fix(nubus): Configure "global.subDomains" based on "global.hosts"

feat(nubus): Update chart and images to version 0.56.1
fix(ci): Correct the way how credentials for the RUN_TESTS job are extracted
2025-12-06 15:31:38 +01:00 · 2024-09-12 12:03:06 +02:00 · 2024-09-12 11:29:12 +02:00 · 2024-09-12 11:29:12 +02:00 · 2024-09-12 10:41:54 +02:00 · 2024-09-11 17:54:28 +02:00
55 changed files with 625 additions and 306 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -171,16 +171,7 @@ variables:
      - "no"
  TESTS_BRANCH:
    description: "Branch of E2E-tests on which the test pipeline is triggered"
-    value: "develop"
-  TESTS_PROJECT_URL:
-    description: "Project url for e2e-tests (`<domain of gitlab>/api/v4/projects/<id>`)"
-    value: "gitlab.opencode.de/api/v4/projects/1506"
-  TESTS_TESTSET:
-    description: "Selects testset for E2E-tests"
-    value: "Smoke"
-    options:
-      - "Regression"
-      - "Smoke"
+    value: "main"

 .deploy-common:
  cache: {}
@@ -495,27 +486,27 @@ run-tests:
        \"ref\": \"${TESTS_BRANCH}\", \
        \"token\": \"${CI_JOB_TOKEN}\", \
        \"variables\": { \
-          \"operator\": \"${OPERATOR}\", \
-          \"cluster\": \"${CLUSTER}\", \
-          \"namespace\": \"${NAMESPACE}\", \
-          \"url\": \"https://portal.${DOMAIN}/\", \
+          \"url\": \"https://portal.${DOMAIN}\", \
          \"user_name\": \"${DEFAULT_USER_NAME}\", \
          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
-          \"screenshot_test\": \"yes\", \
-          \"screenshot_before_step\": \"yes\", \
-          \"screenshot_after_step\": \"yes\", \
-          \"screenshot_redirect_step\": \"yes\", \
-          \"testset\": \"${TESTS_TESTSET}\", \
-          \"testprofile\": \"Namespace\", \
-          \"gitlab_functional_yaml\": \"https://gitlab.opencode.de/api/v4/projects/1317/repository/files/helmfile%2Fenvironments%2Fdefault%2Ffunctional.yaml?ref=develop\", \
-          \"gitlab_env_namespace_template\": \"https://gitlab.opencode.de/api/v4/projects/1564/repository/files/environments%2F{operator}%2F{cluster}%2F{namespace}.yaml.gotmpl?ref=main\", \
-          \"gitlab_default_env_namespace\": \"values\" \
+          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
+          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
+          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
+          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
+          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
+          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_UMS}\", \
+          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
+          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
+          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
+          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
+          \"DEPLOY_UCS\": \"${DEPLOY_UMS}\", \
+          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
+          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
        } \
      }" \
      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
-  retry: 1

 avscan-prepare:
  stage: ".pre"
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
 openDesk currently features the following functional main components:

 | Function             | Functional Component        | Component<br/>Version                                                                 | Upstream Documentation                                                                                                                       |
-| -------------------- | --------------------------- | ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+| -------------------- | --------------------------- |---------------------------------------------------------------------------------------| -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.67](https://github.com/element-hq/element-desktop/releases/tag/v1.11.67)        | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                  | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
@@ -38,7 +38,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [14.4.1](https://www.openproject.org/docs/release-notes/14-4-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.7.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.7.1.2](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |

 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -33,11 +33,10 @@ You might want to set credential variables in the GitLab project at `Settings` >
 # Tests

 The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
+The `DEPLOY_`-variables are used to determine which components should be tested.
 In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
-To select the current testset, use the variable `TESTS_TESTSET`. Default: `Smoke`.
+
 If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
 `TESTS_BRANCH` while creating a new pipeline.
-
-The variable `testprofile` within the job is set to `Namespace`, which tells the e2e tests to use environment specific settings that will be read from the cluster and namespace specific file in the opendesk-env repository.
--- a/docs/development.md
+++ b/docs/development.md
@@ -138,9 +138,6 @@ configured to pull artifacts that do not originate from Open CoDE into projects

 The mirror script takes the information on what artifacts to mirror from the annotation inside the two yaml files:
 - `# upstreamRegistry` *required*: To identify the source registry
- `# upstreamRegistryCredentialId`: *optional*: In case the source registry is not public the access credentials have to be specified as ENV variables containing the value of this key in their name, so you want to specific that key all uppercase:
-  - `MIRROR_CREDENTIALS_SRC_<upstreamRegistryCredentialId>_USERNAME`
-  - `MIRROR_CREDENTIALS_SRC_<upstreamRegistryCredentialId>_PASSWORT`
 - `# upstreamRepository` *required*: To identify the source repository
 - `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression. **Note:** You have to use single quotes for this attribute's value in case you use backslash leading regex notation like `\d`.
 - `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artifacts beginning with a specific version. You must use capturing groups
--- a/helmfile.yaml.gotmpl
+++ b/helmfile.yaml.gotmpl
@@ -15,7 +15,7 @@ environments:
 ---
 # yamllint disable
 helmfiles:
-  - path: "./helmfile_generic.yaml.gotmpl"
+  - path: "./helmfile_generic.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 # {{/*
--- a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/\
+      {{ .Values.charts.collabora.repository }}"

 releases:
  - name: "collabora-online"
--- a/helmfile/apps/cryptpad/helmfile.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/\
+      {{ .Values.charts.cryptpad.repository }}"

 releases:
  - name: "cryptpad"
--- a/helmfile/apps/element/helmfile.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -10,35 +10,40 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/\
+      {{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/\
+      {{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/\
+      {{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/\
+      {{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/\
+      {{ .Values.charts.synapseCreateAccount.repository }}"

  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -48,35 +53,40 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
+      {{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
+      {{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
+      {{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/\
+      {{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/\
+      {{ .Values.charts.matrixNeodatefixBot.repository }}"


 releases:
--- a/helmfile/apps/collabora/helmfile.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/\
+      {{ .Values.charts.intercomService.repository }}"

 releases:
  - name: "intercom-service"
--- a/helmfile/apps/intercom-service/helmfile.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/\
+      {{ .Values.charts.jitsi.repository }}"

 releases:
  - name: "jitsi"
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/jitsi/helmfile.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"

 releases:
  - name: "opendesk-migrations-post"
--- a/helmfile/apps/migrations-post/helmfile.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/helmfile.yaml.gotmpl
@@ -5,7 +5,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"

 releases:
  - name: "opendesk-migrations-pre"
--- a/helmfile/apps/migrations-pre/helmfile.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/helmfile.yaml.gotmpl
@@ -5,7 +5,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
@@ -10,14 +10,16 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/\
+      {{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloud.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/\
+      {{ .Values.charts.nextcloud.repository }}"

 releases:
  - name: "opendesk-nextcloud-management"
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/nextcloud/helmfile.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
+      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/\
+      {{ .Values.charts.nubus.repository }}"
  # OpenDesk Keycloak Bootstrap Chart
  - name: "opendesk-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -18,7 +19,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
+      {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"

 releases:
  # Univention Management Stack Umbrella Chart
--- a/helmfile/apps/nubus/helmfile.yaml
+++ b/helmfile/apps/nubus/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/nubus/helmfile.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -112,11 +112,11 @@ global:
                      visible: "False"
            wizard:
              disabled: "No"
-
+    
    ucs:
      web:
        theme: light
-
+    
    umc:
      cookie-banner:
        show: "false"
@@ -135,6 +135,21 @@ global:
      self-service:
        passwordreset:
          token_validity_period: 172800
+    
+    password:
+      # quality:
+        # length:
+          # min: 8
+        # required:
+          # chars:
+        # forbidden:
+          # chars:
+        # credit:
+          # digits: 1
+          # upper: 0
+          # other: 0
+          # lower: 1
+        # mspolicy: false

 ingress:
  certManager:
@@ -386,16 +401,38 @@ nubusStackDataUms:
      - 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
    portaltileGroupLiveCollaboration:
      - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
-    systemInformation:
-      enabled: {{ .Values.functional.admin.portal.deploymentInformation.enabled }}
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
-      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"

  nubusUmcServer:
    memcached:
      auth:
        username: ""

+# TODO: Remove values when upstreaming fixes
+nubusStackDataSwp:
+  stackDataSwp:
+    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
+    systemInformation:
+      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
+      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+    {{- end }}
+  stackDataContext:
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpPort: 25
+    smtpUser: ""
+    smtpStartTls: false
+    ldapBase: {{ .Values.ldap.baseDn }}
+    # FIXME: Should be templated correctly in the future
+    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
+    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
+    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
+    portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
+    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
+    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
+    portalTitleDE: "openDesk Portal"
+    portalTitleEN: "openDesk Portal"
+    oxDefaultContext: "1"
+
 nubusUmcServer:
  postgresql:
    bundled: false
--- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -143,56 +143,6 @@ nubusLdapServer:
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
    size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
-  extraVolumes:
-    - name: "migration-scripts"
-      secret:
-        secretName: "ums-ldap-server-migration"
-        defaultMode: 0555
-  extraVolumeMounts:
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/30-purge.sh"
-      subPath: "30-purge.sh"
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
-      subPath: "95-slapadd-24-ldif.sh"
-  extraSecrets:
-    - name: "ums-ldap-server-migration"
-      stringData:
-        30-purge.sh: |
-          #!/usr/bin/env bash
-
-          me=$(basename "$0")
-          echo "- Running ${me}"
-
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- Cleaning up /var/lib/univention-ldap."
-            cd /var/lib/univention-ldap
-            rm -rf internal
-            rm -rf ldap
-            ls -l
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
-        95-slapadd-24-ldif.sh: |
-          #!/usr/bin/env bash
-
-          me=$(basename "$0")
-          echo "- Running ${me}"
-
-          ls -l /var/lib/univention-ldap
-
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif, but not before deleting the directories /var/lib/univention-ldap/ldap and ./internal"
-            rm -rf /var/lib/univention-ldap/ldap
-            rm -rf /var/lib/univention-ldap/internal
-            mkdir /var/lib/univention-ldap/ldap
-            mkdir /var/lib/univention-ldap/internal
-            /usr/sbin/slapadd -l /var/lib/univention-ldap/ldap-24-export.ldif
-            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
-

 nubusPortalFrontend:
  additionalAnnotations:
@@ -216,6 +166,12 @@ nubusStackDataUms:
  resources:
    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}

+nubusStackDataSwp:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-stack-data-swp"
+  resources:
+    {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}
+
 nubusSelfServiceConsumer:
  podAnnotations:
    intents.otterize.com/service-name: "ums-selfservice-listener"
--- a/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
@@ -212,3 +212,9 @@ nubusStackDataUms:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
    repository: {{ .Values.images.nubusDataLoader.repository }}
    tag: {{ .Values.images.nubusDataLoader.tag }}
+
+nubusStackDataSwp:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
+    repository: {{ .Values.images.nubusDataLoader.repository }}
+    tag: {{ .Values.images.nubusDataLoader.tag }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -29,7 +29,7 @@ config:
  managed:
    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
    # 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
-    clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
+    clients: [ 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
  keycloak:
    adminUser: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -517,6 +517,296 @@ config:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
        defaultClientScopes:
          - "opendesk-xwiki-scope"
+      - name: "guardian-management-api"
+        clientId: "guardian-management-api"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        protocol: "openid-connect"
+        publicClient: false
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
+        fullScopeAllowed: true
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: false
+        serviceAccountsEnabled: true
+        protocolMappers:
+          - name: "Client Host"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "clientHost"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "clientHost"
+              jsonType.label: "String"
+          - name: "Client ID"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "client_id"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "client_id"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              userinfo.token.claim: false
+              id.token.claim: false
+              access.token.claim: true
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian-cli"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: false
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "Client IP Address"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "clientAddress"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "clientAddress"
+              jsonType.label: "String"
+      - name: "guardian-scripts"
+        clientId: "guardian-scripts"
+        description: ""
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        surrogateAuthRequired: false
+        enabled: true
+        alwaysDisplayInConsole: false
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
+        webOrigins:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        bearerOnly: false
+        consentRequired: false
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: true
+        serviceAccountsEnabled: false
+        publicClient: true
+        frontchannelLogout: false
+        protocol: "openid-connect"
+        fullScopeAllowed: true
+        protocolMappers:
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: false
+              access.token.claim: true
+              userinfo.token.claim: false
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian-scripts"
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              aggregate.attrs: false
+              multivalued: false
+              userinfo.token.claim: false
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "web-origins"
+          - "acr"
+          - "roles"
+          - "profile"
+          - "email"
+        optionalClientScopes:
+          - "address"
+          - "phone"
+          - "offline_access"
+          - "microprofile-jwt"
+      - name: "guardian-ui"
+        clientId: "guardian-ui"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
+        standardFlowEnabled: true
+        publicClient: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: false
+        serviceAccountsEnabled: false
+        protocol: "openid-connect"
+        fullScopeAllowed: true
+        protocolMappers:
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: "false"
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: false
+              access.token.claim: true
+              userinfo.token.claim: false

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/\
+      {{ .Values.charts.dovecot.repository }}"

  # Open-Xchange
  - name: "open-xchange-repo"
@@ -19,7 +20,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/\
+      {{ .Values.charts.openXchangeAppSuite.repository }}"

  # openDesk Open-Xchange Bootstrap
  # Source:
@@ -30,7 +32,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
+      {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"

 releases:
  - name: "dovecot"
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/open-xchange/helmfile.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/\
+      {{ .Values.charts.openprojectBootstrap.repository }}"

 releases:
  - name: "opendesk-openproject-bootstrap"
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/\
+      {{ .Values.charts.openproject.repository }}"

 releases:
  - name: "openproject"
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/openproject/helmfile.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/provisioning/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/provisioning/helmfile-child.yaml.gotmpl
@@ -7,7 +7,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/\
+      {{ .Values.charts.oxConnector.repository }}"

 releases:
  - name: "ox-connector"
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/provisioning/helmfile.yaml.gotmpl
+++ b/helmfile/apps/provisioning/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/services/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/services/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
+      {{ .Values.charts.otterize.repository }}"

  # openDesk Home
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
@@ -20,7 +21,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
+      {{ .Values.charts.home.repository }}"

  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -30,7 +32,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/\
+      {{ .Values.charts.certificates.repository }}"

  # openDesk PostgreSQL
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
@@ -40,7 +43,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/\
+      {{ .Values.charts.postgresql.repository }}"

  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -50,7 +54,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
+      {{ .Values.charts.mariadb.repository }}"

  # openDesk dkimpy-milter
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
@@ -60,7 +65,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/\
+      {{ .Values.charts.dkimpy.repository }}"

  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -70,7 +76,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
+      {{ .Values.charts.postfix.repository }}"

  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -80,14 +87,16 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/\
+      {{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/\
+      {{ .Values.charts.clamavSimple.repository }}"

  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
@@ -97,21 +106,24 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/\
+      {{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/\
+      {{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/\
+      {{ .Values.charts.minio.repository }}"

 releases:
  - name: "opendesk-otterize"
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/services/helmfile.yaml.gotmpl
+++ b/helmfile/apps/services/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/\
+      {{ .Values.charts.xwiki.repository }}"

 releases:
  - name: "xwiki"
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...
--- a/helmfile/apps/xwiki/helmfile.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-bases:
-  - "../../bases/environments.yaml"
---
-helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
-    values:
-      - {{ toYaml .Values | nindent 8 }}
-...
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -46,7 +46,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
    name: "collabora-online"
-    version: "1.1.21"
+    version: "1.1.20"
    verify: true
  cryptpad:
    # providerCategory: "Supplier"
@@ -132,7 +132,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
    name: "opendesk-jitsi"
-    version: "1.11.3"
+    version: "1.9.3"
    verify: true
  mariadb:
    # providerCategory: "Platform"
@@ -264,7 +264,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "nubus"
-    version: "0.57.3"
+    version: "0.56.1"
    verify: true
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
@@ -274,8 +274,9 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.1.1"
-    verify: true
+    version: "2.2.0-jtorres-univention-keycloak-clients"
+    verify: false
+    # TODO: change to the final version during MR to develop
  openproject:
    # providerCategory: "Supplier"
    # providerResponsible: "openProject"
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -20,7 +20,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.7.2.1@sha256:5b00478f2c6c7372b2a67e68783d9b1a91265679bbd4afdc1416e50720d50ce6"
+    tag: "24.04.7.1.2@sha256:6e3d64dfdf4a429c374f18947d7c4e987f585a13642817672123fd1963dc8a2d"
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -413,7 +413,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.38.3@sha256:3b74617c6a8b68b086be8ab648bfffb08ba6ddb052ff0dcd4731c1bcc5a87a03"
+    tag: "0.38.1@sha256:da8bed3e1ce40804d8ac4ac5901109dcce8cd76eb7c6c711787fff6cbcc76733"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -421,7 +421,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.5.0@sha256:2bfdf79028ec788162cf75bf80b08ed5aa3f747430bc85fd5e0427decc9994de"
+    tag: "1.4.0@sha256:8f3a278c41b799f23f0559e6bc4ebfe9a3ee3d70a906205ea84597a5411af5d5"
  nubusOpenPolicyAgent:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -451,7 +451,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.38.3@sha256:a4c7b57870aa7868174ef446f4212da1fc9f57d72c31dca245a5787699f2975b"
+    tag: "0.38.1@sha256:beaa9f6f9cf2045781dba6f4aa67ed0b129b0f01a5a719ac038a07be135b6430"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -471,7 +471,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.38.3@sha256:514ff5117331d0b446944b252d993db547daad64062fcfaab8794bfb4f5290a3"
+    tag: "0.38.1@sha256:ace41eb46cc751efda5e0c827a5707c0442b454254944a71cd6a7a265a5e2247"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -481,7 +481,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.38.3@sha256:0cd37fc82a7426013a1f93dcf4a72686f3b90b7532991dd1d50ae28cbca493e5"
+    tag: "0.38.1@sha256:3cb56bf434607282bad4a70e6be0ee72d8889c4135b63af91db54d8f48b31b0a"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -491,7 +491,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.39.0@sha256:cff262c399785594a07d61a0645ca304e4da044d37831c29f848d8d70b2e58c9"
+    tag: "0.38.0@sha256:d583151b108164374bd11dc74626c62aace0ff4ddc5997b08553b559d7c0bf91"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -501,7 +501,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.39.0@sha256:9f537eb138863ea9c3f6f7b416e7787ab1841e3e0ba3a8dd39fe35464955d75d"
+    tag: "0.38.0@sha256:b459c3a9bfd51692691736f0afeb0c7ba2d75efe30a5b1e2a8b51c5c48f08ac4"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -511,7 +511,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.39.0@sha256:72ab91cd235b52875c03411c5488984b482aafc6d58f2064bd5313ab7a119cab"
+    tag: "0.38.0@sha256:7fe6dfe75c3131ebf9bb9a36210adf4bd0bead06d6214985427d59eb4b420b40"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -521,7 +521,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.39.0@sha256:f0e63353f0ea28890c992a374b82ac65f379f9dfd4c7fe645f002b170df1da69"
+    tag: "0.38.0@sha256:99a7fdc23650c5bcbf58c38ffea86b5fe779b12a834824ae5e206fc5f2c0301a"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -531,7 +531,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.39.0@sha256:64166fae60856da544698b601b70037a93239e9f6072ced890cd5965fab148dc"
+    tag: "0.38.0@sha256:e40b33188f11d82f669532e1f085ba5e1758fd6099f679a759f6ae2b1d0ee3ef"
  nubusSelfserviceInvitation:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -562,6 +562,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
+  umsStackDataSwp:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
  umsStackGateway:
    limits:
      cpu: 99
--- a/helmfile/environments/default/theme.gotmpl
+++ b/helmfile/environments/default/theme.gotmpl
@@ -46,9 +46,6 @@ theme:
    favicon144PngB64: {{ readFile "./../../files/theme/favicon144.png" | b64enc | quote }}
    logoHeaderSvgB64: {{ readFile "./../../files/theme/logoHeader.svg" | b64enc | quote }}

-    # Jitsi
-    logoHeaderInvertedSvgB64: {{ readFile "./../../files/theme/logoHeaderInverted.svg" | b64enc | quote }}
-
    # Portal
    logoPortalBackgroundSvgB64: {{ readFile "./../../files/theme/logoPortalBackground.svg" | b64enc | quote }}
    portalCss: {{ readFile "./../../files/theme/portal.css" | b64enc }}
--- a/helmfile/files/theme/logoHeaderInverted.svg
+++ b/helmfile/files/theme/logoHeaderInverted.svg
--- a/helmfile_generic.yaml
+++ b/helmfile_generic.yaml
@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+#
+# Advanced Configuration: Nested States
+#
+helmfiles:
+  # Path to the helmfile state file being processed BEFORE releases in this state file
+  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml"
+    values: &values
+      - "helmfile/environments/default/*.yaml"
+      - "helmfile/environments/default/*.gotmpl"
+      - {{ toYaml .Values | nindent 8 }}
+  - path: "helmfile/apps/services/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/nubus/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/intercom-service/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/open-xchange/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/nextcloud/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/collabora/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/cryptpad/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/jitsi/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/element/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/openproject/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/xwiki/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/provisioning/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/migrations-post/helmfile-child.yaml"
+    values: *values
+missingFileHandler: "Error"
+...
--- a/helmfile_generic.yaml.gotmpl
+++ b/helmfile_generic.yaml.gotmpl
@@ -1,43 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
---
-#
-# Advanced Configuration: Nested States
-#
-helmfiles:
-  # Path to the helmfile state file being processed BEFORE releases in this state file
-  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl"
-    values: &values
-      - "helmfile/environments/default/*.yaml"
-      - "helmfile/environments/default/*.gotmpl"
-      - {{ toYaml .Values | nindent 8 }}
-  - path: "helmfile/apps/services/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/nubus/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/collabora/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/jitsi/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/element/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/openproject/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/xwiki/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/provisioning/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl"
-    values: *values
-  - path: "helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl"
-    values: *values
-missingFileHandler: "Error"
-...
Author	SHA1	Message	Date
Johannes Bornhold	6c2682176d	fix(nubus): Configure "global.subDomains" based on "global.hosts"	2024-09-12 12:03:06 +02:00
Nubus CI Bot	77528d4a14	feat(nubus): Update chart and images to version 0.56.1	2024-09-12 11:29:12 +02:00
Johannes Bornhold	558a0c350d	fix(ci): Correct the way how credentials for the RUN_TESTS job are extracted	2024-09-12 11:29:12 +02:00
Carlos García-Mauriño	5f8d27dc3c	chore(nubus): Remove installUmcPolicies option	2024-09-12 10:41:54 +02:00
Johannes Bornhold	20d75271b3	fix(nubus): Update images to match version 0.56.0	2024-09-11 17:54:28 +02:00
Carlos García-Mauriño	a68704b310	feat(nubus): Upgrade nubus chart to 0.56.0	2024-09-11 17:25:04 +02:00
Nubus CI Bot	c9ce869d1d	feat(nubus): Update chart to version 0.54.1-pre-jlohmer-consumer-race-condition	2024-09-11 17:25:04 +02:00
Johannes Lohmer	20a6200483	fix(nubus): Clean up portal-listener and selfservice-listener artifacts	2024-09-11 17:21:02 +02:00
Johannes Lohmer	39e125c26a	fix(nubus): Use helmfile secrets in provisioning and remove unused secrets.	2024-09-11 17:21:02 +02:00
Johannes Lohmer	6047197d8c	feat(nubus): Activate Nubus Provisioning components and Consumers to replace portal-listener and selfservice-listener	2024-09-11 17:21:01 +02:00
Johannes Lohmer	dcacd9cac9	fix(nubus): Keep provisioning and consumers behind a feature-flag for easier merging This commit should be reverted once we are confident that provisioning and the consumers work as expected.	2024-09-11 17:21:01 +02:00
Johannes Lohmer	95c4dd2e2e	fix(nubus): Update nubus provisioning and consumer configuration	2024-09-11 17:21:01 +02:00
Nubus CI Bot	269c8270ee	feat(nubus): Update chart to version 0.51.0	2024-09-11 17:21:01 +02:00
Juan Pedro Torres	1d1c170142	feat(nubus): Bump chart version for default tiles removal	2024-09-11 17:21:01 +02:00
Johannes Bornhold	19f366defb	fix(nubus): Adjust keyring for intercom service	2024-09-11 17:21:01 +02:00
Nubus CI Bot	49382879d8	feat(nubus): Integrate keycloak provisioning	2024-09-11 17:21:01 +02:00
Juan Pedro Torres	26defa7776	feat(nubus): Bump chart version for default tiles removal	2024-09-11 17:21:00 +02:00
Nubus CI Bot	c76a117418	feat(nubus): Update chart to version 0.47.0	2024-09-11 17:21:00 +02:00
Jaime Conde	01f8e602f1	fix(nubus): Map Administrator credentials	2024-09-11 17:21:00 +02:00
Jaime Conde	86085c0f41	fix(nubus): Univention Portal images	2024-09-11 17:21:00 +02:00
Nubus CI Bot	e51ba3bc40	feat(nubus): Update chart to version 0.45.0	2024-09-11 17:21:00 +02:00
Carlos García-Mauriño	70ccbe400e	feat(nubus): Update charts and images	2024-09-11 17:21:00 +02:00
Carlos García-Mauriño	c819ec6ee8	fix(nubus): Configure stackDataContext	2024-09-11 17:21:00 +02:00
Carlos García-Mauriño	5316bd58a2	feat(nubus): Add custom UCR values	2024-09-11 17:20:59 +02:00
Juan Pedro Torres	565237155a	fix(nubus): Cleanup values	2024-09-11 17:20:59 +02:00
Juan Pedro Torres	036230eb58	feat(nubus): Upgrade Keycloak version	2024-09-11 17:20:59 +02:00
Juan Pedro Torres	0b3ee7e2d9	fix(nubus): Fix Keycloak init race condition	2024-09-11 17:20:59 +02:00
Juan Pedro Torres	ddbc89102b	feat(nubus): Bump Nubus version to 0.41.0, readonly user from Nubus	2024-09-11 17:20:59 +02:00
Jaime Conde	73c08ca953	fix(nubus): Use Nubus LDAP server image	2024-09-11 17:20:59 +02:00
Nubus CI Bot	d260c183ad	feat(nubus): Update ldap-server with umc-server license fix	2024-09-11 17:20:59 +02:00
Johannes Lohmer	cbe2da123b	fix(nubus): Comments are not allowed in images.yaml	2024-09-11 17:20:58 +02:00
Johannes Lohmer	03131989fa	fix(nubus): Keep provisioning and consumers behind a feature-flag for easier merging This commit should be reverted once we are confident that provisioning and the consumers work as expected.	2024-09-11 17:20:58 +02:00
Johannes Lohmer	aa46848e30	fix(nubus): Update nubus provisioning and consumer configuration	2024-09-11 17:20:58 +02:00
Johannes Lohmer	5d080c4abf	feat(nubus): Update nubus chart and images to version 0.39.2	2024-09-11 17:20:58 +02:00
Johannes Bornhold	a2afb22dce	fix(nubus): Disable certManager	2024-09-11 17:20:58 +02:00
Johannes Bornhold	2398f8c8a2	fix(nubus): Support "ingress.tls.secretName"	2024-09-11 17:20:57 +02:00
Thorsten Roßner	6484e1bd8b	fix(nubus): Set replicaCountProxy and replicaCountSecondary to `0`.	2024-09-11 17:15:01 +02:00
Johannes Bornhold	9e154b178d	fix(nubus): Configure keycloak-bootstrap to use the correct bind DN	2024-09-11 17:15:01 +02:00
Johannes Lohmer	9f0c481017	fix(nubus-extensions): Replace branch version of image after the merge	2024-09-11 17:15:01 +02:00
Johannes Lohmer	137e8e3437	fix(nubus): Use keycloak passwords from helmfile	2024-09-11 17:15:01 +02:00
Thorsten Roßner	02253ef4f2	fix(docs): Ensure 120 char line limit in yaml.	2024-09-11 17:15:01 +02:00
Johannes Lohmer	660618cff9	fix(nubus): Only use one LDAP Primary and make replica count of Secondary and Proxy others configurable	2024-09-11 17:15:01 +02:00
Juan Pedro Torres	171cc164ef	feat(nubus): OpenDesk UDM loader	2024-09-11 17:15:00 +02:00
Thorsten Roßner	246fbf4960	fix(nubus): Update migration to delete umc-server deployment.	2024-09-11 17:15:00 +02:00
Johannes Bornhold	31664a1803	fix(nubus): Update openDesk extension to version 1.2.1	2024-09-11 17:15:00 +02:00
Johannes Bornhold	5e2d28b90d	fix(nubus): Update to version 0.39.2 This does include a fix related to the UMC Server proxy in regard to issues around "too many open files".	2024-09-11 17:15:00 +02:00
Johannes Bornhold	579c303a5f	fix(nubus): Use the selfservice-invitation image out of the correct registry	2024-09-11 17:15:00 +02:00
Johannes Bornhold	c8aa5b8432	fix(nubus): Remove TODO note around the custom ldap server image	2024-09-11 17:15:00 +02:00
Johannes Bornhold	82e3e8aa0d	fix(nubus): Remove TODO note around dhInitcontainer	2024-09-11 17:15:00 +02:00
Johannes Bornhold	861009995d	fix(nubus): Use the newer keycloak-bootstrap image	2024-09-11 17:15:00 +02:00
Johannes Bornhold	df7bccef26	fix(nubus): Use the newer Keycloak image	2024-09-11 17:14:59 +02:00
Johannes Bornhold	5affcc0e29	fix(nubus): Remove stack gateway related image configuration	2024-09-11 17:14:59 +02:00
Johannes Bornhold	f45ef0740c	fix(nubus): Disable certManager	2024-09-11 17:14:59 +02:00
Johannes Bornhold	3bac7cafde	fix(nubus): Increase UMC Server limit	2024-09-11 17:14:59 +02:00
Johannes Bornhold	b635aa3a3c	feat(nubus): Update to Nubus 0.39.1 chart and images only	2024-09-11 17:14:59 +02:00
Jaime Conde	4cc0479876	fix(nubus): Drop umc-gateway menu unused patches	2024-09-11 17:14:59 +02:00
Johannes Bornhold	3fbf6c8bfd	fix(nubus): Support "ingress.tls.secretName"	2024-09-11 17:14:59 +02:00
Johannes Bornhold	b2e517afab	fix(nubus): Use cert-manager issuer name out of Helmfile values	2024-09-11 17:14:59 +02:00