chore(release): 0.9.0 [skip ci]

# [0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.8.1...v0.9.0) (2024-07-24)

### Bug Fixes

* **collabora:** Update to 24.04.5.1.1. ([8a2d951](8a2d951c3b))
* **collabora:** Update to 24.04.5.1.2. ([74d444e](74d444e2d6))
* **docs:** Update workflow.md. ([fd3df7d](fd3df7df67))
* **docu:** Update documentation on integration uses cases ([#95](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/95)). ([382af1d](382af1dfb9))
* **helmfile:** Add S3 bucket for migrations. ([972020f](972020f946))
* **helmfile:** Streamline prefixes for customizable defaults. UPGRADES: See `./docs/migrations.md` for more details. ([26a7641](26a7641a5a))
* **jitsi:** Raise memory limit for jicofo and jvb as required by upstream product. ([fe923bb](fe923bb9cd))
* **keycloak:** Support for custom OIDC Clients and ClientScopes. ([46412d1](46412d1a9e))
* **nextcloud:** Support templating of default quota and `*_retention_obligation` settings ([#93](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/93)). ([23ef1d5](23ef1d557b))
* **nextcloud:** Update to 28.0.7 including latest apps for 28. ([671f57a](671f57a809))
* **nextcloud:** Update to 28.0.7 including the apps, fix admin panel warnings ([#94](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/94)). Updated `cluster.networking.cidr` potentially requires manual migration, see `docs/migrations.md` for details. ([63f8394](63f8394e04))
* **openproject:** Bump to 14.3.0 and update Helm chart to 7.0.0. ([6b609ed](6b609edc4a))
* **openproject:** Support for adding token to enable OpenProject Premium. ([dfaf4be](dfaf4be640))
* **xwiki:** Add email address mapping to LDAP sync; Fix hostname `null` value in notification links. ([1067e72](1067e725b3))
* **xwiki:** Remove .rtf and .odt export options as they are currently non functional. ([b806d51](b806d51311))
* **xwiki:** Update to 16.4. ([db7f5d6](db7f5d60bd))
* **xwiki:** Update to 16.4.1. ([e54aaab](e54aaab072))

### Features

* **authentication:** Avoid that users can open a app they do not have the appropriate LDAP group set for. Implementation is based on role based client scopes. Introducing also an openDesk migration approach with a pre and post deployment stage. ([b4570a9](b4570a9a87))

.gitlab-ci.yml

@@ -36,9 +36,11 @@ stages:
   - "env-cleanup"
   - "env"
   - "pre-services-deploy"
+  - "migrations-pre"
   - "basic-services-deploy"
   - "component-deploy-stage-1"
   - "component-deploy-stage-2"
+  - "migrations-post"
   - "lint"
   - "tests"
   - "env-stop"
@@ -77,6 +79,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_MIGRATIONS:
+    description: "Deploy K8s job for migrations (pre & post)."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_SERVICES:
     description: "Enable Service deployment."
     value: "no"
@@ -208,6 +216,7 @@ env-cleanup:
         done
         kubectl delete pvc --all --namespace ${NAMESPACE};
         kubectl delete jobs --all --namespace ${NAMESPACE};
+        kubectl delete configmaps --all --namespace ${NAMESPACE};
       else
         helmfile destroy --namespace ${NAMESPACE};
       fi
@@ -250,6 +259,30 @@ policies-deploy:
     COMPONENT: "services"
     ADDITIONAL_ARGS: "-l name=opendesk-otterize"
 
+migrations-pre:
+  stage: "migrations-pre"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "migrations-pre"
+
+migrations-post:
+  stage: "migrations-post"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "migrations-post"
+
 services-deploy:
   stage: "basic-services-deploy"
   extends: ".deploy-common"

CHANGELOG.md

@@ -1,3 +1,31 @@
+# [0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.8.1...v0.9.0) (2024-07-24)
+
+
+### Bug Fixes
+
+* **collabora:** Update to 24.04.5.1.1. ([8a2d951](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8a2d951c3b59c3f8ddb508ad8f95798774b7c4b0))
+* **collabora:** Update to 24.04.5.1.2. ([74d444e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/74d444e2d6065082be3ca90373a4d3b1836ea7a8))
+* **docs:** Update workflow.md. ([fd3df7d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fd3df7df6740d8e54b433c039d294843582e8947))
+* **docu:** Update documentation on integration uses cases ([#95](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/95)). ([382af1d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/382af1dfb966b5d10da4790212d6422a4a8c5618))
+* **helmfile:** Add S3 bucket for migrations. ([972020f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/972020f946d8238e65b1c1e2942682c797306e1a))
+* **helmfile:** Streamline prefixes for customizable defaults. UPGRADES: See `./docs/migrations.md` for more details. ([26a7641](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/26a7641a5ab764196af6bbe26d97907de86f541e))
+* **jitsi:** Raise memory limit for jicofo and jvb as required by upstream product. ([fe923bb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fe923bb9cd58873957adb018c1410d33bb4d8f3a))
+* **keycloak:** Support for custom OIDC Clients and ClientScopes. ([46412d1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/46412d1a9e4547dea8d0da3e322400ea148edf19))
+* **nextcloud:** Support templating of default quota and `*_retention_obligation` settings ([#93](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/93)). ([23ef1d5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/23ef1d557bc0fdf6faac59f7a287f1ef1b302404))
+* **nextcloud:** Update to 28.0.7 including latest apps for 28. ([671f57a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/671f57a809eb4bb791698cda39f7711ac4833334))
+* **nextcloud:** Update to 28.0.7 including the apps, fix admin panel warnings ([#94](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/94)). Updated `cluster.networking.cidr` potentially requires manual migration, see `docs/migrations.md` for details. ([63f8394](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/63f8394e044670a89a642e933600b68ff740a102))
+* **openproject:** Bump to 14.3.0 and update Helm chart to 7.0.0. ([6b609ed](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6b609edc4a60601ca45372b4fc691f0ac7c9ed93))
+* **openproject:** Support for adding token to enable OpenProject Premium. ([dfaf4be](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/dfaf4be640209f5908815cceaf29db591212ddaa))
+* **xwiki:** Add email address mapping to LDAP sync; Fix hostname `null` value in notification links. ([1067e72](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1067e725b3dabce4ddfeb60b4cbe9e5b4d0db0e5))
+* **xwiki:** Remove .rtf and .odt export options as they are currently non functional. ([b806d51](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b806d51311c6d406ea3c93842601ddf5dbd13bb3))
+* **xwiki:** Update to 16.4. ([db7f5d6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/db7f5d60bdae437cebe58ab10f928a4a348e1ee3))
+* **xwiki:** Update to 16.4.1. ([e54aaab](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e54aaab072f31713b5172e4bab9ba7e9ca9c5c26))
+
+
+### Features
+
+* **authentication:** Avoid that users can open a app they do not have the appropriate LDAP group set for. Implementation is based on role based client scopes. Introducing also an openDesk migration approach with a pre and post deployment stage. ([b4570a9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b4570a9a873efa6c896fe543ab0ba3b94fd086c0))
+
 ## [0.8.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.8.0...v0.8.1) (2024-07-01)
 
 

README.md

@@ -36,9 +36,9 @@ openDesk currently features the following functional main components:
 | Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [14.2.0](https://www.openproject.org/docs/release-notes/14-2-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [14.3.0](https://www.openproject.org/docs/release-notes/14-3-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9457](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9457) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.4.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.5.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.

docs/enhanced-configuration/matrix-federation.md

@@ -37,10 +37,11 @@ If not used it is also set to `opendesk.domain.tld`.
 The following setting can disable federation:
 
 ```yaml
-externalServices:
-  matrix:
-    federation:
-      enabled: false
+functional:
+  externalServices:
+    matrix:
+      federation:
+        enabled: false
 ```
 
 ## Separate Matrix domain

docs/getting-started.md

@@ -3,7 +3,7 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 -->
 
-<h1>Getting stated</h1>
+<h1>Getting started</h1>
 
 This documentation should enable you to create your own evaluation instance of openDesk on your Kubernetes cluster.
 
@@ -195,7 +195,8 @@ If your cluster has not the default `10.0.0.0/8` CIDR configured, you need to pr
 ```yaml
 cluster:
   networking:
-    cidr: "127.0.0.0/8"
+    cidr:
+      - "127.0.0.0/8"
 ```
 
 ### Ingress

docs/migrations.md

@@ -3,10 +3,12 @@ SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlic
 SPDX-License-Identifier: Apache-2.0
 -->
 
-<h1>Migrations</h1>
+<h1>Upgrade migrations</h1>
 
 * [Disclaimer](#disclaimer)
 * [From v0.8.1](#from-v081)
+  * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
+  * [Updated customizable template attributes](#updated-customizable-template-attributes)
   * [`migrations` S3 bucket](#migrations-s3-bucket)
 
 # Disclaimer
@@ -17,7 +19,21 @@ Though we try to ease the pain when it comes to 0.x upgrades. That is what this
 
 # From v0.8.1
 
+## Updated `cluster.networking.cidr`
+
+- Action: `cluster.networking.cidr` is now an array (was a string until 0.8.1), please update your setup accordingly if you explicitly set this value.
+- Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml)
+
+## Updated customizable template attributes
+
+- Action: Please ensure you update you custom deployment values according with the updated default value structure.
+- References:
+  - `functional.` prefix for `authentication.*`, `externalServices.*`, `admin.*` and `filestore.*`, see [functional.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/functional.yaml).
+  - `debug.` prefix for `cleanup.*`, see [debug.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/debug.yaml).
+  - `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
+  - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
+
 ## `migrations` S3 bucket
 
-- Commit: [1e834fee](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/commit/1e834fee9db6bdb948f31c994d5ab309e6f86947)
-- Action: Please ensure you add a bucket `migrations` to your S3.
+- Action: For self managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
+- Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)

docs/requirements.md

@@ -33,11 +33,11 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
 
 The following minimal requirements are thought for initial evaluation deployment:
 
-| Spec | Value                                                |
-|------|------------------------------------------------------|
-| CPU  | 8 Cores of x64 or x86 CPU (ARM is not supported yet) |
-| RAM  | 16 GB, recommended 32 GB                             |
-| Disk | HDD or SSD, >10 GB                                   |
+| Spec | Value                                                 |
+| ---- | ----------------------------------------------------- |
+| CPU  | 12 Cores of x64 or x86 CPU (ARM is not supported yet) |
+| RAM  | 32 GB, more recommended                               |
+| Disk | HDD or SSD, >10 GB                                    |
 
 # Kubernetes
 

docs/workflow.md

@@ -22,8 +22,8 @@ SPDX-License-Identifier: Apache-2.0
       * [Branch workflows](#branch-workflows)
         * [`main`](#main)
         * [`develop`](#develop)
-        * [`docu`](#docu)
-        * [`mntn`](#mntn)
+        * [`docs`](#docs)
+        * [`fix`](#fix)
         * [`feat`](#feat)
       * [Branch names](#branch-names)
       * [Commit messages / Conventional Commits](#commit-messages--conventional-commits)
@@ -169,8 +169,8 @@ The basic facts for the flow are:
   - Developers can create sub-branches from their feature branch(es) as needed.
 - When a *feature* branch gets pushed a Merge Request in `Draft` state is automatically created.
 - We know three types of *feature* branches:
-  - `docu`: Doing just documentation changes
-  - `mntn`: Maintenance of the openDesk software components and minor configurational changes
+  - `docs`: Doing just documentation changes
+  - `fix`: Maintenance of the openDesk software components and minor configurational changes
   - `feat`: All changes that do not fall into the two categories above, especially
     - supplier deliverables and
     - configurational changes that have a significant impact on openDesk users or require migrations[^1]
@@ -185,21 +185,21 @@ gitGraph
     checkout "develop"
     commit id: "QA 'nightly develop'"
     commit id: "  "
-    branch "docu"
-    checkout "docu"
+    branch "docs"
+    checkout "docs"
     commit id: "Documentation commits" type: HIGHLIGHT
     checkout "develop"
-    merge "docu"
+    merge "docs"
     checkout "main"
     merge "develop" tag: "No release"
     checkout "develop"
     commit id: "   "
-    branch "mntn"
-    checkout "mntn"
+    branch "fix"
+    checkout "fix"
     commit id: "Maintenance commits" type: HIGHLIGHT
-    commit id: "QG 'mntn'" type: REVERSE
+    commit id: "QG 'fix'" type: REVERSE
     checkout "develop"
-    merge "mntn"
+    merge "fix"
     commit id: "QA 'release merge'" type: REVERSE
     checkout "main"
     merge "develop" tag: "Patch or minor release"
@@ -231,7 +231,7 @@ The Standard Quality Gate addresses quality assurance steps that should be execu
 1. Linting
    - Blocking
      - Licensing: [reuse](https://github.com/fsfe/reuse-tool)
-     - openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in the [development](./development.md) docu
+     - openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in [development.md](./development.md).
    - Non Blocking
      - Security: [Kyverno policy check](../.kyverno) addressing some IT-Grundschutz requirements
      - Formal: Yaml
@@ -277,8 +277,8 @@ This section will explain the workflow for each branch (type) based on the Gitfl
 
 - `QA 'nightly main'`: Execute the SQG based on the most recent release. The upgrade test environment should be a long-standing environment that only gets built from scratch with the previous technical release when something breaks the environment.
 - Merge points: We are using the [Semantic Release convention](https://github.com/semantic-release/semantic-release) which itself is based on the [Semantic Versioning (SemVer) notation](https://semver.org) to automatically create technical releases on the merge points.
-  - "No release": When a merge from `develop` includes only changes from `docu` branches the merge into `main` will only consist of `docs` or `chore` commits. No new release will be generated by that merge.
-  - "Patch or minor release": When changes from `mntn` branches get merged these might contain `fix` or `feat` commits causing a new technical release to be built with an updated version on Patch or Minor level.
+  - "No release": When a merge from `develop` includes only changes from `docs` branches the merge into `main` will only consist of `docs` or `chore` commits. No new release will be generated by that merge.
+  - "Patch or minor release": When changes from `fix` branches get merged these might contain `fix` or `feat` commits causing a new technical release to be built with an updated version on Patch or Minor level.
   - "Minor or major release": When changes from `feat` branches get merged these might contain `feat` commits even with breaking changes, causing a technical release to be built with an updated version on Minor or Major level.
 - "Manual Functional Release Activities": Technical releases are loosely coupled to functional releases. The additional activities for a functional release select an existing technical release as a basis to generate the artifacts required for a functional release, for example:
   - Conduct additional manual explorative and regression tests.
@@ -289,19 +289,19 @@ This section will explain the workflow for each branch (type) based on the Gitfl
 - `QA 'nightly develop'`: Follows the same approach as `QA 'nightly main'` - execute the SQG based in this case on the head revision of the `develop` branch.
 - `QA 'release merge'`: The Merge Request for this merge has to be created manually by members of the platform development team. It should document:
   - That the SQG was successfully executed upon the to-be merged state - it could be done explicitly or based on a `QA 'nightly develop'`
-  - In case of `mntn` changes that usually how no test automation: Changes have been verified by a member of the platform development team.
+  - In case of `fix` changes that usually how no test automation: Changes have been verified by a member of the platform development team.
   - That the changes have been reviewed by at least two members of the platform development team giving their approval on the Merge Request.
-- Merge points (from `docu`, `mntn`, and `feat` branches): No additional activity on these merge points as the QA is ensured before the merge in the just-named branch types.
+- Merge points (from `docs`, `fix`, and `feat` branches): No additional activity on these merge points as the QA is ensured before the merge in the just-named branch types.
 
-##### `docu`
+##### `docs`
 
-Branches of type `docu` only contain the commits themselves and have to adhere to the workflow basic fact that:
+Branches of type `docs` only contain the commits themselves and have to adhere to the workflow basic fact that:
 > All merges into `develop` or `main` require two approvals from the platform development team.
 
-##### `mntn`
+##### `fix`
 
-Besides the actual changes being committed in an `mntn` branch there is only the:
-- `QG 'mntn'`: In addition to validating the actual change the owner of the branch has to ensure the successful execution of the SQG.
+Besides the actual changes being committed in an `fix` branch there is only the:
+- `QG 'fix'`: In addition to validating the actual change the owner of the branch has to ensure the successful execution of the SQG.
 
 ##### `feat`
 
@@ -318,47 +318,29 @@ This branch type requires the most activities on top of the actual development:
 
 #### Branch names
 
-Branches created from the `develop` branch have to adhere to the following notation: `<party[-developer]>/<type>/<component>/<details>`:
+Branches created from the `develop` branch have to adhere to the following notation: `<type>/<responsible_developer>/<details>`:
 
-- `<party[-developer]>`: An identifier for the developing party optionally plus the name of the developer or team working on that branch. The following two-letter shorthand notations should be used for the owner:
-  - Suppliers
-    - `co`: Collabora
-    - `cp`: CryptPad
-    - `el`: Element
-    - `nc`: Nextcloud
-    - `nd`: Nordeck
-    - `op`: OpenProject
-    - `ox`: Open-Xchange
-    - `uv`: Univention
-    - `xw`: XWiki
-  - Other
-    - `pd`: (openDesk) Platform Development
-    - `xx`: Other, not one of the parties mentioned before
-
-- `<type>`: Based on the branch types described in this document valid values for type are
-  - `docu`
-  - `mntn`
+- `<type>`: From the list of branch types explained above:
+  - `docs`
+  - `fix`
   - `feat`
-
-- `<component>`: Valid components are
+- `<responsible_developer>`: Something that makes you identifiable as owner of the branch, e.g. the first letter of your first name followed by your family name.
+- `<details>`: A very short note about what is going to happen in the branch and ideally what component is affected from the following list of components:
   - `helmfile`
   - `ci`
-  - `cross-functional`
   - `docs`
   - `collabora`
   - `cryptpad`
   - `element`
   - `jitsi`
   - `nextcloud`
+  - `nubus`
   - `open-xchange`
   - `openproject`
   - `services`
-  - `univention-management-stack`
   - `xwiki`
 
-- `<details>`: A very short note about what is going to happen in the branch
-
-Example: `pd-tom/fix/open-xchange/bump_to_8.76`.
+Example: `feat/tmueller/bump_nextcloud_to_29.0.0`.
 
 **Note**: The above naming convention is not enforced yet, but please ensure you make use of it.
 
@@ -367,7 +349,7 @@ Example: `pd-tom/fix/open-xchange/bump_to_8.76`.
 Commit messages must adhere to the [Conventional Commit standard](https://www.conventionalcommits.org/en/v1.0.0/#summary). Commits that do not adhere to the standard get rejected by either [Gitlab push rules](https://docs.gitlab.com/ee/user/project/repository/push_rules.html) or the CI.
 
 ```text
-<type>(<scope>): [path/to/issue#1] <short summary>
+<type>(<scope>): [path/to/issue#1] <short summary>.
   │       │              │                │
   │       │              |                └─> Summary in present tense, sentence case, with no period at the end
   │       │              |
@@ -378,7 +360,7 @@ Commit messages must adhere to the [Conventional Commit standard](https://www.co
   └─> Commit Type: chore, ci, docs, feat, fix
 ```
 
-Example: `fix(univention-management-stack): Update standard session timeout of openDesk realm in Keycloak`
+Example: `fix(open-xchange): Bump to 8.26 to heal issue with functional mailbox provisioning.`
 
 **Beware**: The commit messages are an essential part of the [technical releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases) as the release's notes are generated from the messages.
 

helmfile/apps/collabora/values.yaml.gotmpl

@@ -17,11 +17,11 @@ fullnameOverride: "collabora"
 
 grafana:
   dashboards:
-    enabled: {{ .Values.grafana.dashboards.enabled }}
+    enabled: {{ .Values.monitoring.grafana.dashboards.enabled }}
     labels:
-      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.grafana.dashboards.labels | toYaml | nindent 6 }}
     annotations:
-      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
+      {{ .Values.monitoring.grafana.dashboards.annotations | toYaml | nindent 6 }}
 
 image:
   repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -88,13 +88,13 @@ podSecurityContext:
 
 prometheus:
   servicemonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
     labels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
   rules:
-    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
     additionalLabels:
-      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
 
 replicaCount: {{ .Values.replicas.collabora }}
 

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl

@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 configuration:
   username: "meetings-bot"

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 configuration:
   username: "uvs"

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -42,7 +42,7 @@ configuration:
         sender_localpart: intercom-service
 
     smtp:
-      senderAddress: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
       host: {{ .Values.smtp.host | quote }}
       port: {{ .Values.smtp.port }}
       username: {{ .Values.smtp.username | quote }}
@@ -52,6 +52,9 @@ configuration:
       clientId: "opendesk-matrix"
       clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
       issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
+      scopes:
+        - "openid"
+        - "opendesk-matrix-scope"
 
     turn:
       sharedSecret: {{ .Values.turn.credentials | quote }}
@@ -91,7 +94,7 @@ containerSecurityContext:
     {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
 
 federation:
-  enabled: {{ .Values.externalServices.matrix.federation.enabled }}
+  enabled: {{ .Values.functional.externalServices.matrix.federation.enabled }}
   ingress:
     host: "{{ .Values.global.hosts.synapseFederation }}.{{ .Values.global.domain }}"
     enabled: {{ .Values.ingress.enabled }}

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -27,7 +27,7 @@ containerSecurityContext:
     {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
 
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
 
 image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/migrations-post/helmfile-child.yaml

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # openDesk Migrations
+  # Source:
+  - name: "openproject-migrations-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.migrations.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"
+
+releases:
+  - name: "opendesk-migrations-post"
+    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    version: "{{ .Values.charts.migrations.version }}"
+    wait: true
+    waitForJobs: true
+    values:
+      - "values.yaml.gotmpl"
+      - "../../shared/migrations.yaml.gotmpl"
+    installed: {{ .Values.migrations.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-0"
+  component: "opendesk-migrations"
+...

helmfile/apps/migrations-post/helmfile.yaml

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/migrations-post/values.yaml.gotmpl

@@ -0,0 +1,8 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+migrations:
+  stage: "POST"
+...

helmfile/apps/migrations-pre/helmfile-child.yaml

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # openDesk Migrations
+  # Source:
+  - name: "openproject-migrations-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.migrations.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"
+
+releases:
+  - name: "opendesk-migrations-pre"
+    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    version: "{{ .Values.charts.migrations.version }}"
+    wait: true
+    waitForJobs: true
+    values:
+      - "values.yaml.gotmpl"
+      - "../../shared/migrations.yaml.gotmpl"
+    installed: {{ .Values.migrations.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-0"
+  component: "opendesk-migrations"
+...

helmfile/apps/migrations-pre/helmfile.yaml

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/migrations-pre/values.yaml.gotmpl

@@ -0,0 +1,8 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+migrations:
+  stage: "PRE"
+...

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -14,7 +14,7 @@ additionalAnnotations:
   intents.otterize.com/service-name: "opendesk-nextcloud-php"
 
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
 
 configuration:
   administrator:
@@ -35,6 +35,9 @@ configuration:
         value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
     host: {{ .Values.cache.nextcloud.host | quote }}
     port: {{ .Values.cache.nextcloud.port | quote }}
+  collabora:
+    # internalWopiUrl: ""
+    wopiAllowlist: {{ join " " .Values.cluster.networking.cidr | quote }}
   database:
     host: {{ .Values.databases.nextcloud.host | quote }}
     port: {{ .Values.databases.nextcloud.port | quote }}
@@ -78,13 +81,13 @@ configuration:
         value: {{ .Values.smtp.password | quote }}
     host: {{ .Values.smtp.host | quote }}
     port: {{ .Values.smtp.port | quote }}
-    fromAddress: {{ .Values.localpartNoReply | quote }}
+    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
     mailDomain: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
   quota:
-    default: "{{ .Values.filestore.quota.default }} GB"
+    default: "{{ .Values.functional.filestore.quota.default }} GB"
     retentionObligation:
-      trashbin: {{ .Values.filestore.nextcloud.retentionObligation.trashbin | quote }}
-      versions: {{ .Values.filestore.nextcloud.retentionObligation.versions | quote }}
+      trashbin: {{ .Values.functional.filestore.nextcloud.retentionObligation.trashbin | quote }}
+      versions: {{ .Values.functional.filestore.nextcloud.retentionObligation.versions | quote }}
 
   serverinfo:
     token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
@@ -106,7 +109,7 @@ containerSecurityContext:
     {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
 
 debug:
-  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -34,13 +34,13 @@ exporter:
     tag: {{ .Values.images.nextcloudExporter.tag | quote }}
   prometheus:
     serviceMonitor:
-      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
       labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
     prometheusRule:
-      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
       additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
   replicaCount: {{ .Values.replicas.nextcloudExporter }}
   resources:
     {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -66,6 +66,7 @@ php:
           value: "nextcloud_user"
         password:
           value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
+    trustedProxies: {{ join " " .Values.cluster.networking.cidr | quote }}
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -84,7 +85,7 @@ php:
   cron:
     successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
   debug:
-    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
     repository: "{{ .Values.images.nextcloudPHP.repository }}"
@@ -92,13 +93,13 @@ php:
     tag: {{ .Values.images.nextcloudPHP.tag | quote }}
   prometheus:
     serviceMonitor:
-      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
       labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
     prometheusRule:
-      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
       additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
   replicaCount: {{ .Values.replicas.nextcloudPHP }}
   resources:
     {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
@@ -107,6 +108,7 @@ apache2:
   configuration:
     php:
       host: "opendesk-nextcloud-php.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
+    trustedProxies: {{ join " " .Values.cluster.networking.cidr | quote }}
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -143,4 +145,5 @@ apache2:
   replicaCount: {{ .Values.replicas.nextcloudApache2 }}
   resources:
     {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
+
 ...

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -31,7 +31,7 @@ dovecot:
     introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
     introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
     usernameAttribute: "opendesk_username"
-  loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
+  loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
 
   submission:
     enabled: true

helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeBootstrap.registry | quote }}

helmfile/apps/openproject-bootstrap/values.yaml.gotmpl

@@ -11,8 +11,8 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 config:
   openproject:

helmfile/apps/openproject/values.yaml.gotmpl

@@ -67,7 +67,7 @@ environment:
   OPENPROJECT_SMTP__AUTHENTICATION: "plain"
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
-  OPENPROJECT_MAIL__FROM: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
+  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
   OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
@@ -132,7 +132,7 @@ openproject:
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     identifier: "opendesk-openproject"
     provider: "keycloak"
-    scope: "[openid,opendesk]"
+    scope: "[openid,opendesk-openproject-scope]"
     secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
     tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
     userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"

helmfile/apps/services/values-certificates.yaml.gotmpl

@@ -12,7 +12,7 @@ issuerRef:
   name: {{ .Values.certificate.issuerRef.name | quote }}
 
 cleanup:
-  keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
+  keepRessourceOnDelete: {{ .Values.debug.cleanup.keepRessourceOnDelete }}
 
 wildcard: {{ .Values.certificate.wildcard }}
 ...

helmfile/apps/services/values-mariadb.yaml.gotmpl

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -67,9 +67,9 @@ mode: {{ if gt .Values.replicas.minio 1 }}"distributed"{{ else }}"standalone"{{
 
 metrics:
   serviceMonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
     additionalLabels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
 
 networkPolicy:
   enabled: false

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -51,7 +51,7 @@ postfix:
         - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
   rspamdHost: ""
   relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
-  relayNets: {{ .Values.cluster.networking.cidr | quote}}
+  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
   smtpSASLAuthEnable: "yes"
   smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
   smtpUseTLS: "yes"

helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -17,10 +17,15 @@ image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 config:
+  custom:
+    clientScopes:
+      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
+    clients:
+      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
   keycloak:
     adminUser: "kcadmin"
     adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -29,14 +34,20 @@ config:
       enabled: true
       internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
   twoFactorSettings:
-    additionalGroups: {{ .Values.authentication.twoFactor.groups }}
-  custom:
+    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
+  opendesk:
+    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
+    # to LDAP group membership to ensure a user cannot access an application without the required
+    # group membership.
+    # ToDo:
+    # - Jitsi does currently not care if it gets scopes/claims as long as the user is authenticated.
     clientScopes:
       - name: "read_contacts"
         protocol: "openid-connect"
       - name: "write_contacts"
         protocol: "openid-connect"
-      - name: "opendesk"
+      - name: "opendesk-openproject-scope"
+        description: "Scope for the claims required by openDesk's OpenProject instance."
         protocol: "openid-connect"
         protocolMappers:
           - name: "opendesk_useruuid"
@@ -61,6 +72,306 @@ config:
               access.token.claim: true
               claim.name: "opendesk_username"
               jsonType.label: "String"
+          - name: "opendeskProjectmanagementAdmin"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "opendeskProjectmanagementAdmin"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "openproject_admin"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "given name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "firstName"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "given_name"
+              jsonType.label: "String"
+          - name: "family name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "lastName"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "family_name"
+              jsonType.label: "String"
+      - name: "opendesk-jitsi-scope"
+        description: "Scope for the claims required by openDesk's Jitsi instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-nextcloud-scope"
+        description: "Scope for the claims required by openDesk's Nextcloud instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "context"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "oxContextIDNum"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "context"
+              jsonType.label: "String"
+      - name: "opendesk-matrix-scope"
+        description: "Scope for the claims required by openDesk's Matrix instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-xwiki-scope"
+        description: "Scope for the claims required by openDesk's XWiki instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-dovecot-scope"
+        description: "Scope for the claims required by openDesk's Dovecot instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+      - name: "opendesk-oxappsuite-scope"
+        description: "Scope for the claims required by openDesk's OX Appuite instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "context"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "oxContextIDNum"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "context"
+              jsonType.label: "String"
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
     clients:
       - name: "opendesk-dovecot"
         clientId: "opendesk-dovecot"
@@ -74,7 +385,7 @@ config:
         attributes:
           backchannel.logout.session.required: false
         defaultClientScopes:
-          - "opendesk"
+          - "opendesk-dovecot-scope"
       - name: "opendesk-intercom"
         clientId: "opendesk-intercom"
         protocol: "openid-connect"
@@ -128,7 +439,6 @@ config:
               claim.name: "phoenixusername"
               jsonType.label: "String"
         defaultClientScopes:
-          - "opendesk"
           - "offline_access"
       - name: "opendesk-jitsi"
         clientId: "opendesk-jitsi"
@@ -142,8 +452,7 @@ config:
         fullScopeAllowed: true
         authorizationServicesEnabled: false
         defaultClientScopes:
-          - "opendesk"
-          - "profile"
+          - "opendesk-jitsi-scope"
       - name: "opendesk-matrix"
         clientId: "opendesk-matrix"
         protocol: "openid-connect"
@@ -165,12 +474,9 @@ config:
           backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
-          - "opendesk"
-        optionalClientScopes:
-          - "email"
-          - "profile"
-        # This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
-        # is solved and also is able to use "opendesk-matrix" we keep that dummy client that
+          - "opendesk-matrix-scope"
+      # The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID.
+      # Unless that is solved and also is able to use "opendesk-matrix" we keep that dummy client that
       - name: "matrix"
         clientId: "matrix"
         protocol: "openid-connect"
@@ -183,6 +489,8 @@ config:
         authorizationServicesEnabled: false
         attributes:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes: []
+        optionalClientScopes: []
       - name: "opendesk-nextcloud"
         clientId: "opendesk-nextcloud"
         protocol: "openid-connect"
@@ -199,21 +507,8 @@ config:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "context"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "oxContextIDNum"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "context"
-              jsonType.label: "String"
         defaultClientScopes:
-          - "opendesk"
-          - "email"
+          - "opendesk-nextcloud-scope"
           - "read_contacts"
           - "write_contacts"
       - name: "opendesk-openproject"
@@ -233,22 +528,8 @@ config:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "opendeskProjectmanagementAdmin"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "opendeskProjectmanagementAdmin"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "openproject_admin"
-              jsonType.label: "String"
         defaultClientScopes:
-          - "opendesk"
-          - "email"
-          - "profile"
+          - "opendesk-openproject-scope"
       - name: "opendesk-oxappsuite"
         clientId: "opendesk-oxappsuite"
         protocol: "openid-connect"
@@ -265,20 +546,8 @@ config:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "context"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "oxContextIDNum"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "context"
-              jsonType.label: "String"
         defaultClientScopes:
-          - "opendesk"
+          - "opendesk-oxappsuite-scope"
           - "read_contacts"
           - "write_contacts"
       - name: "opendesk-xwiki"
@@ -298,10 +567,7 @@ config:
           backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
-          - "opendesk"
-          - "address"
-          - "email"
-          - "profile"
+          - "opendesk-xwiki-scope"
       - name: "guardian-management-api"
         clientId: "guardian-management-api"
         rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -505,7 +771,6 @@ config:
               claim.name: "dn"
               jsonType.label: "String"
         defaultClientScopes:
-          - "opendesk"
           - "web-origins"
           - "acr"
           - "roles"
@@ -594,7 +859,6 @@ config:
               access.token.claim: true
               userinfo.token.claim: false
 
-
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:

helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl

@@ -674,7 +674,7 @@ stack-data-swp:
 
   stackDataSwp:
     udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-    {{- if .Values.admin.portal.deploymentInformation.enabled }}
+    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
     systemInformation:
       deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
       releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
@@ -1062,8 +1062,8 @@ keycloak-bootstrap:
     imagePullPolicy: {{ .Values.global.imagePullPolicy }}
 
   cleanup:
-    deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-    keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+    deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+    keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
   keycloak:
     connection:
@@ -1172,7 +1172,7 @@ keycloak-extensions:
       ipProtectionEnable: true
       logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
       newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      mailFrom: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
@@ -1319,7 +1319,7 @@ stack-gateway:
       proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
 
 
-      {{ if .Values.externalServices.nubus.udmRestApi.enabled }}
+      {{ if .Values.functional.externalServices.nubus.udmRestApi.enabled }}
       ## udm-rest-api
       location /univention/udm/ {
         # The UDM Rest API does return on some endpoints a lot of headers

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -60,14 +60,19 @@ customConfigs:
     xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
     ## Allow short update cycles of the LDAP group cache
     xwiki.authentication.ldap.groupcache_expiration: 300
+    ## Mapping for XWiki attributes to the respective LDAP attributes
+    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
 
   xwiki.properties:
+    wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
+    wikiInitializer.initialRequest.xwiki.contextPath: "/"
+    wikiInitializer.initialRequest.xwiki.remoteAddress: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
     oidc.clientid: "opendesk-xwiki"
     oidc.endpoint.token.auth_method: "client_secret_basic"
     oidc.endpoint.userinfo.method: "GET"
     oidc.logoutMechanism: "rpInitiated"
     oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
-    oidc.scope: "openid,profile,email,address,opendesk"
+    oidc.scope: "openid,opendesk-xwiki-scope"
     oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
     oidc.skipped: false
     oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
@@ -82,6 +87,7 @@ customConfigs:
     workplaceServices.base: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
     workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
     openoffice.serverType: "0"
+    notifications.emails.live.graceTime: "5"
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}
@@ -127,8 +133,11 @@ properties:
   "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvg | b64enc }}"
   "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
   "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
   ## SMTP settings
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ .Values.smtp.host | quote }}
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": {{ .Values.smtp.port | quote }}
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ .Values.smtp.username | quote }}
@@ -158,7 +167,7 @@ properties:
   "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
   ## Fields to search in when importing users from the administration UI (not completely in scope for now)
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
-    "sn,givenname,uid"
+    "sn,givenname,uid,mailPrimaryAddress"
   ## Restrict user import in the UI to global administrators
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
   ## Enable group and user synchronization

helmfile/environments/default/charts.yaml

@@ -46,7 +46,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
-    version: "1.1.17"
+    version: "1.1.20"
     verify: true
   cryptpad:
     # providerCategory: "Supplier"
@@ -192,6 +192,16 @@ charts:
     name: "memcached"
     version: "6.7.1"
     verify: true
+  migrations:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-migrations"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
+    name: "opendesk-migrations"
+    version: "1.0.1"
+    verify: true
   minio:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -210,7 +220,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "2.1.0"
+    version: "3.0.0"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -220,7 +230,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "2.1.0"
+    version: "3.0.0"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -240,7 +250,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "1.1.0"
+    version: "2.1.0"
     verify: true
   openproject:
     # providerCategory: "Supplier"
@@ -252,7 +262,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
-    version: "5.3.0"
+    version: "7.0.0"
     verify: true
   openprojectBootstrap:
     # providerCategory: "Platform"

helmfile/environments/default/cluster.yaml

@@ -15,8 +15,9 @@ cluster:
   networking:
     # Kubernetes internal cluster domain.
     domain: "cluster.local"
-    # Kubernetes cluster network CIDR.
-    cidr: "10.0.0.0/8"
+    # Kubernetes cluster network CIDRs.
+    cidr:
+      - "10.0.0.0/8"
     # Ingress-gateway IP - only relevant for "NodePort" cluster services.
     # When ingress and egress gateway use different ips, which results that pods can't self-discover their incoming ip,
     # you need to provide the public (load-balanced) ingress gateways ip address.

helmfile/environments/default/debug.yaml

@@ -1,16 +1,16 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-cleanup:
-  # Keep Pods/Job logs after successful run.
-  deletePodsOnSuccess: true
-  # When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
-  deletePodsOnSuccessTimeout: 60
-  # Keep persistence on deletion of this release.
-  keepPVCOnDelete: false
-  # Keep additional resources, like certificates on deletion of this release.
-  keepRessourceOnDelete: true
 debug:
+  cleanup:
+    # Keep Pods/Job logs after successful run.
+    deletePodsOnSuccess: true
+    # When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
+    deletePodsOnSuccessTimeout: 60
+    # Keep persistence on deletion of this release.
+    keepPVCOnDelete: false
+    # Keep additional resources, like certificates on deletion of this release.
+    keepRessourceOnDelete: true
   # should activate debug output in all components and even allow e.g. successfully executed jobs
   # to stay available. This is going to be implemented on a case by case basis when we actually
   # need debugging in a component.

helmfile/environments/default/functional.yaml

@@ -1,43 +1,49 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-authentication:
-  twoFactor:
-    # Define a list of groups to enable 2FA for.
-    # Note: Removing a group from the list will not disable 2FA for the removed group.
-    groups:
-      - "Domain Admins"
+functional:
+  admin:
+    portal:
+      deploymentInformation:
+        # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
+        enabled: true
 
-externalServices:
-  nubus:
-    udmRestApi:
-      # Enable to make the UDM REST API from the Nubus stack externally available.
-      enabled: false
-  matrix:
-    federation:
-      # Disable to not support Matrix federation with your installation.
-      enabled: true
+  authentication:
+    twoFactor:
+      # Define a list of groups to enable 2FA for.
+      # Note: Removing a group from the list will not disable 2FA for the removed group.
+      groups:
+        - "Domain Admins"
+    oidc:
+      # Define additional/custom OIDC clients to be created in the 'opendesk' realm of Keycloak.
+      clients: ~
+      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm of Keycloak.
+      clientScopes: ~
 
-admin:
-  portal:
-    deploymentInformation:
-      # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
-      enabled: true
+  externalServices:
+    nubus:
+      udmRestApi:
+        # Enable to make the UDM REST API from the Nubus stack externally available.
+        enabled: false
+    matrix:
+      federation:
+        # Disable to not support Matrix federation with your installation.
+        enabled: true
 
-filestore:
-  quota:
-    # Set the default quota for all users in GB
-    default: 1
-  # Nextcloud specific configuration
-  nextcloud:
-    retentionObligation:
-      # yamllint disable rule:line-length
-      # Set Nextcloud's `trashbin_retention_obligation`
-      # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
-      trashbin: "auto"
-      # Set Nextcloud's `versions_retention_obligation`
-      # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
-      versions: "auto"
-      # yamllint enable rule:line-length
+  filestore:
+    quota:
+      # Set the default quota for all users in GB
+      default: 1
+    # Nextcloud specific configuration
+    nextcloud:
+      retentionObligation:
+        # yamllint disable rule:line-length
+        # Set Nextcloud's `trashbin_retention_obligation`
+        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
+        trashbin: "auto"
+        # Set Nextcloud's `versions_retention_obligation`
+        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
+        versions: "auto"
+        # yamllint enable rule:line-length
 
 ...

helmfile/environments/default/global.generated.yaml

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.8.1"
+    releaseVersion: "v0.9.0"
 ...

helmfile/environments/default/global.gotmpl

@@ -23,4 +23,39 @@ global:
   #
   helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}
   imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | quote }}
+
+  ## Define ingress/virtualservice host.
+  #
+  hosts:
+    collabora: "collabora"
+    cryptpad: "cryptpad"
+    element: "chat"
+    intercomService: "ics"
+    jitsi: "meet"
+    keycloak: "id"
+    matrixNeoBoardWidget: "matrix-neoboard-widget"
+    matrixNeoChoiceWidget: "matrix-neochoice-widget"
+    matrixNeoDateFixBot: "matrix-neodatefix-bot"
+    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
+    minioApi: "minio"
+    minioConsole: "minio-console"
+    nextcloud: "fs"
+    openproject: "project"
+    openxchange: "webmail"
+    synapse: "matrix"
+    synapseFederation: "matrix-federation"
+    univentionManagementStack: "portal"
+    whiteboard: "whiteboard"
+    xwiki: "wiki"
+
+  ## Credentials to fetch images from private registry
+  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  #
+  imagePullSecrets:
+    - "external-registry"
+
+  ## Define the policy to pull container images.
+  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+  #
+  imagePullPolicy: "IfNotPresent"
 ...

helmfile/environments/default/global.yaml

@@ -1,42 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
----
-## The global properties are used to configure multiple charts at once.
-#
-global:
-  ## Define ingress/virtualservice host.
-  #
-  hosts:
-    collabora: "collabora"
-    cryptpad: "cryptpad"
-    element: "chat"
-    intercomService: "ics"
-    jitsi: "meet"
-    keycloak: "id"
-    matrixNeoBoardWidget: "matrix-neoboard-widget"
-    matrixNeoChoiceWidget: "matrix-neochoice-widget"
-    matrixNeoDateFixBot: "matrix-neodatefix-bot"
-    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
-    minioApi: "minio"
-    minioConsole: "minio-console"
-    nextcloud: "fs"
-    openproject: "project"
-    openxchange: "webmail"
-    synapse: "matrix"
-    synapseFederation: "matrix-federation"
-    univentionManagementStack: "portal"
-    whiteboard: "whiteboard"
-    xwiki: "wiki"
-
-  ## Credentials to fetch images from private registry
-  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  #
-  imagePullSecrets:
-    - "external-registry"
-
-  ## Define the policy to pull container images.
-  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
-  #
-  imagePullPolicy: "IfNotPresent"
-...

helmfile/environments/default/images.yaml

@@ -20,7 +20,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.4.2.1@sha256:268b586d48848958f9a0329f1ce6849f842d1ab2413a3c45ddf2f2dd249efc9a"
+    tag: "24.04.5.2.1@sha256:583f3764661fdce99c5a97019b732db1bed9f9b333d70640ac99a6953c493666"
   cryptpad:
     # providerCategory: "Supplier"
     # providerResponsible: "XWiki"
@@ -198,6 +198,14 @@ images:
     registry: "registry-1.docker.io"
     repository: "bitnami/memcached"
     tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
+  migrations:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
+    tag: "1.0.2@sha256:fbe21b4e2a276d2c5d052c1bb52158debfcc146188e654661001d4ff45b1b453"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -221,7 +229,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.21@sha256:ec63d564eb11d7ed213a5ef8719f2b3380e552f1ffb1251470b84c0c8937b7b8"
+    tag: "1.1.24@sha256:c9222da8be7af12c9076b41d1a14e019725afc075e1aaa2b727be21c1bf45f10"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -237,7 +245,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.4.0@sha256:a54aa29220569c6e8367996429851d5880b2d93afd37180f3ea0bccf6df8c2c5"
+    tag: "1.4.4@sha256:b70c159d6a1827748ca1f8fe0b9fd5b011eaed8719172105e1e9c8b8d776cf97"
   nextcloudPHP:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -245,7 +253,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.9.0@sha256:425e2bc1e18a6e5b8cb2d4ec103353b2d7af4211d93bef062ff9752a1cb168d8"
+    tag: "1.10.3@sha256:e659ab95d0d3a33d4937354449c12fa46fe2669a866bbf432a9d729bed6d54f7"
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -253,7 +261,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.0.5@sha256:76ccd9a74ae2c2dabb6beaa0192c15b9c06763abbd632cd0f8db68e5d8d5883c"
+    tag: "1.2.0@sha256:3b364c60bedb9ae001c39cbf84e4b4b326b9559078f21bfc993cf0e601196e6f"
   openproject:
     # providerCategory: "Supplier"
     # providerResponsible: "OpenProject"
@@ -263,7 +271,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "14.2.0@sha256:b4ea55b925de4fc8760ccf30268f0a2d472c4204bd4fc512720e8757489335d6"
+    tag: "14.3.0@sha256:922621b394c1a60e1c427b866284ac636b35717f03bde89302131ad369fbf9ad"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"

helmfile/environments/default/monitoring.yaml

@@ -1,25 +1,25 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-prometheus:
-  serviceMonitors:
-    enabled: false
-    labels:
-      release: "kube-prometheus-stack"
-  podMonitors:
-    enabled: false
-    labels:
-      release: "kube-prometheus-stack"
-  prometheusRules:
-    enabled: false
-    labels:
-      release: "kube-prometheus-stack"
+monitoring:
+  prometheus:
+    serviceMonitors:
+      enabled: false
+      labels:
+        release: "kube-prometheus-stack"
+    podMonitors:
+      enabled: false
+      labels:
+        release: "kube-prometheus-stack"
+    prometheusRules:
+      enabled: false
+      labels:
+        release: "kube-prometheus-stack"
 
-
-grafana:
-  dashboards:
-    enabled: false
-    labels:
-      grafana_dashboard: "1"
-    annotations:
+  grafana:
+    dashboards:
+      enabled: false
+      labels:
+        grafana_dashboard: "1"
+      annotations:
 ...

helmfile/environments/default/objectstores.yaml

@@ -1,7 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 objectstores:
   migrations:

helmfile/environments/default/opendesk_main.gotmpl

@@ -0,0 +1,76 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+#
+# Note: Currently only single namespace deployments are supported.
+---
+certificates:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+clamavDistributed:
+  enabled: false
+  namespace: {{ env "NAMESPACE" | quote }}
+clamavSimple:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+collabora:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+cryptpad:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+dovecot:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+element:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+home:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+intercom:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+jitsi:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+mariadb:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+memcached:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+migrations:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+minio:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+nextcloud:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+openproject:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+oxAppsuite:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+oxConnector:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+postfix:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+postgresql:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+redis:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+univentionManagementStack:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+xwiki:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+...

helmfile/environments/default/resources.yaml

@@ -69,10 +69,11 @@ resources:
     requests:
       cpu: 0.1
       memory: "384Mi"
+  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
   jicofo:
     limits:
       cpu: 99
-      memory: "512Mi"
+      memory: "3584Mi"
     requests:
       cpu: 0.1
       memory: "256Mi"
@@ -90,10 +91,11 @@ resources:
     requests:
       cpu: "10m"
       memory: "48Mi"
+  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
   jvb:
     limits:
       cpu: 99
-      memory: "768Mi"
+      memory: "3584Mi"
     requests:
       cpu: 0.1
       memory: "384Mi"

helmfile/environments/default/selinux.yaml

@@ -30,6 +30,7 @@ seLinuxOptions:
   matrixNeoDateFixWidget: ~
   matrixUserVerificationService: ~
   memcached: ~
+  migrations: ~
   milter: ~
   minio: ~
   nextcloudApache2: ~

helmfile/environments/default/smtp.gotmpl

@@ -8,6 +8,5 @@ smtp:
   port: 587
   username: ""
   password: {{ env "SMTP_PASSWORD" | quote }}
-
-localpartNoReply: "no-reply"
+  localpartNoReply: "no-reply"
 ...

helmfile/environments/default/workplace.yaml

@@ -1,49 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-certificates:
-  enabled: true
-clamavDistributed:
-  enabled: false
-clamavSimple:
-  enabled: true
-collabora:
-  enabled: true
-cryptpad:
-  enabled: true
-dovecot:
-  enabled: true
-element:
-  enabled: true
-home:
-  enabled: true
-intercom:
-  enabled: true
-jitsi:
-  enabled: true
-mariadb:
-  enabled: true
-memcached:
-  enabled: true
-minio:
-  enabled: true
-nextcloud:
-  enabled: true
-openproject:
-  enabled: true
-oxAppsuite:
-  enabled: true
-oxConnector:
-  enabled: true
-postfix:
-  enabled: true
-postgresql:
-  enabled: true
-redis:
-  enabled: true
-univentionManagementStack:
-  enabled: true
-xwiki:
-  enabled: true
-...

helmfile/shared/migrations.yaml.gotmpl

@@ -0,0 +1,59 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
+
+migrations:
+  runId: 1
+  currentOdRelease: {{ .Values.global.systemInformation.releaseVersion | quote }}
+  namespace: {{ .Values.migrations.namespace | quote }}
+  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  failOnUnexpectedState: true
+  credentials:
+    keycloakAdminUsername: "kcadmin"
+    keycloakAdminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+  urls:
+    keycloakBase: "http://ums-keycloak.{{ .Values.univentionManagementStack.namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.migrations | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.migrations.registry | quote }}
+  repository: {{ .Values.images.migrations.repository | quote }}
+  tag: {{ .Values.images.migrations.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
+
+job:
+  enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
+
+...

helmfile_generic.yaml

@@ -6,11 +6,13 @@
 #
 helmfiles:
   # Path to the helmfile state file being processed BEFORE releases in this state file
-  - path: "helmfile/apps/services/helmfile-child.yaml"
+  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml"
     values: &values
       - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/default/*.gotmpl"
       - {{ toYaml .Values | nindent 8 }}
+  - path: "helmfile/apps/services/helmfile-child.yaml"
+    values: *values
   - path: "helmfile/apps/univention-management-stack/helmfile-child.yaml"
     values: *values
   - path: "helmfile/apps/intercom-service/helmfile-child.yaml"
@@ -35,5 +37,7 @@ helmfiles:
     values: *values
   - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml"
     values: *values
+  - path: "helmfile/apps/migrations-post/helmfile-child.yaml"
+    values: *values
 missingFileHandler: "Error"
 ...