fix(element): Update Element Web to v1.11.59 with widget sync fix and NeoBoard to 1.14.0

Signed-off-by: Milton Moura <miltonmoura@gmail.com>
fix(element): Update to EW release image and related release charts
2025-12-06 07:21:36 +01:00 · 2024-03-14 12:58:27 -01:00 · 2024-02-28 12:28:22 -01:00 · 2024-02-28 10:58:10 -01:00 · 2024-02-28 09:26:27 -01:00 · 2024-02-27 16:38:10 -01:00
63 changed files with 1053 additions and 288 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,7 +3,7 @@
 ---
 include:
  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "main"
+    ref: "v2.3.2"
    file:
      - "ci/common/automr.yml"
      - "ci/common/lint.yml"
@@ -11,8 +11,6 @@ include:
  - local: "/.gitlab/generate/generate-docs.yml"
  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    file: "gitlab/environments.yaml"
-    rules:
-      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
  - local: "/.gitlab/lint/lint-opendesk.yml"
    rules:
      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
@@ -197,7 +195,7 @@ env-start:
    name: "${NAMESPACE}"
    on_stop: "env-stop"
  extends: ".deploy-common"
-  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -378,7 +376,7 @@ env-stop:
  environment:
    name: "${NAMESPACE}"
    action: "stop"
-  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
  needs: []
  rules:
    - if: >
@@ -448,7 +446,10 @@ run-tests:
 avscan-prepare:
  stage: ".pre"
  rules:
-    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+    - if: >
+          $JOB_AVSCAN_ENABLED != 'false' &&
+          $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+          $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "always"
    - when: "never"
  image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
@@ -481,7 +482,8 @@ avscan-prepare:
      yq '.images
      | with_entries(.key |= "scan-" + .)
      | .[].extends=".container-clamav"
-      | with(.[]; .variables.CONTAINER_IMAGE = .repository | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry)
+      | with(.[]; .variables.CONTAINER_IMAGE = .repository
+      | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry)
      | del(.[].repository)
      | del(.[].tag)
      | del(.[].registry)'
@@ -494,7 +496,10 @@ avscan-prepare:
 avscan-start:
  stage: "scan"
  rules:
-    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+    - if: >
+        $JOB_AVSCAN_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "always"
    - when: "never"
  trigger:
@@ -507,7 +512,10 @@ generate-release-assets:
  stage: "generate-release-assets"
  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
  rules:
-    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+    - if: >
+        $JOB_AVSCAN_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "on_success"
    - when: "never"
  script:
@@ -528,7 +536,7 @@ generate-release-assets:
  variables:
    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"

-# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
+# Declare .environments which is in environments repository. In case it is not available
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
  cache: {}
@@ -559,14 +567,20 @@ reuse-linter:

 generate-release-version:
  rules:
-    - if: "$JOB_RELEASE_ENABLED != 'false'"
+    - if: >
+        $JOB_RELEASE_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "on_success"

 release:
  dependencies:
    - "generate-release-assets"
  rules:
-    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+    - if: >
+        $JOB_AVSCAN_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "on_success"
  script:
    - >
@@ -582,7 +596,7 @@ release:
    - |
      echo -e "\n[INFO] Writing data to helm value file..."
      cat <<EOF >helmfile/environments/default/global.generated.yaml
-      # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+      # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
      # SPDX-License-Identifier: Apache-2.0
      ---
      global:
--- a/.gitlab/common/common.yml
+++ b/.gitlab/common/common.yml
@@ -2,14 +2,13 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.2\
-    @sha256:7a866a34b82dddea8867862afaaccb1d1e385854ce344fc71be492800a5b16a6"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
-    @sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.3\
+    @sha256:4630299fddf4248af1ad04528f0435d78f5b2694a154c99fe72b960260a7be61"
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.4\
+    @sha256:386e84e2c85c33537479e4bb1e1fe744c9cce5e87bcb9a3a384dcdc1727c19c0"

 .common:
  cache: {}
  needs: []
-  tags:
-    - "docker"
+  tags: []
 ...
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -27,7 +27,14 @@ lint-kyverno:
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
-    - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required -s manifest -f opendesk.yaml --skip-tests true ${APP}"
+    - >
+      node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
+      -d ${CI_PROJECT_DIR}/.kyverno
+      -t required
+      -s manifest
+      -f opendesk.yaml
+      --skip-tests true
+      ${APP}
    - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
    - "cd ${CI_PROJECT_DIR}/.kyverno"
    - "kyverno test ."
--- a/.kyverno/policies/_policies.yaml
+++ b/.kyverno/policies/_policies.yaml
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 pod:
@@ -12,7 +12,7 @@ pod:
      - "Pod"
      - "DaemonSet"
  - name: "disallow-default-serviceaccount"
-    rule: "require-sa"
+    rule: "disallow-default-serviceAccountName"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -20,8 +20,8 @@ pod:
      - "Job"
      - "Pod"
      - "DaemonSet"
-  - name: "require-imagepullsecrets"
-    rule: "require-imagepullsecrets"
+  - name: "template-imagepullsecrets"
+    rule: "template-imagePullSecrets"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -30,7 +30,7 @@ pod:
      - "Pod"
      - "DaemonSet"
  - name: "disallow-latest-tag"
-    rule: "validate-image-tag"
+    rule: "disallow-latest-tag"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -38,8 +38,17 @@ pod:
      - "Job"
      - "Pod"
      - "DaemonSet"
-  - name: "require-imagepullpolicy-always"
-    rule: "require-imagepullpolicy-always"
+  - name: "disallow-latest-tag"
+    rule: "require-image-tag-or-digest"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-imagepullpolicy"
+    rule: "require-imagePullPolicy"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -55,23 +64,23 @@ pod:
      - "Deployment"
      - "Pod"
      - "DaemonSet"
-  - name: "require-storage"
-    rule: "require-storageclass-pvc"
+  - name: "template-storage"
+    rule: "template-storageClassName-pod"
    type: "required"
    kinds:
      - "PersistentVolumeClaim"
-  - name: "require-storage"
-    rule: "require-storageclass-pod"
+  - name: "template-storage"
+    rule: "template-storageClassName-pvc"
    type: "required"
    kinds:
      - "StatefulSet"
-  - name: "require-storage"
-    rule: "require-storage-size-pvc"
+  - name: "template-storage"
+    rule: "template-requests-storage-pod"
    type: "required"
    kinds:
      - "PersistentVolumeClaim"
-  - name: "require-storage"
-    rule: "require-storage-size-pod"
+  - name: "template-storage"
+    rule: "template-requests-storage-pvc"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -84,8 +93,8 @@ pod:
      - "Job"
      - "Pod"
      - "DaemonSet"
-  - name: "restrict-image-registries"
-    rule: "validate-registries"
+  - name: "template-image-registries"
+    rule: "template-image-registries"
    type: "required"
    kinds:
      - "StatefulSet"
@@ -165,4 +174,119 @@ pod:
      - "Job"
      - "Pod"
      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-empty-seLinuxOptions"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "require-default-procMount"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "require-containersecuritycontext"
+    rule: "restrict-sysctls"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-container-sock-mounts"
+    rule: "validate-docker-sock-mount"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-container-sock-mounts"
+    rule: "validate-containerd-sock-mount"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-container-sock-mounts"
+    rule: "validate-crio-sock-mount"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-container-sock-mounts"
+    rule: "validate-dockerd-sock-mount"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-host-namespaces"
+    rule: "disallow-host-namespaces"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-host-path"
+    rule: "disallow-host-path"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-host-ports"
+    rule: "disallow-host-ports"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "disallow-host-process"
+    rule: "disallow-host-process"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
+      - "Job"
+      - "Pod"
+      - "DaemonSet"
+  - name: "template-ingress"
+    rule: "template-ingressClassName"
+    type: "required"
+    kinds:
+      - "Ingress"
+  - name: "template-ingress"
+    rule: "template-tls-secretName"
+    type: "required"
+    kinds:
+      - "Ingress"
+  - name: "template-replicas"
+    rule: "template-replicas"
+    type: "required"
+    kinds:
+      - "StatefulSet"
+      - "Deployment"
 ...
--- a/.kyverno/policies/disallow-container-sock-mounts.yaml
+++ b/.kyverno/policies/disallow-container-sock-mounts.yaml
@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-container-sock-mounts"
+  annotations:
+    policies.kyverno.io/title: "Disallow CRI socket mounts"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Container daemon socket bind mounts allow access to the container engine on the node.
+      This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should
+      not be allowed.
+      This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
+      In addition to or replacement of this policy, preventing users from mounting the parent directories
+      (/var/run and /var) may be necessary to completely prevent socket bind mounts.
+spec:
+  background: true
+  rules:
+    - name: "validate-docker-sock-mount"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: "Use of the Docker Unix socket is not allowed."
+        anyPattern:
+          - spec:
+              =(volumes):
+                - =(hostPath):
+                    path: "!/var/run/docker.sock"
+          - spec:
+              =(volumes):
+    - name: "validate-containerd-sock-mount"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: "Use of the Containerd Unix socket is not allowed."
+        anyPattern:
+          - spec:
+              =(volumes):
+                - =(hostPath):
+                    path: "!/var/run/containerd/containerd.sock"
+          - spec:
+              =(volumes):
+    - name: "validate-crio-sock-mount"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: "Use of the CRI-O Unix socket is not allowed."
+        anyPattern:
+          - spec:
+              =(volumes):
+                - =(hostPath):
+                    path: "!/var/run/crio/crio.sock"
+          - spec:
+              =(volumes):
+    - name: "validate-dockerd-sock-mount"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: "Use of the Docker CRI socket is not allowed."
+        anyPattern:
+          - spec:
+              =(volumes):
+                - =(hostPath):
+                    path: "!/var/run/cri-dockerd.sock"
+          - spec:
+              =(volumes):
--- a/.kyverno/policies/disallow-default-serviceaccount.yaml
+++ b/.kyverno/policies/disallow-default-serviceaccount.yaml
@@ -1,10 +1,20 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "disallow-default-serviceaccount"
+  annotations:
+    policies.kyverno.io/title: "Prevent default ServiceAccount privilege escalation"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Kubernetes automatically creates a ServiceAccount object named default for every namespace in your cluster.
+      These default service accounts get no permissions by default.
+      Accidental or intended assignment of permissions on the default service account results in elevated permissions
+      for all pods with default service account assigned.
+      This risk can be mitigated by creating a custom ServiceAccount for each application or reduce the risk by disable
+      auto mounting the default service account into the pod.
 spec:
  background: true
  rules:
@@ -12,11 +22,15 @@ spec:
        resources:
          kinds:
            - "Pod"
-      name: "require-sa"
+      name: "disallow-default-serviceAccountName"
      validate:
-        message: "serviceAccountName must be set to anything other than 'default'."
-        pattern:
-          spec:
-            serviceAccountName: "!default"
+        message: >-
+          Field serviceAccountName must be set to anything other than 'default'.
+          When serviceAccountName is 'default' then automountServiceAccountToken must set to 'false' .
+        anyPattern:
+          - spec:
+              serviceAccountName: "!default"
+          - spec:
+              automountServiceAccountToken: "false"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/disallow-host-namespaces.yaml
+++ b/.kyverno/policies/disallow-host-namespaces.yaml
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-host-namespaces"
+  annotations:
+    policies.kyverno.io/title: "Disallow Host Namespaces"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access
+      to shared information and can be used to elevate privileges.
+      Pods should not be allowed access to host namespaces.
+      This policy ensures fields which make use of these host namespaces are unset or set to `false`.
+spec:
+  background: true
+  rules:
+    - name: "disallow-host-namespaces"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: >-
+          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
+          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
+        pattern:
+          spec:
+            =(hostPID): "false"
+            =(hostIPC): "false"
+            =(hostNetwork): "false"
--- a/.kyverno/policies/disallow-host-path.yaml
+++ b/.kyverno/policies/disallow-host-path.yaml
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-host-path"
+  annotations:
+    policies.kyverno.io/title: "Disallow hostPath"
+    policies.kyverno.io/subject: "Pod,Volume"
+    policies.kyverno.io/description: >-
+      HostPath volumes let Pods use host directories and volumes in containers.
+      Using host resources can be used to access shared data or escalate privileges and should not be allowed.
+      This policy ensures no hostPath volumes are in use.
+spec:
+  background: true
+  rules:
+    - name: "disallow-host-path"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: >-
+          HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
+        anyPattern:
+          - spec:
+              =(volumes):
+                - X(hostPath): "null"
+          - spec:
+              =(volumes):
--- a/.kyverno/policies/disallow-host-ports.yaml
+++ b/.kyverno/policies/disallow-host-ports.yaml
@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-host-ports"
+  annotations:
+    policies.kyverno.io/title: "Disallow hostPorts"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum
+      restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`.
+spec:
+  background: true
+  rules:
+    - name: "disallow-host-ports"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: >-
+          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
+          , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
+          must either be unset or set to `0`.
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - =(ports):
+                  - =(hostPort): 0
+            =(initContainers):
+              - =(ports):
+                  - =(hostPort): 0
+            containers:
+              - =(ports):
+                  - =(hostPort): 0
--- a/.kyverno/policies/disallow-host-process.yaml
+++ b/.kyverno/policies/disallow-host-process.yaml
@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "disallow-host-process"
+  annotations:
+    policies.kyverno.io/title: "Disallow hostProcess"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node.
+      Privileged access to the host is disallowed in the baseline policy.
+      HostProcess pods are an alpha feature as of Kubernetes v1.22.
+      This policy ensures the `hostProcess` field, if present, is set to `false`.
+spec:
+  background: true
+  rules:
+    - name: "disallow-host-process"
+      match:
+        any:
+          - resources:
+              kinds:
+                - "Pod"
+      validate:
+        message: >-
+          HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
+          spec.containers[*].securityContext.windowsOptions.hostProcess,
+          spec.initContainers[*].securityContext.windowsOptions.hostProcess, and
+          spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined or set to
+          `false`.
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"
+            =(initContainers):
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"
+            containers:
+              - =(securityContext):
+                  =(windowsOptions):
+                    =(hostProcess): "false"
--- a/.kyverno/policies/disallow-latest-tag.yaml
+++ b/.kyverno/policies/disallow-latest-tag.yaml
@@ -1,10 +1,18 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "disallow-latest-tag"
+  annotations:
+    policies.kyverno.io/title: "Disallow usage of latest tag"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      The ':latest' tag is mutable and can lead to unexpected errors if the image changes.
+      A best practice is to use an immutable tag that maps to a specific version of an application Pod.
+      This policy validates that the image specifies a tag and that it is not called `latest`.
+      Defining no image tag or digest result in the container engine retrieving the latest tag.
 spec:
  background: true
  rules:
@@ -12,7 +20,7 @@ spec:
        resources:
          kinds:
            - "Pod"
-      name: "validate-image-tag"
+      name: "disallow-latest-tag"
      validate:
        message: "Using a mutable image tag e.g. 'latest' is not allowed."
        pattern:
@@ -23,5 +31,27 @@ spec:
              - image: "!*:latest"
            containers:
              - image: "!*:latest"
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-image-tag-or-digest"
+      validate:
+        message: "A image tag or a digest is required, otherwise latest tag is chosen."
+        anyPattern:
+          - spec:
+              =(ephemeralContainers):
+                - image: "*:*"
+              =(initContainers):
+                - image: "*:*"
+              containers:
+                - image: "*:*"
+          - spec:
+              =(ephemeralContainers):
+                - image: "*@*"
+              =(initContainers):
+                - image: "*@*"
+              containers:
+                - image: "*@*"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-containersecuritycontext.yaml
+++ b/.kyverno/policies/require-containersecuritycontext.yaml
@@ -1,10 +1,16 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-containersecuritycontext"
+  annotations:
+    policies.kyverno.io/title: "ContainerSecurityContext best practices are set."
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      The containerSecurityContext is the most important security-related section because it has the highest precedence
+      and restricts the container to its minimal privileges.
 spec:
  background: true
  rules:
@@ -169,5 +175,70 @@ spec:
              - securityContext:
                  runAsNonRoot: true

+    - name: "require-empty-seLinuxOptions"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: "SELinux options have to be unset."
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  seLinuxOptions:
+            =(initContainers):
+              - securityContext:
+                  seLinuxOptions:
+            containers:
+              - securityContext:
+                  seLinuxOptions:
+
+    - name: "require-default-procMount"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: >-
+          Changing the proc mount from the default is not allowed. The fields
+          spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
+          and spec.ephemeralContainers[*].securityContext.procMount must be unset or
+          set to `Default`.
+        pattern:
+          spec:
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(procMount): "Default"
+            =(initContainers):
+              - =(securityContext):
+                  =(procMount): "Default"
+            containers:
+              - =(securityContext):
+                  =(procMount): "Default"
+
+    - name: "restrict-sysctls"
+      match:
+        resources:
+          kinds:
+            - "Pod"
+      validate:
+        message: >-
+          Setting additional sysctls above the allowed type is not allowed.
+          The field spec.securityContext.sysctls must be unset or not use any other names
+          than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
+          net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
+          net.ipv4.ping_group_range.
+        pattern:
+          spec:
+            =(securityContext):
+              =(sysctls):
+                - =(name): >-
+                    kernel.shm_rmid_forced |
+                    net.ipv4.ip_local_port_range |
+                    net.ipv4.ip_unprivileged_port_start |
+                    net.ipv4.tcp_syncookies |
+                    net.ipv4.ping_group_range
+
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-health-and-liveness-check.yaml
+++ b/.kyverno/policies/require-health-and-liveness-check.yaml
@@ -1,10 +1,20 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-health-and-liveness-check"
+  annotations:
+    policies.kyverno.io/title: "Disallow usage of latest tag"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      Liveness and readiness probes need to be configured to correctly manage a Pod's lifecycle during deployments,
+      restarts, and upgrades.
+      For each Pod, a periodic `livenessProbe` is performed by the kubelet to determine if the Pod's containers are
+      running or need to be restarted.
+      A `readinessProbe` is used by Services and Pods to determine if the Pod is ready to receive network traffic.
+      This policy validates that all containers have livenessProbe and readinessProbe defined.
 spec:
  background: true
  rules:
@@ -14,8 +24,9 @@ spec:
            - "Pod"
      name: "require-health-and-liveness-check"
      validate:
-        message: "Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds
-          must be set to a value greater than 0."
+        message: >-
+          Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds must be set to a
+          value greater than 0.
        pattern:
          spec:
            containers:
--- a/.kyverno/policies/require-imagepullpolicy-always.yaml
+++ b/.kyverno/policies/require-imagepullpolicy-always.yaml
@@ -1,40 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-imagepullpolicy-always"
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-imagepullpolicy-always"
-      validate:
-        message: "The imagePullPolicy must be set to `Always` when the tag `latest` is used."
-        anyPattern:
-          - spec:
-              =(ephemeralContainers):
-                - (image): "*:latest"
-                  imagePullPolicy: "Always"
-              =(initContainers):
-                - (image): "*:latest"
-                  imagePullPolicy: "Always"
-              containers:
-                - (image): "*:latest"
-                  imagePullPolicy: "Always"
-          - spec:
-              =(ephemeralContainers):
-                - (image): "!*:latest"
-                  imagePullPolicy: "IfNotPresent"
-              =(initContainers):
-                - (image): "!*:latest"
-                  imagePullPolicy: "IfNotPresent"
-              containers:
-                - (image): "!*:latest"
-                  imagePullPolicy: "IfNotPresent"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-imagepullpolicy.yaml
+++ b/.kyverno/policies/require-imagepullpolicy.yaml
@@ -0,0 +1,51 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "require-imagepullpolicy"
+  annotations:
+    policies.kyverno.io/title: "Disallow usage of latest tag"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to
+      ensure later pulls get an updated image in case the latest tag gets updated.
+      This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or
+      where a tag is not defined at all.
+      Additionally this policy checks if the variable `.Values.global.imagePullPolicy` is used in templates.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "require-imagePullPolicy"
+      validate:
+        message: >-
+          The imagePullPolicy must be set to `Always` when the `latest` tag is used, otherwise the value from
+          `.Values.global.imagePullPolicy` has to be used.
+        anyPattern:
+          - spec:
+              =(ephemeralContainers):
+                - (image): "*:latest | !*:*"
+                  imagePullPolicy: "Always"
+              =(initContainers):
+                - (image): "*:latest | !*:*"
+                  imagePullPolicy: "Always"
+              containers:
+                - (image): "*:latest | !*:*"
+                  imagePullPolicy: "Always"
+          - spec:
+              =(ephemeralContainers):
+                - (image): "!*:latest"
+                  imagePullPolicy: "kyverno"
+              =(initContainers):
+                - (image): "!*:latest"
+                  imagePullPolicy: "kyverno"
+              containers:
+                - (image): "!*:latest"
+                  imagePullPolicy: "kyverno"
+  validationFailureAction: "audit"
+...
--- a/.kyverno/policies/require-imagepullsecets.yaml
+++ b/.kyverno/policies/require-imagepullsecets.yaml
@@ -1,23 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-imagepullsecrets"
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-imagepullsecrets"
-      validate:
-        message: "ImagePullSecrets are required."
-        pattern:
-          spec:
-            imagePullSecrets:
-              - name: "*"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-requests-limits.yaml
+++ b/.kyverno/policies/require-requests-limits.yaml
@@ -1,10 +1,20 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-requests-limits"
+  annotations:
+    policies.kyverno.io/title: "Require resources cpu/memory request and limits."
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      As application workloads share cluster resources, it is important to limit resources requested and consumed by
+      each Pod.
+      It is recommended to require resource requests and limits per Pod, especially for memory and CPU.
+      If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on
+      the LimitRange configuration.
+      This policy validates that all containers have specified requests for memory and CPU and a limit for memory.
 spec:
  background: true
  rules:
--- a/.kyverno/policies/require-tag-and-digest.yaml
+++ b/.kyverno/policies/require-tag-and-digest.yaml
@@ -1,10 +1,18 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-tag-and-digest"
+  annotations:
+    policies.kyverno.io/title: "Require tag and digest for image."
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      To ensure that containers are not compromised in container registry by pushing malicious code to the same tag, it
+      is required to reference images by setting a sha256 hashed digest.
+      Setting only the digest is complicated for humans to compare software versions, therefore in openDesk it is
+      required to reference container images by tag and digest.
 spec:
  background: true
  rules:
--- a/.kyverno/policies/template-image-registries.yaml
+++ b/.kyverno/policies/template-image-registries.yaml
@@ -1,10 +1,16 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
-  name: "restrict-image-registries"
+  name: "template-image-registries"
+  annotations:
+    policies.kyverno.io/title: "Check image registry template"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      This policy verifies that a custom external registry can be template to allow downloads from a private registry or
+      cache.
 spec:
  background: true
  rules:
@@ -12,7 +18,7 @@ spec:
        resources:
          kinds:
            - "Pod"
-      name: "validate-registries"
+      name: "template-image-registries"
      validate:
        message: "Unknown image registry."
        pattern:
--- a/.kyverno/policies/template-ingress.yaml
+++ b/.kyverno/policies/template-ingress.yaml
@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "template-ingress"
+  annotations:
+    policies.kyverno.io/title: "Validate openDesk Ingress templating"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      This policy verifies that ingress variables are templated.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Ingress"
+      name: "template-ingressClassName"
+      validate:
+        message: "Verifies that ingressClassName can be customized by `.Values.ingress.ingressClassName` variable."
+        pattern:
+          spec:
+            ingressClassName: "kyverno"
+    - match:
+        resources:
+          kinds:
+            - "Ingress"
+      name: "template-tls-secretName"
+      validate:
+        message: "Verifies that tls.secretName can be customized by `.Values.ingress.tls.secretName` variable."
+        pattern:
+          spec:
+            tls:
+              - secretName: "kyverno-tls"
+  validationFailureAction: "audit"
+...
--- a/.kyverno/policies/template-replicas.yaml
+++ b/.kyverno/policies/template-replicas.yaml
@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "template-replicas"
+  annotations:
+    policies.kyverno.io/title: "Validate openDesk Pod replicas templating"
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      This policy verifies that `.Values.replicas.<app>` variables are templated.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Deployment"
+            - "StatefulSet"
+      name: "template-replicas"
+      validate:
+        message: "Verifies that replica count can be customized by `.Values.replicas.<app>` variable."
+        pattern:
+          spec:
+            replicas: 42
+
+  validationFailureAction: "audit"
+...
--- a/.kyverno/policies/template-require-imagepullsecets.yaml
+++ b/.kyverno/policies/template-require-imagepullsecets.yaml
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: "kyverno.io/v1"
+kind: "ClusterPolicy"
+metadata:
+  name: "template-imagepullsecrets"
+  annotations:
+    policies.kyverno.io/title: "ImagePullSecrets template variable have to be implemented."
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      It is recommended to cache images to ensure continuous image availability during network partitions, rate limiting
+      or registry outages.
+      These caches as well as a company proxy may require authentication which will be provided as ImagePullSecrets.
+      This is a openDesk test to ensure that environment variables are templated in Helmfile deployment.
+spec:
+  background: true
+  rules:
+    - match:
+        resources:
+          kinds:
+            - "Pod"
+      name: "template-imagePullSecrets"
+      validate:
+        message: "ImagePullSecrets are required."
+        pattern:
+          spec:
+            imagePullSecrets:
+              - name: "kyverno-test"
+  validationFailureAction: "audit"
+...
--- a/.kyverno/policies/template-storage.yaml
+++ b/.kyverno/policies/template-storage.yaml
@@ -4,7 +4,13 @@
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
-  name: "require-storage"
+  name: "template-storage"
+  annotations:
+    policies.kyverno.io/title: "Validate storageClass and size templates."
+    policies.kyverno.io/subject: "Pod"
+    policies.kyverno.io/description: >-
+      This policy validates if `.Values.persistence.storageClassNames` variables are used in templates and if the size
+      of volumes can be customized by `.Values.persistence.size` variable.
 spec:
  background: true
  rules:
@@ -12,9 +18,9 @@ spec:
        resources:
          kinds:
            - "StatefulSet"
-      name: "require-storageclass-pod"
+      name: "template-storageClassName-pod"
      validate:
-        message: "VolumeClaims inside pods need to have storageClass set when templated."
+        message: "VolumeClaims inside pods needs to have storageClass set when templated."
        pattern:
          spec:
            (volumeClaimTemplates):
@@ -24,9 +30,9 @@ spec:
        resources:
          kinds:
            - "PersistentVolumeClaim"
-      name: "require-storageclass-pvc"
+      name: "template-storageClassName-pvc"
      validate:
-        message: "Persistent Volume Claim need to have storageClassName set when templated."
+        message: "PersistentVolumeClaim needs to have storageClassName set when templated."
        pattern:
          spec:
            storageClassName: "kyverno-test"
@@ -35,9 +41,9 @@ spec:
        resources:
          kinds:
            - "StatefulSet"
-      name: "require-storage-size-pod"
+      name: "template-requests-storage-pod"
      validate:
-        message: "VolumeClaims inside pods need to have storageClass set when templated."
+        message: "VolumeClaims inside pods needs to have storageClass set when templated."
        pattern:
          spec:
            (volumeClaimTemplates):
@@ -49,9 +55,9 @@ spec:
        resources:
          kinds:
            - "PersistentVolumeClaim"
-      name: "require-storage-size-pvc"
+      name: "template-requests-storage-pvc"
      validate:
-        message: "Persistent Volume Claim need to have storageClassName set when templated."
+        message: "PersistentVolumeClaim needs to have storageClassName set when templated."
        pattern:
          spec:
            resources:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,19 @@
+## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23)
+
+
+### Bug Fixes
+
+* **ci:** Move main development repo OpenCoDE ([43718b8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/43718b8da2966b87fab8e206df449c923f6615e7))
+* **ci:** Run release pipeline only on pushes to main ([13dcb00](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/13dcb004419b4efd8ded8c25e7afa41d10156be8))
+* **ci:** Update kyverno rules ([d9263c9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9263c90110df241adaef8d1a5df8e8d8ceda11b))
+* **docs:** Add missing footnote regarding Nubus ([bc6e4f8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc6e4f8e5dcc32cc476de579fd56dbade79b7c31))
+* **nextcloud:** Set admin priviledges for users in central IAM ([a3e415d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a3e415d575ba24b99e741994fb29d0f0cfd11d8a))
+* **univention-management-stack:** Scaling udm-rest-api ([57d0f61](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/57d0f61b2c3e789b72a0098907817c97fee69268))
+* **univention-management-stack:** Set Keycloak CSP header to allow session continuation in admin portal. ([a398e5a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a398e5aaf131c1f00b09e1776d6daf10f2c343ad))
+* **univention-management-stack:** UMS portal-server scalability ([b1b4c28](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b1b4c28618e0eca31b59719e9e1f2db8ecff7f5c))
+* **univention-management-stack:** Univention Portal upstream codefixes version bump ([c2f62f7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c2f62f7c9487b2119b0d3efd98b40c92efb97c5d))
+* **univention-management-stack:** Update provisioning to fix high CPU usage when in idle ([d9c23bd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9c23bdf0b955c0b5e4c82dd1ee785b75ce18a3b))
+
 ## [0.5.77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.76...v0.5.77) (2024-02-16)


--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Feedback](#feedback)
 * [License](#license)
 * [Copyright](#copyright)
+* [Footnotes](#footnotes)
 <!-- TOC -->

 # Overview
@@ -110,3 +111,12 @@ This project uses the following license: Apache-2.0
 # Copyright

 Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+
+# Footnotes
+
+[^1]: Nubus is the Cloud Portal and IAM from Univention.
+It is currently integrated as a product preview within openDesk therefore,
+not all resources like documentation and structured release notes are available,
+while the
+[source code can already be found on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/component-code/crossfunctional/univention).
+Please find updates regarding the Nubus at https://nubus.io.
--- a/docs/monitoring.md
+++ b/docs/monitoring.md
@@ -70,4 +70,3 @@ grafana:
 |:----------|-----------------------------------|-------------------------|---------------------|
 | Collabora | :white_check_mark:                | :white_check_mark:      | :white_check_mark:  |
 | Nextcloud | :white_check_mark:                | :x:                     | :x:                 |
-| XWiki     | :white_check_mark:                | :x:                     | :x:                 |
--- a/docs/scaling.md
+++ b/docs/scaling.md
@@ -20,38 +20,42 @@ Verified positive effects are marke with a check-mark in `Scaling (verified)` co
 marked with a gear.


-| Component        | Name                                     | Scaling (effective) | Scaling (verified) |
-|------------------|------------------------------------------|:-------------------:|:------------------:|
-| ClamAV           | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.freshclam`                     |         :x:         |        :x:         |
-|                  | `replicas.icap`                          | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.milter`                        | :white_check_mark:  | :white_check_mark: |
-| Collabora        | `replicas.collabora`                     | :white_check_mark:  |       :gear:       |
-| CryptPad         | `replicas.cryptpad`                      | :white_check_mark:  |       :gear:       |
-| Dovecot          | `replicas.dovecot`                       |         :x:         |       :gear:       |
-| Element          | `replicas.element`                       | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.matrixNeoBoardWidget`          | :white_check_mark:  |       :gear:       |
-|                  | `replicas.matrixNeoChoiceWidget`         | :white_check_mark:  |       :gear:       |
-|                  | `replicas.matrixNeoDateFixBot`           | :white_check_mark:  |       :gear:       |
-|                  | `replicas.matrixNeoDateFixWidget`        | :white_check_mark:  |       :gear:       |
-|                  | `replicas.matrixUserVerificationService` | :white_check_mark:  |       :gear:       |
-|                  | `replicas.synapse`                       |         :x:         |       :gear:       |
-|                  | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
-| Intercom Service | `replicas.intercomService`               | :white_check_mark:  |       :gear:       |
-| Jitsi            | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
-|                  | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
-|                  | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
-|                  | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
-|                  | `replicas.jvb `                          |         :x:         |        :x:         |
-| Keycloak         | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
-| Memcached        | `replicas.memcached`                     |       :gear:        |       :gear:       |
-| Minio            | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
-| Nextcloud        | `replicas.nextcloudApache2`              | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.nextcloudExporter`             | :white_check_mark:  | :white_check_mark: |
-|                  | `replicas.nextcloudPHP`                  | :white_check_mark:  | :white_check_mark: |
-| OpenProject      | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
-| Postfix          | `replicas.postfix`                       |         :x:         |       :gear:       |
-| Redis            | `replicas.redis`                         |       :gear:        |       :gear:       |
-| XWiki            | `replicas.xwiki`                         |         :x:         |       :gear:       |
+| Component                   | Name                                     | Scaling (effective) | Scaling (verified) |
+|-----------------------------|------------------------------------------|:-------------------:|:------------------:|
+| ClamAV                      | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.freshclam`                     |         :x:         |        :x:         |
+|                             | `replicas.icap`                          | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.milter`                        | :white_check_mark:  | :white_check_mark: |
+| Collabora                   | `replicas.collabora`                     | :white_check_mark:  |       :gear:       |
+| CryptPad                    | `replicas.cryptpad`                      | :white_check_mark:  |       :gear:       |
+| Dovecot                     | `replicas.dovecot`                       |         :x:         |       :gear:       |
+| Element                     | `replicas.element`                       | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.matrixNeoBoardWidget`          | :white_check_mark:  |       :gear:       |
+|                             | `replicas.matrixNeoChoiceWidget`         | :white_check_mark:  |       :gear:       |
+|                             | `replicas.matrixNeoDateFixBot`           | :white_check_mark:  |       :gear:       |
+|                             | `replicas.matrixNeoDateFixWidget`        | :white_check_mark:  |       :gear:       |
+|                             | `replicas.matrixUserVerificationService` | :white_check_mark:  |       :gear:       |
+|                             | `replicas.synapse`                       |         :x:         |       :gear:       |
+|                             | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
+| Intercom Service            | `replicas.intercomService`               | :white_check_mark:  | :white_check_mark: |
+| Jitsi                       | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
+|                             | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
+|                             | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
+|                             | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
+|                             | `replicas.jvb `                          |         :x:         |        :x:         |
+| Keycloak                    | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
+| Memcached                   | `replicas.memcached`                     |       :gear:        |       :gear:       |
+| Minio                       | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
+| Nextcloud                   | `replicas.nextcloudApache2`              | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.nextcloudExporter`             | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.nextcloudPHP`                  | :white_check_mark:  | :white_check_mark: |
+| OpenProject                 | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
+| Postfix                     | `replicas.postfix`                       |         :x:         |       :gear:       |
+| Redis                       | `replicas.redis`                         |       :gear:        |       :gear:       |
+| Univention Management Stack |                                          |       :gear:        |       :gear:       |
+|                             | `replicas.umsPortalFrontend`             | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.umsPortalServer`               | :white_check_mark:  | :white_check_mark: |
+|                             | `replicas.umsUdmRestApi`                 | :white_check_mark:  | :white_check_mark: |
+| XWiki                       | `replicas.xwiki`                         |         :x:         |       :gear:       |
--- a/helmfile/apps/cryptpad/helmfile.yaml
+++ b/helmfile/apps/cryptpad/helmfile.yaml
@@ -13,7 +13,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/\
+      {{ .Values.charts.cryptpad.repository }}"

 releases:
  - name: "cryptpad"
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -13,35 +13,40 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/\
+      {{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/\
+      {{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/\
+      {{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/\
+      {{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/\
+      {{ .Values.charts.synapseCreateAccount.repository }}"

  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -59,28 +64,32 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
+      {{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
+      {{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/\
+      {{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/\
+      {{ .Values.charts.matrixNeodatefixBot.repository }}"


 releases:
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
-  endToEndEncryption: false
+  endToEndEncryption: true
  additionalConfiguration:
    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"

@@ -15,9 +15,6 @@ configuration:
          portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
        custom_css_variables:
          --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
-        widget_types:
-          - jitsi
-          - net.nordeck

    "net.nordeck.element_web.module.widget_lifecycle":
      widget_permissions:
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -43,8 +43,6 @@ extraEnvVars:
      secretKeyRef:
        name: "matrix-neodatefix-bot-account"
        key: "access_token"
-  - name: "ENABLE_CRYPTO"
-    value: "false"

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -3,7 +3,7 @@
 ---
 configuration:
  e2ee:
-    forceDisable: true
+    forceDisable: false

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -13,7 +13,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/\
+      {{ .Values.charts.intercomService.repository }}"

 releases:
  - name: "intercom-service"
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -13,7 +13,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/\
+      {{ .Values.charts.jitsi.repository }}"

 releases:
  - name: "jitsi"
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -13,14 +13,16 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/\
+      {{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloud.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/\
+      {{ .Values.charts.nextcloud.repository }}"

 releases:
  - name: "opendesk-nextcloud-management"
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -47,6 +47,7 @@ configuration:
  ldap:
    host: {{ .Values.ldap.host | quote }}
    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
+    adminGroupName: "managed-by-attribute-FileshareAdmin"
  objectstore:
    auth:
      accessKey:
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -40,7 +40,7 @@ exporter:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
-  replicas: {{ .Values.replicas.nextcloudExporter }}
+  replicaCount: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}

@@ -97,7 +97,7 @@ php:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
-  replicas: {{ .Values.replicas.nextcloudPHP }}
+  replicaCount: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}

@@ -130,7 +130,7 @@ apache2:
    repository: {{ .Values.images.nextcloudApache2.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudApache2.tag | quote }}
-  replicas: {{ .Values.replicas.nextcloudApache2 }}
+  replicaCount: {{ .Values.replicas.nextcloudApache2 }}
  resources:
    {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -13,14 +13,16 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/\
+      {{ .Values.charts.dovecot.repository }}"

  # Open-Xchange
  - name: "open-xchange-repo"
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/\
+      {{ .Values.charts.openXchangeAppSuite.repository }}"

  # openDesk Open-Xchange Bootstrap
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -13,7 +13,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/\
+      {{ .Values.charts.openprojectBootstrap.repository }}"

 releases:
  - name: "opendesk-openproject-bootstrap"
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -13,7 +13,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/\
+      {{ .Values.charts.openproject.repository }}"

 releases:
  - name: "openproject"
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -144,7 +144,9 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-replicaCount: {{ .Values.replicas.openproject }}
+backgroundReplicaCount: {{ .Values.replicas.openprojectWorker }}
+
+replicaCount: {{ .Values.replicas.openprojectWeb }}

 resources:
  {{ .Values.resources.openproject | toYaml | nindent 2 }}
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/\
+      {{ .Values.charts.oxConnector.repository }}"

 releases:
  - name: "ox-connector"
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -59,6 +59,8 @@ probes:
    failureThreshold: 30
    successThreshold: 1

+replicaCount: {{ .Values.replicas.oxConnector }}
+
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -13,7 +13,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
+      {{ .Values.charts.otterize.repository }}"

  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -23,7 +24,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/\
+      {{ .Values.charts.certificates.repository }}"

  # openDesk PostgreSQL
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
@@ -33,7 +35,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/\
+      {{ .Values.charts.postgresql.repository }}"

  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -43,7 +46,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
+      {{ .Values.charts.mariadb.repository }}"

  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -53,7 +57,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
+      {{ .Values.charts.postfix.repository }}"

  # openDesk Istio Resources
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
@@ -63,7 +68,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/\
+      {{ .Values.charts.istioResources.repository }}"

  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -73,14 +79,16 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/\
+      {{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/\
+      {{ .Values.charts.clamavSimple.repository }}"

  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
@@ -90,21 +98,24 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/\
+      {{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/\
+      {{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/\
+      {{ .Values.charts.minio.repository }}"

 releases:
  - name: "opendesk-otterize"
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -60,7 +60,7 @@ podSecurityContext:
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"

-replicaCount: 1
+replicaCount: {{ .Values.replicas.mariadb }}

 resources:
  {{ .Values.resources.mariadb | toYaml | nindent 2 }}
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -1,6 +1,8 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+architecture: {{ if gt .Values.replicas.memcached 1 }}"high-availability"{{ else }}"standalone"{{ end }}
+
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -62,7 +62,7 @@ livenessProbe:
  periodSeconds: 10
  timeoutSeconds: 10

-mode: "standalone"
+mode: {{ if gt .Values.replicas.minio 1 }}"distributed"{{ else }}"standalone"{{ end }}

 metrics:
  serviceMonitor:
@@ -94,7 +94,7 @@ provisioning:
    - name: "openxchange"
      versioning: true
      withLock: false
-    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }} 
+    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
      versioning: false
      withLock: false
    - name: "nextcloud"
@@ -192,6 +192,6 @@ startupProbe:
  timeoutSeconds: 10

 statefulset:
-  replicaCount: {{ .Values.replicas.minioDistributed }}
+  replicaCount: {{ .Values.replicas.minio }}

 ...
--- a/helmfile/apps/services/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -26,7 +26,7 @@ podSecurityContext:
 postgres:
  user: "postgres"

-replicaCount: 1
+replicaCount: {{ .Values.replicas.postgres }}

 global:
  imagePullSecrets:
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -12,126 +12,144 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/\
+      {{ .Values.charts.umsGuardianManagementApi.repository }}"
  - name: "ums-guardian-management-ui-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/\
+      {{ .Values.charts.umsGuardianManagementUi.repository }}"
  - name: "ums-guardian-authorization-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/\
+      {{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
  - name: "ums-open-policy-agent-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/\
+      {{ .Values.charts.umsOpenPolicyAgent.repository }}"
  - name: "ums-ldap-server-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsLdapServer.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/\
+      {{ .Values.charts.umsLdapServer.repository }}"
  - name: "ums-ldap-notifier-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsLdapNotifier.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/\
+      {{ .Values.charts.umsLdapNotifier.repository }}"
  - name: "ums-udm-rest-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUdmRestApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/\
+      {{ .Values.charts.umsUdmRestApi.repository }}"
  - name: "ums-stack-data-ums-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsStackDataUms.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/\
+      {{ .Values.charts.umsStackDataUms.repository }}"
  - name: "ums-stack-data-swp-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsStackDataSwp.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/\
+      {{ .Values.charts.umsStackDataSwp.repository }}"
  - name: "ums-portal-server-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalServer.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/\
+      {{ .Values.charts.umsPortalServer.repository }}"
  - name: "ums-notifications-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsNotificationsApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/\
+      {{ .Values.charts.umsNotificationsApi.repository }}"
  - name: "ums-portal-listener-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalListener.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/\
+      {{ .Values.charts.umsPortalListener.repository }}"
  - name: "ums-portal-frontend-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalFrontend.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/\
+      {{ .Values.charts.umsPortalFrontend.repository }}"
  - name: "ums-umc-gateway-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUmcGateway.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/\
+      {{ .Values.charts.umsUmcGateway.repository }}"
  - name: "ums-umc-server-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUmcServer.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/\
+      {{ .Values.charts.umsUmcServer.repository }}"
  - name: "ums-selfservice-listener-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsSelfserviceListener.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/\
+      {{ .Values.charts.umsSelfserviceListener.repository }}"
  - name: "ums-provisioning-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsProvisioning.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/{{ .Values.charts.umsProvisioning.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/\
+      {{ .Values.charts.umsProvisioning.repository }}"

  # Univention Keycloak Extensions
  - name: "ums-keycloak-extensions-repo"
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/\
+      {{ .Values.charts.umsKeycloakExtensions.repository }}"
  # Univention Keycloak
  - name: "ums-keycloak-repo"
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
@@ -139,14 +157,16 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/\
+      {{ .Values.charts.umsKeycloak.repository }}"
  - name: "ums-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/\
+      {{ .Values.charts.umsKeycloakBootstrap.repository }}"
  - name: "opendesk-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
@@ -163,7 +183,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/\
+      {{ .Values.charts.nginx.repository }}"

 releases:
  - name: "ums-keycloak"
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl
@@ -83,6 +83,8 @@ image:
        path: "/univention/portal/custom/"
    tls: {}

+replicaCount: {{ .Values.replicas.umsPortalFrontend }}
+
 resources:
  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}

--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -27,6 +27,8 @@ portalServer:
    enabled: true
    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}

+replicaCount: {{ .Values.replicas.umsPortalServer }}
+
 resources:
  {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}

--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
@@ -46,7 +46,8 @@ stackDataContext:
  umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
-  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
+  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
+  initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}

 stackDataUms:
  loadDevData: true
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
@@ -27,6 +27,8 @@ image:
 resources:
  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}

+replicaCount: {{ .Values.replicas.umsUdmRestApi }}
+
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -13,7 +13,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/\
+      {{ .Values.charts.xwiki.repository }}"

 releases:
  - name: "xwiki"
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -161,7 +161,8 @@ properties:
    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "{{ .Values.theme.texts.productName }} Wissen - $!tdoc.displayTitle"

-replicaCount: {{ .Values.replicas.xwiki }}
+cluster:
+  replicas: {{ .Values.replicas.xwiki }}

 resources:
  {{ .Values.resources.xwiki | toYaml | nindent 2 }}
@@ -173,11 +174,4 @@ service:
 volumePermissions:
  enabled: true

-prometheus:
-  javaagent:
-    enabled: {{ .Values.prometheus.podMonitors.enabled }}
-  podmonitor:
-    enabled: {{ .Values.prometheus.podMonitors.enabled }}
-    labels:
-      {{- toYaml .Values.prometheus.podMonitors.labels | nindent 6 }}
 ...
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -86,7 +86,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -98,7 +98,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -160,7 +160,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neoboard-widget"
-    version: "3.4.1"
+    version: "3.5.0"
    verify: true
    # @supplier: "openDesk"

@@ -172,7 +172,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neochoice-widget"
-    version: "3.4.1"
+    version: "3.5.0"
    verify: true
    # @supplier: "openDesk"

@@ -184,7 +184,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neodatefix-bot"
-    version: "3.4.1"
+    version: "3.5.0"
    verify: true
    # @supplier: "openDesk"

@@ -196,7 +196,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neodatefix-widget"
-    version: "3.4.1"
+    version: "3.5.0"
    verify: true
    # @supplier: "openDesk"

@@ -208,7 +208,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -280,7 +280,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "1.0.6"
+    version: "1.0.7"
    verify: true
    # @supplier: "openDesk"

@@ -405,7 +405,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -417,7 +417,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -429,7 +429,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -651,7 +651,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "stack-data-swp"
-    version: "0.41.8"
+    version: "0.44.0"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -665,7 +665,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "stack-data-ums"
-    version: "0.41.8"
+    version: "0.44.0"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
--- a/helmfile/environments/default/global.generated.yaml
+++ b/helmfile/environments/default/global.generated.yaml
@@ -1,7 +1,7 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 global:
  systemInformation:
-    releaseVersion: "v0.5.77"
+    releaseVersion: "v0.5.78"
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -50,7 +50,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
-    tag: "1.8.2@sha256:0595292e824c039e9c088a845b3d49c6be93d46f9f99090783eb20cb1fc27227"
+    tag: "1.11.0@sha256:633cc31a4c312cdb072136247ac382463ddbc458a5c57e139241394acee9baaf"
    # @supplier: "Element"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['1', '8', '0']
@@ -174,7 +174,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
-    tag: "1.4.0@sha256:da04d6c3c3e07ec1fcb6ecec245adc48897f107a2ab84c39d8924de951744d9f"
+    tag: "1.14.0@sha256:c15bbe47e7d04f25fedf9cafce8825254db2b968e3c97cf9a507891efc0992e3"
    # @supplier: "Nordeck"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['1', '4', '0']
@@ -198,7 +198,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-bot"
-    tag: "2.7.0@sha256:31e7b1fae0bdd3d712f8be1472f5b90dd567994c09a14aa5522a4ce94a1a7507"
+    tag: "2.8.0@sha256:db1d99c13a9facfd08a7da1d0a9c7c05715bad47110e93649ad6b389e462b42c"
    # @supplier: "Nordeck"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['2', '7', '0']
@@ -210,7 +210,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-widget"
-    tag: "1.6.0@sha256:d213a410d6fb92f63aafa26517a55ffded5cf47b5314dfadc6e28ce8ede4965f"
+    tag: "1.6.1@sha256:70bebd9293a977124a5da955e1a520381129d476d6414a083093c1b48a55dadd"
    # @supplier: "Nordeck"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['1', '6', '0']
@@ -586,7 +586,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.41.5@sha256:9978e5eae3846e3c32effb2e602136d8855aaec287fb280a54b311defab2fbf3"
+    tag: "0.44.0@sha256:c08d619880537c03ebdcdc19fa9746bf5098e3810d85487d47676f3846c6b16c"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '41', '5']
@@ -730,7 +730,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.14.0@sha256:6f96a7479728e07c3d3311c85e1d14f7ef45f4d5bc5c9a008ce62203ef232f79"
+    tag: "0.19.0@sha256:7c80f703faf720da159c405a140c1029fd8c12def61653737e2a772982012d5c"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '9', '4']
@@ -742,7 +742,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.14.0@sha256:5c86167d3a6ff7e85ff7e870596dd9864c1802b4f622c1f2378472744d4c4c34"
+    tag: "0.19.0@sha256:7fff6db5151b9aecffdfcd429b6eefb36a96ca14c5384183aa4246b5c0c8b133"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '9', '4']
@@ -754,7 +754,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.14.0@sha256:d608db0692f9638e53101dabaf7749a9fbc29c316194f1977bd8986444f9f472"
+    tag: "0.19.0@sha256:9a19e3a0990fba1dd2cdb1fd96ab53dcfba23717291ca1b0c87d8ed19b4c2c46"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '9', '4']
@@ -764,24 +764,24 @@ images:
    # upstreamRegistry=registry.souvap-univention.de
    # upstreamRepository=souvap/tooling/images/univention/dispatcher
    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/dispatcher"
-    tag: "0.9.5@sha256:35bfe36c0f44070a514074804f740e9f3d60d2d1386757067d392bc2ebef9f84"
+    registry: "registry.souvap-univention.de"
+    repository: "souvap/tooling/images/univention/dispatcher"
+    tag: "0.11.1@sha256:e3f9f185c21ff893a654e0f08ebd6c59ce4d7513150cac530792ad656348ecfa"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '5']
+    # @mirrorFrom: ['0', '11', '1']

  umsProvisioningEventsAndConsumerApi:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
    # upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api
    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/events-and-consumer-api"
-    tag: "0.9.5@sha256:e8e9c40ccad460e4c837b7c0108de04b1ab9faf4d385ffd280e5326731a3116b"
+    registry: "registry.souvap-univention.de"
+    repository: "souvap/tooling/images/univention/events-and-consumer-api"
+    tag: "0.11.1@sha256:c56c862e9687a9bcc0d3f808bf12b67fbc457cc1bb10d82505706572078282d6"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '5']
+    # @mirrorFrom: ['0', '11', '1']

  umsProvisioningNats:
    # renovate:
@@ -818,12 +818,12 @@ images:
    # upstreamRegistry=registry.souvap-univention.de
    # upstreamRepository=souvap/tooling/images/univention/udm-listener
    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-listener"
-    tag: "0.9.5@sha256:4550913a415e0ab17701a4475f87461836b74546cb9a89d452ac607e5b5dfdfb"
+    registry: "registry.souvap-univention.de"
+    repository: "souvap/tooling/images/univention/udm-listener"
+    tag: "0.11.1@sha256:27e01c9941d19a60ced4aeac84a64a4ef566d764302ac892256b9b5dc3d7548f"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '5']
+    # @mirrorFrom: ['0', '11', '1']

  umsSelfserviceInvitation:
    # renovate:
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -10,7 +10,7 @@ persistence:
    dovecot: "1Gi"
    mariadb: "1Gi"
    matrixNeoDateFixBot: "1Gi"
-    minio: "1Gi"
+    minio: "10Gi"
    postfix: "1Gi"
    postgresql: "1Gi"
    prosody: "1Gi"
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -1,6 +1,8 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+# Before increasing the replicas of components, please consult the scaling documentation at "docs/scaling.md" to ensure
+# that scaling of the respective component is possible and has the desired effect.
 replicas:
  # clamav-simple
  clamav: 1
@@ -21,6 +23,7 @@ replicas:
  jitsiKeycloakAdapter: 1
  jvb: 1
  keycloak: 1
+  mariadb: 1
  matrixNeoBoardWidget: 1
  matrixNeoChoiceWidget: 1
  matrixNeoDateFixBot: 1
@@ -29,15 +32,21 @@ replicas:
  memcached: 1
  # clamav-distributed
  milter: 1
-  minioDistributed: 4
+  minio: 1
  nextcloudApache2: 1
  nextcloudExporter: 1
  nextcloudPHP: 1
-  openproject: 1
+  openprojectWeb: 1
+  openprojectWorker: 1
+  oxConnector: 1
  postfix: 1
+  postgres: 1
  redis: 1
  synapse: 1
  synapseWeb: 1
+  umsPortalFrontend: 1
+  umsPortalServer: 1
+  umsUdmRestApi: 1
  wellKnown: 1
  xwiki: 1
 ...
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -14,16 +14,21 @@ secrets:
  univentionManagementStack:
    ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
    ldapSearch:
-      keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_keycloak" | sha1sum | quote }}
-      nextcloud: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_nextcloud" | sha1sum | quote }}
-      dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_dovecot" | sha1sum | quote }}
-      ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum | quote }}
-      openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum | quote }}
-      xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum | quote }}
+      keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_keycloak" | sha1sum | quote }}
+      nextcloud: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_nextcloud" | sha1sum | quote }}
+      dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_dovecot" | sha1sum | quote }}
+      ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_ox" | sha1sum | quote }}
+      openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_openproject" | sha1sum | quote }}
+      xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_xwiki" | sha1sum | quote }}
    defaultAccounts:
-      administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }}
-      userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
-      adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum | quote }}
+      userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "default_accounts_user_password" | sha1sum | quote }}
+      adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "default_accounts_user_admin" | sha1sum | quote }}
+    systemAccounts:
+      administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "Administrator" | sha1sum | quote }}
+      sysIdpUserPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "sysIdpUser" | sha1sum | quote }}
+    storeDavUsers:
+      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
+      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
  postgresql:
    postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
    keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -16,7 +16,7 @@ seLinuxOptions:
  icap: ~
  intercom: ~
  # The Jibri Helm chart does not support setting the securityContext externally.
-  #jibri: ~
+  # jibri: ~
  jicofo: ~
  jitsi: ~
  jitsiKeycloakAdapter: ~
--- a/helmfile/environments/test/values.yaml.gotmpl
+++ b/helmfile/environments/test/values.yaml.gotmpl
@@ -5,6 +5,9 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imagePullSecrets:
+    - "kyverno-test"
+  imagePullPolicy: "kyverno"
 persistence:
  storageClassNames:
    RWX: "kyverno-test"
@@ -25,6 +28,56 @@ persistence:
      ldapServerShared: "42Gi"
      portalListener: "42Gi"
      selfserviceListener: "42Gi"
-      storeDav: "42Gi"
    xwiki: "42Gi"
+ingress:
+  ingressClassName: "kyverno"
+  tls:
+    enabled: true
+    secretName: "kyverno-tls"
+replicas:
+  # clamav-simple
+  clamav: 42
+  # clamav-distributed
+  clamd: 42
+  collabora: 42
+  cryptpad: 42
+  dovecot: 42
+  element: 42
+  # clamav-distributed
+  freshclam: 42
+  # clamav-distributed
+  icap: 42
+  intercomService: 42
+  jibri: 42
+  jicofo: 42
+  jitsi: 42
+  jitsiKeycloakAdapter: 42
+  jvb: 42
+  keycloak: 42
+  mariadb: 42
+  matrixNeoBoardWidget: 42
+  matrixNeoChoiceWidget: 42
+  matrixNeoDateFixBot: 42
+  matrixNeoDateFixWidget: 42
+  matrixUserVerificationService: 42
+  memcached: 42
+  # clamav-distributed
+  milter: 42
+  minio: 42
+  nextcloudApache2: 42
+  nextcloudExporter: 42
+  nextcloudPHP: 42
+  openprojectWeb: 42
+  openprojectWorker: 42
+  oxConnector: 42
+  postfix: 42
+  postgres: 42
+  redis: 42
+  synapse: 42
+  synapseWeb: 42
+  umsPortalFrontend: 42
+  umsPortalServer: 42
+  umsUdmRestApi: 42
+  wellKnown: 42
+  xwiki: 42
 ...
Author	SHA1	Message	Date
Milton Moura	e0ff58a3a4	fix(element): Update Element Web to v1.11.59 with widget sync fix and NeoBoard to 1.14.0 Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-03-14 12:58:27 -01:00
Milton Moura	c9cca9e357	fix(element): Update to EW release image and related release charts Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-28 12:28:22 -01:00
Milton Moura	2b7ce2ae49	fix(element): Final tests before final MR Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-28 10:58:10 -01:00
Milton Moura	54e4664bf2	fix(element): Add widget toggles module config Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-28 09:26:27 -01:00
Milton Moura	89e4af80d2	feat(element): Adds Widget toggles module and e2ee + sticky room EW fixes Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-27 16:38:10 -01:00
Milton Moura	7f2b39cb46	feat(element): Enable E2EE for Element Web and NeoDateFix Bot Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-23 07:51:14 +00:00
Thorsten Roßner	de190bfb7d	chore(release): 0.5.78 [skip ci] ## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23) ### Bug Fixes * ci: Move main development repo OpenCoDE ([`43718b8`](`43718b8da2`)) * ci: Run release pipeline only on pushes to main ([`13dcb00`](`13dcb00441`)) * ci: Update kyverno rules ([`d9263c9`](`d9263c9011`)) * docs: Add missing footnote regarding Nubus ([`bc6e4f8`](`bc6e4f8e5d`)) * nextcloud: Set admin priviledges for users in central IAM ([`a3e415d`](`a3e415d575`)) * univention-management-stack: Scaling udm-rest-api ([`57d0f61`](`57d0f61b2c`)) * univention-management-stack: Set Keycloak CSP header to allow session continuation in admin portal. ([`a398e5a`](`a398e5aaf1`)) * univention-management-stack: UMS portal-server scalability ([`b1b4c28`](`b1b4c28618`)) * univention-management-stack: Univention Portal upstream codefixes version bump ([`c2f62f7`](`c2f62f7c94`)) * univention-management-stack: Update provisioning to fix high CPU usage when in idle ([`d9c23bd`](`d9c23bdf0b`))	2024-02-23 06:05:20 +00:00
Thorsten Roßner	bc6e4f8e5d	fix(docs): Add missing footnote regarding Nubus	2024-02-22 20:17:00 +01:00
Thorsten Roßner	a398e5aaf1	fix(univention-management-stack): Set Keycloak CSP header to allow session continuation in admin portal.	2024-02-22 18:47:53 +00:00
jconde	57d0f61b2c	fix(univention-management-stack): Scaling udm-rest-api	2024-02-22 19:42:01 +01:00
Dominik Kaminski	d9263c9011	fix(ci): Update kyverno rules	2024-02-21 12:04:33 +00:00
openDesk Bot	d9c23bdf0b	fix(univention-management-stack): Update provisioning to fix high CPU usage when in idle	2024-02-21 11:39:44 +00:00
jconde	c2f62f7c94	fix(univention-management-stack): Univention Portal upstream codefixes version bump	2024-02-19 17:05:05 +01:00
jconde	d087b979fe	docs(univention-management-stack): Intercom Service scalability	2024-02-19 13:09:11 +01:00
jconde	b1b4c28618	fix(univention-management-stack): UMS portal-server scalability	2024-02-17 14:02:27 +00:00
Thorsten Roßner	a3e415d575	fix(nextcloud): Set admin priviledges for users in central IAM	2024-02-17 13:14:25 +01:00
Dominik Kaminski	17fa80d20a	ci(gitlab): Use direct dependency proxy url	2024-02-16 21:15:16 +01:00
Dominik Kaminski	13dcb00441	fix(ci): Run release pipeline only on pushes to main	2024-02-16 14:30:59 +01:00
Thorsten Roßner	43718b8da2	fix(ci): Move main development repo OpenCoDE	2024-02-16 13:33:48 +01:00