feat(nubus): Update chart to version 0.63.0-pre-jconde-plain-nubus

fix(helmfile): Move Intercom-Service to Nubus component.
fix(helmfile): Move OX-Connector to Open-Xchange component.
2025-12-09 00:38:34 +01:00 · 2024-10-03 11:25:12 +00:00 · 2024-09-30 19:05:01 +02:00 · 2024-09-30 19:03:21 +02:00 · 2024-09-30 12:17:10 +02:00 · 2024-09-27 16:39:07 +00:00
82 changed files with 1033 additions and 1273 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -6,8 +6,10 @@
 # Ignore changes to sample environments
 helmfile/environments/dev/*.yaml.gotmpl
 helmfile/environments/test/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
 !helmfile/environments/dev/sample.yaml.gotmpl
 !helmfile/environments/test/sample.yaml.gotmpl
 !helmfile/environments/prod/sample.yaml.gotmpl
 # Ignore in CI generated files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,7 @@
 ---
 include:
  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.3.3"
+    ref: "v2.3.4"
    file:
      - "ci/common/automr.yml"
      - "ci/common/lint.yml"
@@ -97,12 +97,6 @@ variables:
    options:
      - "yes"
      - "no"
  DEPLOY_PROVISIONING:
    description: "Enable Provisioning Components."
    value: "no"
    options:
      - "yes"
      - "no"
  DEPLOY_COLLABORA:
    description: "Enable Collabora deployment."
    value: "no"
@@ -127,12 +121,6 @@ variables:
    options:
      - "yes"
      - "no"
  DEPLOY_ICS:
    description: "Enable ICS deployment."
    value: "no"
    options:
      - "yes"
      - "no"
  DEPLOY_XWIKI:
    description: "Enable XWiki deployment."
    value: "no"
@@ -159,7 +147,7 @@ variables:
      - "no"
  RUN_TESTS:
    description: "Triggers execution of E2E-tests."
-    value: "yes"
+    value: "no"
    options:
      - "yes"
      - "no"
@@ -181,13 +169,16 @@ variables:
    options:
      - "Regression"
      - "Smoke"
  TESTS_GRACE_PERIOD:
    description: "A new deployment sometimes needs a few minutes to sort itself. If tested too early tests may fail. GRACE_PERIOD is the period in seconds that should be waited before running the tests."
    value: "0"
 .deploy-common:
  cache: {}
  dependencies: []
  extends: ".environments"
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.1.0\
-          @sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a"
+          @sha256:74f349066ac5d20e3afaa6abd28781b4c8dc086f67e3d3c1b8345e4a9c3371b1"
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
    # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -245,14 +236,6 @@ env-start:
  script:
    - "echo \"Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster\""
    - "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -"
    - >
      kubectl create secret
      --namespace "${NAMESPACE}"
      docker-registry external-registry
      --docker-server "${EXTERNAL_REGISTRY}"
      --docker-username "${EXTERNAL_REGISTRY_USERNAME}"
      --docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
      --dry-run=client -o yaml | kubectl apply -f -
  stage: "env"
 policies-deploy:
@@ -304,18 +287,6 @@ services-deploy:
  variables:
    COMPONENT: "services"
 provisioning-deploy:
  stage: "component-deploy-stage-2"
  extends: ".deploy-common"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no" || $DEPLOY_PROVISIONING != "no")
      when: "on_success"
  variables:
    COMPONENT: "provisioning"
 nubus-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
@@ -341,18 +312,6 @@ ox-deploy:
  variables:
    COMPONENT: "open-xchange"
 ics-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ICS != "no")
      when: "on_success"
  variables:
    COMPONENT: "intercom-service"
 xwiki-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
@@ -474,7 +433,7 @@ env-stop:
       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.user_password}' | base64 -d \
    )
    DEFAULT_ADMIN_PASSWORD=$(
-       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.administrator_password}' | base64 -d \
+       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.admin_password}' | base64 -d \
    )
 run-tests:
@@ -486,6 +445,11 @@ run-tests:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes"
      when: "on_success"
  parallel:
    matrix:
      - LANGUAGE:
          - "de"
          - "en"
  script:
    - *ums-default-password
    - |
@@ -499,6 +463,7 @@ run-tests:
          \"cluster\": \"${CLUSTER}\", \
          \"namespace\": \"${NAMESPACE}\", \
          \"url\": \"https://portal.${DOMAIN}/\", \
          \"language\": \"${LANGUAGE}\", \
          \"user_name\": \"${DEFAULT_USER_NAME}\", \
          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
@@ -511,7 +476,8 @@ run-tests:
          \"testprofile\": \"Namespace\", \
          \"gitlab_functional_yaml\": \"https://gitlab.opencode.de/api/v4/projects/1317/repository/files/helmfile%2Fenvironments%2Fdefault%2Ffunctional.yaml?ref=develop\", \
          \"gitlab_env_namespace_template\": \"https://gitlab.opencode.de/api/v4/projects/1564/repository/files/environments%2F{operator}%2F{cluster}%2F{namespace}.yaml.gotmpl?ref=main\", \
-          \"gitlab_default_env_namespace\": \"values\" \
+          \"gitlab_default_env_namespace\": \"values\", \
          \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\" \
        } \
      }" \
      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
@@ -692,5 +658,4 @@ renovate:
  script:
    - "renovate ${RENOVATE_EXTRA_FLAGS}"
  stage: "renovate"
 ...
--- a/.gitlab/common/common.yml
+++ b/.gitlab/common/common.yml
@@ -2,10 +2,10 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.4\
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.5.0\
-    @sha256:4120fe717071876f4c9ff128f26019d089fda158a4fb1912911e09af2fd3875f"
+    @sha256:630e102edc70c9e730a46180e79ff278fd8b5039eb336110e0df89fe415225ef"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.5\
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.6\
-    @sha256:60870adb64b0503d4a6efd16cef4e074b91a4ca52b48811cfcea057bcccd07e4"
+    @sha256:0a8997876a0c3f5a3c73eb6bd75c5cde63757bc31b983bfd92cfcb17389d536f"
 .common:
  cache: {}
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -14,18 +14,19 @@ lint-kyverno:
          - "collabora"
          - "cryptpad"
          - "element"
          - "intercom-service"
          - "jitsi"
          - "nextcloud"
          - "nubus"
          - "open-xchange"
          - "openproject"
          - "openproject-bootstrap"
          - "provisioning"
          - "services"
          - "xwiki"
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
    - >
      node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
      -d ${CI_PROJECT_DIR}/helmfile/environments
    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
    - >
      node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -1,16 +0,0 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: openDesk - der Souveräne Arbeitsplatz
 Upstream-Contact: <opendesk@zendis.de>
 Source: https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk
 Files: helmfile/files/theme/*
 Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 License: Apache-2.0
 Files: helmfile/files/gpg-pubkeys/*
 Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 License: CC0-1.0
 Files: cspell.json
 Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 License: Apache-2.0
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ openDesk currently features the following functional main components:
 | Groupware            | OX App Suite                | [8.26](https://documentation.open-xchange.com/appsuite/releases/8.26/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [14.4.1](https://www.openproject.org/docs/release-notes/14-4-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [14.5.1](https://www.openproject.org/docs/release-notes/14-5-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
 | Weboffice            | Collabora                   | [24.04.7.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -0,0 +1,19 @@
 # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 version = 1
 [[annotations]]
 path = "helmfile/files/theme/*"
 SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
 SPDX-License-Identifier = "Apache-2.0"
 [[annotations]]
 path = "cspell.json"
 SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
 SPDX-License-Identifier = "Apache-2.0"
 [[annotations]]
 path = "helmfile/files/gpg-pubkeys/*"
 SPDX-FileCopyrightText = "2023 Bundesministerium des Innern und für Heimat, PG ZenDiS \"Projektgruppe für Aufbau ZenDiS\""
 SPDX-License-Identifier = "CC0-1.0"
--- a/dev/charts-local.py
+++ b/dev/charts-local.py
@@ -25,7 +25,7 @@ script_path = os.path.dirname(os.path.realpath(__file__))
 log_path = script_path+'/../logs'
 charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml'
 base_repo_path = script_path+'/..'
-base_helmfile = base_repo_path+'/helmfile_generic.yaml'
+base_helmfile = base_repo_path+'/helmfile_generic.yaml.gotmpl'
 helmfile_backup_extension = '.bak'
 Path(log_path).mkdir(parents=True, exist_ok=True)
--- a/docs/components.md
+++ b/docs/components.md
@@ -35,20 +35,18 @@ they need to be replaced in production deployments.
 | CryptPad                    | Weboffice                      | Functional |
 | dkimpy-milter               | DKIM milter for Postfix        | Eval       |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
 | MariaDB                     | Database                       | Eval       |
 | Memcached                   | Cache Database                 | Eval       |
 | MinIO                       | Object Storage                 | Eval       |
 | Nextcloud                   | File share                     | Functional |
 | Nubus (UMS)                 | Identity Management & Portal   | Functional |
 | OpenProject                 | Project management             | Functional |
 | OX Appsuite                 | Groupware                      | Functional |
 | OX Dovecot                  | Mail backend (IMAP)            | Functional |
 | Provisioning (OX Connector) | Groupware provisioning         | Functional |
 | Postfix                     | MTA                            | Eval       |
 | PostgreSQL                  | Database                       | Eval       |
 | Redis                       | Cache Database                 | Eval       |
 | Univention Management Stack | Identity Management & Portal   | Functional |
 | XWiki                       | Knowledge Management           | Functional |
 # Component integration
@@ -75,9 +73,9 @@ Most details can be found in the upstream documentation that is linked in the re
 ## Intercom Service / Silent Login
-The Intercom Service's role is to enable cross-application integration based on the user's browser interaction as handling
+The Intercom Service is deployed in context of Nubus/UMS. Its role is to enable cross-application integration
-authentication when the frontend of an application has to call the API from another application is often a
+based on the user's browser interaction as handling authentication when the frontend of an application has to call
-challenge.
+the API from another application is often a challenge.
 To establish a session with the Intercom Service an application can use the silent login feature within an iframe.
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -109,7 +109,6 @@ All available apps and their default value can be found in `helmfile/environment
 | CryptPad             | `cryptpad.enabled`          | `true`  | Weboffice                      |
 | Dovecot              | `dovecot.enabled`           | `true`  | Mail backend                   |
 | Element              | `element.enabled`           | `true`  | Secure communications platform |
 | Intercom Service     | `intercom.enabled`          | `true`  | Cross service data exchange    |
 | Jitsi                | `jitsi.enabled`             | `true`  | Videoconferencing              |
 | MariaDB              | `mariadb.enabled`           | `true`  | Database                       |
 | Memcached            | `memcached.enabled`         | `true`  | Cache Database                 |
@@ -118,7 +117,6 @@ All available apps and their default value can be found in `helmfile/environment
 | Nubus                | `nubus.enabled`             | `true`  | Identity Management & Portal   |
 | OpenProject          | `openproject.enabled`       | `true`  | Project management             |
 | OX Appsuite          | `oxAppsuite.enabled`        | `true`  | Groupware                      |
 | Provisioning         | `oxConnector.enabled`       | `true`  | Backend provisioning           |
 | Postfix              | `postfix.enabled`           | `true`  | MTA                            |
 | PostgreSQL           | `postgresql.enabled`        | `true`  | Database                       |
 | Redis                | `redis.enabled`             | `true`  | Cache Database                 |
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -135,6 +135,21 @@ global:
    xwiki: "wiki"
 ```
 In case you would like to use the updated hostnames you at least have to apply some manual changes. But do this at
 your own risk. Be also aware that some of your user's bookmarks and links will stop working.
 - Update the affected portal tiles:
  - All tiles in the "Files" category.
  - The "Projects" tile in the "Management" category.
 - There are two options to change the link for the portal tiles:
  - Use an admin account to access the portal's edit mode (on the bottom of the sidebar portal's menu).
  - Utilize the UDM REST API to update the portal tile objects.
 - Update the hostnames for the OpenProject-Nextcloud integration using a functional admin user for both components:
  - In OpenProject: *Administration* > *Files* > *External file storages* > Select `Nextcloud at [your_domain]`
    Edit *Details* - *General Information* - *Storage provider* and update the *hostname* to `files.<your_domain>`.
  - In Nextcloud: *Administration* > *OpenProject* > *OpenProject server* update the *OpenProject host* to
    to `projects.<your_domain>`.
 #### Updated `global.imagePullSecrets`
 Without using a custom registry, you can pull all the openDesk images without authentication.
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -24,7 +24,7 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX)
 - [Helm](https://helm.sh/) >= v3.9.0
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc.5**
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
--- a/docs/security-context.md
+++ b/docs/security-context.md
@@ -158,7 +158,6 @@ This list gives you an overview of templated security settings and if they compl
 | **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes |
 | **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **intercom-service**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
 | **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
 | **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
@@ -183,7 +182,7 @@ This list gives you an overview of templated security settings and if they compl
 | **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **provisioning**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **open-xchange**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
 | **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
 | **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
@@ -196,6 +195,7 @@ This list gives you an overview of templated security settings and if they compl
 | **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
 | **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **univention-management-stack**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums/keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums/keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
--- a/docs/workflow.md
+++ b/docs/workflow.md
@@ -355,7 +355,7 @@ Commit messages must adhere to the [Conventional Commit standard](https://www.co
  │       │              |
  │       │              └─> Issue reference (optional)
  │       │
-  │       └─> Commit Scope: helmfile, docs, collabora, intercom-service, ...
+  │       └─> Commit Scope: helmfile, docs, collabora, nextcloud, open-xhcange etc.
  │
  └─> Commit Type: chore, ci, docs, feat, fix
 ```
--- a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
@@ -18,6 +18,7 @@ releases:
    version: "{{ .Values.charts.collabora.version }}"
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.collaboraOnline | default "additionalValues: false" }}
    installed: {{ .Values.collabora.enabled }}
 commonLabels:
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -84,6 +84,8 @@ ingress:
      hosts:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
 podAnnotations: {}
 podSecurityContext:
  fsGroup: 100
--- a/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
@@ -18,6 +18,7 @@ releases:
    version: "{{ .Values.charts.cryptpad.version }}"
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.cryptpad | default "additionalValues: false" }}
    installed: {{ .Values.cryptpad.enabled }}
 commonLabels:
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -53,6 +53,8 @@ ingress:
 persistence:
  enabled: false
 podAnnotations: {}
 podSecurityContext:
  fsGroup: 4001
--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -32,52 +32,6 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
  - name: "matrix-user-verification-service-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixUserVerificationService.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
 releases:
  - name: "opendesk-element"
@@ -85,6 +39,7 @@ releases:
    version: "{{ .Values.charts.element.version }}"
    values:
      - "values-element.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskElement | default "additionalValues: false" }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -93,6 +48,7 @@ releases:
    version: "{{ .Values.charts.elementWellKnown.version }}"
    values:
      - "values-well-known.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskWellKnown | default "additionalValues: false" }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -101,6 +57,7 @@ releases:
    version: "{{ .Values.charts.synapseWeb.version }}"
    values:
      - "values-synapse-web.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskSynapseWeb | default "additionalValues: false" }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -109,62 +66,7 @@ releases:
    version: "{{ .Values.charts.synapse.version }}"
    values:
      - "values-synapse.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      - {{ .Values.customization.release.opendeskSynapse | default "additionalValues: false" }}
    timeout: 900
  - name: "opendesk-matrix-user-verification-service-bootstrap"
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  - name: "opendesk-matrix-user-verification-service"
    chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
    values:
      - "values-matrix-user-verification-service.yaml.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  - name: "matrix-neoboard-widget"
    chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
    values:
      - "values-matrix-neoboard-widget.yaml.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  - name: "matrix-neochoice-widget"
    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
    values:
      - "values-matrix-neochoice-widget.yaml.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  - name: "matrix-neodatefix-widget"
    chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
    values:
      - "values-matrix-neodatefix-widget.yaml.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  - name: "matrix-neodatefix-bot-bootstrap"
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  - name: "matrix-neodatefix-bot"
    chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
    values:
      - "values-matrix-neodatefix-bot.yaml.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 configuration:
  endToEndEncryption: true
  additionalConfiguration:
-    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=opendesk-matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
    "net.nordeck.element_web.module.opendesk":
      config:
@@ -20,86 +20,6 @@ configuration:
          --cpd-color-bg-action-primary-rest: {{ .Values.theme.colors.primary | quote }}
          --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
    "net.nordeck.element_web.module.widget_lifecycle":
      widget_permissions:
        "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/jitsi.html":
          identity_approved: true
        "https://{{ .Values.global.hosts.matrixNeoBoardWidget }}.{{ .Values.global.domain }}/*":
          preload_approved: true
          capabilities_approved:
            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.create
            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.create
            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.chunk
            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk
            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot
            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot
            - org.matrix.msc2762.send.state_event:m.room.power_levels#
            - org.matrix.msc2762.receive.state_event:m.room.power_levels#
            - org.matrix.msc2762.receive.state_event:m.room.member
            - org.matrix.msc2762.receive.state_event:m.room.name
            - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard
            - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard
            - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard.sessions#*
            - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard.sessions
            - org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
            - org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
            - town.robin.msc3846.turn_servers
            - org.matrix.msc4039.upload_file
            - org.matrix.msc4039.download_file
        "https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
          preload_approved: true
          capabilities_approved:
            - org.matrix.msc2762.send.event:net.nordeck.poll.vote
            - org.matrix.msc2762.receive.event:net.nordeck.poll.vote
            - org.matrix.msc2762.send.state_event:net.nordeck.poll
            - org.matrix.msc2762.receive.state_event:net.nordeck.poll
            - org.matrix.msc2762.send.state_event:net.nordeck.poll.settings
            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.settings
            - org.matrix.msc2762.receive.state_event:m.room.power_levels
            - org.matrix.msc2762.receive.state_event:m.room.name
            - org.matrix.msc2762.receive.state_event:m.room.member
            - org.matrix.msc2762.send.state_event:net.nordeck.poll.group
            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.group
            - org.matrix.msc2762.send.event:net.nordeck.poll.start
            - org.matrix.msc2762.receive.event:net.nordeck.poll.start
        "https://{{ .Values.global.hosts.matrixNeoDateFixWidget }}.{{ .Values.global.domain }}/*":
          preload_approved: true
          identity_approved: true
          capabilities_approved:
            - org.matrix.msc2931.navigate
            - org.matrix.msc2762.timeline:*
            - org.matrix.msc2762.receive.state_event:m.room.power_levels
            - org.matrix.msc2762.receive.event:m.reaction
            - org.matrix.msc2762.receive.state_event:m.room.create
            - org.matrix.msc2762.receive.state_event:m.room.tombstone
            - org.matrix.msc2762.receive.state_event:m.room.member
            - org.matrix.msc2762.send.state_event:m.room.member
            - org.matrix.msc2762.receive.state_event:m.room.name
            - org.matrix.msc2762.receive.state_event:m.room.topic
            - org.matrix.msc2762.receive.state_event:m.space.parent
            - org.matrix.msc2762.receive.state_event:m.space.child
            - org.matrix.msc2762.receive.state_event:net.nordeck.meetings.metadata
            - org.matrix.msc2762.receive.state_event:im.vector.modular.widgets
            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.create
            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.create
            - org.matrix.msc2762.send.event:net.nordeck.meetings.breakoutsessions.create
            - org.matrix.msc2762.receive.event:net.nordeck.meetings.breakoutsessions.create
            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.close
            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.close
            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.widgets.handle
            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.widgets.handle
            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.participants.handle
            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.participants.handle
            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.update
            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.update
            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.change.message_permissions
            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.change.message_permissions
            - org.matrix.msc2762.send.event:net.nordeck.meetings.sub_meetings.send_message
            - org.matrix.msc2762.receive.event:net.nordeck.meetings.sub_meetings.send_message
            - org.matrix.msc3973.user_directory_search
  welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -137,6 +57,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -1,55 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoBoardWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
 resources:
  {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -1,55 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoChoiceWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 resources:
  {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -1,44 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 configuration:
  username: "meetings-bot"
  pod: "opendesk-synapse-0"
  secretName: "matrix-neodatefix-bot-account"
  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "matrix-neodatefix-bot-bootstrap"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -1,83 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  bot:
    username: "meetings-bot"
    displayname: "Terminplaner Bot"
  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
  strings:
    breakoutSessionWidgetName: "Breakoutsessions"
    calendarRoomName: "Terminplaner"
    calendarWidgetName: "Terminplaner"
    cockpitWidgetName: "Meeting Steuerung"
    jitsiWidgetName: "Videokonferenz"
    matrixNeoBoardWidgetName: "Whiteboard"
    matrixNeoChoiceWidgetName: "Abstimmungen"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
 extraEnvVars:
  - name: "ACCESS_TOKEN"
    valueFrom:
      secretKeyRef:
        name: "matrix-neodatefix-bot-account"
        key: "access_token"
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixBot.registry | quote }}
  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 livenessProbe:
  enabled: true
 persistence:
  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 101
 readinessProbe:
  enabled: true
 replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
 resources:
  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -1,60 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 configuration:
  bot:
    username: "meetings-bot"
    homeserver: {{ .Values.global.matrixDomain | default .Values.global.domain }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
 resources:
  {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -1,43 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 configuration:
  username: "uvs"
  pod: "opendesk-synapse-0"
  secretName: "opendesk-matrix-user-verification-service-account"
  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -1,54 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: false
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
 extraEnvVars:
  - name: "UVS_ACCESS_TOKEN"
    valueFrom:
      secretKeyRef:
        name: "opendesk-matrix-user-verification-service-account"
        key: "access_token"
  - name: "UVS_DISABLE_IP_BLACKLIST"
    value: "true"
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixUserVerificationService.registry | quote }}
  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
 resources:
  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -51,6 +51,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -12,10 +12,9 @@ configuration:
    room_prejoin_state:
      additional_event_types:
        - "m.space.parent"
        - "net.nordeck.meetings.metadata"
        - "m.room.power_levels"
-    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+    # To allow intercom service logins for the users and also allow proper testautomation we want to raise the
-    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
+    # ratelimit in a reasonable manner.
    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
    rc_login:
      account:
@@ -33,25 +32,6 @@ configuration:
  homeserver:
    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
    appServiceConfigs:
      - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
        hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
        id: intercom-service
        namespaces:
          users:
            - exclusive: false
              regex: "@.*"
        url: null
        sender_localpart: intercom-service
      - as_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
        hs_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
        id: ox-appsuite
        namespaces:
          users:
            - exclusive: false
              regex: "@.*"
        url: null
        sender_localpart: ox-appsuite
    presence:
      enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
@@ -90,14 +70,6 @@ configuration:
          transport: {{ .Values.turn.transport | quote }}
        {{- end }}
    guestModule:
      enabled: true
      image:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapseGuestModule.registry | quote }}
        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
        tag: {{ .Values.images.synapseGuestModule.tag | quote }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -141,6 +113,8 @@ persistence:
  size: {{ .Values.persistence.size.synapse | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 10991
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -45,6 +45,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
@@ -1,26 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
  # Intercom Service
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
  - name: "intercom-service-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.intercomService.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
 releases:
  - name: "intercom-service"
    chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
    version: "{{ .Values.charts.intercomService.version }}"
    values:
      - "values.yaml.gotmpl"
    installed: {{ .Values.intercom.enabled }}
 commonLabels:
  deploy-stage: "component-1"
  component: "intercom-service"
 ...
--- a/helmfile/apps/intercom-service/helmfile.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
@@ -18,6 +18,7 @@ releases:
    version: "{{ .Values.charts.jitsi.version }}"
    values:
      - "values-jitsi.yaml.gotmpl"
      - {{ .Values.customization.release.jitsi | default "additionalValues: false" }}
    installed: {{ .Values.jitsi.enabled }}
    timeout: 900
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -10,6 +10,7 @@ global:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations: {}
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -51,6 +52,7 @@ jitsi:
    image:
      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsi.registry }}/{{ .Values.images.jitsi.repository }}"
      tag: {{ .Values.images.jitsi.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    ingress:
      enabled: {{ .Values.ingress.enabled }}
      ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
@@ -62,6 +64,8 @@ jitsi:
        - secretName: {{ .Values.ingress.tls.secretName | quote }}
          hosts:
            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
    extraConfigJs:
      doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
    extraEnvs:
      TURN_ENABLE: "1"
    resources:
@@ -82,6 +86,7 @@ jitsi:
    image:
      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
      tag: {{ .Values.images.prosody.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
@@ -131,6 +136,7 @@ jitsi:
    image:
      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jicofo.registry }}/{{ .Values.images.jicofo.repository }}"
      tag: {{ .Values.images.jicofo.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
      componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
@@ -153,6 +159,7 @@ jitsi:
    image:
      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jvb.registry }}/{{ .Values.images.jvb.repository }}"
      tag: {{ .Values.images.jvb.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
    resources:
@@ -176,6 +183,7 @@ jitsi:
    image:
      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jibri.registry }}/{{ .Values.images.jibri.repository }}"
      tag: {{ .Values.images.jibri.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    recorder:
      password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
    xmpp:
@@ -215,6 +223,9 @@ patchJVB:
    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.jitsiPatchJVB.registry | quote }}
    repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
    tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
 podAnnotations: {}
 replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
 resources:
--- a/helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl
@@ -21,6 +21,7 @@ releases:
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
      - {{ .Values.customization.release.migrationsPost | default "additionalValues: false" }}
    installed: {{ .Values.migrations.enabled }}
    timeout: 900
--- a/helmfile/apps/migrations-post/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/values.yaml.gotmpl
@@ -3,6 +3,8 @@
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 podAnnotations: {}
 migrations:
  stage: "POST"
 ...
--- a/helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl
@@ -21,6 +21,7 @@ releases:
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
      - {{ .Values.customization.release.migrationsPre | default "additionalValues: false" }}
    installed: {{ .Values.migrations.enabled }}
    timeout: 900
--- a/helmfile/apps/migrations-pre/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/values.yaml.gotmpl
@@ -3,6 +3,8 @@
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 podAnnotations: {}
 migrations:
  stage: "PRE"
 ...
--- a/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
@@ -25,6 +25,7 @@ releases:
    version: "{{ .Values.charts.nextcloudManagement.version }}"
    values:
      - "values-nextcloud-mgmt.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskNextcloudManagement | default "additionalValues: false" }}
    waitForJobs: true
    wait: true
    installed: {{ .Values.nextcloud.enabled }}
@@ -34,6 +35,7 @@ releases:
    version: "{{ .Values.charts.nextcloud.version }}"
    values:
      - "values-nextcloud.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskNextcloud | default "additionalValues: false" }}
    needs:
      - "opendesk-nextcloud-management"
    installed: {{ .Values.nextcloud.enabled }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -32,6 +32,7 @@ exporter:
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
  podAnnotations: {}
  prometheus:
    serviceMonitor:
      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
@@ -91,6 +92,7 @@ php:
    repository: "{{ .Values.images.nextcloudPHP.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudPHP.tag | quote }}
  podAnnotations: {}
  prometheus:
    serviceMonitor:
      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
@@ -142,6 +144,7 @@ apache2:
    repository: {{ .Values.images.nextcloudApache2.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudApache2.tag | quote }}
  podAnnotations: {}
  replicaCount: {{ .Values.replicas.nextcloudApache2 }}
  resources:
    {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -11,7 +11,16 @@ repositories:
    oci: true
    url:
      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
-  # OpenDesk Keycloak Bootstrap Chart
+  # Intercom Service
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
  - name: "intercom-service-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.intercomService.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
  # openDesk Keycloak Bootstrap Chart
  - name: "opendesk-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
@@ -29,14 +38,25 @@ releases:
      - "values-nubus.yaml.gotmpl"
      - "values-opendesk-customization.yaml.gotmpl"
      - "values-opendesk-images.yaml.gotmpl"
      - {{ .Values.customization.release.ums | default "additionalValues: false" }}
    installed: {{ .Values.nubus.enabled }}
    timeout: 900
-  # OpenDesk Keycloak Bootstrap Chart
+  # Intercom-Service
  - name: "intercom-service"
    chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
    version: "{{ .Values.charts.intercomService.version }}"
    values:
      - "values-intercom-service.yaml.gotmpl"
      - {{ .Values.customization.release.intercomService | default "additionalValues: false" }}
    installed: {{ .Values.nubus.enabled }}
  # openDesk Keycloak Bootstrap Chart
  - name: "opendesk-keycloak-bootstrap"
    chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
    version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
    values:
      - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskKeycloakBootstrap | default "additionalValues: false" }}
    needs:
      - "ums"
    installed: {{ .Values.nubus.enabled }}
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -72,6 +72,13 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "Always"
 provisioning:
  enabled: true
  config:
@@ -90,12 +97,21 @@ provisioning:
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
      credentialSecret:
        key: "ics_secret"
-
+  image:
-
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-podSecurityContext:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-  enabled: true
+    repository: {{ .Values.images.nubusWaitForDependency.repository | quote }}
-  fsGroup: 1000
+    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}
-  fsGroupChangePolicy: "Always"
+  provisioningImage:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository | quote }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag | quote }}
  securityContext:
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.intercom | toYaml | nindent 6 }}
 replicaCount: {{ .Values.replicas.intercomService }}
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -79,7 +79,6 @@ global:
        repository: {{ .Values.images.nubusPortalExtension.repository }}
        tag: {{ .Values.images.nubusPortalExtension.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
        imagePullPolicy: "IfNotPresent"
  configUcr:
    directory:
      manager:
@@ -140,6 +139,7 @@ ingress:
  certManager:
    enabled: false
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 # Nubus bundled services
@@ -194,6 +194,7 @@ nubusGuardian:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  postgresql:
    connection:
@@ -219,8 +220,76 @@ nubusNotificationsApi:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
 nubusPortalFrontend:
  ingress:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName }}
    # TODO: Remove the block "items" once the "redirects" section has been
    # corrected.
    #
    # This does override the path configuration of the ingress
    # "ums-portal-frontend-redirects" to avoid that "/univention/*" is
    # redirected to "/univention/portal/".
    items:
      - name: rewrites
        # -- Define the Fully Qualified Domain Name (FQDN) where application should be reachable.
        host: ""
        # -- Define the Ingress paths.
        paths:
          - path: /univention/(portal|selfservice)/
            pathType: ImplementationSpecific
          - path: /univention/(portal|selfservice)/index.html
            pathType: ImplementationSpecific
          - path: /univention/(portal|selfservice)/(css|fonts|i18n|media|js|oidc|custom)(/.*)
            pathType: ImplementationSpecific
          - path: /univention/(portal)/(icons)(/.*)$
            pathType: ImplementationSpecific
        # -- The Ingress controller class name.
        ingressClassName: ""
        # -- Define custom ingress annotations.
        # annotations:
        #   nginx.ingress.kubernetes.io/rewrite-target: /
        annotations:
          nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
          nginx.ingress.kubernetes.io/use-regex: "true"
        # -- Secure an Ingress by specifying a Secret that contains a TLS private key and certificate.
        #
        # Ref.: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
        tls:
          # enabled: true
          # Set to override the global secretName
          secretName: ""
      - name: redirects
        host: ""
        paths:
          - pathType: Exact
            path: /$
          - pathType: Exact
            path: /univention$
          - pathType: Exact
            path: /univention/$
          - pathType: Exact
            path: /univention/portal$
          - pathType: Exact
            path: /univention/selfservice$
        ingressClassName: ""
        annotations:
          nginx.ingress.kubernetes.io/permanent-redirect: "/univention/portal/"
        tls:
          # enabled: true
          # Set to override the global secretName
          secretName: ""
 nubusKeycloakExtensions:
  keycloak:
@@ -247,6 +316,7 @@ nubusKeycloakExtensions:
      certManager:
        enabled: false
      tls:
        enabled: {{ .Values.ingress.tls.enabled }}
        secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -278,13 +348,6 @@ nubusKeycloakExtensions:
      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
 nubusPortalFrontend:
  ingress:
    certManager:
      enabled: false
    tls:
      secretName: {{ .Values.ingress.tls.secretName | quote }}
 nubusPortalListener:
  enabled: false
@@ -313,6 +376,7 @@ nubusPortalServer:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
 nubusUdmRestApi:
@@ -320,6 +384,7 @@ nubusUdmRestApi:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
 nubusProvisioning:
@@ -336,6 +401,9 @@ nubusSelfServiceConsumer:
 # Nubus services
 nubusStackDataUms:
  additionalAnnotations:
    argocd.argoproj.io/hook: "Sync"
    argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
  stackDataContext:
    umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
    umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
@@ -387,10 +455,15 @@ nubusStackDataUms:
    portaltileGroupLiveCollaboration:
      - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
    systemInformation:
-      enabled: {{ .Values.functional.admin.portal.deploymentInformation.enabled }}
+      enabled: true
      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
      {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
-
+      {{- else }}
      deployDate: "not available"
      {{- end }}
  # In openDesk the external memcache does not expect a username to be set. Overwriting
  # the default username of `selfservice` is part of the customizing:
  nubusUmcServer:
    memcached:
      auth:
@@ -422,6 +495,7 @@ nubusUmcServer:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
 nubusUmcGateway:
@@ -431,9 +505,21 @@ nubusUmcGateway:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
    # TODO: Remove the block "paths" once it has been corrected upstream.
    paths:
        - path: /()(univention/)(languages.json|meta.json|theme.css)
          pathType: ImplementationSpecific
        - path: /()(univention/)((js|management|themes)/.*)
          pathType: ImplementationSpecific
        - path: /()(univention/login/)(dialog.js|main.js|LoginDialog.js|i18n/.*?/main.json)
          pathType: ImplementationSpecific
 nubusKeycloakBootstrap:
  additionalAnnotations:
    argocd.argoproj.io/hook: "Sync"
  keycloak:
    auth:
      username: "kcadmin"
--- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -5,37 +5,126 @@ SPDX-License-Identifier: Apache-2.0
 ---
 keycloak:
  enabled: true
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak"
  replicaCount: {{ .Values.replicas.keycloak }}
  resources:
    {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
-guardian:
+nubusGuardian:
  authorizationApi:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-authorization-api"
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
    resources:
      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
  managementApi:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-api"
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
    resources:
      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
  managementUi:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-ui"
    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
    resources:
-      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}#
+      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
  openPolicyAgent:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    podAnnotations:
      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
    replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
    resources:
      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
  provisioning:
    # Using openDesk keycloak provisioning
    enabled: false
@@ -43,9 +132,24 @@ guardian:
 nubusNotificationsApi:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-notifications-api"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
-    annotations:
+    create: true
      intended.usage: "compliance"
  replicaCount: {{ .Values.replicas.umsNotificationsApi }}
  resources:
    {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
@@ -53,7 +157,40 @@ nubusNotificationsApi:
 nubusUmcServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-umc-server"
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsUser: 0
    runAsGroup: 0
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: false
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  containerSecurityContextInit:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsUser: 0
    runAsGroup: 0
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: false
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  proxy:
    replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
  replicaCount: {{ .Values.replicas.umsUmcServer }}
  resources:
    {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
  selfService:
@@ -75,19 +212,39 @@ nubusUmcServer:
 nubusKeycloakExtensions:
  handler:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
    resources:
      {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
    securityContext:
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
  proxy:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
    resources:
      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
    securityContext:
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
 nubusPortalConsumer:
  portalConsumer:
    image:
      pullSecrets:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-portal-consumer"
  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
@@ -98,30 +255,75 @@ nubusPortalConsumer:
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
  securityContext:
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
-nubusPortalConsumer:
+nubusUdmListener:
-  podAnnotations:
+  containerSecurityContext:
-    intents.otterize.com/service-name: "ums-portal-consumer"
+    allowPrivilegeEscalation: false
-  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
+    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 102
    runAsGroup: 65534
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUdmListener }}
  resources:
-    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
+    {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
  resourcesWaitForDependency:
    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
 nubusPortalServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-server"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
-    annotations:
+    create: true
      intended.usage: "compliance"
  replicaCount: {{ .Values.replicas.umsPortalServer }}
  resources:
    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
 nubusLdapNotifier:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 101
    runAsGroup: 102
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-ldap-notifier"
  replicaCount: {{ .Values.replicas.umsLdapNotifier }}
@@ -129,6 +331,8 @@ nubusLdapNotifier:
    {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
 nubusLdapServer:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  highAvailabilityMode: false
  replicaCountPrimary: 1
  replicaCountSecondary: 0 # {{ .Values.replicas.umsLdapServerSecondary }}
@@ -136,8 +340,7 @@ nubusLdapServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-ldap-server"
  serviceAccount:
-    annotations:
+    create: true
      intended.usage: "compliance"
  initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  persistence:
@@ -160,10 +363,8 @@ nubusLdapServer:
      stringData:
        30-purge.sh: |
          #!/usr/bin/env bash
          me=$(basename "$0")
          echo "- Running ${me}"
          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
            echo "- Cleaning up /var/lib/univention-ldap."
            cd /var/lib/univention-ldap
@@ -175,31 +376,50 @@ nubusLdapServer:
          fi
        95-slapadd-24-ldif.sh: |
          #!/usr/bin/env bash
          me=$(basename "$0")
          echo "- Running ${me}"
          ls -l /var/lib/univention-ldap
          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif, but not before deleting the directories /var/lib/univention-ldap/ldap and ./internal"
+            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
            ls -l /var/lib/univention-ldap/
            rm -rf /var/lib/univention-ldap/ldap
            rm -rf /var/lib/univention-ldap/internal
            echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
            ls -l /var/lib/univention-ldap/
            mkdir /var/lib/univention-ldap/ldap
            mkdir /var/lib/univention-ldap/internal
-            /usr/sbin/slapadd -l /var/lib/univention-ldap/ldap-24-export.ldif
+            echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
            ls -l /var/lib/univention-ldap/
            /usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
            echo "- slapadd executed"
            ls -l /var/lib/univention-ldap/
            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
            echo "- import file renamed"
            ls -l /var/lib/univention-ldap/
          else
            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
          fi
 nubusPortalFrontend:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-frontend"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
-    annotations:
+    create: true
      intended.usage: "compliance"
  replicaCount: {{ .Values.replicas.umsPortalFrontend }}
  resources:
    {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
@@ -211,12 +431,44 @@ nubusPortalFrontend:
      backgroundImage: {{ .Values.theme.imagery.logoPortalBackgroundSvgB64 | toJson }}
 nubusStackDataUms:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
  pullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-stack-data-ums"
  resources:
    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
 nubusSelfServiceConsumer:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-selfservice-listener"
  resources:
@@ -226,6 +478,22 @@ nubusSelfServiceConsumer:
 nubusUdmRestApi:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-udm-rest-api"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
    annotations:
      intended.usage: "compliance"
@@ -236,11 +504,43 @@ nubusUdmRestApi:
  replicaCount: {{ .Values.replicas.umsUdmRestApi }}
 nubusUmcGateway:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUmcGateway }}
  resources:
    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
 nubusKeycloakBootstrap:
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    readOnlyRootFilesystem: false
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
  serviceAccount:
@@ -250,39 +550,81 @@ nubusKeycloakBootstrap:
    {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
 nubusProvisioning:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount:
    dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
    udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
    prefill: {{ .Values.replicas.umsProvisioningPrefill }}
    api: {{ .Values.replicas.umsProvisioningApi }}
  serviceAccount:
-    annotations:
+    create: true
      intended.usage: "compliance"
  nats:
    config:
      cluster:
        replicas: {{ .Values.replicas.umsProvisioningNats }}
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      enabled: true
      runAsUser: 1000
      runAsGroup: 1000
      seccompProfile:
        type: "RuntimeDefault"
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    persistence:
      size: {{ .Values.persistence.size.nubus.provisioningNats }}
    resources:
-      {{ .Values.resources.nubusProvisioning.nats | toYaml | nindent 6 }}
+      {{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-nats"
    serviceAccount:
-      annotations:
+      create: true
        intended.usage: "compliance"
  api:
    resources:
-      {{ .Values.resources.nubusProvisioning.api | toYaml | nindent 6 }}
+      {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-api"
  dispatcher:
    resources:
-      {{ .Values.resources.nubusProvisioning.dispatcher | toYaml | nindent 6 }}
+      {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
  prefill:
    resources:
-      {{ .Values.resources.nubusProvisioning.prefill | toYaml | nindent 6 }}
+      {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-prefill"
  registerConsumers:
    resources:
      {{ .Values.resources.nubusProvisioning.registerConsumers | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
  udmTransformer:
    resources:
-      {{ .Values.resources.nubusProvisioning.udmTransformer | toYaml | nindent 6 }}
+      {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
  resources:
    registerConsumers:
      {{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}
--- a/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
@@ -3,17 +3,22 @@ SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlic
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 keycloak:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
    repository: {{ .Values.images.nubusKeycloak.repository }}
    tag: {{ .Values.images.nubusKeycloak.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusKeycloakBootstrap:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusKeycloakExtensions:
    handler:
@@ -21,18 +26,21 @@ nubusKeycloakExtensions:
        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
        repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
        tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    proxy:
      image:
        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
        repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
        tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusLdapNotifier:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
    repository: {{ .Values.images.nubusLdapNotifier.repository }}
    tag: {{ .Values.images.nubusLdapNotifier.tag }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusLdapServer:
  ldapServer:
@@ -40,28 +48,33 @@ nubusLdapServer:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
      repository: {{ .Values.images.nubusLdapServer.repository }}
      tag: {{ .Values.images.nubusLdapServer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  dhInitcontainer:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
      repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
      tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  waitForDependency:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusNotificationsApi:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
    repository: {{ .Values.images.nubusNotificationsApi.repository }}
    tag: {{ .Values.images.nubusNotificationsApi.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusPortalFrontend:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
    repository: {{ .Values.images.nubusPortalFrontend.repository }}
    tag: {{ .Values.images.nubusPortalFrontend.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusPortalConsumer:
  portalConsumer:
@@ -69,17 +82,20 @@ nubusPortalConsumer:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
      repository: {{ .Values.images.nubusPortalConsumer.repository }}
      tag: {{ .Values.images.nubusPortalConsumer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  waitForDependency:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusPortalServer:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
    repository: {{ .Values.images.nubusPortalServer.repository }}
    tag: {{ .Values.images.nubusPortalServer.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusProvisioning:
  api:
@@ -87,72 +103,84 @@ nubusProvisioning:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
      tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  dispatcher:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
      tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  udmTransformer:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
      tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  prefill:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
      tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registerConsumers:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  nats:
    nats:
-        image:
+      image:
-            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
+        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
-            repository: {{ .Values.images.nubusNats.repository }}
+        repository: {{ .Values.images.nubusNats.repository }}
-            tag: {{ .Values.images.nubusNats.tag }}
+        tag: {{ .Values.images.nubusNats.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    reloader:
-        image:
+      image:
-            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
+        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
-            repository: {{ .Values.images.nubusNatsReloader.repository }}
+        repository: {{ .Values.images.nubusNatsReloader.repository }}
-            tag: {{ .Values.images.nubusNatsReloader.tag }}
+        tag: {{ .Values.images.nubusNatsReloader.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    natsBox:
-        image:
+      image:
-            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
+        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
-            repository: {{ .Values.images.nubusNatsBox.repository }}
+        repository: {{ .Values.images.nubusNatsBox.repository }}
-            tag: {{ .Values.images.nubusNatsBox.tag }}
+        tag: {{ .Values.images.nubusNatsBox.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusProvisioningEventsAndConsumerApi:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
    repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
    tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusProvisioningPrefill:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
    repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
    tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUdmListener:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
    repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
    tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-nubusSelfServiceListener:
+nubusSelfServiceConsumer:
-  selfserviceInvitation:
+  image:
-    image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceInvitation.registry | quote }}
+    repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
-      repository: {{ .Values.images.nubusSelfserviceInvitation.repository }}
+    tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
-      tag: {{ .Values.images.nubusSelfserviceInvitation.tag }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  waitForDependency:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUdmRestApi:
  udmRestApi:
@@ -160,24 +188,36 @@ nubusUdmRestApi:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
      repository: {{ .Values.images.nubusUdmRestApi.repository }}
      tag: {{ .Values.images.nubusUdmRestApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUmcGateway:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
    repository: {{ .Values.images.nubusUmcGateway.repository }}
    tag: {{ .Values.images.nubusUmcGateway.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUmcServer:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
    repository: {{ .Values.images.nubusUmcServer.repository }}
    tag: {{ .Values.images.nubusUmcServer.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  proxy:
    image:
      registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
      repository: {{ .Values.images.nubusUmcServerProxy.repository }}
      tag: {{ .Values.images.nubusUmcServerProxy.tag }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusWaitForDependency:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
    repository: {{ .Values.images.nubusWaitForDependency.repository }}
    tag: {{ .Values.images.nubusWaitForDependency.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusGuardian:
@@ -186,29 +226,35 @@ nubusGuardian:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  authorizationApi:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
      tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  managementApi:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
      tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  managementUi:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
      tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  openPolicyAgent:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
      tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusStackDataUms:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
    repository: {{ .Values.images.nubusDataLoader.repository }}
    tag: {{ .Values.images.nubusDataLoader.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
@@ -32,12 +32,20 @@ repositories:
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
  # OX Connector
  - name: "ox-connector-repo"
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 releases:
  - name: "dovecot"
    chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
    version: "{{ .Values.charts.dovecot.version }}"
    values:
      - "values-dovecot.yaml.gotmpl"
      - {{ .Values.customization.release.dovecot | default "additionalValues: false" }}
    installed: {{ .Values.dovecot.enabled }}
    timeout: 900
@@ -47,6 +55,7 @@ releases:
    values:
      - "values-openxchange.yaml.gotmpl"
      - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
      - {{ .Values.customization.release.openXchange | default "additionalValues: false" }}
    installed: {{ .Values.oxAppsuite.enabled }}
    timeout: 900
@@ -55,9 +64,20 @@ releases:
    version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
    values:
      - "values-openxchange-bootstrap.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskOpenXchangeBootstrap | default "additionalValues: false" }}
    installed: {{ .Values.oxAppsuite.enabled }}
    timeout: 900
  - name: "ox-connector"
    chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
    version: "{{ .Values.charts.oxConnector.version }}"
    values:
      - "values-oxconnector.yaml.gotmpl"
      - {{ .Values.customization.release.oxConnector | default "additionalValues: false" }}
    installed: {{ .Values.oxAppsuite.enabled }}
    needs:
      - "open-xchange"
 commonLabels:
  deploy-stage: "component-1"
  component: "open-xchange"
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -8,12 +8,10 @@ image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.dovecot.registry | quote }}
  repository: {{ .Values.images.dovecot.repository | quote }}
  tag: {{ .Values.images.dovecot.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
+  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
  - name: {{ . | quote }}
 {{- end }}
 dovecot:
  mailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
@@ -68,6 +66,9 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -8,6 +8,12 @@ cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.openxchangeBootstrap | toYaml | nindent 4 }}
 image:
  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openxchangeBootstrap.registry | quote }}
  url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
@@ -15,7 +21,9 @@ image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
+  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
-  - name: {{ . | quote }}
+
-{{- end }}
+podAnnotations:
  argocd.argoproj.io/hook: "Sync"
  argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
 ...
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -27,6 +27,7 @@ nextcloud-integration-ui:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  podAnnotations: {}
  replicaCount: {{ .Values.replicas.openxchangeNextcloudIntegrationUI }}
  resources:
    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
@@ -51,12 +52,14 @@ public-sector-ui:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangePublicSectorUI.registry | quote }}
    repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
    tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  replicaCount: {{ .Values.replicas.openxchangePublicSectorUI }}
  podAnnotations: {}
  resources:
    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
  securityContext:
@@ -119,6 +122,7 @@ appsuite:
    jolokiaLogin: "jolokia"
    jolokiaPassword: {{ .Values.secrets.oxAppsuite.jolokiaPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    podAnnotations: {}
    serviceAccount:
      create: true
    features:
@@ -138,6 +142,7 @@ appsuite:
        tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      replicaCount: {{ .Values.replicas.openxchangeGotenberg }}
      podAnnotations: {}
      resources:
        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
      securityContext:
@@ -226,7 +231,7 @@ appsuite:
      # Old capability can be used to toggle all integrations with a single switch
      com.openexchange.capability.public-sector: "true"
      # New capabilities in 2.0
-      com.openexchange.capability.public-sector-element: "true"
+      com.openexchange.capability.public-sector-element: "false"
      com.openexchange.capability.public-sector-navigation: "true"
      com.openexchange.capability.client-onboarding: "true"
      com.openexchange.capability.dynamic-theme: "true"
@@ -376,6 +381,7 @@ appsuite:
      tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    replicaCount: {{ .Values.replicas.openxchangeCoreUI }}
    podAnnotations: {}
    resources:
      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
    securityContext:
@@ -409,6 +415,7 @@ appsuite:
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    overrides: {}
    podAnnotations: {}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreUIMiddleware }}
    resources:
@@ -447,6 +454,7 @@ appsuite:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeDocumentConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
    podAnnotations: {}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreDocumentConverter }}
    resources:
@@ -494,6 +502,7 @@ appsuite:
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    podAnnotations: {}
    replicaCount: {{ .Values.replicas.openxchangeCoreGuidedtours }}
    resources:
      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
@@ -528,6 +537,7 @@ appsuite:
          endpoint: "."
          accessKey: "."
          secretKey: "."
    podAnnotations: {}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreImageConverter }}
    resources:
@@ -560,6 +570,7 @@ appsuite:
      repository: {{ .Values.images.openxchangeGuardUI.repository | quote }}
      tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    podAnnotations: {}
    replicaCount: {{ .Values.replicas.openxchangeGuardUI }}
    resources:
      {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
@@ -591,6 +602,7 @@ appsuite:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    podAnnotations: {}
    replicaCount: {{ .Values.replicas.openxchangeCoreUserGuide }}
    resources:
      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -10,6 +10,16 @@ image:
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.oxConnector.tag | quote }}
  waitForDependency:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nubusWaitForDependency.registry | quote }}
    repository: {{ .Values.images.nubusWaitForDependency.repository }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
    pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
@@ -19,16 +29,8 @@ ingress:
  enabled: false
 oxConnector:
  caCert: "ucctempldapstring"
  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
  domainName: {{ .Values.global.domain | quote }}
-  ldapHost: "{{ .Values.ldap.host }}-primary"
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
  ldapPassword: {{ .Values.secrets.nubus.ldapSecret | quote }}
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
  tlsMode: "off"
  notifierServer: {{ .Values.ldap.notifierHost | quote }}
  oxDefaultContext: "1"
  oxImapServer: "imap://127.0.0.1:143"
  oxLocalTimezone: "Europe/Berlin"
@@ -38,12 +40,21 @@ oxConnector:
  oxSmtpServer: "smtp://127.0.0.1:587"
  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
 provisioningApi:
  connection:
    baseUrl: "http://ums-provisioning-api"
  auth:
    username: "ox-connector"
    password: {{ .Values.secrets.oxConnector.provisioningApiPassword | quote }}
 resources:
  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
 persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 podAnnotations: {}
 ## Container deployment probes
 probes:
  liveness:
--- a/helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl
@@ -20,6 +20,7 @@ releases:
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskOpenprojectBootstrap | default "additionalValues: false" }}
    installed: {{ .Values.openproject.enabled }}
    timeout: 900
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -16,6 +16,8 @@ cleanup:
  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 config:
  debug:
    enabled: {{ .Values.debug.enabled }}
  openproject:
    fileshareName: "Nextcloud at {{ .Values.global.domain }}"
    admin:
@@ -51,6 +53,8 @@ image:
 job:
  enabled: true
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
--- a/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
@@ -20,8 +20,9 @@ releases:
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.openproject | default "additionalValues: false" }}
    installed: {{ .Values.openproject.enabled }}
-    timeout: 900
+    timeout: 1500
 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -8,6 +8,10 @@ global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 appInit:
  resources:
    {{ .Values.resources.openprojectAppInit | toYaml | nindent 4 }}
 containerSecurityContext:
  enabled: true
  privileged: false
@@ -24,6 +28,15 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
 dbInit:
  image:
    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openprojectDbInit.registry | quote }}
    repository: {{ .Values.images.openprojectDbInit.repository | quote }}
    tag: {{ .Values.images.openprojectDbInit.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  resources:
    {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
@@ -81,13 +94,6 @@ image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.openproject.tag | quote }}
 initdb:
  image:
    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openprojectInitDb.registry | quote }}
    repository: {{ .Values.images.openprojectInitDb.repository | quote }}
    tag: {{ .Values.images.openprojectInitDb.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 memcached:
  bundled: false
  connection:
@@ -97,6 +103,8 @@ memcached:
 persistence:
  enabled: false
 podAnnotations: {}
 postgresql:
  bundled: false
  auth:
@@ -180,5 +188,12 @@ s3:
 seederJob:
  annotations:
    intents.otterize.com/service-name: "openproject-seeder"
  resources:
    {{ .Values.resources.openprojectSeederJob | toYaml | nindent 4 }}
 workers:
  default:
    resources:
      {{ .Values.resources.openprojectWorkers | toYaml | nindent 6 }}
 ...
--- a/helmfile/apps/provisioning/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/provisioning/helmfile-child.yaml.gotmpl
@@ -1,23 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
  # OX Connector
  - name: "ox-connector-repo"
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 releases:
  - name: "ox-connector"
    chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
    version: "{{ .Values.charts.oxConnector.version }}"
    values:
      - "values-oxconnector.yaml.gotmpl"
    installed: {{ .Values.oxConnector.enabled }}
 commonLabels:
  deploy-stage: "component-2"
  component: "provisioning"
 ...
--- a/helmfile/apps/provisioning/helmfile.yaml.gotmpl
+++ b/helmfile/apps/provisioning/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/services/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/services/helmfile-child.yaml.gotmpl
@@ -119,6 +119,7 @@ releases:
    version: "{{ .Values.charts.otterize.version }}"
    values:
      - "values-otterize.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskOtterize | default "additionalValues: false" }}
    installed: {{ .Values.security.otterizeIntents.enabled }}
    timeout: 900
@@ -127,6 +128,7 @@ releases:
    version: "{{ .Values.charts.home.version }}"
    values:
      - "values-home.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskHome | default "additionalValues: false" }}
    installed: {{ .Values.home.enabled }}
  - name: "opendesk-certificates"
@@ -134,6 +136,7 @@ releases:
    version: "{{ .Values.charts.certificates.version }}"
    values:
      - "values-certificates.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskCertificates | default "additionalValues: false" }}
    installed: {{ .Values.certificates.enabled }}
    timeout: 900
@@ -142,6 +145,7 @@ releases:
    version: "{{ .Values.charts.redis.version }}"
    values:
      - "values-redis.yaml.gotmpl"
      - {{ .Values.customization.release.redis | default "additionalValues: false" }}
    installed: {{ .Values.redis.enabled }}
    timeout: 900
@@ -150,6 +154,7 @@ releases:
    version: "{{ .Values.charts.memcached.version }}"
    values:
      - "values-memcached.yaml.gotmpl"
      - {{ .Values.customization.release.memcached | default "additionalValues: false" }}
    installed: {{ .Values.memcached.enabled }}
    timeout: 900
@@ -158,6 +163,7 @@ releases:
    version: "{{ .Values.charts.postgresql.version }}"
    values:
      - "values-postgresql.yaml.gotmpl"
      - {{ .Values.customization.release.postgresql | default "additionalValues: false" }}
    installed: {{ .Values.postgresql.enabled }}
    timeout: 900
@@ -166,6 +172,7 @@ releases:
    version: "{{ .Values.charts.mariadb.version }}"
    values:
      - "values-mariadb.yaml.gotmpl"
      - {{ .Values.customization.release.mariadb | default "additionalValues: false" }}
    installed: {{ .Values.mariadb.enabled }}
    timeout: 900
@@ -174,6 +181,7 @@ releases:
    version: "{{ .Values.charts.postfix.version }}"
    values:
      - "values-postfix.yaml.gotmpl"
      - {{ .Values.customization.release.postfix | default "additionalValues: false" }}
    installed: {{ .Values.postfix.enabled }}
    timeout: 900
@@ -182,6 +190,7 @@ releases:
    version: "{{ .Values.charts.dkimpy.version }}"
    values:
      - "values-dkimpy.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskDkimpyMilter | default "additionalValues: false" }}
    installed: {{ .Values.dkimpy.enabled }}
    timeout: 900
@@ -190,6 +199,7 @@ releases:
    version: "{{ .Values.charts.clamav.version }}"
    values:
      - "values-clamav-distributed.yaml.gotmpl"
      - {{ .Values.customization.release.clamav | default "additionalValues: false" }}
    installed: {{ .Values.clamavDistributed.enabled }}
    timeout: 900
@@ -198,6 +208,7 @@ releases:
    version: "{{ .Values.charts.clamavSimple.version }}"
    values:
      - "values-clamav-simple.yaml.gotmpl"
      - {{ .Values.customization.release.clamavSimple | default "additionalValues: false" }}
    installed: {{ .Values.clamavSimple.enabled }}
    timeout: 900
@@ -206,6 +217,7 @@ releases:
    version: "{{ .Values.charts.minio.version }}"
    values:
      - "values-minio.yaml.gotmpl"
      - {{ .Values.customization.release.minio | default "additionalValues: false" }}
    installed: {{ .Values.minio.enabled }}
    timeout: 900
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -23,7 +23,7 @@ global:
    synapseFederation: {{ .Values.global.hosts.synapseFederation }}
    whiteboard: {{ .Values.global.hosts.whiteboard }}
    {{- end }}
-    {{- if .Values.intercom.enabled }}
+    {{- if .Values.nubus.enabled }}
    intercomService: {{ .Values.global.hosts.intercomService }}
    {{- end }}
    {{- if .Values.jitsi.enabled }}
--- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -25,6 +25,7 @@ clamd:
    repository: {{ .Values.images.clamd.repository | quote }}
    tag: {{ .Values.images.clamd.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations: {}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -69,6 +70,7 @@ freshclam:
    repository: {{ .Values.images.freshclam.repository | quote }}
    tag: {{ .Values.images.freshclam.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations: {}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -110,6 +112,7 @@ icap:
    repository: {{ .Values.images.icap.repository | quote }}
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations: {}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -139,6 +142,7 @@ milter:
    repository: {{ .Values.images.milter.repository | quote }}
    tag: {{ .Values.images.milter.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations: {}
  podSecurityContext:
    enabled: true
    fsGroup: 101
--- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -40,6 +40,8 @@ persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.clamav | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -73,6 +73,8 @@ persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.mariadb | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 1001
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -32,6 +32,8 @@ image:
  tag: {{ .Values.images.memcached.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 podAnnotations: {}
 replicaCount: {{ .Values.replicas.memcached }}
 resources:
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -182,6 +182,8 @@ provisioning:
  resources:
    {{ .Values.resources.minio | toYaml | nindent 4 }}
 podAnnotations: {}
 readinessProbe:
  enabled: true
  initialDelaySeconds: 5
--- a/helmfile/apps/services/values-otterize.yaml.gotmpl
+++ b/helmfile/apps/services/values-otterize.yaml.gotmpl
@@ -16,8 +16,6 @@ apps:
    enabled: {{ .Values.dovecot.enabled }}
  element:
    enabled: {{ .Values.element.enabled }}
  intercom:
    enabled: {{ .Values.intercom.enabled }}
  jitsi:
    enabled: {{ .Values.jitsi.enabled }}
  mariadb:
@@ -32,8 +30,6 @@ apps:
    enabled: {{ .Values.openproject.enabled }}
  oxAppsuite:
    enabled: {{ .Values.oxAppsuite.enabled }}
  oxConnector:
    enabled: {{ .Values.oxConnector.enabled }}
  postfix:
    enabled: {{ .Values.postfix.enabled }}
  postgresql:
@@ -48,7 +44,6 @@ apps:
 ingressController:
  {{ .Values.security.ingressController | toYaml | nindent 2 }}
 extraApps:
  clusterPostfix:
    enabled: {{ .Values.security.clusterPostfix.enabled }}
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -76,6 +76,8 @@ postfix:
  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
  virtualTransport: "lmtps:dovecot:24"
 podAnnotations: {}
 replicaCount: {{ .Values.replicas.postfix }}
 resources:
--- a/helmfile/apps/services/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -90,6 +90,8 @@ persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.postgresql | quote }}
 podAnnotations: {}
 postgres:
  password: {{ .Values.secrets.postgresql.postgresUser | quote }}
--- a/helmfile/apps/services/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services/values-redis.yaml.gotmpl
@@ -38,6 +38,7 @@ master:
  count: {{ .Values.replicas.redis }}
  persistence:
    size: {{ .Values.persistence.size.redis | quote }}
  podAnnotations: {}
  resources:
    {{ .Values.resources.redis | toYaml | nindent 4 }}
--- a/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
@@ -19,6 +19,7 @@ releases:
    wait: true
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.xwiki | default "additionalValues: false" }}
    installed: {{ .Values.xwiki.enabled }}
    timeout: 900
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -137,6 +137,8 @@ properties:
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
  ## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
  ## SMTP settings
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -90,7 +90,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "3.4.0"
+    version: "3.4.1"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
@@ -100,7 +100,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "3.4.0"
+    version: "3.4.1"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -122,7 +122,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "intercom-service"
-    version: "2.1.1"
+    version: "2.2.0"
    verify: true
  jitsi:
    # providerCategory: "Platform"
@@ -132,7 +132,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
    name: "opendesk-jitsi"
-    version: "1.11.3"
+    version: "1.12.1"
    verify: true
  mariadb:
    # providerCategory: "Platform"
@@ -144,56 +144,6 @@ charts:
    name: "mariadb"
    version: "2.3.1"
    verify: true
  matrixNeoboardWidget:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neoboard-widget"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neoboard-widget"
    version: "3.5.0"
    verify: true
  matrixNeochoiseWidget:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neochoice-widget"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neochoice-widget"
    version: "3.5.0"
    verify: true
  matrixNeodatefixBot:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-bot"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neodatefix-bot"
    version: "3.5.0"
    verify: true
  matrixNeodatefixWidget:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-widget"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neodatefix-widget"
    version: "3.5.0"
    verify: true
  matrixUserVerificationService:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-matrix-user-verification-service"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
    version: "3.4.0"
    verify: true
  memcached:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -212,7 +162,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
    name: "opendesk-migrations"
-    version: "1.2.3"
+    version: "1.3.3"
    verify: true
  minio:
    # providerCategory: "Community"
@@ -261,10 +211,12 @@ charts:
    # upstreamRepository: "nubus/charts/nubus"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "19", "3"]
-    registry: "registry.opencode.de"
+    # registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    registry: "artifacts.software-univention.de"
    repository: "nubus-dev/charts"
    name: "nubus"
-    version: "0.57.3"
+    version: "0.63.0-pre-jconde-plain-nubus"
    verify: true
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
@@ -274,7 +226,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.1.1"
+    version: "2.1.2"
    verify: true
  openproject:
    # providerCategory: "Supplier"
@@ -286,7 +238,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
    name: "openproject"
-    version: "7.0.0"
+    version: "8.0.0"
    verify: true
  openprojectBootstrap:
    # providerCategory: "Platform"
@@ -296,7 +248,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
    name: "opendesk-openproject-bootstrap"
-    version: "1.3.0"
+    version: "2.0.0"
    verify: true
  openXchangeAppSuite:
    # providerCategory: "Supplier"
@@ -308,7 +260,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.8.78"
+    version: "2.10.9"
    verify: false
  openXchangeAppSuiteBootstrap:
    # providerCategory: "Platform"
@@ -318,7 +270,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
    name: "opendesk-open-xchange-bootstrap"
-    version: "1.3.4"
+    version: "2.0.0"
    verify: true
  otterize:
    # providerCategory: "Platform"
@@ -340,7 +292,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "ox-connector"
-    version: "0.4.2"
+    version: "0.14.5"
    verify: true
  postfix:
    # providerCategory: "Platform"
@@ -380,17 +332,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "3.4.0"
+    version: "3.4.1"
    verify: true
  synapseCreateAccount:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-create-account"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
    version: "3.4.0"
    verify: true
  synapseWeb:
    # providerCategory: "Platform"
@@ -400,7 +342,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "3.4.0"
+    version: "3.4.1"
    verify: true
  xwiki:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/customization.yaml
+++ b/helmfile/environments/default/customization.yaml
@@ -0,0 +1,57 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 # This variable allows customization of helmfile releases by loading custom values file.
 # Example:
 # customization:
 #   release:
 #     collaboraOnline: /path/to/additional/file.yaml
 customization:
  release:
    # collabora
    collaboraOnline: ~
    # cryptpad
    cryptpad: ~
    # element
    opendeskElement: ~
    opendeskWellKnown: ~
    opendeskSynapseWeb: ~
    opendeskSynapse: ~
    # jitsi
    jitsi: ~
    # migrations-post
    migrationsPost: ~
    # migrations-pre
    migrationsPre: ~
    # nextcloud
    opendeskNextcloudManagement: ~
    opendeskNextcloud: ~
    # nubus
    ums: ~
    intercomService: ~
    opendeskKeycloakBootstrap: ~
    # open-xchange
    dovecot: ~
    openXchange: ~
    opendeskOpenXchangeBootstrap: ~
    oxConnector: ~
    # openproject
    openproject: ~
    # openproject-bootstrap
    opendeskOpenprojectBootstrap: ~
    # services
    opendeskOtterize: ~
    opendeskHome: ~
    opendeskCertificates: ~
    redis: ~
    memcached: ~
    postgresql: ~
    mariadb: ~
    postfix: ~
    opendeskDkimpyMilter: ~
    clamav: ~
    clamavSimple: ~
    minio: ~
    # xwiki
    xwiki: ~
 ...
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -79,6 +79,10 @@ functional:
      # Enable to allow information about the user presence status to be shared.
      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
      enabled: false
    jitsiRoomHistory:
      # Enable to allow the room history to be stored in the user's browser local storage.
      # Ref.:
      enabled: false
  chat:
    matrix:
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -50,12 +50,10 @@ images:
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
+    # upstreamRepository: "bmi/opendesk/components/supplier/element/images/opendesk-element-web"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["1", "8", "0"]
    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
+    repository: "bmi/opendesk/components/supplier/element/images/opendesk-element-web"
-    tag: "1.11.1@sha256:6ed72fccd302fc5891f31157bcffd14358e1f90f8b60d649fd261ba0f5d5fb91"
+    tag: "1.11.4-amd64@sha256:1785ca0dcb608939533ce50067fb17c2152ceff00ea4e17a4cd500930727687b"
  freshclam:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -81,7 +79,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.1.1@sha256:889b82681883b2cec1267a744f135f5b25a716de6ca584f7565ccd118b6f6c4f"
+    tag: "2.2.0@sha256:6e02a3b06827d8f23615ea43ed87f510018b8ecf77b2a8404b1554077b1bdc6b"
  jibri:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -148,56 +146,6 @@ images:
    registry: "registry-1.docker.io"
    repository: "library/mariadb"
    tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
  matrixNeoBoardWidget:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
    # upstreamRegistry: "https://ghcr.io"
    # upstreamRepository: "nordeck/matrix-neoboard-widget"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["1", "4", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
    tag: "1.17.0@sha256:f4e711473ba99159c878177f0f9e750fd6d9555b7d8c266ac7040f053be19513"
  matrixNeoChoiceWidget:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
    # upstreamRegistry: "https://ghcr.io"
    # upstreamRepository: "nordeck/matrix-poll-widget"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["1", "4", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-poll-widget"
    tag: "1.4.0@sha256:216cb88aaa47449a15af9a531d60eee593cb1923c4e8fcc67c119982972911e5"
  matrixNeoDateFixBot:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
    # upstreamRegistry: "https://ghcr.io"
    # upstreamRepository: "nordeck/matrix-meetings-bot"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["2", "7", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-bot"
    tag: "2.8.0@sha256:db1d99c13a9facfd08a7da1d0a9c7c05715bad47110e93649ad6b389e462b42c"
  matrixNeoDateFixWidget:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
    # upstreamRegistry: "https://ghcr.io"
    # upstreamRepository: "nordeck/matrix-meetings-widget"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["1", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-widget"
    tag: "1.6.1@sha256:70bebd9293a977124a5da955e1a520381129d476d6414a083093c1b48a55dadd"
  matrixUserVerificationService:
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "matrixdotorg/matrix-user-verification-service"
    # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["3", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/element/images-mirror/matrix-user-verification-service"
    tag: "v3.0.0@sha256:25e685d595785e2a72e75a525dac78cf8c782445454f8ac090d3702431c38008"
  memcached:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -213,7 +161,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.2.2@sha256:32afdd71c5b8003ed1609e389494ce10c715c5db64d4ed32a74d65b0f0227e64"
+    tag: "1.3.10@sha256:8cdc1d497840bbf3a1d824969e471503b42b8d8fae0ad22c275947085fc3179a"
  milter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -269,9 +217,11 @@ images:
    # upstreamRepository: "nubus/images/data-loader"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "41", "5"]
-    registry: "registry.opencode.de"
+    # registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.69.3@sha256:2eed474783e27a70996b19fe1db1fdb3b4c100fa5f611241b6a72340db48e4af"
+    registry: "artifacts.software-univention.de"
    repository: "nubus-dev/images/data-loader"
    tag: "0.72.0-pre-jconde-plain-nubus-theming@sha256:cbe0054bf57cb3bf80b6c03557dfac8691e4f777aba09ad0fc5c446271325ba8"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -311,7 +261,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    tag: "0.13.0@sha256:0b0a4e4ab60a3d0f5e4872c9ed6d7b7db35e967007dd9b8ee7473daa5f6774f5"
+    tag: "0.14.0@sha256:91613f123f7e46b321002d4b2b86c4635b79621376e513d4bea1bb1d01aa99f8"
  nubusKeycloak:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -331,7 +281,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.2.1@sha256:33acee89e870016d51b79d28213052b3fc40f9fed94898f6e11c51c2eb5677fb"
+    tag: "0.3.0@sha256:2911e8d5409f4e302b5c8c073cc6bf3f3622582e6eef43c63672ac4551712750"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -341,7 +291,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.10.0@sha256:7aa5bac4821c9226fd74c6a2883f7c24d214b4610d516574866cf933ee1be080"
+    tag: "0.11.0@sha256:aaba6527f37a7302cf54b0a689a1c11cb439bdc471e01d101726a05902714b9c"
  nubusKeycloakExtensionProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -351,7 +301,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "0", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.10.0@sha256:a5f6ae65732f7fb9d7ceae11f1c412b109d230e197075d8a8e1d989c87a0309d"
+    tag: "0.11.0@sha256:9b2079ed4078daee00d95ac2de4d72497131e699b967943db5be1c655048edb0"
  nubusLdapNotifier:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -361,7 +311,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.24.0@sha256:c41ecc4e6446ae6182b6e0a01592c69c9a99c8e17b33d0373b6892d0669e9902"
+    tag: "0.25.2@sha256:9e29c7fb5c609d7e597f27e0384c4f932e6962cdf64012154d7b7c076755d86c"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -371,7 +321,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.24.0@sha256:8db7292ec34291a2416bd72b1944b9076d651ed3b257890ebd8a990bcb8a7e98"
+    tag: "0.25.2@sha256:2b9d53f93a93d0f3a659c81c0e44596da8941bd83c8e1f7301a24e46ca06dba2"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -413,7 +363,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.38.3@sha256:3b74617c6a8b68b086be8ab648bfffb08ba6ddb052ff0dcd4731c1bcc5a87a03"
+    tag: "0.40.1@sha256:1c18a88b3eefe421b6da1bbd8f569cbf54de3749d9285decaad186d9d28f520a"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -421,7 +371,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.5.0@sha256:2bfdf79028ec788162cf75bf80b08ed5aa3f747430bc85fd5e0427decc9994de"
+    tag: "1.5.1@sha256:d4b97a6438e89e747ab38d975895347eec5ecd771af4d35dd0865d98fd585029"
  nubusOpenPolicyAgent:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -451,7 +401,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.38.3@sha256:a4c7b57870aa7868174ef446f4212da1fc9f57d72c31dca245a5787699f2975b"
+    tag: "0.40.1@sha256:468b7785a0baff67dce184ecf66b048517d10587e8a877030b140efe4384f3fb"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -469,9 +419,11 @@ images:
    # upstreamRepository: "nubus/images/portal-frontend"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
+    # registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.38.3@sha256:514ff5117331d0b446944b252d993db547daad64062fcfaab8794bfb4f5290a3"
+    registry: "artifacts.software-univention.de"
    repository: "nubus-dev/images/portal-frontend"
    tag: "0.41.0-pre-jconde-plain-nubus-theming@sha256:7eb3e30906a461468d835e7a50a74444749218b47e0b0abd1243b4faae079455"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -481,7 +433,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.38.3@sha256:0cd37fc82a7426013a1f93dcf4a72686f3b90b7532991dd1d50ae28cbca493e5"
+    tag: "0.40.1@sha256:ae1966abc103267d1399eef0a1ee53951d545309071a51283323c7f6d4c3e7cb"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -491,7 +443,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.39.0@sha256:cff262c399785594a07d61a0645ca304e4da044d37831c29f848d8d70b2e58c9"
+    tag: "0.43.1@sha256:c646a5888b0a146580bb451d5b04d738de915a7251d51b035ccc0edc9ec948e7"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -501,7 +453,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.39.0@sha256:9f537eb138863ea9c3f6f7b416e7787ab1841e3e0ba3a8dd39fe35464955d75d"
+    tag: "0.43.1@sha256:0e6a75695e2654be6aae895a9dc97b937b3c3bcb2d42fcbbdc8a9fc3ee3476c8"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -511,7 +463,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.39.0@sha256:72ab91cd235b52875c03411c5488984b482aafc6d58f2064bd5313ab7a119cab"
+    tag: "0.43.1@sha256:92a24a3955ad16258f7c0a881d8b113fe29936defab041258c0b4735eeb21e1f"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -521,7 +473,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.39.0@sha256:f0e63353f0ea28890c992a374b82ac65f379f9dfd4c7fe645f002b170df1da69"
+    tag: "0.42.0@sha256:123165dcf5a723fc1a3e88923a11f31784a1f6e66b3da15f20f11477cecbd3ac"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -531,8 +483,8 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.39.0@sha256:64166fae60856da544698b601b70037a93239e9f6072ced890cd5965fab148dc"
+    tag: "0.43.1@sha256:33aa61b6f2ca23d6383b3b27fc9c5a23a8dfc39ccbdd127191d40a9c6b6337f5"
-  nubusSelfserviceInvitation:
+  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
    # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -541,7 +493,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.7.2@sha256:a204a74575d4aed5f343d4ab4838fd6b11b4ae0d1a61e5cc464a5fde6d16ec37"
+    tag: "0.11.1@sha256:3d6afb820f55272727ace7e7213f4b3a46bcc6c2c8c22aa45dd421a6daf33322"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -551,7 +503,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.23.0@sha256:908e79f13bee54b6ee521278d8423b436071aa0628803f561c9cebdfebda1403"
+    tag: "0.24.0@sha256:113251d8052f69ac0c7af721954d1711231ca72de1ce6565bb86cdadf53a0ad9"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -561,7 +513,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.30.0@sha256:73cd61b29c2d1e44c025c3da56ec8664c2509ee2ac49a0bccf0b357f017489e6"
+    tag: "0.32.0@sha256:d47716784ea86659ef93b1e79b0edd72a69d5e8169704accaf6213f01d4e395e"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -571,7 +523,15 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.30.0@sha256:78e20377a8cb3f6c5efa004a52aee444345e71d91e02e414c86c2a2631de5822"
+    tag: "0.32.0@sha256:e2b28d54e9b9c0a3f0267a631dd0f2b18e04a8f8438986b570a9c8a5ccb06001"
  nubusUmcServerProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "traefik"
    registry: "registry-1.docker.io"
    repository: "library/traefik"
    tag: "3.0@sha256:a208c74fd80a566d4ea376053bff73d31616d7af3f1465a7747b8b89ee34d97e"
  nubusWaitForDependency:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -581,7 +541,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.25.0@sha256:71a4d66fd67db6f92212b1936862b2b0d5a678d412213d74452a9195c2fe67f7"
+    tag: "0.26.0@sha256:a31fde86bf21c597a31356fe492ab7e7a03a89282ca215eb7100763d6eb96b6b"
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -599,7 +559,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "14.4.1@sha256:40a2ff3f3a75b9792f93da07e80a730941f783abc7ae3c1a988c7904cbc1f2a4"
+    tag: "14.5.1@sha256:b6f823a4f4ff6873a992506c5f5bd9fe54b89f5d4e0bfb60b5da7b6c3bff82e1"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -608,7 +568,7 @@ images:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
    tag: "1.1.4@sha256:2fd97a316114428849aaeef87fb8755274e675830088a93afcafac91bb048d1d"
-  openprojectInitDb:
+  openprojectDbInit:
    # providerCategory: "Community"
    # providerResponsible: "OpenProject"
    # upstreamRegistry: "https://registry-1.docker.io"
@@ -633,7 +593,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.5@sha256:cbdea676267011d5c9ef7764fcd23ef432219b61c4f3949ef11ddfc4920873dd"
+    tag: "8.6.6@sha256:3082f3259a03025c03f6b9b77fafcd5b9e391ae5ac4a47b47d5f546d4f1534ee"
  openxchangeCoreMW:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -643,7 +603,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.26.38@sha256:ff2dcf50a9d9a801357255f7244173fe9835715fd1852a28e3a8ebb7c0634293"
+    tag: "8.28.50@sha256:38447bd607c497977a5ba9189d957eebe7f82f09fa329ebc38c0785c70b04558"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -653,7 +613,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.27.4@sha256:d5b99bfc12baaeb5cbfc332c260ecca5308b6b662fe8acc8cd07479c99a1d148"
+    tag: "8.28.1@sha256:be9cfb5a1d9389a151b057884857ddebba982cfde621e432c55a17c03fff28d0"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -673,7 +633,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.27.1071402@sha256:764108a8dcb28467dadad1cfd98074a8e174209652de2f009d74fea51bb50d65"
+    tag: "8.28.1107609@sha256:96a700ef71b4c723146ed0a274482422e09f5a9ccd035c351e192ea4de81eb9f"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -683,7 +643,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.27.54@sha256:79080b4b766901977532a18ef38af70234a99cf0bf53900c4df3902f24702eb7"
+    tag: "8.28.49@sha256:0b45243cb2b6453b4073f4b80f205873fff49d8ed93f05c55971d728aa957e07"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -703,7 +663,7 @@ images:
    # upstreamMirrorStartFrom: ["4", "2", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.27.0@sha256:89b81de90a6e7078371d8ea02ab4e1056c512ba515db113daf55b160533f7a73"
+    tag: "8.28.0@sha256:950dd4ec4633fb920502392e8e93d9f497eaf920ae4fe79629b53a835f129741"
  openxchangeImageConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -713,7 +673,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.27.55@sha256:f999c8205d83730a064aec13eb98762e1c7354f31f42e0add0136cf15be32dd0"
+    tag: "8.28.49@sha256:90d2f7defae974d115654986acb2035e38bb16a9daa9b2bf15078d48c0c24366"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -743,7 +703,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "4", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
-    tag: "0.4.2@sha256:308489c0c0e0436bbbedbd757f78875d44468992c46c8d371c584dc778b30770"
+    tag: "0.14.5@sha256:0b7816e3c8eca1949d3adc8c19d64394a862cbe478a3c51c6d18e546f02aea3d"
  postfix:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -788,25 +748,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "91", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.108.0@sha256:0754a5c372f4cfb5f69f58ad4b70d05bc2e380354f1b0c9101611e9157082712"
+    tag: "v1.115.0@sha256:abf4a5b5b2030f7deb555a8ec7b945607db9e98b057eb06364e66ba8308bdd40"
  synapseCreateUser:
    # providerCategory: "Community"
    # providerResponsible: "Nordeck"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "alpine/k8s"
    registry: "registry-1.docker.io"
    repository: "alpine/k8s"
    tag: "1.30.0@sha256:d7a11b7032550e992667fd7725b039dcd639270fbceec368d7e66e3d9e41ee15"
  synapseGuestModule:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
    # upstreamRegistry: "https://ghcr.io"
    # upstreamRepository: "nordeck/synapse-guest-module"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["1", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/synapse-guest-module"
    tag: "1.0.0@sha256:6b3b17183a7d163148cc1bc5342604682ec67d898394fc743db2f339e61c722e"
  synapseWeb:
    # providerCategory: "Community"
    # providerResponsible: "Element"
--- a/helmfile/environments/default/opendesk_main.gotmpl
+++ b/helmfile/environments/default/opendesk_main.gotmpl
@@ -31,9 +31,6 @@ element:
 home:
  enabled: true
  namespace: ~
 intercom:
  enabled: true
  namespace: ~
 jitsi:
  enabled: true
  namespace: ~
@@ -61,9 +58,6 @@ openproject:
 oxAppsuite:
  enabled: true
  namespace: ~
 oxConnector:
  enabled: true
  namespace: ~
 postfix:
  enabled: true
  namespace: ~
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -20,5 +20,6 @@ persistence:
      ldapServerData: "1Gi"
      ldapServerShared: "1Gi"
      portalConsumer: "1Gi"
      provisioningNats: "1Gi"
    xwiki: "1Gi"
 ...
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -75,6 +75,8 @@ replicas:
  umsGuardianManagementUi: 1
  # -- scalable: tbd
  umsGuardianOpenPolicyAgent: 1
  # -- scalable: tbd
  umsKeycloak: 1
  # -- scalable: false
  # -- comment: Should not be scaled, is an async process.
  umsKeycloakExtensionsHandler: 1
@@ -97,16 +99,28 @@ replicas:
  umsPortalConsumer: 1
  # -- scalable: true
  umsPortalServer: 1
  # -- scalable: tdb
  umsProvisioningApi: 1
  # -- scalable: false
  umsProvisioningDispatcher: 1
  # -- scalable: tdb
  umsProvisioningNats: 1
  # -- scalable: tdb
  umsProvisioningPrefill: 1
  # -- scalable: false
  umsProvisioningUdmTransformer: 1
  # -- scalable: tbd
  umsSelfserviceConsumer: 1
  # -- scalable: tbd
  umsStackGateway: 1
  # -- scalable: true
  umsUdmListener: 1
  # -- scalable: tbd
  umsUdmRestApi: 1
  # -- scalable: tbd
  umsUmcGateway: 1
  # -- scalable: tbd
  umsUmcServer: 1
  # -- scalable: tbd
  umsUmcServerProxy: 1
  # -- component: Video conference (Jitsi)
  # -- scalable: tbd
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -225,49 +225,6 @@ resources:
    requests:
      cpu: 0.1
      memory: "512Mi"
  nubusProvisioning:
    nats:
      limits:
        cpu: 288
        memory: "1Gi"
      requests:
        cpu: 0.1
        memory: "128Mi"
    dispatcher:
      limits:
        cpu: 1
        memory: "1Gi"
      requests:
        cpu: 0.1
        memory: "64Mi"
    registerConsumers:
      limits:
        cpu: 1
        memory: "1Gi"
      requests:
        cpu: 0.1
        memory: "64Mi"
    udmTransformer:
      limits:
        cpu: 1
        memory: "1Gi"
      requests:
        cpu: 0.1
        memory: "64Mi"
    prefill:
      limits:
        cpu: 1
        memory: "1Gi"
      requests:
        cpu: 0.1
        memory: "64Mi"
    api:
      limits:
        cpu: 1
        memory: "1Gi"
      requests:
        cpu: 0.1
        memory: "100Mi"
  openproject:
    limits:
      cpu: 99
@@ -275,6 +232,34 @@ resources:
    requests:
      cpu: 0.1
      memory: "768Mi"
  openprojectDbInit:
    limits:
      cpu: 99
      memory: "768Mi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  openprojectAppInit:
    limits:
      cpu: 99
      memory: "768Mi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  openprojectSeederJob:
    limits:
      cpu: 99
      memory: "768Mi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  openprojectWorkers:
    limits:
      cpu: 99
      memory: "4Gi"
    requests:
      cpu: 0.25
      memory: "512Mi"
  openxchangeCoreDocumentConverter:
    limits:
      cpu: 99
@@ -450,13 +435,6 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsLdapServerInit:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsNotificationsApi:
    limits:
      cpu: 99
@@ -485,20 +463,6 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsPortalConsumer:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsPortalConsumerDependencies:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsPortalServer:
    limits:
      cpu: 99
@@ -506,13 +470,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsProvisioningEventsAndConsumerApi:
+  umsProvisioningApi:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "256Mi"
+      memory: "100Mi"
  umsProvisioningDispatcher:
    limits:
      cpu: 99
@@ -527,20 +491,27 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsProvisioningUdmListener:
+  umsProvisioningRegisterConsumers:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "256Mi"
+      memory: "64Mi"
  umsProvisioningUdmTransformer:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "64Mi"
  umsProvisioningNats:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "256Mi"
+      memory: "128Mi"
  umsSelfserviceConsumer:
    limits:
      cpu: 99
@@ -548,13 +519,6 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsSelfserviceListenerDependencies:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsStackDataUms:
    limits:
      cpu: 99
@@ -562,13 +526,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsStackGateway:
+  umsUdmListener:
    limits:
      cpu: 99
-      memory: "64Mi"
+      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "16Mi"
+      memory: "256Mi"
  umsUdmRestApi:
    limits:
      cpu: 99
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -19,6 +19,8 @@ secrets:
    shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
    sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryption_key" | sha1sum | quote }}
    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "as_token" | sha1sum | quote }}
  oxConnector:
    provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ox-connector" | sha1sum | quote }}
  nubus:
    ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
    ldapSearch:
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -41,7 +41,7 @@ seLinuxOptions:
  opendeskKeycloakBootstrap: ~
  openproject: ~
  openprojectBootstrap: ~
-  openprojectInitDb: ~
+  openprojectDbInit: ~
  openxchangeBootstrap: ~
  openxchangeCoreGuidedtours: ~
  openxchangeCoreMW: ~
@@ -60,14 +60,11 @@ seLinuxOptions:
  prosody: ~
  redis: ~
  synapse: ~
  synapseCreateUser: ~
  synapseGuestModule: ~
  synapseWeb: ~
  umsConfigHtpasswd: ~
  umsDataLoader: ~
  umsGuardianAuthorizationApi: ~
  umsGuardianManagementApi: ~
  umsGuardianManagementUi: ~
  umsGuardianOpenPolicyAgent: ~
  umsKeycloak: ~
  umsKeycloakBootstrap: ~
  umsKeycloakExtensionHandler: ~
@@ -75,24 +72,17 @@ seLinuxOptions:
  umsLdapNotifier: ~
  umsLdapServer: ~
  umsNotificationsApi: ~
  umsOpenPolicyAgent: ~
  umsPortalFrontend: ~
  umsPortalConsumer: ~
  umsPortalServer: ~
-  umsProvisioningDispatcher: ~
+  umsProvisioning: ~
  umsProvisioningEventsAndConsumerApi: ~
  umsProvisioningNats: ~
  umsProvisioningNatsBox: ~
  umsProvisioningNatsReloader: ~
  umsProvisioningUdmListener: ~
  umsSelfserviceInvitation: ~
  umsSelfserviceConsumer: ~
-  umsStackGateway: ~
+  umsStackDataUms: ~
-  umsStoreDav: ~
+  umsUdmListener: ~
  umsUdmRestApi: ~
  umsUmcGateway: ~
  umsUmcServer: ~
  umsWaitForDependency: ~
  wellKnown: ~
  xwiki: ~
 ...
--- a/helmfile/environments/default/theme.gotmpl
+++ b/helmfile/environments/default/theme.gotmpl
@@ -15,7 +15,7 @@ theme:
  ## Define colors
  #
  colors:
-    # Element, OX AppSuite, Xwiki
+    # Element, OX AppSuite, Xwiki, Jitsi
    primary: "#5e27dd"
    # OX AppSuite
    primary15: "#e7dffa"
@@ -23,7 +23,7 @@ theme:
    black: "#000000"
    # OX AppSuite, Xwiki
    white: "#ffffff"
-    # OX AppSuite, Xwiki
+    # OX AppSuite, Xwiki, Jitsi
    secondaryGreyLight: "#f5f5f5"
    # Not in use yet
--- a/helmfile/environments/test/values.yaml.gotmpl
+++ b/helmfile/environments/test/values.yaml.gotmpl
@@ -1,102 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imageRegistry: "my_private_registry.domain.tld"
  imagePullSecrets:
    - "kyverno-test"
  imagePullPolicy: "kyverno"
 persistence:
  storageClassNames:
    RWX: "kyverno-test"
    RWO: "kyverno-test"
  size:
    clamav: "42Gi"
    dovecot: "42Gi"
    mariadb: "42Gi"
    matrixNeoDateFixBot: "42Gi"
    minio: "42Gi"
    nubus:
      ldapServerData: "42Gi"
      ldapServerShared: "42Gi"
      portalConsumer: "42Gi"
    postfix: "42Gi"
    postgresql: "42Gi"
    prosody: "42Gi"
    redis: "42Gi"
    synapse: "42Gi"
    xwiki: "42Gi"
 ingress:
  ingressClassName: "kyverno"
  tls:
    enabled: true
    secretName: "kyverno-tls"
 replicas:
  clamav: 42
  clamd: 42
  collabora: 42
  cryptpad: 42
  dovecot: 42
  element: 42
  freshclam: 42
  icap: 42
  intercomService: 42
  jibri: 42
  jicofo: 42
  jitsi: 42
  jitsiKeycloakAdapter: 42
  jvb: 42
  keycloak: 42
  mariadb: 42
  matrixNeoBoardWidget: 42
  matrixNeoChoiceWidget: 42
  matrixNeoDateFixBot: 42
  matrixNeoDateFixWidget: 42
  matrixUserVerificationService: 42
  memcached: 42
  milter: 42
  minio: 42
  nextcloudApache2: 42
  nextcloudExporter: 42
  nextcloudPHP: 42
  openprojectWeb: 42
  openprojectWorker: 42
  openxchangeCoreGuidedtours: 42
  openxchangeCoreMW: 42
  openxchangeCoreUI: 42
  openxchangeCoreUIMiddleware: 42
  openxchangeCoreUserGuide: 42
  openxchangeDocumentConverter: 42
  openxchangeGotenberg: 42
  openxchangeGuardUI: 42
  openxchangeImageConverter: 42
  openxchangeNextcloudIntegrationUI: 42
  openxchangePublicSectorUI: 42
  oxConnector: 42
  postfix: 42
  postgres: 42
  redis: 42
  synapse: 42
  synapseWeb: 42
  umsGuardianAuthorizationApi: 42
  umsGuardianManagementApi: 42
  umsGuardianManagementUi: 42
  umsGuardianOpenPolicyAgent: 42
  umsKeycloakExtensionsHandler: 42
  umsKeycloakExtensionsProxy: 42
  umsLdapNotifier: 42
  umsLdapServer: 42
  umsNotificationsApi: 42
  umsPortalFrontend: 42
  umsPortalConsumer: 42
  umsPortalServer: 42
  umsSelfserviceConsumer: 42
  umsStackGateway: 42
  umsUdmRestApi: 42
  umsUmcGateway: 42
  umsUmcServer: 42
  wellKnown: 42
  xwiki: 42
 ...
--- a/helmfile_generic.yaml.gotmpl
+++ b/helmfile_generic.yaml.gotmpl
@@ -15,8 +15,6 @@ helmfiles:
    values: *values
  - path: "helmfile/apps/nubus/helmfile-child.yaml.gotmpl"
    values: *values
  - path: "helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl"
    values: *values
  - path: "helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl"
    values: *values
  - path: "helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl"
@@ -33,8 +31,6 @@ helmfiles:
    values: *values
  - path: "helmfile/apps/xwiki/helmfile-child.yaml.gotmpl"
    values: *values
  - path: "helmfile/apps/provisioning/helmfile-child.yaml.gotmpl"
    values: *values
  - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl"
    values: *values
  - path: "helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl"
Author	SHA1	Message	Date
Nubus CI Bot	3b2d4d6cf4	feat(nubus): Update chart to version 0.63.0-pre-jconde-plain-nubus	2024-10-03 11:25:12 +00:00
Thorsten Roßner	ef1dad7433	fix(helmfile): Move Intercom-Service to Nubus component.	2024-09-30 19:05:01 +02:00
Thorsten Roßner	751f5783d0	fix(helmfile): Move OX-Connector to Open-Xchange component.	2024-09-30 19:03:21 +02:00
Dominik Kaminski	13e0bb8d68	fix(helmfile): Check imagePullSecrets templates for all resources	2024-09-30 12:17:10 +02:00
openDesk Bot	8229949b47	fix(nubus): Update to Nubus 0.62.2.	2024-09-27 16:39:07 +00:00
openDesk Bot	dcb6e15e90	chore(renovate): Update Open-Xchange	2024-09-27 09:05:26 +00:00
Dominik Kaminski	a7d3d2585c	fix(nubus): Remove superfluous variables	2024-09-27 08:55:02 +00:00
Dominik Kaminski	e923468cd6	fix(nubus): Reduce lint failures, especially take care of pullSecrets	2024-09-27 08:55:02 +00:00
Thorsten Roßner	4ff720d36f	fix(element): Set Synapse rate limit.	2024-09-27 09:34:23 +02:00
Thorsten Roßner	fa8572f785	fix(xwiki): Enable IAM controlled functional admin role.	2024-09-26 18:31:27 +02:00
Dominik Kaminski	9eb854616c	chore(nubus): Reduce nubus lint issues	2024-09-26 05:44:58 +00:00
Johannes Bornhold	6a60c6dd43	fix(nubus): Add interim ingress configuration fixing UMC in German	2024-09-26 05:11:49 +00:00
Johannes Bornhold	8cd2f3a993	fix(nubus): Remove duplicated "nubusPortalFrontend"	2024-09-26 05:11:49 +00:00
Luis Lürenbaum	9d7d89f74f	fix(ci): Trigger e2e tests for multiple languages.	2024-09-25 21:23:00 +02:00
Dominik Kaminski	180ccddfaa	feat(helmfile): Add customization.yaml to define custom files for helmfile releases	2024-09-25 11:43:39 +00:00
Thorsten Roßner	11f750e1d6	fix(nubus): Update to version 0.57.3.	2024-09-25 09:25:51 +02:00
Thorsten Roßner	91e34aabaa	fix(openproject): Update Helm chart to v8.0.0 and explicitly template resources.	2024-09-25 09:18:28 +02:00
Oliver Günther	deacbc9db5	fix(openproject): Bump OpenProject to 14.5.1.	2024-09-24 18:27:24 +02:00
Thorsten Roßner	cbe6b1ae6c	fix(ci): Remove K8s secret creation for `EXTERNAL_REGISTRY_USERNAME` / `EXTERNAL_REGISTRY_PASSWORD`.	2024-09-24 11:29:08 +00:00
Thorsten Roßner	67d52c771e	fix(jitsi): Updated branding and new option `functional.dataProtection.jitsiRoomHistory.enabled` defaulting to `false`.	2024-09-24 11:15:50 +00:00
Luis Lürenbaum	1023f3d081	fix(ci): Add TESTS_GRACE_PERIOD variable for run-tests job.	2024-09-24 11:15:16 +02:00
Thorsten Roßner	12680e5c1a	fix(element): Update Synapse to v0.1150.	2024-09-23 14:44:55 +00:00
Thorsten Roßner	592f03135f	fix(helmfile): Switch fom dep5 to REUSE.toml.	2024-09-23 11:27:33 +02:00
Thorsten Roßner	bdc6ad2864	fix(element): Use Element upstream without widgets.	2024-09-19 12:12:55 +00:00
Dominik Kaminski	57f70b876a	chore(helmfile): Add test environment to gitignore	2024-09-19 13:23:42 +02:00
Dominik Kaminski	e9f779049c	ci(gitlab): Update to openDesk CLI v2.5.0	2024-09-19 13:22:06 +02:00
Dominik Kaminski	9f081d8567	feat(helmfile): Add support for argocd git-ops deployment	2024-09-18 23:30:33 +02:00