fix(nubus): Configure "global.subDomains" based on "global.hosts"

This commit should be reverted once we are confident that provisioning
and the consumers work as expected.

.gitignore

@@ -6,10 +6,8 @@
 
 # Ignore changes to sample environments
 helmfile/environments/dev/*.yaml.gotmpl
-helmfile/environments/test/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
 !helmfile/environments/dev/sample.yaml.gotmpl
-!helmfile/environments/test/sample.yaml.gotmpl
 !helmfile/environments/prod/sample.yaml.gotmpl
 
 # Ignore in CI generated files

.gitlab-ci.yml

@@ -4,7 +4,7 @@
 ---
 include:
   - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.3.4"
+    ref: "v2.3.3"
     file:
       - "ci/common/automr.yml"
       - "ci/common/lint.yml"
@@ -159,7 +159,7 @@ variables:
       - "no"
   RUN_TESTS:
     description: "Triggers execution of E2E-tests."
-    value: "no"
+    value: "yes"
     options:
       - "yes"
       - "no"
@@ -171,19 +171,7 @@ variables:
       - "no"
   TESTS_BRANCH:
     description: "Branch of E2E-tests on which the test pipeline is triggered"
-    value: "develop"
-  TESTS_PROJECT_URL:
-    description: "Project url for e2e-tests (`<domain of gitlab>/api/v4/projects/<id>`)"
-    value: "gitlab.opencode.de/api/v4/projects/1506"
-  TESTS_TESTSET:
-    description: "Selects testset for E2E-tests"
-    value: "Smoke"
-    options:
-      - "Regression"
-      - "Smoke"
-  TESTS_GRACE_PERIOD:
-    description: "A new deployment sometimes needs a few minutes to sort itself. If tested too early tests may fail. GRACE_PERIOD is the period in seconds that should be waited before running the tests."
-    value: "0"
+    value: "main"
 
 .deploy-common:
   cache: {}
@@ -248,6 +236,14 @@ env-start:
   script:
     - "echo \"Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster\""
     - "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -"
+    - >
+      kubectl create secret
+      --namespace "${NAMESPACE}"
+      docker-registry external-registry
+      --docker-server "${EXTERNAL_REGISTRY}"
+      --docker-username "${EXTERNAL_REGISTRY_USERNAME}"
+      --docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
+      --dry-run=client -o yaml | kubectl apply -f -
   stage: "env"
 
 policies-deploy:
@@ -490,28 +486,27 @@ run-tests:
         \"ref\": \"${TESTS_BRANCH}\", \
         \"token\": \"${CI_JOB_TOKEN}\", \
         \"variables\": { \
-          \"operator\": \"${OPERATOR}\", \
-          \"cluster\": \"${CLUSTER}\", \
-          \"namespace\": \"${NAMESPACE}\", \
-          \"url\": \"https://portal.${DOMAIN}/\", \
+          \"url\": \"https://portal.${DOMAIN}\", \
           \"user_name\": \"${DEFAULT_USER_NAME}\", \
           \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
           \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
           \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
-          \"screenshot_test\": \"yes\", \
-          \"screenshot_before_step\": \"yes\", \
-          \"screenshot_after_step\": \"yes\", \
-          \"screenshot_redirect_step\": \"yes\", \
-          \"testset\": \"${TESTS_TESTSET}\", \
-          \"testprofile\": \"Namespace\", \
-          \"gitlab_functional_yaml\": \"https://gitlab.opencode.de/api/v4/projects/1317/repository/files/helmfile%2Fenvironments%2Fdefault%2Ffunctional.yaml?ref=develop\", \
-          \"gitlab_env_namespace_template\": \"https://gitlab.opencode.de/api/v4/projects/1564/repository/files/environments%2F{operator}%2F{cluster}%2F{namespace}.yaml.gotmpl?ref=main\", \
-          \"gitlab_default_env_namespace\": \"values\", \
-          \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\" \
+          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
+          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
+          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
+          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
+          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
+          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_UMS}\", \
+          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
+          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
+          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
+          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
+          \"DEPLOY_UCS\": \"${DEPLOY_UMS}\", \
+          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
+          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
         } \
       }" \
       "https://${TESTS_PROJECT_URL}/trigger/pipeline"
-  retry: 1
 
 avscan-prepare:
   stage: ".pre"
@@ -688,4 +683,5 @@ renovate:
   script:
     - "renovate ${RENOVATE_EXTRA_FLAGS}"
   stage: "renovate"
+
 ...

.gitlab/common/common.yml

@@ -2,10 +2,10 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.5.0\
-    @sha256:630e102edc70c9e730a46180e79ff278fd8b5039eb336110e0df89fe415225ef"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.6\
-    @sha256:0a8997876a0c3f5a3c73eb6bd75c5cde63757bc31b983bfd92cfcb17389d536f"
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.4\
+    @sha256:4120fe717071876f4c9ff128f26019d089fda158a4fb1912911e09af2fd3875f"
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.5\
+    @sha256:60870adb64b0503d4a6efd16cef4e074b91a4ca52b48811cfcea057bcccd07e4"
 
 .common:
   cache: {}

.gitlab/lint/lint-kyverno.yml

@@ -26,9 +26,6 @@ lint-kyverno:
           - "xwiki"
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
-    - >
-      node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
-      -d ${CI_PROJECT_DIR}/helmfile/environments
     - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
     - >
       node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests

.reuse/dep5

@@ -0,0 +1,16 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: openDesk - der Souveräne Arbeitsplatz
+Upstream-Contact: <opendesk@zendis.de>
+Source: https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk
+
+Files: helmfile/files/theme/*
+Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+License: Apache-2.0
+
+Files: helmfile/files/gpg-pubkeys/*
+Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+License: CC0-1.0
+
+Files: cspell.json
+Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+License: Apache-2.0

README.md

@@ -29,16 +29,16 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
 openDesk currently features the following functional main components:
 
 | Function             | Functional Component        | Component<br/>Version                                                                 | Upstream Documentation                                                                                                                       |
-| -------------------- | --------------------------- | ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+| -------------------- | --------------------------- |---------------------------------------------------------------------------------------| -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.67](https://github.com/element-hq/element-desktop/releases/tag/v1.11.67)        | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                  | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
 | Groupware            | OX App Suite                | [8.26](https://documentation.open-xchange.com/appsuite/releases/8.26/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [14.5.1](https://www.openproject.org/docs/release-notes/14-5-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [14.4.1](https://www.openproject.org/docs/release-notes/14-4-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.7.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.7.1.2](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.

REUSE.toml

@@ -1,19 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
-
-version = 1
-
-[[annotations]]
-path = "helmfile/files/theme/*"
-SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
-SPDX-License-Identifier = "Apache-2.0"
-
-[[annotations]]
-path = "cspell.json"
-SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
-SPDX-License-Identifier = "Apache-2.0"
-
-[[annotations]]
-path = "helmfile/files/gpg-pubkeys/*"
-SPDX-FileCopyrightText = "2023 Bundesministerium des Innern und für Heimat, PG ZenDiS \"Projektgruppe für Aufbau ZenDiS\""
-SPDX-License-Identifier = "CC0-1.0"

dev/charts-local.py

@@ -25,7 +25,7 @@ script_path = os.path.dirname(os.path.realpath(__file__))
 log_path = script_path+'/../logs'
 charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml'
 base_repo_path = script_path+'/..'
-base_helmfile = base_repo_path+'/helmfile_generic.yaml.gotmpl'
+base_helmfile = base_repo_path+'/helmfile_generic.yaml'
 helmfile_backup_extension = '.bak'
 
 Path(log_path).mkdir(parents=True, exist_ok=True)

docs/ci.md

@@ -33,11 +33,10 @@ You might want to set credential variables in the GitLab project at `Settings` >
 # Tests
 
 The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
+The `DEPLOY_`-variables are used to determine which components should be tested.
 In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
-To select the current testset, use the variable `TESTS_TESTSET`. Default: `Smoke`.
+
 If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
 `TESTS_BRANCH` while creating a new pipeline.
-
-The variable `testprofile` within the job is set to `Namespace`, which tells the e2e tests to use environment specific settings that will be read from the cluster and namespace specific file in the opendesk-env repository.

docs/development.md

@@ -138,9 +138,6 @@ configured to pull artifacts that do not originate from Open CoDE into projects
 
 The mirror script takes the information on what artifacts to mirror from the annotation inside the two yaml files:
 - `# upstreamRegistry` *required*: To identify the source registry
-- `# upstreamRegistryCredentialId`: *optional*: In case the source registry is not public the access credentials have to be specified as ENV variables containing the value of this key in their name, so you want to specific that key all uppercase:
-  - `MIRROR_CREDENTIALS_SRC_<upstreamRegistryCredentialId>_USERNAME`
-  - `MIRROR_CREDENTIALS_SRC_<upstreamRegistryCredentialId>_PASSWORT`
 - `# upstreamRepository` *required*: To identify the source repository
 - `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression. **Note:** You have to use single quotes for this attribute's value in case you use backslash leading regex notation like `\d`.
 - `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artifacts beginning with a specific version. You must use capturing groups

docs/migrations.md

@@ -135,21 +135,6 @@ global:
     xwiki: "wiki"
 ```
 
-In case you would like to use the updated hostnames you at least have to apply some manual changes. But do this at
-your own risk. Be also aware that some of your user's bookmarks and links will stop working.
-
-- Update the affected portal tiles:
-  - All tiles in the "Files" category.
-  - The "Projects" tile in the "Management" category.
-- There are two options to change the link for the portal tiles:
-  - Use an admin account to access the portal's edit mode (on the bottom of the sidebar portal's menu).
-  - Utilize the UDM REST API to update the portal tile objects.
-- Update the hostnames for the OpenProject-Nextcloud integration using a functional admin user for both components:
-  - In OpenProject: *Administration* > *Files* > *External file storages* > Select `Nextcloud at [your_domain]`
-    Edit *Details* - *General Information* - *Storage provider* and update the *hostname* to `files.<your_domain>`.
-  - In Nextcloud: *Administration* > *OpenProject* > *OpenProject server* update the *OpenProject host* to
-    to `projects.<your_domain>`.
-
 #### Updated `global.imagePullSecrets`
 
 Without using a custom registry, you can pull all the openDesk images without authentication.

helmfile.yaml

@@ -15,7 +15,7 @@ environments:
 ---
 # yamllint disable
 helmfiles:
-  - path: "./helmfile_generic.yaml.gotmpl"
+  - path: "./helmfile_generic.yaml"
     values:
       - {{ toYaml .Values | nindent 8 }}
 # {{/*

helmfile/apps/collabora/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/\
+      {{ .Values.charts.collabora.repository }}"
 
 releases:
   - name: "collabora-online"

helmfile/apps/collabora/helmfile.yaml

@@ -6,7 +6,7 @@ bases:
   - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
     values:
       - {{ toYaml .Values | nindent 8 }}
 ...

helmfile/apps/collabora/values.yaml.gotmpl

@@ -84,8 +84,6 @@ ingress:
       hosts:
         - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
 
-podAnnotations: {}
-
 podSecurityContext:
   fsGroup: 100
 

helmfile/apps/cryptpad/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/\
+      {{ .Values.charts.cryptpad.repository }}"
 
 releases:
   - name: "cryptpad"

helmfile/apps/cryptpad/helmfile.yaml

@@ -6,7 +6,7 @@ bases:
   - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
     values:
       - {{ toYaml .Values | nindent 8 }}
 ...

helmfile/apps/cryptpad/values.yaml.gotmpl

@@ -53,8 +53,6 @@ ingress:
 persistence:
   enabled: false
 
-podAnnotations: {}
-
 podSecurityContext:
   fsGroup: 4001
 

helmfile/apps/element/helmfile-child.yaml

@@ -0,0 +1,184 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # openDesk Element
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-element
+  - name: "element-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.element.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/\
+      {{ .Values.charts.element.repository }}"
+  - name: "element-well-known-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.elementWellKnown.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/\
+      {{ .Values.charts.elementWellKnown.repository }}"
+  - name: "synapse-web-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.synapseWeb.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/\
+      {{ .Values.charts.synapseWeb.repository }}"
+  - name: "synapse-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.synapse.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/\
+      {{ .Values.charts.synapse.repository }}"
+  - name: "synapse-create-account-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.synapseCreateAccount.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/\
+      {{ .Values.charts.synapseCreateAccount.repository }}"
+
+  # openDesk Matrix Widgets
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
+  - name: "matrix-user-verification-service-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.matrixUserVerificationService.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
+      {{ .Values.charts.matrixUserVerificationService.repository }}"
+  - name: "matrix-neoboard-widget-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
+      {{ .Values.charts.matrixNeoboardWidget.repository }}"
+  - name: "matrix-neochoice-widget-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
+      {{ .Values.charts.matrixNeoboardWidget.repository }}"
+  - name: "matrix-neodatefix-widget-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/\
+      {{ .Values.charts.matrixNeodatefixWidget.repository }}"
+  - name: "matrix-neodatefix-bot-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/\
+      {{ .Values.charts.matrixNeodatefixBot.repository }}"
+
+
+releases:
+  - name: "opendesk-element"
+    chart: "element-repo/{{ .Values.charts.element.name }}"
+    version: "{{ .Values.charts.element.version }}"
+    values:
+      - "values-element.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-well-known"
+    chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
+    version: "{{ .Values.charts.elementWellKnown.version }}"
+    values:
+      - "values-well-known.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-synapse-web"
+    chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
+    version: "{{ .Values.charts.synapseWeb.version }}"
+    values:
+      - "values-synapse-web.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-synapse"
+    chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
+    version: "{{ .Values.charts.synapse.version }}"
+    values:
+      - "values-synapse.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-matrix-user-verification-service-bootstrap"
+    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
+    version: "{{ .Values.charts.synapseCreateAccount.version }}"
+    values:
+      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-matrix-user-verification-service"
+    chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
+    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
+    values:
+      - "values-matrix-user-verification-service.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neoboard-widget"
+    chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
+    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
+    values:
+      - "values-matrix-neoboard-widget.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neochoice-widget"
+    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
+    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
+    values:
+      - "values-matrix-neochoice-widget.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neodatefix-widget"
+    chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
+    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
+    values:
+      - "values-matrix-neodatefix-widget.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neodatefix-bot-bootstrap"
+    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
+    version: "{{ .Values.charts.synapseCreateAccount.version }}"
+    values:
+      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neodatefix-bot"
+    chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
+    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
+    values:
+      - "values-matrix-neodatefix-bot.yaml.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "element"
+...

helmfile/apps/element/helmfile-child.yaml.gotmpl

@@ -1,72 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-repositories:
-  # openDesk Element
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-element
-  - name: "element-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.element.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
-  - name: "element-well-known-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.elementWellKnown.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
-  - name: "synapse-web-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.synapseWeb.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
-  - name: "synapse-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.synapse.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
-
-releases:
-  - name: "opendesk-element"
-    chart: "element-repo/{{ .Values.charts.element.name }}"
-    version: "{{ .Values.charts.element.version }}"
-    values:
-      - "values-element.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
-  - name: "opendesk-well-known"
-    chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
-    version: "{{ .Values.charts.elementWellKnown.version }}"
-    values:
-      - "values-well-known.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
-  - name: "opendesk-synapse-web"
-    chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
-    version: "{{ .Values.charts.synapseWeb.version }}"
-    values:
-      - "values-synapse-web.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
-  - name: "opendesk-synapse"
-    chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
-    version: "{{ .Values.charts.synapse.version }}"
-    values:
-      - "values-synapse.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
-commonLabels:
-  deploy-stage: "component-1"
-  component: "element"
-...

helmfile/apps/element/helmfile.yaml

@@ -6,7 +6,7 @@ bases:
   - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
     values:
       - {{ toYaml .Values | nindent 8 }}
 ...

helmfile/apps/element/values-element.yaml.gotmpl

@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 configuration:
   endToEndEncryption: true
   additionalConfiguration:
-    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=opendesk-matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
 
     "net.nordeck.element_web.module.opendesk":
       config:
@@ -20,6 +20,86 @@ configuration:
           --cpd-color-bg-action-primary-rest: {{ .Values.theme.colors.primary | quote }}
           --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
 
+    "net.nordeck.element_web.module.widget_lifecycle":
+      widget_permissions:
+        "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/jitsi.html":
+          identity_approved: true
+        "https://{{ .Values.global.hosts.matrixNeoBoardWidget }}.{{ .Values.global.domain }}/*":
+          preload_approved: true
+          capabilities_approved:
+            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.create
+            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.create
+            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.chunk
+            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk
+            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot
+            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot
+            - org.matrix.msc2762.send.state_event:m.room.power_levels#
+            - org.matrix.msc2762.receive.state_event:m.room.power_levels#
+            - org.matrix.msc2762.receive.state_event:m.room.member
+            - org.matrix.msc2762.receive.state_event:m.room.name
+            - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard
+            - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard
+            - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard.sessions#*
+            - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard.sessions
+            - org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
+            - org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
+            - town.robin.msc3846.turn_servers
+            - org.matrix.msc4039.upload_file
+            - org.matrix.msc4039.download_file
+        "https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
+          preload_approved: true
+          capabilities_approved:
+            - org.matrix.msc2762.send.event:net.nordeck.poll.vote
+            - org.matrix.msc2762.receive.event:net.nordeck.poll.vote
+            - org.matrix.msc2762.send.state_event:net.nordeck.poll
+            - org.matrix.msc2762.receive.state_event:net.nordeck.poll
+            - org.matrix.msc2762.send.state_event:net.nordeck.poll.settings
+            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.settings
+            - org.matrix.msc2762.receive.state_event:m.room.power_levels
+            - org.matrix.msc2762.receive.state_event:m.room.name
+            - org.matrix.msc2762.receive.state_event:m.room.member
+            - org.matrix.msc2762.send.state_event:net.nordeck.poll.group
+            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.group
+            - org.matrix.msc2762.send.event:net.nordeck.poll.start
+            - org.matrix.msc2762.receive.event:net.nordeck.poll.start
+        "https://{{ .Values.global.hosts.matrixNeoDateFixWidget }}.{{ .Values.global.domain }}/*":
+          preload_approved: true
+          identity_approved: true
+          capabilities_approved:
+            - org.matrix.msc2931.navigate
+            - org.matrix.msc2762.timeline:*
+            - org.matrix.msc2762.receive.state_event:m.room.power_levels
+            - org.matrix.msc2762.receive.event:m.reaction
+            - org.matrix.msc2762.receive.state_event:m.room.create
+            - org.matrix.msc2762.receive.state_event:m.room.tombstone
+            - org.matrix.msc2762.receive.state_event:m.room.member
+            - org.matrix.msc2762.send.state_event:m.room.member
+            - org.matrix.msc2762.receive.state_event:m.room.name
+            - org.matrix.msc2762.receive.state_event:m.room.topic
+            - org.matrix.msc2762.receive.state_event:m.space.parent
+            - org.matrix.msc2762.receive.state_event:m.space.child
+            - org.matrix.msc2762.receive.state_event:net.nordeck.meetings.metadata
+            - org.matrix.msc2762.receive.state_event:im.vector.modular.widgets
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.create
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.create
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.breakoutsessions.create
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.breakoutsessions.create
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.close
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.close
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.widgets.handle
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.widgets.handle
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.participants.handle
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.participants.handle
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.update
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.update
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.change.message_permissions
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.change.message_permissions
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.sub_meetings.send_message
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.sub_meetings.send_message
+            - org.matrix.msc3973.user_directory_search
+
+  welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -57,8 +137,6 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-podAnnotations: {}
-
 podSecurityContext:
   enabled: true
   fsGroup: 101

helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl

@@ -0,0 +1,55 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
+
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoBoardWidget.registry | quote }}
+  repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
+  tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
+
+resources:
+  {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+...

helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl

@@ -0,0 +1,55 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
+
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoChoiceWidget.registry | quote }}
+  repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
+  tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+resources:
+  {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
+
+...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl

@@ -0,0 +1,44 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+cleanup:
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+  username: "meetings-bot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-neodatefix-bot-account"
+  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+fullnameOverride: "matrix-neodatefix-bot-bootstrap"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
+
+...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -0,0 +1,83 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  bot:
+    username: "meetings-bot"
+    displayname: "Terminplaner Bot"
+  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+  strings:
+    breakoutSessionWidgetName: "Breakoutsessions"
+    calendarRoomName: "Terminplaner"
+    calendarWidgetName: "Terminplaner"
+    cockpitWidgetName: "Meeting Steuerung"
+    jitsiWidgetName: "Videokonferenz"
+    matrixNeoBoardWidgetName: "Whiteboard"
+    matrixNeoChoiceWidgetName: "Abstimmungen"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
+
+extraEnvVars:
+  - name: "ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "matrix-neodatefix-bot-account"
+        key: "access_token"
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixBot.registry | quote }}
+  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
+  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+livenessProbe:
+  enabled: true
+
+persistence:
+  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+readinessProbe:
+  enabled: true
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
+
+resources:
+  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
+
+...

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -0,0 +1,60 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+configuration:
+  bot:
+    username: "meetings-bot"
+    homeserver: {{ .Values.global.matrixDomain | default .Values.global.domain }}
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
+
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixWidget.registry | quote }}
+  repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
+  tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
+
+resources:
+  {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -0,0 +1,43 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+cleanup:
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+  username: "uvs"
+  pod: "opendesk-synapse-0"
+  secretName: "opendesk-matrix-user-verification-service-account"
+  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
+...

helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl

@@ -0,0 +1,54 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsGroup: 0
+  runAsNonRoot: false
+  runAsUser: 0
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
+
+extraEnvVars:
+  - name: "UVS_ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "opendesk-matrix-user-verification-service-account"
+        key: "access_token"
+  - name: "UVS_DISABLE_IP_BLACKLIST"
+    value: "true"
+
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixUserVerificationService.registry | quote }}
+  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
+  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
+
+resources:
+  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
+
+...

helmfile/apps/element/values-synapse-web.yaml.gotmpl

@@ -51,8 +51,6 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-podAnnotations: {}
-
 podSecurityContext:
   enabled: true
   fsGroup: 101

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -12,7 +12,18 @@ configuration:
     room_prejoin_state:
       additional_event_types:
         - "m.space.parent"
+        - "net.nordeck.meetings.metadata"
         - "m.room.power_levels"
+    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
+    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
+    rc_login:
+      account:
+        per_second: 2
+        burst_count: 8
+      address:
+        per_second: 2
+        burst_count: 12
 
   database:
     host: {{ .Values.databases.synapse.host | quote }}
@@ -22,6 +33,25 @@ configuration:
 
   homeserver:
     serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
+    appServiceConfigs:
+      - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
+        id: intercom-service
+        namespaces:
+          users:
+            - exclusive: false
+              regex: "@.*"
+        url: null
+        sender_localpart: intercom-service
+      - as_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
+        id: ox-appsuite
+        namespaces:
+          users:
+            - exclusive: false
+              regex: "@.*"
+        url: null
+        sender_localpart: ox-appsuite
 
     presence:
       enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
@@ -60,6 +90,14 @@ configuration:
           transport: {{ .Values.turn.transport | quote }}
         {{- end }}
 
+    guestModule:
+      enabled: true
+      image:
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapseGuestModule.registry | quote }}
+        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
+        tag: {{ .Values.images.synapseGuestModule.tag | quote }}
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -103,8 +141,6 @@ persistence:
   size: {{ .Values.persistence.size.synapse | quote }}
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
-podAnnotations: {}
-
 podSecurityContext:
   enabled: true
   fsGroup: 10991

helmfile/apps/element/values-well-known.yaml.gotmpl

@@ -45,8 +45,6 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-podAnnotations: {}
-
 podSecurityContext:
   enabled: true
   fsGroup: 101

helmfile/apps/intercom-service/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/\
+      {{ .Values.charts.intercomService.repository }}"
 
 releases:
   - name: "intercom-service"

helmfile/apps/intercom-service/helmfile.yaml

@@ -6,7 +6,7 @@ bases:
   - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
     values:
       - {{ toYaml .Values | nindent 8 }}
 ...

helmfile/apps/intercom-service/values.yaml.gotmpl

@@ -72,13 +72,6 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-podAnnotations: {}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-
 provisioning:
   enabled: true
   config:
@@ -98,6 +91,12 @@ provisioning:
       credentialSecret:
         key: "ics_secret"
 
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+
 replicaCount: {{ .Values.replicas.intercomService }}
 
 resources:

helmfile/apps/jitsi/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/\
+      {{ .Values.charts.jitsi.repository }}"
 
 releases:
   - name: "jitsi"

helmfile/apps/jitsi/helmfile.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/jitsi/helmfile.yaml.gotmpl

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
----
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -10,7 +10,6 @@ global:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  podAnnotations: {}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
@@ -63,8 +62,6 @@ jitsi:
         - secretName: {{ .Values.ingress.tls.secretName | quote }}
           hosts:
             - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
-    extraConfigJs:
-      doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
     extraEnvs:
       TURN_ENABLE: "1"
     resources:
@@ -218,9 +215,6 @@ patchJVB:
     registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.jitsiPatchJVB.registry | quote }}
     repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
     tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
-
-podAnnotations: {}
-
 replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
 
 resources:

helmfile/apps/migrations-post/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"
 
 releases:
   - name: "opendesk-migrations-post"

helmfile/apps/migrations-post/helmfile.yaml

@@ -5,7 +5,7 @@ bases:
   - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
     values:
       - {{ toYaml .Values | nindent 8 }}
 ...

helmfile/apps/migrations-post/values.yaml.gotmpl

@@ -3,8 +3,6 @@
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-podAnnotations: {}
-
 migrations:
   stage: "POST"
 ...

helmfile/apps/migrations-pre/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"
 
 releases:
   - name: "opendesk-migrations-pre"

helmfile/apps/migrations-pre/helmfile.yaml

@@ -5,7 +5,7 @@ bases:
   - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
     values:
       - {{ toYaml .Values | nindent 8 }}
 ...

helmfile/apps/migrations-pre/values.yaml.gotmpl

@@ -3,8 +3,6 @@
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-podAnnotations: {}
-
 migrations:
   stage: "PRE"
 ...

helmfile/apps/nextcloud/helmfile-child.yaml

@@ -10,14 +10,16 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/\
+      {{ .Values.charts.nextcloudManagement.repository }}"
   - name: "nextcloud-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.nextcloud.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/\
+      {{ .Values.charts.nextcloud.repository }}"
 
 releases:
   - name: "opendesk-nextcloud-management"

helmfile/apps/nextcloud/helmfile.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/nextcloud/helmfile.yaml.gotmpl

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
----
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -32,7 +32,6 @@ exporter:
     repository: "{{ .Values.images.nextcloudExporter.repository }}"
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.nextcloudExporter.tag | quote }}
-  podAnnotations: {}
   prometheus:
     serviceMonitor:
       enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
@@ -92,7 +91,6 @@ php:
     repository: "{{ .Values.images.nextcloudPHP.repository }}"
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.nextcloudPHP.tag | quote }}
-  podAnnotations: {}
   prometheus:
     serviceMonitor:
       enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
@@ -144,7 +142,6 @@ apache2:
     repository: {{ .Values.images.nextcloudApache2.repository | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.nextcloudApache2.tag | quote }}
-  podAnnotations: {}
   replicaCount: {{ .Values.replicas.nextcloudApache2 }}
   resources:
     {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}

helmfile/apps/nubus/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
     url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
+      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/\
+      {{ .Values.charts.nubus.repository }}"
   # OpenDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -18,7 +19,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
+      {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
 
 releases:
   # Univention Management Stack Umbrella Chart

helmfile/apps/nubus/helmfile.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/nubus/helmfile.yaml.gotmpl

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
----
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -79,6 +79,7 @@ global:
         repository: {{ .Values.images.nubusPortalExtension.repository }}
         tag: {{ .Values.images.nubusPortalExtension.tag }}
         imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        imagePullPolicy: "IfNotPresent"
   configUcr:
     directory:
       manager:
@@ -135,11 +136,25 @@ global:
         passwordreset:
           token_validity_period: 172800
     
+    password:
+      # quality:
+        # length:
+          # min: 8
+        # required:
+          # chars:
+        # forbidden:
+          # chars:
+        # credit:
+          # digits: 1
+          # upper: 0
+          # other: 0
+          # lower: 1
+        # mspolicy: false
+
 ingress:
   certManager:
     enabled: false
   tls:
-    enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 # Nubus bundled services
@@ -194,7 +209,6 @@ nubusGuardian:
     certManager:
       enabled: false
     tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
   postgresql:
     connection:
@@ -220,14 +234,8 @@ nubusNotificationsApi:
     certManager:
       enabled: false
     tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-nubusPortalFrontend:
-  ingress:
-    tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: {{ .Values.ingress.tls.secretName }}
 
 nubusKeycloakExtensions:
   keycloak:
@@ -254,7 +262,6 @@ nubusKeycloakExtensions:
       certManager:
         enabled: false
       tls:
-        enabled: {{ .Values.ingress.tls.enabled }}
         secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 
@@ -321,7 +328,6 @@ nubusPortalServer:
     certManager:
       enabled: false
     tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 nubusUdmRestApi:
@@ -329,15 +335,9 @@ nubusUdmRestApi:
     certManager:
       enabled: false
     tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 nubusProvisioning:
-  nats:
-    config:
-      lame_duck_grace_period: |
-        10s
-              max_payload: 16MB
   enabled: true
 
 nubusUdmListener:
@@ -351,9 +351,6 @@ nubusSelfServiceConsumer:
 
 # Nubus services
 nubusStackDataUms:
-  additionalAnnotations:
-    argocd.argoproj.io/hook: "Sync"
-    argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
   stackDataContext:
     umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
     umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
@@ -404,21 +401,38 @@ nubusStackDataUms:
       - 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
     portaltileGroupLiveCollaboration:
       - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
-    systemInformation:
-      enabled: true
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
-      {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
-      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
-      {{- else }}
-      deployDate: "not available"
-      {{- end }}
-  # In openDesk the external memcache does not expect a username to be set. Overwriting
-  # the default username of `selfservice` is part of the customizing:
+
   nubusUmcServer:
     memcached:
       auth:
         username: ""
 
+# TODO: Remove values when upstreaming fixes
+nubusStackDataSwp:
+  stackDataSwp:
+    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
+    systemInformation:
+      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
+      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+    {{- end }}
+  stackDataContext:
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpPort: 25
+    smtpUser: ""
+    smtpStartTls: false
+    ldapBase: {{ .Values.ldap.baseDn }}
+    # FIXME: Should be templated correctly in the future
+    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
+    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
+    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
+    portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
+    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
+    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
+    portalTitleDE: "openDesk Portal"
+    portalTitleEN: "openDesk Portal"
+    oxDefaultContext: "1"
+
 nubusUmcServer:
   postgresql:
     bundled: false
@@ -445,7 +459,6 @@ nubusUmcServer:
     certManager:
       enabled: false
     tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 nubusUmcGateway:
@@ -455,12 +468,9 @@ nubusUmcGateway:
     certManager:
       enabled: false
     tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 nubusKeycloakBootstrap:
-  additionalAnnotations:
-    argocd.argoproj.io/hook: "Sync"
   keycloak:
     auth:
       username: "kcadmin"

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -5,126 +5,37 @@ SPDX-License-Identifier: Apache-2.0
 ---
 keycloak:
   enabled: true
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: false
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   podAnnotations:
     intents.otterize.com/service-name: "ums-keycloak"
   replicaCount: {{ .Values.replicas.keycloak }}
   resources:
     {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
 
-nubusGuardian:
+guardian:
   authorizationApi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-guardian-authorization-api"
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
     replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
     resources:
       {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
   managementApi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-guardian-management-api"
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
     replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
     resources:
       {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
   managementUi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-guardian-management-ui"
     replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
     resources:
-      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
+      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}#
   openPolicyAgent:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
     podAnnotations:
       intents.otterize.com/service-name: "ums-ums-open-policy-agent"
     replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
     resources:
       {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
   provisioning:
     # Using openDesk keycloak provisioning
     enabled: false
@@ -132,24 +43,9 @@ nubusGuardian:
 nubusNotificationsApi:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-notifications-api"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   serviceAccount:
-    create: true
+    annotations:
+      intended.usage: "compliance"
   replicaCount: {{ .Values.replicas.umsNotificationsApi }}
   resources:
     {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
@@ -157,40 +53,7 @@ nubusNotificationsApi:
 nubusUmcServer:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-umc-server"
-  containerSecurityContext:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  containerSecurityContextInit:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  proxy:
-    replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
   replicaCount: {{ .Values.replicas.umsUmcServer }}
-
   resources:
     {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
   selfService:
@@ -212,36 +75,19 @@ nubusUmcServer:
 
 nubusKeycloakExtensions:
   handler:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
     resources:
       {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
   proxy:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
     resources:
       {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
 
 nubusPortalConsumer:
-  image:
-    pullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
   podAnnotations:
     intents.otterize.com/service-name: "ums-portal-consumer"
   replicaCount: {{ .Values.replicas.umsPortalConsumer }}
@@ -253,70 +99,29 @@ nubusPortalConsumer:
     storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
     size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
 
-
-nubusUdmListener:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 102
-    runAsGroup: 65534
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsUdmListener }}
+nubusPortalConsumer:
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-portal-consumer"
+  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
   resources:
-    {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
+    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
+  resourcesWaitForDependency:
+    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
+  persistence:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
 
 nubusPortalServer:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-portal-server"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   serviceAccount:
-    create: true
+    annotations:
+      intended.usage: "compliance"
   replicaCount: {{ .Values.replicas.umsPortalServer }}
   resources:
     {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
 
 nubusLdapNotifier:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 101
-    runAsGroup: 102
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   podAnnotations:
     intents.otterize.com/service-name: "ums-ldap-notifier"
   replicaCount: {{ .Values.replicas.umsLdapNotifier }}
@@ -324,8 +129,6 @@ nubusLdapNotifier:
     {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
 
 nubusLdapServer:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   highAvailabilityMode: false
   replicaCountPrimary: 1
   replicaCountSecondary: 0 # {{ .Values.replicas.umsLdapServerSecondary }}
@@ -333,86 +136,20 @@ nubusLdapServer:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-ldap-server"
   serviceAccount:
-    create: true
+    annotations:
+      intended.usage: "compliance"
   initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
   resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
   persistence:
     storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
     size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
-  extraVolumes:
-    - name: "migration-scripts"
-      secret:
-        secretName: "ums-ldap-server-migration"
-        defaultMode: 0555
-  extraVolumeMounts:
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/30-purge.sh"
-      subPath: "30-purge.sh"
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
-      subPath: "95-slapadd-24-ldif.sh"
-  extraSecrets:
-    - name: "ums-ldap-server-migration"
-      stringData:
-        30-purge.sh: |
-          #!/usr/bin/env bash
-          me=$(basename "$0")
-          echo "- Running ${me}"
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- Cleaning up /var/lib/univention-ldap."
-            cd /var/lib/univention-ldap
-            rm -rf internal
-            rm -rf ldap
-            ls -l
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
-        95-slapadd-24-ldif.sh: |
-          #!/usr/bin/env bash
-          me=$(basename "$0")
-          echo "- Running ${me}"
-          ls -l /var/lib/univention-ldap
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
-            ls -l /var/lib/univention-ldap/
-            rm -rf /var/lib/univention-ldap/ldap
-            rm -rf /var/lib/univention-ldap/internal
-            echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
-            ls -l /var/lib/univention-ldap/
-            mkdir /var/lib/univention-ldap/ldap
-            mkdir /var/lib/univention-ldap/internal
-            echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
-            ls -l /var/lib/univention-ldap/
-            /usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
-            echo "- slapadd executed"
-            ls -l /var/lib/univention-ldap/
-            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
-            echo "- import file renamed"
-            ls -l /var/lib/univention-ldap/
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
+
 nubusPortalFrontend:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-portal-frontend"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   serviceAccount:
-    create: true
+    annotations:
+      intended.usage: "compliance"
   replicaCount: {{ .Values.replicas.umsPortalFrontend }}
   resources:
     {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
@@ -429,23 +166,13 @@ nubusStackDataUms:
   resources:
     {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
 
+nubusStackDataSwp:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-stack-data-swp"
+  resources:
+    {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}
+
 nubusSelfServiceConsumer:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   podAnnotations:
     intents.otterize.com/service-name: "ums-selfservice-listener"
   resources:
@@ -455,22 +182,6 @@ nubusSelfServiceConsumer:
 nubusUdmRestApi:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-udm-rest-api"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   serviceAccount:
     annotations:
       intended.usage: "compliance"
@@ -481,22 +192,6 @@ nubusUdmRestApi:
   replicaCount: {{ .Values.replicas.umsUdmRestApi }}
 
 nubusUmcGateway:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   replicaCount: {{ .Values.replicas.umsUmcGateway }}
   resources:
     {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
@@ -511,56 +206,17 @@ nubusKeycloakBootstrap:
     {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
 
 nubusProvisioning:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  replicaCount:
-    dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
-    udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
-    prefill: {{ .Values.replicas.umsProvisioningPrefill }}
-    api: {{ .Values.replicas.umsProvisioningApi }}
-
   serviceAccount:
-    create: true
+    annotations:
+      intended.usage: "compliance"
   nats:
-    config:
-      cluster:
-        replicas: {{ .Values.replicas.umsProvisioningNats }}
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - "ALL"
-      enabled: true
-      runAsUser: 1000
-      runAsGroup: 1000
-      seccompProfile:
-        type: "RuntimeDefault"
-      readOnlyRootFilesystem: true
-      runAsNonRoot: true
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     resources:
       {{ .Values.resources.nubusProvisioning.nats | toYaml | nindent 6 }}
     additionalAnnotations:
       intents.otterize.com/service-name: "ums-provisioning-nats"
     serviceAccount:
-      create: true
+      annotations:
+        intended.usage: "compliance"
   api:
     resources:
       {{ .Values.resources.nubusProvisioning.api | toYaml | nindent 6 }}

helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl

@@ -3,22 +3,17 @@ SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlic
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-global:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
 keycloak:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
     repository: {{ .Values.images.nubusKeycloak.repository }}
     tag: {{ .Values.images.nubusKeycloak.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusKeycloakBootstrap:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
     repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
     tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusKeycloakExtensions:
     handler:
@@ -26,21 +21,18 @@ nubusKeycloakExtensions:
         registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
         repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
         tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
     proxy:
       image:
         registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
         repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
         tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusLdapNotifier:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
     repository: {{ .Values.images.nubusLdapNotifier.repository }}
     tag: {{ .Values.images.nubusLdapNotifier.tag }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusLdapServer:
   ldapServer:
@@ -48,33 +40,28 @@ nubusLdapServer:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
       repository: {{ .Values.images.nubusLdapServer.repository }}
       tag: {{ .Values.images.nubusLdapServer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   dhInitcontainer:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
       repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
       tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   waitForDependency:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusNotificationsApi:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
     repository: {{ .Values.images.nubusNotificationsApi.repository }}
     tag: {{ .Values.images.nubusNotificationsApi.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusPortalFrontend:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
     repository: {{ .Values.images.nubusPortalFrontend.repository }}
     tag: {{ .Values.images.nubusPortalFrontend.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusPortalConsumer:
   portalConsumer:
@@ -82,20 +69,17 @@ nubusPortalConsumer:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
       repository: {{ .Values.images.nubusPortalConsumer.repository }}
       tag: {{ .Values.images.nubusPortalConsumer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   waitForDependency:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusPortalServer:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
     repository: {{ .Values.images.nubusPortalServer.repository }}
     tag: {{ .Values.images.nubusPortalServer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusProvisioning:
   api:
@@ -103,84 +87,72 @@ nubusProvisioning:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
       tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   dispatcher:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
       tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   udmTransformer:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
       tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   prefill:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
       tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   registerConsumers:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   nats:
     nats:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
-        repository: {{ .Values.images.nubusNats.repository }}
-        tag: {{ .Values.images.nubusNats.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        image:
+            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
+            repository: {{ .Values.images.nubusNats.repository }}
+            tag: {{ .Values.images.nubusNats.tag }}
     reloader:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
-        repository: {{ .Values.images.nubusNatsReloader.repository }}
-        tag: {{ .Values.images.nubusNatsReloader.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        image:
+            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
+            repository: {{ .Values.images.nubusNatsReloader.repository }}
+            tag: {{ .Values.images.nubusNatsReloader.tag }}
     natsBox:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
-        repository: {{ .Values.images.nubusNatsBox.repository }}
-        tag: {{ .Values.images.nubusNatsBox.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        image:
+            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
+            repository: {{ .Values.images.nubusNatsBox.repository }}
+            tag: {{ .Values.images.nubusNatsBox.tag }}
 
 nubusProvisioningEventsAndConsumerApi:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
     repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
     tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusProvisioningPrefill:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
     repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
     tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusUdmListener:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
     repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
     tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
-nubusSelfServiceConsumer:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
-    repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
-    tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+nubusSelfServiceListener:
+  selfserviceInvitation:
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceInvitation.registry | quote }}
+      repository: {{ .Values.images.nubusSelfserviceInvitation.repository }}
+      tag: {{ .Values.images.nubusSelfserviceInvitation.tag }}
   waitForDependency:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusUdmRestApi:
   udmRestApi:
@@ -188,36 +160,24 @@ nubusUdmRestApi:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
       repository: {{ .Values.images.nubusUdmRestApi.repository }}
       tag: {{ .Values.images.nubusUdmRestApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusUmcGateway:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
     repository: {{ .Values.images.nubusUmcGateway.repository }}
     tag: {{ .Values.images.nubusUmcGateway.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusUmcServer:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
     repository: {{ .Values.images.nubusUmcServer.repository }}
     tag: {{ .Values.images.nubusUmcServer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  proxy:
-    image:
-      registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
-      repository: {{ .Values.images.nubusUmcServerProxy.repository }}
-      tag: {{ .Values.images.nubusUmcServerProxy.tag }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusWaitForDependency:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
     repository: {{ .Values.images.nubusWaitForDependency.repository }}
     tag: {{ .Values.images.nubusWaitForDependency.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 
 nubusGuardian:
@@ -226,35 +186,35 @@ nubusGuardian:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
       repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
       tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   authorizationApi:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
       repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
       tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   managementApi:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
       repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
       tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   managementUi:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
       repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
       tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   openPolicyAgent:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
       repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
       tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusStackDataUms:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
     repository: {{ .Values.images.nubusDataLoader.repository }}
     tag: {{ .Values.images.nubusDataLoader.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+nubusStackDataSwp:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
+    repository: {{ .Values.images.nubusDataLoader.repository }}
+    tag: {{ .Values.images.nubusDataLoader.tag }}

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -29,7 +29,7 @@ config:
   managed:
     clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
     # 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
-    clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
+    clients: [ 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
   keycloak:
     adminUser: "kcadmin"
     adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -517,6 +517,296 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-xwiki-scope"
+      - name: "guardian-management-api"
+        clientId: "guardian-management-api"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        protocol: "openid-connect"
+        publicClient: false
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
+        fullScopeAllowed: true
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: false
+        serviceAccountsEnabled: true
+        protocolMappers:
+          - name: "Client Host"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "clientHost"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "clientHost"
+              jsonType.label: "String"
+          - name: "Client ID"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "client_id"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "client_id"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              userinfo.token.claim: false
+              id.token.claim: false
+              access.token.claim: true
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian-cli"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: false
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "Client IP Address"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "clientAddress"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "clientAddress"
+              jsonType.label: "String"
+      - name: "guardian-scripts"
+        clientId: "guardian-scripts"
+        description: ""
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        surrogateAuthRequired: false
+        enabled: true
+        alwaysDisplayInConsole: false
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
+        webOrigins:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        bearerOnly: false
+        consentRequired: false
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: true
+        serviceAccountsEnabled: false
+        publicClient: true
+        frontchannelLogout: false
+        protocol: "openid-connect"
+        fullScopeAllowed: true
+        protocolMappers:
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: false
+              access.token.claim: true
+              userinfo.token.claim: false
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian-scripts"
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              aggregate.attrs: false
+              multivalued: false
+              userinfo.token.claim: false
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "web-origins"
+          - "acr"
+          - "roles"
+          - "profile"
+          - "email"
+        optionalClientScopes:
+          - "address"
+          - "phone"
+          - "offline_access"
+          - "microprofile-jwt"
+      - name: "guardian-ui"
+        clientId: "guardian-ui"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
+        standardFlowEnabled: true
+        publicClient: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: false
+        serviceAccountsEnabled: false
+        protocol: "openid-connect"
+        fullScopeAllowed: true
+        protocolMappers:
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: "false"
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: false
+              access.token.claim: true
+              userinfo.token.claim: false
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/open-xchange/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/\
+      {{ .Values.charts.dovecot.repository }}"
 
   # Open-Xchange
   - name: "open-xchange-repo"
@@ -19,7 +20,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/\
+      {{ .Values.charts.openXchangeAppSuite.repository }}"
 
   # openDesk Open-Xchange Bootstrap
   # Source:
@@ -30,7 +32,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
+      {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
 
 releases:
   - name: "dovecot"

helmfile/apps/open-xchange/helmfile.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/open-xchange/helmfile.yaml.gotmpl

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
----
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -68,9 +68,6 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
 
-
-podAnnotations: {}
-
 podSecurityContext:
   enabled: true
   fsGroup: 1000

helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl

@@ -18,8 +18,4 @@ imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
   - name: {{ . | quote }}
 {{- end }}
-
-podAnnotations:
-  argocd.argoproj.io/hook: "Sync"
-  argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
 ...

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -27,7 +27,6 @@ nextcloud-integration-ui:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . | quote }}
   {{- end }}
-  podAnnotations: {}
   replicaCount: {{ .Values.replicas.openxchangeNextcloudIntegrationUI }}
   resources:
     {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
@@ -52,14 +51,12 @@ public-sector-ui:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangePublicSectorUI.registry | quote }}
     repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
     tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . | quote }}
   {{- end }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   replicaCount: {{ .Values.replicas.openxchangePublicSectorUI }}
-  podAnnotations: {}
   resources:
     {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
   securityContext:
@@ -122,7 +119,6 @@ appsuite:
     jolokiaLogin: "jolokia"
     jolokiaPassword: {{ .Values.secrets.oxAppsuite.jolokiaPassword | quote }}
     hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
-    podAnnotations: {}
     serviceAccount:
       create: true
     features:
@@ -142,7 +138,6 @@ appsuite:
         tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
         pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
       replicaCount: {{ .Values.replicas.openxchangeGotenberg }}
-      podAnnotations: {}
       resources:
         {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
       securityContext:
@@ -231,7 +226,7 @@ appsuite:
       # Old capability can be used to toggle all integrations with a single switch
       com.openexchange.capability.public-sector: "true"
       # New capabilities in 2.0
-      com.openexchange.capability.public-sector-element: "false"
+      com.openexchange.capability.public-sector-element: "true"
       com.openexchange.capability.public-sector-navigation: "true"
       com.openexchange.capability.client-onboarding: "true"
       com.openexchange.capability.dynamic-theme: "true"
@@ -381,7 +376,6 @@ appsuite:
       tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     replicaCount: {{ .Values.replicas.openxchangeCoreUI }}
-    podAnnotations: {}
     resources:
       {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
     securityContext:
@@ -415,7 +409,6 @@ appsuite:
       tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     overrides: {}
-    podAnnotations: {}
     redis: *redisConfiguration
     replicaCount: {{ .Values.replicas.openxchangeCoreUIMiddleware }}
     resources:
@@ -454,7 +447,6 @@ appsuite:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeDocumentConverter.registry | quote }}
       repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
-    podAnnotations: {}
     redis: *redisConfiguration
     replicaCount: {{ .Values.replicas.openxchangeCoreDocumentConverter }}
     resources:
@@ -502,7 +494,6 @@ appsuite:
       repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
       tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    podAnnotations: {}
     replicaCount: {{ .Values.replicas.openxchangeCoreGuidedtours }}
     resources:
       {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
@@ -537,7 +528,6 @@ appsuite:
           endpoint: "."
           accessKey: "."
           secretKey: "."
-    podAnnotations: {}
     redis: *redisConfiguration
     replicaCount: {{ .Values.replicas.openxchangeCoreImageConverter }}
     resources:
@@ -570,7 +560,6 @@ appsuite:
       repository: {{ .Values.images.openxchangeGuardUI.repository | quote }}
       tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    podAnnotations: {}
     replicaCount: {{ .Values.replicas.openxchangeGuardUI }}
     resources:
       {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
@@ -602,7 +591,6 @@ appsuite:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . | quote }}
     {{- end }}
-    podAnnotations: {}
     replicaCount: {{ .Values.replicas.openxchangeCoreUserGuide }}
     resources:
       {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}

helmfile/apps/openproject-bootstrap/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/\
+      {{ .Values.charts.openprojectBootstrap.repository }}"
 
 releases:
   - name: "opendesk-openproject-bootstrap"

helmfile/apps/openproject-bootstrap/helmfile.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/openproject-bootstrap/helmfile.yaml.gotmpl

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
----
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...

helmfile/apps/openproject-bootstrap/values.yaml.gotmpl

@@ -16,8 +16,6 @@ cleanup:
   keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 config:
-  debug:
-    enabled: {{ .Values.debug.enabled }}
   openproject:
     fileshareName: "Nextcloud at {{ .Values.global.domain }}"
     admin:
@@ -53,8 +51,6 @@ image:
 job:
   enabled: true
 
-podAnnotations: {}
-
 podSecurityContext:
   enabled: true
   fsGroup: 1000

helmfile/apps/openproject/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/\
+      {{ .Values.charts.openproject.repository }}"
 
 releases:
   - name: "openproject"
@@ -21,7 +22,7 @@ releases:
     values:
       - "values.yaml.gotmpl"
     installed: {{ .Values.openproject.enabled }}
-    timeout: 1500
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/openproject/helmfile.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/openproject/helmfile.yaml.gotmpl

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
----
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...

helmfile/apps/openproject/values.yaml.gotmpl

@@ -8,10 +8,6 @@ global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
-appInit:
-  resources:
-    {{ .Values.resources.openprojectAppInit | toYaml | nindent 4 }}
-
 containerSecurityContext:
   enabled: true
   privileged: false
@@ -28,15 +24,6 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
 
-dbInit:
-  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openprojectDbInit.registry | quote }}
-    repository: {{ .Values.images.openprojectDbInit.repository | quote }}
-    tag: {{ .Values.images.openprojectDbInit.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  resources:
-    {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
-
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
@@ -94,6 +81,13 @@ image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.openproject.tag | quote }}
 
+initdb:
+  image:
+    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openprojectInitDb.registry | quote }}
+    repository: {{ .Values.images.openprojectInitDb.repository | quote }}
+    tag: {{ .Values.images.openprojectInitDb.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
 memcached:
   bundled: false
   connection:
@@ -103,8 +97,6 @@ memcached:
 persistence:
   enabled: false
 
-podAnnotations: {}
-
 postgresql:
   bundled: false
   auth:
@@ -188,12 +180,5 @@ s3:
 seederJob:
   annotations:
     intents.otterize.com/service-name: "openproject-seeder"
-  resources:
-    {{ .Values.resources.openprojectSeederJob | toYaml | nindent 4 }}
-
-workers:
-  default:
-    resources:
-      {{ .Values.resources.openprojectWorkers | toYaml | nindent 6 }}
 
 ...

helmfile/apps/provisioning/helmfile-child.yaml

@@ -7,7 +7,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/\
+      {{ .Values.charts.oxConnector.repository }}"
 
 releases:
   - name: "ox-connector"

helmfile/apps/provisioning/helmfile.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/provisioning/helmfile.yaml.gotmpl

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
----
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -44,8 +44,6 @@ resources:
 persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
-podAnnotations: {}
-
 ## Container deployment probes
 probes:
   liveness:

helmfile/apps/services/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
+      {{ .Values.charts.otterize.repository }}"
 
   # openDesk Home
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
@@ -20,7 +21,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
+      {{ .Values.charts.home.repository }}"
 
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -30,7 +32,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/\
+      {{ .Values.charts.certificates.repository }}"
 
   # openDesk PostgreSQL
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
@@ -40,7 +43,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/\
+      {{ .Values.charts.postgresql.repository }}"
 
   # openDesk MariaDB
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -50,7 +54,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
+      {{ .Values.charts.mariadb.repository }}"
 
   # openDesk dkimpy-milter
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
@@ -60,7 +65,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/\
+      {{ .Values.charts.dkimpy.repository }}"
 
   # openDesk Postfix
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -70,7 +76,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
+      {{ .Values.charts.postfix.repository }}"
 
   # openDesk ClamAV
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -80,14 +87,16 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/\
+      {{ .Values.charts.clamav.repository }}"
   - name: "clamav-simple-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.clamavSimple.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/\
+      {{ .Values.charts.clamavSimple.repository }}"
 
   # VMWare Bitnami
   # Source: https://github.com/bitnami/charts/
@@ -97,21 +106,24 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/\
+      {{ .Values.charts.memcached.repository }}"
   - name: "redis-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.redis.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/\
+      {{ .Values.charts.redis.repository }}"
   - name: "minio-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.minio.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/\
+      {{ .Values.charts.minio.repository }}"
 
 releases:
   - name: "opendesk-otterize"

helmfile/apps/services/helmfile.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/services/helmfile.yaml.gotmpl

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
----
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...

helmfile/apps/services/values-clamav-distributed.yaml.gotmpl

@@ -25,7 +25,6 @@ clamd:
     repository: {{ .Values.images.clamd.repository | quote }}
     tag: {{ .Values.images.clamd.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podAnnotations: {}
   podSecurityContext:
     enabled: true
     fsGroup: 101
@@ -70,7 +69,6 @@ freshclam:
     repository: {{ .Values.images.freshclam.repository | quote }}
     tag: {{ .Values.images.freshclam.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podAnnotations: {}
   podSecurityContext:
     enabled: true
     fsGroup: 101
@@ -112,7 +110,6 @@ icap:
     repository: {{ .Values.images.icap.repository | quote }}
     tag: {{ .Values.images.icap.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podAnnotations: {}
   podSecurityContext:
     enabled: true
     fsGroup: 101
@@ -142,7 +139,6 @@ milter:
     repository: {{ .Values.images.milter.repository | quote }}
     tag: {{ .Values.images.milter.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podAnnotations: {}
   podSecurityContext:
     enabled: true
     fsGroup: 101

helmfile/apps/services/values-clamav-simple.yaml.gotmpl

@@ -40,8 +40,6 @@ persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.clamav | quote }}
 
-podAnnotations: {}
-
 podSecurityContext:
   enabled: true
   fsGroup: 101

helmfile/apps/services/values-mariadb.yaml.gotmpl

@@ -73,8 +73,6 @@ persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.mariadb | quote }}
 
-podAnnotations: {}
-
 podSecurityContext:
   enabled: true
   fsGroup: 1001

helmfile/apps/services/values-memcached.yaml.gotmpl

@@ -32,8 +32,6 @@ image:
   tag: {{ .Values.images.memcached.tag | quote }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
-podAnnotations: {}
-
 replicaCount: {{ .Values.replicas.memcached }}
 
 resources:

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -182,8 +182,6 @@ provisioning:
   resources:
     {{ .Values.resources.minio | toYaml | nindent 4 }}
 
-podAnnotations: {}
-
 readinessProbe:
   enabled: true
   initialDelaySeconds: 5

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -76,8 +76,6 @@ postfix:
   virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   virtualTransport: "lmtps:dovecot:24"
 
-podAnnotations: {}
-
 replicaCount: {{ .Values.replicas.postfix }}
 
 resources:

helmfile/apps/services/values-postgresql.yaml.gotmpl

@@ -90,8 +90,6 @@ persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.postgresql | quote }}
 
-podAnnotations: {}
-
 postgres:
   password: {{ .Values.secrets.postgresql.postgresUser | quote }}
 

helmfile/apps/services/values-redis.yaml.gotmpl

@@ -38,7 +38,6 @@ master:
   count: {{ .Values.replicas.redis }}
   persistence:
     size: {{ .Values.persistence.size.redis | quote }}
-  podAnnotations: {}
   resources:
     {{ .Values.resources.redis | toYaml | nindent 4 }}
 

helmfile/apps/xwiki/helmfile-child.yaml

@@ -10,7 +10,8 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/\
+      {{ .Values.charts.xwiki.repository }}"
 
 releases:
   - name: "xwiki"

helmfile/apps/xwiki/helmfile.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/xwiki/helmfile.yaml.gotmpl

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
----
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...

helmfile/environments/default/charts.yaml

@@ -46,7 +46,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
-    version: "1.1.21"
+    version: "1.1.20"
     verify: true
   cryptpad:
     # providerCategory: "Supplier"
@@ -90,7 +90,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "3.4.1"
+    version: "3.4.0"
     verify: true
   elementWellKnown:
     # providerCategory: "Platform"
@@ -100,7 +100,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "3.4.1"
+    version: "3.4.0"
     verify: true
   home:
     # providerCategory: "Platform"
@@ -132,7 +132,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
-    version: "1.12.1"
+    version: "1.9.3"
     verify: true
   mariadb:
     # providerCategory: "Platform"
@@ -144,6 +144,56 @@ charts:
     name: "mariadb"
     version: "2.3.1"
     verify: true
+  matrixNeoboardWidget:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neoboard-widget"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
+    name: "matrix-neoboard-widget"
+    version: "3.5.0"
+    verify: true
+  matrixNeochoiseWidget:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neochoice-widget"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
+    name: "matrix-neochoice-widget"
+    version: "3.5.0"
+    verify: true
+  matrixNeodatefixBot:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-bot"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
+    name: "matrix-neodatefix-bot"
+    version: "3.5.0"
+    verify: true
+  matrixNeodatefixWidget:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-widget"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
+    name: "matrix-neodatefix-widget"
+    version: "3.5.0"
+    verify: true
+  matrixUserVerificationService:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-matrix-user-verification-service"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
+    name: "opendesk-matrix-user-verification-service"
+    version: "3.4.0"
+    verify: true
   memcached:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -162,7 +212,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
     name: "opendesk-migrations"
-    version: "1.3.2"
+    version: "1.2.3"
     verify: true
   minio:
     # providerCategory: "Community"
@@ -214,7 +264,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "nubus"
-    version: "0.57.3"
+    version: "0.56.1"
     verify: true
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
@@ -224,8 +274,9 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "2.1.2"
-    verify: true
+    version: "2.2.0-jtorres-univention-keycloak-clients"
+    verify: false
+    # TODO: change to the final version during MR to develop
   openproject:
     # providerCategory: "Supplier"
     # providerResponsible: "openProject"
@@ -236,7 +287,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
-    version: "8.0.0"
+    version: "7.0.0"
     verify: true
   openprojectBootstrap:
     # providerCategory: "Platform"
@@ -246,7 +297,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
     name: "opendesk-openproject-bootstrap"
-    version: "2.0.0"
+    version: "1.3.0"
     verify: true
   openXchangeAppSuite:
     # providerCategory: "Supplier"
@@ -268,7 +319,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
     name: "opendesk-open-xchange-bootstrap"
-    version: "2.0.0"
+    version: "1.3.4"
     verify: true
   otterize:
     # providerCategory: "Platform"
@@ -330,7 +381,17 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "3.4.1"
+    version: "3.4.0"
+    verify: true
+  synapseCreateAccount:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-create-account"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
+    name: "opendesk-synapse-create-account"
+    version: "3.4.0"
     verify: true
   synapseWeb:
     # providerCategory: "Platform"
@@ -340,7 +401,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "3.4.1"
+    version: "3.4.0"
     verify: true
   xwiki:
     # providerCategory: "Supplier"

helmfile/environments/default/functional.yaml

@@ -79,10 +79,6 @@ functional:
       # Enable to allow information about the user presence status to be shared.
       # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
       enabled: false
-    jitsiRoomHistory:
-      # Enable to allow the room history to be stored in the user's browser local storage.
-      # Ref.:
-      enabled: false
 
   chat:
     matrix:

helmfile/environments/default/images.yaml

@@ -20,7 +20,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.7.2.1@sha256:5b00478f2c6c7372b2a67e68783d9b1a91265679bbd4afdc1416e50720d50ce6"
+    tag: "24.04.7.1.2@sha256:6e3d64dfdf4a429c374f18947d7c4e987f585a13642817672123fd1963dc8a2d"
   cryptpad:
     # providerCategory: "Supplier"
     # providerResponsible: "XWiki"
@@ -50,10 +50,12 @@ images:
     # providerCategory: "Supplier"
     # providerResponsible: "Element"
     # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/supplier/element/images/opendesk-element-web"
+    # upstreamRepository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "8", "0"]
     registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/element/images/opendesk-element-web"
-    tag: "1.11.4-amd64@sha256:1785ca0dcb608939533ce50067fb17c2152ceff00ea4e17a4cd500930727687b"
+    repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
+    tag: "1.11.1@sha256:6ed72fccd302fc5891f31157bcffd14358e1f90f8b60d649fd261ba0f5d5fb91"
   freshclam:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -146,6 +148,56 @@ images:
     registry: "registry-1.docker.io"
     repository: "library/mariadb"
     tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
+  matrixNeoBoardWidget:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://ghcr.io"
+    # upstreamRepository: "nordeck/matrix-neoboard-widget"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "4", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
+    tag: "1.17.0@sha256:f4e711473ba99159c878177f0f9e750fd6d9555b7d8c266ac7040f053be19513"
+  matrixNeoChoiceWidget:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://ghcr.io"
+    # upstreamRepository: "nordeck/matrix-poll-widget"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "4", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-poll-widget"
+    tag: "1.4.0@sha256:216cb88aaa47449a15af9a531d60eee593cb1923c4e8fcc67c119982972911e5"
+  matrixNeoDateFixBot:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://ghcr.io"
+    # upstreamRepository: "nordeck/matrix-meetings-bot"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["2", "7", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-bot"
+    tag: "2.8.0@sha256:db1d99c13a9facfd08a7da1d0a9c7c05715bad47110e93649ad6b389e462b42c"
+  matrixNeoDateFixWidget:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://ghcr.io"
+    # upstreamRepository: "nordeck/matrix-meetings-widget"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "6", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-widget"
+    tag: "1.6.1@sha256:70bebd9293a977124a5da955e1a520381129d476d6414a083093c1b48a55dadd"
+  matrixUserVerificationService:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "matrixdotorg/matrix-user-verification-service"
+    # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["3", "0", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/element/images-mirror/matrix-user-verification-service"
+    tag: "v3.0.0@sha256:25e685d595785e2a72e75a525dac78cf8c782445454f8ac090d3702431c38008"
   memcached:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -161,7 +213,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.3.9@sha256:dee06e4da27ff67cad12ba990aca58ca81eae89a02dfe4831bd3e9c67c08ddcf"
+    tag: "1.2.2@sha256:32afdd71c5b8003ed1609e389494ce10c715c5db64d4ed32a74d65b0f0227e64"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -361,7 +413,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.38.3@sha256:3b74617c6a8b68b086be8ab648bfffb08ba6ddb052ff0dcd4731c1bcc5a87a03"
+    tag: "0.38.1@sha256:da8bed3e1ce40804d8ac4ac5901109dcce8cd76eb7c6c711787fff6cbcc76733"
   nubusOpendeskExtension:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -369,7 +421,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.5.0@sha256:2bfdf79028ec788162cf75bf80b08ed5aa3f747430bc85fd5e0427decc9994de"
+    tag: "1.4.0@sha256:8f3a278c41b799f23f0559e6bc4ebfe9a3ee3d70a906205ea84597a5411af5d5"
   nubusOpenPolicyAgent:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -399,7 +451,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "27", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.38.3@sha256:a4c7b57870aa7868174ef446f4212da1fc9f57d72c31dca245a5787699f2975b"
+    tag: "0.38.1@sha256:beaa9f6f9cf2045781dba6f4aa67ed0b129b0f01a5a719ac038a07be135b6430"
   nubusPortalExtension:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -419,7 +471,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.38.3@sha256:514ff5117331d0b446944b252d993db547daad64062fcfaab8794bfb4f5290a3"
+    tag: "0.38.1@sha256:ace41eb46cc751efda5e0c827a5707c0442b454254944a71cd6a7a265a5e2247"
   nubusPortalServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -429,7 +481,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.38.3@sha256:0cd37fc82a7426013a1f93dcf4a72686f3b90b7532991dd1d50ae28cbca493e5"
+    tag: "0.38.1@sha256:3cb56bf434607282bad4a70e6be0ee72d8889c4135b63af91db54d8f48b31b0a"
   nubusProvisioningDispatcher:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -439,7 +491,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.39.0@sha256:cff262c399785594a07d61a0645ca304e4da044d37831c29f848d8d70b2e58c9"
+    tag: "0.38.0@sha256:d583151b108164374bd11dc74626c62aace0ff4ddc5997b08553b559d7c0bf91"
   nubusProvisioningEventsAndConsumerApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -449,7 +501,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.39.0@sha256:9f537eb138863ea9c3f6f7b416e7787ab1841e3e0ba3a8dd39fe35464955d75d"
+    tag: "0.38.0@sha256:b459c3a9bfd51692691736f0afeb0c7ba2d75efe30a5b1e2a8b51c5c48f08ac4"
   nubusProvisioningPrefill:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -459,7 +511,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.39.0@sha256:72ab91cd235b52875c03411c5488984b482aafc6d58f2064bd5313ab7a119cab"
+    tag: "0.38.0@sha256:7fe6dfe75c3131ebf9bb9a36210adf4bd0bead06d6214985427d59eb4b420b40"
   nubusProvisioningUdmListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -469,7 +521,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.39.0@sha256:f0e63353f0ea28890c992a374b82ac65f379f9dfd4c7fe645f002b170df1da69"
+    tag: "0.38.0@sha256:99a7fdc23650c5bcbf58c38ffea86b5fe779b12a834824ae5e206fc5f2c0301a"
   nubusProvisioningUdmTransformer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -479,8 +531,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.39.0@sha256:64166fae60856da544698b601b70037a93239e9f6072ced890cd5965fab148dc"
-  nubusSelfServiceConsumer:
+    tag: "0.38.0@sha256:e40b33188f11d82f669532e1f085ba5e1758fd6099f679a759f6ae2b1d0ee3ef"
+  nubusSelfserviceInvitation:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -489,7 +541,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.7.3@sha256:7eb99ca8e7b5af321c45a515d7999ec421a3644e34c47028e90b627e8af9d39d"
+    tag: "0.7.2@sha256:a204a74575d4aed5f343d4ab4838fd6b11b4ae0d1a61e5cc464a5fde6d16ec37"
   nubusUdmRestApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -520,14 +572,6 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
     tag: "0.30.0@sha256:78e20377a8cb3f6c5efa004a52aee444345e71d91e02e414c86c2a2631de5822"
-  nubusUmcServerProxy:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: "traefik"
-    registry: "registry-1.docker.io"
-    repository: "traefik"
-    tag: "3.0@sha256:a208c74fd80a566d4ea376053bff73d31616d7af3f1465a7747b8b89ee34d97e"
   nubusWaitForDependency:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -555,7 +599,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "14.5.1@sha256:b6f823a4f4ff6873a992506c5f5bd9fe54b89f5d4e0bfb60b5da7b6c3bff82e1"
+    tag: "14.4.1@sha256:40a2ff3f3a75b9792f93da07e80a730941f783abc7ae3c1a988c7904cbc1f2a4"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -564,7 +608,7 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
     tag: "1.1.4@sha256:2fd97a316114428849aaeef87fb8755274e675830088a93afcafac91bb048d1d"
-  openprojectDbInit:
+  openprojectInitDb:
     # providerCategory: "Community"
     # providerResponsible: "OpenProject"
     # upstreamRegistry: "https://registry-1.docker.io"
@@ -744,7 +788,25 @@ images:
     # upstreamMirrorStartFrom: ["1", "91", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.115.0@sha256:abf4a5b5b2030f7deb555a8ec7b945607db9e98b057eb06364e66ba8308bdd40"
+    tag: "v1.108.0@sha256:0754a5c372f4cfb5f69f58ad4b70d05bc2e380354f1b0c9101611e9157082712"
+  synapseCreateUser:
+    # providerCategory: "Community"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "alpine/k8s"
+    registry: "registry-1.docker.io"
+    repository: "alpine/k8s"
+    tag: "1.30.0@sha256:d7a11b7032550e992667fd7725b039dcd639270fbceec368d7e66e3d9e41ee15"
+  synapseGuestModule:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://ghcr.io"
+    # upstreamRepository: "nordeck/synapse-guest-module"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "0", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/synapse-guest-module"
+    tag: "1.0.0@sha256:6b3b17183a7d163148cc1bc5342604682ec67d898394fc743db2f339e61c722e"
   synapseWeb:
     # providerCategory: "Community"
     # providerResponsible: "Element"

helmfile/environments/default/replicas.yaml

@@ -75,8 +75,6 @@ replicas:
   umsGuardianManagementUi: 1
   # -- scalable: tbd
   umsGuardianOpenPolicyAgent: 1
-  # -- scalable: tbd
-  umsKeycloak: 1
   # -- scalable: false
   # -- comment: Should not be scaled, is an async process.
   umsKeycloakExtensionsHandler: 1
@@ -99,30 +97,16 @@ replicas:
   umsPortalConsumer: 1
   # -- scalable: true
   umsPortalServer: 1
-  # -- scalable: tdb
-  umsProvisioningApi: 1
-  # -- scalable: false
-  umsProvisioningDispatcher: 1
-  # -- scalable: tdb
-  umsProvisioningNats: 1
-  # -- scalable: tdb
-  umsProvisioningPrefill: 1
-  # -- scalable: false
-  umsProvisioningUdmTransformer: 1
   # -- scalable: tbd
   umsSelfserviceConsumer: 1
   # -- scalable: tbd
   umsStackGateway: 1
   # -- scalable: true
-  umsUdmListener: 1
-  # -- scalable: tbd
   umsUdmRestApi: 1
   # -- scalable: tbd
   umsUmcGateway: 1
   # -- scalable: tbd
   umsUmcServer: 1
-  # -- scalable: tbd
-  umsUmcServerProxy: 1
 
   # -- component: Video conference (Jitsi)
   # -- scalable: tbd

helmfile/environments/default/resources.yaml

@@ -275,34 +275,6 @@ resources:
     requests:
       cpu: 0.1
       memory: "768Mi"
-  openprojectDbInit:
-    limits:
-      cpu: 99
-      memory: "768Mi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
-  openprojectAppInit:
-    limits:
-      cpu: 99
-      memory: "768Mi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
-  openprojectSeederJob:
-    limits:
-      cpu: 99
-      memory: "768Mi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
-  openprojectWorkers:
-    limits:
-      cpu: 99
-      memory: "4Gi"
-    requests:
-      cpu: 0.25
-      memory: "512Mi"
   openxchangeCoreDocumentConverter:
     limits:
       cpu: 99
@@ -513,6 +485,20 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsPortalConsumer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumerDependencies:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsPortalServer:
     limits:
       cpu: 99
@@ -576,6 +562,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsStackDataSwp:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsStackGateway:
     limits:
       cpu: 99
@@ -583,13 +576,6 @@ resources:
     requests:
       cpu: 0.1
       memory: "16Mi"
-  umsUdmListener:
-    limits:
-      cpu: 99
-      memory: "1Gi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
   umsUdmRestApi:
     limits:
       cpu: 99

helmfile/environments/default/selinux.yaml

@@ -41,7 +41,7 @@ seLinuxOptions:
   opendeskKeycloakBootstrap: ~
   openproject: ~
   openprojectBootstrap: ~
-  openprojectDbInit: ~
+  openprojectInitDb: ~
   openxchangeBootstrap: ~
   openxchangeCoreGuidedtours: ~
   openxchangeCoreMW: ~
@@ -68,7 +68,6 @@ seLinuxOptions:
   umsGuardianAuthorizationApi: ~
   umsGuardianManagementApi: ~
   umsGuardianManagementUi: ~
-  umsGuardianOpenPolicyAgent: ~
   umsKeycloak: ~
   umsKeycloakBootstrap: ~
   umsKeycloakExtensionHandler: ~
@@ -76,16 +75,20 @@ seLinuxOptions:
   umsLdapNotifier: ~
   umsLdapServer: ~
   umsNotificationsApi: ~
+  umsOpenPolicyAgent: ~
   umsPortalFrontend: ~
   umsPortalConsumer: ~
   umsPortalServer: ~
-  umsProvisioning: ~
+  umsProvisioningDispatcher: ~
+  umsProvisioningEventsAndConsumerApi: ~
   umsProvisioningNats: ~
+  umsProvisioningNatsBox: ~
+  umsProvisioningNatsReloader: ~
+  umsProvisioningUdmListener: ~
   umsSelfserviceInvitation: ~
   umsSelfserviceConsumer: ~
   umsStackGateway: ~
   umsStoreDav: ~
-  umsUdmListener: ~
   umsUdmRestApi: ~
   umsUmcGateway: ~
   umsUmcServer: ~

helmfile/environments/default/theme.gotmpl

@@ -15,7 +15,7 @@ theme:
   ## Define colors
   #
   colors:
-    # Element, OX AppSuite, Xwiki, Jitsi
+    # Element, OX AppSuite, Xwiki
     primary: "#5e27dd"
     # OX AppSuite
     primary15: "#e7dffa"
@@ -23,7 +23,7 @@ theme:
     black: "#000000"
     # OX AppSuite, Xwiki
     white: "#ffffff"
-    # OX AppSuite, Xwiki, Jitsi
+    # OX AppSuite, Xwiki
     secondaryGreyLight: "#f5f5f5"
 
     # Not in use yet
@@ -46,9 +46,6 @@ theme:
     favicon144PngB64: {{ readFile "./../../files/theme/favicon144.png" | b64enc | quote }}
     logoHeaderSvgB64: {{ readFile "./../../files/theme/logoHeader.svg" | b64enc | quote }}
 
-    # Jitsi
-    logoHeaderInvertedSvgB64: {{ readFile "./../../files/theme/logoHeaderInverted.svg" | b64enc | quote }}
-
     # Portal
     logoPortalBackgroundSvgB64: {{ readFile "./../../files/theme/logoPortalBackground.svg" | b64enc | quote }}
     portalCss: {{ readFile "./../../files/theme/portal.css" | b64enc }}

helmfile/environments/test/values.yaml.gotmpl

@@ -0,0 +1,102 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imageRegistry: "my_private_registry.domain.tld"
+  imagePullSecrets:
+    - "kyverno-test"
+  imagePullPolicy: "kyverno"
+persistence:
+  storageClassNames:
+    RWX: "kyverno-test"
+    RWO: "kyverno-test"
+  size:
+    clamav: "42Gi"
+    dovecot: "42Gi"
+    mariadb: "42Gi"
+    matrixNeoDateFixBot: "42Gi"
+    minio: "42Gi"
+    nubus:
+      ldapServerData: "42Gi"
+      ldapServerShared: "42Gi"
+      portalConsumer: "42Gi"
+    postfix: "42Gi"
+    postgresql: "42Gi"
+    prosody: "42Gi"
+    redis: "42Gi"
+    synapse: "42Gi"
+    xwiki: "42Gi"
+ingress:
+  ingressClassName: "kyverno"
+  tls:
+    enabled: true
+    secretName: "kyverno-tls"
+replicas:
+  clamav: 42
+  clamd: 42
+  collabora: 42
+  cryptpad: 42
+  dovecot: 42
+  element: 42
+  freshclam: 42
+  icap: 42
+  intercomService: 42
+  jibri: 42
+  jicofo: 42
+  jitsi: 42
+  jitsiKeycloakAdapter: 42
+  jvb: 42
+  keycloak: 42
+  mariadb: 42
+  matrixNeoBoardWidget: 42
+  matrixNeoChoiceWidget: 42
+  matrixNeoDateFixBot: 42
+  matrixNeoDateFixWidget: 42
+  matrixUserVerificationService: 42
+  memcached: 42
+  milter: 42
+  minio: 42
+  nextcloudApache2: 42
+  nextcloudExporter: 42
+  nextcloudPHP: 42
+  openprojectWeb: 42
+  openprojectWorker: 42
+  openxchangeCoreGuidedtours: 42
+  openxchangeCoreMW: 42
+  openxchangeCoreUI: 42
+  openxchangeCoreUIMiddleware: 42
+  openxchangeCoreUserGuide: 42
+  openxchangeDocumentConverter: 42
+  openxchangeGotenberg: 42
+  openxchangeGuardUI: 42
+  openxchangeImageConverter: 42
+  openxchangeNextcloudIntegrationUI: 42
+  openxchangePublicSectorUI: 42
+  oxConnector: 42
+  postfix: 42
+  postgres: 42
+  redis: 42
+  synapse: 42
+  synapseWeb: 42
+  umsGuardianAuthorizationApi: 42
+  umsGuardianManagementApi: 42
+  umsGuardianManagementUi: 42
+  umsGuardianOpenPolicyAgent: 42
+  umsKeycloakExtensionsHandler: 42
+  umsKeycloakExtensionsProxy: 42
+  umsLdapNotifier: 42
+  umsLdapServer: 42
+  umsNotificationsApi: 42
+  umsPortalFrontend: 42
+  umsPortalConsumer: 42
+  umsPortalServer: 42
+  umsSelfserviceConsumer: 42
+  umsStackGateway: 42
+  umsUdmRestApi: 42
+  umsUmcGateway: 42
+  umsUmcServer: 42
+  wellKnown: 42
+  xwiki: 42
+...

helmfile_generic.yaml

@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+#
+# Advanced Configuration: Nested States
+#
+helmfiles:
+  # Path to the helmfile state file being processed BEFORE releases in this state file
+  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml"
+    values: &values
+      - "helmfile/environments/default/*.yaml"
+      - "helmfile/environments/default/*.gotmpl"
+      - {{ toYaml .Values | nindent 8 }}
+  - path: "helmfile/apps/services/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/nubus/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/intercom-service/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/open-xchange/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/nextcloud/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/collabora/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/cryptpad/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/jitsi/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/element/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/openproject/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/xwiki/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/provisioning/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/migrations-post/helmfile-child.yaml"
+    values: *values
+missingFileHandler: "Error"
+...

helmfile_generic.yaml.gotmpl

@@ -1,43 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
----
-#
-# Advanced Configuration: Nested States
-#
-helmfiles:
-  # Path to the helmfile state file being processed BEFORE releases in this state file
-  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl"
-    values: &values
-      - "helmfile/environments/default/*.yaml"
-      - "helmfile/environments/default/*.gotmpl"
-      - {{ toYaml .Values | nindent 8 }}
-  - path: "helmfile/apps/services/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/nubus/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/collabora/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/jitsi/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/element/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/openproject/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/xwiki/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/provisioning/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl"
-    values: *values
-missingFileHandler: "Error"
-...