chore(release): 0.7.1 [skip ci]

## [0.7.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.7.0...v0.7.1) (2024-05-21)

### Bug Fixes

* **ci:** Add Renovate dependency update automation. ([650c41c](650c41c3f0))
* **cryptpad:** Update Helm chart v0.0.19 and include CryptPad app in Helmfile deployment. ([931ed95](931ed95ce1))
* **docu:** Add IdP federation documentation. ([7167055](7167055303))
* **docu:** Rename SYNAPSE_DOMAIN to MATRIX_DOMAIN. If you use SYNAPSE_DOMAIN in your deployment, ensure you set the MATRIX_DOMAIN accordingly before upgrading. ([96baa6c](96baa6cc15))
* **element:** Provide certificate for alternative Synapse domain. ([88ac239](88ac2396e6))
* **helmfile:** Use Open CoDE as default registry for Univention helm chart ([#71](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/71)). ([4e56ce4](4e56ce4073))
* **jitsi:** Bump images to stable-9457-2. ([1d47fa6](1d47fa681a))
* **jitsi:** Raise Jibri memory limits to fullfil Jibri's 2Gi /dev/shm requirement and update Helm chart; To update an existing installation you need to manually delete the `jitsi-prosody` stateful set before the update e.g. `kubectl -n <your_namespace> delete --cascade=orphan statefulsets jitsi-prosody`. Ensure you use the `--cascade=orphan` part, otherwise you have to remove and reinstall the complete deployment. ([6570c13](6570c13f3a))
* **nextcloud:** Bump to 28.0.5 incl. latest app versions. ([04d9372](04d9372cfc))
* **nubus:** Bump Keycloak to 24.0.3. ([923533d](923533d7b7))
* **nubus:** Enable 2FA for group "Domain Admins" by default. ([1179669](11796699bb))
* **nubus:** Update keycloak-bootstap and keycloak-extensions. ([1c6666f](1c6666fe45))
* **open-xchange:** Support change of username. ([b2cfa8b](b2cfa8b996))
* **openproject:** Bump version to 14.0.1, update Helm chart to 4.5.0. ([e085211](e0852119e8))

.gitlab-ci.yml

@@ -26,6 +26,7 @@ include:
 
 stages:
   - ".pre"
+  - "renovate"
   - "scan"
   - "automr"
   - "env-cleanup"
@@ -60,7 +61,8 @@ variables:
       - "yes"
       - "no"
   DEBUG_ENABLED:
-    description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
+    description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific\
+     configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
     value: "no"
     options:
       - "yes"
@@ -149,6 +151,12 @@ variables:
     options:
       - "yes"
       - "no"
+  RUN_RENOVATE:
+    description: "Triggers the Renovate based check for dependency updates."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   TESTS_BRANCH:
     description: "Branch of E2E-tests on which the test pipeline is triggered"
     value: "main"
@@ -539,12 +547,15 @@ avscan-start:
 
 # Overwrite shared settings
 .common-semantic-release:
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release-patched:1.0.0"
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release-patched:latest"
   tags: []
 
 conventional-commits-linter:
   rules:
-    - if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+    - if: >
+          $RUN_RENOVATE == "yes" ||
+          $JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' ||
+          $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'
       when: "never"
     - when: "always"
 
@@ -623,4 +634,21 @@ release:
     - "semantic-release"
   needs:
     - "generate-docs"
+
+renovate:
+  rules:
+    - if: >
+        $RUN_RENOVATE == "yes"
+      when: "on_success"
+  # The `-full` image does not install the dependencies on the fly, that is our preferred approach
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/renovate/renovate:37.356-full"
+  variables:
+    RENOVATE_CONFIG_FILE: "${CI_PROJECT_DIR}/.renovate/config.yaml"
+    RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
+    # Increase the renovatebot log level on stdout
+    LOG_LEVEL: "DEBUG"
+  script:
+    - "renovate ${RENOVATE_EXTRA_FLAGS}"
+  stage: "renovate"
+
 ...

.gitlab/lint/lint-opendesk.yml

@@ -7,6 +7,11 @@ include:
 lint-opendesk:
   extends: ".lint-common"
   image: "${OPENDESK_CI_CLI_IMAGE}"
+  rules:
+    - if: >
+        $RUN_RENOVATE == "yes"
+      when: "never"
+    - when: "always"
   script:
     - "node /app/src/index.js sort-all -d ${CI_PROJECT_DIR}/helmfile"
     - "git diff --exit-code"

.gitlab/merge_request_templates/Default.md

@@ -0,0 +1,16 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# Summary
+
+- *describe the reason for/content of the MR*
+
+# Commits
+
+%{all_commits}
+
+# Authors
+
+%{co_authored_by}

.renovate/config.yaml

@@ -0,0 +1,90 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+# Platform type of repository
+platform: "gitlab"
+
+# Enable onboarding merge request
+onboarding: false
+
+# If set to true: keep repository data between runs instead of deleting the data
+persistRepoData: false
+
+# Controls Renovate's behavior regarding repository config files such as renovate.json
+requireConfig: "ignored"
+
+# List of Repositories
+# See: https://docs.renovatebot.com/configuration-options/
+repositories:
+  - repository: "bmi/opendesk/deployment/opendesk"
+    # Set the branch to read current dependency state from, this is especially useful during
+    # renovate setup when looking into your feature branch or when your default branch is
+    # not the one you want to check on.
+    baseBranches: [ "develop" ]
+    # Prefix to use for all branch names created by renovate bot (default: "renovate/")
+    branchPrefix: "renovate/"
+    # Lowercase merge request and commit titles ("never" = leave titles untouched )
+    commitMessageLowerCase: "never"
+    # Commit scope to use if Semantic Commits are enabled (fix(<scope>)...)
+    semanticCommitScope: "renovate"
+    # Commit type to use if Semantic Commits are enabled (default: "chore")
+    semanticCommitType: "chore"
+    # Enable dependency dashboard
+    dependencyDashboard: true
+    # Include package files only within these defined paths
+    includePaths:
+      - "helmfile/environments/default/images.yaml"
+      - "helmfile/environments/default/charts.yaml"
+    customManagers:
+      - customType: "regex"
+        fileMatch:
+          - "helmfile/environments/default/images.yaml"
+        datasourceTemplate: "docker"
+        matchStrings:
+          # yamllint disable rule:line-length rule:quoted-strings
+          - ' providerResponsible: "(?<depType>.+?)"[\s\S]+? upstreamRegistry: "(?<registryUrl>.+?)"[\s\S]+? upstreamRepository: "(?<depName>.+?)"[\s\S]+? tag: "(?<currentValue>[^@]+)@(?<currentDigest>sha256:[a-f0-9]+)"'
+          # yamllint enable rule:line-length rule:quoted-strings
+      - customType: "regex"
+        fileMatch:
+          - "helmfile/environments/default/charts.yaml"
+        datasourceTemplate: "docker"
+        matchStrings:
+          # yamllint disable rule:line-length rule:quoted-strings
+          - ' providerResponsible: "(?<depType>.+?)"[\s\S]+? upstreamRegistry: "(?<registryUrl>.+?)"[\s\S]+? upstreamRepository: "(?<depName>.+?)"[\s\S]+? version: "(?<currentValue>.+?)"'
+          # yamllint enable rule:line-length rule:quoted-strings
+    # Rules for matching packages
+    packageRules:
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "openDesk" ]
+        groupName: "Platform"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "Collabora" ]
+        groupName: "Collabora"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "Element" ]
+        groupName: "Element"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "Nordeck" ]
+        groupName: "Nordeck"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "Open-Xchange" ]
+        groupName: "Open-Xchange"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "OpenProject" ]
+        groupName: "OpenProject"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "OpenProject" ]
+        groupName: "OpenProject"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "Univention" ]
+        groupName: "Univention"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "XWiki" ]
+        groupName: "XWiki"
+    # Add merge request labels
+    labels:
+      - "renovate"
+    # Enable custom regex manager only
+    enabledManagers:
+      - "custom.regex"
+...

CHANGELOG.md

@@ -1,3 +1,23 @@
+## [0.7.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.7.0...v0.7.1) (2024-05-21)
+
+
+### Bug Fixes
+
+* **ci:** Add Renovate dependency update automation. ([650c41c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/650c41c3f04b6c7c04a1d5eca76aba7f75e14b96))
+* **cryptpad:** Update Helm chart v0.0.19 and include CryptPad app in Helmfile deployment. ([931ed95](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/931ed95ce16d5be6bde7ea1c1140406f00fef060))
+* **docu:** Add IdP federation documentation. ([7167055](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7167055303bdbe9ad677b16635089c0328a849ff))
+* **docu:** Rename SYNAPSE_DOMAIN to MATRIX_DOMAIN. If you use SYNAPSE_DOMAIN in your deployment, ensure you set the MATRIX_DOMAIN accordingly before upgrading. ([96baa6c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/96baa6cc15bac8d3ce315132699e301093d5d6d8))
+* **element:** Provide certificate for alternative Synapse domain. ([88ac239](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/88ac2396e6888e0f28a80ceebaa0f51d2ba436ee))
+* **helmfile:** Use Open CoDE as default registry for Univention helm chart ([#71](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/71)). ([4e56ce4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4e56ce4073105003dffbcaa91af473c1f707cd13))
+* **jitsi:** Bump images to stable-9457-2. ([1d47fa6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1d47fa681adf29e4b4ca432a9d5390972098d2e0))
+* **jitsi:** Raise Jibri memory limits to fullfil Jibri's 2Gi /dev/shm requirement and update Helm chart; To update an existing installation you need to manually delete the `jitsi-prosody` stateful set before the update e.g. `kubectl -n <your_namespace> delete --cascade=orphan statefulsets jitsi-prosody`. Ensure you use the `--cascade=orphan` part, otherwise you have to remove and reinstall the complete deployment. ([6570c13](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6570c13f3a3ad5864de5afe6afb4c60483cd489f))
+* **nextcloud:** Bump to 28.0.5 incl. latest app versions. ([04d9372](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/04d9372cfccc80145962faf4c2387949a43c8f2c))
+* **nubus:** Bump Keycloak to 24.0.3. ([923533d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/923533d7b7527de728f73813397ed0c2a0427da5))
+* **nubus:** Enable 2FA for group "Domain Admins" by default. ([1179669](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/11796699bb551f8b83badd13204654c880b65efe))
+* **nubus:** Update keycloak-bootstap and keycloak-extensions. ([1c6666f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1c6666fe45fb7acd83c26b5f2b808fce3fb9e20b))
+* **open-xchange:** Support change of username. ([b2cfa8b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b2cfa8b9965ce50f593295c80c363bad7ef0454e))
+* **openproject:** Bump version to 14.0.1, update Helm chart to 4.5.0. ([e085211](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e0852119e8e248431f51a86e3bd5177cef0b1e93))
+
 # [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)
 
 

README.md

@@ -37,8 +37,8 @@ openDesk currently features the following functional main components:
 | Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [14.0.1](https://www.openproject.org/docs/release-notes/14-0-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
-| Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
+| Videoconferencing    | Jitsi                       | [2.0.9457](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9457)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [23.05.10.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practises regarding container design and operations.

docs/development.md

@@ -84,12 +84,12 @@ with the many available examples in the yaml files.
 Example:
 ```
   synapse:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Element'
+    # providerResponsible: "Element"
-    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: 'matrixdotorg/synapse'
+    # upstreamRepository: "matrixdotorg/synapse"
     # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '91', '2']
+    # upstreamMirrorStartFrom: ["1", "91", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
     tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
@@ -99,9 +99,9 @@ Example:
 
 Uses a regular expression to match the values of the following attributes:
 
-- `registry`
+- `# upstreamRegistry` *required*: Attribute's value must be prefixed with `https://` for Renovate.
-- `repository`
+- `# upstreamrepository` *required*
-- `tag`
+- `tag` *required*
 
 Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).
 
@@ -118,7 +118,7 @@ configured to pull artefacts that do not originate from Open CoDE into projects
 The mirror script takes the information on what artefacts to mirror from the annotation inside the two yaml files:
 - `# upstreamRegistry` *required*: To identify the source registry
 - `# upstreamRepository` *required*: To identify the source repository
-- `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression.
+- `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression. **Note:** You have to use single quotes for this attribute's value in case you use backslash leading regex notation like `\d`.
 - `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artefacts beginning with a specific version. You must use capturing groups
   in `# upstreamMirrorTagFilterRegEx` to identify the single numeric elements of the version within the tag and use per capturing group (left to right) one numeric array
   element here to define the version the mirror should start with.

docs/enhanced-configuration.md

@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 
 # Overview
 
-The follownig enhanced configuration use cases are described in separate documents.
+The following enhanced configuration use cases are described in separate documents.
 
 - [Separate mail & Matrix domain](enhanced-configuration/separate-mail-matrix-domain.md)
 - [Federation with external identity provider](enhanced-configuration/idp-federation.md)

docs/enhanced-configuration/separate-mail-matrix-domain.md

@@ -66,3 +66,20 @@ This setup requires also a different DNS setup:
 | _matrix._tcp.my_organization.tld | SRV  | `1 10 PORT matrix.opendesk.domain.tld` | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
 
 *Note:* `matrix.opendesk.domain.tld` in the "Value" column can also be the IP address where synapse TLS port is listening to.
+
+If you want to use other Matrix clients,
+e.g., Element Messenger for [iOS](https://apps.apple.com/de/app/element-messenger/id1083446067)
+or [Android](https://play.google.com/store/apps/details?id=im.vector.app),
+you need to create a JSON file with the following contents that is served from
+`https://my_organization.tld/.well-known/matrix/client`:
+
+```json
+{
+  "m.homeserver": {
+    "base_url": "https://matrix.opendesk.domain.tld"
+  }
+}
+```
+
+This ensures clients know where to find the Matrix protocol endpoint when users specify `my_organization.tld`
+as their homeserver.

helmfile.yaml

@@ -12,6 +12,7 @@ helmfiles:
   - path: "helmfile/apps/open-xchange/helmfile.yaml"
   - path: "helmfile/apps/nextcloud/helmfile.yaml"
   - path: "helmfile/apps/collabora/helmfile.yaml"
+  - path: "helmfile/apps/cryptpad/helmfile.yaml"
   - path: "helmfile/apps/jitsi/helmfile.yaml"
   - path: "helmfile/apps/element/helmfile.yaml"
   - path: "helmfile/apps/openproject/helmfile.yaml"

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -247,6 +247,8 @@ appsuite:
     propertiesFiles:
       /opt/open-xchange/etc/AdminDaemon.properties:
         MASTER_ACCOUNT_OVERRIDE: "true"
+      /opt/open-xchange/etc/AdminUser.properties:
+        USERNAME_CHANGEABLE: "true"
       /opt/open-xchange/etc/system.properties:
         SERVER_NAME: "oxserver"
       /opt/open-xchange/etc/ldapauth.properties:

helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -28,6 +28,8 @@ config:
     intraCluster:
       enabled: true
       internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+  twoFactorSettings:
+    additionalGroups: {{ .Values.authentication.twoFactor.groups }}
   custom:
     clientScopes:
       - name: "read_contacts"

helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl

@@ -440,7 +440,7 @@ portal-server:
     {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
 
 provisioning:
-  enabled: true
+  enabled: false
   api:
     image:
       registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
@@ -463,8 +463,6 @@ provisioning:
         - name: {{ . | quote }}
         {{- end }}
     credentialSecretName: "ums-provisioning-dispatcher-credentials"
-    config:
-      UDM_HOST: "ums-udm-rest-api"
   prefill:
     image:
       registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
@@ -476,19 +474,69 @@ provisioning:
         - name: {{ . | quote }}
         {{- end }}
     credentialSecretName: "ums-provisioning-prefill-credentials"
-  register_consumers:
+  nats:
-    image:
+    config:
-      registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
+      authorization:
-      repository: {{ .Values.images.umsWaitForDependency.repository }}
+        enabled: false
-      pullPolicy: {{ .Values.global.imagePullPolicy }}
+        users:
-      tag: {{ .Values.images.umsWaitForDependency.tag }}
+          - user: "admin"
-      pullSecrets:
+            password: "$NATS_PASSWORD"
-        {{- range .Values.global.imagePullSecrets }}
+            permissions:
-        - name: {{ . | quote }}
+              publish: ">"
-        {{- end }}
+              subscribe: ">"
-    credentialSecretName: "ums-provisioning-register-consumers-credentials"
+          - user: "$NATS_API_USER"
-    jsonSecretName: "ums-provisioning-register-consumers-json-secrets"
+            password: "$NATS_API_PASSWORD"
-    provisioningApiBaseUrl: "http://ums-provisioning-api/internal/admin/v1/subscriptions"
+            permissions:
+              publish: ">"
+              subscribe: ">"
+          - user: "$NATS_DISPATCHER_USER"
+            password: "$NATS_DISPATCHER_PASSWORD"
+            permissions:
+              publish: ">"
+              subscribe: ">"
+          - user: "$NATS_PREFILL_USER"
+            password: "$NATS_PREFILL_PASSWORD"
+            permissions:
+              publish: ">"
+              subscribe: ">"
+    extraEnvVars:
+      - name: NATS_USER
+        value: "admin"
+      - name: NATS_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-nats-credentials
+            key: admin_password
+      - name: NATS_API_USER
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-api-credentials
+            key: NATS_USER
+      - name: NATS_API_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-api-credentials
+            key: NATS_PASSWORD
+      - name: NATS_DISPATCHER_USER
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-dispatcher-credentials
+            key: NATS_USER
+      - name: NATS_DISPATCHER_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-dispatcher-credentials
+            key: NATS_PASSWORD
+      - name: NATS_PREFILL_USER
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-prefill-credentials
+            key: NATS_USER
+      - name: NATS_PREFILL_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-prefill-credentials
+            key: NATS_PASSWORD
   nats:
     nats:
       image:
@@ -509,13 +557,14 @@ provisioning:
         imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
         tag: {{ .Values.images.umsNatsReloader.tag | quote }}
 
+
   ingress:
     host: "localhost"
     tls:
       enabled: false
 
 udm-listener:
-  enabled: true
+  enabled: false
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
     repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
@@ -526,18 +575,15 @@ udm-listener:
       - name: {{ . | quote }}
       {{- end }}
   config:
+    debugLevel: "4"
     ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
     ldapHost: {{ .Values.ldap.host | quote }}
     ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
     ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
     ldapPort: "389"
-    internalApiHost: "ums-provisioning-api"
     notifierServer: "ums-ldap-notifier"
+    tlsMode: "off"
     natsHost: "ums-provisioning-nats"
-    natsUser: {{ .Values.provisioning.udmListener.nats.username | quote }}
-    natsPassword: {{ .Values.provisioning.udmListener.nats.password | default .Values.secrets.univentionManagementStack.provisioning.udmListener.nats.password | quote }}
-    eventsUsernameUdm: {{ .Values.provisioning.api.udmListener.username | quote }}
-    eventsPasswordUdm: {{ .Values.provisioning.api.udmListener.password | default .Values.secrets.univentionManagementStack.provisioning.api.udmListener.password | quote }}
 
 stack-data-ums:
   enabled: true
@@ -1007,38 +1053,44 @@ keycloak-bootstrap:
     deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
     keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
 
-  config:
+  keycloak:
-    keycloak:
+    connection:
-      adminUser: "kcadmin"
+      baseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
-      adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+    auth:
+      username: "kcadmin"
+      password: {{ .Values.secrets.keycloak.adminPassword | quote }}
       realm: {{ .Values.platform.realm | quote }}
-      intraCluster:
+  ldap:
-        enabled: true
+    baseDn: {{ .Values.ldap.baseDn | quote }}
-        internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+    connection:
-      loginLinks:
+      host: {{ .Values.ldap.host | quote }}
-        - link_number: 1
+      port: "389"
-          language: "de"
+      protocol: "ldap"
-          description: "Passwort vergessen?"
+    auth:
-          href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
+      bindDn: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
-        - link_number: 1
+      password: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
-          language: "en"
+
-          description: "Forgot password?"
+  bootstrap:
-          href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
+    ldapMappers:
-    ums:
+      - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
-      ldap:
+      - ldapAndUserModelAttributeName: "oxContextIDNum"
-        internalHostname: {{ .Values.ldap.host | quote }}
+    loginLinks:
-        baseDN: {{ .Values.ldap.baseDn | quote }}
+      - link_number: 1
-        readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
+        language: "de"
-        readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
+        description: "Passwort vergessen?"
-        mappers:
+        href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
-          - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
+      - link_number: 1
-          - ldapAndUserModelAttributeName: "oxContextIDNum"
+        language: "en"
-      saml:
+        description: "Forgot password?"
-        serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
     twoFactorAuthentication:
       enabled: true
       group: "2fa-users"
 
+  config:
+    saml:
+      serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+
   containerSecurityContext:
     enabled: true
     allowPrivilegeEscalation: false
@@ -1069,11 +1121,13 @@ keycloak-bootstrap:
 keycloak-extensions:
   enabled: true
   keycloak:
-    host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+    connection:
-    adminUsername: "kcadmin"
+      host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
-    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+    auth:
-    adminRealm: "master"
+      username: "kcadmin"
-    realm: {{ .Values.platform.realm | quote }}
+      password: {{ .Values.secrets.keycloak.adminPassword | quote }}
+      masterRealm: "master"
+      realm: {{ .Values.platform.realm | quote }}
   postgresql:
     connection:
       host: {{ .Values.databases.keycloakExtension.host | quote }}
@@ -1082,6 +1136,13 @@ keycloak-extensions:
       database: {{ .Values.databases.keycloakExtension.name | quote }}
       username: {{ .Values.databases.keycloakExtension.username | quote }}
       password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
+  smtp:
+    connection:
+      host: {{ .Values.smtp.host | quote }}
+      port: {{ .Values.smtp.port | quote }}
+    auth:
+      username: {{ .Values.smtp.username | quote }}
+      password: {{ .Values.smtp.password | quote }}
   handler:
     replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
     podAnnotations:
@@ -1099,10 +1160,6 @@ keycloak-extensions:
       ipProtectionEnable: true
       logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
       newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      smtpPassword: {{ .Values.smtp.password | quote }}
-      smtpHost: {{ .Values.smtp.host | quote }}
-      smtpPort: {{ .Values.smtp.port | quote }}
-      smtpUsername: {{ .Values.smtp.username | quote }}
       mailFrom: "noreply@{{ .Values.global.domain }}"
     securityContext:
       allowPrivilegeEscalation: false
@@ -1501,6 +1558,23 @@ extraSecrets:
   - name: ums-portal-server-authenticator-credentials
     stringData:
       authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  - name: ums-provisioning-api-credentials
+    stringData:
+      NATS_USER: "api"
+      NATS_PASSWORD: "password"
+  - name: ums-provisioning-dispatcher-credentials
+    stringData:
+      UDM_USERNAME: "cn=admin"
+      UDM_PASSWORD: "password"
+      NATS_USER: "dispatcher"
+      NATS_PASSWORD: "password"
+  - name: ums-provisioning-prefill-credentials
+    stringData:
+      NATS_USER: "prefill"
+      NATS_PASSWORD: "password"
+  - name: ums-provisioning-nats-credentials
+    stringData:
+      admin_password: "nimda"
   - name: ums-udm-rest-api-credentials
     stringData:
       ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
@@ -1515,53 +1589,4 @@ extraSecrets:
     stringData:
       KEYCLOAK_ADMIN_PASSWORD: {{ .Values.secrets.keycloak.adminPassword | quote }}
       GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-
-
-  - name: ums-provisioning-nats-credentials
-    stringData:
-      admin_password: {{ .Values.provisioning.nats.password | default .Values.secrets.univentionManagementStack.provisioning.nats.password | quote }}
-  - name: ums-provisioning-api-credentials
-    stringData:
-      NATS_USER: {{ .Values.provisioning.api.nats.username | quote }}
-      NATS_PASSWORD: {{ .Values.provisioning.api.nats.password | default .Values.secrets.univentionManagementStack.provisioning.api.nats.password | quote }}
-      ADMIN_NATS_USER: {{ .Values.provisioning.nats.username | quote }}
-      ADMIN_NATS_PASSWORD: {{ .Values.provisioning.nats.password | default .Values.secrets.univentionManagementStack.provisioning.nats.password | quote }}
-      ADMIN_USERNAME: {{ .Values.provisioning.api.admin.username | quote }}
-      ADMIN_PASSWORD: {{ .Values.provisioning.api.admin.password | default .Values.secrets.univentionManagementStack.provisioning.api.admin.password | quote }}
-      PREFILL_USERNAME: {{ .Values.provisioning.api.prefill.username | quote }}
-      PREFILL_PASSWORD: {{ .Values.provisioning.api.prefill.password | default .Values.secrets.univentionManagementStack.provisioning.api.prefill.password | quote }}
-      EVENTS_USERNAME_UDM: {{ .Values.provisioning.api.udmListener.username | quote }}
-      EVENTS_PASSWORD_UDM: {{ .Values.provisioning.api.udmListener.password | default .Values.secrets.univentionManagementStack.provisioning.api.udmListener.password | quote }}
-  - name: ums-provisioning-dispatcher-credentials
-    stringData:
-      UDM_USERNAME: "cn=admin"
-      UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-      NATS_USER: {{ .Values.provisioning.dispatcher.nats.username | quote }}
-      NATS_PASSWORD: {{ .Values.provisioning.dispatcher.nats.password | default .Values.secrets.univentionManagementStack.provisioning.dispatcher.nats.password | quote }}
-  - name: ums-provisioning-prefill-credentials
-    stringData:
-      NATS_USER: {{ .Values.provisioning.prefill.nats.username | quote }}
-      NATS_PASSWORD: {{ .Values.provisioning.prefill.nats.password | default .Values.secrets.univentionManagementStack.provisioning.prefill.nats.password | quote }}
-      UDM_USERNAME: "cn=admin"
-      UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-      PREFILL_USERNAME: {{ .Values.provisioning.api.prefill.username | quote }}
-      PREFILL_PASSWORD: {{ .Values.provisioning.api.prefill.password | default .Values.secrets.univentionManagementStack.provisioning.api.prefill.password | quote }}
-  - name: "ums-provisioning-udm-listener-credentials"
-    stringData:
-      NATS_USER: {{ .Values.provisioning.udmListener.nats.username | quote }}
-      NATS_PASSWORD: {{ .Values.provisioning.udmListener.nats.password | default .Values.secrets.univentionManagementStack.provisioning.udmListener.nats.password | quote }}
-      EVENTS_USERNAME_UDM: {{ .Values.provisioning.api.udmListener.username | quote }}
-      EVENTS_PASSWORD_UDM: {{ .Values.provisioning.api.udmListener.password | default .Values.secrets.univentionManagementStack.provisioning.api.udmListener.password | quote }}
-  - name: "ums-provisioning-register-consumers-credentials"
-    stringData:
-      ADMIN_USERNAME: {{ .Values.provisioning.api.admin.username | quote }}
-      ADMIN_PASSWORD: {{ .Values.provisioning.api.admin.password | default .Values.secrets.univentionManagementStack.provisioning.api.admin.password | quote }}
-  - name: "ums-provisioning-register-consumers-json-secrets"
-    stringData:
-      consumer.json: |
-        { "name": "consumer", "realms_topics": [["udm", "groups/group"]], "request_prefill": true, "password": "s0m3p4ss" }
-  - name: "ums-provisioning-selfservice-listener-credentials"
-    stringData:
-      NATS_USER: {{ .Values.provisioning.selfservice.nats.username | quote }}
-      NATS_PASSWORD: {{ .Values.provisioning.selfservice.nats.password | default .Values.secrets.univentionManagementStack.provisioning.selfservice.nats.password | quote }}
 ...

helmfile/environments/default/charts.yaml

@@ -7,215 +7,215 @@
 ---
 charts:
   certificates:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-certificates/opendesk-certificates'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates/opendesk-certificates"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
     name: "opendesk-certificates"
     version: "2.2.0"
     verify: true
   clamav:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-clamav/opendesk-clamav'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav/opendesk-clamav"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
     name: "opendesk-clamav"
     version: "4.0.5"
     verify: true
   clamavSimple:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-clamav/clamav-simple'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav/clamav-simple"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
     name: "clamav-simple"
     version: "4.0.5"
     verify: true
   collabora:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Collabora'
+    # providerResponsible: "Collabora"
-    # upstreamRegistry: 'ghcr.io/collaboraonline/charts'
+    # upstreamRegistry: "https://ghcr.io/collaboraonline/charts"
-    # upstreamRepository: 'collabora-online'
+    # upstreamRepository: "collabora-online"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '1', '8']
+    # upstreamMirrorStartFrom: ["1", "1", "8"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
-    version: "1.1.11"
+    version: "1.1.15"
     verify: true
   cryptpad:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'XWiki'
+    # providerResponsible: "XWiki"
-    # upstreamRegistry: 'ghcr.io/cryptpad/helm'
+    # upstreamRegistry: "https://ghcr.io/cryptpad/helm"
-    # upstreamRepository: 'cryptpad'
+    # upstreamRepository: "cryptpad"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '0', '17']
+    # upstreamMirrorStartFrom: ["0", "0", "17"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "cryptpad"
-    version: "0.0.18"
+    version: "0.0.19"
     verify: true
   dovecot:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'Open-Xchange'
+    # providerResponsible: "Open-Xchange"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-dovecot/dovecot'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot/dovecot"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
     version: "1.3.10"
     verify: true
   element:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
     version: "2.7.1"
     verify: true
   elementWellKnown:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-well-known'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-well-known"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
     version: "2.7.1"
     verify: true
   home:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-home'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
     name: "opendesk-home"
     version: "1.0.1"
     verify: true
   intercomService:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Univention'
+    # providerResponsible: "Univention"
-    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRegistry: "https://registry.souvap-univention.de"
-    # upstreamRepository: 'souvap/tooling/charts/intercom-service/intercom-service'
+    # upstreamRepository: "souvap/tooling/charts/intercom-service/intercom-service"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['2', '0', '1']
+    # upstreamMirrorStartFrom: ["2", "0", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "intercom-service"
     version: "2.0.1"
     verify: true
   jitsi:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-jitsi/opendesk-jitsi'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi/opendesk-jitsi"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
-    version: "1.7.8"
+    version: "1.7.9"
     verify: true
   mariadb:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-mariadb/mariadb'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-mariadb/mariadb"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-mariadb"
     name: "mariadb"
     version: "2.2.1"
     verify: true
   matrixNeoboardWidget:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neoboard-widget'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neoboard-widget"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neoboard-widget"
     version: "3.5.0"
     verify: true
   matrixNeochoiseWidget:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neochoice-widget'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neochoice-widget"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neochoice-widget"
     version: "3.5.0"
     verify: true
   matrixNeodatefixBot:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-bot'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-bot"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-bot"
     version: "3.5.0"
     verify: true
   matrixNeodatefixWidget:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-widget'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-widget"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-widget"
     version: "3.5.0"
     verify: true
   matrixUserVerificationService:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-matrix-user-verification-service'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-matrix-user-verification-service"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
     version: "2.7.1"
     verify: true
   memcached:
-    # providerCategory: 'Community'
+    # providerCategory: "Community"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: 'bitnamicharts/memcached'
+    # upstreamRepository: "bitnamicharts/memcached"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "memcached"
     version: "6.7.1"
     verify: true
   minio:
-    # providerCategory: 'Community'
+    # providerCategory: "Community"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: 'bitnamicharts/minio'
+    # upstreamRepository: "bitnamicharts/minio"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "minio"
     version: "12.10.11"
     verify: true
   nextcloud:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
     version: "1.5.2"
     verify: true
   nextcloudManagement:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
     # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
@@ -223,182 +223,182 @@ charts:
     version: "1.5.2"
     verify: true
   nginx:
-    # providerCategory: 'Community'
+    # providerCategory: "Community"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: 'bitnamicharts/nginx'
+    # upstreamRepository: "bitnamicharts/nginx"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "nginx"
     version: "15.9.3"
     verify: true
   opendeskKeycloakBootstrap:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap/opendesk-keycloak-bootstrap'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap/opendesk-keycloak-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "1.0.7"
+    version: "1.1.0"
     verify: true
   openproject:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'openProject'
+    # providerResponsible: "openProject"
-    # upstreamRegistry: 'ghcr.io'
+    # upstreamRegistry: "https://ghcr.io"
-    # upstreamRepository: 'opf/helm-charts/openproject'
+    # upstreamRepository: "opf/helm-charts/openproject"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['3', '0', '2']
+    # upstreamMirrorStartFrom: ["3", "0", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
-    version: "4.2.1"
+    version: "4.5.0"
     verify: true
   openprojectBootstrap:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap/opendesk-openproject-bootstrap'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap/opendesk-openproject-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
     name: "opendesk-openproject-bootstrap"
     version: "1.3.0"
     verify: true
   openXchangeAppSuite:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Open-Xchange'
+    # providerResponsible: "Open-Xchange"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['2', '2', '37']
+    # upstreamMirrorStartFrom: ["2", "2", "37"]
-    # upstreamRegistry: 'registry.open-xchange.com'
+    # upstreamRegistry: "https://registry.open-xchange.com"
-    # upstreamRepository: 'appsuite-public-sector/charts/appsuite-public-sector'
+    # upstreamRepository: "appsuite-public-sector/charts/appsuite-public-sector"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector"
     version: "2.5.3"
     verify: false
   openXchangeAppSuiteBootstrap:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap/opendesk-open-xchange-bootstrap'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap/opendesk-open-xchange-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
     name: "opendesk-open-xchange-bootstrap"
     version: "1.3.4"
     verify: true
   otterize:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-otterize/opendesk-otterize'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize/opendesk-otterize"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
     name: "opendesk-otterize"
     version: "2.0.1"
     verify: true
   oxConnector:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Univention'
+    # providerResponsible: "Univention"
-    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRegistry: "https://registry.souvap-univention.de"
-    # upstreamRepository: 'souvap/tooling/charts/univention/ox-connector'
+    # upstreamRepository: "souvap/tooling/charts/univention/ox-connector"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '4', '2']
+    # upstreamMirrorStartFrom: ["0", "4", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ox-connector"
     version: "0.4.2"
     verify: true
   postfix:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-postfix/postfix'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix/postfix"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
     version: "2.0.5"
     verify: true
   postgresql:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-postgresql/postgresql'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-postgresql/postgresql"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postgresql"
     name: "postgresql"
     version: "2.0.5"
     verify: true
   redis:
-    # providerCategory: 'Community'
+    # providerCategory: "Community"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: 'bitnamicharts/redis'
+    # upstreamRepository: "bitnamicharts/redis"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "redis"
     version: "18.6.1"
     verify: true
   synapse:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
     version: "2.7.1"
     verify: true
   synapseCreateAccount:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-create-account'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-create-account"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
     version: "2.7.1"
     verify: true
   synapseWeb:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-web'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-web"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
     version: "2.7.1"
     verify: true
   ums:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Univention'
+    # providerResponsible: "Univention"
-    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRegistry: "https://registry.souvap-univention.de"
-    # upstreamRepository: 'souvap/tooling/charts/univention/ums'
+    # upstreamRepository: "souvap/tooling/charts/univention/ums"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '0', '1']
+    # upstreamMirrorStartFrom: ["0", "12", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ums"
-    version: "0.12.0"
+    version: "0.13.0"
     verify: true
   umsKeycloakBootstrap:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Univention'
+    # providerResponsible: "Univention"
-    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRegistry: "https://registry.souvap-univention.de"
-    # upstreamRepository: 'souvap/tooling/charts/univention-keycloak-bootstrap/ums-keycloak-bootstrap'
+    # upstreamRepository: "souvap/tooling/charts/univention-keycloak-bootstrap/ums-keycloak-bootstrap"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '0', '1']
+    # upstreamMirrorStartFrom: ["1", "0", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ums-keycloak-bootstrap"
     version: "1.0.1"
     verify: true
   xwiki:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'XWiki'
+    # providerResponsible: "XWiki"
-    # upstreamRegistry: 'git.xwikisas.com:5050/xwikisas/swp/xwiki/contrib-xwiki-helm'
+    # upstreamRegistry: "https://git.xwikisas.com:5050/xwikisas/swp/xwiki/contrib-xwiki-helm"
-    # upstreamRepository: 'xwiki'
+    # upstreamRepository: "xwiki"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '2', '4']
+    # upstreamMirrorStartFrom: ["1", "2", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "xwiki"

helmfile/environments/default/functional.yaml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+authentication:
+  twoFactor:
+    # Define a list of groups to enable 2FA for.
+    # Note: Removing a group from the list will not disable 2FA for the removed group.
+    groups:
+      - "Domain Admins"
+...

helmfile/environments/default/global.generated.yaml

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.7.0"
+    releaseVersion: "v0.7.1"
 ...

helmfile/environments/default/provisioning.yaml

@@ -1,37 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-provisioning:
-  nats:
-    username: "admin"
-    password: ""
-  api:
-    nats:
-      username: "api"
-      password: ""
-    admin:
-      username: "admin"
-      password: ""
-    prefill:
-      username: "prefill"
-      password: ""
-    udmListener:
-      username: "udmListener"
-      password: ""
-  dispatcher:
-    nats:
-      username: "dispatcher"
-      password: ""
-  prefill:
-    nats:
-      username: "prefill"
-      password: ""
-  udmListener:
-    nats:
-      username: "udmListener"
-      password: ""
-  selfservice:
-    nats:
-      username: "selfservice"
-      password: ""
-...

helmfile/environments/default/resources.yaml

@@ -60,10 +60,12 @@ resources:
     requests:
       cpu: 0.1
       memory: "64Mi"
+  # The Jibri container requires 2Gi /dev/shm so we need a limit based on the expected memory consumption of the
+  # service plus the 2Gi /dev/shm
   jibri:
     limits:
       cpu: 99
-      memory: "768Mi"
+      memory: "3Gi"
     requests:
       cpu: 0.1
       memory: "384Mi"

helmfile/environments/default/secrets.gotmpl

@@ -31,29 +31,20 @@ secrets:
       portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
       portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
     provisioning:
-      nats:
+      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
-        password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "admin" | b64enc | quote }}
+      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
-      api:
+      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
-        nats:
+      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
-          password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "api" | b64enc | quote }}
+      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
-        admin:
+      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
-          password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin" | b64enc | quote }}
+      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
-        prefill:
+      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
-          password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "prefill" | b64enc | quote }}
+      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
-        udmListener:
+      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
-          password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "udmListener" | b64enc | quote }}
+      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
-      dispatcher:
+  nats:
-        nats:
+    natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
-          password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "dispatcher" | b64enc | quote }}
+
-      prefill:
-        nats:
-          password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "prefill" | b64enc | quote }}
-      udmListener:
-        nats:
-          password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "udmListener" | b64enc | quote }}
-      selfservice:
-        nats:
-          password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nats" "selfservice" | b64enc | quote }}
   postgresql:
     postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
     keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}