATS_PASSWORD
    - name: NATS_UDMLISTENER_USER
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-udmlistener-credentials
          key: NATS_USER
    - name: NATS_UDMLISTENER_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ums-provisioning-udmlistener-credentials
          key: NATS_PASSWORD
 extraSecrets:
  - name: ums-provisioning-nats-credentials
    stringData:
      admin_password: {{ .Values.secrets.nats.natsAdminPassword }}
  - name: ums-provisioning-api-credentials
    stringData:
      NATS_USER: "api"
      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
      ADMIN_NATS_USER: "admin"
      ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
      UDM_HOST: "udm-rest-api"
      ADMIN_USERNAME: "admin"
      ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
      DISPATCHER_USERNAME: "dispatcher"
      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
      PREFILL_USERNAME: "prefill"
      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
      EVENTS_USERNAME_UDM: "udmproducer"
      EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
  - name: ums-provisioning-dispatcher-credentials
    stringData:
      NATS_USER: "dispatcher"
      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
      DISPATCHER_USERNAME: "dispatcher"
      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
  - name: ums-provisioning-prefill-credentials
    stringData:
      NATS_USER: "prefill"
      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
      UDM_USERNAME: "cn=admin"
      UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
      PREFILL_USERNAME: "prefill"
      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
  - name: ums-provisioning-udmlistener-credentials
    stringData:
      NATS_USER: "udmlistener"
      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "Always"
  sysctls:
    - name: "net.ipv4.ip_unprivileged_port_start"
      value: "1"
 ...
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl
@@ -73,7 +73,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }}
    {{ .Values.seLinuxOptions.umsSelfserviceListener | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl
@@ -29,8 +29,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
    {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
 stackDataContext:
  ldapBase: "dc=swp-ldap,dc=internal"
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
@@ -29,8 +29,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
    {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
 stackDataContext:
  idpSamlMetadataUrlInternal: null
@@ -49,10 +48,6 @@ stackDataContext:
  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
  initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}
  umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
  umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
  umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
  umcMemcachedUsername: "selfservice"
 stackDataUms:
  loadDevData: true
--- a/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl
@@ -53,8 +53,7 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav }}
    {{ .Values.seLinuxOptions.umsStoreDav | toYaml | nindent 4 }}
 storeDav:
  auth:
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
@@ -14,51 +14,53 @@ extraVolumeMounts:
    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
    subPath: "flag_to_group_mapping.json"
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
  repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
 resources:
  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
 initResources:
  {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 2 }}
 replicaCount: {{ .Values.replicas.umsUdmRestApi }}
-podSecurityContext:
+securityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "Always"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-  enabled: true
+    add:
-  runAsUser: 1000
+      - "CHOWN"
-  runAsGroup: 1000
+      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
+  readOnlyRootFilesystem: false
-  runAsNonRoot: true
+  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi }}
 udmRestApi:
-  secretRef: ums-udm-rest-api-credentials
+  # TODO: Stub value currently
-  ldap:
+  caCert: ""
-    uri: "ldap://{{ .Values.ldap.host }}:389"
+  # TODO: Secret should be entered without b64enc
-    baseDN: {{ .Values.ldap.baseDn | quote }}
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  image:
+  # TODO: Secret should be entered without b64enc
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
    repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
 extraSecrets:
  - name: ums-udm-rest-api-credentials
    stringData:
      ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
      machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
 ...
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl
@@ -58,7 +58,6 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }}
    {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
@@ -53,8 +53,7 @@ memcached:
  bundled: false
  auth:
    username: null
-    # This is also used by the umc-server Helm chart to generate a secret. The secrets content is represented as an environment variable. If said variable is empty, the container fails to start due to an entrypoint script erroring on a nullish value for the environment variable SELF_SERVICE_MEMCACHED_SECRET.
+    password: null
    password: "password"
  server: {{ .Values.cache.umsSelfservice.host | quote }}
 postgresql:
@@ -95,16 +94,14 @@ securityContext:
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }}
    {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 4 }}
 umcServer:
  certPemFile: "/var/secrets/ssl/tls.crt"
-  caCert: "Cg=="
+  # TODO: Secret should be entered without b64enc
-  certPem: "Cg=="
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  privateKey: "Cg=="
+  # TODO: Secret should be entered without b64enc
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  smtpSecret: {{ .Values.smtp.password | quote }}
  privateKeyFile: "/var/secrets/ssl/tls.key"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
@@ -66,8 +66,7 @@ containerSecurityContext:
  runAsUser: 1000
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap }}
    {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 4 }}
 podAnnotations:
  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
@@ -27,10 +27,6 @@ handler:
  imagePullSecrets: {{ .Values.global.imagePullSecrets }}
  appConfig:
    captchaProtectionEnable: false
    deviceProtectionEnable: true
    ipProtectionEnable: true
    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
    newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
    smtpPassword: {{ .Values.smtp.password | quote }}
    smtpHost: {{ .Values.smtp.host | quote }}
    smtpPort: {{ .Values.smtp.port | quote }}
@@ -48,15 +44,12 @@ handler:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
      {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
  resources:
    {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
 postgresql:
  enabled: false
 proxy:
  appConfig:
    logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }}
    repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
@@ -78,14 +71,6 @@ proxy:
        path: "/resources"
      - pathType: "Prefix"
        path: "/fingerprintjs"
      - pathType: "Exact"
        path: "/univention/meta.json"
        backend:
          service:
            name: "ums-stack-gateway"
            port:
              name: "http"
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
@@ -104,8 +89,7 @@ proxy:
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
-    seLinuxOptions:
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
      {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
  resources:
    {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -25,7 +25,7 @@ config:
    user: {{ .Values.databases.keycloak.username | quote }}
    database: {{ .Values.databases.keycloak.name | quote }}
    password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  enableMetrics: true
  # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
  # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
@@ -44,8 +44,7 @@ containerSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  runAsNonRoot: true
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }}
    {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 4 }}
 podSecurityContext:
  fsGroup: 1000
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -45,8 +45,7 @@ containerSecurityContext:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}
    {{ .Values.seLinuxOptions.umsStackGateway | toYaml | nindent 4 }}
 service:
  type: "ClusterIP"
@@ -281,6 +280,12 @@ serverBlock: |
      proxy_pass http://ums-portal-frontend:80/;
    }
    ## ums-provisioning
    location /univention/provisioning-api/ {
      rewrite ^/univention/provisioning-api(/.*)$ $1 break;
      proxy_pass http://ums-provisioning-events-and-consumer-api:80;
    }
    ## guardian
    location /univention/guardian/management-ui {
      proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -36,8 +36,7 @@ containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
-  seLinuxOptions:
+  seLinuxOptions: {{ .Values.seLinuxOptions.xwiki }}
    {{ .Values.seLinuxOptions.xwiki | toYaml | nindent 4 }}
 customConfigs:
  xwiki.cfg:
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
--- a/helmfile/environments/default/debug.yaml
+++ b/helmfile/environments/default/debug.yaml
@@ -14,6 +14,6 @@ debug:
  # should activate debug output in all components and even allow e.g. successfully executed jobs
  # to stay available. This is going to be implemented on a case by case basis when we actually
  # need debugging in a component.
-  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}`
+  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}`
  enabled: false
 ...
--- a/helmfile/environments/default/global.generated.yaml
+++ b/helmfile/environments/default/global.generated.yaml
@@ -1,7 +1,7 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 global:
  systemInformation:
-    releaseVersion: "v0.5.81"
+    releaseVersion: "v0.5.78"
 ...
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -1,5 +1,4 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 ## The global properties are used to configure multiple charts at once.
@@ -10,7 +9,9 @@ global:
  hosts:
    collabora: "collabora"
    cryptpad: "cryptpad"
    dimension: "integration"
    element: "chat"
    etherpad: "etherpad"
    intercomService: "ics"
    jitsi: "meet"
    keycloak: "id"
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
--- a/helmfile/environments/default/objectstore.gotmpl
+++ b/helmfile/environments/default/objectstore.gotmpl
@@ -4,28 +4,20 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 objectstores:
  nextcloud:
    bucket: "nextcloud"
    endpoint: ""
    region: "eu-west-1"
    secretKey: ""
    username: "nextcloud_user"
    storageClass: "STANDARD"
    useSSL: true
    pathStyle: true
    port: 443
  openproject:
    backend: "minio"
    bucket: "openproject"
    endpoint: ""
-    region: "eu-west-1"
+    region: ""
-    secretKey: ""
+    secret: ""
    username: "openproject_user"
    pathStyle: true
    useIAMProfile: ""
  univentionManagementStack:
    backend: "minio"
    bucket: "ums"
    endpoint: ""
-    region: "eu-west-1"
+    region: ""
-    secretKey: ""
+    secret: ""
    username: "ums_user"
    useIAMProfile: ""
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -396,13 +396,6 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsLdapServerInit:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsNotificationsApi:
    limits:
      cpu: 99
@@ -438,35 +431,7 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsProvisioningEventsAndConsumerApi:
+  umsProvisioning:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsProvisioningDispatcher:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsProvisioningPrefill:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsProvisioningUdmListener:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsProvisioningNats:
    limits:
      cpu: 99
      memory: "1Gi"
@@ -508,13 +473,6 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsUdmRestApiInit:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsUmcGateway:
    limits:
      cpu: 99
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -1,6 +1,5 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
@@ -30,21 +29,6 @@ secrets:
    storeDavUsers:
      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
    provisioning:
      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
  nats:
    natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
  postgresql:
    postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
    keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
@@ -93,8 +77,10 @@ secrets:
    jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
    jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
    jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
  etherpad:
    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
  whiteboard:
-    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "whiteboard" "apiKey" | sha1sum | quote }}
+    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
  centralnavigation:
    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum | quote }}
  redis:
--- a/helmfile/environments/default/security.yaml
+++ b/helmfile/environments/default/security.yaml
@@ -7,9 +7,4 @@ security:
  clusterPostfix:
    enabled: false
    namespace: ""
  ingressController:
    podSelector:
      matchLabels:
        app.kubernetes.io/name: "ingress-nginx"
    namespace: "ingress-nginx"
 ...
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -7,7 +7,6 @@
 ---
 seLinuxOptions:
  clamavSimple: ~
  clamav: ~
  clamd: ~
  collabora: ~
  cryptpad: ~
--- a/helmfile/environments/default/workplace.yaml
+++ b/helmfile/environments/default/workplace.yaml
@@ -19,6 +19,8 @@ intercom:
  enabled: true
 jitsi:
  enabled: true
 keycloak:
  enabled: true
 mariadb:
  enabled: true
 memcached:
Author	SHA1	Message	Date
Milton Moura	e0ff58a3a4	fix(element): Update Element Web to v1.11.59 with widget sync fix and NeoBoard to 1.14.0 Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-03-14 12:58:27 -01:00
Milton Moura	c9cca9e357	fix(element): Update to EW release image and related release charts Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-28 12:28:22 -01:00
Milton Moura	2b7ce2ae49	fix(element): Final tests before final MR Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-28 10:58:10 -01:00
Milton Moura	54e4664bf2	fix(element): Add widget toggles module config Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-28 09:26:27 -01:00
Milton Moura	89e4af80d2	feat(element): Adds Widget toggles module and e2ee + sticky room EW fixes Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-27 16:38:10 -01:00
Milton Moura	7f2b39cb46	feat(element): Enable E2EE for Element Web and NeoDateFix Bot Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-23 07:51:14 +00:00