chore(misc): Add standard python script guard to charts-local.py

This adds a `if __name__ == "__main__"` guard to the charts-local.py script.
The guard should always be used to make it obvious to developers that this is
the entrypoint of the script and to prevent accidental side effects when handling
the script as a python module in any way (e.g. during interactive debugging).

.gitlab-ci.yml

@@ -767,17 +767,33 @@ import-default-accounts:
     - "echo \"Starting default account import for ${DOMAIN}\""
     - "cd /app"
     - |
-      ./user_import_udm_rest_api.py \
-        --import_domain ${DOMAIN} \
-        --udm_api_password ${DEFAULT_ADMINISTRATOR_PASSWORD} \
-        --set_default_password ${DEFAULT_ACCOUNTS_PASSWORD} \
-        --import_filename ./template.ods \
-        --admin_enable_fileshare True \
-        --admin_enable_knowledgemanagement True \
-        --admin_enable_projectmanagement True \
-        --create_admin_accounts True \
-        --create_maildomains True \
-        --verify_certificate False
+      set +e
+      success=0
+      for i in {1..5}; do
+        echo "Attempt $i/5..."
+        ./user_import_udm_rest_api.py \
+          --import_domain ${DOMAIN} \
+          --udm_api_password ${DEFAULT_ADMINISTRATOR_PASSWORD} \
+          --set_default_password ${DEFAULT_ACCOUNTS_PASSWORD} \
+          --import_filename ./template.ods \
+          --admin_enable_fileshare True \
+          --admin_enable_knowledgemanagement True \
+          --admin_enable_projectmanagement True \
+          --create_admin_accounts True \
+          --create_maildomains True \
+          --verify_certificate False
+        if [ $? -eq 0 ]; then
+          echo "Script succeeded on attempt $i."
+          success=1
+          break
+        fi
+        echo "Script failed. Waiting 60 seconds before retry..."
+        sleep 60
+      done
+      if [ "$success" -ne 1 ]; then
+        echo "Script failed after 5 attempts."
+        exit 1
+      fi
 
 run-tests:
   stage: "post-execute"

CHANGELOG.md

@@ -1,3 +1,30 @@
+# [1.10.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.9.0...v1.10.0) (2025-11-24)
+
+
+### Bug Fixes
+
+* **collabora:** Update Controller to 1.1.6 incl. Helm chart update to 1.1.10 ([d25c95f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d25c95f06bc199d09aa6ea4dc09c10e95153de38))
+* **collabora:** Update from 25.04.5 to 25.04.6 ([8de0f5d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8de0f5de7277ad726588d7de2d06cb3e9376c993))
+* **external-services:** Create `nubus_authsession` database ([ec72602](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ec72602cdd3207f73ff806a26bfe7b9fd32b8634))
+* **helmfile:** Enable verification for XWiki Helm chart ([5104793](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/51047936de102c610adc00f4dff12d2eb8e945b0))
+* **helmfile:** Streamline annotations ([7aa717c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7aa717c0509a731c060c58a1b5877e1d9899406f))
+* **nubus:** Remove legacy `UMC` Keycloak client that was used for SAML connection with the Nubus portal ([152221f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/152221fa7976bfa942d5e9e9b8f78cc8e65765c0))
+* **open-xchange:** Only enable `smtpSASLAuthEnable` when `relayHost` is set ([70bbbf3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/70bbbf311fcba57c31f535be7d0d453f4a945cee))
+* **open-xchange:** Optimize Dovecot Pro full-text search caches; review `migrations.md` for required upgrade steps ([f3f707c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f3f707c9eee8edf3ad61834d87b5c059f31b0e26))
+* **open-xchange:** Template SASL security options ([684c6d4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/684c6d4f29dd447872ebe582eef43c04034896f7))
+* **open-xchange:** Update Dovecot configuration based on supplier's best practise review ([850761e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/850761e0475b2f281fb23f6972d5c74fbdaa3a61))
+* **opendesk-static-files:** [[#260](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/260)] Fix doublette creation of configmap `data` keys when the same file is referenced multiple times for a component ([b5a76be](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b5a76bea57ef7b136c54d1bc95c40f0a0c3f9716))
+* **openproject:** Update from 16.6.0 to 16.6.1 ([62fae99](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/62fae9976a731c00700d56ce8fab198bb2531d20))
+* **xwiki:** Update XWiki from 17.4.4 to 17.4.7 ([02a3b77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/02a3b7711490394690df70ca92bab58b253e34f5))
+
+
+### Features
+
+* **jitsi:** Update from 2.0.10431 to 2.0.10590 ([f5aad1f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f5aad1fa47559f0d3941c233c7d40029a9e83281))
+* **nubus:** Update from v1.14.0 to v1.15.2 ([12379d6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/12379d67e07936496fe31276b2052406e0137db6))
+* **open-xchange:** Support for LDAP group based mailing lists ([cc94f0c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cc94f0c66df098d0a20f7f0d4a6af5e791557981))
+* **openproject:** Update OpenProject from 16.5.1 to 16.6.0 ([19438c0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/19438c02817875bd408c5d6cf423d7bfb61f907f))
+
 # [1.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.8.0...v1.9.0) (2025-11-07)
 
 

dev/charts-local.py

@@ -1,6 +1,14 @@
 #!/usr/bin/env python3
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
+# /// script
+# requires-python = ">=3.12"
+# dependencies = [
+#     "configargparse",
+#     "gitpython",
+#     "pyyaml",
+# ]
+# ///
 
 import os.path
 import logging
@@ -13,40 +21,6 @@ import configargparse
 from pathlib import Path
 from git import Repo
 
-p = configargparse.ArgParser()
-p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work with. Will be created by the script if it does not exist yet.')
-p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
-p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
-p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
-p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
-options = p.parse_args()
-
-script_path = os.path.dirname(os.path.realpath(__file__))
-# some static definitions
-log_path = script_path+'/../logs'
-charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml.gotmpl'
-base_repo_path = script_path+'/..'
-base_helmfile = base_repo_path+'/helmfile_generic.yaml.gotmpl'
-helmfile_backup_extension = '.bak'
-
-Path(log_path).mkdir(parents=True, exist_ok=True)
-
-logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
-rootLogger = logging.getLogger()
-rootLogger.setLevel(options.loglevel)
-
-fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
-fileHandler.setFormatter(logFormatter)
-rootLogger.addHandler(fileHandler)
-
-consoleHandler = logging.StreamHandler()
-consoleHandler.setFormatter(logFormatter)
-rootLogger.addHandler(consoleHandler)
-
-logging.debug(f"Working with relative paths from script location: {script_path}")
-logging.debug(f"Log directory:      {log_path}")
-logging.debug(f"charts.yaml.gotmpl: {charts_yaml}")
-
 
 def create_or_switch_branch_base_repo():
     base_repo = Repo(path=base_repo_path)
@@ -188,11 +162,50 @@ def revert_the_helmfiles():
 ##
 ## Main program
 ##
-if options.revert:
-    revert_the_helmfiles()
-else:
-    branch = create_or_switch_branch_base_repo()
-    with open(charts_yaml, 'r') as file:
-        charts = yaml.safe_load(file)
-    charts_dict = clone_charts_locally(branch, charts)
-    process_the_helmfiles(charts_dict, charts)
+if __name__ == "__main__":
+    p = configargparse.ArgParser()
+    p.add('--branch', env_var='CHART_DEV_BRANCH',
+          help='The branch you want to work with. Will be created by the script if it does not exist yet.')
+    p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de',
+          help='Set the hostname for the chart git checkouts.')
+    p.add('--revert', default=False, action='store_true',
+          help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
+    p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
+    p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG',
+          help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
+    options = p.parse_args()
+
+    script_path = os.path.dirname(os.path.realpath(__file__))
+    # some static definitions
+    log_path = script_path + '/../logs'
+    charts_yaml = script_path + '/../helmfile/environments/default/charts.yaml.gotmpl'
+    base_repo_path = script_path + '/..'
+    base_helmfile = base_repo_path + '/helmfile_generic.yaml.gotmpl'
+    helmfile_backup_extension = '.bak'
+
+    Path(log_path).mkdir(parents=True, exist_ok=True)
+
+    logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
+    rootLogger = logging.getLogger()
+    rootLogger.setLevel(options.loglevel)
+
+    fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
+    fileHandler.setFormatter(logFormatter)
+    rootLogger.addHandler(fileHandler)
+
+    consoleHandler = logging.StreamHandler()
+    consoleHandler.setFormatter(logFormatter)
+    rootLogger.addHandler(consoleHandler)
+
+    logging.debug(f"Working with relative paths from script location: {script_path}")
+    logging.debug(f"Log directory:      {log_path}")
+    logging.debug(f"charts.yaml.gotmpl: {charts_yaml}")
+
+    if options.revert:
+        revert_the_helmfiles()
+    else:
+        branch = create_or_switch_branch_base_repo()
+        with open(charts_yaml, 'r') as file:
+            charts = yaml.safe_load(file)
+        charts_dict = clone_charts_locally(branch, charts)
+        process_the_helmfiles(charts_dict, charts)

docs/migrations.md

@@ -10,8 +10,12 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Overview and mandatory upgrade path](#overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [Versions ≥ v1.11.0](#versions--v1110)
+    * [Pre-upgrade to versions ≥ v1.11.0](#pre-upgrade-to-versions--v1110)
+      * [Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)](#helmfile-new-option-annotations-for-external-services-dovecot-jitsi-jvb-postfix)
   * [Versions ≥ v1.10.0](#versions--v1100)
     * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
+      * [Deployment cleanup: Collabora Controller](#deployment-cleanup-collabora-controller)
       * [Helmfile new secret: `secrets.nubus.ldapSearch.postfix`](#helmfile-new-secret-secretsnubusldapsearchpostfix)
       * [Helmfile new secret: `secrets.doveocot.sharedMailboxesMasterPassword`](#helmfile-new-secret-secretsdoveocotsharedmailboxesmasterpassword)
       * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed)
@@ -181,10 +185,58 @@ If you would like more details about the automated migrations, please read secti
 > listed no extra manual steps are required when upgrading to that version, e.g. in the case of an update from
 > version 1.7.0 to version 1.7.1.
 
+## Versions ≥ v1.11.0
+
+### Pre-upgrade to versions ≥ v1.11.0
+
+#### Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)
+
+**Target group:** Existing deployments using `service` annotations.
+
+The three non-HTTP external services support now explicit annotations.
+See [`annotations.yaml.gomtpl`](../helmfile/environments/default/annotations.yaml.gotmpl) for reference.
+
+**Jitsi JVB**
+
+The already existing annotation key `annotations.jitsiJVB.service` has been renamed to
+`annotations.jitsiJVB.serviceExternal` be in line with the newly added ones for Postfix and Dovecot.
+If you make use of the JVB service annotation please rename the attribute to the new `serviceExternal` standard.
+
+**Dovecot**
+
+Setting service annotation by `annotations.openxchangeDovecot.service` applied the annotations to the internal
+and external service. This key now only sets annotations for the internal service. If you want to set
+annotations for the external service use the newly introduced key `annotations.openxchangeDovecot.serviceExternal`.
+
+**Postfix**
+
+Setting service annotation by `annotations.openxchangePostfix.service` applied the annotations to the internal
+and external service. This key now only sets annotations for the internal service. If you want to set
+annotations for the external service use the newly introduced key `annotations.openxchangePostfix.serviceExternal`.
+
 ## Versions ≥ v1.10.0
 
 ### Pre-upgrade to versions ≥ v1.10.0
 
+#### Deployment cleanup: Collabora Controller
+
+**Target group:** Existing openDesk Enterprise deployments using Collabora Controller. Actually only long running
+deployments are affected, but following the instructions won't hurt.
+
+As per upstream release notes for [Collabora Online Controller 1.1.4](https://www.collaboraonline.com/cool-controller-release-notes/)
+you have to remove the existing leases of the Controller. You can do so by setting `<your_namespace>` and executing
+the commands below.
+
+```shell
+export NAMESPACE=<your_namespace>
+export COLLABORA_CONTROLLER_DEPLOYMENT_NAME=collabora-controller-cool-controller
+kubectl -n ${NAMESPACE} scale deployment/${COLLABORA_CONTROLLER_DEPLOYMENT_NAME} --replicas=0
+kubectl -n ${NAMESPACE} delete -n collabora leases.coordination.k8s.io collabora-online
+```
+
+> [!note]
+> The Collabora Online Controller is not scaled up again, as this would happen as part of the upgrade deployment.
+
 #### Helmfile new secret: `secrets.nubus.ldapSearch.postfix`
 
 **Target group:** All existing deployments that use self-defined secrets.

docs/requirements.md

@@ -29,14 +29,14 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 - K8s cluster >= v1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX) >= [4.11.5/1.11.5](https://github.com/kubernetes/ingress-nginx/releases)
-- [Helm](https://helm.sh/) >= v3.17.3, but not v3.18.0[^1]
+- [Helm](https://helm.sh/) >= v3.17.3 (but not v3.18.0[^1]) and < v4[^2],
 - [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= v1.0.0
 - [HelmDiff](https://github.com/databus23/helm-diff) >= v3.11.0
-- Volume provisioner supporting RWO (read-write-once)[^2]
+- Volume provisioner supporting RWO (read-write-once)[^3]
 - Certificate handling with [cert-manager](https://cert-manager.io/)
 
 **Additional openDesk Enterprise requirements**
-- [OpenKruise](https://openkruise.io/)[^3] >= v1.6
+- [OpenKruise](https://openkruise.io/)[^4] >= v1.6
 
 # Hardware
 
@@ -138,8 +138,11 @@ Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare
 
 # Footnotes
 
-[^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm 3.18.0 is not supported.
+[^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm v3.18.0 is not supported.
 
-[^2]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. E.g. the `local-path-provisioner` does not have sticky bit support.
+[^2]: Helm v4 introduced stricter flag grouping that is not yet supported by the helmdiff plugin.
+
+[^3]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. E.g. the `local-path-provisioner` does not have sticky bit support.
+
+[^4]: Required for Dovecot Pro as part of openDesk Enterprise Edition.
 
-[^3]: Required for Dovecot Pro as part of openDesk Enterprise Edition.

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -248,9 +248,9 @@ jitsi:
       {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
       type: {{ coalesce .Values.service.type.jitsiVideoBridge .Values.cluster.service.type | quote }}
-    {{- if .Values.annotations.jitsiJvb.service }}
+    {{- if .Values.annotations.jitsiJvb.serviceExternal }}
       annotations:
-        {{ .Values.annotations.jitsiJvb.service | toYaml | nindent 8 }}
+        {{ .Values.annotations.jitsiJvb.serviceExternal | toYaml | nindent 8 }}
     {{- end }}
     securityContext:
       allowPrivilegeEscalation: false

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -140,6 +140,8 @@ service:
     {{ .Values.annotations.openxchangeDovecot.service | toYaml | nindent 4 }}
   external:
     enabled: true
+    annotations:
+      {{ .Values.annotations.openxchangeDovecot.serviceExternal | toYaml | nindent 6 }}
     type: {{ coalesce .Values.service.type.dovecot .Values.cluster.service.type | quote }}
 {{- end }}
 

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -129,6 +129,8 @@ service:
     {{ .Values.annotations.openxchangePostfix.service | toYaml | nindent 4 }}
   external:
     enabled: true
+    annotations:
+      {{ .Values.annotations.openxchangePostfix.serviceExternal | toYaml | nindent 6 }}
     type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
 {{- end }}
 ...

helmfile/apps/services-external/helmfile-child.yaml.gotmpl

@@ -162,7 +162,7 @@ releases:
     timeout: 900
 
   - name: "clamav"
-    chart: "/Users/timbastin/Desktop/l3montree/od/opendesk/dev/../../charts-irondesk-preview/opendesk-clamav/charts/opendesk-clamav" # replaced by local-dev script
+    chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
     version: "{{ .Values.charts.clamav.version }}"
     values:
       - "values-clamav-distributed.yaml.gotmpl"
@@ -173,7 +173,7 @@ releases:
     timeout: 900
 
   - name: "clamav-simple"
-    chart: "/Users/timbastin/Desktop/l3montree/od/opendesk/dev/../../charts-irondesk-preview/opendesk-clamav/charts/clamav-simple" # replaced by local-dev script
+    chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
     version: "{{ .Values.charts.clamavSimple.version }}"
     values:
       - "values-clamav-simple.yaml.gotmpl"

helmfile/apps/services-external/values-clamav-distributed.yaml.gotmpl

@@ -28,7 +28,7 @@ clamd:
   podAnnotations:
     intents.otterize.com/service-name: "clamav-distributed"
     {{- with .Values.annotations.servicesExternalClamavDistributed.clamdPod }}
-    {{ .  | toYaml | nindent 4 }}
+    {{ . | toYaml | nindent 4 }}
     {{- end }}
   podSecurityContext:
     enabled: true

helmfile/apps/services-external/values-clamav-simple.yaml.gotmpl

@@ -12,8 +12,8 @@ containerSecurityContext:
       - "ALL"
   enabled: true
   privileged: false
-  runAsUser: 53111
-  runAsGroup: 53111
+  runAsUser: 100
+  runAsGroup: 101
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
@@ -46,7 +46,7 @@ persistence:
 podAnnotations:
   intents.otterize.com/service-name: "clamav-simple"
   {{- with .Values.annotations.servicesExternalClamavSimple.pod }}
-  {{ .  | toYaml | nindent 2 }}
+  {{ . | toYaml | nindent 2 }}
   {{- end }}
 
 podSecurityContext:

helmfile/apps/services-external/values-dkimpy.yaml.gotmpl

@@ -32,7 +32,7 @@ image:
 podAnnotations:
   intents.otterize.com/service-name: "dkimpy-milter"
   {{- with .Values.annotations.servicesExternalDkimpy.service }}
-  {{ .  | toYaml | nindent 2 }}
+  {{ . | toYaml | nindent 2 }}
   {{- end }}
 
 podSecurityContext:

helmfile/apps/services-external/values-memcached.yaml.gotmpl

@@ -36,7 +36,7 @@ image:
 podAnnotations:
   intents.otterize.com/service-name: "memcached"
   {{- with .Values.annotations.servicesExternalMemcached.pod }}
-  {{ .  | toYaml | nindent 2 }}
+  {{ . | toYaml | nindent 2 }}
   {{- end}}
 replicaCount: {{ .Values.replicas.memcached }}
 

helmfile/apps/services-external/values-minio.yaml.gotmpl

@@ -136,7 +136,7 @@ provisioning:
   podAnnotations:
     intents.otterize.com/service-name: "minio-provisioning"
     {{- with .Values.annotations.servicesExternalMinio.provisioningPod }}
-    {{ .  | toYaml | nindent 4}}
+    {{ . | toYaml | nindent 4}}
     {{- end }}
   policies:
     - name: "migrations-bucket-policy"

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -6,7 +6,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
     name: "dovecot"
-    version: "3.2.1"
+    version: "3.3.0"
     verify: true
   oxAppSuite:
     registry: "registry.opencode.de"

helmfile/environments/default/annotations.yaml.gotmpl

@@ -95,7 +95,7 @@ annotations:
     serviceAccount: ~
   jitsiJvb:
     pod: ~
-    service: ~
+    serviceExternal: ~
     metricsPrometheus: ~
     metricsGrafana: ~
   jitsiProsody:
@@ -360,6 +360,7 @@ annotations:
     pod: ~
     service: ~
     serviceAccount: ~
+    serviceExternal: ~
   openxchangeEnterpriseContactPicker:
     appsuiteCoreMw:
     appsuiteCoreMwPod: ~
@@ -369,6 +370,7 @@ annotations:
   openxchangePostfix:
     pod: ~
     service: ~
+    serviceExternal: ~
   openxchangePublicSectorUi:
     pod: ~
   servicesExternalClamavDistributed:

helmfile/environments/default/charts.yaml.gotmpl

@@ -97,7 +97,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
-    version: "3.2.1"
+    version: "3.3.0"
     verify: true
   element:
     # providerCategory: "Platform"
@@ -437,7 +437,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "5.0.2"
+    version: "5.1.0"
     verify: true
   postgresql:
     # providerCategory: "Platform"

helmfile/environments/default/global.generated.yaml.gotmpl

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v1.9.0"
+    releaseVersion: "v1.10.0"
 ...

helmfile/environments/default/images.yaml.gotmpl

@@ -13,8 +13,8 @@ images:
     # upstreamMirrorTagFilterRegEx: '^(\d+)-debian-(\d+)-r(\d+)$'
     # upstreamMirrorStartFrom: ["12", "12", "44"]
     registry: "registry.opencode.de"
-    repository: "open-code/oci/coreutils"
-    tag: "latest-amd64"
+    repository: "bmi/opendesk/components/community/images-mirror/os-shell"
+    tag: "12-debian-12-r44@sha256:e0eab38c4e2e2ebfc9043bc9bc482109ec5cca3123154c1af8e040ea23c5ce98"
   cassandra:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -23,8 +23,8 @@ images:
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
     # upstreamMirrorStartFrom: ["5", "0", "4", "12", "4"]
     registry: "registry.opencode.de"
-    repository: "open-code/oci/cassandra"
-    tag: "main-amd64"
+    repository: "bmi/opendesk/components/community/images-mirror/cassandra"
+    tag: "5.0.4-debian-12-r4@sha256:93be59e318070e5c1d515c2b5840e9e07babfbac845b2c9bcc1cdf8efda6bb18"
   cassandraExporter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -40,9 +40,9 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "clamav/clamav"
-    registry: "registry.opencode.de"
-    repository: "open-code/oci/clamav"
-    tag: "main-amd64"
+    registry: "registry-1.docker.io"
+    repository: "clamav/clamav"
+    tag: "1.4.2-38_base@sha256:e7d108f30ea8f16935dbd12e4b58665f1bc148ce3dd59028cf04088330216910"
   collabora:
     # providerCategory: "Supplier"
     # providerResponsible: "Collabora"
@@ -89,9 +89,9 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "alpine/k8s"
-    registry: "registry.opencode.de"
-    repository: "open-code/oci/k8s-tools"
-    tag: "main-amd64"
+    registry: "registry-1.docker.io"
+    repository: "alpine/k8s"
+    tag: "1.34.0@sha256:b5f6edfeac5279f3e182d938d1ffecb62f7c980756ac4b6b66d7f0d566782f77"
   element:
     # providerCategory: "Supplier"
     # providerResponsible: "Element"
@@ -138,17 +138,17 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "clamav/clamav"
-    registry: "registry.opencode.de"
-    repository: "open-code/oci/clamav"
-    tag: "main-amd64"
+    registry: "registry-1.docker.io"
+    repository: "clamav/clamav"
+    tag: "1.4.2-38_base@sha256:e7d108f30ea8f16935dbd12e4b58665f1bc148ce3dd59028cf04088330216910"
   icap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry.opencode.de"
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/clamav-icap"
     registry: "registry.opencode.de"
-    repository: "open-code/oci/clamav"
-    tag: "main-amd64"
+    repository: "bmi/opendesk/components/platform-development/images/clamav-icap"
+    tag: "0.5.10@sha256:891f267a6b2a304616854ad2f013dc5d23f6f6c84d535c8b46e76d124fe39b6a"
   intercom:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -217,8 +217,8 @@ images:
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["1", "32", "0"]
     registry: "registry.opencode.de"
-    repository: "open-code/oci/k8s-tools"
-    tag: "main-amd64"
+    repository: "bmi/opendesk/components/community/images-mirror/kubectl"
+    tag: "1.33.4@sha256:681609aff6bf316acf464d9c9e369d84c49d50be6379247291b01ac311a7f5f5"
   jvb:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -234,9 +234,9 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "library/mariadb"
-    registry: "registry.opencode.de"
-    repository: "open-code/oci/mariadb"
-    tag: "10.11.14-amd64-oc-latest"
+    registry: "registry-1.docker.io"
+    repository: "library/mariadb"
+    tag: "10.6.21@sha256:8a16204dc96c08ed0ee2c52c0f9324aa5d2dd0e43ad23a471d447a39f75765b5"
   matrixNeoBoardWidget:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -310,9 +310,9 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "clamav/clamav"
-    registry: "registry.opencode.de"
-    repository: "open-code/oci/clamav"
-    tag: "main-amd64"
+    registry: "registry-1.docker.io"
+    repository: "clamav/clamav"
+    tag: "1.4.2-38_base@sha256:e7d108f30ea8f16935dbd12e4b58665f1bc148ce3dd59028cf04088330216910"
   minio:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -750,9 +750,9 @@ images:
     # providerResponsible: "Element"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "library/nginx"
-    registry: "registry.opencode.de"
-    repository: "open-code/oci/nginx"
-    tag: "main-amd64"
+    registry: "registry-1.docker.io"
+    repository: "library/nginx"
+    tag: "1.28.0-alpine3.21@sha256:aed99734248e851764f1f2146835ecad42b5f994081fa6631cc5d79240891ec9"
   openproject:
     # providerCategory: "Supplier"
     # providerResponsible: "OpenProject"
@@ -784,9 +784,9 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "alpine/k8s"
-    registry: "registry.opencode.de"
-    repository: "open-code/oci/k8s-tools"
-    tag: "main-amd64"
+    registry: "registry-1.docker.io"
+    repository: "alpine/k8s"
+    tag: "1.34.0@sha256:b5f6edfeac5279f3e182d938d1ffecb62f7c980756ac4b6b66d7f0d566782f77"
   openxchangeCoreGuidedtours:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -920,17 +920,17 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "alpine/k8s"
-    registry: "registry.opencode.de"
-    repository: "open-code/oci/k8s-tools"
-    tag: "main-amd64"
+    registry: "registry-1.docker.io"
+    repository: "alpine/k8s"
+    tag: "1.34.0@sha256:b5f6edfeac5279f3e182d938d1ffecb62f7c980756ac4b6b66d7f0d566782f77"
   postgresql:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "open-code/oci/postgresql"
-    registry: "registry.opencode.de"
-    repository: "open-code/oci/postgresql"
-    tag: "15-alpine"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "library/postgres"
+    registry: "registry-1.docker.io"
+    repository: "library/postgres"
+    tag: "15.13-alpine3.20@sha256:f7de0e2497b9a3b027d41377606f94bb0140a034ed303f6de690aa77637bfbc9"
   prosody:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -949,8 +949,8 @@ images:
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
     # upstreamMirrorStartFrom: ["7", "4", "3", "12", "0"]
     registry: "registry.opencode.de"
-    repository: "open-code/oci/redis"
-    tag: "7.4.7-amd64-oc-latest"
+    repository: "bmi/opendesk/components/community/images-mirror/redis"
+    tag: "7.4.3-debian-12-r0@sha256:fbdf361bbb6a17be28913fb9e4a1cfe3244331d2cbf449ecfe7a1fbbab02efc4"
   synapse:
     # providerCategory: "Supplier"
     # providerResponsible: "Element"
@@ -966,9 +966,9 @@ images:
     # providerResponsible: "Nordeck"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "alpine/k8s"
-    registry: "registry.opencode.de"
-    repository: "open-code/oci/k8s-tools"
-    tag: "main-amd64"
+    registry: "registry-1.docker.io"
+    repository: "alpine/k8s"
+    tag: "1.34.0@sha256:b5f6edfeac5279f3e182d938d1ffecb62f7c980756ac4b6b66d7f0d566782f77"
   synapseGuestModule:
     # providerCategory: "Supplier"
     # providerResponsible: "Element"

helmfile/environments/default/replicas.yaml.gotmpl

@@ -146,7 +146,7 @@ replicas:
   # -- scalable: tbd
   jitsiKeycloakAdapter: 1
   # -- scalable: tbd
-  jvb: 2
+  jvb: 1
 
   # -- component: Persistence Layer
   # -- scalable: false

publiccode.yml

@@ -22,8 +22,8 @@ name: "openDesk"
 platforms:
   - "web"
 developmentStatus: "stable"
-softwareVersion: "1.9.0"
-releaseDate: "2025-11-07"
+softwareVersion: "1.10.0"
+releaseDate: "2025-11-24"
 softwareType: "standalone/web"
 url: "https://gitlab.opencode.de/bmi/opendesk/"
 logo: ".opencode/openDesk-logo-rgb-color.svg"