feat(helm): Update upstream version

Signed-off-by: Axel Lender <lender@b1-systems.de>
feat(helm): Template support for XWiki external secrets
2025-12-06 15:31:38 +01:00 · 2025-09-23 08:14:46 +02:00 · 2025-09-23 08:14:46 +02:00 · 2025-09-23 08:14:46 +02:00 · 2025-09-19 14:15:53 +00:00 · 2025-09-19 14:15:53 +00:00
31 changed files with 490 additions and 140 deletions
--- a/.gitlab/merge_request_templates/Bugfix.md
+++ b/.gitlab/merge_request_templates/Bugfix.md
@@ -14,16 +14,19 @@ Explain for the reviewer how the change addresses the issue, providing some insi
 Provida a link to the issue or document the required details below.
 In case it is a GitLab issue, reference it at the end of the commit message in square brackets, like `[#123]`
 Provide steps for QA or reviewers to test the fix and mention anything reviewers should be aware of.
-### Before the Fix
+### Steps to reproduce
 1. ...
-### After the Fix
+### Actual behaviour
-Provide steps for QA or reviewers to test the fix and mention anything reviewers should be aware of:
+*Based on the "Steps to reproduce" explain what the user sees while the bug isn't fixed.*
-1. ...
+### Expected behaviour
 *Based on the "Steps to reproduce" explain what the user gets to see with the bug fix merged.*
 ## 🔄 Requirements for migrations
@@ -39,7 +42,6 @@ Set labels:
 ```
 /label ~"MR-Type::Bugfix"
 /label ~"PO::👀"
 /label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```
--- a/.gitlab/merge_request_templates/Default.md
+++ b/.gitlab/merge_request_templates/Default.md
@@ -2,7 +2,12 @@ Thank you for your contribution!
 Please follow these simple guidelines to continue:
 - Select a MR template in case you contribution is covers more than simple documentation/non functional changes:
  - `Update`: Major/minor updates of openDesk core applications, the ones listed on the [README.md](../../README.md). Main commit should be `feat(component): ...`
  - `Bugfix`: For (bug)fixes in the platform or non-update/feature releases of the openDesk core applications. Main commit should be `fix(component): ...`
  - `Feature`: An update in the platform providing support for a specific feature. Main commit should be `feat(component): ...`
  - `Other`: All other changes.
  - In case you just do a `chore`/`docs` commit, you can skip the templates from above.
 - Create MRs early and use the "draft" state to show that this MR isn't ready for review and merge.
 - Flag the MR "ready" as soon as it can be reviewed and QA'd.
 - Always assign the MR to yourself and set somebody from the development team as reviewer. If you do not know whom to chose leave the reviewer empty.
- Select one of the templates in case your contribution contains more than simple documentation updates and follow the templates instructions.
+- Flag the MR "ready" as soon as it can be reviewed and QA'd.
--- a/.gitlab/merge_request_templates/Feature.md
+++ b/.gitlab/merge_request_templates/Feature.md
@@ -29,7 +29,6 @@ Set labels:
 ```
 /label ~"MR-Type::Feature"
 /label ~"PO::👀"
 /label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```
--- a/.gitlab/merge_request_templates/Other.md
+++ b/.gitlab/merge_request_templates/Other.md
@@ -23,7 +23,6 @@ Set labels:
 ```
 /label ~"MR-Type::Other"
 /label ~"PO::👀"
 /label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```
--- a/.gitlab/merge_request_templates/Update.md
+++ b/.gitlab/merge_request_templates/Update.md
@@ -5,12 +5,12 @@
 ## 📋 Changelog/Release Notes
- [ ] [README.md](../../README.md) component table updated including the link to the related release notes
+- [ ] [README.md](../../README.md) component table updated including the link to the related release notes of the updated application.
- [ ] Provide significant improvements you'd like to see in the openDesk release notes. If you have a lot of details to provide or someone else is providing the details, please use a comment on the MR and link the comment in here.
+- [ ] Provide significant improvements you would like to see in the [openDesk release notes](https://www.opendesk.eu/en/blog/opendesk-1-6). If you have a lot of details to provide or someone else is providing the details, you can use a comment on this MR and provide a link here.
 ## 🔄 Requirements for migrations
- [ ] Minimum version of the application required in existing depoyments to update/upgrade:
+- [ ] Minimum version of the application required in existing deployments to update/upgrade:
 - [ ] Describe manual steps required to update existing deployments. This especially applies if the upgrade includes any breaking changes:
 - [ ] Any other considerations in context of the update:
@@ -23,7 +23,6 @@ Set labels:
 ```
 /label ~"MR-Type::AppUpdate"
 /label ~"PO::👀"
 /label ~"Tech Lead::👀"
 /label ~"QA::👀"
 /label ~"Testautomation::👀"
 ```
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Testing](#testing)
 * [Permissions](#permissions)
 * [Releases](#releases)
-* [Data Storage](#data-storage)
+* [Data storage](#data-storage)
 * [Feedback](#feedback)
 * [Development](#development)
 * [License](#license)
@@ -32,18 +32,17 @@ For production use, the [openDesk Enterprise Edition](./README-EE.md) is recomme
 openDesk currently features the following functional main components:
-| Function             | Functional Component        | License                                                                                | Component<br/>Version                                                                                                        | Upstream Documentation                                                                                                                |
+| Function             | Functional component        | License                                                                                | Component<br/>version                                                                         | Upstream documentation                                                                                                                |
-|----------------------|-----------------------------|----------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
+|----------------------|-----------------------------|----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
-| Chat                 | Element ft. Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse),                              | [1.11.89](https://github.com/element-hq/element-web/releases/tag/v1.11.89)                                                   | [For the most recent release](https://element.io/user-guide)                                                                          |
+| Chat & collaboration | Element ft. Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse), Apache-2.0 (Nordeck widgets) | [1.11.89](https://github.com/element-hq/element-web/releases/tag/v1.11.89)                    | [For the most recent release](https://element.io/user-guide)                                                                          |
-| Chat widgets         | Nordeck widgets             | Apache-2.0                                                                             |                                                                                                                              | [For the most recent release](https://nordeck.net/element-widgets)                                                                    |
+| Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.4.0](https://github.com/suitenumerique/docs/releases/tag/v3.4.0)                           | Online documentation/welcome document available in installed application                                                              |
-| Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.2.1](https://github.com/suitenumerique/docs/releases/tag/v3.2.1)                                                          | Online documentation/welcome document available in installed application                                                              |
+| Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2025.6.0](https://github.com/cryptpad/cryptpad/releases/tag/2025.6.0)                        | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
-| Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                       | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
+| File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.7](https://nextcloud.com/de/changelog/#31-0-7)                                          | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
-| File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.6](https://nextcloud.com/de/changelog/#31-0-6)                                                                         | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
+| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.41](https://documentation.open-xchange.com/appsuite/releases/8.41/)                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
-| Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.39](https://documentation.open-xchange.com/appsuite/releases/8.39/)                                                       | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/)                | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                             | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
+| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.13.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.13.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.12.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.12.html#version-1-12-0-2025-07-31)      | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.4.1](https://www.openproject.org/docs/release-notes/16-4-1/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
-| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.2.1](https://www.openproject.org/docs/release-notes/16-2-1/)                                                             | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431)       | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                        | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.4](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to
@@ -109,7 +108,7 @@ in the files from the release's git-tag:
 Find more information in our [Workflow documentation](./docs/developer/workflow.md).
-# Data Storage
+# Data storage
 More information about different data storages used within openDesk are described in the
 [Data Storage documentation](./docs/data-storage.md).
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -218,6 +218,9 @@ kubectl patch -n ${NAMESPACE} configmap ${CONFIGMAP_NAME} --type merge -p '{"dat
 > **Note**<br>
 > Because the `ums-keycloak-extensions-handler` is sending frequent requests (one per second) to Keycloak for retrieval of the Keycloak event history, you might want to stop/remove the deployment while debugging/analysing Keycloak to not get your debug output spammed by these requests.
 > **Note**<br>
 > While you can set the standard log levels like `INFO`, `DEBUG`, `TRACE` etc. you can also set class specific logs by comma separating the details in the `KC_LOG_LEVEL` environment variable like e.g. `INFO,org.keycloak.protocol.oidc.endpoints:TRACE`. The example sets the overall loglevel to `INFO` but provides trace logs for `org.keycloak.protocol.oidc.endpoints`.
 ### Accessing the Keycloak admin console
 Deployments set to `debug.enable: true` expose the Keycloak admin console at `http://id.<your_opendesk_domain>/admin/`. This can also be achieved by updating the Ingress `ums-keycloak-extensions-proxy` with an additional path that allows access to `/admin/`.
--- a/docs/enhanced-configuration/self-signed-certificates.md
+++ b/docs/enhanced-configuration/self-signed-certificates.md
@@ -38,6 +38,8 @@ access openDesk.
    ```yaml
    certificate:
      selfSigned: true
      caCertificate:
        create: false
    ```
 3. Create a Kubernetes secret named `opendesk-certificates-tls` of type `kubernetes.io/tls` containing either a valid
@@ -50,6 +52,10 @@ CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.j
 5. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
 trust store password.
 > **Note**<br>
 > XWiki does not support the use of an existing secret to access the keystore. Therefore you have to set the password
 > from step 5 also as `secrets.certificates.password`.
 ## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate
 This option is useful when you do not have a trusted certificate available and can't fetch a certificate from
--- a/docs/external-secrets.md
+++ b/docs/external-secrets.md
@@ -0,0 +1,38 @@
 <!--
 SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>External Secrets</h1>
 This document covers how to utilise external secrets and special requirements.
 <!-- TOC -->
 * [General](#general)
 * [Components](#components)
  * [XWiki](#xwiki)
 <!-- TOC -->
 # General
 For most components when set the external secret will supersede e.g. a password in a `values.yaml` file.
 The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk.
 # Components
 This section covers information and special requirements to external secrets that some Helm Charts expect.
 ## XWiki
 Properties listed in the file of the external secret will overwrite plain values.
 Like described in the [upstream `values.yaml`](https://github.com/xwiki-contrib/xwiki-helm/blob/master/charts/xwiki/values.yaml#L435) credentials and information about a user in external secrets listed in `propertiesSecret` have to be formatted as follows:
 ```yaml
 stringData:
  propertiesFile: |
    propertie1=propertie1Value
    propertie2=propertie2Value
    propertie3=propertie3Value
 ```
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -10,6 +10,9 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
  * [v1.7.1+](#v171)
    * [Pre-upgrade to v1.7.1+](#pre-upgrade-to-v171)
      * [New Helmfile default: Restricting characters for directory and filenames in fileshare module](#new-helmfile-default-restricting-characters-for-directory-and-filenames-in-fileshare-module)
  * [v1.7.0+](#v170)
    * [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170)
      * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
@@ -100,8 +103,10 @@ This section provides an overview of potential changes to be part of the next ma
 - `functional.portal.link*` (see `functional.yaml.gotmpl` for details) are going to be moved into the `theme.*` tree, we are also going to move the icons used for the links currently found under `theme.imagery.portalEntries` in this step.
 - We will explicitly set the [database schema configuration](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HConfigurethenamesofdatabaseschemas) for XWiki to avoid the use of the `public` schema.
- `persistance.storages.oxConnector.storageClassName` and `persistance.storages.nubusUdmListener.storageClassName` will be templated in Helmfile requiring you to template them explicitly if their current default values differs from the global value set in `persistence.storageClassNames.RWO`.
+- Adding support for `storageClassName` templating of various components requiring upgrading of the existing PVCs:
- The currently used Helm chart for Notes will be replaced requiring some config updates.
+  - `persistence.storages.oxConnector.storageClassName`
  - `persistence.storages.nubusUdmListener.storageClassName`
  - `persistence.storages.nubusProvisioningNats.storageClassName`
 # Automated migrations - Overview and mandatory upgrade path
@@ -125,11 +130,49 @@ If you would like more details about the automated migrations, please read secti
 # Manual checks/actions
 ## v1.7.1+
 ### Pre-upgrade to v1.7.1+
 #### New Helmfile default: Restricting characters for directory and filenames in fileshare module
 **Target group:** All openDesk deployments using the fileshare module, as they may already contain files or directories with characters that are now restricted.
 openDesk now enforces restrictions on the characters allowed in directory and filenames by explicitly disallowing the following set: `* " | ? ; : \ / ~ < >`
 The reason is that desktop clients can not handle all characters due to restrictions in the underlying operating system and therefor syncing these directories and/or files will fail.
 This change was introduced because desktop clients cannot reliably handle certain characters due to operating system limitations, causing file synchronization to fail when these characters are present.
 For existing deployments, any files or directories containing restricted characters must be renamed before updates within the file or (sub)directory can succeed.
 Nextcloud provides tooling for renaming affected files using an [`occ command`](https://docs.nextcloud.com/server/latest/admin_manual/occ_command.html#sanitize-filenames) that can be executed by the operator, the command also supports a dry-run mode.
 You can customize the default restriction settings in `functional.yaml.gotmpl`:
 ```
 functional:
  filestore:
    naming:
      forbiddenChars:
        - '*'
        - '"'
        - '|'
        - '?'
        - ';'
        - ':'
        - '\'
        - '/'
        - '~'
        - '<'
        - '>'
 ```
 ## v1.7.0+
 ### Pre-upgrade to v1.7.0+
-### Helmfile fix: Ensure enterprise overrides apply when deploying from project root
+#### Helmfile fix: Ensure enterprise overrides apply when deploying from project root
 **Target group:** All openDesk Enterprise deployments initiated from the project root using `helmfile_generic.yaml.gotmpl`
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -143,6 +143,22 @@ securityContext:
    drop:
      - "ALL"
    add:
      # For secuity reasons, esp. when macros are enabled, Collabora isolates all documents workspaces
      # from each other. This isolation can work in three different ways. Collabora will automatically
      # select the best option.
      # - Using linux user namespaces is the most efficient one. You can test if user namespaces are
      #   available by running `unshare -Ur bash` in the Collabora Pod. If it returns
      #   `unshare: unshare failed: Operation not permitted`
      #   user namespaces are not available.
      #   Capabilities required: none
      #   Note: A container runtime still could gate syscalls like `unshare` with `CAP_SYSADMIN`. You could
      #         try using a custom seccompProfile in that case.
      #         Ref.: https://github.com/CollaboraOnline/online/blob/master/docker/cool-seccomp-profile.json
      # - Linking the documents and runtime environment into their own context.
      #   Capabilities required: `CAP_SYSADMIN`, `CAP_SYSCHROOT`, `CHOWN`, `FOWNER`
      # - Copying the documents and runtime environment into their own context,
      #   having impact on the performance.
      #   Capabilities required: `CAP_SYSCHROOT`, `CHOWN`, `FOWNER`
      - "CHOWN"
      - "FOWNER"
      - "SYS_CHROOT"
--- a/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
@@ -176,8 +176,7 @@ configuration:
    token:
      value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
-  # A sane default for windows clients would be: `* " | & ? , ; : \ / ~ < >`
+  forbiddenChars: {{ join " " .Values.functional.filestore.naming.forbiddenChars | quote }}
  forbiddenChars: "* \" | & ? , ; : \\ / ~ < >"
 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -7,7 +7,6 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 exporter:
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-exporter"
    {{- with .Values.annotations.nextcloudExporter.additional }}
@@ -59,6 +58,23 @@ exporter:
      {{ .Values.annotations.nextcloudExporter.serviceAccount | toYaml | nindent 6 }}
 aio:
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 1
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: "app.kubernetes.io/name"
                  operator: "In"
                  values:
                    - "aio"
                - key: "app.kubernetes.io/instance"
                  operator: "In"
                  values:
                    - "opendesk-nextcloud"
            topologyKey: "kubernetes.io/hostname"
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-aio"
    {{- with .Values.annotations.nextcloudAio.additional }}
--- a/helmfile/apps/notes/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/notes/helmfile-child.yaml.gotmpl
@@ -11,6 +11,13 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
  - name: "notes-customization-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.notesCustomization.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notesCustomization.registry }}/{{ .Values.charts.notesCustomization.repository }}"
 releases:
  - name: "impress"
@@ -24,6 +31,17 @@ releases:
      {{- end }}
    installed: {{ .Values.apps.notes.enabled }}
    timeout: 1800
  - name: "impress-customization"
    chart: "notes-customization-repo/{{ .Values.charts.notesCustomization.name }}"
    version: "{{ .Values.charts.notesCustomization.version }}"
    wait: true
    values:
      - "values-customization.yaml.gotmpl"
      {{- range .Values.customization.release.notesCustomization }}
      - {{ . }}
      {{- end }}
    installed: {{ .Values.apps.notes.enabled }}
    timeout: 1800
 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/notes/values-customization.yaml.gotmpl
+++ b/helmfile/apps/notes/values-customization.yaml.gotmpl
@@ -0,0 +1,8 @@
 # SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 frontend:
  runtimeEnvs:
    ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
    PORTAL_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
 ...
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -27,7 +27,7 @@ backend:
      {{- end }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  ingressAdmin:
-    enabled: true
+    enabled: false
    annotations:
      {{ .Values.annotations.notesBackend.ingressAdmin | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
@@ -131,15 +131,23 @@ backend:
  service:
    annotations:
      {{ .Values.annotations.notesBackend.service | toYaml | nindent 6 }}
  {{- if .Values.certificate.selfSigned }}
  extraVolumes:
    - name: "customization-volume"
      configMap:
        name: "impress-customization"
    {{- if .Values.certificate.selfSigned }}
    - name: "trusted-cert-secret-volume"
      secret:
        secretName: "opendesk-certificates-ca-tls"
        items:
          - key: "ca.crt"
            path: "ca-certificates.crt"
    {{- end }}
  extraVolumeMounts:
    - name: "customization-volume"
      mountPath: "/app/impress/configuration/theme/default.json"
      subPath: "theme.json"
    {{- if .Values.certificate.selfSigned }}
    - name: "trusted-cert-secret-volume"
      mountPath: "/usr/local/lib/python3.12/site-packages/certifi/cacert.pem"
      subPath: "ca-certificates.crt"
@@ -161,11 +169,6 @@ frontend:
    annotations:
      {{ .Values.annotations.notesFrontend.ingressMedia | toYaml | nindent 6 }}
    ingressClassName: {{ .Values.ingress.ingressClassName }}
  extraEnvVars:
    - name: "ICS_BASE_URL"
      value: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
    - name: "PORTAL_BASE_URL"
      value: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
  configuration:
    objectStoreHost: {{ printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain | quote }}
  resources:
@@ -197,6 +200,14 @@ frontend:
  serviceMedia:
    annotations:
      {{ .Values.annotations.notesFrontend.service | toYaml | nindent 6 }}
  extraVolumes:
    - name: "customization-volume"
      configMap:
        name: "impress-customization"
  extraVolumeMounts:
    - name: "customization-volume"
      mountPath: "/usr/share/nginx/html/runtime-env.js"
      subPath: "runtime-env.js"
 y-provider:
  image:
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -595,6 +595,7 @@ nubusPortalConsumer:
    auth:
      accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
      existingSecret: null
    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
@@ -699,6 +700,7 @@ nubusPortalServer:
    auth:
      accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
      existingSecret: null
    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
@@ -714,6 +716,8 @@ nubusPortalServer:
    featureToggles:
      notifications_api: false
      centered_layout: true
      # Also enable adjustments in helmfile/files/theme/portal/stylesheet.css when enabling left_sidebar
      left_sidebar: false
      newsfeed: {{ and .Values.apps.xwiki.enabled .Values.functional.portal.newsfeed.enabled }}
      umc_session_refresh: true
      welcome_message: {{ .Values.functional.portal.welcomeMessage.enabled }}
@@ -1037,7 +1041,7 @@ nubusProvisioning:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    persistence:
      size: {{ .Values.persistence.storages.nubusProvisioningNats.size }}
-      storageClass: {{ coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
+#      storageClassName: -- coalesce .Values.persistence.storages.nubusProvisioningNats.storageClassName .Values.persistence.storageClassNames.RWO | quote --
    reloader:
      image:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
@@ -1451,6 +1455,8 @@ nubusUmcServer:
      password: ""
  podAnnotations:
    {{ .Values.annotations.nubusUmcServer.pod | toYaml | nindent 4 }}
  # Ref.: https://docs.software-univention.de/nubus-kubernetes-operation/1.x/en/reference.html#envvar-nubusUmcServer.podManagementPolicy
  podManagementPolicy: "{{ if gt .Values.replicas.umsUmcServer 4 }}Parallel{{ else }}OrderedReady{{ end }}"
  postgresql:
    bundled: false
    connection:
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -380,6 +380,7 @@ appsuite:
        {{- if .Values.functional.groupware.davSupport.enabled }}
        open-xchange-authentication-application-storage-rdb: "enabled"
        {{- end }}
        open-xchange-mail-categories: "enabled"
    properties:
      com.openexchange.hostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
      com.openexchange.UIWebPath: "/appsuite/"
@@ -465,6 +466,40 @@ appsuite:
      com.openexchange.capability.share_links: "false"
      com.openexchange.capability.invite_guests: "false"
      com.openexchange.capability.document_preview: "true"
      # Mail Categories
      # Ref.: https://documentation.open-xchange.com/8/middleware/mail/mail_categories.html
      com.openexchange.mail.categories: "true"
      com.openexchange.mail.categories.general.name.fallback: "General"
      com.openexchange.mail.categories.general.name.de_DE: "Allgemein"
      com.openexchange.mail.categories.identifiers: "newsletter,invites,socialmedia"
      com.openexchange.mail.categories.newsletter.flag: "$newsletter"
      com.openexchange.mail.categories.newsletter.name.fallback: "Newsletter"
      com.openexchange.mail.categories.newsletter.name.de_DE: "Newsletter"
      com.openexchange.mail.categories.newsletter.description: "Emails containing newsletters or promotional content"
      com.openexchange.mail.categories.newsletter.description.de_DE: "E-Mails mit Newslettern oder Werbeinhalten"
      com.openexchange.mail.categories.newsletter.icon: "megaphone"
      com.openexchange.mail.categories.invites.flag: "$invites"
      com.openexchange.mail.categories.invites.name.fallback: "Invitations"
      com.openexchange.mail.categories.invites.name.de_DE: "Einladungen"
      com.openexchange.mail.categories.invites.description: "Emails with event invitations and RSVPs"
      com.openexchange.mail.categories.invites.description.de_DE: "E-Mails mit Veranstaltungseinladungen und Rückmeldungen"
      com.openexchange.mail.categories.invites.icon: "calendar-check"
      com.openexchange.mail.categories.socialmedia.flag: "$socialmedia"
      com.openexchange.mail.categories.socialmedia.name.fallback: "Social Media"
      com.openexchange.mail.categories.socialmedia.name.de_DE: "Soziale Medien"
      com.openexchange.mail.categories.socialmedia.description: "Updates and notifications from social media platforms"
      com.openexchange.mail.categories.socialmedia.description.de_DE: "Aktualisierungen und Benachrichtigungen von sozialen Medien"
      com.openexchange.mail.categories.socialmedia.icon: "people"
      com.openexchange.mail.user.categories.identifiers: "uc1,uc2,uc3"
      com.openexchange.mail.categories.uc1.flag: "$uc1"
      com.openexchange.mail.categories.uc1.name.fallback: "Your category 1"
      com.openexchange.mail.categories.uc1.name.de_DE: "Eigene Kategorie 1"
      com.openexchange.mail.categories.uc2.flag: "$uc2"
      com.openexchange.mail.categories.uc2.name.fallback: "Your category 2"
      com.openexchange.mail.categories.uc2.name.de_DE: "Eigene Kategorie 2"
      com.openexchange.mail.categories.uc3.flag: "$uc3"
      com.openexchange.mail.categories.uc3.name.fallback: "Your category 3"
      com.openexchange.mail.categories.uc3.name.de_DE: "Eigene Kategorie 3"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
      com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -494,6 +529,19 @@ appsuite:
      # http = (await import('./io.ox/core/http.js')).default
      # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
      com.openexchange.smime.test: {{ .Values.debug.enabled | quote }}
      {{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }}
      # Client Onboarding
      com.openexchange.client.onboarding.mail.imap.host: {{ .Values.global.domain | quote }}
      com.openexchange.client.onboarding.mail.imap.port: "993"
      com.openexchange.client.onboarding.mail.imap.secure: "true"
      com.openexchange.client.onboarding.mail.imap.requireTls: "false"
      com.openexchange.client.onboarding.mail.smtp.host: {{ .Values.global.domain | quote }}
      com.openexchange.client.onboarding.mail.smtp.port: "587"
      com.openexchange.client.onboarding.mail.smtp.secure: "false"
      com.openexchange.client.onboarding.mail.smtp.requireTls: "true"
      {{- else }}
      com.openexchange.client.onboarding.enabled: "false"
      {{- end }}
      # DAV
      {{- if .Values.functional.groupware.davSupport.enabled }}
      com.openexchange.caldav.enabled: "true"
@@ -594,7 +642,8 @@ appsuite:
      # Resources
      io.ox/core//features/resourceCalendars: "true"
      io.ox/core//features/managedResources: "true"
-      # Categories
+      # Features
      io.ox/core//features/signatureDesigner: "true"
      io.ox/core//features/categories: "true"
      io.ox/core//categories/predefined: >
        [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
--- a/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
@@ -42,11 +42,11 @@ assets:
  notes:
    subdomain: {{ .Values.global.hosts.notes }}
    paths:
-      - path: "/favicon.ico"
+      - path: "/assets/favicon-light.ico"
        data: {{ .Values.theme.imagery.notes.faviconIco }}
-      - path: "/favicon.png"
+      - path: "/assets/favicon-dark.png"
        data: {{ .Values.theme.imagery.notes.faviconPng }}
-      - path: "/favicon-dark.png"
+      - path: "/assets/favicon-light.png"
        data: {{ .Values.theme.imagery.notes.faviconPng }}
  openproject:
    subdomain: {{ .Values.global.hosts.openproject }}
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -20,13 +20,19 @@ imagePullSecrets:
  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
 javaOpts:
  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
  - "-Dlicenses={{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
  {{- end }}
  {{- if .Values.certificate.selfSigned }}
  - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
  - "-Djavax.net.ssl.trustStoreType=jks"
-  - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
+  {{- end }}
 javaOptsSecrets:
  {{- if .Values.certificate.selfSigned }}
  trustStorePassword:
    option: "-Djavax.net.ssl.trustStorePassword="
    value: {{ .Values.secrets.certificates.password }}
    secret:
      name: {{ .Values.externalSecrets.certificates.password.name | quote }}
      key: {{ .Values.externalSecrets.certificates.password.key | quote }}
  {{- end }}
 externalDB:
@@ -39,7 +45,18 @@ externalDB:
  user: {{ .Values.databases.xwiki.username | quote }}
  host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }}
  customKeyRef:
    {{- if or (.Values.externalSecrets.mariadb.rootPassword.name) (.Values.externalSecrets.postgresql.xwikiUser.name) }}
    enabled: true
    {{- else }}
    enabled: false
    {{- end }}
    {{- if eq .Values.databases.xwiki.type "mariadb" }}
    name: {{ .Values.externalSecrets.mariadb.rootPassword.name | quote }}
    key: {{ .Values.externalSecrets.mariadb.rootPassword.key | quote }}
    {{- else }}
    name: {{ .Values.externalSecrets.postgresql.xwikiUser.name | quote }}
    key: {{ .Values.externalSecrets.postgresql.xwikiUser.key | quote }}
    {{- end }}
 securityContext:
  enabled: true
@@ -70,23 +87,17 @@ customConfigs:
    xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
    ## Enable the synchronization of the LDAP profile picture
    xwiki.authentication.ldap.update_photo: 1
    {{ if .Values.debug.enabled }}
    ## Password of "superadmin" user, disables account if not password is set
    xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
    {{ end }}
    ## LDAP Server configuration
    xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
    xwiki.authentication.ldap.port: 389
    ## Authentication to the LDAP server
    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,{{ .Values.ldap.baseDn }}"
    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
    ## Base DN used for searching for users
    xwiki.authentication.ldap.base_DN: "{{ .Values.ldap.baseDn }}"
    ## Allow short update cycles of the LDAP group cache
    xwiki.authentication.ldap.groupcache_expiration: 300
    ## Mapping for XWiki attributes to the respective LDAP attributes
    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
  xwiki.properties:
    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
    distribution.defaultUI: "com.xwiki.projects.swp:xwiki-swp-flavor-enterprise-main"
@@ -100,7 +111,6 @@ customConfigs:
    oidc.logoutMechanism: "rpInitiated"
    oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
    oidc.scope: "openid,opendesk-xwiki-scope"
    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
    oidc.skipped: false
    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
    oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
@@ -112,12 +122,38 @@ customConfigs:
    url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
    workplaceServices.base: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
    workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
    openoffice.serverType: "0"
    openoffice.autoStart: "false"
    openoffice.homePath: "/tmp"
    notifications.emails.live.graceTime: "5"
 customConfigsSecrets:
  xwiki.cfg:
    {{ if .Values.debug.enabled }}
    ## Password of "superadmin" user, disables account if not password is set
    xwiki.superadminpassword:
      value: {{ .Values.secrets.xwiki.superadminpassword | quote }}
      secret:
        name: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.name | quote }}
        key: {{ .Values.externalSecrets.xwiki.xwikiSuperadminpassword.key | quote }}
    {{ end }}
    xwiki.authentication.ldap.bind_pass:
      value: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
      secret:
        name: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.name | quote }}
        key: {{ .Values.externalSecrets.nubus.ldapSearch.xwiki.key | quote }}
  xwiki.properties:
    oidc.secret:
      value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
      secret:
        name: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.name | quote }}
        key: {{ .Values.externalSecrets.keycloak.clientSecret.xwiki.key | quote }}
    workplaceServices.portalSecret:
      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
      secret:
        name: {{ .Values.externalSecrets.centralnavigation.apiKey.name | quote }}
        key: {{ .Values.externalSecrets.centralnavigation.apiKey.key | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
@@ -171,6 +207,9 @@ properties:
  ## This option overwrites the LDAP group mappings including all dynamically created mappings,
  # therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
  ## Collabora ODT / DOCX export
  "property:xwiki:Collabora.Code.Configuration^Collabora.Code.ConfigurationClass.isEnabled": 1
  "property:xwiki:Collabora.Code.Configuration^Collabora.Code.ConfigurationClass.server": "http://collabora:9980"
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -216,6 +255,14 @@ properties:
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "Wissen - $!tdoc.displayTitle - {{ .Values.theme.texts.productName }}"
  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
  "licenses": "{{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
  {{- end }}
 ## Properties listed in the secret file will overwrite plain values
 propertiesSecret:
  name: {{ .Values.externalSecrets.xwiki.propertiesSecret.name | quote }}
  key: {{ .Values.externalSecrets.xwiki.propertiesSecret.key | quote }}
 cluster:
  replicas: {{ .Values.replicas.xwiki }}
--- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
@@ -12,6 +12,6 @@ charts:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector-pro-chart"
-    version: "1.19.197"
+    version: "1.21.244"
    verify: false
 ...
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -13,9 +13,9 @@ images:
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.6.3@sha256:2a60cf286952f7762ddb32c3de2bb1359a657d739b507f8b077504fe5d0c7c11"
+    tag: "1.6.9@sha256:3d9f2db7d3f38f3ba86d3ad3b46d98e566c18a9545f3ca14fc357b1944b41c5c"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"
-    tag: "8.39.70@sha256:94b6e9325dfa4c91587b761946151987dd49000727ab81d10a41fdc7c17ae2cb"
+    tag: "8.41.58@sha256:da4aff1b890a463b01cc2c6b75c56fc5fe887d9ec5d2c7065535c083385044b6"
 ...
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -24,7 +24,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
    name: "opendesk-certificates"
-    version: "3.1.2"
+    version: "3.1.3"
    verify: true
  clamav:
    # providerCategory: "Platform"
@@ -34,7 +34,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "opendesk-clamav"
-    version: "4.0.6"
+    version: "4.0.7"
    verify: true
  clamavSimple:
    # providerCategory: "Platform"
@@ -44,7 +44,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "clamav-simple"
-    version: "4.0.6"
+    version: "4.0.7"
    verify: true
  collabora:
    # providerCategory: "Supplier"
@@ -139,7 +139,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "intercom-service"
-    version: "2.19.0"
+    version: "2.19.5"
    verify: true
  jitsi:
    # providerCategory: "Platform"
@@ -149,7 +149,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
    name: "opendesk-jitsi"
-    version: "3.2.0"
+    version: "3.3.0"
    verify: true
  mariadb:
    # providerCategory: "Platform"
@@ -249,27 +249,27 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "4.4.1"
+    version: "4.4.3"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "4.4.1"
+    version: "4.4.3"
    verify: true
  nextcloudNotifyPush:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-notifypush
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-notifypush"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-notifypush"
-    version: "4.4.1"
+    version: "4.4.3"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -285,7 +285,7 @@ charts:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway"
    name: "nginx-s3-gateway"
@@ -295,11 +295,21 @@ charts:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
-    # packageName=bmi/opendesk/components/platform-development/charts/opendesk-impress
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-impress/impress"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress"
    name: "impress"
-    version: "1.0.1"
+    version: "1.0.2"
    verify: true
  notesCustomization:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-impress-customization/impress-customization"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress-customization"
    name: "impress-customization"
    version: "1.0.0"
    verify: true
  nubus:
    # providerCategory: "Supplier"
@@ -311,7 +321,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "nubus"
-    version: "1.12.0"
+    version: "1.13.1"
    verify: true
  opendeskAlerts:
    # providerCategory: "Platform"
@@ -395,7 +405,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.21.167"
+    version: "2.23.206"
    verify: false
  oxAppSuiteBootstrap:
    # providerCategory: "Platform"
@@ -417,7 +427,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "ox-connector"
-    version: "0.27.7"
+    version: "0.27.9"
    verify: true
  postfix:
    # providerCategory: "Platform"
@@ -525,6 +535,6 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
    name: "xwiki"
-    version: "1.4.4"
+    version: "1.5.4"
    verify: false
 ...
--- a/helmfile/environments/default/customization.yaml.gotmpl
+++ b/helmfile/environments/default/customization.yaml.gotmpl
@@ -51,6 +51,7 @@ customization:
    opendeskNextcloudNotifyPush: {}
    # notes
    notes: {}
    notesCustomization: {}
    # nubus
    ums: {}
    intercomService: {}
--- a/helmfile/environments/default/external_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -0,0 +1,40 @@
 {{/*
 SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 externalSecrets:
  centralnavigation:
    apiKey:
      name: ~
      key: ~
  certificates:
    password:
      name: ~
      key: ~
  keycloak:
    clientSecret:
      xwiki:
        name: ~
        key: ~
  nubus:
    ldapSearch:
      xwiki:
        name: ~
        key: ~
  mariadb:
    rootPassword:
      name: ~
      key: ~
  postgresql:
    xwikiUser:
      name: ~
      key: ~
  xwiki:
    xwikiSuperadminpassword:
      name: ~
      key: ~
    propertiesSecret:
      name: ~
      key: ~
 ...
--- a/helmfile/environments/default/functional.yaml.gotmpl
+++ b/helmfile/environments/default/functional.yaml.gotmpl
@@ -128,6 +128,25 @@ functional:
      enabled: true
  filestore:
    # Settings related to directory and filenames
    naming:
      # Disallowed characters for directory and file names.
      # Some operating systems do not support these characters, preventing affected clients from syncing files.
      #
      # Note: After changing the settings below and redeploying Nextcloud, restart the `aio` Pod(s) to
      # apply the changes.
      forbiddenChars:
        - '*'
        - '"'
        - '|'
        - '?'
        - ';'
        - ':'
        - '\'
        - '/'
        - '~'
        - '<'
        - '>'
    quota:
      # Set the default quota for all users in gigabyte
      default: 1
@@ -136,8 +155,12 @@ functional:
    sharing:
      # External shares
      external:
-        # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
+        # Enables sharing of files with external participants (create external links, send links by mail and allow
-        # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
+        # external upload in shared folders).
        # When you enable external sharing it is still possible to use the groupfolder feature and block external
        # sharing for defined groupfolder(s).
        # Note: If you disable this option existing external shares stop working, when re-enabling it the old
        # shares are available again.
        enabled: false
        # Enforces passwords to be used on external shares.
        enforcePasswords: false
@@ -190,8 +213,10 @@ functional:
  migration:
    oxAppSuite:
      # Note: Only available in openDesk Enterprise.
-      # Turn on temporary for migration purposes only. Will enable master password auth in OX AppSuite and Dovecot using
+      # Note: Turn on temporary for migration purposes only.
-      # `secrets.oxAppSuite.migrationsMasterPassword`.
+      # Will enable master password auth in Dovecot and add an additional OX App Suite Core Middelware Pod in the
      # role `migration` that is master password enabled. The Pod is accessible through a ClusterIP.
      # Master password is defined in `secrets.oxAppSuite.migrationsMasterPassword`.
      enabled: false
  portal:
--- a/helmfile/environments/default/global.generated.yaml.gotmpl
+++ b/helmfile/environments/default/global.generated.yaml.gotmpl
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.7.1"
+    releaseVersion: "v1.8.0"
 ...
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -63,10 +63,11 @@ images:
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "cryptpad/cryptpad"
-    # upstreamMirrorTagFilterRegEx: '^opendesk-(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^version-(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["2025", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad"
-    tag: "opendesk-20241022@sha256:3e5bf06cb9d0a7ec8257874b8b347599200eb677fc428a2e043ccab06ef2be17"
+    tag: "version-2025.6.0@sha256:7711c08792637534445e6f1e42407149c2568ae0490b83ea36c06ba395389dec"
  dkimpy:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -160,7 +161,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.19.0@sha256:ebb4e721f4daebf5a206359978b327e85f2d51b9bf145576778ca3b5983920f8"
+    tag: "2.19.5@sha256:4f1bccfd29889e1edd093c8e35c9486919984faf55ca92b787a6a7aca3729e47"
  jibri:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -170,7 +171,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri"
-    tag: "stable-9955@sha256:a07b82f2758389b2071c794810145111641e78f1b768b1bbfa6d3d1dc76d3da9"
+    tag: "stable-10431@sha256:21ae6f3e9139ca1beea630756060b66f1a6221005f45e35df35d4bf9f69a4cc3"
  jicofo:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -180,7 +181,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo"
-    tag: "stable-9955@sha256:f1a1478d231bc4891b5eea06443d72187c378d5e38403bb545aab281446f8d50"
+    tag: "stable-10431@sha256:6857b0cad627cde79f6e21c1c40843b14d70dd43e627537c60449d448ce14769"
  jigasi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -190,7 +191,7 @@ images:
    # upstreamMirrorStartFrom: ["9955"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jigasi"
-    tag: "stable-9955@sha256:0e191ac39d3e7299d0bcc070fa1867cceb17fe8d92e9d5cd492aec4c268fa56f"
+    tag: "stable-10431@sha256:9bcb35444296ab007b24a8ccecd6c1eacc0f01fccf4223e7f8ac340464f4a52e"
  jitsi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -200,7 +201,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
-    tag: "stable-9955@sha256:81fdcfa14287fe3358532c363875584d0cdd40ff4030695b713af6e60192d306"
+    tag: "stable-10431@sha256:47f57fb67d95a2d3b5fa6edf93916b4922e1599278c0f9dd16cc30f432c75511"
  jitsiKeycloakAdapter:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -210,7 +211,7 @@ images:
    # upstreamMirrorStartFrom: ["2023", "12", "14"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter"
-    tag: "v20250314@sha256:2e24db127ab266b90b8fd371ce547e7f9619b6be3fefed30906867b1ce368697"
+    tag: "v20250911@sha256:716fb9ba2e866d74cbbd6241a8c75335e48ba25ec2d35f4678e83dd3156bc87c"
  jitsiPatchJVB:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -220,7 +221,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "32", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/community/images-mirror/kubectl"
-    tag: "1.32.0@sha256:48c81b7aaf4fabf2733a0b888960f6982181fbcd2c3f8dfcebc4a1a065631162"
+    tag: "1.33.4@sha256:681609aff6bf316acf464d9c9e369d84c49d50be6379247291b01ac311a7f5f5"
  jvb:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -230,7 +231,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
-    tag: "stable-9955@sha256:27753ac320910e04f5c4f4f628d20995ea969ea38523d90a9066adc52f9bc022"
+    tag: "stable-10431@sha256:64f8a368f593a30d5388d9643b1b0af7b4a09f03f6e585e50cdbff398b5f8918"
  mariadb:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -332,7 +333,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.10.3@sha256:93fc967cebb24508b5903c15a83af5c038aa006a5c091a41a7bcd81ae14a69bb"
+    tag: "2.10.10@sha256:b994d3d1e0664056122dc5275fdf0a4ec7215d9dc5e8b3c030c31a366eda9aa0"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -356,7 +357,7 @@ images:
    # upstreamRepository: "lasuite/impress-backend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.9.0-docs-v3.2.1-backend@sha256:17c16e4e00b15e4637d01553d56e7eecb7a477bec48677d1e7fb07b04c48d2b8"
+    tag: "1.11.0-docs-v3.4.0-backend@sha256:a07acb86ee260fd9242c4173a01c67c36552d149a2af91220348bdb588c19bf5"
  notesFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -364,7 +365,7 @@ images:
    # upstreamRepository: "lasuite/impress-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.9.0-docs-v3.2.1-frontend@sha256:328d5a8bf41875eb5945229adfc4a52eb2fef109e25d980910ee77edd4bc1887"
+    tag: "1.11.0-docs-v3.4.0-frontend@sha256:e7316700442455419ebb2e37fe2ae246bb90a7d09ad30477df608b5eb6089095"
  notesYProvider:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -392,7 +393,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "41", "5"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.97.0@sha256:0c4a92f892d54ca3669b33391fb1fb6b45f6a9c43080beacd0d3fa061b0826ab"
+    tag: "0.97.5@sha256:43371a04f951d733419e508af4dc4fe7d27a71fd6b616d93568bb304d5d8fe4c"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -452,7 +453,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.15.2@sha256:207cb4355cead96c8dbfc5c89f77e591c226ebbcac1079c08e6f0eeb8183acea"
+    tag: "0.16.3@sha256:8b455b329b6364580b7ab85d704c6ac5f025da7b313611b1f7cf66ca07f41c52"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -482,7 +483,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.46.0@sha256:2856ea8767e5fa93d0bfcb7211397e121e2792a731825381400dedbdd8ff6a7b"
+    tag: "0.46.2@sha256:96cfd086f7df7f60ab18ee2c76a6b910011d506c488863d7819727977ee32f72"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -492,7 +493,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.46.0@sha256:5a1612c58f4edb2e42060ac2f927414574d5689c52cbd813f5b2eca0c7c5f75c"
+    tag: "0.46.2@sha256:88a7fb8ca353cd5e32357489cca75eec9b0cfc1802e66ad14365cc1971f7f639"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -510,7 +511,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "29", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.46.0@sha256:688dd37bc472d752d8e4a727374ce13ffdd3fcd65a598f39a8cf54c56d3988e0"
+    tag: "0.46.2@sha256:8314b3d683168bd33e3bc5ba8b4689db10f302d409c8966d7620d2c7617bd7f3"
  nubusLdapUpdateUniventionObjectIdentifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -520,7 +521,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "34", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-update-univention-object-identifier"
-    tag: "0.39.1@sha256:3c1ff735df4f4c133bdb3d6a833cc081c7a31e8efcb84c63ed046cd6840469e5"
+    tag: "0.39.4@sha256:49677ee61dd6aff0e87ff9bde2f032a939749e4097f461307d064566c380c6e2"
  nubusNats:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -554,7 +555,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.74.1@sha256:3613be84aa991fcd15f6cf47f32bc61345ec660c1a5bf9c3e3e843e8b803b9c4"
+    tag: "0.79.4@sha256:b4e2fc6631e35a97ad920437b645fa4212a3ef7c563c1b048dc282535f9f7634"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -590,7 +591,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "10", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
-    tag: "0.27.7@sha256:c0ec68bbd79707de8f4d8efe7aa2b0d907ea3207865fed7a0c8e8ef1806ef70d"
+    tag: "0.27.9@sha256:e059d4e521284b21b5aa3664e9c3261be1a195d112004542b56a784165f8ea9e"
  nubusPortalConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -600,7 +601,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.74.1@sha256:1d9b7e890ee46aa4a2a78ab2e7734ac4bf037f86631a43964d1d8fab17772987"
+    tag: "0.79.4@sha256:757bfea13aba02805e671b6dfee98f5e97e7ed83d8cbd933e33dc8f3e06e140c"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -610,7 +611,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "28", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.74.1@sha256:cb3c3e4188cfde1d2091790bed38495bf4aa05b54c88e76fd78923db25502c1a"
+    tag: "0.79.4@sha256:15a01dd58bdb309a54acaeb6722c497dd8f40e1269b7ae023813c4d33f73ac97"
  nubusPortalFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -620,7 +621,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "67", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.74.1@sha256:c96209ceb0220b4f05472ba8273a96ed4e526ba5b37f82876aa21a030603cf95"
+    tag: "0.79.4@sha256:8dd1ac0122312e81413699c7d7535c0a35b0e7f9d36fbda0edba388bc1d91917"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -630,7 +631,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.74.1@sha256:1f143b81c7c72754784f9399999c2fcb0d34ac7ec0db6fdefb790a1c2ab4ec62"
+    tag: "0.79.4@sha256:a4ed5cad22516e153cdffec2d658724d68effd22b60478f179fa7d6e5e0451ad"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -640,7 +641,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.60.2@sha256:356f28afe6354b91a5473c8e3f3c647ae6aca0cf7de47f4e47f6e7acf7a5ab7c"
+    tag: "0.60.10@sha256:6307e9e1ddad0e6f3285ca11b758902f8c377a5d3de6a59b3437accb8475848f"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -650,7 +651,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.60.2@sha256:3e4fd557abc8350a8d7725ade0103ade7dc28f1ea31cfc981e03e9ce51fa7244"
+    tag: "0.60.10@sha256:9d5f4e4a2668605349fa6cd6973c7a6acbc2ef95a37e72834c6525ac9e464740"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -660,7 +661,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.60.2@sha256:23eec4905847ab050a83834f6d70419182601838da4687882c93100842ff349f"
+    tag: "0.60.10@sha256:8ea46658e66fb5be81968dcf00397b741f61d4fd84c8210b9761412e67109cd0"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -670,7 +671,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.60.2@sha256:38c2db4e270f67b2d97423ca727fc2a8030dce73a93bd2967d2682844d3bf480"
+    tag: "0.60.10@sha256:fb0d96fa7b382b7d8eec9e262711e1291a0991ade185b39ee604400d4bd5fa9b"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -680,7 +681,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.60.2@sha256:df38dc8528f0eec1f44db45a8156697d0424bd008c65a1619de15b6ac586d1a0"
+    tag: "0.60.10@sha256:62b98f3e2c19de298878f5679577bfcbddacec742015d6f20b998a549318e810"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -690,7 +691,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.19.0@sha256:4215533c7c4497e02666cf04ee77ab866263ae6e595758e8b63018b257e972ad"
+    tag: "0.19.4@sha256:ca9865114fd35fcc1dbe1a5660a3b69d04a8f568cf15286069342e45f0c7ea91"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -700,7 +701,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.39.1@sha256:62324c259bdd8e6273aeaf93df44405ef5e42ca17281d19e2a0d86f4f44b742e"
+    tag: "0.39.4@sha256:195a1889d67e3848bad238e400dba446521f689649b0e691a788b734b4b5a26a"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -710,7 +711,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.49.0@sha256:a6b779fc7f214f045fe04783d7d137b1dca15dcfafa369508225ab7734bc0287"
+    tag: "0.50.3@sha256:faf08a490d9e99b4b07398bf23a0694ea2ff2e58296dfa6f712a6b7f12583c9d"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -720,7 +721,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.49.0@sha256:94efec7b3559c27b54984d75f43d248139091255b4978ef7bf0219eb6f6d2e48"
+    tag: "0.50.3@sha256:41f68c7636253763a18779ff4c38fd02a9903cdb38d955d23cc79cf97efcbe5c"
  nubusUmcServerProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -764,7 +765,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "16.2.1@sha256:4b0c0589ad21b727cf4a7c896f8f446607319ac3ff476855f7576b5eb1173cff"
+    tag: "16.4.1@sha256:b80443fc9fe1bf9ed475897316208b394cca4e730ae8ca34944373245cc0a4f5"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -798,7 +799,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.19@sha256:2c8abc8385090bac03c4540c176ec9c51cd73b0a5a477840d7250ead10701770"
+    tag: "8.6.21@sha256:71b4819d42a808d57951405ab6215ff9fafae43e3f10a9f388484b7fbe28849e"
  openxchangeCoreMW:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -808,7 +809,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.39.71@sha256:eb5a1e124e8d98aeac2bd32dab8ec690aa71c8e49e5c57916452c471e1afd628"
+    tag: "8.41.58@sha256:a4c169d13a928d5532fc200be6c7c76c1d18f0579b8dbdb514583f62ac9fe8c7"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -818,7 +819,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.39.1@sha256:d25119e36689231d09d747c32c14439d073318f6fd7d084761525579b636ee93"
+    tag: "8.41.1@sha256:108974ea42a4cf22ea1b37b975928881b6c23a2949b51781812f5b1260873aa4"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -828,7 +829,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.1.3@sha256:5a9259ef6cb155a8e5b94d567af00d8899934550565fbf109ab17200cf5df7f4"
+    tag: "2.1.8@sha256:1853e6e2b780936a18b11c208b4b39ce094e49d25830c22c5658c27274e5b7fc"
  openxchangeCoreUserGuide:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -838,7 +839,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.39.1471602@sha256:4a02e72caca3e21c2919960167f28962de7e70161dad6f7916e8d3b8e104768e"
+    tag: "8.41.1547156@sha256:fadee7a76ffa91e0be7ec643f3315806787ac2eea4b0bb271201a58580a5f456"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -848,7 +849,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.39.1842@sha256:a405aface2a9a187c66b2862bc724ee075ebc0209c931abd3478f3cafaf137f7"
+    tag: "8.41.1875@sha256:839d73bdc7b158beee5e157df4b49004c9f4f2df1afb65c1e4bae51f9f67a213"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -878,7 +879,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.39.2122@sha256:d025984017d9a70473a4217bd9b815df08cfa9941137e6f02c024917061313a6"
+    tag: "8.41.2194@sha256:8b3085642fea2bc0ab64b6a8256ce4c00952e84d4c233edd05d458a8d82045f9"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -898,7 +899,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "2", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.4.1@sha256:c9f0f5425517e1740aaf9998c5944ce36ce26eda52329754e6b8ac733e2dacc5"
+    tag: "2.5.0@sha256:e7838687b30eb7d4976e9e0c99d23cdc0cc59b1f38d322dc8562905a723218bf"
  oxConnector:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -908,7 +909,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "4", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
-    tag: "0.27.7@sha256:de5153eca1607686f7c42e8bfc89103d346947e779e40c4f63992009a3ee2fef"
+    tag: "0.27.9@sha256:749a59c7ae9eb7882448fce5441bf05aba84ef4ee6d8107e63d22267faa40763"
  postfix:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -942,7 +943,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
-    tag: "stable-9955@sha256:fa66872338c7c3b6fdb1f1a67ad770f2b62948f4193b91a58f12c0aa5ca2e783"
+    tag: "stable-10431@sha256:792618fff60c6e0eb4facb221e3477b2249cabeaf0479753ac7a6b98c075fd20"
  redis:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -1002,19 +1003,19 @@ images:
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://git.xwikisas.com:5050"
    # upstreamRepository: "xwikisas/swp/xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-mariadb.+$'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-mariadb.+$'
-    # upstreamMirrorStartFrom: ["0", "12"]
+    # upstreamMirrorStartFrom: ["17", "4", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.25-mariadb-jetty-alpine@sha256:7175ef5e454b4eb0f6fd6a92a9503d8a680db3ca97b25c3a4eedac9c9bfbcdaf"
+    tag: "17.4.4-mariadb-jetty-alpine@sha256:069dfcc11b7373eb1b30757144adb90cf661386503bece866a0c728ee89bb47d"
  xwikiPostgres:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
    # upstreamRegistry: "https://git.xwikisas.com:5050"
    # upstreamRepository: "xwikisas/swp/xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-postgres.+$'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-postgres.+$'
-    # upstreamMirrorStartFrom: ["0", "23"]
+    # upstreamMirrorStartFrom: ["17", "4", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.25-postgres-jetty-alpine@sha256:1bfc57a65f8bc6b059d550791699b5afa33b91db8d4c75ca8f6f3d2299f7c335"
+    tag: "17.4.4-postgres-jetty-alpine@sha256:fd567fe4f499d0a0919ed02558e313284f4475d928f126c6800c2410d2a61d39"
 ...
--- a/helmfile/environments/default/resources.yaml.gotmpl
+++ b/helmfile/environments/default/resources.yaml.gotmpl
@@ -293,7 +293,7 @@ resources:
  openproject:
    limits:
      cpu: 99
-      memory: "2Gi"
+      memory: "3Gi"
    requests:
      cpu: 0.1
      memory: "768Mi"
--- a/helmfile/files/theme/portal/stylesheet.css
+++ b/helmfile/files/theme/portal/stylesheet.css
@@ -95,6 +95,16 @@
  --layout-height-header: 63px;
  /* Keycloak user screens logo */
  --login-logo: url("/opendesk-static-files/login/logo.svg") no-repeat center;
  /* Unified topbar feature */
  /**
  --left-sidenav-close-button-border-radius: 100%;
  --waffle-icon-height: 4rem;
  --left-sidenavigation-border-radius: 0 1rem 1rem 0;
  --left-sidenavigation-close-button-radius: 1rem;
  --left-sidenavigation-hover-bg-color: var(--bgc-underlay);
  --left-sidenavigation-active-bg-color: #D3D7DE;
  --waffle-icon-background-color: #EEEFF2;
  */
 }
 button {
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -22,7 +22,7 @@ migrations:
  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  failOnUnexpectedState: true
  environmentDetails:
-    {{ ( omit .Values "theme" ) | toYaml | nindent 4 }}
+    {{ ( omit .Values "theme" "functional" ) | toYaml | nindent 4 }}
  cleanup: false
 containerSecurityContext:
Author	SHA1	Message	Date
Axel Lender	a357f300d0	feat(helm): Update upstream version Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-09-23 08:14:46 +02:00
Axel Lender	4a50180361	feat(helm): Template support for XWiki external secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-09-23 08:14:46 +02:00
Axel Lender	533b1c5923	feat(helmfile): Add support for external secrets in XWiki Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-09-23 08:14:46 +02:00
Thorsten Roßner	ca05ff9c1c	docs(self-signed-certificates.md): [bmi/opendesk/deployment/opendesk#230] Add missing `caCertificate` setting to example	2025-09-19 14:15:53 +00:00
Thorsten Roßner	795bb7394e	chore(functional.yaml.gotmpl): Improve comment on `filestore.sharing.external.enabled`	2025-09-19 14:15:53 +00:00
Thomas Kaltenbrunner	c63665040c	feat(notes): Update from 3.2.1 to 3.4.0	2025-09-19 14:15:53 +00:00
Thorsten Roßner	69f20057cd	chore(helmfile): Streamline `upstreamRepository` entries in `charts.yaml.gotmpl`	2025-09-19 14:15:53 +00:00
Viktor Pracht	4da1c5d9e3	feat(open-xchange): Enable mail categories	2025-09-19 15:22:26 +02:00
Thorsten Roßner	2e708a75b6	fix(opendesk-certificates): [bmi/opendesk/deployment/opendesk#236] Update Helm chart to add `commonName` to certificate	2025-09-18 08:54:08 +02:00
Thorsten Roßner	dee7525649	fix(clamav): [bmi/opendesk/deployment/opendesk#234] Update Helm chart to support conditional proxy credentials	2025-09-18 08:49:28 +02:00
Viktor Pracht	c50b817795	feat(open-xchange): Update from 8.40 to 8.41	2025-09-18 08:46:12 +02:00
Thorsten Roßner	21e6d7fd8b	chore(collabora): Add context information on `securityContext.capabilities.add`	2025-09-18 06:36:03 +00:00
Thorsten Roßner	6f9f926cc5	docs(self-signed-certificates): Update "Option 1" regarding the JKS secret	2025-09-18 06:36:03 +00:00
Thorsten Roßner	40f15fbd36	chore(mr-templates): Cleanup	2025-09-18 06:36:03 +00:00
emrah	e138610d29	feat(jitsi): Upgrade from stable-9955 to stable-10431	2025-09-18 06:36:03 +00:00
Franz Kuntke	7b1f9a7e9b	chore(helmfile): Set `global.systemInformation.releaseVersion` to `v1.8.0`	2025-09-17 15:26:18 +02:00
Oliver Günther	f5483d1a3b	feat(openproject): Update OpenProject from 16.3.2 to 16.4.1	2025-09-17 13:05:58 +02:00
Thorsten Roßner	23dfe0aaa6	feat(cryptpad): Update from 2024.6.1 to 2025.6.0	2025-09-15 12:32:35 +02:00
Thorsten Roßner	2dc76ae34c	chore(kyverno): Remove `functional.*` from migration details	2025-09-15 12:11:39 +02:00
Thorsten Roßner	6703eb03d5	docs(debugging.md): Add info how to set fine granular log levels for Keycloak	2025-09-15 11:35:57 +02:00
Thorsten Roßner	49e3fbf533	chore(functional.yaml.gotmpl): Update comment on `migration.oxAppSuite.enabled`	2025-09-11 16:39:12 +02:00
Thorsten Roßner	5a2c1fcf98	feat(nextcloud): Expose `forbiddenChars` in `functional.yaml.gotmpl`; review `migrations.md` for required upgrade steps	2025-09-11 16:39:08 +02:00
Norbert Tretkowski	ba77f2b11c	fix(ox-connector): Update from v0.27.7 to v0.27.9	2025-09-09 11:11:47 +02:00
Norbert Tretkowski	3305dfa5fb	fix(intercom-service): Update from v2.19.0 to v2.19.5	2025-09-09 11:11:47 +02:00
Norbert Tretkowski	35424b88d6	feat(nubus): Update from 1.12.0 to 1.13.1	2025-09-09 11:11:44 +02:00
Thorsten Roßner	ce4874a922	chore(openproject): Avoid OOM kills in dev deployments	2025-09-09 08:04:24 +00:00
Thorsten Roßner	813e92c1b0	feat(xwiki): Update from 16.10.5 to 17.4.4 and configure openDesk's Collabora for `.odt`, `.rtf` and `.docx` export of wiki pages	2025-09-09 08:04:24 +00:00
Thomas Kaltenbrunner	d8fc3e04f5	fix(open-xchange): Add client onboarding for mail	2025-09-08 12:23:52 +00:00
Thorsten Roßner	70178bb512	chore(mr-templates): Update based on feedback from technical weekly	2025-09-04 11:23:02 +02:00
Thorsten Roßner	d90e3ff92f	chore(mr-templates): Update `Default.md` to provide details on template selection	2025-09-04 11:23:02 +02:00
Thorsten Roßner	f848b9a0f4	fix(nextcloud): Update from 31.0.6 to 31.0.7 including the latest app versions	2025-09-04 11:22:59 +02:00
Oliver Günther	f77f3291ca	feat(openproject): Update OpenProject from 16.2.1 to 16.3.2	2025-09-02 14:26:43 +00:00
Viktor Pracht	c70a0bdc4c	feat(open-xchange): Update from 8.39 to 8.40	2025-09-02 12:23:55 +00:00
Niels Lindenthal	5ab706e204	chore(README.md): Streamline sentence based capitalization	2025-09-01 07:45:31 +02:00