fix(nubus): Update token exchange

fix(nubus): Remove UMC (SAML) Keycloak client
2025-12-08 16:28:36 +01:00 · 2025-11-10 11:19:34 +00:00 · 2025-11-10 11:19:34 +00:00 · 2025-11-10 11:19:34 +00:00
62 changed files with 291 additions and 548 deletions
--- a/README.md
+++ b/README.md
@@ -38,12 +38,12 @@ openDesk currently features the following functional main components:
 | Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.4.0](https://github.com/suitenumerique/docs/releases/tag/v3.4.0)                           | Online documentation/welcome document available in installed application                                                              |
 | Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2025.6.0](https://github.com/cryptpad/cryptpad/releases/tag/2025.6.0)                        | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
 | File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.7](https://nextcloud.com/de/changelog/#31-0-7)                                          | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
-| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.43](https://documentation.open-xchange.com/appsuite/releases/8.43/)                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/)                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/)                | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.15.2](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.15.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.6.0](https://www.openproject.org/docs/release-notes/16-6-0/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.5.1](https://www.openproject.org/docs/release-notes/16-5-1/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431)       | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
-| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.6](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
+| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.5](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -129,7 +129,7 @@ An overview of
 - components that consume the LDAP service.
  - The components access the LDAP using a component-specific LDAP search account.
 - components using Univention Keycloak as an identity provider (IdP).
-  - All components use OAuth2 / OIDC flows.
+  - The components should use OAuth2 / OIDC flows if not otherwise denoted.
  - All components have a client configured in Keycloak.
 Some components trust others to handle authentication for them.
@@ -148,7 +148,7 @@ flowchart TD
 D-->K
 O-->K
 X-->K
- P-->K
+ P-->|SAML|K
 E[Element]-->K
 J[Jitsi]-->K
 I[IntercomService]-->K
@@ -184,6 +184,11 @@ sequenceDiagram
    Note over Browser: User is authenticated
 ```
 > [!note]
 > Nubus' Portal and UMC still use [SAML 2.0](https://www.oasis-open.org/standard/saml/) to authenticate
 > users. However, Nubus will switch to OIDC in an upcoming release, eliminating the use of SAML in openDesk
 > altogether.
 ## Keycloak
 [Keycloak](https://www.keycloak.org/) is an open-source identity and access management solution for web based applications and services. It provides features such as single sign-on, multi-factor authentication, user federation, and centralized user management.
--- a/docs/data-storage.md
+++ b/docs/data-storage.md
@@ -70,7 +70,6 @@ XWiki,PersistentVolume,1
 | -------------------- | ------------ | -------- | --------------------------------------------------------------------------------- | ---------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
 | **ClamAV**           | PVC          | No       | ClamAV Database                                                                   | `clamav-database-clamav-simple-0`              | `/var/lib/clamav`                                                                                         |
 | **Dovecot**          | PVC          | Yes      | openDesk CE only: User mail directories                                           | `dovecot`                                      | `/srv/mail`                                                                                               |
 |                      | PVC          | No       | openDesk EE only: Metacache directory                                             | `var-lib-dovecot-dovecot-0`                    | `/var/lib/dovecot`                                                                                        |
 |                      | S3           | Yes      | openDesk EE only: User mail                                                       | `dovecot`                                      | `dovecot`                                                                                                 |
 |                      | Cassandra    | Yes      | openDesk EE only: Metadata and ACLs                                               | `dovecot_dictmap`, `dovecot_acl`               |                                                                                                           |
 | **Element/Synapse**  | PostgreSQL   | Yes      | Application's main database                                                       | `matrix`                                       |                                                                                                           |
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -8,19 +8,14 @@ SPDX-License-Identifier: Apache-2.0
 <!-- TOC -->
 * [Disclaimer](#disclaimer)
 * [Deprecation warnings](#deprecation-warnings)
-* [Overview and mandatory upgrade path](#overview-and-mandatory-upgrade-path)
+* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
-  * [Versions ≥ v1.10.0](#versions--v1100)
+  * [Versions &GreaterEqual; v1.9.0](#versions--v190)
-    * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
+    * [Pre-upgrade to versions &GreaterEqual; v1.9.0](#pre-upgrade-to-versions--v190)
      * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed)
    * [Post-upgrade to versions ≥ v1.10.0](#post-upgrade-to-versions--v1100)
      * [New application default: Dovecot full-text search index configuration](#new-application-default-dovecot-full-text-search-index-configuration)
  * [Versions ≥ v1.9.0](#versions--v190)
    * [Pre-upgrade to versions ≥ v1.9.0](#pre-upgrade-to-versions--v190)
      * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases)
      * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients)
-  * [Versions ≥ v1.8.0](#versions--v180)
+  * [Versions &GreaterEqual; v1.8.0](#versions--v180)
-    * [Pre-upgrade to versions ≥ v1.8.0](#pre-upgrade-to-versions--v180)
+    * [Pre-upgrade to versions &GreaterEqual; v1.8.0](#pre-upgrade-to-versions--v180)
      * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users)
      * [New database and secrets: Portal now uses OIDC](#new-database-and-secrets-portal-now-uses-oidc)
      * [New application default: XWiki blocks self-registration of user accounts](#new-application-default-xwiki-blocks-self-registration-of-user-accounts)
@@ -29,39 +24,39 @@ SPDX-License-Identifier: Apache-2.0
      * [Helmfile new default: New groupware settings changing current behaviour](#helmfile-new-default-new-groupware-settings-changing-current-behaviour)
      * [New application default: Nextcloud apps "Spreed" and "Comments" no longer enabled by default](#new-application-default-nextcloud-apps-spreed-and-comments-no-longer-enabled-by-default)
      * [New application default: Gravatar is switched off for Jitsi and OpenProject](#new-application-default-gravatar-is-switched-off-for-jitsi-and-openproject)
-  * [Versions ≥ v1.7.0](#versions--v170)
+  * [Versions &GreaterEqual; v1.7.0](#versions--v170)
-    * [Pre-upgrade to versions ≥ v1.7.0](#pre-upgrade-to-versions--v170)
+    * [Pre-upgrade to versions &GreaterEqual; v1.7.0](#pre-upgrade-to-versions--v170)
      * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
      * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
-    * [Post-upgrade to versions ≥ v1.7.0](#post-upgrade-to-versions--v170)
+    * [Post-upgrade to versions &GreaterEqual; v1.7.0](#post-upgrade-to-versions--v170)
      * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
-  * [Versions ≥ v1.6.0](#versions--v160)
+  * [Versions &GreaterEqual; v1.6.0](#versions--v160)
-    * [Pre-upgrade to versions ≥ v1.6.0](#pre-upgrade-to-versions--v160)
+    * [Pre-upgrade to versions &GreaterEqual; v1.6.0](#pre-upgrade-to-versions--v160)
      * [Upstream constraint: Nubus' external secrets](#upstream-constraint-nubus-external-secrets)
      * [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser)
      * [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange)
      * [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade)
-    * [Post-upgrade to versions ≥ v1.6.0](#post-upgrade-to-versions--v160)
+    * [Post-upgrade to versions &GreaterEqual; v1.6.0](#post-upgrade-to-versions--v160)
      * [OX App Suite fix-up: Using S3 as storage for non mail attachments (post-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-post-upgrade)
-  * [Versions ≥ v1.4.0](#versions--v140)
+  * [Versions &GreaterEqual; v1.4.0](#versions--v140)
-    * [Pre-upgrade to versions ≥ v1.4.0](#pre-upgrade-to-versions--v140)
+    * [Pre-upgrade to versions &GreaterEqual; v1.4.0](#pre-upgrade-to-versions--v140)
      * [Helmfile cleanup: `global.additionalMailDomains` as list](#helmfile-cleanup-globaladditionalmaildomains-as-list)
-  * [Versions ≥ v1.3.0](#versions--v130)
+  * [Versions &GreaterEqual; v1.3.0](#versions--v130)
-    * [Pre-upgrade to versions ≥ v1.3.0](#pre-upgrade-to-versions--v130)
+    * [Pre-upgrade to versions &GreaterEqual; v1.3.0](#pre-upgrade-to-versions--v130)
      * [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation)
-  * [Versions ≥ v1.2.0](#versions--v120)
+  * [Versions &GreaterEqual; v1.2.0](#versions--v120)
-    * [Pre-upgrade to versions ≥ v1.2.0](#pre-upgrade-to-versions--v120)
+    * [Pre-upgrade to versions &GreaterEqual; v1.2.0](#pre-upgrade-to-versions--v120)
      * [Helmfile cleanup: Do not configure OX provisioning when no OX installed](#helmfile-cleanup-do-not-configure-ox-provisioning-when-no-ox-installed)
      * [Helmfile new default: PostgreSQL for XWiki and Nextcloud](#helmfile-new-default-postgresql-for-xwiki-and-nextcloud)
-  * [Versions ≥ v1.1.2](#versions--v112)
+  * [Versions &GreaterEqual; v1.1.2](#versions--v112)
-    * [Pre-upgrade to versions ≥ v1.1.2](#pre-upgrade-to-versions--v112)
+    * [Pre-upgrade to versions &GreaterEqual; v1.1.2](#pre-upgrade-to-versions--v112)
      * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
-  * [Versions ≥ v1.1.1](#versions--v111)
+  * [Versions &GreaterEqual; v1.1.1](#versions--v111)
-    * [Pre-upgrade to versions ≥ v1.1.1](#pre-upgrade-to-versions--v111)
+    * [Pre-upgrade to versions &GreaterEqual; v1.1.1](#pre-upgrade-to-versions--v111)
      * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
      * [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
-  * [Versions ≥ v1.1.0](#versions--v110)
+  * [Versions &GreaterEqual; v1.1.0](#versions--v110)
-    * [Pre-upgrade to versions ≥ v1.1.0](#pre-upgrade-to-versions--v110)
+    * [Pre-upgrade to versions &GreaterEqual; v1.1.0](#pre-upgrade-to-versions--v110)
      * [Helmfile cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
      * [Helmfile cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
      * [Helmfile cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
@@ -71,10 +66,10 @@ SPDX-License-Identifier: Apache-2.0
      * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
      * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
      * [External requirements: Redis 7.4](#external-requirements-redis-74)
-    * [Post-upgrade to versions ≥ v1.1.0](#post-upgrade-to-versions--v110)
+    * [Post-upgrade to versions &GreaterEqual; v1.1.0](#post-upgrade-to-versions--v110)
      * [XWiki fix-ups](#xwiki-fix-ups)
-  * [Versions ≥ v1.0.0](#versions--v100)
+  * [Versions &GreaterEqual; v1.0.0](#versions--v100)
-    * [Pre-upgrade to versions ≥ v1.0.0](#pre-upgrade-to-versions--v100)
+    * [Pre-upgrade to versions &GreaterEqual; v1.0.0](#pre-upgrade-to-versions--v100)
      * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
      * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
      * [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled)
@@ -82,17 +77,17 @@ SPDX-License-Identifier: Apache-2.0
      * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
      * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
      * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
-    * [Post-upgrade to versions ≥ v1.0.0](#post-upgrade-to-versions--v100)
+    * [Post-upgrade to versions &GreaterEqual; v1.0.0](#post-upgrade-to-versions--v100)
      * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
      * [Optional Cleanup](#optional-cleanup)
 * [Automated migrations - Details](#automated-migrations---details)
-  * [Versions ≥ v1.6.0 (automated)](#versions--v160-automated)
+  * [Versions &GreaterEqual; v1.6.0 (automated)](#versions--v160-automated)
-    * [Versions ≥ v1.6.0 migrations-post](#versions--v160-migrations-post)
+    * [Versions &GreaterEqual; v1.6.0 migrations-post](#versions--v160-migrations-post)
-  * [Versions ≥ v1.2.0 (automated)](#versions--v120-automated)
+  * [Versions &GreaterEqual; v1.2.0 (automated)](#versions--v120-automated)
-    * [Versions ≥ v1.2.0 migrations-pre](#versions--v120-migrations-pre)
+    * [Versions &GreaterEqual; v1.2.0 migrations-pre](#versions--v120-migrations-pre)
-    * [Versions ≥ v1.2.0 migrations-post](#versions--v120-migrations-post)
+    * [Versions &GreaterEqual; v1.2.0 migrations-post](#versions--v120-migrations-post)
-  * [Versions ≥ v1.1.0 (automated)](#versions--v110-automated)
+  * [Versions &GreaterEqual; v1.1.0 (automated)](#versions--v110-automated)
-  * [Versions ≥ v1.0.0 (automated)](#versions--v100-automated)
+  * [Versions &GreaterEqual; v1.0.0 (automated)](#versions--v100-automated)
  * [Related components and artifacts](#related-components-and-artifacts)
  * [Development](#development)
 <!-- TOC -->
@@ -149,8 +144,7 @@ matching that constraint, though our links always point to the newest patch rele
 <!-- IMPORTANT: Make sure to mark mandatory releases if an automatic migration requires a previous update to be installed -->
 | Version                                                                                 | Mandatory | Pre-Upgrade                                                                                                                 | Post-Upgrade                            | Minimum Required Previous Version            |
-| ---------------------------------------------------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------- | ---------------------------------------------------- |
+|-----------------------------------------------------------------------------------------|-----------|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|----------------------------------------------|
 | [v1.10.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | --        | [Pre](#pre-upgrade-to-versions--v1100)                                                                                         | --                                      | ⬇ Install &GreaterEqual; v1.5.0 first               |
 | [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | --        | [Pre](#pre-upgrade-to-versions--v190)                                                                                       | --                                      | ⬇ Install &GreaterEqual; v1.5.0 first                                           |
 | [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0) | --        | [Pre](#pre-upgrade-to-versions--v180)                                                                                       | --                                      | ⬇ Install &GreaterEqual; v1.5.0 first                                           |
 | [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1) | --        | [Pre](#pre-upgrade-to-versions--v170)                                                                                       | [Post](#post-upgrade-to-versions--v170) | ⬇ Install &GreaterEqual; v1.5.0 first                                           |
@@ -177,39 +171,6 @@ If you would like more details about the automated migrations, please read secti
 > listed no extra manual steps are required when upgrading to that version, e.g. in the case of an update from
 > version 1.7.0 to version 1.7.1.
 ## Versions &GreaterEqual; v1.10.0
 ### Pre-upgrade to versions &GreaterEqual; v1.10.0
 #### New Helmfile default: Nubus provisioning debug container no longer deployed
 **Target group:** All deployments that make use of the debugging container for Nubus' provisioning stack called "nats-box",
 The [nats-box](https://github.com/nats-io/nats-box), a handy tool when it comes to debugging the Nubus provisioning stack, is no longer enabled in openDesk by default.
 To re-enable the nats-box for your deployment you have to set:
 ```
 technical.nubus.provisioning.nats.natsBox.enabled: true
 ```
 > [!note]
 > The nats-box also gets enabled when setting `debug.enabled: true`, but that should only be used in non-production scenarios and enabled debug
 > accross the whole deployment.
 ### Post-upgrade to versions &GreaterEqual; v1.10.0
 #### New application default: Dovecot full-text search index configuration
 **Target group:** All openDesk Enterprise deployments using the groupware module.
 Due to a configurational change the full-text search indexes of Dovecot Pro need to be rebuilt.
 Run the following command inside the Dovecot container:
 ```shell
 set -x; for d in /var/lib/dovecot/*/*; do uuid=$(basename "$d"); [[ $uuid =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]] || continue; doveadm fts rescan -u "$uuid"; doveadm index -u "$uuid" -q '*'; done
 ```
 ## Versions &GreaterEqual; v1.9.0
 ### Pre-upgrade to versions &GreaterEqual; v1.9.0
@@ -276,7 +237,7 @@ The portal has been migrated to use OIDC for single sign-on by default. This int
  - `secrets.postgresql.umsAuthSessionUser`: For internal databases, set the secret for the database user here. If you are using an external database, you already provide these credentials in the New database step above.
 > [!note]
-> The SAML Client for the Nubus portal is still preserved in Keycloak and is going to be removed with openDesk 1.10.0.
+> The SAML Client for the Nubus portal is still preserved in Keycloak and will be removed in one of the next openDesk releases.
 #### New application default: XWiki blocks self-registration of user accounts
--- a/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl
+++ b/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl
@@ -47,10 +47,7 @@ ingress:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
 podAnnotations:
-  intents.otterize.com/service-name: "collabora-controller"
+  {{ .Values.annotations.coco.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.coco.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 securityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -35,7 +35,7 @@ collabora:
    {{- end }}
    {{- if .Values.apps.collaboraController.enabled }}
    --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
-    --o:monitors.monitor[0]=ws://collabora-controller-cool-controller.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:9000/controller/ws
+    --o:monitors.monitor[0]=ws://collabora-controller-cool-controller:9000/controller/ws
    --o:monitors.monitor[0][@retryInterval]=5
    {{- end }}
  username: "collabora-internal-admin"
@@ -110,10 +110,7 @@ ingress:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
 podAnnotations:
-  intents.otterize.com/service-name: "collabora"
+  {{ .Values.annotations.collabora.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.collabora.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  fsGroup: 1001
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -55,10 +55,7 @@ persistence:
  enabled: false
 podAnnotations:
-  intents.otterize.com/service-name: "cryptpad"
+  {{ .Values.annotations.cryptpad.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.cryptpad.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  fsGroup: 4001
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -143,10 +143,7 @@ ingress:
    {{ .Values.annotations.element.ingress | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "opendesk-element"
+  {{ .Values.annotations.element.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.element.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -44,10 +44,7 @@ ingress:
    {{ .Values.annotations.elementMatrixNeoboardWidget.ingress | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "matrix-neoboard-widget"
+  {{ .Values.annotations.elementMatrixNeoboardWidget.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.elementMatrixNeoboardWidget.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -44,10 +44,7 @@ ingress:
    {{ .Values.annotations.elementMatrixNeochoiceWidget.ingress | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "matrix-neochoice-widget"
+  {{ .Values.annotations.elementMatrixNeochoiceWidget.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.elementMatrixNeochoiceWidget.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -25,10 +25,7 @@ image:
 fullnameOverride: "matrix-neodatefix-bot-bootstrap"
 podAnnotations:
-  intents.otterize.com/service-name: "values-matrix-neodatefix-bot-bootstrap"
+  {{ .Values.annotations.elementMatrixNeodatefixBotBootstrap.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.elementMatrixNeodatefixBotBootstrap.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 securityContext:
  allowPrivilegeEscalation: false
@@ -45,7 +42,7 @@ securityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
-serviceAccount:
+podAnnotations:
-  annotations:
+  {{ .Values.annotations.elementMatrixNeodatefixBotBootstrap.serviceAccount | toYaml | nindent 2 }}
-    {{ .Values.annotations.elementMatrixNeodatefixBotBootstrap.serviceAccount | toYaml | nindent 4 }}
+
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -90,10 +90,7 @@ persistence:
    {{ .Values.annotations.elementMatrixNeodatefixBot.persistence | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "matrix-neodatefix-bot"
+  {{ .Values.annotations.elementMatrixNeodatefixBot.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.elementMatrixNeodatefixBot.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -49,10 +49,7 @@ ingress:
    {{ .Values.annotations.elementMatrixNeodatefixWidget.ingress | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "matrix-neodatefix-widget"
+  {{ .Values.annotations.elementMatrixNeodatefixWidget.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.elementMatrixNeodatefixWidget.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -25,10 +25,7 @@ image:
 fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
 podAnnotations:
-  intents.otterize.com/service-name: "opendesk-matrix-user-verification-service-bootstrap"
+  {{ .Values.annotations.elementMatrixUserVerificationServiceBootstrap.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.elementMatrixUserVerificationServiceBootstrap.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 securityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -44,10 +44,7 @@ image:
  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
 podAnnotations:
-  intents.otterize.com/service-name: "opendesk-matrix-user-verification-service"
+  {{ .Values.annotations.elementMatrixUserVerificationService.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.elementMatrixUserVerificationService.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/element/values-synapse-admin.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-admin.yaml.gotmpl
@@ -56,12 +56,7 @@ cron:
    repository: {{ .Values.images.elementSyncAdmins.repository | quote }}
    tag: {{ .Values.images.elementSyncAdmins.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations:
    intents.otterize.com/service-name: "opendesk-synapse-admin-cron"
 #fullnameOverride: "opendesk-synapse-admin"
 podAnnotations:
  intents.otterize.com/service-name: "opendesk-synapse-admin"
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSynapseAdmin.registry | quote }}
  repository: {{ .Values.images.elementSynapseAdmin.repository | quote }}
--- a/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl
@@ -16,6 +16,4 @@ image:
  tag: {{ .Values.images.elementPipe.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "opendesk-synapse-adminbot-pipe"
 podAnnotations:
  intents.otterize.com/service-name: "opendesk-synapse-adminbot-pipe"
 ...
--- a/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl
@@ -20,6 +20,4 @@ ingress:
  enabled: {{ .Values.ingress.enabled }}
  tls:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations:
  intents.otterize.com/service-name: "opendesk-synapse-adminbot-web"
 ...
--- a/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl
@@ -16,6 +16,4 @@ image:
  tag: {{ .Values.images.elementPipe.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "opendesk-synapse-auditbot-pipe"
 podAnnotations:
  intents.otterize.com/service-name: "opendesk-synapse-auditbot-pipe"
 ...
--- a/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl
@@ -51,6 +51,4 @@ image:
  url: {{ .Values.images.elementGroupsync.repository | quote }}
  tag: {{ .Values.images.elementGroupsync.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 podAnnotations:
  intents.otterize.com/service-name: "opendesk-synapse-groupsync"
 ...
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -56,10 +56,7 @@ ingress:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations:
-  intents.otterize.com/service-name: "opendesk-synapse-web"
+  {{ .Values.annotations.elementSynapseWeb.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.elementSynapseWeb.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -250,10 +250,7 @@ persistence:
    {{ .Values.annotations.elementSynapse.persistence | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "opendesk-synapse"
+  {{ .Values.annotations.elementSynapse.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.elementSynapse.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -49,10 +49,7 @@ ingress:
    {{ .Values.annotations.elementWellKnown.ingress | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "opendesk-well-known"
+  {{ .Values.annotations.elementWellKnown.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.elementWellKnown.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -111,10 +111,9 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
    {{- if .Values.annotations.jitsiWeb.pod }}
    podAnnotations:
-      intents.otterize.com/service-name: "jitsi-web"
+      {{ .Values.annotations.jitsiWeb.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.jitsiWeb.pod }}
      {{ . | toYaml | nindent 6 }}
    {{- end }}
  prosody:
    image:
@@ -165,10 +164,9 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
    {{- if .Values.annotations.jitsiProsody.pod }}
    podAnnotations:
-      intents.otterize.com/service-name: "jitsi-prosody"
+      {{ .Values.annotations.jitsiProsody.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.jitsiProsody.pod }}
      {{ . | toYaml | nindent 6 }}
    {{- end }}
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
@@ -193,10 +191,9 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
    {{- if .Values.annotations.jitsiJicofo.pod }}
    podAnnotations:
-      intents.otterize.com/service-name: "jitsi-jicofo"
+      {{ .Values.annotations.jitsiJicofo.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.jitsiJicofo.pod }}
      {{ . | toYaml | nindent 6 }}
    {{- end }}
  jigasi:
    replicaCount: {{ .Values.replicas.jigasi }}
@@ -227,10 +224,9 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jigasi | toYaml | nindent 8 }}
    {{- if .Values.annotations.jitsiJigasi.pod }}
    podAnnotations:
-      intents.otterize.com/service-name: "jitsi-jigasi"
+      {{ .Values.annotations.jitsiJigasi.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.jitsiJigasi.pod }}
      {{ . | toYaml | nindent 6 }}
    {{- end }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
@@ -264,10 +260,9 @@ jitsi:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
    {{- if .Values.annotations.jitsiJvb.pod }}
    podAnnotations:
-      intents.otterize.com/service-name: "jitsi-jvb"
+      {{ .Values.annotations.jitsiJvb.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.jitsiJvb.pod }}
      {{ . | toYaml | nindent 6 }}
    {{- end }}
    metrics:
      prometheusAnnotations:
@@ -293,10 +288,9 @@ jitsi:
      # Chart does not allow to template more
      capabilities:
        add: ["SYS_ADMIN"]
    {{- if .Values.annotations.jitsiJibri.pod }}
    podAnnotations:
-      intents.otterize.com/service-name: "jitsi-jibri"
+      {{ .Values.annotations.jitsiJibri.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.jitsiJibri.pod }}
      {{ . | toYaml | nindent 6 }}
    {{- end }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
@@ -10,7 +10,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 additionalAnnotations:
-  intents.otterize.com/service-name: "opendesk-nextcloud-management"
+  intents.otterize.com/service-name: "opendesk-nextcloud-php"
  {{- with .Values.annotations.nextcloudNextcloudMgmt.additional }}
  {{ . | toYaml | nindent 2}}
  {{- end }}
--- a/helmfile/apps/nextcloud/values-nextcloud-notifypush.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-notifypush.yaml.gotmpl
@@ -10,6 +10,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 additionalAnnotations:
  intents.otterize.com/service-name: "opendesk-nextcloud-notifypush"
  {{- with .Values.annotations.nextcloudNotifyPush.additional }}
  {{ . | toYaml | nindent 4 }}
  {{- end }}
@@ -113,10 +114,7 @@ metrics:
      {{ .Values.annotations.nextcloudNotifyPush.serviceMetrics | toYaml | nindent 6 }}
 podAnnotations:
-  intents.otterize.com/service-name: "opendesk-nextcloud-notifypush"
+  {{ .Values.annotations.nextcloudNotifyPush.pod | toYaml | nindent 4 }}
  {{- with .Values.annotations.nextcloudNotifyPush.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  fsGroup: 101
 # prometheus:
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -39,10 +39,7 @@ exporter:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
  podAnnotations:
-    intents.otterize.com/service-name: "opendesk-nextcloud-exporter"
+    {{ .Values.annotations.nextcloudExporter.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nextcloudExporter.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  prometheus:
    serviceMonitor:
      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
@@ -79,7 +76,7 @@ aio:
            topologyKey: "kubernetes.io/hostname"
  additionalAnnotations:
-    intents.otterize.com/service-name: "opendesk-nextcloud-aio-cron"
+    intents.otterize.com/service-name: "opendesk-nextcloud-aio"
    {{- with .Values.annotations.nextcloudAio.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
@@ -180,10 +177,7 @@ aio:
    tls:
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  podAnnotations:
-    intents.otterize.com/service-name: "opendesk-nextcloud-aio"
+    {{ .Values.annotations.nextcloudAio.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nextcloudAio.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  podSecurityContext:
    fsGroup: 101
  prometheus:
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -117,20 +117,11 @@ backend:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
  podAnnotations:
-    intents.otterize.com/service-name: "impress-backend"
+    {{ .Values.annotations.notesBackend.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.notesBackend.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  podAnnotationsCreateUser:
-    intents.otterize.com/service-name: "impress-create-user"
+    {{ .Values.annotations.notesBackend.createUserJob | toYaml | nindent 4 }}
    {{- with .Values.annotations.notesBackend.createUserJob }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  podAnnotationsMigrate:
-    intents.otterize.com/service-name: "impress-migrate"
+    {{ .Values.annotations.notesBackend.migrateJob | toYaml | nindent 4 }}
    {{- with .Values.annotations.notesBackend.migrateJob }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  podSecurityContext:
    enabled: true
    fsGroup: 1000
@@ -198,10 +189,7 @@ frontend:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
  podAnnotations:
-    intents.otterize.com/service-name: "impress-frontend"
+    {{ .Values.annotations.notesFrontend.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.notesFrontend.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  podSecurityContext:
    enabled: true
    fsGroup: 1000
@@ -269,10 +257,7 @@ y-provider:
      {{ .Values.annotations.notesYProvider.ingressCollaborationWS | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  podAnnotations:
-    intents.otterize.com/service-name: "impress-y-provider"
+    {{ .Values.annotations.notesYProvider.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.notesYProvider.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  podSecurityContext:
    enabled: true
    fsGroup: 1001
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -109,10 +109,7 @@ ingress:
    {{ .Values.annotations.nubusIntercomService.ingress | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "intercom-service"
+  {{ .Values.annotations.nubusIntercomService.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.nubusIntercomService.pod }}
  {{ . | toYaml | nindent 2}}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
@@ -42,10 +42,7 @@ configuration:
      value: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
 podAnnotations:
-  intents.otterize.com/service-name: "nubus-nginx-s3-gateway"
+  {{ .Values.annotations.nubusNginxS3Gateway.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.nubusNginxS3Gateway.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 resources:
  {{ .Values.resources.nginxS3Gateway | toYaml | nindent 2 }}
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -183,22 +183,26 @@ keycloak:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
    repository: {{ .Values.images.nubusKeycloak.repository }}
    tag: {{ .Values.images.nubusKeycloak.tag }}
    # NOTE: The subchart "keycloak" does not yet support
    # "global.imagePullPolicy". The local configuration can be removed once it
    # does have this feature.
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  ingress:
    enabled: false
  keycloak:
    auth:
      username: "kcadmin"
-      password: {{ .Values.secrets.keycloak.adminPassword | quote }}
+      # TODO: Pending secrets refactoring to be able to provide the value directly
      existingSecret:
        name: "ums-opendesk-keycloak-credentials"
        keyMapping:
          adminPassword: "admin_password"
    login:
      messages:
        de:
          loginTitle: "Anmeldung bei {{ .Values.theme.texts.productName }}"
        en:
          loginTitle: "Sign in to {{ .Values.theme.texts.productName }}"
    features:
      enabled:
        - "admin-fine-grained-authz:v1"
        - "token-exchange"
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak"
    {{- with .Values.annotations.nubusKeycloak.pod }}
@@ -266,6 +270,7 @@ nubusTwofaHelpdesk:
 nubusNotificationsApi:
  enabled: false
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-notifications-api"
    {{- with .Values.annotations.nubusNotificationsApi.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
@@ -303,10 +308,7 @@ nubusNotificationsApi:
    annotations:
      {{ .Values.annotations.nubusNotificationsApi.persistence | toYaml | nindent 6 }}
  podAnnotations:
-    intents.otterize.com/service-name: "ums-notifications-api"
+    {{ .Values.annotations.nubusNotificationsApi.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nubusNotificationsApi.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  postgresql:
    connection:
      host: {{ .Values.databases.umsNotificationsApi.host | quote }}
@@ -333,6 +335,7 @@ nubusNotificationsApi:
 nubusPortalFrontend:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-frontend"
    {{- with .Values.annotations.nubusPortalFrontend.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
@@ -408,10 +411,7 @@ nubusPortalFrontend:
    annotations:
      {{ .Values.annotations.nubusPortalFrontend.persistence | toYaml | nindent 6 }}
  podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-frontend"
+    {{ .Values.annotations.nubusPortalFrontend.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nubusPortalFrontend.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  portalFrontend:
    branding:
      css: {{ .Values.theme.styles.portal.main | toJson }}
@@ -440,6 +440,12 @@ nubusKeycloakExtensions:
  keycloak:
    auth:
      username: "kcadmin"
      # TODO: Pending secrets refactoring in component chart. This will refer to
      # the secret generated by the keycloak subchart.
      existingSecret:
        name: "ums-opendesk-keycloak-credentials"
        keyMapping:
          adminPassword: "admin_password"
  proxy:
    additionalAnnotations:
      {{ .Values.annotations.nubusKeycloakExtensions.proxyAdditional | toYaml | nindent 6 }}
@@ -447,6 +453,13 @@ nubusKeycloakExtensions:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
      repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
      tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
      # NOTE: The subchart "keycloak-extensions" does not yet support
      # "global.imagePullPolicy".
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    # NOTE: Remove once the keycloak-extensions subchart respects
    # "global.imagePullSecrets".
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    ingress:
      annotations:
        nginx.org/proxy-buffer-size: "8k"
@@ -542,6 +555,13 @@ nubusKeycloakExtensions:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
      repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
      tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
      # NOTE: The subchart "keycloak-extensions" does not yet support
      # "global.imagePullPolicy".
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    # NOTE: Remove once the keycloak-extensions subchart respects
    # "global.imagePullSecrets".
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
      {{- with .Values.annotations.nubusKeycloakExtensions.handlerPod }}
@@ -594,7 +614,7 @@ nubusPortalConsumer:
  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
  resources:
    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
-  initResources:
+  resourcesWaitForDependency:
    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
  containerSecurityContext:
    seccompProfile:
@@ -642,6 +662,7 @@ nubusPortalConsumer:
 nubusPortalServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-server"
    {{- with .Values.annotations.nubusPortalServer.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
@@ -686,10 +707,7 @@ nubusPortalServer:
    annotations:
      {{ .Values.annotations.nubusPortalServer.persistence | toYaml | nindent 6 }}
  podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-server"
+    {{ .Values.annotations.nubusPortalServer.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nubusPortalServer.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  portalServer:
    centralNavigation:
      enabled: true
@@ -817,10 +835,7 @@ nubusUdmRestApi:
    annotations:
      {{ .Values.annotations.nubusUdmRestApi.persistence | toYaml | nindent 6 }}
  podAnnotations:
-    intents.otterize.com/service-name: "ums-udm-rest-api"
+    {{ .Values.annotations.nubusUdmRestApi.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nubusUdmRestApi.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end}}
  replicaCount: {{ .Values.replicas.umsUdmRestApi }}
  resources:
    {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
@@ -879,7 +894,7 @@ nubusLdapServer:
  additionalAnnotations:
    {{ .Values.annotations.nubusLdapServer.additional | toYaml | nindent 4 }}
  additionalAnnotations:
-    {{ .Values.annotations.nubusLdapServer.additional | toYaml | nindent 4 }}
+    intents.otterize.com/service-name: "ums-ldap-server"
  dhInitcontainer:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
@@ -902,10 +917,7 @@ nubusLdapServer:
    size: {{ .Values.persistence.storages.nubusLdapServerData.size | quote }}
    storageClass: {{ coalesce .Values.persistence.storages.nubusLdapServerData.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
  podAnnotations:
-    intents.otterize.com/service-name: "ums-ldap-server"
+    {{ .Values.annotations.nubusLdapServer.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nubusLdapServer.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  replicaCountPrimary: {{ .Values.replicas.umsLdapServerPrimary }}
  replicaCountSecondary: {{ .Values.replicas.umsLdapServerSecondary }}
  replicaCountProxy: {{ .Values.replicas.umsLdapServerProxy }}
@@ -931,6 +943,7 @@ nubusProvisioning:
    {{ .Values.annotations.nubusProvisioning.additional | toYaml | nindent 4 }}
  api:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-api"
      {{- with .Values.annotations.nubusProvisioning.apiAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
@@ -949,10 +962,7 @@ nubusProvisioning:
      auth:
        password: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
    podAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-api"
+      {{ .Values.annotations.nubusProvisioning.apiPod | toYaml | nindent 6 }}
      {{- with .Values.annotations.nubusProvisioning.apiPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    resources:
      {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
  containerSecurityContext:
@@ -971,6 +981,7 @@ nubusProvisioning:
      {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
  dispatcher:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
      {{- with .Values.annotations.nubusProvisioning.dispatcherAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
@@ -982,24 +993,20 @@ nubusProvisioning:
      auth:
        password: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
    podAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
+      {{ .Values.annotations.nubusProvisioning.dispatcherPod | toYaml | nindent 6 }}
      {{- with .Values.annotations.nubusProvisioning.dispatcherPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    resources:
      {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
  nats:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-nats"
      {{- with .Values.annotations.nubusProvisioning.natsAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    auth:
      adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote }}
    config:
      cluster:
        replicas: {{ .Values.replicas.umsProvisioningNats }}
      createUsers:
        adminUser:
          auth:
            password: {{ .Values.secrets.nats.natsAdminPassword | quote }}
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
@@ -1019,12 +1026,19 @@ nubusProvisioning:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
        repository: {{ .Values.images.nubusNats.repository }}
        tag: {{ .Values.images.nubusNats.tag }}
        # NOTE: The subchart does not yet fully support
        # "global.imagePullPolicy". This can be removed once the subchart has
        # been adjusted.
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    natsBox:
      enabled: {{ or .Values.technical.nubus.provisioning.nats.natsBox.enabled .Values.debug.enabled }}
      image:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
        repository: {{ .Values.images.nubusNatsBox.repository }}
        tag: {{ .Values.images.nubusNatsBox.tag }}
        # NOTE: The subchart does not yet fully support
        # "global.imagePullPolicy". This can be removed once the subchart has
        # been adjusted.
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    persistence:
      size: {{ .Values.persistence.storages.nubusProvisioningNats.size }}
 #      storageClassName: -- coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote --
@@ -1042,12 +1056,10 @@ nubusProvisioning:
    serviceAccount:
      create: true
  podAnnotations:
-    intents.otterize.com/service-name: "ums-provisioning-nats"
+    {{ .Values.annotations.nubusProvisioning.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nubusProvisioning.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  prefill:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-prefill"
      {{- with .Values.annotations.nubusProvisioning.prefillAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
@@ -1059,14 +1071,12 @@ nubusProvisioning:
      auth:
        password: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
    podAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-prefill"
+      {{ .Values.annotations.nubusProvisioning.prefillPod | toYaml | nindent 6 }}
      {{- with .Values.annotations.nubusProvisioning.prefillPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    resources:
      {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
  udmTransformer:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
      {{- with .Values.annotations.nubusProvisioning.udmTransformerAdditional }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
@@ -1078,10 +1088,7 @@ nubusProvisioning:
      auth:
        password: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
    podAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
+      {{ .Values.annotations.nubusProvisioning.udmTransformerPod | toYaml | nindent 6 }}
      {{- with .Values.annotations.nubusProvisioning.udmTransformerPod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    resources:
      {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
  replicaCount:
@@ -1152,10 +1159,7 @@ nubusUdmListener:
    size: {{ .Values.persistence.storages.nubusUdmListener.size | quote }}
 #    storageClass: -- coalesce .Values.persistence.storages.nubusUdmListener.storageClassName .Values.persistence.storageClassNames.RWO | quote --
  podAnnotations:
-    intents.otterize.com/service-name: "ums-provisioning-udm-listener"
+    {{ .Values.annotations.nubusUdmListener.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nubusUdmListener.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  replicaCount: {{ .Values.replicas.umsUdmListener }}
  resources:
    {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
@@ -1186,8 +1190,6 @@ nubusSelfServiceConsumer:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
    repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
    tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
  initResources:
    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-selfservice-listener"
    {{- with .Values.annotations.nubusSelfserviceConsumer.pod }}
@@ -1198,6 +1200,8 @@ nubusSelfServiceConsumer:
      password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
  resources:
    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
  resourcesWaitForDependency:
    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
  serviceAccount:
    annotations:
@@ -1211,9 +1215,9 @@ nubusSelfServiceConsumer:
 # Nubus services
 nubusStackDataUms:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-stack-data-ums"
    argocd.argoproj.io/hook: "Sync"
    argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
    intents.otterize.com/service-name: "ums-stack-data-ums"
    {{- with .Values.annotations.nubusStackDataUms.additional }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
@@ -1258,15 +1262,11 @@ nubusStackDataUms:
        host: {{ .Values.cache.umsSelfservice.host | quote }}
    postgresql:
      auth:
        database: {{ .Values.databases.umsSelfservice.name | quote }}
        username: {{ .Values.databases.umsSelfservice.username | quote }}
      connection:
        host: {{ .Values.databases.umsSelfservice.host | quote }}
  podAnnotations:
-    intents.otterize.com/service-name: "ums-stack-data-ums"
+    {{ .Values.annotations.nubusStackDataUms.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nubusStackDataUms.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  resources:
    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
  stackDataContext:
@@ -1453,14 +1453,9 @@ nubusUmcServer:
    bundled: false
    server: {{ .Values.cache.umsSelfservice.host | quote }}
    auth:
-      # The memcached connection is not authenticated in openDesk but the umc-server pod needs a secret it can mount.
+      password: ""
      password: "stub-value"
      existingSecret: null
  podAnnotations:
-    intents.otterize.com/service-name: "ums-umc-server"
+    {{ .Values.annotations.nubusUmcServer.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nubusUmcServer.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  # Ref.: https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/reference.html#envvar-nubusUmcServer.podManagementPolicy
  podManagementPolicy: "{{ if gt .Values.replicas.umsUmcServer 4 }}Parallel{{ else }}OrderedReady{{ end }}"
  postgresql:
@@ -1556,10 +1551,7 @@ nubusUmcGateway:
  initResources:
    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
  podAnnotations:
-    intents.otterize.com/service-name: "ums-umc-gateway"
+    {{ .Values.annotations.nubusUmcGateway.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.nubusUmcGateway.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  replicaCount: {{ .Values.replicas.umsUmcGateway }}
  serviceAccount:
    annotations:
@@ -1601,9 +1593,15 @@ nubusKeycloakBootstrap:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
    # NOTE: The subchart does not yet fully support
    # "global.imagePullPolicy". This can be removed once the subchart has
    # been adjusted.
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  keycloak:
    auth:
      username: "kcadmin"
      existingSecret:
        name: "ums-opendesk-keycloak-credentials"
  ldap:
    auth:
      bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
@@ -1638,6 +1636,9 @@ extraSecrets:
  - name: "ums-opendesk-guardian-client-secret"
    stringData:
      managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
  - name: "ums-opendesk-keycloak-credentials"
    stringData:
      admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }}
  - name: "ums-keycloak-postgresql-opendesk-credentials"
    stringData:
      keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -531,6 +531,7 @@ config:
        attributes:
          use.refresh.tokens: true
          backchannel.logout.session.required: true
          # set the two attributes below to enable token exchange for a client
          standard.token.exchange.enabled: true
          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
          backchannel.logout.revoke.offline.tokens: true
@@ -637,6 +638,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
          standard.token.exchange.enabled: true
          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-oxappsuite-scope"
          - "read_contacts"
@@ -678,6 +681,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
          standard.token.exchange.enabled: true
          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-matrix-scope"
      {{ end }}
@@ -698,6 +703,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
          standard.token.exchange.enabled: true
          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-nextcloud-scope"
          - "read_contacts"
@@ -721,6 +728,8 @@ config:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
          standard.token.exchange.enabled: true
          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-openproject-scope"
      {{ end }}
@@ -741,6 +750,8 @@ config:
          backchannel.logout.session.required: false
          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
          standard.token.exchange.enabled: true
          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
        defaultClientScopes:
          - "opendesk-xwiki-scope"
      {{ end }}
--- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
@@ -33,18 +33,13 @@ dovecot:
    password:
      value: {{ .Values.databases.dovecotACL.password | default .Values.secrets.cassandra.dovecotACLUser | quote }}
    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
    masterPassword:
      value: {{ .Values.secrets.dovecot.sharedMailboxesMasterPassword | quote }}
  objectStorage:
    bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
    cacheTmpfs: {{ if .Values.technical.dovecot.objectStorage.cacheTmpfs }}true{{ else }}false{{ end }}
    encryption:
      privateKey:
        value: {{ requiredEnv "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
      publicKey:
        value: {{ requiredEnv "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
    fsCacheSize: {{ .Values.technical.dovecot.objectStorage.fsCacheSize | quote }}
    ftsCacheSize: {{ .Values.technical.dovecot.objectStorage.ftsCacheSize | quote }}
    fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
    username: {{ .Values.objectstores.dovecot.username | quote }}
    password:
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -126,10 +126,7 @@ persistence:
    {{ .Values.annotations.openxchangeDovecot.persistence | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "open-xchange-dovecot"
+  {{ .Values.annotations.openxchangeDovecot.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.openxchangeDovecot.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 resources:
  {{ .Values.resources.dovecot | toYaml | nindent 2 }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -3,7 +3,6 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 additionalAnnotations:
  intents.otterize.com/service-name: "open-xchange-bootstrap"
  argocd.argoproj.io/hook: "Sync"
  argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
  {{- with .Values.annotations.openxchangeBootstrap.additional }}
--- a/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl
@@ -5,7 +5,6 @@
 appsuite:
  core-mw:
    podAnnotations:
      intents.otterize.com/service-name: "open-xchange-core-mw"
      logging.open-xchange.com/format: "appsuite-json"
      {{- with .Values.annotations.openxchangeEnterpriseContactPicker.appsuiteCoreMwPod }}
      {{ . | toYaml | nindent 6 }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -31,10 +31,7 @@ nextcloud-integration-ui:
    - name: {{ . | quote }}
  {{- end }}
  podAnnotations:
-    intents.otterize.com/service-name: "open-xchange-nextcloud-integration-ui"
+    {{ .Values.annotations.openxchangeNextcloudIntegrationUi.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.openxchangeNextcloudIntegrationUi.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  replicaCount: {{ .Values.replicas.openxchangeNextcloudIntegrationUI }}
  resources:
    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
@@ -69,10 +66,7 @@ public-sector-ui:
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  replicaCount: {{ .Values.replicas.openxchangePublicSectorUI }}
  podAnnotations:
-    intents.otterize.com/service-name: "open-xchange-public-sector-ui"
+    {{ .Values.annotations.openxchangePublicSectorUi.pod | toYaml | nindent 4 }}
    {{- with .Values.annotations.openxchangePublicSectorUi.pod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  resources:
    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
  securityContext:
@@ -317,10 +311,7 @@ appsuite:
    jolokiaPassword: {{ .Values.secrets.oxAppSuite.jolokiaPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    podAnnotations:
-      intents.otterize.com/service-name: "open-xchange-core-mw"
+      {{ .Values.annotations.openxchangeAppsuiteCoreMw.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.openxchangeAppsuiteCoreMw.pod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    serviceAccount:
      annotations:
        {{ .Values.annotations.openxchangeAppsuiteCoreMw.serviceAccount | toYaml | nindent 8 }}
@@ -347,10 +338,7 @@ appsuite:
        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      replicaCount: {{ .Values.replicas.openxchangeGotenberg }}
      podAnnotations:
-        intents.otterize.com/service-name: "open-xchange-gotenberg"
+        {{ .Values.annotations.openxchangeAppsuiteCoreMw.gotenbergPod | toYaml | nindent 8 }}
        {{- with .Values.annotations.openxchangeAppsuiteCoreMw.gotenbergPod }}
        {{ . | toYaml | nindent 8 }}
        {{- end }}
      resources:
        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
      securityContext:
@@ -363,6 +351,7 @@ appsuite:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        privileged: false
        seccompProfile:
          type: "RuntimeDefault"
        seLinuxOptions:
@@ -780,10 +769,7 @@ appsuite:
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    replicaCount: {{ .Values.replicas.openxchangeCoreUI }}
    podAnnotations:
-      intents.otterize.com/service-name: "open-xchange-core-ui"
+      {{ .Values.annotations.openxchangeAppsuiteCoreUi.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.openxchangeAppsuiteCoreUi.pod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    resources:
      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
    securityContext:
@@ -820,10 +806,7 @@ appsuite:
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    overrides: {}
    podAnnotations:
-      intents.otterize.com/service-name: "open-xchange-core-ui-middleware"
+      {{ .Values.annotations.openxchangeAppsuiteCoreUiMiddleware.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.openxchangeAppsuiteCoreUiMiddleware.pod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreUIMiddleware }}
    resources:
@@ -872,10 +855,7 @@ appsuite:
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    {{- if .Values.annotations.openxchangeAppsuiteCoreDocumentconverter.pod }}
    podAnnotations:
-      intents.otterize.com/service-name: "open-xchange-core-documentconverter"
+      {{ .Values.annotations.openxchangeAppsuiteCoreDocumentconverter.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.openxchangeAppsuiteCoreDocumentconverter.pod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    {{- end }}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreDocumentConverter }}
@@ -927,10 +907,7 @@ appsuite:
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    podAnnotations:
-      intents.otterize.com/service-name: "open-xchange-guidedtours"
+      {{ .Values.annotations.openxchangeAppsuiteCoreGuidedtours.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.openxchangeAppsuiteCoreGuidedtours.pod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    replicaCount: {{ .Values.replicas.openxchangeCoreGuidedtours }}
    resources:
      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
@@ -974,10 +951,7 @@ appsuite:
          secretKey: "."
    {{- if .Values.annotations.openxchangeAppsuiteCoreImageconverter.pod }}
    podAnnotations:
-      intents.otterize.com/service-name: "open-xchange-core-imageconverter"
+      {{ .Values.annotations.openxchangeAppsuiteCoreImageconverter.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.openxchangeAppsuiteCoreImageconverter.pod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    {{- end }}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreImageConverter }}
@@ -1013,8 +987,7 @@ appsuite:
      repository: {{ .Values.images.openxchangeGuardUI.repository | quote }}
      tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    podAnnotations:
+    podAnnotations: {}
      intents.otterize.com/service-name: "open-xchange-guard-ui"
    replicaCount: {{ .Values.replicas.openxchangeGuardUI }}
    resources:
      {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
@@ -1050,10 +1023,7 @@ appsuite:
      - name: {{ . | quote }}
    {{- end }}
    podAnnotations:
-      intents.otterize.com/service-name: "open-xchange-core-user-guide"
+      {{ .Values.annotations.openxchangeAppsuiteCoreUserGuide.pod | toYaml | nindent 6 }}
      {{- with .Values.annotations.openxchangeAppsuiteCoreUserGuide.pod }}
      {{ . | toYaml | nindent 6 }}
      {{- end }}
    replicaCount: {{ .Values.replicas.openxchangeCoreUserGuide }}
    resources:
      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -68,10 +68,7 @@ persistence:
  #storageClass: {{ coalesce .Values.persistence.storages.oxConnector.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
 podAnnotations:
-  intents.otterize.com/service-name: "open-xchange-connector"
+  {{ .Values.annotations.nubusOxConnector.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.nubusOxConnector.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 replicaCount: {{ .Values.replicas.oxConnector }}
--- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
@@ -91,10 +91,7 @@ postfix:
  virtualTransport: "lmtps:dovecot:24"
 podAnnotations:
-  intents.otterize.com/service-name: "open-xchange-postfix"
+  {{ .Values.annotations.openxchangePostfix.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.openxchangePostfix.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 replicaCount: {{ .Values.replicas.postfix }}
--- a/helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl
+++ b/helmfile/apps/opendesk-migrations-post/values.yaml.gotmpl
@@ -5,10 +5,7 @@ additionalAnnotations:
  {{ .Values.annotations.opendeskMigrationsPost.additional | toYaml | nindent 2 }}
 podAnnotations:
-  intents.otterize.com/service-name: "opendesk-migrations-post"
+  {{ .Values.annotations.opendeskMigrationsPost.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.opendeskMigrationsPost.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 serviceAccount:
  annotations:
--- a/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl
@@ -74,10 +74,7 @@ job:
  enabled: true
 podAnnotations:
-  intents.otterize.com/service-name: "opendesk-openproject-bootstrap"
+  {{ .Values.annotations.openprojectBootstrap.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.openprojectBootstrap.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
@@ -116,10 +116,7 @@ image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 podAnnotations:
-  intents.otterize.com/service-name: "opendesk-static-files"
+  {{ .Values.annotations.opendeskServicesStaticFiles.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.opendeskServicesStaticFiles.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl
@@ -10,18 +10,12 @@ additionalAnnotations:
  {{ .Values.annotations.opendeskServicesOtterize.additional | toYaml | nindent 2 }}
 apps:
  cassandra:
    enabled: {{ .Values.apps.cassandra.enabled }}
  certificates:
    enabled: {{ .Values.apps.certificates.enabled }}
  clamavDistributed:
    enabled: {{ .Values.apps.clamavDistributed.enabled }}
  clamavSimple:
    enabled: {{ .Values.apps.clamavSimple.enabled }}
  collabora:
    enabled: {{ .Values.apps.collabora.enabled }}
  collaboraController:
    enabled: {{ .Values.apps.collaboraController.enabled }}
  cryptpad:
    enabled: {{ .Values.apps.cryptpad.enabled }}
  dkimpy:
@@ -30,12 +24,6 @@ apps:
    enabled: {{ .Values.apps.dovecot.enabled }}
  element:
    enabled: {{ .Values.apps.element.enabled }}
  elementAdmin:
    enabled: {{ .Values.apps.elementAdmin.enabled }}
  elementGroupsync:
    enabled: {{ .Values.apps.elementGroupsync.enabled }}
  home:
    enabled: {{ .Values.apps.home.enabled }}
  jitsi:
    enabled: {{ .Values.apps.jitsi.enabled }}
  mariadb:
@@ -54,7 +42,7 @@ apps:
    enabled: {{ .Values.apps.nubus.enabled }}
  openproject:
    enabled: {{ .Values.apps.openproject.enabled }}
-  oxAppSuite:
+  oxAppsuite:
    enabled: {{ .Values.apps.oxAppSuite.enabled }}
  postfix:
    enabled: {{ .Values.apps.postfix.enabled }}
@@ -62,8 +50,6 @@ apps:
    enabled: {{ .Values.apps.postgresql.enabled }}
  redis:
    enabled: {{ .Values.apps.redis.enabled }}
  staticFiles:
    enabled: {{ .Values.apps.staticFiles.enabled }}
  xwiki:
    enabled: {{ .Values.apps.xwiki.enabled }}
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -131,10 +131,7 @@ persistence:
  enabled: false
 podAnnotations:
-  intents.otterize.com/service-name: "openproject"
+  {{ .Values.annotations.openproject.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.openproject.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 postgresql:
  bundled: false
--- a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
@@ -73,10 +73,8 @@ persistence:
  storageClass: {{ coalesce .Values.persistence.storages.cassandra.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
 podAnnotations:
-  intents.otterize.com/service-name: "cassandra"
+  {{ .Values.annotations.cassandra.pod | toYaml | nindent 2 }}
-  {{- with .Values.annotations.cassandra.pod }}
+
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
  fsGroup: 1001
--- a/helmfile/apps/services-external/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-clamav-distributed.yaml.gotmpl
@@ -26,10 +26,7 @@ clamd:
    tag: {{ .Values.images.clamd.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations:
-    intents.otterize.com/service-name: "clamav-distributed"
+    {{ .Values.annotations.servicesExternalClamavDistributed.clamdPod | toYaml | nindent 4 }}
    {{- with .Values.annotations.servicesExternalClamavDistributed.clamdPod }}
    {{ .  | toYaml | nindent 4 }}
    {{- end }}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -84,10 +81,7 @@ freshclam:
    tag: {{ .Values.images.freshclam.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations:
-    intents.otterize.com/service-name: "clamav-freshclam"
+    {{ .Values.annotations.servicesExternalClamavDistributed.freshclamPod | toYaml | nindent 4 }}
    {{- with .Values.annotations.servicesExternalClamavDistributed.freshclamPod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -135,10 +129,7 @@ icap:
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations:
-    intents.otterize.com/service-name: "clamav-icap"
+    {{ .Values.annotations.servicesExternalClamavDistributed.icapPod | toYaml | nindent 4 }}
    {{- with .Values.annotations.servicesExternalClamavDistributed.icapPod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -178,10 +169,7 @@ milter:
    tag: {{ .Values.images.milter.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations:
-    intents.otterize.com/service-name: "clamav-milter"
+    {{ .Values.annotations.servicesExternalClamavDistributed.milterPod | toYaml | nindent 4 }}
    {{- with .Values.annotations.servicesExternalClamavDistributed.milterPod }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
  podSecurityContext:
    enabled: true
    fsGroup: 101
--- a/helmfile/apps/services-external/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-clamav-simple.yaml.gotmpl
@@ -44,10 +44,7 @@ persistence:
    {{ .Values.annotations.servicesExternalClamavSimple.persistence | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "clamav-simple"
+  {{ .Values.annotations.servicesExternalClamavSimple.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.servicesExternalClamavSimple.pod }}
  {{ .  | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/services-external/values-dkimpy.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-dkimpy.yaml.gotmpl
@@ -30,10 +30,7 @@ image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 podAnnotations:
-  intents.otterize.com/service-name: "dkimpy-milter"
+  {{ .Values.annotations.servicesExternalDkimpy.service | toYaml | nindent 2 }}
  {{- with .Values.annotations.servicesExternalDkimpy.service }}
  {{ .  | toYaml | nindent 2 }}
  {{- end }}
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/services-external/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-mariadb.yaml.gotmpl
@@ -78,7 +78,6 @@ persistence:
    {{ .Values.annotations.servicesExternalMariadb.persistence | toYaml | nindent 4 }}
 podAnnotations:
  intents.otterize.com/service-name: "mariadb"
  argocd.argoproj.io/hook: "PostSync"
  argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
  {{- with .Values.annotations.servicesExternalMariadb.pod }}
--- a/helmfile/apps/services-external/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-memcached.yaml.gotmpl
@@ -34,10 +34,8 @@ image:
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 podAnnotations:
-  intents.otterize.com/service-name: "memcached"
+  {{ .Values.annotations.servicesExternalMemcached.pod | toYaml | nindent 2 }}
-  {{- with .Values.annotations.servicesExternalMemcached.pod }}
+
  {{ .  | toYaml | nindent 2 }}
  {{- end}}
 replicaCount: {{ .Values.replicas.memcached }}
 resources:
--- a/helmfile/apps/services-external/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-minio.yaml.gotmpl
@@ -134,10 +134,7 @@ provisioning:
      withLock: false
    {{- end }}
  podAnnotations:
-    intents.otterize.com/service-name: "minio-provisioning"
+    {{ .Values.annotations.servicesExternalMinio.provisioningPod | toYaml | nindent 4 }}
    {{- with .Values.annotations.servicesExternalMinio.provisioningPod }}
    {{ .  | toYaml | nindent 4}}
    {{- end }}
  policies:
    - name: "migrations-bucket-policy"
      statements:
@@ -274,10 +271,7 @@ provisioning:
    {{ .Values.resources.minio | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "minio"
+  {{ .Values.annotations.servicesExternalMinio.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.servicesExternalMinio.pod }}
  {{ . | toYaml | nindent 2 }}
  {{- end }}
 readinessProbe:
  enabled: true
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -41,10 +41,7 @@ persistence:
    {{ .Values.annotations.servicesExternalPostfix.persistence | toYaml | nindent 4 }}
 podAnnotations:
-  intents.otterize.com/service-name: "postfix"
+  {{ .Values.annotations.servicesExternalPostfix.pod | toYaml | nindent 2 }}
  {{- with .Values.annotations.servicesExternalPostfix.pod }}
  {{ . | toYaml | nindent 2}}
  {{- end}}
 podSecurityContext:
  enabled: true
@@ -109,6 +106,8 @@ postfix:
  virtualTransport: "lmtps:dovecot:24"
  {{- end }}
 podAnnotations: {}
 replicaCount: {{ .Values.replicas.postfix }}
 resources:
--- a/helmfile/apps/services-external/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postgresql.yaml.gotmpl
@@ -115,7 +115,6 @@ persistence:
    {{ .Values.annotations.servicesExternalPostgresql.persistence | toYaml | nindent 4 }}
 podAnnotations:
  intents.otterize.com/service-name: "postgresql"
  argocd.argoproj.io/hook: "PostSync"
  argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
  {{- with .Values.annotations.servicesExternalPostgresql.pod}}
--- a/helmfile/apps/services-external/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-redis.yaml.gotmpl
@@ -44,10 +44,7 @@ master:
    annotations:
      {{ .Values.annotations.servicesExternalRedis.masterPersistence | toYaml | nindent 6 }}
  podAnnotations:
-    intents.otterize.com/service-name: "redis"
+    {{ .Values.annotations.servicesExternalRedis.masterPod | toYaml | nindent 4 }}
    {{- with .Values.annotations.servicesExternalRedis.masterPod }}
    {{ . | toYaml | nindent 4  }}
    {{- end }}
  resources:
    {{ .Values.resources.redis | toYaml | nindent 4 }}
  service:
--- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
@@ -6,12 +6,12 @@ charts:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
    name: "dovecot"
-    version: "3.2.1"
+    version: "3.2.0-authcache"
    verify: true
  oxAppSuite:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector-pro-chart"
-    version: "1.23.294"
+    version: "1.21.244"
    verify: false
 ...
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -5,7 +5,7 @@ images:
  collabora:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.6.3.1@sha256:9ea79433e71db3b9056f47a0c8324a3a4f23f78b2412222991abf63969a714f1"
+    tag: "25.04.5.3.1@sha256:d22407cd3bd83dd832f986a697d81c1a4642f55129c76a5a20e637274ce7bf62"
  dovecot:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"
@@ -17,5 +17,5 @@ images:
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"
-    tag: "8.43.68@sha256:56d7c1fefb0ba3d56165ae45f455f233287c419ad89f296829eaeb27a57c4a22"
+    tag: "8.41.58@sha256:da4aff1b890a463b01cc2c6b75c56fc5fe887d9ec5d2c7065535c083385044b6"
 ...
--- a/helmfile/environments/default/annotations.yaml.gotmpl
+++ b/helmfile/environments/default/annotations.yaml.gotmpl
@@ -376,12 +376,7 @@ annotations:
    clamdPod: ~
    clamdService: ~
    clamdServiceAccount: ~
    icapCommon: ~
    icapPod: ~
    icapService: ~
    icapServiceAccount: ~
    freshclamCommon: ~
    freshclamPod: ~
    freshclamService: ~
    freshclamServiceAccount: ~
    milterCommon: ~
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -65,7 +65,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/collabora/charts-mirror"
    name: "cool-controller"
-    version: "1.1.10"
+    version: "1.1.6"
    verify: false
  cryptpad:
    # providerCategory: "Supplier"
@@ -97,7 +97,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
    name: "dovecot"
-    version: "3.2.1"
+    version: "3.2.0"
    verify: true
  element:
    # providerCategory: "Platform"
@@ -321,7 +321,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "nubus"
-    version: "1.15.2"
+    version: "1.14.0"
    verify: true
  opendeskAlerts:
    # providerCategory: "Platform"
@@ -351,7 +351,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.6.0"
+    version: "2.7.0-trossner-token-exchange"
    verify: true
  opendeskStaticFiles:
    # providerCategory: "Platform"
@@ -405,7 +405,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.25.251"
+    version: "2.23.206"
    verify: false
  oxAppSuiteBootstrap:
    # providerCategory: "Platform"
@@ -415,7 +415,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
    name: "opendesk-open-xchange-bootstrap"
-    version: "4.0.2"
+    version: "4.0.1"
    verify: true
  oxConnector:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -50,14 +50,14 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.6.3.1@sha256:ade67ba25db8909308a0f498364c62172b482dfc1b4f80e33c1b01f7c164d8ac"
+    tag: "25.04.5.3.1@sha256:0e1ccf43308121c657936510de27244057c3826777a491495a0f7e55a196bc59"
  collaboraController:
    # Enterprise Component
    # providerCategory: "Supplier"
    # providerResponsible: "Collabora"
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/collabora/images-mirror/cool-controller"
-    tag: "1.1.6@sha256:7935f21bf75cdddbbbd01754d8d0458014a68ab64b08121c8fca7a2715e0d85b"
+    tag: "1.1.3@sha256:552b63fd748ec873bd286c4d9ea0cf675f349f35a9ca2a69d2962336e4bc5f83"
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -380,7 +380,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/blocklist-cleanup"
-    tag: "0.41.4@sha256:6313e41aaebb6904ca461896ac9633eb05b33bf30b87d83d81852935e8cf0302"
+    tag: "0.40.0@sha256:1b4d388196b144327bc55376225675b1df8d23fdaffc85bb9e350c3c94fa0eb5"
  nubusDataLoader:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -390,7 +390,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "41", "5"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.99.20@sha256:37af6f2a8ed7b5156e01f126c83797c70485353673d92b60d904af97bd309b0c"
+    tag: "0.99.0@sha256:52ef05c1e682e6c706f70632206be1b427a1a346a32ae3bff1566386f75e68af"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -400,7 +400,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-authorization-api"
-    tag: "3.0.0@sha256:d2849b25ddd0322e1bef6c1e7b16f59fb63f35b0924f99f200bc22de834d9a2d"
+    tag: "2.0.0@sha256:5f194f9385aea5a279e25a57352f7b88a6cc4fa90b3bf04c2c97b9ff2bad70a5"
  nubusGuardianManagementApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -410,7 +410,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-api-management-api"
-    tag: "3.0.0@sha256:f3c9af13d50632a7e2232f675408b5559fb9ca314b7babf367cf4db80b62ebea"
+    tag: "2.0.0@sha256:61a1ab84efebe2a87d358e8624f8b39073a6071683e7cd77b740a97d464753a2"
  nubusGuardianManagementUi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -420,7 +420,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-ui-management-ui"
-    tag: "3.0.0@sha256:b90d496a323353c71e29938a6b1980655fb3aefe53bab455da865e3202b7f0f8"
+    tag: "2.0.0@sha256:57e2503a4772f0ff656e792a98fadef4d41c248218e6c368f76ce82a892478cf"
  nubusGuardianProvisioning:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -440,7 +440,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak"
-    tag: "0.4.1@sha256:482f3108ce775bb028cefa763a21d7af71b3d55e2e1800724ab9cabcd60ba2c6"
+    tag: "0.2.5@sha256:499006904d262bdd334b54583c359c7e34b521697d5fda32ea977d856bfa93d2"
  nubusKeycloakBootstrap:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -450,7 +450,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.19.10@sha256:29dbac967a71c11f2f2920a1a4c109b473fe5edf542a2f5b9dc843a4c0c29fe6"
+    tag: "0.17.5@sha256:08e2aa0bc0eb7b4bb80498e71ae21ee3de74eb985b46e7c3dd1502e96312d080"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -460,7 +460,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.23.2@sha256:2a67c9ace51a610397776c17f3542231c9fbce411cfa56d9346b47f66478e416"
+    tag: "0.20.0@sha256:227c7cba4eee15c626abbc77ca06b8b61a9dece04c986a9fa2e97b13d0458fe0"
  nubusKeycloakExtensionProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -470,7 +470,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.23.2@sha256:03a05abd9b759ddf2fa537d61e09a54f1a772121f391e136000eeed44a254189"
+    tag: "0.20.0@sha256:bd075d33c16926ab4c123ac3a8673209664647f35324dfdebd95c6662ee05b2c"
  nubusLdapNotifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -480,7 +480,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.47.5@sha256:cc8edd9dfa3cf552396bc1ada9a8a18e2db33b53ab1705bfc392c4a423cfeb96"
+    tag: "0.47.0@sha256:1d00e0bb1575defce42c84eb5139b5b4f7d0942111b339044c2bdf58ed0b025e"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -490,7 +490,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.47.5@sha256:1a81ef8431aa6a7b021032ce57e5907e27c69dc6603b455793911a7d581889e8"
+    tag: "0.47.0@sha256:3be012680b2da2db4ac468ae948d8514622a245b4e3e00385bbf778e836720b1"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -498,7 +498,7 @@ images:
    # upstreamRepository: 'natsio/nats-box'
    registry: "registry-1.docker.io"
    repository: "natsio/nats-box"
-    tag: "0.18.1-nonroot@sha256:ec2f58b953916b4804d6636bf6a625bab7894d1b71319bc7865b3e70ab5e3f6f"
+    tag: "0.16.0-nonroot@sha256:f486ca86dfc9b72a2310ea720994a94ce55e447ad01daccd2fb33d61f322dc51"
  nubusLdapServerLeaderElector:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -508,7 +508,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "29", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.47.5@sha256:abf2e9af9c8d22dde23144cb6344b5e9b0e39d778d28e70d97b0f1b82dd28a5d"
+    tag: "0.47.0@sha256:9b6754e7213f1fa13a12cb593bfe718643f6945ad111bbe1d5f71d7ce5729225"
  nubusLdapUpdateUniventionObjectIdentifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -518,7 +518,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-update-univention-object-identifier"
-    tag: "0.41.4@sha256:c27e4d4cf5a15607c249c8d917e57f698d4d5388967c1ff6151185957eacb779"
+    tag: "0.40.0@sha256:1ad952c039140ef1985712201f7bae7cbe9eba66086e0d3f475759e1c181b843"
  nubusNats:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -526,7 +526,7 @@ images:
    # upstreamRepository: 'library/nats'
    registry: "registry-1.docker.io"
    repository: "library/nats"
-    tag: "2.11.9@sha256:4e97bea2e69ffe4449cdc9b4c7fa707984aa9a4c090bf2faf5441cb6c97c99a4"
+    tag: "2.10.26@sha256:736d575e60135ce1d50fc206675d48d0e57dcaa0704f696f0cb4b5f6dadd49d7"
  nubusNatsBox:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -534,7 +534,7 @@ images:
    # upstreamRepository: 'natsio/nats-box'
    registry: "registry-1.docker.io"
    repository: "natsio/nats-box"
-    tag: "0.18.1-nonroot@sha256:ec2f58b953916b4804d6636bf6a625bab7894d1b71319bc7865b3e70ab5e3f6f"
+    tag: "0.16.0-nonroot@sha256:f486ca86dfc9b72a2310ea720994a94ce55e447ad01daccd2fb33d61f322dc51"
  nubusNatsReloader:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -542,7 +542,7 @@ images:
    # upstreamRepository: 'natsio/nats-server-config-reloader'
    registry: "registry-1.docker.io"
    repository: "natsio/nats-server-config-reloader"
-    tag: "0.18.3@sha256:41271dc1b9e1027867ee0e63aa2866c89ca8272a4f88991f6ebec34eb12dee3b"
+    tag: "0.17.1@sha256:f364bb8330d3430666ca09f17c6a43bfaefde32f0f3e79d4a41c588c29936e99"
  nubusNotificationsApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -552,7 +552,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.86.0@sha256:522c4d0a42d2c0b37219f5af4fba7fceb60d070719970ef2754a00ca916f67be"
+    tag: "0.80.2@sha256:94b18841018cb7353a95a9c4ef2d5460f82a9ceb0bba97275b8064806e3e8a1c"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -578,7 +578,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-opa"
-    tag: "3.0.0@sha256:85539fb7854fac6ba1b874d639188ee0a33743dc16dad0113c54763f2984fc9d"
+    tag: "2.0.0@sha256:56a92a08da5addb951a2b2df09974889295ddde8526e93ad40dd973de1052ad4"
  nubusOxExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -598,7 +598,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.86.0@sha256:80ed7c8300365a3dc4c504d4f0f4f8f1c3f9cfc883508a8ea794d63629a9b086"
+    tag: "0.80.2@sha256:c719ada025e0ad629516017ed26803c15cee50572f45896b41a6b066b1fe593e"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -608,7 +608,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "28", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.86.0@sha256:1799413fe8cbc6d9cb97656be95a99786a382a3558a7720b7fe62a38c84bdd22"
+    tag: "0.80.2@sha256:cde5547ef1c2d5da55fb41bdae7248ba8514ab4f200822709ca9a99f483a1cc8"
  nubusPortalFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -618,7 +618,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "67", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.86.0@sha256:d4e34b42662dbd433dd5d647c6fcfa8f2a0d71fe65c0c6efeebe80d4f13b226d"
+    tag: "0.80.2@sha256:8b40acc66459058dc0cade33793aba2737cdc20ef75968ca2b21d9aa569c9ecc"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -628,7 +628,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.86.0@sha256:33a3a7d44fa084d74449dc8f7d5f5d2551b02abee16fe4ec6d4972e134c56906"
+    tag: "0.80.2@sha256:9a8f6950e7bf1086075d1c36ea0ad914a61e1198883e8d4926d688c88b8e67cc"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -638,7 +638,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.63.0@sha256:3773333a12b786db6cea5fc0ecd5e74ba3f276ca084cd1ae8b6665bda86b72c1"
+    tag: "0.60.10@sha256:6307e9e1ddad0e6f3285ca11b758902f8c377a5d3de6a59b3437accb8475848f"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -648,7 +648,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.63.0@sha256:c1687ff385d5bd30e0590472f02de85a3f182b75dc4edd5cf9d063e1db488b4d"
+    tag: "0.60.10@sha256:9d5f4e4a2668605349fa6cd6973c7a6acbc2ef95a37e72834c6525ac9e464740"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -658,7 +658,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.63.0@sha256:b93400fecc19bba79ae0f0498b07d18bf9ffb0fc03b9ed25a18f3b6d3be9cc9d"
+    tag: "0.60.10@sha256:8ea46658e66fb5be81968dcf00397b741f61d4fd84c8210b9761412e67109cd0"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -668,7 +668,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.63.0@sha256:6dcb696920137973b24f90bb8f6045c2dffd8bc201b0cc62aed43e1a01e5aa0e"
+    tag: "0.60.10@sha256:fb0d96fa7b382b7d8eec9e262711e1291a0991ade185b39ee604400d4bd5fa9b"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -678,7 +678,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.63.0@sha256:da5486cf5d6a30e7d95270db8a6735c82813805e7bce882ff51a2f47faad086f"
+    tag: "0.60.10@sha256:62b98f3e2c19de298878f5679577bfcbddacec742015d6f20b998a549318e810"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -688,7 +688,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.19.31@sha256:b6d1a145e8a3f43b54be1d7d737da1527347e93c9894943c17469cd153f77ccf"
+    tag: "0.19.4@sha256:ca9865114fd35fcc1dbe1a5660a3b69d04a8f568cf15286069342e45f0c7ea91"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -698,7 +698,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.41.4@sha256:d3476100f4174d991faa43ce20630175a1fc33011258887dd52bafad1e779189"
+    tag: "0.40.0@sha256:7d39c0defda20fc58da19389216d9a80f479a731dca682d834dd8bd00b80e20f"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -708,7 +708,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.53.5@sha256:7044228155c8fcb939684855d5b405dd1b066d91c8a5df75676518d88e140ab3"
+    tag: "0.51.2@sha256:c76860852133b9bbc91eb6d81a6592a5f451be9234376933ddb4d827e0f08515"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -718,7 +718,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.53.5@sha256:1ec839c07492b2f1d6897643b71c284aa2d507cd05f1a0f1696dfdff1885eb20"
+    tag: "0.51.3@sha256:00f8cc2e7ee98d3988b1db924ca67783e9a645204ae2c388c7afadc50f22bb12"
  nubusUmcServerProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -762,7 +762,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "16.6.0@sha256:11fcbc357a5a4e724bb1164e43a93c713f73e5efb52212d75cfc845becbf64c0"
+    tag: "16.5.1@sha256:0e29ae9fcee825b76d62e10e374c10ad40da20ba9c0e584839645bb68e6167bf"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -796,7 +796,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.23@sha256:99fce43d3a836192eabdade2caa8ffc735919549971a839d76e0b19822246cb7"
+    tag: "8.6.21@sha256:71b4819d42a808d57951405ab6215ff9fafae43e3f10a9f388484b7fbe28849e"
  openxchangeCoreMW:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -806,7 +806,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.43.66@sha256:018eacea8c0b2f63d06b84ddd98fddf02e70eb09d0ced93ed5db968125e82613"
+    tag: "8.41.58@sha256:a4c169d13a928d5532fc200be6c7c76c1d18f0579b8dbdb514583f62ac9fe8c7"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -816,7 +816,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.43.2@sha256:994d6c6b5459671eafd7501914f90e28f5fe15f5bc7bad067e860715f2d52306"
+    tag: "8.41.1@sha256:108974ea42a4cf22ea1b37b975928881b6c23a2949b51781812f5b1260873aa4"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -826,7 +826,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.1.9@sha256:78a95447094fdb43db178241758d1b057a26919e496265bd5806e7a723ddc8bb"
+    tag: "2.1.8@sha256:1853e6e2b780936a18b11c208b4b39ce094e49d25830c22c5658c27274e5b7fc"
  openxchangeCoreUserGuide:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -836,7 +836,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.43.2076323368@sha256:cce878736082f89751d0ebcf5a5ad12c4535292023bc3961395b511b27d0ec7f"
+    tag: "8.41.1547156@sha256:fadee7a76ffa91e0be7ec643f3315806787ac2eea4b0bb271201a58580a5f456"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -846,7 +846,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.43.1941@sha256:36559f726604d08149ebc0667ed5853f143a629b7bcc529f81a38f9b7fca8c54"
+    tag: "8.41.1875@sha256:839d73bdc7b158beee5e157df4b49004c9f4f2df1afb65c1e4bae51f9f67a213"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -866,7 +866,7 @@ images:
    # upstreamMirrorStartFrom: ["4", "2", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.33.6@sha256:23bf9c4156b34a6fe5db1e51c826884426b62d2440794369b8524cb8b745a003"
+    tag: "8.33.4@sha256:e73afec3d549943379fdb12dde1ab14d53c6fafac221e2512c6641ac71c65b3f"
  openxchangeImageConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -876,7 +876,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.43.2553@sha256:206a8a08d6e1e1c330e5a92aefdfe1631f249b420dceb0c6301e90940af08826"
+    tag: "8.41.2194@sha256:8b3085642fea2bc0ab64b6a8256ce4c00952e84d4c233edd05d458a8d82045f9"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -1000,19 +1000,19 @@ images:
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://git.xwikisas.com:5050"
    # upstreamRepository: "xwikisas/swp/xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-?[0-9A-Z]*-mariadb.+$'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-?\d?-mariadb.+$'
-    # upstreamMirrorStartFrom: ["17", "4", "7"]
+    # upstreamMirrorStartFrom: ["17", "4", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "17.4.7-mariadb-jetty-alpine@sha256:28ce6382b7ec3d403136f1b8ab11d5738c3c0e7830db3f030c5af8a38d5e93a5"
+    tag: "17.4.4-1-mariadb-jetty-alpine@sha256:0182dbb610a4c80b253e63e73ccc2487a07579baf259df4c874d860754127b4c"
  xwikiPostgres:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://git.xwikisas.com:5050"
    # upstreamRepository: "xwikisas/swp/xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-?[0-9A-Z]*-postgres.+$'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-?\d?-postgres.+$'
-    # upstreamMirrorStartFrom: ["17", "4", "7"]
+    # upstreamMirrorStartFrom: ["17", "4", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "17.4.7-postgres-jetty-alpine@sha256:d534ace977a3a988e83945c73f15d4fd5c082d7b9b5b8ae1134569be5e023c96"
+    tag: "17.4.4-1-postgres-jetty-alpine@sha256:2da4c175a418b1b8a09e8b25006bfc6f6f22fd449bc2e77dac31c0b56c444b94"
 ...
--- a/helmfile/environments/default/persistence.yaml.gotmpl
+++ b/helmfile/environments/default/persistence.yaml.gotmpl
@@ -16,8 +16,6 @@ persistence:
      size: "1Gi"
      storageClassName: ~
    dovecot:
      # With Dovecot CE this is used for the mail storage.
      # Dovecot Pro (EE) uses this storage for the metacache,
      size: "1Gi"
      storageClassName: ~
    mariadb:
@@ -36,7 +34,6 @@ persistence:
      size: "1Gi"
      storageClassName: ~
    nubusProvisioningNats:
      # For production and load test environments "10Gi" is recommended.
      size: "1Gi"
      storageClassName: ~
    # This option was introduced with openDesk 1.6. For now we want to use the Helm charts default empty string
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -122,7 +122,6 @@ secrets:
    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "redis" "password" | sha1sum | quote }}
  dovecot:
    doveadm: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dovecot" "doveadm" | sha1sum | quote }}
    sharedMailboxesMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dovecot" "sharedMailboxesMasterPassword" | sha1sum | quote }}
  xwiki:
    superadminpassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "xwiki" "superadminpassword" | sha1sum | quote }}
  intercom:
--- a/helmfile/environments/default/technical.yaml.gotmpl
+++ b/helmfile/environments/default/technical.yaml.gotmpl
@@ -2,39 +2,10 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 technical:
  # Collabora related technical settings
  collabora:
    # Defines the value for the start parameter `-o:num_prespawn_children`
    numPrespawnChildren: 4
  # Dovecot EE related settings
  dovecot:
    objectStorage:
      # Size of objectstore fs cache
      fsCacheSize: "2G"
      # Size of fts cache
      ftsCacheSize: "2G"
      # Wether fs and fts cache should reside in RAM (tmpfs) or not
      # If this value is true, the cache sizes of the fs cache + fts cache
      # must be considered additionally to Dovecot's memory footprint.
      cacheTmpfs: false
  # Nubus related settings
  nubus:
    # Nubus provisioning framework that is being used to actively provision data internally within
    # Nubus e.g. for the portal or self service as well as externally, e.g. to OX App Suite.
    provisioning:
      # NATS including NATS JetStream is the queueing used by Nubus' provisioning.
      # Ref.: https://nats.io/about/
      nats:
        # The NATS Box is a container for debugging NATS messages using a CLI tool.
        # Ref.: https://github.com/nats-io/nats-box
        natsBox:
          # Enable the NATS Box container for the deployment. Will also be enabled in case of
          # `.Values.debug.enabled: true`
          enabled: false
  # Groupware related technical settings
  oxAppSuite:
    provisioning:
Author	SHA1	Message	Date
Thorsten Roßner	89308abd5e	fix(nubus): Update token exchange	2025-11-10 11:19:34 +00:00
Thorsten Roßner	9ad99d643d	fix(nubus): Remove `UMC` (SAML) Keycloak client	2025-11-10 11:19:34 +00:00
Thorsten Roßner	3549e28771	fix(nubus): Update token exchange	2025-11-10 11:19:34 +00:00