wip: s3-region fixes

Signed-off-by: Milton Moura <miltonmoura@gmail.com>

.gitlab-ci.yml

@@ -185,15 +185,16 @@ variables:
   TESTS_BRANCH:
     description: "Branch of E2E-tests on which the test pipeline is triggered"
     value: "develop"
-  TESTS_PROJECT_URL:
-    description: "Project url for e2e-tests (`<domain of gitlab>/api/v4/projects/<id>`)"
-    value: "gitlab.opencode.de/api/v4/projects/1506"
   TESTS_TESTSET:
-    description: "Selects test set for E2E-tests"
+    description: "Selects test set for E2E-tests (Regression, Smoke or Nightly), name multiple comma separated to trigger the sets in one launch, use semikolon to trigger the sets in different launches."
     value: "Smoke"
+  TESTS_BROWSER:
+    description: "Select the browser (engine) to use for the test run."
+    value: "chromium"
     options:
-      - "Regression"
+      - "chromium"
-      - "Smoke"
+      - "webkit"
+      - "firefox"
   TESTS_GRACE_PERIOD:
     description: "A new deployment sometimes needs a few minutes to sort itself. If tested too early tests may fail.
                   GRACE_PERIOD is the period in seconds that should be waited before running the tests."
@@ -201,6 +202,9 @@ variables:
   TESTS_NUMBER_OF_THREADS:
     description: "How many threads are used for executing the tests in parallel?"
     value: "8"
+  TESTS_PROJECT_URL:
+    description: "Project url for e2e-tests (`<domain of gitlab>/api/v4/projects/<id>`)"
+    value: "gitlab.opencode.de/api/v4/projects/1506"
 
 # Declare .environments which is in `opendesk-env` repository. In case it is not available
 # 'cache' is used because job as a dummy key, as the job is not allowed to be empty.
@@ -580,6 +584,7 @@ run-tests:
           \"namespace\": \"${NAMESPACE}\", \
           \"url\": \"https://portal.${DOMAIN}/\", \
           \"language\": \"${LANGUAGE}\", \
+          \"browser\": \"${TESTS_BROWSER}\", \
           \"udm_api_username\": \"Administrator\", \
           \"udm_api_password\": \"${DEFAULT_ADMINISTRATOR_PASSWORD}\", \
           \"screenshot_test\": \"yes\", \

README.md

@@ -40,7 +40,7 @@ openDesk currently features the following functional main components:
 | Groupware            | OX App Suite                | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/)                               | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)                       | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
 | Portal & IAM         | Nubus                       | [1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | [15.3.0](https://www.openproject.org/docs/release-notes/15-3-0/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Project management   | OpenProject                 | [15.3.2](https://www.openproject.org/docs/release-notes/15-3-2/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9823](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9823)                | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [24.04.12.4](https://www.collaboraoffice.com/code-24-04-release-notes/)                               | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 

docs/architecture.md

@@ -407,6 +407,8 @@ In openDesk, Element is used for chat and direct audio & video calling.
 
 In openDesk, Jitsi is used for video conferencing and online meetings. It integrates with other applications to provide seamless communication capabilities.
 
+[Jigasi](https://github.com/jitsi/jigasi) (Jitsi's SIP component) also allows joining the meeting via phone call if an external SIP server and SIP trunk are provided.
+
 ## Nextcloud (Files)
 
 [Nextcloud](https://nextcloud.com) is a file storage and sync platform with powerful collaboration capabilities with desktop, mobile and web interfaces.

helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl

@@ -12,9 +12,9 @@ containerSecurityContext:
   enabled: true
   privileged: false
   readOnlyRootFilesystem: false
-  runAsGroup: 0
+  runAsGroup: 1000
-  runAsNonRoot: false
+  runAsNonRoot: true
-  runAsUser: 0
+  runAsUser: 1000
   seccompProfile:
     type: "RuntimeDefault"
   seLinuxOptions:

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -136,8 +136,8 @@ configuration:
       port: 25
       tls: false
       starttls: false
-      username: ""
+      username: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
-      password: ""
+      password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
 
     oidc:
       clientId: "opendesk-matrix"

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -49,6 +49,7 @@ extraVolumeMounts:
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -16,6 +16,8 @@ additionalAnnotations:
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 configuration:
   administrator:
@@ -121,10 +123,13 @@ configuration:
       value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
 
   opendeskIntegration:
-    username:
+    centralNavigation:
-      value: "opendesk_username"
+      username:
-    password:
+        value: "opendesk_username"
-      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+      password:
+        value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+    oxAppSuite:
+      enabled: {{ .Values.apps.oxAppSuite.enabled }}
 
   sharing:
     allowLinks: {{ .Values.functional.filestore.sharing.external.enabled }}
@@ -142,16 +147,16 @@ configuration:
 
   smtp:
     auth:
-      enabled: false
+      enabled: true
       username:
-        value: ""
+        value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
       password:
-        value: ""
+        value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
     host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-    port: 25
+    port: 587
     fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
     mailDomain: "{{ .Values.global.domain }}"
-    security: ""
+    security: "tls"
     skipVerifyPeer: true
 
   quota:
@@ -161,7 +166,8 @@ configuration:
       versions: {{ .Values.functional.filestore.nextcloud.retentionObligation.versions | quote }}
 
   serverinfo:
-    token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
+    token:
+      value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/notes/values.yaml.gotmpl

@@ -168,6 +168,9 @@ backend:
     DJANGO_EMAIL_HOST: "postfix"
     DJANGO_EMAIL_PORT: 25
     DJANGO_EMAIL_USE_SSL: False
+    DJANGO_EMAIL_HOST_USER: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+    DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+    DJANGO_EMAIL_USE_TLS: False
     OIDC_RP_CLIENT_ID: "opendesk-notes"
     OIDC_RP_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
     OIDC_OP_JWKS_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -537,8 +537,9 @@ nubusKeycloakExtensions:
       ssl: false
       starttls: false
     auth:
-      enabled: false
+      enabled: true
-      username: ""
+      username: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+      password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
       existingSecret:
         name: "ums-keycloak-extensions-smtp-opendesk-credentials"
         keyMapping:
@@ -572,7 +573,13 @@ nubusPortalListener:
 
 nubusPortalConsumer:
   enabled: true
+  extraEnvVars:
+    - name: "AWS_DEFAULT_REGION"
+      value: "failthis"
   portalConsumer:
+    extraEnvVars:
+      - name: "AWS_DEFAULT_REGION"
+        value: "failthis"
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
       repository: {{ .Values.images.nubusPortalConsumer.repository }}
@@ -615,6 +622,9 @@ nubusPortalConsumer:
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
       imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   {{- if .Values.certificate.selfSigned }}
+    extraEnvVars:
+      - name: "AWS_DEFAULT_REGION"
+        value: "failthis"
   extraVolumes:
     - name: "trusted-cert-secret-volume"
       secret:
@@ -639,6 +649,8 @@ nubusPortalConsumer:
         mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
         subPath: "cacert.pem"
     extraEnvVars:
+      - name: "AWS_DEFAULT_REGION"
+        value: "failthis"
       - name: "REQUESTS_CA_BUNDLE"
         value: "/etc/ssl/certs/ca-certificates.crt"
       - name: "DEFAULT_CA_BUNDLE_PATH"
@@ -669,6 +681,9 @@ nubusPortalServer:
     repository: {{ .Values.images.nubusPortalServer.repository }}
     tag: {{ .Values.images.nubusPortalServer.tag }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  extraEnvVars:
+    - name: "AWS_DEFAULT_REGION"
+      value: "failthis"
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   ingress:
@@ -691,6 +706,9 @@ nubusPortalServer:
     centralNavigation:
       enabled: true
       authenticatorSecretName: "ums-opendesk-portal-server-central-navigation"
+    extraEnvVars:
+      - name: "AWS_DEFAULT_REGION"
+        value: "failthis"
   replicaCount: {{ .Values.replicas.umsPortalServer }}
   resources:
     {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
@@ -1108,7 +1126,7 @@ nubusStackDataUms:
     umcHtmlTitle: "Portal - {{ .Values.theme.texts.productName }}"
     smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
     smtpPort: 25
-    smtpUser: ""
+    smtpUser: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
     smtpStartTls: false
     ldapBase: {{ .Values.ldap.baseDn }}
   templateContext:
@@ -1414,7 +1432,7 @@ extraSecrets:
       umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
   - name: "ums-keycloak-extensions-smtp-opendesk-credentials"
     stringData:
-      umcKeycloakExtensionsSmtpPassword: ""
+      umcKeycloakExtensionsSmtpPassword: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
   - name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
     stringData:
       password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
@@ -1424,7 +1442,7 @@ extraSecrets:
       secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
   - name: "ums-umc-server-smtp-credentials-custom"
     stringData:
-      password: ""
+      password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
   - name: "ums-provisioning-ox-credentials"
     stringData:
       ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -18,6 +18,7 @@ image:
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
   keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 config:
@@ -89,8 +90,10 @@ config:
                '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
                '${client_security-admin-console}' ]
   keycloak:
-    adminUser: "kcadmin"
+    admin:
-    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+      values:
+        username: "kcadmin"
+        password: {{ .Values.secrets.keycloak.adminPassword | quote }}
     realm: {{ .Values.platform.realm | quote }}
     intraCluster:
       enabled: true

helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl

@@ -51,6 +51,16 @@ repositories:
     oci: true
     url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 
+  # openDesk Postfix
+  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
+  - name: "postfix-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.postfix.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+
 releases:
   - name: "dovecot"
     chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
@@ -66,6 +76,17 @@ releases:
     installed: {{ .Values.apps.dovecot.enabled }}
     timeout: 900
 
+  - name: "postfix-ox"
+    chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
+    version: "{{ .Values.charts.postfix.version }}"
+    values:
+      - "values-postfix.yaml.gotmpl"
+      {{- range .Values.customization.release.postfix }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.postfix.enabled }}
+    timeout: 900
+
   - name: "open-xchange"
     chart: "open-xchange-repo/{{ .Values.charts.oxAppSuite.name }}"
     version: "{{ .Values.charts.oxAppSuite.version }}"

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -119,7 +119,7 @@ appsuite:
     asConfig:
       default:
         host: "all"
-        pageHeaderPrefix: "as8.souvap App Suite"
+        productName: {{ .Values.theme.texts.productName | quote }}
         oidcLogin: true
         oidcPath: "/oidc"
     masterAdmin: "admin"
@@ -241,7 +241,7 @@ appsuite:
       com.openexchange.mail.mailServer: "dovecot"
       com.openexchange.mail.mailServerSource: "global"
       com.openexchange.mail.transport.authType: "xoauth2"
-      com.openexchange.mail.transportServer: "postfix"
+      com.openexchange.mail.transportServer: "postfix-ox"
       com.openexchange.mail.transportServerSource: "global"
       # Requirements for OX-Connector
       com.openexchange.user.enforceUniqueDisplayName: "false"
@@ -287,7 +287,12 @@ appsuite:
       # Guard
       com.openexchange.guard.storage.file.fileStorageType: "file"
       com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
+      com.openexchange.guard.guestSMTPMailFrom: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+      com.openexchange.guard.guestSMTPPassword: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+      com.openexchange.guard.guestSMTPPort: "25"
       com.openexchange.guard.guestSMTPServer: "postfix"
+      com.openexchange.guard.guestSMTPUsername: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+      com.openexchange.guard.useStartTLS: "false"
       # S/MIME
       # Usage (in browser console after login):
       # http = (await import('./io.ox/core/http.js')).default

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -0,0 +1,100 @@
+{{/*
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+certificate:
+  secretName: {{ .Values.ingress.tls.secretName | quote }}
+  request:
+    enabled: false
+
+containerSecurityContext:
+  allowPrivilegeEscalation: true
+  capabilities: {}
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: false
+  runAsUser: 0
+  runAsGroup: 0
+  privileged: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.postfix.registry | quote }}
+  repository: {{ .Values.images.postfix.repository | quote }}
+  tag: {{ .Values.images.postfix.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+persistence:
+  size: {{ .Values.persistence.storages.postfix.size | quote }}
+  storageClass: {{ coalesce .Values.persistence.storages.postfix.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+postfix:
+  amavisHost: ""
+  amavisPortIn: ""
+  domain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
+  hostname: "postfix"
+  inetProtocols: "ipv4"
+  milterDefaultAction: "tempfail"
+  overrides:
+    - fileName: "sasl_passwd.map"
+      content:
+        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
+  {{- if .Values.apps.dkimpy.enabled }}
+  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
+  {{- end }}
+  rspamdHost: ""
+  relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
+  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
+  smtpSASLAuthEnable: "yes"
+  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
+  smtpTLSSecurityLevel: "encrypt"
+  smtpdSASLAuthEnable: "yes"
+  smtpdSASLSecurityOptions: "noanonymous"
+  smtpdSASLType: "dovecot"
+  smtpdTLSSecurityLevel: "encrypt"
+  smtpdTLSCertFile: "/etc/tls/tls.crt"
+  smtpdKeyFile: "/etc/tls/tls.key"
+  smtpdSASLPath: "inet:dovecot:3659"
+
+  staticAuthDB:
+    enabled: false
+
+  {{- if .Values.antivirus.milter.host }}
+  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
+  {{- else }}
+  {{- if .Values.apps.clamavDistributed.enabled }}
+  smtpdMilters: "inet:clamav-milter:7357"
+  {{- else if .Values.apps.clamavSimple.enabled }}
+  smtpdMilters: "inet:clamav-simple:7357"
+  {{- end }}
+  {{- end }}
+  virtualMailboxDomains: {{ if .Values.global.additionalMailDomains }}{{ printf "%s,%s" (.Values.global.mailDomain | default .Values.global.domain) .Values.global.additionalMailDomains }}{{ else }}{{ .Values.global.mailDomain | default .Values.global.domain | quote }}{{ end }}
+  virtualTransport: "lmtps:dovecot:24"
+
+podAnnotations: {}
+
+replicaCount: {{ .Values.replicas.postfix }}
+
+resources:
+  {{ .Values.resources.postfix | toYaml | nindent 2 }}
+
+{{- if or (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "LoadBalancer") }}
+service:
+  external:
+    enabled: true
+    type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
+{{- end }}
+...

helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl

@@ -13,6 +13,7 @@ global:
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
   keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 config:

helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl

@@ -49,6 +49,10 @@ global:
     {{- if .Values.apps.xwiki.enabled }}
     xwiki: {{ .Values.global.hosts.xwiki }}
     {{- end }}
+    {{- if .Values.apps.notes.enabled }}
+    notes: {{ .Values.global.hosts.notes }}
+    {{- end }}
+
 
 issuerRef:
   name: {{ .Values.certificate.issuerRef.name | quote }}

helmfile/apps/openproject/values.yaml.gotmpl

@@ -76,13 +76,13 @@ environment:
   OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
-  OPENPROJECT_SMTP__USER__NAME: ""
+  OPENPROJECT_SMTP__USER__NAME: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
-  OPENPROJECT_SMTP__PASSWORD: ""
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
-  OPENPROJECT_SMTP__PORT: 25
+  OPENPROJECT_SMTP__PORT: 587
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
   OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-  OPENPROJECT_SMTP__AUTHENTICATION: "none"
+  OPENPROJECT_SMTP__AUTHENTICATION: "cram_md5"
-  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
+  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"
   OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
   OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.nubus .Values.global.domain | quote }}

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -15,7 +15,7 @@ containerSecurityContext:
   enabled: true
   seccompProfile:
     type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
   runAsNonRoot: false
   runAsUser: 0
   runAsGroup: 0
@@ -60,14 +60,20 @@ postfix:
   relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
   smtpSASLAuthEnable: "yes"
   smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
-  smtpUseTLS: "yes"
+  smtpTLSSecurityLevel: "encrypt"
-  smtpdSASLAuthEnable: "no"
+  smtpdSASLAuthEnable: "yes"
   smtpdSASLSecurityOptions: "noanonymous"
-  smtpdSASLType: "dovecot"
+  smtpdSASLType: "cyrus"
-  smtpdUseTLS: "yes"
+  smtpdTLSSecurityLevel: "may"
   smtpdTLSCertFile: "/etc/tls/tls.crt"
   smtpdKeyFile: "/etc/tls/tls.key"
-  smtpdSASLPath: "inet:dovecot:3659"
+  smtpdSASLPath: "smtpd"
+
+  staticAuthDB:
+    enabled: true
+    username: "opendesk-system"
+    password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+
   {{- if .Values.antivirus.milter.host }}
   smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
   {{- else }}
@@ -77,8 +83,11 @@ postfix:
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
   {{- end }}
-  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
+  # Only deliver mail to Dovecot, if it is available
+  {{- if .Values.apps.oxAppSuite.enabled }}
+  virtualMailboxDomains: {{ if .Values.global.additionalMailDomains }}{{ printf "%s,%s" (.Values.global.mailDomain | default .Values.global.domain) .Values.global.additionalMailDomains }}{{ else }}{{ .Values.global.mailDomain | default .Values.global.domain | quote }}{{ end }}
   virtualTransport: "lmtps:dovecot:24"
+  {{- end }}
 
 podAnnotations: {}
 
@@ -87,10 +96,7 @@ replicaCount: {{ .Values.replicas.postfix }}
 resources:
   {{ .Values.resources.postfix | toYaml | nindent 2 }}
 
-{{- if or (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.postfix .Values.cluster.service.type) "LoadBalancer") }}
 service:
   external:
-    enabled: true
+    enabled: false
-    type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
-{{- end }}
 ...

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -167,8 +167,10 @@ properties:
   ## SMTP settings
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 587
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=true"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.password": {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
   ## Link LDAP users and users authenticated through OIDC
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -6,7 +6,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
     name: "dovecot"
-    version: "1.0.0"
+    version: "1.0.1"
     verify: true
   oxAppSuite:
     registry: "registry.opencode.de"

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -13,7 +13,7 @@ images:
   nextcloud:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.1.3@sha256:53d1abb1132569ef81c235da2397d156aa8b3b9c6567806cdf4dc7f247ba05e0"
+    tag: "1.1.7@sha256:8e399ed19b2d6db9286bfd461696a8a584024334c14bead35c79d974f70314b1"
   openxchangeCoreMW:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/core-mw"

helmfile/environments/default/charts.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -99,7 +99,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
-    version: "1.4.1"
+    version: "1.4.2"
     verify: true
   element:
     # providerCategory: "Platform"
@@ -151,7 +151,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
-    version: "3.0.1"
+    version: "3.1.0"
     verify: true
   mariadb:
     # providerCategory: "Platform"
@@ -231,7 +231,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
     name: "opendesk-migrations"
-    version: "1.4.0"
+    version: "1.4.1"
     verify: true
   minio:
     # providerCategory: "Community"
@@ -251,7 +251,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "3.9.2"
+    version: "4.0.1"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -261,7 +261,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "3.9.2"
+    version: "4.0.1"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -333,7 +333,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "2.3.0"
+    version: "2.4.0"
     verify: true
   opendeskStaticFiles:
     # providerCategory: "Platform"
@@ -355,7 +355,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
-    version: "9.7.0"
+    version: "9.7.2"
     verify: true
   openprojectBootstrap:
     # providerCategory: "Platform"
@@ -419,7 +419,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "2.3.0"
+    version: "2.3.3"
     verify: true
   postgresql:
     # providerCategory: "Platform"

helmfile/environments/default/global.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -17,6 +17,10 @@ global:
   #
   mailDomain: {{ env "MAIL_DOMAIN" | quote }}
 
+  ## Define additional mail domains, comma separated, e.g. domain1.de,domain2.de
+  #
+  additionalMailDomains: ""
+
   ## Define synapse host
   ## If this is unset the "domain" value above should be used in all references
   #

helmfile/environments/default/images.yaml.gotmpl

@@ -318,7 +318,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.4.7@sha256:86775101c085904db2a93d26a4d7f304f6552025e40aacade7f7de175308824a"
+    tag: "2.4.10@sha256:3171dc98b6bdfa95cb2728599b17311d4592e7e18b1126865f85cde70e75cc32"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -412,8 +412,8 @@ images:
   nubusKeycloak:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
-    # upstreamRegistry: "https://docker.software-univention.de"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "keycloak-keycloak"
+    # upstreamRepository: "nubus/images/keycloak"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+).+$'
     # upstreamMirrorStartFrom: ["22", "0", "3"]
     registry: "registry.opencode.de"
@@ -528,7 +528,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.12.2@sha256:a9d33c4f97008847178e19a005d8c187a302ff4065f453df8041c9cda71612f9"
+    tag: "1.12.5@sha256:58cd2e545b65d354cc242cd97b06ce41733e9c6701c132c108bac245c493f7f0"
   nubusOpendeskExtensionA2gMapper:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -710,7 +710,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.2.1@sha256:f5ce0be27580c6347c5e700c4fa271a811d45d8a0e4b40ffe8a4d0e3d47e670f"
+    tag: "1.3.0@sha256:f0c18be261666b7dbb1794f61aaac2321608d396060b007d18b429d0e4d703a7"
   opendeskStaticFiles:
     # providerCategory: "Community"
     # providerResponsible: "Element"
@@ -728,7 +728,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "15.3.0@sha256:28beb3f7eb22cbbcb4f02e09bc799dab9282c693bb975bf7028afdf2274c0355"
+    tag: "15.3.2@sha256:5558a9164dfeb839b3d2b9ea97368473a50255931fd623d579b7858360f52c0c"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -744,7 +744,7 @@ images:
     # upstreamRepository: "library/postgres"
     registry: "registry-1.docker.io"
     repository: "library/postgres"
-    tag: "16.3-alpine3.20@sha256:de3d7b6e4b5b3fe899e997579d6dfe95a99539d154abe03f0b6839133ed05065"
+    tag: "16.8-alpine3.20@sha256:951d0626662c85a25e1ba0a89e64f314a2b99abced2c85b4423506249c2d82b0"
   openxchangeBootstrap:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -880,7 +880,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/postfix"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/postfix"
-    tag: "2.0.0@sha256:5b2432dc09318db172a593bca860887ee9d713b9987db64f8b265f3e08a1d374"
+    tag: "3.0.1@sha256:d2c6543b35b616ac3e6c8c27222d3154c0d35680813a8942ce0cc3fa9ea72a6d"
   postgresql:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"

helmfile/environments/default/secrets.yaml.gotmpl

@@ -23,6 +23,8 @@ secrets:
     synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "as_token" | sha1sum | quote }}
   oxConnector:
     provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ox-connector" | sha1sum | quote }}
+  postfix:
+    opendeskSystemPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postfix" "opendesk-system" | sha1sum | quote }}
   nubus:
     masterpassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
     ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}