feat(opendesk-services): Add opendesk-otterize

README.md

@@ -43,7 +43,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.14.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.14.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.6.0](https://www.openproject.org/docs/release-notes/16-6-0/)                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.10431](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_10431)       | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
-| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.6](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
+| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.5](https://www.collaboraoffice.com/code-25-04-release-notes/)                          | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 
 While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.

docs/architecture.md

@@ -129,7 +129,7 @@ An overview of
 - components that consume the LDAP service.
   - The components access the LDAP using a component-specific LDAP search account.
 - components using Univention Keycloak as an identity provider (IdP).
-  - All components use OAuth2 / OIDC flows.
+  - The components should use OAuth2 / OIDC flows if not otherwise denoted.
   - All components have a client configured in Keycloak.
 
 Some components trust others to handle authentication for them.
@@ -148,7 +148,7 @@ flowchart TD
  D-->K
  O-->K
  X-->K
- P-->K
+ P-->|SAML|K
  E[Element]-->K
  J[Jitsi]-->K
  I[IntercomService]-->K
@@ -184,6 +184,11 @@ sequenceDiagram
     Note over Browser: User is authenticated
 ```
 
+> [!note]
+> Nubus' Portal and UMC still use [SAML 2.0](https://www.oasis-open.org/standard/saml/) to authenticate
+> users. However, Nubus will switch to OIDC in an upcoming release, eliminating the use of SAML in openDesk
+> altogether.
+
 ## Keycloak
 
 [Keycloak](https://www.keycloak.org/) is an open-source identity and access management solution for web based applications and services. It provides features such as single sign-on, multi-factor authentication, user federation, and centralized user management.

docs/migrations.md

@@ -8,14 +8,14 @@ SPDX-License-Identifier: Apache-2.0
 <!-- TOC -->
 * [Disclaimer](#disclaimer)
 * [Deprecation warnings](#deprecation-warnings)
-* [Overview and mandatory upgrade path](#overview-and-mandatory-upgrade-path)
+* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
-  * [Versions ≥ v1.9.0](#versions--v190)
-    * [Pre-upgrade to versions ≥ v1.9.0](#pre-upgrade-to-versions--v190)
+  * [Versions &GreaterEqual; v1.9.0](#versions--v190)
+    * [Pre-upgrade to versions &GreaterEqual; v1.9.0](#pre-upgrade-to-versions--v190)
       * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases)
       * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients)
-  * [Versions ≥ v1.8.0](#versions--v180)
-    * [Pre-upgrade to versions ≥ v1.8.0](#pre-upgrade-to-versions--v180)
+  * [Versions &GreaterEqual; v1.8.0](#versions--v180)
+    * [Pre-upgrade to versions &GreaterEqual; v1.8.0](#pre-upgrade-to-versions--v180)
       * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users)
       * [New database and secrets: Portal now uses OIDC](#new-database-and-secrets-portal-now-uses-oidc)
       * [New application default: XWiki blocks self-registration of user accounts](#new-application-default-xwiki-blocks-self-registration-of-user-accounts)
@@ -24,39 +24,39 @@ SPDX-License-Identifier: Apache-2.0
       * [Helmfile new default: New groupware settings changing current behaviour](#helmfile-new-default-new-groupware-settings-changing-current-behaviour)
       * [New application default: Nextcloud apps "Spreed" and "Comments" no longer enabled by default](#new-application-default-nextcloud-apps-spreed-and-comments-no-longer-enabled-by-default)
       * [New application default: Gravatar is switched off for Jitsi and OpenProject](#new-application-default-gravatar-is-switched-off-for-jitsi-and-openproject)
-  * [Versions ≥ v1.7.0](#versions--v170)
-    * [Pre-upgrade to versions ≥ v1.7.0](#pre-upgrade-to-versions--v170)
+  * [Versions &GreaterEqual; v1.7.0](#versions--v170)
+    * [Pre-upgrade to versions &GreaterEqual; v1.7.0](#pre-upgrade-to-versions--v170)
       * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
       * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
-    * [Post-upgrade to versions ≥ v1.7.0](#post-upgrade-to-versions--v170)
+    * [Post-upgrade to versions &GreaterEqual; v1.7.0](#post-upgrade-to-versions--v170)
       * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
-  * [Versions ≥ v1.6.0](#versions--v160)
-    * [Pre-upgrade to versions ≥ v1.6.0](#pre-upgrade-to-versions--v160)
+  * [Versions &GreaterEqual; v1.6.0](#versions--v160)
+    * [Pre-upgrade to versions &GreaterEqual; v1.6.0](#pre-upgrade-to-versions--v160)
       * [Upstream constraint: Nubus' external secrets](#upstream-constraint-nubus-external-secrets)
       * [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser)
       * [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange)
       * [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade)
-    * [Post-upgrade to versions ≥ v1.6.0](#post-upgrade-to-versions--v160)
+    * [Post-upgrade to versions &GreaterEqual; v1.6.0](#post-upgrade-to-versions--v160)
       * [OX App Suite fix-up: Using S3 as storage for non mail attachments (post-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-post-upgrade)
-  * [Versions ≥ v1.4.0](#versions--v140)
-    * [Pre-upgrade to versions ≥ v1.4.0](#pre-upgrade-to-versions--v140)
+  * [Versions &GreaterEqual; v1.4.0](#versions--v140)
+    * [Pre-upgrade to versions &GreaterEqual; v1.4.0](#pre-upgrade-to-versions--v140)
       * [Helmfile cleanup: `global.additionalMailDomains` as list](#helmfile-cleanup-globaladditionalmaildomains-as-list)
-  * [Versions ≥ v1.3.0](#versions--v130)
-    * [Pre-upgrade to versions ≥ v1.3.0](#pre-upgrade-to-versions--v130)
+  * [Versions &GreaterEqual; v1.3.0](#versions--v130)
+    * [Pre-upgrade to versions &GreaterEqual; v1.3.0](#pre-upgrade-to-versions--v130)
       * [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation)
-  * [Versions ≥ v1.2.0](#versions--v120)
-    * [Pre-upgrade to versions ≥ v1.2.0](#pre-upgrade-to-versions--v120)
+  * [Versions &GreaterEqual; v1.2.0](#versions--v120)
+    * [Pre-upgrade to versions &GreaterEqual; v1.2.0](#pre-upgrade-to-versions--v120)
       * [Helmfile cleanup: Do not configure OX provisioning when no OX installed](#helmfile-cleanup-do-not-configure-ox-provisioning-when-no-ox-installed)
       * [Helmfile new default: PostgreSQL for XWiki and Nextcloud](#helmfile-new-default-postgresql-for-xwiki-and-nextcloud)
-  * [Versions ≥ v1.1.2](#versions--v112)
-    * [Pre-upgrade to versions ≥ v1.1.2](#pre-upgrade-to-versions--v112)
+  * [Versions &GreaterEqual; v1.1.2](#versions--v112)
+    * [Pre-upgrade to versions &GreaterEqual; v1.1.2](#pre-upgrade-to-versions--v112)
       * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
-  * [Versions ≥ v1.1.1](#versions--v111)
-    * [Pre-upgrade to versions ≥ v1.1.1](#pre-upgrade-to-versions--v111)
+  * [Versions &GreaterEqual; v1.1.1](#versions--v111)
+    * [Pre-upgrade to versions &GreaterEqual; v1.1.1](#pre-upgrade-to-versions--v111)
       * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
       * [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
-  * [Versions ≥ v1.1.0](#versions--v110)
-    * [Pre-upgrade to versions ≥ v1.1.0](#pre-upgrade-to-versions--v110)
+  * [Versions &GreaterEqual; v1.1.0](#versions--v110)
+    * [Pre-upgrade to versions &GreaterEqual; v1.1.0](#pre-upgrade-to-versions--v110)
       * [Helmfile cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
       * [Helmfile cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
       * [Helmfile cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
@@ -66,10 +66,10 @@ SPDX-License-Identifier: Apache-2.0
       * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
       * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
       * [External requirements: Redis 7.4](#external-requirements-redis-74)
-    * [Post-upgrade to versions ≥ v1.1.0](#post-upgrade-to-versions--v110)
+    * [Post-upgrade to versions &GreaterEqual; v1.1.0](#post-upgrade-to-versions--v110)
       * [XWiki fix-ups](#xwiki-fix-ups)
-  * [Versions ≥ v1.0.0](#versions--v100)
-    * [Pre-upgrade to versions ≥ v1.0.0](#pre-upgrade-to-versions--v100)
+  * [Versions &GreaterEqual; v1.0.0](#versions--v100)
+    * [Pre-upgrade to versions &GreaterEqual; v1.0.0](#pre-upgrade-to-versions--v100)
       * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
       * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
       * [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled)
@@ -77,17 +77,17 @@ SPDX-License-Identifier: Apache-2.0
       * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
       * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
       * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
-    * [Post-upgrade to versions ≥ v1.0.0](#post-upgrade-to-versions--v100)
+    * [Post-upgrade to versions &GreaterEqual; v1.0.0](#post-upgrade-to-versions--v100)
       * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
       * [Optional Cleanup](#optional-cleanup)
 * [Automated migrations - Details](#automated-migrations---details)
-  * [Versions ≥ v1.6.0 (automated)](#versions--v160-automated)
-    * [Versions ≥ v1.6.0 migrations-post](#versions--v160-migrations-post)
-  * [Versions ≥ v1.2.0 (automated)](#versions--v120-automated)
-    * [Versions ≥ v1.2.0 migrations-pre](#versions--v120-migrations-pre)
-    * [Versions ≥ v1.2.0 migrations-post](#versions--v120-migrations-post)
-  * [Versions ≥ v1.1.0 (automated)](#versions--v110-automated)
-  * [Versions ≥ v1.0.0 (automated)](#versions--v100-automated)
+  * [Versions &GreaterEqual; v1.6.0 (automated)](#versions--v160-automated)
+    * [Versions &GreaterEqual; v1.6.0 migrations-post](#versions--v160-migrations-post)
+  * [Versions &GreaterEqual; v1.2.0 (automated)](#versions--v120-automated)
+    * [Versions &GreaterEqual; v1.2.0 migrations-pre](#versions--v120-migrations-pre)
+    * [Versions &GreaterEqual; v1.2.0 migrations-post](#versions--v120-migrations-post)
+  * [Versions &GreaterEqual; v1.1.0 (automated)](#versions--v110-automated)
+  * [Versions &GreaterEqual; v1.0.0 (automated)](#versions--v100-automated)
   * [Related components and artifacts](#related-components-and-artifacts)
   * [Development](#development)
 <!-- TOC -->
@@ -140,22 +140,22 @@ matching that constraint, though our links always point to the newest patch rele
 > 1. You are at v1.3.2 → pre steps for v1.4.0 to v1.5.0
 > 1. Upgrade to v1.5.0 → post steps for v1.4.0 to v1.5.0
 > 1. You are at v1.5.0 → pre steps for v1.6.0 to 1.7.1
-> 1. Upgrade to v1.7.1 → post steps for v1.6.0 to v1.7.1
+> 1. Upgrade to v1.7.1 → post steps for v1.6.0 to v1.7.1 
 
 <!-- IMPORTANT: Make sure to mark mandatory releases if an automatic migration requires a previous update to be installed -->
-| Version                                                                                 | Mandatory | Pre-Upgrade                                                                                                                    | Post-Upgrade                            | Minimum Required Previous Version                   |
-|-----------------------------------------------------------------------------------------|-----------|--------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|-----------------------------------------------------|
-| [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | --        | [Pre](#pre-upgrade-to-versions--v190)                                                                                          | --                                      | ⬇ Install ≥ v1.5.0 first                            |
-| [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0) | --        | [Pre](#pre-upgrade-to-versions--v180)                                                                                          | --                                      | ⬇ Install ≥ v1.5.0 first                            |
-| [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1) | --        | [Pre](#pre-upgrade-to-versions--v170)                                                                                          | [Post](#post-upgrade-to-versions--v170) | ⬇ Install ≥ v1.5.0 first                            |
-| [v1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.6.0) | --        | [Pre](#pre-upgrade-to-versions--v160)                                                                                          | [Post](#post-upgrade-to-versions--v160) | [⚠ Install v1.5.0 first](#versions--v160-automated) |
-| [v1.5.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.5.0) | **yes**   | --                                                                                                                             | --                                      | ⬇ Install ≥ v1.1.x first                            |
-| [v1.4.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.4.1) | --        | [Pre](#pre-upgrade-to-versions--v140)                                                                                          | --                                      | ⬇ Install ≥ v1.1.x first                            |
-| [v1.3.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.3.2) | --        | [Pre](#pre-upgrade-to-versions--v130)                                                                                          | --                                      | ⬇ Install ≥ v1.1.x first                            |
-| [v1.2.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.2.1) | --        | [Pre](#pre-upgrade-to-versions--v120)                                                                                          | --                                      | [⚠ Install v1.1.x first](#versions--v120-automated) |
+| Version                                                                                 | Mandatory | Pre-Upgrade                                                                                                                 | Post-Upgrade                            | Minimum Required Previous Version            |
+|-----------------------------------------------------------------------------------------|-----------|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|----------------------------------------------|
+| [v1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.9.0) | --        | [Pre](#pre-upgrade-to-versions--v190)                                                                                       | --                                      | ⬇ Install &GreaterEqual; v1.5.0 first                                           |
+| [v1.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.8.0) | --        | [Pre](#pre-upgrade-to-versions--v180)                                                                                       | --                                      | ⬇ Install &GreaterEqual; v1.5.0 first                                           |
+| [v1.7.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.7.1) | --        | [Pre](#pre-upgrade-to-versions--v170)                                                                                       | [Post](#post-upgrade-to-versions--v170) | ⬇ Install &GreaterEqual; v1.5.0 first                                           |
+| [v1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.6.0) | --        | [Pre](#pre-upgrade-to-versions--v160)                                                                                       | [Post](#post-upgrade-to-versions--v160) | [⚠ Install v1.5.0 first](#versions--v160-automated) |
+| [v1.5.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.5.0) | **yes**   | --                                                                                                                          | --                                      | ⬇ Install &GreaterEqual; v1.1.x first                                           |
+| [v1.4.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.4.1) | --        | [Pre](#pre-upgrade-to-versions--v140)                                                                                       | --                                      | ⬇ Install &GreaterEqual; v1.1.x first                                           |
+| [v1.3.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.3.2) | --        | [Pre](#pre-upgrade-to-versions--v130)                                                                                       | --                                      | ⬇ Install &GreaterEqual; v1.1.x first                                           |
+| [v1.2.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.2.1) | --        | [Pre](#pre-upgrade-to-versions--v120)                                                                                       | --                                      | [⚠ Install v1.1.x first](#versions--v120-automated) |
 | [v1.1.x](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.1.2) | **yes**   | [Pre .0](#pre-upgrade-to-versions--v110) → [Pre .1](#pre-upgrade-to-versions--v111) → [Pre .2](#pre-upgrade-to-versions--v112) | [Post](#post-upgrade-to-versions--v110) | [⚠ Install v1.0.0 first](#versions--v110-automated) |
-| [v1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.0.0) | **yes**   | [Pre](#pre-upgrade-to-versions--v100)                                                                                          | [Post](#post-upgrade-to-versions--v100) | [⚠ Install v0.9.0 first](#versions--v100-automated) |
-| [v0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v0.9.0) | **yes**   | --                                                                                                                             | --                                      | --                                                  |
+| [v1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v1.0.0) | **yes**   | [Pre](#pre-upgrade-to-versions--v100)                                                                                       | [Post](#post-upgrade-to-versions--v100) | [⚠ Install v0.9.0 first](#versions--v100-automated) |
+| [v0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/releases/v0.9.0) | **yes**   | --                                                                                                                          | --                                      | --                                           |
 
 > [!warning]
 > Be sure to check out the table in the release version you are going to install, and not the currently installed version.
@@ -165,49 +165,15 @@ If you would like more details about the automated migrations, please read secti
 # Manual checks/actions
 
 > [!note]
-> We **only** use the mathematical symbol ≥ to denote for which versions manual steps must be
-> applied. For example, "Versions ≥ v1.7.0" refers to all openDesk versions (major, minor and
+> We **only** use the mathematical symbol &GreaterEqual; to denote for which versions manual steps must be
+> applied. For example, "Versions &GreaterEqual; v1.7.0" refers to all openDesk versions (major, minor and
 > patch) starting from 1.7.0, e.g. 1.7.0, 1.7.1, 1.8.0, etc. Furthermore, if a version is not explicitly
 > listed no extra manual steps are required when upgrading to that version, e.g. in the case of an update from
 > version 1.7.0 to version 1.7.1.
 
-## Versions ≥ v1.9.0
+## Versions &GreaterEqual; v1.9.0
 
-### Pre-upgrade to versions ≥ v1.9.0
-
-#### Helmfile fix: New Postfix SMTP SASL security option defaults
-
-Starting from openDesk v1.9.0, the SMTP SALS security options set within openDesk are aligned with the
-recommended defaults. This might break currently working connections with external SMTP relays.
-
-> [!warning]
-> Please check your mail relays supported SASL security options and adjust your deployment accordingly to
-> prevent the disruption of mail delivery.
-
-To fall back to the behavior of openDesk < v1.9.0 (no security options at all) set the following in
-`smtp.yaml.gotmpl`
-
-``` yaml
-smtp:
-  security:
-    smtpdSASLSecurityOptions: ~
-    smtpSASLSecurityOptions: ~
-```
-
-To set specific options consult the official Postfix documentation for
-[smtpd](https://www.postfix.org/postconf.5.html#smtpd_sasl_security_options) or
-[smtp](https://www.postfix.org/postconf.5.html#smtp_sasl_security_options) and set the string options via the
-yaml array notation:
-
-``` yaml
-smtp:
-  security:
-    smtpdSASLSecurityOptions:
-      - "noanonymous"
-    smtpSASLSecurityOptions:
-      - "noanonymous"
-      - "noplaintext"
-```
+### Pre-upgrade to versions &GreaterEqual; v1.9.0
 
 #### Helmfile fix: Cassandra passwords read from `databases.*`
 
@@ -245,9 +211,9 @@ Additionally, it is now possible to explicitly define the hostnames shown in the
 
 If these values are not explicitly set, openDesk will use `.Values.global.domain` as in previous releases.
 
-## Versions ≥ v1.8.0
+## Versions &GreaterEqual; v1.8.0
 
-### Pre-upgrade to versions ≥ v1.8.0
+### Pre-upgrade to versions &GreaterEqual; v1.8.0
 
 #### New application default: Default group for two-factor authentication is now "2FA Users"
 
@@ -271,7 +237,7 @@ The portal has been migrated to use OIDC for single sign-on by default. This int
   - `secrets.postgresql.umsAuthSessionUser`: For internal databases, set the secret for the database user here. If you are using an external database, you already provide these credentials in the New database step above.
 
 > [!note]
-> The SAML Client for the Nubus portal is still preserved in Keycloak and is going to be removed with openDesk 1.10.0.
+> The SAML Client for the Nubus portal is still preserved in Keycloak and will be removed in one of the next openDesk releases.
 
 #### New application default: XWiki blocks self-registration of user accounts
 
@@ -402,9 +368,9 @@ Gravatar support is no longer enabled by default in Jitsi and OpenProject. In ca
     OPENPROJECT_PLUGIN__OPENPROJECT__AVATARS: '{enable_gravatars: true, enable_local_avatars: true}'
   ```
 
-## Versions ≥ v1.7.0
+## Versions &GreaterEqual; v1.7.0
 
-### Pre-upgrade to versions ≥ v1.7.0
+### Pre-upgrade to versions &GreaterEqual; v1.7.0
 
 #### Helmfile fix: Ensure enterprise overrides apply when deploying from project root
 
@@ -435,7 +401,7 @@ annotation:
   notesYProvider: {}
 ```
 
-### Post-upgrade to versions ≥ v1.7.0
+### Post-upgrade to versions &GreaterEqual; v1.7.0
 
 #### Upstream fix: Provisioning of functional mailboxes
 
@@ -462,9 +428,9 @@ kill ${PROVISIONING_PORT_FORWARD_PID}
 rm ${TEMPORARY_CONSUMER_JSON}
 ```
 
-## Versions ≥ v1.6.0
+## Versions &GreaterEqual; v1.6.0
 
-### Pre-upgrade to versions ≥ v1.6.0
+### Pre-upgrade to versions &GreaterEqual; v1.6.0
 
 #### Upstream constraint: Nubus' external secrets
 
@@ -519,7 +485,7 @@ kubectl cp -n ${NAMESPACE} open-xchange-core-mw-default-0:/opt/open-xchange/ox-f
 2. Run the upgrade.
 3. Continue with the [related post-upgrade steps](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-post-upgrade)
 
-### Post-upgrade to versions ≥ v1.6.0
+### Post-upgrade to versions &GreaterEqual; v1.6.0
 
 #### OX App Suite fix-up: Using S3 as storage for non mail attachments (post-upgrade)
 
@@ -560,9 +526,9 @@ ID    Type of Job                              Status     Further Information
 /opt/open-xchange/sbin/unregisterfilestore -A $MASTER_ADMIN_USER -P $MASTER_ADMIN_PW -i <your_old_filestore_id_from_step_3>
 ```
 
-## Versions ≥ v1.4.0
+## Versions &GreaterEqual; v1.4.0
 
-### Pre-upgrade to versions ≥ v1.4.0
+### Pre-upgrade to versions &GreaterEqual; v1.4.0
 
 #### Helmfile cleanup: `global.additionalMailDomains` as list
 
@@ -586,9 +552,9 @@ global:
     - "sub2.maildomain.de"
 ```
 
-## Versions ≥ v1.3.0
+## Versions &GreaterEqual; v1.3.0
 
-### Pre-upgrade to versions ≥ v1.3.0
+### Pre-upgrade to versions &GreaterEqual; v1.3.0
 
 #### Helmfile new feature: `functional.authentication.ssoFederation`
 
@@ -596,9 +562,9 @@ global:
 
 Please ensure to configure your IdP federation config details as part of `functional.authentication.ssoFederation`. You can find more details in the "Example configuration" section of [`idp-federation.md`](./enhanced-configuration/idp-federation.md).
 
-## Versions ≥ v1.2.0
+## Versions &GreaterEqual; v1.2.0
 
-### Pre-upgrade to versions ≥ v1.2.0
+### Pre-upgrade to versions &GreaterEqual; v1.2.0
 
 #### Helmfile cleanup: Do not configure OX provisioning when no OX installed
 
@@ -659,9 +625,9 @@ In case you are planning to migrate an existing instance from MariaDB to Postgre
   - https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Backup#HUsingtheXWikiExportfeature
   - https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/ImportExport
 
-## Versions ≥ v1.1.2
+## Versions &GreaterEqual; v1.1.2
 
-### Pre-upgrade to versions ≥ v1.1.2
+### Pre-upgrade to versions &GreaterEqual; v1.1.2
 
 #### Helmfile feature update: App settings wrapped in `apps.` element
 
@@ -690,9 +656,9 @@ apps:
     enabled: true
 ```
 
-## Versions ≥ v1.1.1
+## Versions &GreaterEqual; v1.1.1
 
-### Pre-upgrade to versions ≥ v1.1.1
+### Pre-upgrade to versions &GreaterEqual; v1.1.1
 
 #### Helmfile feature update: Component specific `storageClassName`
 
@@ -745,9 +711,9 @@ persistence:
 
 A not yet templated secret was discovered in the Nubus deployment. It is now declared in [`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) and can be defined using: `secrets.nubus.masterpassword`. If you define your own secrets, please be sure this new secret is set to the same value as the `MASTER_PASSWORD` environment variable used in your deployment.
 
-## Versions ≥ v1.1.0
+## Versions &GreaterEqual; v1.1.0
 
-### Pre-upgrade to versions ≥ v1.1.0
+### Pre-upgrade to versions &GreaterEqual; v1.1.0
 
 #### Helmfile cleanup: Restructured `/helmfile/files/theme` folder
 
@@ -910,7 +876,7 @@ The update from openDesk v1.0.0 contains Redis 7.4.1, like the other openDesk bu
 
 Please ensure the Redis you are using is updated to at least version 7.4 to support the requirement of OX App Suite.
 
-### Post-upgrade to versions ≥ v1.1.0
+### Post-upgrade to versions &GreaterEqual; v1.1.0
 
 #### XWiki fix-ups
 
@@ -936,9 +902,9 @@ Unfortunately XWiki does not upgrade itself as expected. The bug has been report
 
 You should have now a fully functional XWiki instance with single sign-on and full-text search.
 
-## Versions ≥ v1.0.0
+## Versions &GreaterEqual; v1.0.0
 
-### Pre-upgrade to versions ≥ v1.0.0
+### Pre-upgrade to versions &GreaterEqual; v1.0.0
 
 #### Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus
 
@@ -1120,7 +1086,7 @@ The IAM admin account `Administrator` is the only member of this group by defaul
 
 If you need other accounts to use the API, please assign them to the aforementioned group.
 
-### Post-upgrade to versions ≥ v1.0.0
+### Post-upgrade to versions &GreaterEqual; v1.0.0
 
 #### Configuration Improvement: Separate user permission for using Video Conference component
 
@@ -1152,33 +1118,33 @@ kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
 
 # Automated migrations - Details
 
-## Versions ≥ v1.6.0 (automated)
+## Versions &GreaterEqual; v1.6.0 (automated)
 
 > [!note]
 > Details can be found in [run_5.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_5.py).
 
-### Versions ≥ v1.6.0 migrations-post
+### Versions &GreaterEqual; v1.6.0 migrations-post
 
 - Automatically restarts the StatefulSets `ums-provisioning-nats` and `ox-connector` due to a workaround applied on the NATS secrets, see the "Notes" segment of the ["Password seed" heading in getting-started.md](./docs/getting-started.md#password-seed)
 
 > [!note]
 > This change aims to prevent authentication failures with NATS in some Pods, which can lead to errors such as: `wait-for-nats Unavailable, waiting 2 seconds. Error: nats: 'Authorization Violation'`.
 
-## Versions ≥ v1.2.0 (automated)
+## Versions &GreaterEqual; v1.2.0 (automated)
 
 > [!note]
 > Details can be found in [run_4.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_4.py).
 
-### Versions ≥ v1.2.0 migrations-pre
+### Versions &GreaterEqual; v1.2.0 migrations-pre
 
 - Automatically deletes PVC `group-membership-cache-ums-portal-consumer-0`: With the upgrade the Nubus Portal Consumer no longer requires to be executed with root privileges. The PVC contains files that require root permission to access them, therefore the PVC gets deleted (and re-created) during the upgrade.
 - Automatically deletes StatefulSet `ums-portal-consumer`: A bug was fixed in the templating of the Portal Consumer's PVC causing the values in `persistence.storages.nubusPortalConsumer.*` to be ignored. As these values are immutable, we had to delete the whole StatefulSet.
 
-### Versions ≥ v1.2.0 migrations-post
+### Versions &GreaterEqual; v1.2.0 migrations-post
 
 - Automatically restarts the Deployment `ums-provisioning-udm-transformer` and StatefulSet `ums-provisioning-udm-listener` and deletes the Nubus Provisioning consumer `durable_name:incoming` on stream `stream:incoming`: Due to a bug in Nubus 1.7.0 the `incoming` stream was blocked after the upgrade, the aforementioned measures unblock the stream.
 
-## Versions ≥ v1.1.0 (automated)
+## Versions &GreaterEqual; v1.1.0 (automated)
 
 With openDesk v1.1.0 the IAM stack supports HA LDAP primary as well as scalable LDAP secondary pods.
 
@@ -1189,7 +1155,7 @@ creating the config map with the mentioned label.
 > [!note]
 > Details can be found in [run_3.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
 
-## Versions ≥ v1.0.0 (automated)
+## Versions &GreaterEqual; v1.0.0 (automated)
 
 The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks.
 

helmfile/apps/collabora/values.yaml.gotmpl

@@ -35,7 +35,7 @@ collabora:
     {{- end }}
     {{- if .Values.apps.collaboraController.enabled }}
     --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
-    --o:monitors.monitor[0]=ws://collabora-controller-cool-controller.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:9000/controller/ws
+    --o:monitors.monitor[0]=ws://collabora-controller-cool-controller:9000/controller/ws
     --o:monitors.monitor[0][@retryInterval]=5
     {{- end }}
   username: "collabora-internal-admin"

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -84,7 +84,7 @@ config:
   managed:
     clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
                     'offline_access', 'roles', 'address', 'phone' ]
-    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC OIDC', '${client_account}',
+    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', 'UMC OIDC', '${client_account}',
                '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
                '${client_security-admin-console}' ]
   keycloak:

helmfile/apps/opendesk-services/charts/opendesk-otterize/Chart.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+annotations:
+  category: "Security"
+  licenses: "Apache-2.0"
+apiVersion: "v2"
+dependencies:
+  - name: "common"
+    version: "^2.x.x"
+    repository: "oci://registry.opencode.de/bmi/opendesk/components/external/charts/bitnami-charts"
+description: "A Helm chart deploying resources for Otterize to secure services with NetworkPolicies."
+home: "https://zendis.de"
+keywords:
+  - "security"
+name: "opendesk-otterize"
+sources:
+  - "https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-otterize"
+type: "application"
+version: "2.1.3"
+...

helmfile/apps/opendesk-services/charts/opendesk-otterize/README.md

@@ -0,0 +1,121 @@
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+# opendesk-otterize
+
+A Helm chart deploying resources for Otterize to secure services with NetworkPolicies.
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`, you have two options:
+
+### Install via Repository
+
+```console
+helm repo add opendesk-otterize https://gitlab.opencode.de/api/v4/projects/2293/packages/helm/stable
+helm install my-release --version 2.1.3 opendesk-otterize/opendesk-otterize
+```
+
+### Install via OCI Registry
+
+```console
+helm repo add opendesk-otterize oci://registry.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-otterize
+helm install my-release --version 2.1.3 opendesk-otterize/opendesk-otterize
+```
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| oci://registry.opencode.de/bmi/opendesk/components/external/charts/bitnami-charts | common | ^2.x.x |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalAnnotations | object | `{}` | Additional custom annotations to add to all deployed objects. |
+| additionalLabels | object | `{}` | Additional custom labels to add to all deployed objects. |
+| apps.clamavDistributed.enabled | bool | `true` | Enables ClamAV (in distributed mode) related resource creation. |
+| apps.clamavDistributed.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.clamavDistributed.signatureHost | string | `"gitlab.opencode.de"` | Signature database host |
+| apps.clamavSimple.enabled | bool | `true` | Enables ClamAV (in simple mode) related resource creation. |
+| apps.clamavSimple.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.clamavSimple.signatureHost | string | `"gitlab.opencode.de"` | Signature database host |
+| apps.collabora.enabled | bool | `true` | Enables Collabora related resource creation. |
+| apps.collabora.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.cryptpad.enabled | bool | `true` | Enables Cryptpad related resource creation. |
+| apps.cryptpad.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.dkimpy.enabled | bool | `true` | Enables dkimpy related resource creation. |
+| apps.dkimpy.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.dovecot.enabled | bool | `true` | Enables Dovecot related resource creation. |
+| apps.dovecot.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.element.enabled | bool | `true` | Enables Element related resource creation. |
+| apps.element.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.intercom.enabled | bool | `true` | Enables Intercom Service related resource creation. |
+| apps.intercom.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.jitsi.enabled | bool | `true` | Enables Jitsi related resource creation. |
+| apps.jitsi.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.mariadb.enabled | bool | `true` | Enables MariaDB related resource creation. |
+| apps.mariadb.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.memcached.enabled | bool | `true` | Enables Memcached related resource creation. |
+| apps.memcached.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.minio.enabled | bool | `true` | Enables MinIO related resource creation. |
+| apps.minio.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.nextcloud.enabled | bool | `true` | Enables Nextcloud related resource creation. |
+| apps.nextcloud.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.notes.enabled | bool | `true` | Enables LaSuite Notes related resource creation. |
+| apps.notes.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.nubus.enabled | bool | `true` | Enables Univention Management Stack related resource creation. |
+| apps.nubus.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.openproject.enabled | bool | `true` | Enables OpenProject related resource creation. |
+| apps.openproject.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.oxAppSuite.enabled | bool | `true` | Enables Open-Xchange Appsuite related resource creation. |
+| apps.oxAppSuite.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.oxConnector.enabled | bool | `true` | Enables OX-Connector related resource creation. |
+| apps.oxConnector.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.postfix.enabled | bool | `true` | Enables Postfix related resource creation. |
+| apps.postfix.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.postgresql.enabled | bool | `true` | Enables PostgreSQL related resource creation. |
+| apps.postgresql.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.redis.enabled | bool | `true` | Enables Redis related resource creation. |
+| apps.redis.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| apps.xwiki.enabled | bool | `true` | Enables XWiki related resource creation. |
+| apps.xwiki.namespace | string | `""` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| clientIntents.apiVersion | string | `"k8s.otterize.com/v1alpha3"` | Choose the API version to use. |
+| clientIntents.enabled | bool | `true` | Enable creation of ClientIntents custom resource. |
+| extraApps.clusterPostfix.enabled | bool | `false` | Enables cluster-wide postfix related resource creation. |
+| extraApps.clusterPostfix.namespace | string | `"swp-cross-instance-mail"` | If omitted, resources are deployed in the same namespace as this helm chart. |
+| global.domain | string | `"example.internal"` | Deployment base domain used for egress restrictions to opendesk services via Ingress. |
+| global.hosts | object | `{"collabora":"office","cryptpad":"pad","element":"chat","intercomService":"ics","jitsi":"meet","keycloak":"id","matrixNeoBoardWidget":"matrix-neoboard-widget","matrixNeoChoiceWidget":"matrix-neochoice-widget","matrixNeoDateFixBot":"matrix-neodatefix-bot","matrixNeoDateFixWidget":"matrix-neodatefix-widget","minioApi":"objectstore","minioConsole":"objectstore-ui","nextcloud":"files","notes":"notes","nubus":"portal","openproject":"projects","openxchange":"webmail","synapse":"matrix","synapseFederation":"matrix-federation","whiteboard":"whiteboard","xwiki":"wiki"}` | A map of avaible deployment subdomains. |
+| ingressController.namespace | string | `"nginx-ingress"` | Namespace of ingress controller. |
+| ingressController.podSelector | object | `{"matchLabels":{"app.kubernetes.io/name":"nginx-ingress"}}` | Pod selector for ingress controller to match for NetworkPolicies. |
+| istioGateway.namespace | string | `"istio-system"` | Namespace of ingress controller. |
+| istioGateway.podSelector | object | `{"matchLabels":{"app":"gateway","istio":"gateway"}}` | Pod selector for ingress controller to match for NetworkPolicies. |
+| networkPolicies.enabled | bool | `true` | Enable creation of NetworkPolicies custom resource. |
+| prometheus.namespace | string | `"monitoring"` | Namespace of ingress controller. |
+| prometheus.podSelector | object | `{"matchLabels":{"app.kubernetes.io/name":"prometheus"}}` | Pod selector for ingress controller to match for NetworkPolicies. |
+| protectedServices.apiVersion | string | `"k8s.otterize.com/v1alpha3"` | Choose the API version to use. |
+| protectedServices.enabled | bool | `true` | Enable creation of ProtectedServices custom resource. |
+
+## Uninstalling the Chart
+
+To install the release with name `my-release`:
+
+```bash
+helm uninstall my-release
+```
+
+## Signing
+
+Helm charts are signed with helm native signing method.
+
+You can verify the chart against [the public GPG key](../../files/gpg-pubkeys/opendesk.gpg).
+
+## License
+
+This project uses the following license: Apache-2.0
+
+## Copyright
+
+Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"

helmfile/apps/opendesk-services/charts/opendesk-otterize/README.md.gotmpl.tpl

@@ -0,0 +1,50 @@
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`, you have two options:
+
+### Install via Repository
+
+```console
+helm repo add ${CI_PROJECT_NAME} ${CI_SERVER_PROTOCOL}://${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/helm/stable
+helm install my-release --version ${RELEASE_VERSION} ${CI_PROJECT_NAME}/{{ template "chart.name" . }}
+```
+
+### Install via OCI Registry
+
+```console
+helm repo add ${CI_PROJECT_NAME} oci://${CI_REGISTRY_IMAGE}
+helm install my-release --version ${RELEASE_VERSION} ${CI_PROJECT_NAME}/{{ template "chart.name" . }}
+```
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+## Uninstalling the Chart
+
+To install the release with name `my-release`:
+
+```bash
+helm uninstall my-release
+```
+
+## Signing
+
+Helm charts are signed with helm native signing method.
+
+You can verify the chart against [the public GPG key](../../files/gpg-pubkeys/opendesk.gpg).
+
+## License
+
+This project uses the following license: Apache-2.0
+
+## Copyright
+
+Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/clamav-freshclam.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.clamavDistributed.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "clamav-freshclam"
+  namespace: {{ .Values.apps.clamavDistributed.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "clamav-freshclam"
+  targets:
+    - internet:
+        domains:
+          - {{ .Values.apps.clamavDistributed.signatureHost | quote }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/clamav-icap.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.clamavDistributed.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "clamav-icap"
+  namespace: {{ .Values.apps.clamavDistributed.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "clamav-icap"
+  targets:
+    - kubernetes:
+        name: "clamav-clamd.{{ coalesce .Values.apps.clamavDistributed.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/clamav-milter.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.clamavDistributed.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "clamav-milter"
+  namespace: {{ .Values.apps.clamavDistributed.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "clamav-milter"
+  targets:
+    - kubernetes:
+        name: {{ printf "%s.%s" "clamav-clamd" (coalesce .Values.apps.clamavDistributed.namespace .Release.Namespace) | quote }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/clamav-simple.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.clamavSimple.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "clamav-simple"
+  namespace: {{ .Values.apps.clamavSimple.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "clamav-simple"
+  targets:
+    - internet:
+        domains:
+          - {{ .Values.apps.clamavSimple.signatureHost | quote }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/collabora-controller.yaml

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.collabora.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "collabora-controller"
+  namespace: {{ .Values.apps.collabora.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "collabora-controller"
+  targets:
+    - kubernetes:
+        name: "collabora-controller"
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/collabora.yaml

@@ -0,0 +1,30 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.collabora.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "collabora"
+  namespace: {{ .Values.apps.collabora.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "collabora"
+  targets:
+    - kubernetes:
+        name: "collabora-controller"
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/cryptpad.yaml

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.cryptpad.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "cryptpad"
+  namespace: {{ .Values.apps.cryptpad.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "cryptpad"
+  targets:
+    - kubernetes:
+        name: "clamav-clamd.{{ coalesce .Values.apps.clamavDistributed.namespace .Release.Namespace }}"
+    - internet:
+        domains:
+          - "registry.npmjs.org"
+          - "accounts.cryptpad.fr"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/impress-backend-init.yaml

@@ -0,0 +1,30 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.notes.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "impress-backend-init"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "impress-backend-init"
+    kind: "Job"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/impress-backend.yaml

@@ -0,0 +1,40 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.notes.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "impress-backend"
+  namespace: {{ .Values.apps.notes.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "impress-backend"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.redis.enabled }}
+    - kubernetes:
+        name: "redis.{{ coalesce .Values.apps.redis.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.postfix.enabled }}
+    - kubernetes:
+        name: "postfix.{{ coalesce .Values.apps.postfix.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/impress-y-provider.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.notes.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "impress-y-provider"
+  namespace: {{ .Values.apps.notes.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "impress-y-provider"
+  targets:
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/intercom-service.yaml

@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "intercom-service"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "intercom-service"
+  targets:
+    {{- if .Values.apps.redis.enabled }}
+    - kubernetes:
+        name: "redis.{{ coalesce .Values.apps.redis.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/jitsi-jibri.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.jitsi.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "jitsi-jibri"
+  namespace: {{ .Values.apps.jitsi.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "jitsi-jibri"
+  targets:
+    - kubernetes:
+        name: "jitsi-prosody.{{ coalesce .Values.apps.jitsi.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/jitsi-jicofo.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.jitsi.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "jitsi-jicofo"
+  namespace: {{ .Values.apps.jitsi.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "jitsi-jicofo"
+  targets:
+    - kubernetes:
+        name: "jitsi-prosody.{{ coalesce .Values.apps.jitsi.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/jitsi-jvb.yaml

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.jitsi.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "jitsi-jvb"
+  namespace: {{ .Values.apps.jitsi.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "jitsi-jvb"
+  targets:
+    - kubernetes:
+        name: "jitsi-prosody.{{ coalesce .Values.apps.jitsi.namespace .Release.Namespace }}"
+    - internet:
+        ips:
+          # Cloud provider instance metadata
+          - "169.254.169.254"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/jitsi-opendesk-jitsi.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.jitsi.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "jitsi-opendesk-jitsi"
+  namespace: {{ .Values.apps.jitsi.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "jitsi-opendesk-jitsi"
+  targets:
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/jitsi-prosody.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.jitsi.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "jitsi-prosody"
+  namespace: {{ .Values.apps.jitsi.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "jitsi-prosody"
+  targets:
+    - kubernetes:
+        name: "opendesk-matrix-user-verification-service.{{ coalesce .Values.apps.element.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/jitsi-web.yaml

@@ -0,0 +1,30 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.jitsi.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "jitsi-web"
+  namespace: {{ .Values.apps.jitsi.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "jitsi-web"
+  targets:
+    - kubernetes:
+        name: "jitsi-prosody.{{ coalesce .Values.apps.jitsi.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "opendesk-jitsi-keycloak-adapter.{{ coalesce .Values.apps.jitsi.namespace .Release.Namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/mariadb-bootstrap.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.mariadb.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "mariadb-bootstrap"
+  namespace: {{ .Values.apps.mariadb.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "mariadb-bootstrap"
+  targets:
+    - kubernetes:
+        name: "mariadb.{{ coalesce .Values.apps.mariadb.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/matrix-adminbot-bootstrap.yaml

@@ -0,0 +1,29 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.elementAdmin.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "matrix-adminbot-bootstrap"
+  namespace: {{ .Values.apps.elementAdmin.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "matrix-adminbot-bootstrap"
+    kind: "Job"
+  targets:
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/matrix-auditbot-bootstrap.yaml

@@ -0,0 +1,29 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.elementAdmin.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "matrix-auditbot-bootstrap"
+  namespace: {{ .Values.apps.elementAdmin.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "matrix-auditbot-bootstrap"
+    kind: "Job"
+  targets:
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/matrix-neodatefix-bot-bootstrap.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.element.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "matrix-neodatefix-bot-bootstrap"
+  namespace: {{ .Values.apps.element.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "matrix-neodatefix-bot-bootstrap"
+  targets:
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/matrix-neodatefix-bot.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.element.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "matrix-neodatefix-bot"
+  namespace: {{ .Values.apps.element.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "matrix-neodatefix-bot"
+  targets:
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/minio-provisioning.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.minio.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "minio-provisioning"
+  namespace: {{ .Values.apps.minio.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "minio-provisioning"
+  targets:
+    - kubernetes:
+        name: "minio.{{ coalesce .Values.apps.minio.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/nubus-nginx-s3-gateway.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "nubus-nginx-s3-gateway"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "nubus-nginx-s3-gateway"
+  targets:
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/open-xchange-bootstrap.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.oxAppSuite.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "open-xchange-bootstrap"
+  namespace: {{ .Values.apps.oxAppSuite.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "open-xchange-bootstrap"
+  targets:
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/open-xchange-connector.yaml

@@ -0,0 +1,36 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.oxAppSuite.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "open-xchange-connector"
+  namespace: {{ .Values.apps.oxAppSuite.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "open-xchange-connector"
+  targets:
+    - kubernetes:
+        name: "ums-provisioning-api"
+    {{- if .Values.apps.oxAppSuite.enabled }}
+    - kubernetes:
+        name: "open-xchange-core-mw.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace}}"
+    {{- end }}
+    {{- if .Values.apps.xwiki.enabled }}
+    - kubernetes:
+        name: "xwiki.{{ coalesce .Values.apps.xwiki.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    {{- end }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/open-xchange-core-mw-groupware.yaml

@@ -0,0 +1,70 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.oxAppSuite.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "open-xchange-core-mw-groupware"
+  namespace: {{ .Values.apps.oxAppSuite.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "open-xchange-core-mw"
+  targets:
+    {{- if .Values.apps.clamavSimple.enabled }}
+    - kubernetes:
+        name: "clamav-simple.{{ coalesce .Values.apps.clamavSimple.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.clamavDistributed.enabled }}
+    - kubernetes:
+        name: "clamav-distributed.{{ coalesce .Values.apps.clamavDistributed.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.mariadb.enabled }}
+    - kubernetes:
+        name: "mariadb.{{ coalesce .Values.apps.mariadb.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "open-xchange-core-documentconverter.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+        kind: "Deployment"
+    - kubernetes:
+        name: "open-xchange-core-imageconverter.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+        kind: "Deployment"
+    - kubernetes:
+        name: "open-xchange-dovecot.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "open-xchange-postfix.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+    {{- if .Values.apps.element.enabled }}
+    - kubernetes:
+        name: "opendesk-synapse-web.{{ coalesce .Values.apps.element.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.nextcloud.enabled }}
+    - kubernetes:
+        name: "opendesk-nextcloud-aio.{{ coalesce .Values.apps.nextcloud.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.redis.enabled }}
+    - kubernetes:
+        name: "redis.{{ coalesce .Values.apps.redis.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.nubus.enabled }}
+    - kubernetes:
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    {{- end }}
+    - kubernetes:
+          name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+          kind: "Deployment"
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/open-xchange-core-ui-middleware.yaml

@@ -0,0 +1,39 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.oxAppSuite.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "open-xchange-core-ui-middleware"
+  namespace: {{ .Values.apps.oxAppSuite.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "open-xchange-core-ui-middleware"
+  targets:
+    {{- if .Values.apps.redis.enabled }}
+    - kubernetes:
+        name: "redis.{{ coalesce .Values.apps.redis.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "open-xchange-guard-ui.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "open-xchange-core-ui.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "open-xchange-guidedtours.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "open-xchange-nextcloud-integration-ui.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "open-xchange-public-sector-ui.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/open-xchange-dovecot.yaml

@@ -0,0 +1,41 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.oxAppSuite.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "open-xchange-dovecot"
+  namespace: {{ .Values.apps.oxAppSuite.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "open-xchange-dovecot"
+  targets:
+    {{- if .Values.apps.nubus.enabled }}
+    - kubernetes:
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    {{- end }}
+    {{- if .Values.apps.postfix.enabled }}
+    - kubernetes:
+        name: "postfix.{{ coalesce .Values.apps.postfix.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+    {{- if .Values.apps.cassandra.enabled }}
+    - kubernetes:
+        name: "cassandra.{{ coalesce .Values.apps.cassandra.namespace .Release.Namespace }}"
+    {{- end }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/open-xchange-imageconverter.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.oxAppSuite.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "open-xchange-imageconverter"
+  namespace: {{ .Values.apps.oxAppSuite.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "open-xchange-imageconverter"
+  targets:
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/open-xchange-postfix.yaml

@@ -0,0 +1,40 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "open-xchange-postfix"
+  namespace: {{ .Values.apps.oxAppSuite.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "open-xchange-postfix"
+  targets:
+    {{- if .Values.apps.clamavDistributed.enabled }}
+      - kubernetes:
+          name: "clamav-milter.{{ coalesce .Values.apps.clamavDistributed.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.clamavSimple.enabled}}
+      - kubernetes:
+          name: "clamav-simple.{{ coalesce .Values.apps.clamavSimple.namespace .Release.Namespace }}"
+    {{- end }}
+      - kubernetes:
+          name: "open-xchange-dovecot.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+    {{- if .Values.apps.dkimpy.enabled }}
+      - kubernetes:
+          name: "dkimpy-milter.{{ coalesce .Values.apps.dkimpy.namespace .Release.Namespace }}"
+    {{- end }}
+      - internet:
+          domains:
+            - "{{ .Values.smtp.host }}"
+...

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-jitsi-keycloak-adapter.yaml

@@ -0,0 +1,29 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.jitsi.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-jitsi-keycloak-adapter"
+  namespace: {{ .Values.apps.jitsi.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-jitsi-keycloak-adapter"
+    kind: "Deployment"
+  targets:
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-keycloak-bootstrap.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-keycloak-bootstrap"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-keycloak-bootstrap"
+  targets:
+    - kubernetes:
+        name: "ums-keycloak.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-matrix-user-verification-service-bootstrap.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.element.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-matrix-user-verification-service-bootstrap"
+  namespace: {{ .Values.apps.element.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-matrix-user-verification-service-bootstrap"
+  targets:
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-matrix-user-verification-service.yaml

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.element.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-matrix-user-verification-service"
+  namespace: {{ .Values.apps.element.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-matrix-user-verification-service"
+  targets:
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+    - internet:
+        domains:
+          - "registry.npmjs.org"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-migrations-post.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.migrations.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-migrations-post"
+  namespace: {{ .Values.apps.migrations.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-migrations-post"
+  targets:
+    - internet:
+        domains:
+          - {{ .Values.cluster.api.domain }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-migrations-pre.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.migrations.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-migrations-pre"
+  namespace: {{ .Values.apps.migrations.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-migrations-pre"
+  targets:
+    - internet:
+        domains:
+          - {{ .Values.cluster.api.domain }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-nextcloud-aio-cron.yaml

@@ -0,0 +1,52 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nextcloud.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-nextcloud-aio-cron"
+  namespace: {{ .Values.apps.nextcloud.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-nextcloud-aio-cron"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.redis.enabled }}
+    - kubernetes:
+        name: "redis"
+    {{- end }}
+    {{- if .Values.apps.nubus.enabled }}
+    - kubernetes:
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    {{- end }}
+    {{- if .Values.apps.clamavSimple.enabled }}
+    - kubernetes:
+        name: "clamav-simple.{{ coalesce .Values.apps.clamavSimple.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.postfix.enabled }}
+    - kubernetes:
+        name: "postfix.{{ coalesce .Values.apps.postfix.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+    - internet:
+        domains:
+          - "cloud.nextcloud.com"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-nextcloud-aio.yaml

@@ -0,0 +1,53 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nextcloud.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-nextcloud-aio"
+  namespace: {{ .Values.apps.nextcloud.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-nextcloud-aio"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.redis.enabled }}
+    - kubernetes:
+        name: "redis"
+    {{- end }}
+    {{- if .Values.apps.nubus.enabled }}
+    - kubernetes:
+        name: "ums-ldap-server-primary"
+        kind: "StatefulSet"
+    - kubernetes:
+        name: "ums-portal-server"
+    {{- end }}
+    {{- if .Values.apps.clamavSimple.enabled }}
+    - kubernetes:
+        name: "clamav-simple"
+    {{- end }}
+    {{- if .Values.apps.postfix.enabled }}
+    - kubernetes:
+        name: "postfix"
+    {{- end }}
+    - kubernetes:
+        name: "opendesk-nextcloud-notifypush"
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-nextcloud-exporter.yaml

@@ -0,0 +1,30 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nextcloud.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-nextcloud-exporter"
+  namespace: {{ .Values.apps.nextcloud.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-nextcloud-exporter"
+  targets:
+    - kubernetes:
+        name: "opendesk-nextcloud-aio.{{ coalesce .Values.apps.nextcloud.namespace .Release.Namespace }}"
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-nextcloud-management.yaml

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nextcloud.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-nextcloud-management"
+  namespace: {{ .Values.apps.nextcloud.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-nextcloud-management"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.redis.enabled }}
+    - kubernetes:
+        name: "redis.{{ coalesce .Values.apps.redis.namespace .Release.Namespace }}"
+    {{- end }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-nextcloud-notifypush.yaml

@@ -0,0 +1,35 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nextcloud.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-nextcloud-notifypush"
+  namespace: {{ .Values.apps.nextcloud.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-nextcloud-notifypush"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.redis.enabled }}
+    - kubernetes:
+        name: "redis.{{ coalesce .Values.apps.redis.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "opendesk-nextcloud-aio.{{ coalesce .Values.apps.nextcloud.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-openproject-bootstrap.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.openproject.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-openproject-bootstrap"
+  namespace: {{ .Values.apps.openproject.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-openproject-bootstrap"
+  targets:
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-synapse-admin-cron.yaml

@@ -0,0 +1,35 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.elementAdmin.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-synapse-admin-cron"
+  namespace: {{ .Values.apps.elementAdmin.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-synapse-admin-cron"
+  targets:
+    - kubernetes:
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    - kubernetes:
+        name: "ums-ldap-server-secondary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-synapse-admin.yaml

@@ -0,0 +1,29 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.elementAdmin.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-synapse-admin"
+  namespace: {{ .Values.apps.elementAdmin.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-synapse-admin"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-synapse-adminbot-pipe.yaml

@@ -0,0 +1,29 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.elementAdmin.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-synapse-adminbot-pipe"
+  namespace: {{ .Values.apps.elementAdmin.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-synapse-adminbot-pipe"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "opendesk-synapse-web.{{ coalesce .Values.apps.element.namespace .Release.Namespace }}"
+    {{- end }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-synapse-auditbot-pipe.yaml

@@ -0,0 +1,29 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.elementAdmin.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-synapse-auditbot-pipe"
+  namespace: {{ .Values.apps.elementAdmin.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-synapse-auditbot-pipe"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "opendesk-synapse-web.{{ coalesce .Values.apps.element.namespace .Release.Namespace }}"
+    {{- end }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-synapse-groupsync .yaml

@@ -0,0 +1,37 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.elementGroupsync.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-synapse-groupsync"
+  namespace: {{ .Values.apps.elementGroupsync.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-synapse-groupsync"
+  targets:
+    {{- if .Values.apps.element.enabled }}
+    - kubernetes:
+        name: "opendesk-synapse-web.{{ coalesce .Values.apps.element.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.nubus.enabled }}
+    - kubernetes:
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    - kubernetes:
+        name: "ums-ldap-server-secondary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    {{- end}}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-synapse-web.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.element.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-synapse-web"
+  namespace: {{ .Values.apps.element.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-synapse-web"
+  targets:
+    - kubernetes:
+        name: "opendesk-synapse.{{ coalesce .Values.apps.element.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/opendesk-synapse.yaml

@@ -0,0 +1,40 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.element.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "opendesk-synapse"
+  namespace: {{ .Values.apps.element.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "opendesk-synapse"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.elementAdmin.enabled }}
+    - kubernetes:
+        name: "opendesk-synapse-auditbot-pipe.{{ coalesce .Values.apps.elementAdmin.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "opendesk-synapse-adminbot-pipe.{{ coalesce .Values.apps.elementAdmin.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "opendesk-synapse-groupsync.{{ coalesce .Values.apps.elementAdmin.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+          name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+          kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/openproject-seeder.yaml

@@ -0,0 +1,36 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.openproject.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "openproject-seeder"
+  namespace: {{ .Values.apps.openproject.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "openproject-seeder"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.memcached.enabled }}
+    - kubernetes:
+        name: "memcached.{{ coalesce .Values.apps.memcached.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/openproject.yaml

@@ -0,0 +1,48 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.openproject.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "openproject"
+  namespace: {{ .Values.apps.openproject.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "openproject"
+  targets:
+    {{- if .Values.apps.memcached.enabled }}
+    - kubernetes:
+        name: "memcached.{{ coalesce .Values.apps.memcached.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.postfix.enabled }}
+    - kubernetes:
+        name: "postfix.{{ coalesce .Values.apps.postfix.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.nubus.enabled }}
+    - kubernetes:
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    {{- end }}
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+    - internet:
+        domains:
+          - "{{ .Values.cluster.networking.ingressGatewayIP }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/postfix.yaml

@@ -0,0 +1,44 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.postfix.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "postfix"
+  namespace: {{ .Values.apps.postfix.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "postfix"
+  targets:
+    {{- if .Values.apps.clamavDistributed.enabled }}
+    - kubernetes:
+        name: "clamav-milter.{{ coalesce .Values.apps.clamavDistributed.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.clamavSimple.enabled }}
+    - kubernetes:
+        name: "clamav-simple.{{ coalesce .Values.apps.clamavSimple.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.dovecot.enabled }}
+    - kubernetes:
+        name: "open-xchange-dovecot.{{ coalesce .Values.apps.oxAppSuite.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.dkimpy.enabled }}
+    - kubernetes:
+        name: "dkimpy-milter.{{ coalesce .Values.apps.dkimpy.namespace .Release.Namespace }}"
+    {{- end }}
+    - internet:
+        domains:
+          - "{{ .Values.smtp.host }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/postgresql-bootstrap.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.postgresql.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "postgresql-bootstrap"
+  namespace: {{ .Values.apps.postgresql.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "postgresql-bootstrap"
+  targets:
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-keycloak-bootstrap.yaml

@@ -0,0 +1,30 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-keycloak-bootstrap"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-keycloak-bootstrap"
+  targets:
+    - kubernetes:
+        name: "ums-keycloak.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-keycloak-extensions-handler.yaml

@@ -0,0 +1,35 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-keycloak-extensions-handler"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-keycloak-extensions-handler"
+  targets:
+    {{- if .Values.apps.postfix.enabled }}
+    - kubernetes:
+        name: "postfix.{{ coalesce .Values.apps.postfix.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.postgresql.enabled}}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "ums-keycloak.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-keycloak-extensions-proxy.yaml

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-keycloak-extensions-proxy"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-keycloak-extensions-proxy"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "ums-keycloak.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-keycloak.yaml

@@ -0,0 +1,35 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-keycloak"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-keycloak"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        kind: "StatefulSet"
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-ldap-notifier.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-ldap-notifier"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-ldap-notifier"
+  targets:
+    - kubernetes:
+        name: "ums-provisioning-udm-listener.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-ldap-server-primary.yaml

@@ -0,0 +1,30 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-ldap-server-primary"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-ldap-server-primary"
+  targets:
+    - kubernetes:
+        name: "ums-keycloak.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - internet:
+        domains:
+          - "{{ .Values.cluster.api.domain }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-ldap-server-secondary.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-ldap-server-secondary"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-ldap-server-secondary"
+  targets:
+    - kubernetes:
+        name: "ums-keycloak.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-portal-consumer.yaml

@@ -0,0 +1,35 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-portal-consumer"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-portal-consumer"
+  targets:
+    - kubernetes:
+        name: "ums-provisioning-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "ums-udm-rest-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-portal-server.yaml

@@ -0,0 +1,35 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-portal-server"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-portal-server"
+  targets:
+    - kubernetes:
+        name: "ums-udm-rest-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "ums-umc-server.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+    - internet:
+        domains:
+          - "{{ .Values.cluster.networking.ingressGatewayIP }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-provisioning-api.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-provisioning-api"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-provisioning-api"
+  targets:
+    - kubernetes:
+        name: "ums-provisioning-nats.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-provisioning-dispatcher.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-provisioning-dispatcher"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-provisioning-dispatcher"
+  targets:
+    - kubernetes:
+        name: "ums-provisioning-nats.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-provisioning-prefill.yaml

@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-provisioning-prefill"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-provisioning-prefill"
+  targets:
+    - kubernetes:
+        name: "ums-provisioning-nats.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    - kubernetes:
+        name: "ums-udm-rest-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "ums-provisioning-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-provisioning-register-consumers.yaml

@@ -0,0 +1,29 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-provisioning-register-consumers"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-provisioning-register-consumers"
+  targets:
+    - kubernetes:
+        name: "ums-provisioning-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "ums-udm-rest-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-provisioning-udm-listener.yaml

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-provisioning-udm-listener"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-provisioning-udm-listener"
+  targets:
+    - kubernetes:
+        name: "ums-ldap-notifier.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "ums-provisioning-nats.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    - kubernetes:
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-provisioning-udm-transformer.yaml

@@ -0,0 +1,36 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-provisioning-udm-transformer"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-provisioning-udm-transformer"
+  targets:
+    - kubernetes:
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    - kubernetes:
+        name: "ums-ldap-server-secondary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+    - kubernetes:
+        name: "ums-provisioning-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "ums-provisioning-nats.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+        kind: "StatefulSet"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-selfservice-listener.yaml

@@ -0,0 +1,29 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-selfservice-listener"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-selfservice-listener"
+  targets:
+    - kubernetes:
+        name: "ums-umc-server.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "ums-provisioning-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-stack-data-ums.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-stack-data-ums"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-stack-data-ums"
+  targets:
+  - kubernetes:
+      name: "ums-udm-rest-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-udm-rest-api.yaml

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-udm-rest-api"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-udm-rest-api"
+  targets:
+  - kubernetes:
+      name: "ums-udm-rest-api.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+  - kubernetes:
+      name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+      kind: "StatefulSet"
+  - kubernetes:
+      name: "ums-ldap-server-secondary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+      kind: "StatefulSet"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/ums-umc-server.yaml

@@ -0,0 +1,43 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nubus.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "ums-umc-server"
+  namespace: {{ .Values.apps.nubus.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    name: "ums-umc-server"
+  targets:
+    - kubernetes:
+        kind: "StatefulSet"
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        kind: "StatefulSet"
+        name: "ums-ldap-server-secondary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "ums-keycloak.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        name: "ums-umc-server.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.postfix.enabled }}
+    - kubernetes:
+        name: "postfix.{{ coalesce .Values.apps.postfix.namespace .Release.Namespace }}"
+    {{- end }}
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ClientIntents/xwiki.yaml

@@ -0,0 +1,51 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.xwiki.enabled .Values.clientIntents.enabled }}
+---
+apiVersion: {{ .Values.clientIntents.apiVersion | quote }}
+kind: "ClientIntents"
+metadata:
+  name: "xwiki"
+  namespace: {{ .Values.apps.xwiki.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  workload:
+    kind: "StatefulSet"
+    name: "xwiki"
+  targets:
+    {{- if .Values.apps.postgresql.enabled }}
+    - kubernetes:
+        name: "postgresql.{{ coalesce .Values.apps.postgresql.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        kind: "StatefulSet"
+        name: "ums-ldap-server-primary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    - kubernetes:
+        kind: "StatefulSet"
+        name: "ums-ldap-server-secondary.{{ coalesce .Values.apps.nubus.namespace .Release.Namespace }}"
+    {{- if .Values.apps.collabora.enabled }}
+    - kubernetes:
+        name: "collabora.{{ coalesce .Values.apps.collabora.namespace .Release.Namespace }}"
+    {{- end }}
+    {{- if .Values.apps.postfix.enabled }}
+    - kubernetes:
+        name: "postfix.{{ coalesce .Values.apps.postfix.namespace .Release.Namespace }}"
+    {{- end }}
+    - kubernetes:
+        name: "{{ .Values.ingressController.name }}.{{ .Values.ingressController.namespace }}"
+        kind: "Deployment"
+    - internet:
+        domains:
+          - "extensions.xwiki.org"
+          - "store.xwiki.com"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/NetworkPolicies/allow-all-dev-ingress.yaml

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+  name: "allow-all-dev-ingress"
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector: {}
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              network-policy-dev: "true"
+  policyTypes:
+    - "Ingress"
+...

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/NetworkPolicies/allow-all-dev.yaml

@@ -0,0 +1,27 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+  name: "allow-all-dev"
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      network-policy-dev: "true"
+  egress:
+    - {}
+  policyTypes:
+    - "Egress"
+...

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/NetworkPolicies/collabora-prometheus-access.yaml

@@ -0,0 +1,35 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.collabora.enabled .Values.networkPolicies.enabled .Values.monitoring.prometheus.serviceMonitors.enabled }}
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+  name: "collabora-prometheus-access"
+  namespace: {{ .Values.apps.collabora.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: "collabora-online"
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            {{- .Values.monitoring.prometheus.podSelectorLabels | toYaml | nindent 12 }}
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Values.monitoring.prometheus.namespace | quote }}
+  policyTypes:
+    - "Ingress"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/NetworkPolicies/default-deny-all.yaml

@@ -0,0 +1,24 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+  name: "default-deny-all"
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - "Ingress"
+    - "Egress"
+...

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/NetworkPolicies/default-dns-access.yaml

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+  name: "default-dns-access"
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - "Egress"
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: "kube-system"
+        - podSelector:
+            matchLabels:
+              k8s-app: "kube-dns"
+...

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/NetworkPolicies/dovecot.yaml

@@ -0,0 +1,35 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.extraApps.clusterPostfix.enabled .Values.networkPolicies.enabled }}
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+  name: "{{ include "common.names.fullname" . }}-dovecot-external"
+  namespace: {{ .Values.apps.dovecot.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: "dovecot"
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: "postfix"
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.extraApps.clusterPostfix.namespace | quote }}
+  policyTypes:
+    - "Ingress"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/NetworkPolicies/minio-prometheus-access.yaml

@@ -0,0 +1,35 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.minio.enabled .Values.networkPolicies.enabled .Values.monitoring.prometheus.serviceMonitors.enabled }}
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+  name: "minio-prometheus-access"
+  namespace: {{ .Values.apps.minio.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: "minio"
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            {{- .Values.monitoring.prometheus.podSelectorLabels | toYaml | nindent 12 }}
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Values.monitoring.prometheus.namespace | quote }}
+  policyTypes:
+    - "Ingress"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/NetworkPolicies/opendesk-nextcloud-exporter-prometheus-access.yaml

@@ -0,0 +1,36 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.nextcloud.enabled .Values.networkPolicies.enabled .Values.monitoring.prometheus.serviceMonitors.enabled }}
+---
+apiVersion: "networking.k8s.io/v1"
+kind: "NetworkPolicy"
+metadata:
+  name: "opendesk-nextcloud-exporter-prometheus-access"
+  namespace: {{ .Values.apps.nextcloud.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: "opendesk-nextcloud"
+      app.kubernetes.io/name: "exporter"
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            {{- .Values.monitoring.prometheus.podSelectorLabels | toYaml | nindent 12 }}
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: {{ .Values.monitoring.prometheus.namespace | quote }}
+  policyTypes:
+    - "Ingress"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ProtectedServices/cassandra.yaml

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.cassandra.enabled .Values.protectedServices.enabled }}
+---
+apiVersion: {{ .Values.protectedServices.apiVersion | quote }}
+kind: "ProtectedService"
+metadata:
+  name: "cassandra"
+  namespace: {{ .Values.apps.cassandra.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  name: "cassandra"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ProtectedServices/clamav-clamd.yaml

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.clamavDistributed.enabled .Values.protectedServices.enabled }}
+---
+apiVersion: {{ .Values.protectedServices.apiVersion | quote }}
+kind: "ProtectedService"
+metadata:
+  name: "clamav-clamd"
+  namespace: {{ .Values.apps.clamavDistributed.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  name: "clamav-clamd"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ProtectedServices/clamav-freshclam.yaml

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.clamavDistributed.enabled .Values.protectedServices.enabled }}
+---
+apiVersion: {{ .Values.protectedServices.apiVersion | quote }}
+kind: "ProtectedService"
+metadata:
+  name: "clamav-freshclam"
+  namespace: {{ .Values.apps.clamavDistributed.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  name: "clamav-freshclam"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ProtectedServices/clamav-icap.yaml

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.clamavDistributed.enabled .Values.protectedServices.enabled }}
+---
+apiVersion: {{ .Values.protectedServices.apiVersion | quote }}
+kind: "ProtectedService"
+metadata:
+  name: "clamav-icap"
+  namespace: {{ .Values.apps.clamavDistributed.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  name: "clamav-icap"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ProtectedServices/clamav-milter.yaml

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.clamavDistributed.enabled .Values.protectedServices.enabled }}
+---
+apiVersion: {{ .Values.protectedServices.apiVersion | quote }}
+kind: "ProtectedService"
+metadata:
+  name: "clamav-milter"
+  namespace: {{ .Values.apps.clamavDistributed.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  name: "clamav-milter"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ProtectedServices/clamav-simple.yaml

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.clamavSimple.enabled .Values.protectedServices.enabled }}
+---
+apiVersion: {{ .Values.protectedServices.apiVersion | quote }}
+kind: "ProtectedService"
+metadata:
+  name: "clamav-simple"
+  namespace: {{ .Values.apps.clamavSimple.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  name: "clamav-simple"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ProtectedServices/collabora-controller.yaml

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.collabora.enabled .Values.protectedServices.enabled }}
+---
+apiVersion: {{ .Values.protectedServices.apiVersion | quote }}
+kind: "ProtectedService"
+metadata:
+  name: "collabora-controller"
+  namespace: {{ .Values.apps.collabora.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  name: "collabora-controller"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ProtectedServices/collabora.yaml

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.collabora.enabled .Values.protectedServices.enabled }}
+---
+apiVersion: {{ .Values.protectedServices.apiVersion | quote }}
+kind: "ProtectedService"
+metadata:
+  name: "collabora"
+  namespace: {{ .Values.apps.collabora.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  name: "collabora"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ProtectedServices/cryptpad.yaml

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.cryptpad.enabled .Values.protectedServices.enabled }}
+---
+apiVersion: {{ .Values.protectedServices.apiVersion | quote }}
+kind: "ProtectedService"
+metadata:
+  name: "cryptpad"
+  namespace: {{ .Values.apps.cryptpad.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  name: "cryptpad"
+...
+{{- end }}

helmfile/apps/opendesk-services/charts/opendesk-otterize/templates/ProtectedServices/dkimpy.yaml

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{- if and .Values.apps.dkimpy.enabled .Values.protectedServices.enabled }}
+---
+apiVersion: {{ .Values.protectedServices.apiVersion | quote }}
+kind: "ProtectedService"
+metadata:
+  name: "dkimpy"
+  namespace: {{ .Values.apps.dkimpy.namespace | default .Release.Namespace | quote }}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.additionalLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.additionalLabels "context" . ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.additionalAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.additionalAnnotations "context" . ) | nindent 4 }}
+  {{- end }}
+spec:
+  name: "dkimpy-milter"
+...
+{{- end }}