feat(element): Featuretoggle for presence propagation

feat(element): Reduced presence values to one for all presence features
feat(element): Default for Element status disabled
2025-12-07 16:01:37 +01:00 · 2024-07-31 08:24:43 +02:00 · 2024-07-30 16:09:29 +02:00 · 2024-07-30 15:00:25 +02:00 · 2024-07-30 13:26:02 +02:00 · 2024-07-30 12:20:57 +02:00
41 changed files with 834 additions and 295 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -36,9 +36,11 @@ stages:
  - "env-cleanup"
  - "env"
  - "pre-services-deploy"
+  - "migrations-pre"
  - "basic-services-deploy"
  - "component-deploy-stage-1"
  - "component-deploy-stage-2"
+  - "migrations-post"
  - "lint"
  - "tests"
  - "env-stop"
@@ -77,6 +79,12 @@ variables:
    options:
      - "yes"
      - "no"
+  DEPLOY_MIGRATIONS:
+    description: "Deploy K8s job for migrations (pre & post)."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
  DEPLOY_SERVICES:
    description: "Enable Service deployment."
    value: "no"
@@ -208,6 +216,7 @@ env-cleanup:
        done
        kubectl delete pvc --all --namespace ${NAMESPACE};
        kubectl delete jobs --all --namespace ${NAMESPACE};
+        kubectl delete configmaps --all --namespace ${NAMESPACE};
      else
        helmfile destroy --namespace ${NAMESPACE};
      fi
@@ -250,6 +259,30 @@ policies-deploy:
    COMPONENT: "services"
    ADDITIONAL_ARGS: "-l name=opendesk-otterize"

+migrations-pre:
+  stage: "migrations-pre"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "migrations-pre"
+
+migrations-post:
+  stage: "migrations-post"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "migrations-post"
+
 services-deploy:
  stage: "basic-services-deploy"
  extends: ".deploy-common"
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [14.2.0](https://www.openproject.org/docs/release-notes/14-2-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9457](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9457) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.4.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.5.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |

 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/docs/enhanced-configuration/matrix-federation.md
+++ b/docs/enhanced-configuration/matrix-federation.md
@@ -37,10 +37,11 @@ If not used it is also set to `opendesk.domain.tld`.
 The following setting can disable federation:

 ```yaml
-externalServices:
-  matrix:
-    federation:
-      enabled: false
+functional:
+  externalServices:
+    matrix:
+      federation:
+        enabled: false
 ```

 ## Separate Matrix domain
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0

 * [Disclaimer](#disclaimer)
 * [From v0.8.1](#from-v081)
+  * [Updated customizable template attributes](#updated-customizable-template-attributes)
  * [`migrations` S3 bucket](#migrations-s3-bucket)

 # Disclaimer
@@ -17,7 +18,16 @@ Though we try to ease the pain when it comes to 0.x upgrades. That is what this

 # From v0.8.1

+## Updated customizable template attributes
+
+- Action: Please ensure you update you custom deployment values according with the updated default value structure.
+- References:
+  - `functional.` prefix for `authentication.*`, `externalServices.*`, `admin.*` and `filestore.*`, see [functional.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/functional.yaml).
+  - `debug.` prefix for `cleanup.*`, see [debug.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/debug.yaml).
+  - `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
+  - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
+
 ## `migrations` S3 bucket

- Commit: [1e834fee](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/commit/1e834fee9db6bdb948f31c994d5ab309e6f86947)
- Action: Please ensure you add a bucket `migrations` to your S3.
+- Action: For self managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
+- Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -17,11 +17,11 @@ fullnameOverride: "collabora"

 grafana:
  dashboards:
-    enabled: {{ .Values.grafana.dashboards.enabled }}
+    enabled: {{ .Values.monitoring.grafana.dashboards.enabled }}
    labels:
-      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.grafana.dashboards.labels | toYaml | nindent 6 }}
    annotations:
-      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
+      {{ .Values.monitoring.grafana.dashboards.annotations | toYaml | nindent 6 }}

 image:
  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -88,13 +88,13 @@ podSecurityContext:

 prometheus:
  servicemonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
    labels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
  rules:
-    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
    additionalLabels:
-      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 6 }}

 replicaCount: {{ .Values.replicas.collabora }}

--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}

 configuration:
  username: "meetings-bot"
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}

 configuration:
  username: "uvs"
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -40,9 +40,14 @@ configuration:
              regex: "@.*"
        url: null
        sender_localpart: intercom-service
+    use_presence: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
+    presence: 
+      enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
+    
+    

    smtp:
-      senderAddress: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
      host: {{ .Values.smtp.host | quote }}
      port: {{ .Values.smtp.port }}
      username: {{ .Values.smtp.username | quote }}
@@ -52,6 +57,9 @@ configuration:
      clientId: "opendesk-matrix"
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
+      scopes:
+        - "openid"
+        - "opendesk-matrix-scope"

    turn:
      sharedSecret: {{ .Values.turn.credentials | quote }}
@@ -91,7 +99,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}

 federation:
-  enabled: {{ .Values.externalServices.matrix.federation.enabled }}
+  enabled: {{ .Values.functional.externalServices.matrix.federation.enabled }}
  ingress:
    host: "{{ .Values.global.hosts.synapseFederation }}.{{ .Values.global.domain }}"
    enabled: {{ .Values.ingress.enabled }}
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -27,7 +27,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}

 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/migrations-post/helmfile-child.yaml
+++ b/helmfile/apps/migrations-post/helmfile-child.yaml
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # openDesk Migrations
+  # Source:
+  - name: "openproject-migrations-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.migrations.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"
+
+releases:
+  - name: "opendesk-migrations-post"
+    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    version: "{{ .Values.charts.migrations.version }}"
+    wait: true
+    waitForJobs: true
+    values:
+      - "values.yaml.gotmpl"
+      - "../../shared/migrations.yaml.gotmpl"
+    installed: {{ .Values.migrations.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-0"
+  component: "opendesk-migrations"
+...
--- a/helmfile/apps/migrations-post/helmfile.yaml
+++ b/helmfile/apps/migrations-post/helmfile.yaml
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/migrations-post/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/values.yaml.gotmpl
@@ -0,0 +1,8 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+migrations:
+  stage: "POST"
+...
--- a/helmfile/apps/migrations-pre/helmfile-child.yaml
+++ b/helmfile/apps/migrations-pre/helmfile-child.yaml
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # openDesk Migrations
+  # Source:
+  - name: "openproject-migrations-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.migrations.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"
+
+releases:
+  - name: "opendesk-migrations-pre"
+    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    version: "{{ .Values.charts.migrations.version }}"
+    wait: true
+    waitForJobs: true
+    values:
+      - "values.yaml.gotmpl"
+      - "../../shared/migrations.yaml.gotmpl"
+    installed: {{ .Values.migrations.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-0"
+  component: "opendesk-migrations"
+...
--- a/helmfile/apps/migrations-pre/helmfile.yaml
+++ b/helmfile/apps/migrations-pre/helmfile.yaml
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/migrations-pre/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/values.yaml.gotmpl
@@ -0,0 +1,8 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+migrations:
+  stage: "PRE"
+...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -14,7 +14,7 @@ additionalAnnotations:
  intents.otterize.com/service-name: "opendesk-nextcloud-php"

 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}

 configuration:
  administrator:
@@ -78,13 +78,13 @@ configuration:
        value: {{ .Values.smtp.password | quote }}
    host: {{ .Values.smtp.host | quote }}
    port: {{ .Values.smtp.port | quote }}
-    fromAddress: {{ .Values.localpartNoReply | quote }}
+    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
    mailDomain: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
  quota:
-    default: "{{ .Values.filestore.quota.default }} GB"
+    default: "{{ .Values.functional.filestore.quota.default }} GB"
    retentionObligation:
-      trashbin: {{ .Values.filestore.nextcloud.retentionObligation.trashbin | quote }}
-      versions: {{ .Values.filestore.nextcloud.retentionObligation.versions | quote }}
+      trashbin: {{ .Values.functional.filestore.nextcloud.retentionObligation.trashbin | quote }}
+      versions: {{ .Values.functional.filestore.nextcloud.retentionObligation.versions | quote }}

  serverinfo:
    token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
@@ -106,7 +106,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}

 debug:
-  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}

 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -34,13 +34,13 @@ exporter:
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
  prometheus:
    serviceMonitor:
-      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
    prometheusRule:
-      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -84,7 +84,7 @@ php:
  cron:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
-    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
    repository: "{{ .Values.images.nextcloudPHP.repository }}"
@@ -92,13 +92,13 @@ php:
    tag: {{ .Values.images.nextcloudPHP.tag | quote }}
  prometheus:
    serviceMonitor:
-      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
      labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
    prometheusRule:
-      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
  replicaCount: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}

 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeBootstrap.registry | quote }}
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -11,8 +11,8 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}

 config:
  openproject:
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -67,7 +67,7 @@ environment:
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
-  OPENPROJECT_MAIL__FROM: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
+  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
@@ -132,7 +132,7 @@ openproject:
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    identifier: "opendesk-openproject"
    provider: "keycloak"
-    scope: "[openid,opendesk]"
+    scope: "[openid,opendesk-openproject-scope]"
    secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
    tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
    userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -12,7 +12,7 @@ issuerRef:
  name: {{ .Values.certificate.issuerRef.name | quote }}

 cleanup:
-  keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
+  keepRessourceOnDelete: {{ .Values.debug.cleanup.keepRessourceOnDelete }}

 wildcard: {{ .Values.certificate.wildcard }}
 ...
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -67,9 +67,9 @@ mode: {{ if gt .Values.replicas.minio 1 }}"distributed"{{ else }}"standalone"{{

 metrics:
  serviceMonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
    additionalLabels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}

 networkPolicy:
  enabled: false
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -17,10 +17,15 @@ image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}

 config:
+  custom:
+    clientScopes:
+      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
+    clients:
+      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
  keycloak:
    adminUser: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -29,14 +34,20 @@ config:
      enabled: true
      internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
  twoFactorSettings:
-    additionalGroups: {{ .Values.authentication.twoFactor.groups }}
-  custom:
+    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
+  opendesk:
+    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
+    # to LDAP group membership to ensure a user cannot access an application without the required
+    # group membership.
+    # ToDo:
+    # - Jitsi does currently not care if it gets scopes/claims as long as the user is authenticated.
    clientScopes:
      - name: "read_contacts"
        protocol: "openid-connect"
      - name: "write_contacts"
        protocol: "openid-connect"
-      - name: "opendesk"
+      - name: "opendesk-openproject-scope"
+        description: "Scope for the claims required by openDesk's OpenProject instance."
        protocol: "openid-connect"
        protocolMappers:
          - name: "opendesk_useruuid"
@@ -61,6 +72,306 @@ config:
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
+          - name: "opendeskProjectmanagementAdmin"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "opendeskProjectmanagementAdmin"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "openproject_admin"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "given name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "firstName"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "given_name"
+              jsonType.label: "String"
+          - name: "family name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "lastName"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "family_name"
+              jsonType.label: "String"
+      - name: "opendesk-jitsi-scope"
+        description: "Scope for the claims required by openDesk's Jitsi instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-nextcloud-scope"
+        description: "Scope for the claims required by openDesk's Nextcloud instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "context"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "oxContextIDNum"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "context"
+              jsonType.label: "String"
+      - name: "opendesk-matrix-scope"
+        description: "Scope for the claims required by openDesk's Matrix instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-xwiki-scope"
+        description: "Scope for the claims required by openDesk's XWiki instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-dovecot-scope"
+        description: "Scope for the claims required by openDesk's Dovecot instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+      - name: "opendesk-oxappsuite-scope"
+        description: "Scope for the claims required by openDesk's OX Appuite instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "context"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "oxContextIDNum"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "context"
+              jsonType.label: "String"
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
    clients:
      - name: "opendesk-dovecot"
        clientId: "opendesk-dovecot"
@@ -74,7 +385,7 @@ config:
        attributes:
          backchannel.logout.session.required: false
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-dovecot-scope"
      - name: "opendesk-intercom"
        clientId: "opendesk-intercom"
        protocol: "openid-connect"
@@ -128,7 +439,6 @@ config:
              claim.name: "phoenixusername"
              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
          - "offline_access"
      - name: "opendesk-jitsi"
        clientId: "opendesk-jitsi"
@@ -142,8 +452,7 @@ config:
        fullScopeAllowed: true
        authorizationServicesEnabled: false
        defaultClientScopes:
-          - "opendesk"
-          - "profile"
+          - "opendesk-jitsi-scope"
      - name: "opendesk-matrix"
        clientId: "opendesk-matrix"
        protocol: "openid-connect"
@@ -165,12 +474,9 @@ config:
          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
-          - "opendesk"
-        optionalClientScopes:
-          - "email"
-          - "profile"
-        # This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
-        # is solved and also is able to use "opendesk-matrix" we keep that dummy client that
+          - "opendesk-matrix-scope"
+      # The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID.
+      # Unless that is solved and also is able to use "opendesk-matrix" we keep that dummy client that
      - name: "matrix"
        clientId: "matrix"
        protocol: "openid-connect"
@@ -183,6 +489,8 @@ config:
        authorizationServicesEnabled: false
        attributes:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes: []
+        optionalClientScopes: []
      - name: "opendesk-nextcloud"
        clientId: "opendesk-nextcloud"
        protocol: "openid-connect"
@@ -199,21 +507,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "context"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "oxContextIDNum"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "context"
-              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
-          - "email"
+          - "opendesk-nextcloud-scope"
          - "read_contacts"
          - "write_contacts"
      - name: "opendesk-openproject"
@@ -233,22 +528,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "opendeskProjectmanagementAdmin"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "opendeskProjectmanagementAdmin"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "openproject_admin"
-              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
-          - "email"
-          - "profile"
+          - "opendesk-openproject-scope"
      - name: "opendesk-oxappsuite"
        clientId: "opendesk-oxappsuite"
        protocol: "openid-connect"
@@ -265,20 +546,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "context"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "oxContextIDNum"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "context"
-              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
+          - "opendesk-oxappsuite-scope"
          - "read_contacts"
          - "write_contacts"
      - name: "opendesk-xwiki"
@@ -298,10 +567,7 @@ config:
          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
-          - "opendesk"
-          - "address"
-          - "email"
-          - "profile"
+          - "opendesk-xwiki-scope"
      - name: "guardian-management-api"
        clientId: "guardian-management-api"
        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -505,7 +771,6 @@ config:
              claim.name: "dn"
              jsonType.label: "String"
        defaultClientScopes:
-          - "opendesk"
          - "web-origins"
          - "acr"
          - "roles"
@@ -594,7 +859,6 @@ config:
              access.token.claim: true
              userinfo.token.claim: false

-
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -674,7 +674,7 @@ stack-data-swp:

  stackDataSwp:
    udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-    {{- if .Values.admin.portal.deploymentInformation.enabled }}
+    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
    systemInformation:
      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
@@ -1062,8 +1062,8 @@ keycloak-bootstrap:
    imagePullPolicy: {{ .Values.global.imagePullPolicy }}

  cleanup:
-    deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-    keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+    deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+    keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}

  keycloak:
    connection:
@@ -1172,7 +1172,7 @@ keycloak-extensions:
      ipProtectionEnable: true
      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      mailFrom: "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
@@ -1319,7 +1319,7 @@ stack-gateway:
      proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;


-      {{ if .Values.externalServices.nubus.udmRestApi.enabled }}
+      {{ if .Values.functional.externalServices.nubus.udmRestApi.enabled }}
      ## udm-rest-api
      location /univention/udm/ {
        # The UDM Rest API does return on some endpoints a lot of headers
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -60,14 +60,19 @@ customConfigs:
    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
    ## Allow short update cycles of the LDAP group cache
    xwiki.authentication.ldap.groupcache_expiration: 300
+    ## Mapping for XWiki attributes to the respective LDAP attributes
+    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"

  xwiki.properties:
+    wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
+    wikiInitializer.initialRequest.xwiki.contextPath: "/"
+    wikiInitializer.initialRequest.xwiki.remoteAddress: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
    oidc.clientid: "opendesk-xwiki"
    oidc.endpoint.token.auth_method: "client_secret_basic"
    oidc.endpoint.userinfo.method: "GET"
    oidc.logoutMechanism: "rpInitiated"
    oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
-    oidc.scope: "openid,profile,email,address,opendesk"
+    oidc.scope: "openid,opendesk-xwiki-scope"
    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
    oidc.skipped: false
    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
@@ -82,6 +87,7 @@ customConfigs:
    workplaceServices.base: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
    workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
    openoffice.serverType: "0"
+    notifications.emails.live.graceTime: "5"

 ingress:
  enabled: {{ .Values.ingress.enabled }}
@@ -127,8 +133,11 @@ properties:
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvg | b64enc }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
  ## SMTP settings
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ .Values.smtp.host | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": {{ .Values.smtp.port | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ .Values.smtp.username | quote }}
@@ -158,7 +167,7 @@ properties:
  "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
-    "sn,givenname,uid"
+    "sn,givenname,uid,mailPrimaryAddress"
  ## Restrict user import in the UI to global administrators
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
  ## Enable group and user synchronization
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -46,7 +46,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
    name: "collabora-online"
-    version: "1.1.17"
+    version: "1.1.20"
    verify: true
  cryptpad:
    # providerCategory: "Supplier"
@@ -78,7 +78,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
@@ -88,7 +88,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -180,7 +180,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  memcached:
    # providerCategory: "Community"
@@ -192,6 +192,16 @@ charts:
    name: "memcached"
    version: "6.7.1"
    verify: true
+  migrations:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-migrations"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
+    name: "opendesk-migrations"
+    version: "1.0.1"
+    verify: true
  minio:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -240,7 +250,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "1.1.0"
+    version: "2.1.0"
    verify: true
  openproject:
    # providerCategory: "Supplier"
@@ -346,7 +356,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  synapseCreateAccount:
    # providerCategory: "Platform"
@@ -356,7 +366,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  synapseWeb:
    # providerCategory: "Platform"
@@ -366,7 +376,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  ums:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/debug.yaml
+++ b/helmfile/environments/default/debug.yaml
@@ -1,16 +1,16 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-cleanup:
-  # Keep Pods/Job logs after successful run.
-  deletePodsOnSuccess: true
-  # When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
-  deletePodsOnSuccessTimeout: 60
-  # Keep persistence on deletion of this release.
-  keepPVCOnDelete: false
-  # Keep additional resources, like certificates on deletion of this release.
-  keepRessourceOnDelete: true
 debug:
+  cleanup:
+    # Keep Pods/Job logs after successful run.
+    deletePodsOnSuccess: true
+    # When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
+    deletePodsOnSuccessTimeout: 60
+    # Keep persistence on deletion of this release.
+    keepPVCOnDelete: false
+    # Keep additional resources, like certificates on deletion of this release.
+    keepRessourceOnDelete: true
  # should activate debug output in all components and even allow e.g. successfully executed jobs
  # to stay available. This is going to be implemented on a case by case basis when we actually
  # need debugging in a component.
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -1,43 +1,55 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-authentication:
-  twoFactor:
-    # Define a list of groups to enable 2FA for.
-    # Note: Removing a group from the list will not disable 2FA for the removed group.
-    groups:
+functional:
+  admin:
+    portal:
+      deploymentInformation:
+        # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
+        enabled: true
+
+  authentication:
+    twoFactor:
+      # Define a list of groups to enable 2FA for.
+      # Note: Removing a group from the list will not disable 2FA for the removed group.
+      groups:
      - "Domain Admins"
+    oidc:
+      # Define additional/custom OIDC clients to be created in the 'opendesk' realm of Keycloak.
+      clients: ~
+      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm of Keycloak.
+      clientScopes: ~

-externalServices:
-  nubus:
-    udmRestApi:
-      # Enable to make the UDM REST API from the Nubus stack externally available.
+  externalServices:
+    nubus:
+      udmRestApi:
+        # Enable to make the UDM REST API from the Nubus stack externally available.
+        enabled: false
+    matrix:
+      federation:
+        # Disable to not support Matrix federation with your installation.
+        enabled: true
+
+  filestore:
+    quota:
+      # Set the default quota for all users in GB
+      default: 1
+    # Nextcloud specific configuration
+    nextcloud:
+      retentionObligation:
+        # yamllint disable rule:line-length
+        # Set Nextcloud's `trashbin_retention_obligation`
+        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
+        trashbin: "auto"
+        # Set Nextcloud's `versions_retention_obligation`
+        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
+        versions: "auto"
+        # yamllint enable rule:line-length
+        
+  dataProtection:
+    matrixPresence:
+      # Enable to allow information about the user presence status to be shared.
+      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
      enabled: false
-  matrix:
-    federation:
-      # Disable to not support Matrix federation with your installation.
-      enabled: true
-
-admin:
-  portal:
-    deploymentInformation:
-      # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
-      enabled: true
-
-filestore:
-  quota:
-    # Set the default quota for all users in GB
-    default: 1
-  # Nextcloud specific configuration
-  nextcloud:
-    retentionObligation:
-      # yamllint disable rule:line-length
-      # Set Nextcloud's `trashbin_retention_obligation`
-      # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
-      trashbin: "auto"
-      # Set Nextcloud's `versions_retention_obligation`
-      # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
-      versions: "auto"
-      # yamllint enable rule:line-length
  
 ...
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
@@ -23,4 +23,39 @@ global:
  #
  helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}
  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | quote }}
+
+  ## Define ingress/virtualservice host.
+  #
+  hosts:
+    collabora: "collabora"
+    cryptpad: "cryptpad"
+    element: "chat"
+    intercomService: "ics"
+    jitsi: "meet"
+    keycloak: "id"
+    matrixNeoBoardWidget: "matrix-neoboard-widget"
+    matrixNeoChoiceWidget: "matrix-neochoice-widget"
+    matrixNeoDateFixBot: "matrix-neodatefix-bot"
+    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
+    minioApi: "minio"
+    minioConsole: "minio-console"
+    nextcloud: "fs"
+    openproject: "project"
+    openxchange: "webmail"
+    synapse: "matrix"
+    synapseFederation: "matrix-federation"
+    univentionManagementStack: "portal"
+    whiteboard: "whiteboard"
+    xwiki: "wiki"
+
+  ## Credentials to fetch images from private registry
+  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  #
+  imagePullSecrets:
+    - "external-registry"
+
+  ## Define the policy to pull container images.
+  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+  #
+  imagePullPolicy: "IfNotPresent"
 ...
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -1,42 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
---
-## The global properties are used to configure multiple charts at once.
-#
-global:
-  ## Define ingress/virtualservice host.
-  #
-  hosts:
-    collabora: "collabora"
-    cryptpad: "cryptpad"
-    element: "chat"
-    intercomService: "ics"
-    jitsi: "meet"
-    keycloak: "id"
-    matrixNeoBoardWidget: "matrix-neoboard-widget"
-    matrixNeoChoiceWidget: "matrix-neochoice-widget"
-    matrixNeoDateFixBot: "matrix-neodatefix-bot"
-    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
-    minioApi: "minio"
-    minioConsole: "minio-console"
-    nextcloud: "fs"
-    openproject: "project"
-    openxchange: "webmail"
-    synapse: "matrix"
-    synapseFederation: "matrix-federation"
-    univentionManagementStack: "portal"
-    whiteboard: "whiteboard"
-    xwiki: "wiki"
-
-  ## Credentials to fetch images from private registry
-  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  #
-  imagePullSecrets:
-    - "external-registry"
-
-  ## Define the policy to pull container images.
-  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
-  #
-  imagePullPolicy: "IfNotPresent"
-...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -20,7 +20,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.4.2.1@sha256:268b586d48848958f9a0329f1ce6849f842d1ab2413a3c45ddf2f2dd249efc9a"
+    tag: "24.04.5.2.1@sha256:583f3764661fdce99c5a97019b732db1bed9f9b333d70640ac99a6953c493666"
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -198,6 +198,14 @@ images:
    registry: "registry-1.docker.io"
    repository: "bitnami/memcached"
    tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
+  migrations:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
+    tag: "1.0.2@sha256:fbe21b4e2a276d2c5d052c1bb52158debfcc146188e654661001d4ff45b1b453"
  milter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -221,7 +229,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.21@sha256:ec63d564eb11d7ed213a5ef8719f2b3380e552f1ffb1251470b84c0c8937b7b8"
+    tag: "1.1.22@sha256:8bfa92fcfdcb2fee1b3560a623ffb319fcfcc7e5fbcc20d631df747427e88f84"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -237,7 +245,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.4.0@sha256:a54aa29220569c6e8367996429851d5880b2d93afd37180f3ea0bccf6df8c2c5"
+    tag: "1.4.2@sha256:a4c12a624c76b44c8305a768ced33e2b9af9497ff9cfa639045df846d89fbda4"
  nextcloudPHP:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -245,7 +253,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.9.0@sha256:425e2bc1e18a6e5b8cb2d4ec103353b2d7af4211d93bef062ff9752a1cb168d8"
+    tag: "1.10.1@sha256:8eb5ac95eaea69e0928e48aa5a121cbf10f359be4679040da8464810e9d799ff"
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -253,7 +261,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.0.5@sha256:76ccd9a74ae2c2dabb6beaa0192c15b9c06763abbd632cd0f8db68e5d8d5883c"
+    tag: "1.2.0@sha256:3b364c60bedb9ae001c39cbf84e4b4b326b9559078f21bfc993cf0e601196e6f"
  openproject:
    # providerCategory: "Supplier"
    # providerResponsible: "OpenProject"
--- a/helmfile/environments/default/monitoring.yaml
+++ b/helmfile/environments/default/monitoring.yaml
@@ -1,25 +1,25 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-prometheus:
-  serviceMonitors:
-    enabled: false
-    labels:
-      release: "kube-prometheus-stack"
-  podMonitors:
-    enabled: false
-    labels:
-      release: "kube-prometheus-stack"
-  prometheusRules:
-    enabled: false
-    labels:
-      release: "kube-prometheus-stack"
+monitoring:
+  prometheus:
+    serviceMonitors:
+      enabled: false
+      labels:
+        release: "kube-prometheus-stack"
+    podMonitors:
+      enabled: false
+      labels:
+        release: "kube-prometheus-stack"
+    prometheusRules:
+      enabled: false
+      labels:
+        release: "kube-prometheus-stack"

-
-grafana:
-  dashboards:
-    enabled: false
-    labels:
-      grafana_dashboard: "1"
-    annotations:
+  grafana:
+    dashboards:
+      enabled: false
+      labels:
+        grafana_dashboard: "1"
+      annotations:
 ...
--- a/helmfile/environments/default/objectstore.gotmpl
+++ b/helmfile/environments/default/objectstore.gotmpl
@@ -1,7 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 objectstores:
  migrations:
--- a/helmfile/environments/default/opendesk_main.gotmpl
+++ b/helmfile/environments/default/opendesk_main.gotmpl
@@ -0,0 +1,76 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+#
+# Note: Currently only single namespace deployments are supported.
+---
+certificates:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+clamavDistributed:
+  enabled: false
+  namespace: {{ env "NAMESPACE" | quote }}
+clamavSimple:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+collabora:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+cryptpad:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+dovecot:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+element:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+home:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+intercom:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+jitsi:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+mariadb:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+memcached:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+migrations:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+minio:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+nextcloud:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+openproject:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+oxAppsuite:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+oxConnector:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+postfix:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+postgresql:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+redis:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+univentionManagementStack:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+xwiki:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
+...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -69,10 +69,11 @@ resources:
    requests:
      cpu: 0.1
      memory: "384Mi"
+  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jicofo:
    limits:
      cpu: 99
-      memory: "512Mi"
+      memory: "3584Mi"
    requests:
      cpu: 0.1
      memory: "256Mi"
@@ -90,10 +91,11 @@ resources:
    requests:
      cpu: "10m"
      memory: "48Mi"
+  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jvb:
    limits:
      cpu: 99
-      memory: "768Mi"
+      memory: "3584Mi"
    requests:
      cpu: 0.1
      memory: "384Mi"
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -30,6 +30,7 @@ seLinuxOptions:
  matrixNeoDateFixWidget: ~
  matrixUserVerificationService: ~
  memcached: ~
+  migrations: ~
  milter: ~
  minio: ~
  nextcloudApache2: ~
--- a/helmfile/environments/default/smtp.gotmpl
+++ b/helmfile/environments/default/smtp.gotmpl
@@ -8,6 +8,5 @@ smtp:
  port: 587
  username: ""
  password: {{ env "SMTP_PASSWORD" | quote }}
-
-localpartNoReply: "no-reply"
+  localpartNoReply: "no-reply"
 ...
--- a/helmfile/environments/default/workplace.yaml
+++ b/helmfile/environments/default/workplace.yaml
@@ -1,49 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-certificates:
-  enabled: true
-clamavDistributed:
-  enabled: false
-clamavSimple:
-  enabled: true
-collabora:
-  enabled: true
-cryptpad:
-  enabled: true
-dovecot:
-  enabled: true
-element:
-  enabled: true
-home:
-  enabled: true
-intercom:
-  enabled: true
-jitsi:
-  enabled: true
-mariadb:
-  enabled: true
-memcached:
-  enabled: true
-minio:
-  enabled: true
-nextcloud:
-  enabled: true
-openproject:
-  enabled: true
-oxAppsuite:
-  enabled: true
-oxConnector:
-  enabled: true
-postfix:
-  enabled: true
-postgresql:
-  enabled: true
-redis:
-  enabled: true
-univentionManagementStack:
-  enabled: true
-xwiki:
-  enabled: true
-...
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -0,0 +1,59 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
+
+migrations:
+  runId: 1
+  currentOdRelease: {{ .Values.global.systemInformation.releaseVersion | quote }}
+  namespace: {{ .Values.migrations.namespace | quote }}
+  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  failOnUnexpectedState: true
+  credentials:
+    keycloakAdminUsername: "kcadmin"
+    keycloakAdminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+  urls:
+    keycloakBase: "http://ums-keycloak.{{ .Values.univentionManagementStack.namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.migrations | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.migrations.registry | quote }}
+  repository: {{ .Values.images.migrations.repository | quote }}
+  tag: {{ .Values.images.migrations.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
+
+job:
+  enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
+
+...
--- a/helmfile_generic.yaml
+++ b/helmfile_generic.yaml
@@ -6,11 +6,13 @@
 #
 helmfiles:
  # Path to the helmfile state file being processed BEFORE releases in this state file
-  - path: "helmfile/apps/services/helmfile-child.yaml"
+  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml"
    values: &values
      - "helmfile/environments/default/*.yaml"
      - "helmfile/environments/default/*.gotmpl"
      - {{ toYaml .Values | nindent 8 }}
+  - path: "helmfile/apps/services/helmfile-child.yaml"
+    values: *values
  - path: "helmfile/apps/univention-management-stack/helmfile-child.yaml"
    values: *values
  - path: "helmfile/apps/intercom-service/helmfile-child.yaml"
@@ -35,5 +37,7 @@ helmfiles:
    values: *values
  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml"
    values: *values
+  - path: "helmfile/apps/migrations-post/helmfile-child.yaml"
+    values: *values
 missingFileHandler: "Error"
 ...
Author	SHA1	Message	Date
Sven Andersen	6afcf9aba5	feat(element): Featuretoggle for presence propagation	2024-07-31 08:24:43 +02:00
Sven Andersen	bd0b08b4cf	feat(element): Reduced presence values to one for all presence features	2024-07-30 16:09:29 +02:00
Sven Andersen	879014e068	feat(element): Default for Element status disabled	2024-07-30 15:00:25 +02:00
Sven Andersen	e734ec2e1b	feat(element): Functional test for toggle element presence	2024-07-30 13:26:02 +02:00
Sven Andersen	5976684a9a	feat(element): Implement toggle for userpresence within element-synapse and removed it from client	2024-07-30 12:20:57 +02:00
Sven Andersen	c3679341b0	feat(element): Use_presence into values-element	2024-07-30 11:30:48 +02:00
Sven Andersen	be5c55583c	feat(element): Implement toggle for presence Status for older Element Versions	2024-07-30 09:45:27 +02:00
Sven Andersen	5b5e53ab4b	fix(element): Removed latest Tag	2024-07-29 10:22:55 +02:00
Sven Andersen	1c26600ac2	fix(element): Bump element chart	2024-07-29 10:19:17 +02:00
Sven Andersen	0e99cbb834	feat(element): Changed element chart to test presence	2024-07-29 08:34:00 +02:00
Sven Andersen	2a59b836f1	fix(element): Insert presence into homeserver config	2024-07-26 15:04:12 +02:00
Sven Andersen	2fa55ec38a	feat(element): Typo in Template	2024-07-26 14:27:42 +02:00
Sven Andersen	cdf01cfde9	feat(element): Disable presence with approach from Thorsten	2024-07-26 14:03:49 +02:00
Sven Andersen	30fd4229c5	feat(element): Reverted change presence	2024-07-26 10:55:57 +02:00
Sven Andersen	82c40d47b0	feat(element): Homeserver presence false	2024-07-26 09:44:23 +02:00
Sven Andersen	e7f14149a3	feat(element): Presence enabled false	2024-07-25 11:23:33 +02:00
openDesk Bot	74d444e2d6	fix(collabora): Update to 24.04.5.1.2.	2024-07-18 07:53:49 +02:00
openDesk Bot	8a2d951c3b	fix(collabora): Update to 24.04.5.1.1.	2024-07-17 10:39:37 +02:00
Thorsten Roßner	46412d1a9e	fix(keycloak): Support for custom OIDC Clients and ClientScopes.	2024-07-17 10:39:37 +02:00
Thorsten Roßner	26a7641a5a	fix(helmfile): Streamline prefixes for customizable defaults. UPGRADES: See `./docs/migrations.md` for more details.	2024-07-17 10:39:16 +02:00
Thorsten Roßner	671f57a809	fix(nextcloud): Update to 28.0.7 including latest apps for 28.	2024-07-16 08:25:55 +00:00
Thorsten Roßner	fe923bb9cd	fix(jitsi): Raise memory limit for jicofo and jvb as required by upstream product.	2024-07-16 04:35:43 +00:00
Thorsten Roßner	b4570a9a87	feat(authentication): Avoid that users can open a app they do not have the appropriate LDAP group set for. Implementation is based on role based client scopes. Introducing also an openDesk migration approach with a pre and post deployment stage.	2024-07-15 17:50:35 +02:00
Thorsten Roßner	1067e725b3	fix(xwiki): Add email address mapping to LDAP sync; Fix hostname `null` value in notification links.	2024-07-10 16:31:04 +00:00