chore(release): 1.1.2 [skip ci]

## [1.1.2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.1.1...v1.1.2) (2025-02-19)

### Bug Fixes

* **dovecot:** Add Dovecot Pro [EE] ([6e343c7](6e343c76a3))
* **element:** Add Element EE components ([61d94a8](61d94a8de6))
* **helmfile:** Add missing customizing option for Matrix widgets ([9c79c44](9c79c44453))
* **helmfile:** Add SSL option for Keycloak Extensions Proxy's PostgreSQL connection ([91d0f98](91d0f98682))
* **helmfile:** Fine-grained service types ([de8b560](de8b560fe7))
* **helmfile:** Integrate oD EE ([03ec704](03ec70435c))
* **helmfile:** Introduce `apps` as top level in `opendesk_main.yaml.gotmpl`; Please check migrations.md for upgrades of existing installations ([2fcf014](2fcf014894))
* **helmfile:** Make openDesk IAM attributes optional with enabled as default ([b32996d](b32996da34))
* **helmfile:** Provide toggle in `functional.yaml.gotmpl` for "new device notification" mails ([284c9fe](284c9fe0c7))
* **helmfile:** Remove reference to no longer required `elementWeb` chart ([cd9c54b](cd9c54b177))
* **helmfile:** Set default for domain to `opendesk.internal` to avoid enforcing DOMAIN environment variable for deployments using YAML overrides ([930ae9d](930ae9d3e7))
* **helmfile:** Update/streamline theming ([8eeaa23](8eeaa23c2f))
* **jitsi:** Support for phone dial-in into Jitsi conferences ([1323ef1](1323ef142e))
* **nextcloud:** Update `groupfolders` app to fix group selection in admin mode ([ab49bf9](ab49bf9f6b))
* **nextcloud:** Update Nextcloud to 29.0.11 and support for Cron-Job specific resource definitions ([09f4829](09f482981b))
* **nubus:** Disable unused notification feature ([955f17e](955f17ef8b))
* **nubus:** Fix Keycloak dialogue background length on small screens ([4662709](4662709673))
* **nubus:** Only configure apps that are deployed to show up in IAM admin UI and Keycloak ([1f051e7](1f051e7779))
* **nubus:** Re-implement toggle for UDM-REST-API based on `functional.externalServices.nubus.udmRestApi.enabled` ([777e7d2](777e7d2fc6))
* **nubus:** Remove doublet `resources` key in `udm-listener` StatefulSet ([10e0b0a](10e0b0ad6c))
* **nubus:** Support for custom UDM commands ([aff8edb](aff8edbde2))
* **nubus:** Update Keycloak Extensions Proxy ([601e649](601e649913))
* **open-xchange:** Parameters to split read and write queries to MariaDB ([370247b](370247b951))
* **open-xchange:** Update OX App Suite to 8.33 ([581c8ae](581c8aed1f))
* **openproject:** Update OpenProject to 15.2.1 ([83c311b](83c311b101))
* **oxconnector:** Update to strict `securityContext` from upstream defaults ([32df165](32df1657d2))

.gitignore

@@ -8,6 +8,9 @@
 helmfile/environments/dev/*.yaml.gotmpl
 helmfile/environments/test/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
+helmfile/environments/dev/*/
+helmfile/environments/test/*/
+helmfile/environments/prod/*/
 !helmfile/environments/dev/sample.yaml.gotmpl
 !helmfile/environments/test/sample.yaml.gotmpl
 !helmfile/environments/prod/sample.yaml.gotmpl

.gitlab-ci.yml

@@ -1,15 +1,20 @@
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
   - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.4.3"
+    ref: "v2.4.8"
     file:
-      - "ci/common/automr.yml"
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"
   - local: "/.gitlab/generate/generate-docs.yml"
+  - local: "/.gitlab/renovate/renovate.yml"
+  - local: "/.gitlab/release/release-common.yml"
+  - local: "/.gitlab/release/release-generate-version.yml"
+  - local: "/.gitlab/release/release-semantic.yml"
+  - local: "/.gitlab/lint/lint-common.yml"
+  - local: "/.gitlab/lint/lint-reuse.yml"
   - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     file: "gitlab/environments.yaml"
     ref: "main"
@@ -32,7 +37,6 @@ stages:
   - ".pre"
   - "renovate"
   - "scan"
-  - "automr"
   - "env-cleanup"
   - "env"
   - "pre-services-deploy"
@@ -70,11 +74,17 @@ variables:
       - "no"
   DEBUG_ENABLED:
     description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific\
-     configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
+     configuration containing: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
     value: "no"
     options:
       - "yes"
       - "no"
+  OPENDESK_ENTERPRISE:
+    description: "Set to `true` if you want to deploy openDesk EE (but be sure you provide the required EE keys/tokens for the application)"
+    value: "false"
+    options:
+      - "true"
+      - "false"
   DEPLOY_ALL_COMPONENTS:
     description: "Enable all component deployment (overwrites 'no' setting on component level)."
     value: "no"
@@ -154,6 +164,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_NOTES:
+    description: "Enable Notes deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   RUN_TESTS:
     description: "Triggers execution of E2E-tests."
     value: "no"
@@ -182,11 +198,21 @@ variables:
     description: "A new deployment sometimes needs a few minutes to sort itself. If tested too early tests may fail.
                   GRACE_PERIOD is the period in seconds that should be waited before running the tests."
     value: "0"
+  TESTS_NUMBER_OF_THREADS:
+    description: "How many threads are used for executing the tests in parallel?"
+    value: "8"
+
+# Declare .environments which is in `opendesk-env` repository. In case it is not available
+# 'cache' is used because job as a dummy key, as the job is not allowed to be empty.
+.environments:
+  cache: {}
 
 .deploy-common:
   cache: {}
   dependencies: []
   extends: ".environments"
+  environment:
+    name: "${NAMESPACE}"
   image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.1.0\
           @sha256:74f349066ac5d20e3afaa6abd28781b4c8dc086f67e3d3c1b8345e4a9c3371b1"
   script:
@@ -208,9 +234,6 @@ variables:
 
 env-cleanup:
   extends: ".deploy-common"
-  environment:
-    name: "${NAMESPACE}"
-    action: "stop"
   needs: []
   rules:
     - if: >
@@ -272,6 +295,18 @@ env-start:
         ca:
           secretName: opendesk-root-cert-secret
       EOF
+  after_script:
+    # Set credentials for openDesk Enterprise Registry
+    - |
+      if [ "${OPENDESK_ENTERPRISE}" = "true" ]; then
+        kubectl create secret \
+        --namespace "${NAMESPACE}" \
+        docker-registry enterprise-registry \
+        --docker-server "registry.opencode.de" \
+        --docker-username "${OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME}" \
+        --docker-password "${OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD}" \
+        --dry-run=client -o yaml | kubectl apply -f -
+      fi
   stage: "env"
 
 policies-deploy:
@@ -444,6 +479,18 @@ jitsi-deploy:
   variables:
     COMPONENT: "jitsi"
 
+notes-deploy:
+  stage: "050-components"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NOTES != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "notes"
+
 element-deploy:
   stage: "050-components"
   extends: ".deploy-common"
@@ -458,8 +505,6 @@ element-deploy:
 
 fetch-administrator-credentials:
   extends: ".deploy-common"
-  environment:
-    name: "${NAMESPACE}"
   stage: "post-prepare"
   rules:
     - if: >
@@ -503,7 +548,8 @@ import-default-accounts:
         --admin_enable_fileshare True \
         --admin_enable_knowledgemanagement True \
         --admin_enable_projectmanagement True \
-        --create_admin_accounts True
+        --create_admin_accounts True \
+        --verify_certificate False
 
 run-tests:
   stage: "post-execute"
@@ -542,7 +588,9 @@ run-tests:
           \"screenshot_redirect_step\": \"yes\", \
           \"testset\": \"${TESTS_TESTSET}\", \
           \"testprofile\": \"Namespace\", \
-          \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\" \
+          \"OPENDESK_ENTERPRISE\": \"${OPENDESK_ENTERPRISE}\", \
+          \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\", \
+          \"NUMBER_OF_THREADS\": \"${TESTS_NUMBER_OF_THREADS}\" \
         } \
       }" \
       "https://${TESTS_PROJECT_URL}/trigger/pipeline"
@@ -592,7 +640,7 @@ avscan-prepare:
       | del(.[].repository)
       | del(.[].tag)
       | del(.[].registry)'
-      helmfile/environments/default/images.yaml
+      helmfile/environments/default/images.yaml.gotmpl
       >> dynamic-scans.yml
   artifacts:
     paths:
@@ -612,115 +660,4 @@ avscan-start:
       - artifact: "dynamic-scans.yml"
         job: "avscan-prepare"
     strategy: "depend"
-
-# Declare .environments which is in `opendesk-env` repository. In case it is not available
-# 'cache' is used because job as a dummy key, as the job is not allowed to be empty.
-.environments:
-  cache: {}
-
-# Overwrite shared settings
-.common-semantic-release:
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release:1.1.0"
-  tags: []
-
-conventional-commits-linter:
-  rules:
-    - if: >
-          $RUN_RENOVATE == "yes" ||
-          $JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' ||
-          $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'
-      when: "never"
-    - when: "always"
-
-common-yaml-linter:
-  rules:
-    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
-      when: "never"
-    - when: "always"
-
-reuse-linter:
-  allow_failure: false
-  rules:
-    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
-      when: "never"
-    - when: "always"
-
-generate-release-version:
-  rules:
-    - if: >
-        $JOB_RELEASE_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
-      when: "on_success"
-
-release:
-  rules:
-    - if: >
-        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
-      when: "on_success"
-  script:
-    - >
-      export RELEASE_VERSION=$(semantic-release --dry-run --branches $CI_COMMIT_REF_NAME --plugins
-      "@semantic-release/gitlab" | grep -oP "Published release [0-9]+\.[0-9]+\.[0-9]+ on" |
-      grep -oP "[0-9]+\.[0-9]+\.[0-9]+")
-    - |
-      if [ -z "${RELEASE_VERSION}" ]; then
-        echo "RELEASE_VERSION=$(git describe --tags --abbrev=0 | sed s@^v@@g )"
-      else
-        echo "RELEASE_VERSION=${RELEASE_VERSION}"
-      fi
-    - |
-      echo -e "\n[INFO] Writing data to helm value file..."
-      cat <<EOF >helmfile/environments/default/global.generated.yaml.gotmpl
-      # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-      # SPDX-License-Identifier: Apache-2.0
-      ---
-      global:
-        systemInformation:
-          releaseVersion: "v$(echo -E "$RELEASE_VERSION")"
-      ...
-      EOF
-    - |
-      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
-      {
-        "branches": ["${RELEASE_BRANCH}"],
-        "plugins": [
-          "@semantic-release/gitlab",
-          "@semantic-release/release-notes-generator",
-          "@semantic-release/changelog",
-          ["@semantic-release/git", {
-            "assets": [
-              "charts/**/Chart.yaml",
-              "CHANGELOG.md",
-              "charts/**/README.md",
-              "helmfile/environments/default/global.generated.yaml.gotmpl",
-              ".kyverno/kyverno-test.yaml",
-              "docs"
-            ],
-            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
-          }]
-        ]
-      }
-      EOF
-    - "semantic-release"
-  needs:
-    - "generate-docs"
-
-renovate:
-  rules:
-    - if: >
-        $RUN_RENOVATE == "yes"
-      when: "on_success"
-  # The `-full` image does not install the dependencies on the fly, that is our preferred approach
-  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/renovate/renovate:37.356-full"
-  variables:
-    RENOVATE_CONFIG_FILE: "${CI_PROJECT_DIR}/.renovate/config.yaml"
-    RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
-    # Increase the renovatebot log level on stdout
-    LOG_LEVEL: "DEBUG"
-  script:
-    - "renovate ${RENOVATE_EXTRA_FLAGS}"
-  stage: "renovate"
 ...

.gitlab/common/common.yml

@@ -2,10 +2,10 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.5.3\
-    @sha256:1296e8590b59f02311881307bb14c58b72bafc92a58e7e7e7212508abf902b00"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.8\
-    @sha256:59e714cad38e873cf8a9a132af76ad868b46a51ed12d0bd45477f328c0136991"
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.2\
+    @sha256:e33a6327b9c8f89f6e86d13804d5d81e9fdf6974a2f280874d6901067c22fd83"
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.14\
+    @sha256:34d2a96e5fc25155abd48fef4d335b131c71d8cbc00ad531df0cae9918b9f2ab"
 
 .common:
   cache: {}

.gitlab/lint/lint-common.yml

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024-2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
@@ -8,4 +8,18 @@ include:
   extends: ".common"
   stage: "lint"
 
+common-yaml-linter:
+  rules:
+    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
+      when: "never"
+    - when: "always"
+
+conventional-commits-linter:
+  rules:
+    - if: >
+          $RUN_RENOVATE == "yes" ||
+          $JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' ||
+          $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'
+      when: "never"
+    - when: "always"
 ...

.gitlab/lint/lint-kyverno.yml

@@ -16,6 +16,7 @@ lint-kyverno:
           - "element"
           - "jitsi"
           - "nextcloud"
+          - "notes"
           - "nubus"
           - "open-xchange"
           - "opendesk-migrations-post"
@@ -30,7 +31,11 @@ lint-kyverno:
     - >
       node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
       -d ${CI_PROJECT_DIR}/helmfile/environments
+      -x ${CI_PROJECT_DIR}/.kyverno/_overwrite.yaml
     - "helmfile template -e test --include-needs --skip-tests > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
+    - >
+      node /app/opendesk-ci-cli/src/index.js remove-empty-keys
+      -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml
     - "cd ${CI_PROJECT_DIR}/.kyverno"
     # Test optional
     - >

.gitlab/lint/lint-reuse.yml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2025 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+reuse-linter:
+  allow_failure: false
+  rules:
+    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|web|merge_request_event'"
+      when: "never"
+    - when: "always"
+...

.gitlab/release/release-common.yml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+# Overwrite shared settings
+.common-semantic-release:
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release:1.1.0"
+  tags: []
+...

.gitlab/release/release-generate-version.yml

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+generate-release-version:
+  rules:
+    - if: >
+        $JOB_RELEASE_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+      when: "on_success"
+...

.gitlab/release/release-semantic.yml

@@ -0,0 +1,63 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+release:
+  cache:
+    - key: "generate-docs-${CI_COMMIT_REF_SLUG}"
+      paths:
+        - "${CI_PROJECT_DIR}/docs"
+      policy: "pull"
+  rules:
+    - if: >
+        $JOB_AVSCAN_ENABLED != 'false' &&
+        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
+        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+      when: "on_success"
+  script:
+    - >
+      export RELEASE_VERSION=$(semantic-release --dry-run --branches $CI_COMMIT_REF_NAME --plugins
+      "@semantic-release/gitlab" | grep -oP "Published release [0-9]+\.[0-9]+\.[0-9]+ on" |
+      grep -oP "[0-9]+\.[0-9]+\.[0-9]+")
+    - |
+      if [ -z "${RELEASE_VERSION}" ]; then
+        echo "RELEASE_VERSION=$(git describe --tags --abbrev=0 | sed s@^v@@g )"
+      else
+        echo "RELEASE_VERSION=${RELEASE_VERSION}"
+      fi
+    - |
+      echo -e "\n[INFO] Writing data to helm value file..."
+      cat <<EOF >helmfile/environments/default/global.generated.yaml.gotmpl
+      # SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+      # SPDX-License-Identifier: Apache-2.0
+      ---
+      global:
+        systemInformation:
+          releaseVersion: "v$(echo -E "$RELEASE_VERSION")"
+      ...
+      EOF
+    - |
+      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
+      {
+        "branches": ["main"],
+        "plugins": [
+          "@semantic-release/gitlab",
+          "@semantic-release/release-notes-generator",
+          "@semantic-release/changelog",
+          ["@semantic-release/git", {
+            "assets": [
+              "charts/**/Chart.yaml",
+              "CHANGELOG.md",
+              "charts/**/README.md",
+              "helmfile/environments/default/global.generated.yaml.gotmpl",
+              ".kyverno/kyverno-test.yaml",
+              "docs"
+            ],
+            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+          }]
+        ]
+      }
+      EOF
+    - "semantic-release"
+  needs:
+    - "generate-docs"
+...

.gitlab/renovate/renovate.yml

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+renovate:
+  rules:
+    - if: >
+        $RUN_RENOVATE == "yes"
+      when: "on_success"
+  # The `-full` image does not install the dependencies on the fly, that is our preferred approach
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/renovate/renovate:37.356-full"
+  variables:
+    RENOVATE_CONFIG_FILE: "${CI_PROJECT_DIR}/.renovate/config.yaml"
+    RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
+    # Increase the renovatebot log level on stdout
+    LOG_LEVEL: "DEBUG"
+  script:
+    - "renovate ${RENOVATE_EXTRA_FLAGS}"
+  stage: "renovate"
+...

.kyverno/_overwrite.yaml

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+replicas:
+  umsLdapServerPrimary: 2
+...

.kyverno/policies/template-storage.yaml

@@ -10,7 +10,7 @@ metadata:
     policies.kyverno.io/subject: "Pod"
     policies.kyverno.io/description: >-
       This policy validates if `.Values.persistence.storageClassNames` variables are used in templates and if the size
-      of volumes can be customized by `.Values.persistence.size` variable.
+      of volumes can be customized by `.Values.persistence.storages.<COMPONENT>.size` variable.
 spec:
   background: true
   rules:

CHANGELOG.md

@@ -1,3 +1,152 @@
+## [1.1.2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.1.1...v1.1.2) (2025-02-19)
+
+
+### Bug Fixes
+
+* **dovecot:** Add Dovecot Pro [EE] ([6e343c7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6e343c76a32a5bf4b431bdad6be1f7d107caa4f5))
+* **element:** Add Element EE components ([61d94a8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/61d94a8de655d1289aaf59c42f0dbf30b0156e1f))
+* **helmfile:** Add missing customizing option for Matrix widgets ([9c79c44](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9c79c44453af7b0c68f4ee2a5e40f1f9fb298570))
+* **helmfile:** Add SSL option for Keycloak Extensions Proxy's PostgreSQL connection ([91d0f98](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/91d0f9868226b08128af518be741c8614342581e))
+* **helmfile:** Fine-grained service types ([de8b560](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/de8b560fe7e2294229a959398be60bec9b6a7790))
+* **helmfile:** Integrate oD EE ([03ec704](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/03ec70435c365eca9f555a195b7ab92cc9eee907))
+* **helmfile:** Introduce `apps` as top level in `opendesk_main.yaml.gotmpl`; Please check migrations.md for upgrades of existing installations ([2fcf014](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2fcf014894ac3356ef8c6e57dda30c5176172e5e))
+* **helmfile:** Make openDesk IAM attributes optional with enabled as default ([b32996d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b32996da347c7ec24fb53afe72fee8c07631bebe))
+* **helmfile:** Provide toggle in `functional.yaml.gotmpl` for "new device notification" mails ([284c9fe](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/284c9fe0c7e217e3f92ec70eaad6ccf593ff2a87))
+* **helmfile:** Remove reference to no longer required `elementWeb` chart ([cd9c54b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd9c54b17733f9e334c558ccd86e69677264970a))
+* **helmfile:** Set default for domain to `opendesk.internal` to avoid enforcing DOMAIN environment variable for deployments using YAML overrides ([930ae9d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/930ae9d3e71bcd3f4034aa4dae5eabb3ae04d11b))
+* **helmfile:** Update/streamline theming ([8eeaa23](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8eeaa23c2f68e8e0cbda5b3763ab15ba8262c48d))
+* **jitsi:** Support for phone dial-in into Jitsi conferences ([1323ef1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1323ef142e789820acb05cb4991d10502a35498b))
+* **nextcloud:** Update `groupfolders` app to fix group selection in admin mode ([ab49bf9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ab49bf9f6bb945cdce3950e46382b7361c48e6e4))
+* **nextcloud:** Update Nextcloud to 29.0.11 and support for Cron-Job specific resource definitions ([09f4829](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/09f482981b96774b3fe0948b7bb120be90157148))
+* **nubus:** Disable unused notification feature ([955f17e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/955f17ef8bb72459beb536cdcf6b502b16eabbff))
+* **nubus:** Fix Keycloak dialogue background length on small screens ([4662709](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/466270967310fab9333b892c904efa86d21f7d17))
+* **nubus:** Only configure apps that are deployed to show up in IAM admin UI and Keycloak ([1f051e7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1f051e777905668297c98dfa507875c08158bfda))
+* **nubus:** Re-implement toggle for UDM-REST-API based on `functional.externalServices.nubus.udmRestApi.enabled` ([777e7d2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/777e7d2fc6afa9c53a4ff1c6853c9960b9a22d5f))
+* **nubus:** Remove doublet `resources` key in `udm-listener` StatefulSet ([10e0b0a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/10e0b0ad6cbd89bd88b119f17b6cba6ec698f698))
+* **nubus:** Support for custom UDM commands ([aff8edb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/aff8edbde2150763d6a36f97b9403c8c67e51fab))
+* **nubus:** Update Keycloak Extensions Proxy ([601e649](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/601e6499132c3adaaaea374033511eab09132cb2))
+* **open-xchange:** Parameters to split read and write queries to MariaDB ([370247b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/370247b95197792a65b84b2d01b9c1806f8b059a))
+* **open-xchange:** Update OX App Suite to 8.33 ([581c8ae](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/581c8aed1f86bad251141ecb105e59d0054d5a1a))
+* **openproject:** Update OpenProject to 15.2.1 ([83c311b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/83c311b101a6fa551d9c25ea4e9a7ef6673137ca))
+* **oxconnector:** Update to strict `securityContext` from upstream defaults ([32df165](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/32df1657d29a2d73495d52b62bb77521cb8b8e86))
+
+## [1.1.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.1.0...v1.1.1) (2025-01-27)
+
+
+### Bug Fixes
+
+* **docs:** Add permissions.md ([04ab28c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/04ab28c029bb60575c1936ca5acdd2f829b26c06))
+* **element:** MatrixID for Element "Welcome User" to support deployments where matrix domain differs from homeserver FQDN ([ccb51a0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ccb51a0de32525a93fd982d52dc8e6a35db8f09a))
+* **element:** Update Element to 1.11.90 ([335806a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/335806a53e51c3fc6a03440316e909aa51af5be8))
+* **element:** Update Helm chart to v6.0.2 for a fix when using non generated secrets in `opendesk-synapse` ([d5e73fe](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d5e73feb880c33e8127f284fcc685ffdc15874a8))
+* **element:** Update Synapse to 1.121.1 ([33ff922](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/33ff9227b745f99e3abdde6dbbe6b00042fca655))
+* **helmfile:** Move the access restriction configuration for Keycloak client scopes into helmfile templating, instead of hardcoded Helm chart values ([3662b5c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3662b5cd255b37321d3a3625f78feff07b7e633c))
+* **helmfile:** Remove duplicate entries from `secrets.yaml.gotmpl` ([a13cf63](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a13cf630242343dc8f759cfeb423ff626480b086))
+* **helmfile:** Support component specific storageClassNames. **Note:** Please check the migration.md if you upgrade a deployment that has set custom PVC sizes using `persistence.size` settings. ([bacf51e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bacf51efb1b042b80f13f5cf3f50557006f32374))
+* **helmfile:** Support PostgreSQL as alternative database backend for Nextcloud and XWiki. **Note:** PostgreSQL is likely to become the preferred option/default in the future and MariaDB might be deprecated at a later point. ([a0f52ee](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a0f52ee7d4f6a9b82c9d4e288bc4c6cc96018985))
+* **helmfile:** Update `opendesk-alerts` and `opendesk-dashboards` to get predictable sort order, improving GitOps deployments ([0c91117](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0c91117575a3b56ff9f0b4ae72a501b9f3b4384c))
+* **helmfile:** Update upstream images for k8s/kubectl to v1.32.0 ([b71c2e5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b71c2e57eec10093d96804e249fbaf81c51fb22e))
+* **intercom:** Remove legacy OIDC claims ([6796f32](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6796f320f72db02d67b73685aa6356cda9ac86d1))
+* **nextcloud:** Update image and Helm chart to support app toggles during deployment ([1cdfcf2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1cdfcf2784271f2b8ea61d2e8e534db2aa386f4b))
+* **nextcloud:** Update to Nextcloud 29.0.10 ([d096fb1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d096fb1154dbcd092e105d4450e7996dfda0388e))
+* **nubus:** Fix `pullPolicy` setting for `ldapServer.leaderElector` to satisfy Kyverno linter ([6f2f7cd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6f2f7cd5db6708c1fc523e3cf3160f39f1dba2bb))
+* **nubus:** Merge yaml files for better maintainability ([6c67eca](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6c67eca7aa68c3f597cc5790ba1046ca0855c329))
+* **nubus:** Pre-create groups in Keycloak to avoid race condition on group sync when initial users login parallel ([5496317](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5496317fee1ca47a80d0798b9048a1474ca8e2a6))
+* **nubus:** Remove `extra` settings from ldapServer needed for openDesk 1.0.0 LDAP migration ([fab862e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fab862eec689bf8ef547c4bd06244313f24f6d0b))
+* **nubus:** Remove b64 encoded files from CSS, instead use `opendesk-static-files` ([2926e2c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2926e2c93a2b4be24abd1e6dd4ce02071a629cb4))
+* **nubus:** Template `secrets.nubus.masterpassword`. **Note:** Please check migrations.md for details. ([5aae75a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5aae75a1521f73e497859fe3d3b89a8752bb47a1))
+* **nubus:** Update customizations for group cleanup ([0b230fa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0b230fa2cc841edfde99f5d94dc9c8054bfbb5ec))
+* **open-xchange:** Add missing `registryOpencodeDe` to OX-Connector's `waitForDependency` image ([a16d907](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a16d9071c96ef7fde87e6579c328e1e05509824b))
+* **openproject:** Update to 15.1.1 ([b4b714f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b4b714ff41a8f01d4b44c6d5ced3f036f7d90699))
+* **openproject:** Update to 15.2.0 ([9d8e9c3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9d8e9c3ade9917fb8044331ebdea8d7bca4066b0))
+* **static-files:** Update Helm chart to use more generic `assets` over `theme.imagery.assets` ([63562c1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/63562c1aae6b2c33ea39b93c11e842c2ab1e2c25))
+* **static-files:** Update Helm chart to v4.0.1 to support longer domain names ([b0e665b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b0e665b031baf36c59eea85b3d575f1a49290bf1))
+* **xwiki:** Update Helm chart to v1.4.1 to fix support for custom `ingressClassName` values. Ref [#144](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/144) ([033cb55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/033cb558ddc0b47d17b006cdc75c593c5c356147))
+
+# [1.1.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.0.0...v1.1.0) (2024-12-24)
+
+
+### Bug Fixes
+
+* **cassandra:** Prepare cassandra for openDesk Enterprise. ([508e286](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/508e28623258542a4082e79ed75ce1e5758ae2e0))
+* **cassandra:** Remove values in charts.yaml for enterprise components. ([c0cbb76](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c0cbb76921b5108d084640baf3e607e9fc6557c7))
+* **ci:** Explicitly set RELEASE_BRANCH (to `main`) for scan and release steps ([e5ad0bb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e5ad0bb2e028dafab0ba29fb2e9b0d207b8795fd))
+* **ci:** Reduce Kyverno linting issues ([e4d9106](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e4d9106c457e018922dcc730df0570d41f3ec2aa))
+* **collabora:** Add/update Helmfile for Collabora Controller to be used in EE deployments ([a63d7cb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a63d7cb8614bfa7d26d997ffdf3ea807ae187664))
+* **collabora:** Update to 24.04.9.2. ([407f2be](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/407f2be2ad2d40813bb37e0ba302ef14e3a06bd9))
+* **docs:** Add `architecture.md` and `apis.md` ([7710858](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/77108587c71dee16ecf539608838c8c9064a66f8))
+* **docs:** Add GitOps / Argo CD documentation ([bbe7550](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bbe7550c4617b4799190192b5316ac04295e9e88))
+* **docs:** Update and streamline README.md and migrations.md. ([a86c0af](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a86c0afdbb7fa1230aa90cf210323969fd580431))
+* **element:** Add extensive database options ([9e102e2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9e102e2d1b9d6621b9c5d6ed0643432e8879f663))
+* **element:** Prepare element for openDesk Enterprise. ([00a1a93](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/00a1a9394ee3544b1a0d7b3e975c36830ba8b13c))
+* **element:** Rename release opendesk-element to opendesk-element-web ([1213ecc](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1213ecc425041ac4adba99a0ae2d8188932a7d9f))
+* **element:** Switch `element-web` base image to Alpine ([47ce294](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/47ce29440388370f7d63e373eeda90d067830ebd))
+* **element:** Toggle IPv4-only mode depending on cluster.networking.ipFamilies ([627b9c1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/627b9c1e8464fd9529ddf50f171031053710323c))
+* **element:** Update Matrix Meetings Bot to 2.8.2 ([4403dfe](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4403dfe720982a8339043951a4dfc88bfb0af57c))
+* **element:** Update Synapse to 1.120.2 and Element to 1.11.87 update also related containers ([9d7644d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9d7644dc04c9ef97449680e5197f2129d62d56f8))
+* **helmfile:** Add `opendesk-static-files` to `opendesk-services` to serve favicons ([6438284](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6438284090f3e552843679c1ea62b5538be5dff9))
+* **helmfile:** Add Redis username and tls option ([564fb2d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/564fb2d7c7190a91446293ce21950701503ecbb7))
+* **helmfile:** Allow usage of pre-defined CA certificates. ([0738fa0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0738fa080d61f0e6c084dd8fd5e09635469b1dca))
+* **helmfile:** Auto-redirect user to login dialogue, please read migrations.md for more details ([a9c8dfe](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a9c8dfeab125510a7d9a137e16b14685155aa441))
+* **helmfile:** Remove `default.user` and `default.admin` for new deployments. ([54f9e4c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/54f9e4c3f8fd425bde1272e3eec490efa30461f7))
+* **helmfile:** Remove `theme` subtree from the migration's `.Values` secret to avoid a bloated secret hitting limits in certain clusters setups and GitOps tools. ([b6725dd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b6725dddc19f22e142a214c02aef5139b2921d5a))
+* **helmfile:** Splitting the directory `./helmfile/apps/services` into `-external` and `opendesk-` services, please read migrations.md for more details ([277a1f5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/277a1f5a65e340180feeb84cce2097be5a2157e1))
+* **helmfile:** Streamline `commonLabels.deployStage`. ([f969425](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f96942536f931e8f8eb714ce0503716b873b593b))
+* **helmfile:** Streamline `requests.cpu` in `resources.yaml` ([43f427e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/43f427e06a83aea8979e1b54f7ea7f2d24ab28cf))
+* **helmfile:** Streamline file extensions in `/helmfile/environments/default` to ([0e3b661](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0e3b6615653d7bbe30b09e57428b1f5c19f171f8))
+* **helmfile:** Unify templating name for Open-Xchange to `openxchange` and for OX App Suite to `oxAppSuite`. ([6ff1fcd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6ff1fcd438103534e78a5898f25fcea1080dfb86))
+* **helmfile:** Use dictionaries for defining `customization.yaml`, please read migrations.md for more details ([86ef0be](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/86ef0be542b0e34d76a85cb226e223a3e7dbc76e))
+* **jitsi:** Update Jitsi Helm chart and images. ([5c691e4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5c691e450821c81b363040b68ffba96e38d1712b))
+* **jitsi:** Update to 2.0.9823 and chart to 2.1.1 ([56ce335](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/56ce3355fcedf60595f33609848f6c8bd8644914))
+* **jitsi:** Update to switch the colors of `Hang up` and `End meeting for all` buttons. ([9dbb2b7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9dbb2b755caa8e6bda80bed691c54e66b1a63eb9))
+* **migrations:** Cleanup of jobs ([539a302](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/539a30263c9ce25ab7c6aa6607fd41cd1099315b))
+* **migrations:** Update to support Nubus 1.5.1 ([7f60ab3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7f60ab3b7a155c8f95bfcf139fa896cbc41ca767))
+* **nextcloud:** Add Redis TLS option ([1402593](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1402593556af9cf039878a1261b656424fc45c88))
+* **nextcloud:** Fix templating for nextcloud database name ([7f1f6cd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7f1f6cdcd4385d24cf13cdf9425b615337a131de))
+* **nextcloud:** Fix templating for nextcloud database user ([c8c12a2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c8c12a278e8d00f04c1c7b6dd7fbdf3826c89a19))
+* **nextcloud:** Support IPv4 only clusters ([b25ada1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b25ada1f603659cd551be23d62992e8fa6a0603d))
+* **nextcloud:** Trusted Proxy setting. ([bc0ca8b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc0ca8b4c1dfdcd046c9b4ddd1f63a28e6a5531a))
+* **nextcloud:** Update Chart to 3.6.1 and Image to 2.3.3 (including rollback to 29.0.8). Introducing setting for `functional.filestore.sharing.external.sendPasswordMail` ([18fcaa0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/18fcaa0331c9c94bb2f260f97fbadad44b019bb6))
+* **nextcloud:** Update to 29.0.9 incl. latest apps. ([c63cca7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c63cca72a35cdeb35b8ea48d98a5c5d55982d145))
+* **notes:** Add `favicon.ico` via `opendesk-static-files` ([669995b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/669995bb95235a56f7b2387c4c582d6e7250e4a9))
+* **notes:** Add https to all endpoints ([174951c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/174951cd5145e83d776a9b4bda4f091d5b827402))
+* **nubus:** Add nginx s3 proxy when minio disabled ([b3b6ab5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b3b6ab5a61dc5bca13c8b1f4e6b716bbcad64e8c))
+* **nubus:** Enable Keycloak debug mode logging; add Keycloak specific section to debugging.md ([3b3679b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3b3679bab150ece327ce1e132933820b1e3afa88))
+* **nubus:** Fix selfsigned certificate mounts ([b90bff3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b90bff30b35b91fff792f2d5d617de4cdba30f23))
+* **nubus:** Leader election on re-deployments ([b965677](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b9656772a9c743c9119a850e0b48cb39d68f48fa))
+* **nubus:** Start ums keycloak bootstrap already during Sync phase ([16dfd25](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/16dfd255c621b1da311fd6fee775f7397e5f6792))
+* **nubus:** Update external portal links and login screen background. ([901b1f5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/901b1f529e7d16a8164511bebac1e7f9a475d111))
+* **nubus:** Update to 1.4.0 ([2a94f2d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2a94f2dd4bdfa039b4459b3711e171ee46172583))
+* **nubus:** Update to v1.5.1 ([4c7422a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4c7422a411a4fa1ddc36430d363ae06226efb31d))
+* **nubus:** Use favicon with transparent background for portal ([1b13c3e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1b13c3ea658786420d960c8e67aed81f40067c0a))
+* **open-xchange:** Extend Dovecot LDAP filter to also match OX-Resources ([31ea6e0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31ea6e0e08226afb8d9cba4370033fd6f742459b))
+* **open-xchange:** Fix truststore decrypt error on self-signed deployments ([8611d95](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8611d95e5a4ab7b158ed8322676589c3d196b548))
+* **open-xchange:** Update AppSuite to 8.30, update Helm chart to 2.12.85 ([0c88699](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0c886999174f87030af268c7fdd0beee11f01346))
+* **opendesk-services:** Update minio to 2024.12.13 ([4cda827](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4cda827f5554ed7ff92a85fc62f6908183181f9b))
+* **opendesk-services:** Update otterize Network Policies ([4602396](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4602396583c454a23b3458c54cb40e259f245163))
+* **openproject:** Bump Helm chart to 9.2 ([718eb45](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/718eb45e9c9961f1f792b59e232fd7da66916c7d))
+* **openproject:** Bump version to 15.0.2 ([c06e0bb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c06e0bb8d4d04c8794dafddecc189d5f376d661e))
+* **openproject:** Update 15.1.0 image ([6d329e1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6d329e18cff8c6ebbbf1b0965801827079904f88))
+* **openproject:** Update branding and Helm chart to 9.0.1 ([d3b1916](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d3b191644b0bf20cac1cd9f85ed4b4dc7c6b549d))
+* **openproject:** Update to 14.6.3 incl. latest Helm chart (8.3.2). ([4c82adf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4c82adf668c7f90489bc4ae46426cf607e3425d8))
+* **postfix:** Added service type definition analogous to dovecot ([31ec100](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31ec1003c0874a2920132c61d48a1a88e5569cb8))
+* **services:** Add template for certificate issuerRef.kind ([df144fe](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/df144fe3d3ffd70ca0b7e5aa4c2894b96d0138f1))
+* **services:** Update MariaDB chart to v3.0.3 in preparation for the use of external secrets. ([08feab1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/08feab1cfcc099d9b8caed2c4db9a97d4542a5ac))
+* **services:** Update Redis to 7.4.1 as required by OX Appsuite, please read migrations.md for more details ([5e0b2e2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5e0b2e26fc33d7befcb3f94d748e8e9d6f93f383))
+* **xwiki:** Fix templating for xwiki database port ([de15071](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/de15071ae9d6194d93f9a5fbb0033650b266eaf9))
+* **xwiki:** Set superadmin password account only when debug is enabled ([e2b3bd5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e2b3bd543fab7be512cef58382c4d62c48cd79b4))
+
+
+### Features
+
+* **helmfile:** Add grafana dashboards ([1441c57](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1441c5734f42b995505e6aa97f59bdb1eae32b1b))
+* **helmfile:** Add openDesk specific alerts ([f630a36](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f630a369da12ef7f19d5553c6dbd5955e414868f))
+* **helmfile:** Add template support for antivirus icap/milter ([83da87e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/83da87e9623be294753302686a8d8270c28bcc58))
+* **helmfile:** Allow custom/self-signed ca-certificates ([c71faf5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c71faf5e8011c42b02fd5025a9b1629300a4f1e3))
+* **jitsi:** Enable Jitsi room history by default. ([45add79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/45add7981c3a50045caeadb7f2b0bc11254ae562))
+* Newsfeed in Portal based on XWiki blog feature ([3ad285a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3ad285a8695a32607c4bf0faea0747c7e685dcd6))
+* **notes:** Integrate Preview of Notes app ([96f1819](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/96f18196c53267dbd72cd28e6fbadf06448db93a))
+
 # [1.0.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.9.0...v1.0.0) (2024-10-14)
 
 

README-EE.md

@@ -0,0 +1,102 @@
+<!--
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>openDesk Enterprise Edition</h1>
+
+<!-- TOC -->
+* [Components](#components)
+* [Enabling the Enterprise deployment](#enabling-the-enterprise-deployment)
+* [Configuring the oD EE deployment for self-hosted installations](#configuring-the-od-ee-deployment-for-self-hosted-installations)
+  * [Registry access](#registry-access)
+  * [License keys](#license-keys)
+<!-- TOC -->
+
+openDesk Enterprise Edition is recommended for production use. It receives support and patches from ZenDiS and the suppliers of the components due to the included product subscriptions.
+
+The document refers to openDesk Community Edition as "oD CE" and for the openDesk Enterprise Edition it is "oD EE".
+
+Please contact [ZenDiS](mailto:opendesk@zendis.de) to get openDesk Enterprise, either as SaaS offering or for you on-premise installation.
+
+# Components
+
+The following components using the same codebase and artifacts for their Enterprise and Community offering:
+- Cryptpad
+- Jitsi
+- Nubus
+- OpenProject
+- XWiki
+
+The following components have - at least partially - Enterprise specific artifacts:
+
+- Collabora: Collabora Online image version `<major>.<minor>.<patch>.3` will be used once available, at the same time the Collabora Development Edition image will be updated to `<major>.<minor>.<patch>.2` for oD CE.
+- Element: Some artifacts providing additional functionality are only available in oD EE. For the shared artifacts we keep the ones in oD CE and oD EE in sync.
+- Nextcloud: Specific enterprise image based on the NC Enterprise package is build based on the same release version as used in oD CE.
+- OX AppSuite: oD CE and EE are using the same release version, in EE an enterprise-built container of the AppSuite's Core-Middleware is being integrated.
+- OX Dovecot Pro 3: Dovecot Pro provides support for S3 storage and this feature is used by default.
+
+# Enabling the Enterprise deployment
+
+To enable the oD EE deployment you must set the environment variable `OPENDESK_ENTERPRISE` to any value that does not evaluate to boolean *false* for [Helm flow control](https://helm.sh/docs/chart_template_guide/control_structures/#ifelse), e.g. `"true"`, `"yes"` or `"1"`:
+
+```shell
+OPENDESK_ENTERPRISE=true
+```
+
+# Configuring the oD EE deployment for self-hosted installations
+
+## Registry access
+
+With openDesk EE you get access to the related artifact registry owned by ZenDiS.
+
+Three steps are required to access the registry - for step #1 and #2 you can set some variables. You can to define a `<your_name_for_the_secret>` freely, like `enterprise-secret`, as long as it consistent in step #1 and #3.
+
+```shell
+NAMESPACE=<your_namespace>
+NAME_FOR_THE_SECRET=<your_name_for_the_secret>
+YOUR_ENTERPRISE_REGISTRY_USERNAME=<your_registry_credential_username>
+YOUR_ENTERPRISE_REGISTRY_PASSWORD=<your_registry_credential_password>
+```
+
+1. Add your registry credentials as secret to the namespace you want to deploy openDesk to. Do not forget to create the namespace if it does not exist yet (`kubectl create namespace ${NAMESPACE}`).
+
+```shell
+kubectl create secret --namespace "${NAMESPACE}" \
+  docker-registry "${NAME_FOR_THE_SECRET}" \
+  --docker-server "registry.opencode.de" \
+  --docker-username "${YOUR_ENTERPRISE_REGISTRY_USERNAME}" \
+  --docker-password "${YOUR_ENTERPRISE_REGISTRY_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply -f -
+```
+
+2. Docker login to the registry to access Helm charts for local deployments:
+
+```shell
+docker login registry.opencode.de -u ${YOUR_ENTERPRISE_REGISTRY_USERNAME} -p ${YOUR_ENTERPRISE_REGISTRY_PASSWORD}
+```
+
+3. Reference the secret from step #1 in the deployment as well as the registry itself for `images` and `helm` charts:
+
+```yaml
+global:
+  imagePullSecrets:
+    - "<your_name_for_the_secret>"
+repositories:
+  image:
+    registryOpencodeDeEnterprise: "registry.opencode.de"
+  helm:
+    registryOpencodeDeEnterprise: "registry.opencode.de"
+```
+
+## License keys
+
+Some applications require license information for their Enterprise features to be enabled. With the aforementioned registry credentials you will also receive a file called `enterprise.yaml` containing the relevant license keys.
+
+Please place the file next your other `.yaml.gotmpl` file(s) that configure your deployment.
+
+Details regarding the scope/limitation of the component's licenses:
+
+- Nextcloud: Enterprise license to enable [Nextcloud Enterprise](https://nextcloud.com/de/enterprise/) specific features, can be used across multiple installations until the licensed number of users is reached.
+- OpenProject: Domain specific enterprise license to enable [OpenProject's Enterprise feature set](https://www.openproject.org/enterprise-edition/), domain matching can use regular expressions.
+- XWiki: Deployment specific enterprise license (key pair) to activate the [XWiki Pro](https://xwiki.com/en/offerings/products/xwiki-pro) apps.

README.md

@@ -13,7 +13,9 @@ SPDX-License-Identifier: Apache-2.0
 * [Getting started](#getting-started)
 * [Advanced customization](#advanced-customization)
 * [Architecture](#architecture)
+* [Permissions](#permissions)
 * [Releases](#releases)
+* [Data Storage](#data-storage)
 * [Feedback](#feedback)
 * [Development](#development)
 * [License](#license)
@@ -25,17 +27,19 @@ SPDX-License-Identifier: Apache-2.0
 openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the
 *Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH*.
 
+For production use the [openDesk Enterprise Edition](./README-EE.md) is required.
+
 openDesk currently features the following functional main components:
 
 | Function             | Functional Component        | Component<br/>Version                                                                                | Upstream Documentation                                                                                                                |
 | -------------------- | --------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
-| Chat & collaboration | Element ft. Nordeck widgets | [1.11.87](https://github.com/element-hq/element-desktop/releases/tag/v1.11.87)                       | [For the most recent release](https://element.io/user-guide)                                                                          |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.89](https://github.com/element-hq/element-desktop/releases/tag/v1.11.89)                       | [For the most recent release](https://element.io/user-guide)                                                                          |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                     | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
 | File management      | Nextcloud                   | [29.0.8](https://nextcloud.com/de/changelog/#29-0-8)                                                 | [Nextcloud 29](https://docs.nextcloud.com/)                                                                                           |
 | Groupware            | OX App Suite                | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/)                               | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)                       | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | [1.4.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | [15.1.0](https://www.openproject.org/docs/release-notes/15-1-0/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Portal & IAM         | Nubus                       | [1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Project management   | OpenProject                 | [15.2.1](https://www.openproject.org/docs/release-notes/15-2-1/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9823](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9823)                | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [24.04.9.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                               | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 
@@ -77,6 +81,10 @@ You would like to install openDesk in your own infrastructure?
 
 More information on openDesk's architecture can be found in our [Architecture docs](./docs/architecture.md).
 
+# Permissions
+
+Find out more about the permission system in the[roles & permissions concept](./docs/permissions.md)
+
 # Releases
 
 All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
@@ -92,6 +100,11 @@ in the files from the release's git-tag:
 
 Find more information in our [Workflow documentation](./docs/workflow.md).
 
+# Data Storage
+
+More information about different data storages used within openDesk are described in the
+[Data Storage documentation](./docs/data-storage.md).
+
 # Feedback
 
 We love to get feedback from you!

REUSE.toml

@@ -14,7 +14,7 @@ SPDX-FileCopyrightText = "2023 Bundesministerium des Innern und für Heimat, PG
 SPDX-License-Identifier = "CC0-1.0"
 
 [[annotations]]
-path = "helmfile/files/theme/*"
+path = "helmfile/files/theme/**"
 SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
 SPDX-License-Identifier = "Apache-2.0"
 

cspell.json

@@ -4,79 +4,82 @@
     "dictionaryDefinitions": [],
     "dictionaries": [],
     "words": [
-        "openDesk",
+        "Addressbooks",
         "AppSuite",
-        "Collabora",
-        "Digitale",
-        "Jitsi",
-        "Nextcloud",
-        "Öffentlichen",
-        "OpenProject",
-        "Souveränität",
-        "Verwaltung",
-        "Zentrum",
-        "Keycloak",
-        "NATS",
-        "slapadd",
-        "slapcat",
-        "RDBMS",
-        "Velero",
-        "Univention",
-        "OIDC",
-        "kcadmin",
-        "DMARC",
-        "homeserver",
-        "Bundesministerium",
-        "Innern",
-        "Heimat",
-        "Projektgruppe",
+        "Arbeitsplatz",
         "Aufbau",
-        "Filepicker",
-        "Weboffice",
-        "Xchange",
-        "opencode",
-        "seccomp",
-        "psql",
-        "databasename",
-        "helmfile",
-        "gotmpl",
-        "containerd",
-        "letsencrypt",
-        "CNCF",
-        "kubespray",
-        "ICAP",
+        "bootstrap",
+        "Bundesministerium",
         "Ceph",
+        "clamav",
+        "CNCF",
+        "Collabora",
+        "commandline",
+        "configurability",
+        "containerd",
         "Coturn",
-        "Minio",
-        "Kyverno",
-        "Otterize",
-        "IBAC",
-        "pubkeys",
-        "Grundschutz",
-        "Kubescape",
-        "Gitflow",
-        "hadolint",
+        "cryptpad",
+        "databasename",
+        "Digitale",
+        "DMARC",
         "explorative",
+        "Filepicker",
+        "filestore",
+        "Gitflow",
+        "gotmpl",
+        "Grundschutz",
+        "hadolint",
+        "Heimat",
+        "helmfile",
+        "helmfiles",
+        "homeserver",
+        "IBAC",
+        "ICAP",
+        "IMAPS",
+        "Innern",
+        "Jitsi",
+        "kcadmin",
+        "Keycloak",
+        "Kubescape",
+        "kubespray",
+        "Kyverno",
+        "letsencrypt",
+        "localpart",
+        "Minio",
+        "NATS",
+        "Nextcloud",
+        "nindent",
         "Nordeck",
         "Nubus",
-        "Souveräne",
-        "Arbeitsplatz",
-        "commandline",
-        "helmfiles",
-        "SMTPS",
-        "IMAPS",
-        "xwiki",
-        "cryptpad",
-        "clamav",
-        "templating",
-        "localpart",
-        "Addressbooks",
-        "filestore",
-        "trashbin",
-        "bootstrap",
-        "configurability",
+        "Öffentlichen",
+        "OIDC",
+        "opencode",
+        "openDesk",
+        "OpenProject",
+        "Otterize",
+        "Projektgruppe",
+        "psql",
+        "pubkeys",
+        "RDBMS",
+        "seccomp",
         "selfsigned",
-        "truststore"
+        "slapadd",
+        "slapcat",
+        "SMTPS",
+        "Souveräne",
+        "Souveränität",
+        "templating",
+        "trashbin",
+        "truststore",
+        "Univention",
+        "Velero",
+        "Verwaltung",
+        "Videokonferenz",
+        "Weboffice",
+        "Xchange",
+        "xwiki",
+        "Zentrum",
+        "analysed"
     ],
     "ignoreWords": [],
     "import": []

dev/README.md

@@ -7,30 +7,40 @@ SPDX-License-Identifier: Apache-2.0
 
 * [charts-local.py](#charts-localpy)
   * [Commandline parameter](#commandline-parameter)
-    * [`--branch`](#--branch)
+    * [`--match <your_string>`](#--match-your_string)
     * [`--revert`](#--revert)
+    * [`--branch` (deprecated)](#--branch-deprecated)
 
 # charts-local.py
 
-This script helps you on cloning the platform development Helm charts and referencing them directly in the openDesk
-Helmfile deployment for comfortable local test and development. The charts will be cloned into a directory
-parallel created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.
-The name of the chart directory is derived from the branch name you are working with in this `opendesk` repo.
+This script helps you with cloning/pulling Helm charts and referencing them directly in the openDesk
+Helmfile deployment for comfortable local test and development. The charts will be cloned/pulled into a directory
+created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.
 
-The script will create `.bak` copies of the helmfiles that have been touched.
+The name of the directory containing the charts is based on the (currently) selected branch of the openDesk
+repo prefixed with `charts-`.
+
+The script will create `.bak` copies of the helmfiles that have been touched that can easily be reverted to
+using the `--revert` option.
 
 Run the script with `-h` to get information about the script's parameter on commandline.
 
 ## Commandline parameter
 
-### `--branch`
+### `--match <your_string>`
+
+Will only fetch repos or pull images for charts which name matches `<your_string>`.
+
+### `--revert`
+
+Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
+scripts itself back to their original location.
+
+### `--branch` (deprecated)
 
 Optional parameter: Defines a branch for the `opendesk` repo to work with. The script will create the branch if it
 does not exist yet. Otherwise it will switch to defined branch.
 
 If parameter is omitted the current branch of the `opendesk` repo will be used.
 
-### `--revert`
-
-Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
-scripts itself back to their original location.
+As this parameter was used rarely, we might remove the support in a later version.

dev/charts-local.py

@@ -18,7 +18,6 @@ p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work
 p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
 p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
 p.add('--match', default='', help="Clone/pull only charts that contain the given string in their name.")
-p.add('--pull', default=False, action='store_true', help='Will also pull and unpack Helm charts that are not developed by product development.')
 p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
 options = p.parse_args()
 
@@ -78,13 +77,10 @@ def create_path_if_not_exists(path):
         Path(path).mkdir(parents=True, exist_ok=True)
 
 def clone_charts_locally(branch, charts):
-    charts_clone_path = script_path+'/../../chart-repo/'+branch.replace('/', '_')
-    charts_pull_path = script_path+'/../../chart-pull/'+branch.replace('/', '_')
+    charts_path = script_path+'/../../charts-'+branch.replace('/', '_')
     charts_dict = {}
     doublette_dict = {}
-    create_path_if_not_exists(charts_clone_path)
-    if options.pull:
-        create_path_if_not_exists(charts_pull_path)
+    create_path_if_not_exists(charts_path)
 
     for chart in charts['charts']:
         tag = charts['charts'][chart]['version']
@@ -92,41 +88,41 @@ def clone_charts_locally(branch, charts):
         registry = charts['charts'][chart]['registry']
         name = charts['charts'][chart]['name']
         logging.debug(f"Working on {chart} / tag {tag} / repo {repository}")
+        chart_local_path = charts_path+'/'+name
         if not options.match in name:
             logging.info(f"Chart name {name} does not match {options.match} - skipping...")
+            continue
         elif registry == '':
             logging.info("Empty registry definition - skipping...")
+            continue
+        if os.path.isdir(chart_local_path):
+            logging.debug(f"Found pre-existing {chart_local_path} skipping clone/pull, but will still reference chart in Helmfile...")
+            charts_dict[chart] = chart_local_path
+            continue
         elif 'opendesk/components/platform-development/charts' in repository:
             logging.info("Cloning the charts repo")
             git_url = options.git_hostname+':'+repository
-            chart_repo_path = charts_clone_path+'/'+charts['charts'][chart]['name']
             if git_url in doublette_dict:
                 logging.debug(f"{chart} located at {git_url} is already checked out to {doublette_dict[git_url]}")
                 charts_dict[chart] = doublette_dict[git_url]
             else:
-                if os.path.isdir(chart_repo_path):
-                    logging.debug(f"Already exists {chart_repo_path} leaving it unmodified")
-                else:
-                    logging.debug(f"Cloning into {chart_repo_path}")
-                    Repo.clone_from(git_url, chart_repo_path)
-                    chart_repo = Repo(path=chart_repo_path)
-                    chart_repo.git.checkout('v'+charts['charts'][chart]['version'])
-                doublette_dict[git_url] = chart_repo_path
-                charts_dict[chart] = chart_repo_path
-        elif options.pull:
+                logging.debug(f"Cloning into {chart_local_path}")
+                Repo.clone_from(git_url, chart_local_path)
+                chart_repo = Repo(path=chart_local_path)
+                chart_repo.git.checkout('v'+charts['charts'][chart]['version'])
+                doublette_dict[git_url] = chart_local_path
+                charts_dict[chart] = chart_local_path
+        else:
             logging.info("Pulling the chart")
-            helm_command = f"helm pull oci://{registry}/{repository}/{name} --version {tag} --untar --destination {charts_pull_path}"
+            helm_command = f"helm pull oci://{registry}/{repository}/{name} --version {tag} --untar --destination {charts_path}"
             logging.debug(f"CLI command: {helm_command}")
             try:
-                output = subprocess.check_output(helm_command, shell = True)
+                subprocess.check_output(helm_command, shell = True)
             except subprocess.CalledProcessError:
                 sys.exit(f"! CLI command '{helm_command}' failed")
-        else:
-            logging.debug("Not a product development chart and `--pull` option not enabled - skipping...")
-
+            charts_dict[chart] = chart_local_path
     return charts_dict
 
-
 def grep_yaml(file):
     with open(file, 'r') as file:
         content = ''
@@ -156,7 +152,12 @@ def process_the_helmfiles(charts_dict, charts):
                     for chart_ident in charts_dict:
                         if '.Values.charts.'+chart_ident+'.name' in line:
                             logging.debug(f"found match with {chart_ident} in {line.strip()}")
-                            line = chart_def_prefix+charts_dict[chart_ident]+'/charts/'+charts['charts'][chart_ident]['name']+'" # replaced by local-dev script'+"\n"
+                            line = charts_dict[chart_ident]
+                            if os.path.isdir(line+'/charts/'+chart_ident):
+                                line += '/charts/'+charts['charts'][chart_ident]['name']
+                            elif not os.path.isdir(line):
+                                sys.exit(f"! Did not find directory to reference in Helmfile: '{line}'")
+                            line = chart_def_prefix+line+'" # replaced by local-dev script'+"\n"
                             child_helmfile_updated = True
                             break
                 output.append(line)

docs/architecture.md

@@ -5,6 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 
 <h1>Architecture</h1>
 
+<!-- TOC -->
 * [Overview](#overview)
 * [Nubus (IAM)](#nubus-iam)
 * [Authentication](#authentication)
@@ -23,6 +24,7 @@ SPDX-License-Identifier: Apache-2.0
   * [Central Contacts](#central-contacts)
   * [Central Navigation](#central-navigation)
   * [Filepicker](#filepicker)
+  * [Newsfeed](#newsfeed)
   * [(OpenProject) File Store](#openproject-file-store)
 * [Applications vs. Services](#applications-vs-services)
   * [Collabora (Office)](#collabora-office)
@@ -36,6 +38,7 @@ SPDX-License-Identifier: Apache-2.0
   * [XWiki (Knowledge management)](#xwiki-knowledge-management)
 * [Application specific user accounts](#application-specific-user-accounts)
 * [Footnotes](#footnotes)
+<!-- TOC -->
 
 openDesk is designed as a [Kubernetes](https://kubernetes.io) deployment.
 
@@ -234,7 +237,7 @@ The [OX SOAP API](https://oxpedia.org/wiki/index.php?title=Open-Xchange_Provisio
 - (Managed) Resources
 - Users
 
-To find out more, see [Roles & Permissions](roles-and-permissions.md).
+To find out more, see [Roles & Permissions](permissions.md).
 
 ## SCIM
 
@@ -256,6 +259,7 @@ flowchart TD
  Intercom_Service-->|Silent Login, Token Exchange|IdP
  Intercom_Service-->|Filepicker|Nextcloud
  Intercom_Service-->|Central Navigations|Portal
+ Intercom_Service-->|Newsfeed|XWiki
  OX-AppSuite_Backend-->|Filepicker|Nextcloud
  OX-AppSuite_Backend-->|Videoconferences|Element
  Nextcloud-->|Central Navigation|Portal
@@ -264,6 +268,7 @@ flowchart TD
  XWiki-->|Central Navigation|Portal
  Nextcloud-->|Central Contacts|OX-AppSuite_Backend
  OX-AppSuite_Frontend-->|Filepicker|OX-AppSuite_Backend
+ Portal-->|Newsfeed|Intercom_Service
 ```
 
 Details can be found in the upstream documentation that is linked in the respective sections.
@@ -325,6 +330,14 @@ when adding a file to an email or storing a file into Nextcloud to avoid passing
 **Links**
 - [OX AppSuite Nextcloud Integration upstream documentation](https://gitlab.open-xchange.com/extensions/nextcloud-integration/-/tree/main/documentation).
 
+## Newsfeed
+
+The portal renders a newsfeed based on entries of a predefined openDesk blog in XWiki. It accesses the required XWiki
+service through the Intercom Service's `/wiki` endpoint, in combination with the previously described silent login.
+
+**Links:**
+- [XWiki Blog feature](https://extensions.xwiki.org/xwiki/bin/view/Extension/Blog%20Application)
+
 ## (OpenProject) File Store
 
 While OpenProject allows you to attach files to work packages directly, it is often preferred that the files are

docs/architecture/apis.md

@@ -51,6 +51,10 @@ This chapter presents APIs available in openDesk grouped by applications.
   * [Matrix Server-Server API](#matrix-server-server-api)
   * [Matrix Push Gateway API](#matrix-push-gateway-api)
   * [Matrix Identity Service API](#matrix-identity-service-api)
+  * [Matrix React SDK Module API](#matrix-react-sdk-module-api)
+  * [Matrix Widget API](#matrix-widget-api)
+  * [NeoBoard Data Model API](#neoboard-data-model-api)
+  * [NeoDateFix REST API](#neodatefix-rest-api)
 * [Knowledge management - XWiki](#knowledge-management---xwiki)
   * [REST API](#rest-api-1)
   * [Scripting API](#scripting-api)
@@ -647,7 +651,56 @@ Following are APIs used by the Project management application:
 
 While Jitsi is available as standalone videoconferencing in openDesk, it is also used in [Element as videoconferencing backend](https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md).
 
-![APIs of Element and Jitsi providing Communication Service](./apis_images/ChatVC-overview.png)
+```mermaid
+---
+  config:
+    class:
+      hideEmptyMembersBox: true
+---
+classDiagram
+    class CommunicationService["Communication Service"] {
+        <<interface>>
+    }
+
+    class MxChat["Element Matrix Chat"] {
+        <<interface>>
+    }
+    class JitsiVideoConference["Jitsi Video Conference"] {
+        <<interface>>
+    }
+
+    CommunicationService <|.. MxChat
+    CommunicationService <|.. JitsiVideoConference
+    MxChat <-- JitsiVideoConference
+
+    class MxAppServiceApi["Matrix Application Service API"]
+    class MxClientServerApi["Matrix Client Server API"]
+    class MxServerServerApi["Matrix Server Server API"]
+    class MxPushGatewayApi["Matrix Push Gateway API"]
+    class MxIdentityServiceApi["Matrix Identity Service API"]
+    class MxRtc["Matrix RTC"]
+    class MxElementWebModuleApi["Matrix React SDK Module API"]
+    class MxWidgetApi["Matrix Widget API"]
+    class NeoBoardDataModelApi["NeoBoard Data Model API"]
+    class NeoDateFixRestApi["NeoDateFix REST API"]
+
+    MxChat *-- MxAppServiceApi
+    MxChat *-- MxClientServerApi
+    MxChat *-- MxServerServerApi
+    MxChat *-- MxPushGatewayApi
+    MxChat *-- MxIdentityServiceApi
+    MxChat *-- MxRtc
+    MxChat *-- MxElementWebModuleApi
+    MxChat *-- MxWidgetApi
+
+    class JitsiIframeApi["Jitsi iFrame API"]
+    class JitsiMeetApi["Jitsi Meet API"]
+    class JitsiMeetReactSdk["Jitsi Meet React SDK"]
+
+    JitsiVideoConference *-- JitsiIframeApi
+    JitsiVideoConference *-- JitsiMeetApi
+    JitsiVideoConference *-- JitsiMeetReactSdk
+```
 
 Following are APIs used by the Chat application:
 
@@ -741,6 +794,74 @@ Following are APIs used by the Chat application:
 | Supported standards            | [Matrix](https://spec.matrix.org/latest/identity-service-api/)                                                                               |
 | Documentation                  | [Synapse](https://element-hq.github.io/synapse/latest/) is the reference implementation of the Matrix protocol, see standard for API details |
 
+## Matrix React SDK Module API
+
+| Name                           | Matrix React SDK Module API                                                                                                                                                                                                        |
+| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Purpose                        | The module system in Element Web is a way to add or modify functionality of Element Web itself, bundled at compile time for the app.                                                                                               |
+| Versioning                     | [Releases in the Git repository](https://github.com/matrix-org/matrix-react-sdk-module-api/releases); [Dependency in `package.json` in Element (Chat Web-UI)](https://github.com/element-hq/element-web/blob/develop/package.json) |
+| Authentication                 | n/a - used as a library                                                                                                                                                                                                            |
+| In openDesk provided by        | Element (Chat Web-UI)                                                                                                                                                                                                              |
+| Transport protocol             | n/a - used as a library                                                                                                                                                                                                            |
+| Usage within component         | [Element (Chat-Web-UI) Modules](https://github.com/nordeck/element-web-modules/)                                                                                                                                                   |
+| Usage within openDesk          | none                                                                                                                                                                                                                               |
+| Usage for external integration | n/a - uses as a library                                                                                                                                                                                                            |
+| Parallel access                | Allowed                                                                                                                                                                                                                            |
+| Message protocol               | n/a - used as a library                                                                                                                                                                                                            |
+| Supported standards            | n/a - Element (Chat Web-UI) specific                                                                                                                                                                                               |
+| Documentation                  | [Element (Chat Web-UI) Documentation](https://github.com/element-hq/element-web/blob/develop/docs/modules.md); [matrix-react-sdk-module-api Git repository](https://github.com/matrix-org/matrix-react-sdk-module-api)             |
+
+## Matrix Widget API
+
+| Name                           | Matrix Widget API                                                                                                                                                                                                    |
+| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Purpose                        | Matrix Widgets are HTML and Javascript content / applications that can be embedded within, and communicate with Matrix clients.                                                                                      |
+| Versioning                     | n/a                                                                                                                                                                                                                  |
+| Authentication                 | Widgets request capabilities. They must be confirmed by a user or by the [Widget Lifecycle Module](https://github.com/nordeck/element-web-modules/blob/main/packages/element-web-widget-lifecycle-module/README.md). |
+| In openDesk provided by        | Element (Chat Web-UI)                                                                                                                                                                                                |
+| Transport protocol             | [HTML window.postMessage API](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage)                                                                                                                   |
+| Usage within component         | [NeoDateFix](https://github.com/nordeck/matrix-meetings/), [NeoBoard](https://github.com/nordeck/matrix-neoboard), [NeoChoice](https://github.com/nordeck/matrix-poll)                                                                                                    |
+| Usage within openDesk          | none                                                                                                                                                                                                                 |
+| Usage for external integration | none                                                                                                                                                                                                                 |
+| Parallel access                | Allowed                                                                                                                                                                                                              |
+| Message protocol               | JSON                                                                                                                                                                                                                 |
+| Supported standards            | [Matrix - MSC2764](https://github.com/matrix-org/matrix-spec-proposals/pull/2764)                                                                                                                                    |
+| Documentation                  | [Matrix - MSC2764](https://github.com/matrix-org/matrix-spec-proposals/pull/2764)                                                                                                                                    |
+
+## NeoBoard Data Model API
+
+| Name                           | NeoBoard Data Model API                                                                                                               |
+| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
+| Purpose                        | The NeoBoard data model can be used to generate whiteboard documents.                                                                 |
+| Versioning                     | `version` field in the [NeoBoard data model](https://github.com/nordeck/matrix-neoboard/blob/main/docs/model/export-format.md#fields) |
+| Authentication                 | n/a                                                                                                                                   |
+| In openDesk provided by        | [NeoBoard](https://github.com/nordeck/matrix-neoboard)                                                                                |
+| Transport protocol             | n/a                                                                                                                                   |
+| Usage within component         | [NeoBoard](https://github.com/nordeck/matrix-neoboard)                                                                                |
+| Usage within openDesk          | none                                                                                                                                  |
+| Usage for external integration | none                                                                                                                                  |
+| Parallel access                | n/a                                                                                                                                   |
+| Message protocol               | JSON                                                                                                                                  |
+| Supported standards            | n/a                                                                                                                                   |
+| Documentation                  | [NeoBoard data model](https://github.com/nordeck/matrix-neoboard/tree/main/docs/model)                                                |
+
+## NeoDateFix REST API
+
+| Name                           | NeoDateFix REST API                                                                                                                                |
+| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Purpose                        | Can be used to query and set up NeoDateFix Matrix meetings.                                                                                        |
+| Versioning                     | Path segment in the [Meetings Bot API](https://github.com/nordeck/matrix-meetings/blob/main/docs/data-model.md#http-api)                           |
+| Authentication                 | n/a                                                                                                                                                |
+| In openDesk provided by        | [NeoDateFix](https://github.com/nordeck/matrix-meetings)                                                                                           |
+| Transport protocol             | HTTP(S)                                                                                                                                            |
+| Usage within component         | [NeoDateFix](https://github.com/nordeck/matrix-meetings)                                                                                           |
+| Usage within openDesk          | Used by OX to sync calendar entries to NeoDateFix                                                                                                  |
+| Usage for external integration | none                                                                                                                                               |
+| Parallel access                | n/a                                                                                                                                                |
+| Message protocol               | JSON                                                                                                                                               |
+| Supported standards            | n/a                                                                                                                                                |
+| Documentation                  | [NeoDateFix ADR001](https://github.com/nordeck/matrix-meetings/blob/main/docs/adrs/adr001-use-the-widget-api-to-interact-with-the-meetings-bot.md) |
+
 # Knowledge management - XWiki
 
 Following are APIs used by the Knowledge management application:
@@ -804,7 +925,7 @@ Following are APIs used by the Knowledge management application:
 
 ## JavaScript API
 
-| Name                           | Javascript API                                                                               |
+| Name                           | JavaScript API                                                                               |
 | ------------------------------ | -------------------------------------------------------------------------------------------- |
 | Purpose                        | Include dynamic components in XWiki/web pages                                                |
 | Versioning                     |                                                                                              |

docs/data-storage.md

@@ -0,0 +1,117 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Application Data Storages</h1>
+
+To provide a feasible backup and restore concept, a thorough overview of all openDesk
+applications and their related data storages (ephemeral & persistent) is provided in the
+following subsection.
+
+<!-- TOC -->
+* [Overview](#overview)
+* [Details](#details)
+<!-- TOC -->
+
+# Overview
+
+The provided diagram shows all relevant openDesk applications on the left and
+their utilized data storages on the right. For more detailed information about each
+application refer to the table show in Section [Details](#details)
+
+```mermaid
+---
+config:
+  sankey:
+    showValues: false
+    linkColor: target
+---
+sankey-beta
+
+ClamAV,PersistentVolume,1
+
+Dovecot,PersistentVolume,1
+
+Element/Synapse,PostgreSQL,1
+Element/Synapse,PersistentVolume,1
+
+Intercom-Service,Redis,1
+
+Jitsi,PersistentVolume,1
+
+Nextcloud,MariaDB,1
+Nextcloud,S3,1
+Nextcloud,Redis,1
+
+Nubus,PostgreSQL,1
+Nubus,S3,1
+Nubus,PersistentVolume,1
+Nubus,Memcached,1
+
+OpenProject,PostgreSQL,1
+OpenProject,S3,1
+OpenProject,PersistentVolume,1
+OpenProject,Memcached,1
+
+Open-Xchange,MariaDB,1
+Open-Xchange,PersistentVolume,1
+Open-Xchange,Redis,1
+
+Postfix,PersistentVolume,1
+
+XWiki,MariaDB,1
+XWiki,PersistentVolume,1
+```
+
+# Details
+
+| Application          | Data Storage | Backup   | Content                                                                                    | Identifier                                     | Details                                               |
+| -------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------ | ---------------------------------------------- | ----------------------------------------------------- |
+| **ClamAV**           | PVC          | No       | ClamAV Database                                                                            | `clamav-database-clamav-simple-0`              | `/var/lib/clamav`                                     |
+| **Dovecot**          | PVC          | Yes      | User mail directories (openDesk CE only, openDesk EE uses Dovecot Pro with Object Storage) | `dovecot`                                      | `/srv/mail`                                           |
+| **Element/Synapse**  | PostgreSQL   | Yes      | Application's main database                                                                | `matrix`                                       |                                                       |
+|                      | PVC          | Yes      | Attachments                                                                                | `media-opendesk-synapse-0`                     | `/media`                                              |
+|                      |              | Yes      | Sync and state data                                                                        | `matrix-neodatefix-bot`                        | `/app/storage`                                        |
+| **Intercom-Service** | Redis        | No       | Shared session data                                                                        |                                                |                                                       |
+| **Jitsi**            | PVC          | Optional | Meeting recordings (feature not enabled in openDesk)                                       | `prosody-data-jitsi-prosody-0`                 | `/config/data`                                        |
+| **Nextcloud**        | MariaDB      | Yes      | Application's main database Meta-Data                                                      | `nextcloud`                                    |                                                       |
+|                      | S3           | Yes      | The Nextcloud managed user files                                                           | `nextcloud`                                    |                                                       |
+|                      | Redis        | No       | Distributed caching, as well as transactional file locking                                 |                                                |                                                       |
+| **Nubus**            | PostgreSQL   | Yes      | Main database for Nubus' IdP Keycloak                                                      | `keycloak`                                     |                                                       |
+|                      |              | Yes      | Login actions and device-fingerprints                                                      | `keycloak_extensions`                          |                                                       |
+|                      |              | Optional | Store of the temporary password reset token                                                | `selfservice`                                  |                                                       |
+|                      |              | No       | Notification features are not used in openDesk 1.1                                         | `notificationsapi`                             |                                                       |
+|                      |              | No       | Guardian features are currently not used in openDesk 1.1                                   | `guardianmanagementapi`                        |                                                       |
+|                      | S3           | No       | Static files for Portal                                                                    | `ums`                                          |                                                       |
+|                      | PVC          | Yes      | openLDAP database (primary R/W Pods), when restore select the one from the leader          | `shared-data-ums-ldap-server-primary-0`        | `/var/lib/univention-ldap`                            |
+|                      |              | Yes      | openLDAP process data                                                                      | `shared-run-ums-ldap-server-primary-0`         | `/var/run/slapd`                                      |
+|                      |              | No       | openLDAP database (secondary R/O Pods), secondaries can sync from the primary              | `shared-data-ums-ldap-server-secondary-0`      | `/var/lib/univention-ldap`                            |
+|                      |              | No       | openLDAP process data                                                                      | `shared-run-ums-ldap-server-secondary-0`       | `/var/run/slapd`                                      |
+|                      |              | Yes      | The state of the listener                                                                  | `data-ums-provisioning-listener-0`             | `/var/log/univention` and two others                  |
+|                      |              | No       | Cache                                                                                      | `group-membership-cache-ums-portal-consumer-0` | `/usr/share/univention-group-membership-cache/caches` |
+|                      |              | Yes      | Queued provisioning objects                                                                | `nats-data-ums-provisioning-nats-0`            | `/data`                                               |
+|                      | Memcached    | No       | Cache for UMC Server                                                                       |                                                |                                                       |
+| **OpenProject**      | PostgreSQL   | Yes      | Application's main database                                                                | `openproject`                                  |                                                       |
+|                      | S3           | Yes      | Attachments, custom styles                                                                 | `openproject`                                  |                                                       |
+|                      | Memcached    | No       | Cache                                                                                      |                                                |                                                       |
+|                      | PVC          | No       | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs               | `openproject-<web/worker>-*-tmp`               | `/tmp`                                                |
+|                      |              | No       | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs               | `openproject-<web/worker>-app-*-tmp`           | `/app/tmp`                                            |
+| **Open-Xchange**     | MariaDB      | Yes      | Application's control database to coordiate dynamically created ones                       | `configdb`                                     |                                                       |
+|                      |              | Yes      | Dynamically creates databases of schema `PRIMARYDB_n`containing multiple contexts          | `PRIMARYDB_*`                                  |                                                       |
+|                      |              | Yes      | OX Guard related settings                                                                  | `oxguard*`                                     |                                                       |
+|                      | Redis        | Optional | Cache, session related data, distributed maps                                              |                                                |                                                       |
+|                      | PVC          | Yes      | OX-Connector: OXAPI access details                                                         | `ox-connector-appcenter-ox-connector-0`        | `/var/lib/univention-appcenter/apps/ox-connector`     |
+|                      |              | Yes      | OX-Connector: Application's meta data                                                      | `ox-connector-ox-contexts-ox-connector-0`      | `/etc/ox-secrets`                                     |
+| **Postfix**          | PVC          | Yes      | Mail spool                                                                                 | `postfix`                                      | `/var/spool/postfix`                                  |
+| **XWiki**            | Database     | Yes      | Application's main database                                                                | `xwiki`                                        |                                                       |
+|                      | PVC          | Yes      | Attachments                                                                                | `xwiki-data-xwiki-0`                           | `/usr/local/xwiki/data`                               |
+
+Additionally, the following persistent volumes are mounted by pods that serve as a data storage for the applications mentioned above.
+
+| Service    | Pod              | Volume Name  | PVC                         | MountPath             |
+| ---------- | ---------------- | ------------ | --------------------------- | --------------------- |
+| MariaDB    | `mariadb-*`      | `data`       | `data-mariadb-0`            | `/var/lib/mysql`      |
+| MinIO      | `minio-*-*`      | `data`       | `minio`                     | `/bitnami/minio/data` |
+| PostgreSQL | `postgresql-*`   | `data`       | `data-postgresql-0`         | `/mnt/postgresql`     |
+| Redis      | `redis-master-*` | `redis-data` | `redis-data-redis-master-0` | `/data`               |

docs/debugging.md

@@ -12,6 +12,7 @@ SPDX-License-Identifier: Apache-2.0
   * [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
   * [Temporary/ephemeral containers](#temporaryephemeral-containers)
 * [Components](#components)
+  * [Helmfile](#helmfile)
   * [MariaDB](#mariadb)
   * [Nextcloud](#nextcloud)
   * [OpenProject](#openproject)
@@ -29,7 +30,7 @@ We for sure do not want to reinvent the wheel, so we might link to external sour
 information where available.
 
 > **Warning**<br>
-> You should never enable the debug option in production environments! By looking up `debug.enable` in the deployment, you
+> You should never enable the debug option in production environments! By looking up `debug.enabled` in the deployment, you
 will find the various places changes are applied when enabling debugging. So, outside of development and test
 environments, you should use them thoughtfully and carefully if needed.
 
@@ -38,7 +39,7 @@ environments, you should use them thoughtfully and carefully if needed.
 Check the openDesk [`debug.yaml.gotmpl`](../helmfile/environments/default/debug.yaml.gotmpl) and set for your deployment
 ```
 debug:
-  enable: true
+  enabled: true
 ```
 
 This will result in:
@@ -142,6 +143,15 @@ kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
 
 # Components
 
+## Helmfile
+
+When refactoring the Helmfile structure you want to ensure that there are not unintended mistakes by e.g. `diff`
+comparing the output of Helmfile from before and after the change by calling:
+
+```shell
+helmfile template -e dev >output_to_compare.yaml
+```
+
 ## MariaDB
 
 When using the openDesk bundled MariaDB, you can explore the database(s) using the MariaDB interactive terminal from the Pod's command line: `mariadb -u root -p`. On the password prompt, provide the value for `MARIADB_ROOT_PASSWORD` found in the Pod's environment.
@@ -158,7 +168,7 @@ While you will find all the details for the CLI tool in [the online documentatio
 
 `occ` is the CLI for Nextcloud; all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
 
-You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
+You can run occ commands in the `opendesk-nextcloud-aio` pod like this: `php /var/www/html/occ config:list`
 
 ## OpenProject
 

docs/enhanced-configuration/gitops.md

@@ -44,6 +44,10 @@ References:
 
 Afterwards, you can use the resulting manifests within an standard Argo CD workflow.
 
+> **Note**<br>
+> When creating the Argo CD application based on the resulting manifests you must not use the `Automated Sync Policy`
+> offered by Argo CD, as you have to manually ensure the applications are updated in the required sequence.
+
 ## Option 2: Helmfile plugin
 
 It is possible to deploy openDesk via Argo CD with community developed
@@ -52,4 +56,5 @@ It is possible to deploy openDesk via Argo CD with community developed
 You can find an example for this approach in the
 [Argo CD Deployments](https://gitlab.opencode.de/bmi/opendesk/deployment/options/argocd-deploy) repository.
 It contains an example Helm chart (`opendesk-parent`) to create Argo CD Applications via a Helm chart (`opendesk`)
-according to `app of apps pattern` and is using sync waves to follow dependencies.
+according to `app of apps pattern` and is using sync waves to ensure to required deployment and update sequence
+for openDesk is met.

docs/enhanced-configuration/idp-federation.md

@@ -6,7 +6,6 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Federation with external identity provider (IdP)</h1>
 
 <!-- TOC -->
-* [Context](#context)
 * [References](#references)
 * [Prerequisites](#prerequisites)
   * [User accounts](#user-accounts)
@@ -153,10 +152,9 @@ The following configuration is taking place in the Keycloak realm `opendesk`.
   - *Client authentication*: `Client secret sent as post` (default)
   - *Client ID*: Use the client ID you took from your organization's IdP config (`opendesk-federation-client` in this example)
   - *Client Secret*: Use the secret you took from your organization's IdP config
-  - When completed with *Add*, you get to the detailed IdP configured that also needs some updates (you may need to open the *Advanced* section to access some settings)
-    - *Back-channel logout*: `On`
-    - *Disable user info*: `On`
+  - When completed with *Add*, you get to the detailed IdP configuration that at least needs some the following update:
     - *First login flow override*: `auto-federate-flow`
+    - Depending on your organizations IdP and process preferences additional setting may be required
 
 - In case you want to forcefully redirect all users to your organization's IdP (disabling login with local openDesk accounts):
   - *Authentication* > `2fa-browser`

docs/enhanced-configuration/self-signed-certificates.md

@@ -98,6 +98,8 @@ multiple namespaces in a cluster.
         name: selfsigned-issuer
         kind: ClusterIssuer
         group: cert-manager.io
+      duration: 87600h # 10y
+      renewBefore: 87599h
     ```
 
 1. Copy this cert's secret into the/each namespace you want to make use of the cert.

docs/external-services.md

@@ -11,6 +11,7 @@ This document will cover the additional configuration for external services like
 * [Database](#database)
 * [Object storage](#object-storage)
 * [Cache](#cache)
+* [Footnotes](#footnotes)
 <!-- TOC -->
 
 # Database
@@ -18,93 +19,134 @@ This document will cover the additional configuration for external services like
 When deploying this suite to production, you need to configure the applications to use your production-grade database
 service.
 
-| Component    | Name               | Type       | Parameter | Key                                      | Default                    |
-| ------------ | ------------------ | ---------- | --------- | ---------------------------------------- | -------------------------- |
-| Element      | Synapse            | PostgreSQL |           |                                          |                            |
-|              |                    |            | Name      | `databases.synapse.name`                 | `matrix`                   |
-|              |                    |            | Host      | `databases.synapse.host`                 | `postgresql`               |
-|              |                    |            | Port      | `databases.synapse.port`                 | `5432`                     |
-|              |                    |            | Username  | `databases.synapse.username`             | `matrix_user`              |
-|              |                    |            | Password  | `databases.synapse.password`             |                            |
-| Keycloak     | Keycloak           | PostgreSQL |           |                                          |                            |
-|              |                    |            | Name      | `databases.keycloak.name`                | `keycloak`                 |
-|              |                    |            | Host      | `databases.keycloak.host`                | `postgresql`               |
-|              |                    |            | Port      | `databases.keycloak.port`                | `5432`                     |
-|              |                    |            | Username  | `databases.keycloak.username`            | `keycloak_user`            |
-|              |                    |            | Password  | `databases.keycloak.password`            |                            |
-|              | Keycloak Extension | PostgreSQL |           |                                          |                            |
-|              |                    |            | Name      | `databases.keycloakExtension.name`       | `keycloak_extensions`      |
-|              |                    |            | Host      | `databases.keycloakExtension.host`       | `postgresql`               |
-|              |                    |            | Port      | `databases.keycloakExtension.port`       | `5432`                     |
-|              |                    |            | Username  | `databases.keycloakExtension.username`   | `keycloak_extensions_user` |
-|              |                    |            | Password  | `databases.keycloakExtension.password`   |                            |
-| UMS          | Notifications API  | PostgreSQL |           |                                          |                            |
-|              |                    |            | Name      | `databases.umsNotificationsApi.name`     | `notificationsapi`         |
-|              |                    |            | Host      | `databases.umsNotificationsApi.host`     | `postgresql`               |
-|              |                    |            | Port      | `databases.umsNotificationsApi.port`     | `5432`                     |
-|              |                    |            | Username  | `databases.umsNotificationsApi.username` | `notificationsapi_user`    |
-|              |                    |            | Password  | `databases.umsNotificationsApi.password` |                            |
-|              | Self Service       | PostgreSQL |           |                                          |                            |
-|              |                    |            | Name      | `databases.umsSelfservice.name`          | `selfservice`              |
-|              |                    |            | Host      | `databases.umsSelfservice.host`          | `postgresql`               |
-|              |                    |            | Port      | `databases.umsSelfservice.port`          | `5432`                     |
-|              |                    |            | Username  | `databases.umsSelfservice.username`      | `selfservice_user`         |
-|              |                    |            | Password  | `databases.umsSelfservice.password`      |                            |
-| Nextcloud    | Nextcloud          | MariaDB    |           |                                          |                            |
-|              |                    |            | Name      | `databases.nextcloud.name`               | `nextcloud`                |
-|              |                    |            | Host      | `databases.nextcloud.host`               | `mariadb`                  |
-|              |                    |            | Username  | `databases.nextcloud.username`           | `nextcloud_user`           |
-|              |                    |            | Password  | `databases.nextcloud.password`           |                            |
-| OpenProject  | OpenProject        | PostgreSQL |           |                                          |                            |
-|              |                    |            | Name      | `databases.openproject.name`             | `openproject`              |
-|              |                    |            | Host      | `databases.openproject.host`             | `postgresql`               |
-|              |                    |            | Port      | `databases.openproject.port`             | `5432`                     |
-|              |                    |            | Username  | `databases.openproject.username`         | `openproject_user`         |
-|              |                    |            | Password  | `databases.openproject.password`         |                            |
-| OX App Suite | OX App Suite       | MariaDB    |           |                                          |                            |
-|              |                    |            | Name      | `databases.oxAppSuite.name`              | `CONFIGDB`                 |
-|              |                    |            | Host      | `databases.oxAppSuite.host`              | `mariadb`                  |
-|              |                    |            | Username  | `databases.oxAppSuite.username`          | `root`                     |
-|              |                    |            | Password  | `databases.oxAppSuite.password`          |                            |
-| XWiki        | XWiki              | MariaDB    |           |                                          |                            |
-|              |                    |            | Name      | `databases.xwiki.name`                   | `xwiki`                    |
-|              |                    |            | Host      | `databases.xwiki.host`                   | `mariadb`                  |
-|              |                    |            | Username  | `databases.xwiki.username`               | `xwiki_user`               |
-|              |                    |            | Password  | `databases.xwiki.password`               |                            |
+> **Note**<br>
+> openDesk supports PostgreSQL as alternative database backend for Nextcloud and XWiki. PostgreSQL is likely become the preferred option/default in the future and MariaDB might be deprecated at a later point requiring migrations[^1] if you do not select PostgreSQL for new installations.
+
+| Component        | Name               | Parameter | Key                                           | Default                      |
+| ---------------- | ------------------ | --------- | --------------------------------------------- | ---------------------------- |
+| Element          | Synapse            |           |                                               |                              |
+|                  |                    | Type      | `databases.synapse.type`                      | `postgresql`                 |
+|                  |                    | Name      | `databases.synapse.name`                      | `matrix`                     |
+|                  |                    | Host      | `databases.synapse.host`                      | `postgresql`                 |
+|                  |                    | Port      | `databases.synapse.port`                      | `5432`                       |
+|                  |                    | Username  | `databases.synapse.username`                  | `matrix_user`                |
+|                  |                    | Password  | `databases.synapse.password`                  |                              |
+| Nubus            | Guardian Mgmt API  |           |                                               |                              |
+|                  |                    | Type      | `databases.umsGuardianManagementApi.type`     | `postgresql`                 |
+|                  |                    | Name      | `databases.umsGuardianManagementApi.name`     | `guardianmanagementapi`      |
+|                  |                    | Host      | `databases.umsGuardianManagementApi.host`     | `postgresql`                 |
+|                  |                    | Port      | `databases.umsGuardianManagementApi.port`     | `5432`                       |
+|                  |                    | Username  | `databases.umsGuardianManagementApi.username` | `guardianmanagementapi_user` |
+|                  |                    | Password  | `databases.umsGuardianManagementApi.password` |                              |
+|                  | Keycloak           |           |                                               |                              |
+|                  |                    | Type      | `databases.keycloak.type`                     | `postgresql`                 |
+|                  |                    | Name      | `databases.keycloak.name`                     | `keycloak`                   |
+|                  |                    | Host      | `databases.keycloak.host`                     | `postgresql`                 |
+|                  |                    | Port      | `databases.keycloak.port`                     | `5432`                       |
+|                  |                    | Username  | `databases.keycloak.username`                 | `keycloak_user`              |
+|                  |                    | Password  | `databases.keycloak.password`                 |                              |
+|                  | Keycloak Extension |           |                                               |                              |
+|                  |                    | Type      | `databases.keycloakExtension.type`            | `postgresql`                 |
+|                  |                    | Name      | `databases.keycloakExtension.name`            | `keycloak_extensions`        |
+|                  |                    | Host      | `databases.keycloakExtension.host`            | `postgresql`                 |
+|                  |                    | Port      | `databases.keycloakExtension.port`            | `5432`                       |
+|                  |                    | Username  | `databases.keycloakExtension.username`        | `keycloak_extensions_user`   |
+|                  |                    | Password  | `databases.keycloakExtension.password`        |                              |
+|                  | Notifications API  |           |                                               |                              |
+|                  |                    | Type      | `databases.umsNotificationsApi.type`          | `postgresql`                 |
+|                  |                    | Name      | `databases.umsNotificationsApi.name`          | `notificationsapi`           |
+|                  |                    | Host      | `databases.umsNotificationsApi.host`          | `postgresql`                 |
+|                  |                    | Port      | `databases.umsNotificationsApi.port`          | `5432`                       |
+|                  |                    | Username  | `databases.umsNotificationsApi.username`      | `notificationsapi_user`      |
+|                  |                    | Password  | `databases.umsNotificationsApi.password`      |                              |
+|                  | Self Service       |           |                                               |                              |
+|                  |                    | Type      | `databases.umsSelfservice.type`               | `postgresql`                 |
+|                  |                    | Name      | `databases.umsSelfservice.name`               | `selfservice`                |
+|                  |                    | Host      | `databases.umsSelfservice.host`               | `postgresql`                 |
+|                  |                    | Port      | `databases.umsSelfservice.port`               | `5432`                       |
+|                  |                    | Username  | `databases.umsSelfservice.username`           | `selfservice_user`           |
+|                  |                    | Password  | `databases.umsSelfservice.password`           |                              |
+| Nextcloud        | Nextcloud          |           |                                               |                              |
+|                  |                    | Type      | `databases.nextcloud.type`                    | `mariadb`                    |
+|                  |                    | Name      | `databases.nextcloud.name`                    | `nextcloud`                  |
+|                  |                    | Host      | `databases.nextcloud.host`                    | `mariadb`                    |
+|                  |                    | Port      | `databases.nextcloud.port`                    | `3306`                       |
+|                  |                    | Username  | `databases.nextcloud.username`                | `nextcloud_user`             |
+|                  |                    | Password  | `databases.nextcloud.password`                |                              |
+| Notes            | Notes              |           |                                               |                              |
+|                  |                    | Type      | `databases.notes.type`                        | `postgresql`                 |
+|                  |                    | Name      | `databases.notes.name`                        | `notes`                      |
+|                  |                    | Host      | `databases.notes.host`                        | `postgresql`                 |
+|                  |                    | Port      | `databases.notes.port`                        | `5432`                       |
+|                  |                    | Username  | `databases.notes.username`                    | `notes_user`                 |
+|                  |                    | Password  | `databases.notes.password`                    |                              |
+| OpenProject      | OpenProject        |           |                                               |                              |
+|                  |                    | Type      | `databases.openproject.type`                  | `postgresql`                 |
+|                  |                    | Name      | `databases.openproject.name`                  | `openproject`                |
+|                  |                    | Host      | `databases.openproject.host`                  | `postgresql`                 |
+|                  |                    | Port      | `databases.openproject.port`                  | `5432`                       |
+|                  |                    | Username  | `databases.openproject.username`              | `openproject_user`           |
+|                  |                    | Password  | `databases.openproject.password`              |                              |
+| OX App Suite[^2] | OX App Suite       |           |                                               |                              |
+|                  |                    | Type      | `databases.oxAppSuite.type`                   | `mariadb`                    |
+|                  |                    | Name      | `databases.oxAppSuite.name`                   | `openxchange`                |
+|                  |                    | Host      | `databases.oxAppSuite.host`                   | `mariadb`                    |
+|                  |                    | Port      | `databases.oxAppSuite.port`                   | `3306`                       |
+|                  |                    | Username  | `databases.oxAppSuite.username`               | `root`                       |
+|                  |                    | Password  | `databases.oxAppSuite.password`               |                              |
+| XWiki[^3]        | XWiki              |           |                                               |                              |
+|                  |                    | Type      | `databases.xwiki.type`                        | `mariadb`                    |
+|                  |                    | Name      | `databases.xwiki.name`                        | `xwiki`                      |
+|                  |                    | Host      | `databases.xwiki.host`                        | `mariadb`                    |
+|                  |                    | Port      | `databases.xwiki.port`                        | `3306`                       |
+|                  |                    | Username  | `databases.xwiki.username`                    | `root`                       |
+|                  |                    | Password  | `databases.xwiki.password`                    |                              |
 
 # Object storage
 
 When deploying this suite to production, you need to configure the applications to use your production-grade object
 storage service.
 
-| Component   | Name        | Parameter       | Key                                      | Default            |
+| Component   | Name        | Parameter       | Key                                      | Default            |
 |-------------|-------------|-----------------|------------------------------------------|--------------------|
-| OpenProject | OpenProject |                 |                                          |                    |
-|             |             | Backend         | `objectstores.openproject.backend` | `minio` |
-|             |             | Bucket          | `objectstores.openproject.bucket` | `openproject` |
-|             |             | Endpoint        | `objectstores.openproject.endpoint` |                    |
-|             |             | Provider        | `objectstores.openproject.provider` | `AWS` |
-|             |             | Region          | `objectstores.openproject.region` |                    |
-|             |             | Secret          | `objectstores.openproject.secret` |                    |
-|             |             | Username        | `objectstores.openproject.username` | `openproject_user` |
-|             |             | Use IAM profile | `objectstores.openproject.useIAMProfile` |                    |
+| OpenProject | OpenProject |                 |                                          |                    |
+|             |             | Backend         | `objectstores.openproject.backend`       | `minio`            |
+|             |             | Bucket          | `objectstores.openproject.bucket`        | `openproject`      |
+|             |             | Endpoint        | `objectstores.openproject.endpoint`      |                    |
+|             |             | Provider        | `objectstores.openproject.provider`      | `AWS`              |
+|             |             | Region          | `objectstores.openproject.region`        |                    |
+|             |             | Secret          | `objectstores.openproject.secret`        |                    |
+|             |             | Username        | `objectstores.openproject.username`      | `openproject_user` |
+|             |             | Use IAM profile | `objectstores.openproject.useIAMProfile` |                    |
 
 # Cache
 
 When deploying this suite to production, you need to configure the applications to use your production-grade cache
 service.
 
-| Component        | Name             | Type      | Parameter | Key                          | Default          |
+| Component        | Name             | Type      | Parameter | Key                          | Default          |
 |------------------|------------------|-----------|-----------|------------------------------|------------------|
-| Intercom Service | Intercom Service | Redis     |           |                              |                  |
-|                  |                  |           | Host      | `cache.intercomService.host` | `redis-headless` |
-|                  |                  |           | Port      | `cache.intercomService.port` | `6379` |
-| Nextcloud        | Nextcloud        | Redis     |           |                              |                  |
-|                  |                  |           | Host      | `cache.nextcloud.host` | `redis-headless` |
-|                  |                  |           | Port      | `cache.nextcloud.port` | `6379` |
-| OpenProject      | OpenProject      | Memcached |           |                              |                  |
-|                  |                  |           | Host      | `cache.openproject.host` | `memcached` |
-|                  |                  |           | Port      | `cache.openproject.port` | `11211` |
-| UMS              | Self Service     | Memcached |           |                              |                  |
-|                  |                  |           | Host      | `cache.umsSelfservice.host` | `memcached` |
-|                  |                  |           | Port      | `cache.umsSelfservice.port` | `11211` |
+| Intercom Service | Intercom Service | Redis     |           |                              |                  |
+|                  |                  |           | Host      | `cache.intercomService.host` | `redis-headless` |
+|                  |                  |           | Port      | `cache.intercomService.port` | `6379`           |
+| Nextcloud        | Nextcloud        | Redis     |           |                              |                  |
+|                  |                  |           | Host      | `cache.nextcloud.host`       | `redis-headless` |
+|                  |                  |           | Port      | `cache.nextcloud.port`       | `6379`           |
+| OpenProject      | OpenProject      | Memcached |           |                              |                  |
+|                  |                  |           | Host      | `cache.openproject.host`     | `memcached`      |
+|                  |                  |           | Port      | `cache.openproject.port`     | `11211`          |
+| UMS              | Self Service     | Memcached |           |                              |                  |
+|                  |                  |           | Host      | `cache.umsSelfservice.host`  | `memcached`      |
+|                  |                  |           | Port      | `cache.umsSelfservice.port`  | `11211`          |
+
+# Footnotes
+
+[^1] The upstream product provide some valuable information regarding database migrations:
+- Nextcloud: https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/db_conversion.html
+- XWiki:
+  - https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Backup#HUsingtheXWikiExportfeature
+  - https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/ImportExport
+
+[^2] OX App Suite only supports MariaDB and requires root access, as it manages its databases itself.
+
+[^3] XWiki requires root access when using MariaDB as sub-wikis are using separate databases that are managed by XWiki. When using PostgreSQL with XWiki no root user is required as the sub-wikis are managed within multiple schemes within a single database.

docs/getting-started.md

@@ -41,7 +41,7 @@ deploy openDesk onto your Kubernetes infrastructure.
 
 # Requirements
 
-Detailed system requirements are covered on the [requirements](requirements.md) page.
+Detailed system requirements are covered on the [requirements](./docs/requirements.md) page.
 
 # Customize environment
 
@@ -49,7 +49,7 @@ Before deploying openDesk, you must configure the deployment to fit your environ
 To keep your deployment up to date, we recommend customizing in `dev`, `test`, or `prod` and not in `default` environment
 files.
 
-> All configuration options and their default values can be found in files at `helmfile/environments/default/`
+> All configuration options and their default values can be found in files at [`helmfile/environments/default/`](../helmfile/environments/default/)
 
 For the following guide, we will use `dev` as environment where variables can be set in
 `helmfile/environments/dev/values.yaml.gotmpl`.
@@ -141,7 +141,7 @@ like Docker Hub.
 Doing a test deployment will be fine with this setup. In case you want to deploy multiple times a day
 and fetch from the same IP address, you might run into rate limits at Docker Hub. In that case and in cases you
 prefer the use of a private image registry, you can configure such for
-[your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting
+[your target environment](../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting
 - `global.imageRegistry` for a private image registry and
 - `global.helmRegistry` for a private Helm chart registry.
 
@@ -221,7 +221,7 @@ cluster:
 
 By default, the `ingressClassName` is empty to select your default ingress controller. You may want to customize it by
 setting the following attribute to the name of the currently only supported ingress controller `ingress-nginx` (see
-[requirements.md](./requirements.md)) for reference) within your deployment if that is not the cluster's default ingress.
+[requirements.md](requirements.md)) for reference) within your deployment if that is not the cluster's default ingress.
 
 ```yaml
 ingress:

docs/migrations.md

@@ -7,73 +7,183 @@ SPDX-License-Identifier: Apache-2.0
 
 <!-- TOC -->
 * [Disclaimer](#disclaimer)
-* [openDesk supported upgrade path](#opendesk-supported-upgrade-path)
-* [Releases upgrade details](#releases-upgrade-details)
+* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
+* [Manual checks/actions](#manual-checksactions)
+  * [From v1.1.1](#from-v111)
+    * [Pre-upgrade from v1.1.1](#pre-upgrade-from-v111)
+      * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
+  * [From v1.1.0](#from-v110)
+    * [Pre-upgrade from v1.1.0](#pre-upgrade-from-v110)
+      * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
+      * [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
   * [From v1.0.0](#from-v100)
-    * [Pre-upgrade: Manual checks/steps](#pre-upgrade-manual-checkssteps)
-      * [Helmfile Cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
-      * [Helmfile Cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
-      * [Helmfile Cleanup: Helmfile Cleanup: Splitting external vs. openDesk services](#helmfile-cleanup-helmfile-cleanup-splitting-external-vs-opendesk-services)
+    * [Pre-upgrade from v1.0.0](#pre-upgrade-from-v100)
+      * [Helmfile cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
+      * [Helmfile cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
+      * [Helmfile cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
+      * [Helmfile cleanup: Helmfile cleanup: Splitting external vs. openDesk services](#helmfile-cleanup-helmfile-cleanup-splitting-external-vs-opendesk-services)
       * [Helmfile cleanup: Streamlining `openxchange` and `oxAppSuite` attribute names](#helmfile-cleanup-streamlining-openxchange-and-oxappsuite-attribute-names)
       * [Helmfile feature update: Dicts to define `customization.release`](#helmfile-feature-update-dicts-to-define-customizationrelease)
       * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
       * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
       * [External requirements: Redis 7.4](#external-requirements-redis-74)
+    * [Post-upgrade from v1.0.0](#post-upgrade-from-v100)
+      * [XWiki fix-ups](#xwiki-fix-ups)
   * [From v0.9.0](#from-v090)
-    * [Pre-upgrade: Manual steps](#pre-upgrade-manual-steps)
+    * [Pre-upgrade from v0.9.0](#pre-upgrade-from-v090)
       * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
       * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
+      * [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled)
       * [Changed openDesk defaults: Matrix ID](#changed-opendesk-defaults-matrix-id)
       * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
       * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
       * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
-    * [Automated migrations](#automated-migrations)
-    * [Post-upgrade: Manual steps](#post-upgrade-manual-steps)
+    * [Post-upgrade from v0.9.0](#post-upgrade-from-v090)
       * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
       * [Optional Cleanup](#optional-cleanup)
   * [From v0.8.1](#from-v081)
-    * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
-    * [Updated customizable template attributes](#updated-customizable-template-attributes)
-    * [`migrations` S3 bucket](#migrations-s3-bucket)
-* [Related components and artifacts](#related-components-and-artifacts)
+    * [Pre-upgrade from v0.8.1](#pre-upgrade-from-v081)
+      * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
+      * [Updated customizable template attributes](#updated-customizable-template-attributes)
+      * [`migrations` S3 bucket](#migrations-s3-bucket)
+* [Automated migrations - Details](#automated-migrations---details)
+  * [From v1.0.0 (automated)](#from-v100-automated)
+  * [From v0.9.0 (automated)](#from-v090-automated)
+  * [Related components and artifacts](#related-components-and-artifacts)
   * [Development](#development)
 <!-- TOC -->
 
 # Disclaimer
 
-With openDesk 1.0, we aim to offer hassle-free updates/upgrades.
+Starting with openDesk 1.0, we aim to offer hassle-free updates/upgrades.
 
-But openDesk requires a defined upgrade path that is described in the section [openDesk supported upgrade path](#opendesk-supported-upgrade-path).
+Therefore openDesk contains automated migrations between versions to lower the requirements for manual interaction. These automated migrations can have limitations in the way that they need a certain openDesk version to be installed causing a mandatory upgrade path that is described in the section [Automated migrations](#automated-migrations).
 
-Some upgrades even require manual interaction, which are referenced in the aforementioned section and described further down this document.
+Manual checks and possible activities are also required by openDesk updates, they are described in the section [Manual update steps](#manual-update-steps).
 
-> **Known limitations:**<br>
+> **Note**<br>
+> Please be sure you read / follow the requirements before you update / upgrade thoroughly.
+
+> **Known limitations**<br>
 > We assume that the PV reclaim policy is set to `delete`, resulting in PVs getting deleted as soon as the related PVC was deleted; we will not address explicit deletion for PVs.
 
-# openDesk supported upgrade path
+# Automated migrations - Overview and mandatory upgrade path
 
-When updating your openDesk installation you have to install the releases listed below in the sequential order from
-the lowest version number you are already on to the more current version you are looking to install.
+The following table gives an overview of the mandatory upgrade path of openDesk for the automated migrations to work as expected.
 
-Explanation of the table's columns:
-- *Coming from*: Check the column for the release you are currently on.
-- *Mandatory release*: Defines which release(s) support the upgrade from your currently installed version.
-- *Automatic migration*: Summary of, or link to openDesk's automatic migration details.
-- *Manual activities*: Reference to required manual steps to upgrade your openDesk installation to the *Mandatory release*.
+To upgrade existing deployments, you cannot skip any version mentioned in the column *Mandatory version*. When a version number is not fully defined (e.g. `v1.1.x`), you can install any version matching the given schema.
 
-| Coming from   | Mandatory (minimum) release | Automatic migration                                                                                                                                           | Manual activities             |
-| ------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- |
-| v0.9.0        | v1.x.x                      | [run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_2.py) | See [From v0.9.0](#from-v090) |
-| v0.8.1        | v0.9.0                      | Initializes migration system                                                                                                                                  | See [From v0.8.1](#from-v081) |
-| not supported | v0.8.1                      | First release that supporting updates                                                                                                                         |                               |
+| Mandatory version |
+| ----------------- |
+| v1.1.x            |
+| v1.0.0            |
+| v0.9.0            |
+| v0.8.1            |
 
-# Releases upgrade details
+> **Note**<br>
+> Be sure you check out the table in the release version you are going to install, an not the one that is currently installed.
+
+When interested in more details about the automated migrations, please read section [Automated migrations - Details](#automated-migrations---details).
+
+# Manual checks/actions
+
+Be sure you check all the sections for the releases your are going to update your current deployment from.
+
+## From v1.1.1
+
+### Pre-upgrade from v1.1.1
+
+#### Helmfile feature update: App settings wrapped in `apps.` element
+
+We require now [Helmfile v1.0.0-rc.8](https://github.com/helmfile/helmfile/releases/tag/v1.0.0-rc.8) for the deployment. This enables openDesk to lay the foundation for some significant cleanups where the information for the different apps especially on their `enabled` state is needed.
+
+Therefore it was required to introduce the `apps` level in [`opendesk_main.yaml.gotmpl`](../helmfile/environments/default/opendesk_main.yaml.gotmpl).
+
+If you have a deployment where you specify settings that can be found in the aforementioned file, usually to disable components or enable others, please ensure you insert the top-level attribute `apps` like shown in the following example:
+
+So a setting of:
+
+```
+certificates:
+  enabled: false
+notes:
+  enabled: true
+```
+
+needs to be changed to:
+
+```
+apps:
+  certificates:
+    enabled: false
+  notes:
+    enabled: true
+```
+
+## From v1.1.0
+
+### Pre-upgrade from v1.1.0
+
+#### Helmfile feature update: Component specific `storageClassName`
+
+With openDesk 1.1.1 we support component specific `storageClassName` definitions beside the global ones, but we had to adapt the structure that can be found in `persistence.yaml.gotmpl` to achieve this in a clean manner.
+
+If you have set custom `persistence.size.*`-values for your deployment, please continue reading as you need to adapt your `persistence` settings to the new structure.
+
+When comparing the [old 1.1.0 structure](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/v1.1.0/helmfile/environments/default/persistence.yaml.gotmpl) with the [new one](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/v1.1.1/helmfile/environments/default/persistence.yaml.gotmpl) you can spot the changes:
+
+- We replaced `persistence.size` with `persistence.storages`.
+- Below each component you can define now the `size` and the optional component specific `storageClassName`.
+- We streamlined all components to be on the same level, as Nubus had an additional level of nesting before.
+
+So a setting of:
+
+```yaml
+persistence:
+  size:
+    synapse: "1Gi"
+```
+
+needs to be changed to:
+
+```yaml
+persistence:
+  storages:
+    synapse:
+      size: "1Gi"
+```
+
+or for the Nubus related entries, the following:
+
+```yaml
+persistence:
+  size:
+    nubus:
+      ldapServerData: "1Gi"
+```
+
+needs to be changed to:
+
+```yaml
+persistence:
+  storages:
+    nubusLdapServerData:
+      size: "1Gi"
+```
+
+#### Helmfile new secret: `secrets.nubus.masterpassword`
+
+A not yet templated secret was discovered in the Nubus deployment that is now defined in [`secrets.yaml.gotmpl`](../helmfile/environments/default/theme.yaml.gotmpl) with the key `secrets.nubus.masterpassword`. If you define your own secrets, please be sure this new secret is set to the value of the `MASTER_PASSWORD` environment variable used in your deployment.
 
 ## From v1.0.0
 
-### Pre-upgrade: Manual checks/steps
+### Pre-upgrade from v1.0.0
 
-#### Helmfile Cleanup: Consistent use of `*.yaml.gotmpl`
+#### Helmfile cleanup: Restructured `/helmfile/files/theme` folder
+
+If you make use of the [theme folder](../helmfile/files/theme/) or the [`theme.yaml.gotmpl`](../helmfile/environments/default/theme.yaml.gotmpl), e.g. to applying your own imagery, please ensure you adhere to the new structure of the folder and the yaml-file.
+
+#### Helmfile cleanup: Consistent use of `*.yaml.gotmpl`
 
 In v1.0.0 the files in [`/helmfile/environments/default`](../helmfile/environments/default/) had mixed extensions,
 we have streamlined them to consistently use `*.yaml.gotmpl`.
@@ -83,7 +193,7 @@ This change requires manual action likely in two situations:
 1. You are referencing our upstream files from the aforementioned directory, e.g. in your Argo CD deployment. Please update your references to use the filenames with the new extension.
 2. You have custom files containing configuration information that are named just `*.yaml`: Please rename them to `*.yaml.gotmpl`.
 
-#### Helmfile Cleanup: Prefixing certain app directories with `opendesk-`
+#### Helmfile cleanup: Prefixing certain app directories with `opendesk-`
 
 To make it more obvious that some elements from below the [`apps`](../helmfile/apps/) directory are completely
 provided by openDesk, we have prefixed these app directories with `opendesk-`.
@@ -98,7 +208,7 @@ The described changes most likely require manual action in the following situati
 
 - You are referencing our upstream files e.g. in your Argo CD deployment, please update your references to use the new directory names.
 
-#### Helmfile Cleanup: Helmfile Cleanup: Splitting external vs. openDesk services
+#### Helmfile cleanup: Helmfile cleanup: Splitting external vs. openDesk services
 
 In v1.0.0 there was a directory `/helmfile/apps/services` that was intended to contain all the services an operator had to provide externally for production deployments.
 
@@ -228,9 +338,34 @@ The update from openDesk 1.0.0 contains Redis 7.4.1, like the other openDesk bun
 
 Please ensure for the Redis you are using that it is updated to at least 7.4 to support the requirement of OX App Suite.
 
+### Post-upgrade from v1.0.0
+
+#### XWiki fix-ups
+
+Unfortunately XWiki does not upgrade itself as expected. A bug with the supplier has already been filed. The following additional steps are required:
+
+1. To enforce re-indexing of the now fixed full-text search access the XWiki Pod and run the following commands to delete two search related directories. To complete this you need to restart the XWiki Pod, but that is anyway part of the next step:
+   ```
+   rm -rf /usr/local/xwiki/data/store/solr/search_9
+   rm -rf /usr/local/xwiki/data/cache/solr/search_9
+   ```
+
+2. This is necessary if the openDesk single sign-on does not longer work and you get a standard XWiki login dialogue instead.
+   - Find the XWiki ConfigMap `xwiki-init-scripts` and find in its `entrypoint` key data the lines beginning with `xwiki_replace_or_add "/usr/local/xwiki/data/xwiki.cfg"`
+   - Before those lines add the following line, of course setting `<YOUR_TEMPORARY_SUPERADMIN_PASSWORD>` to a value you are happy with.
+     ```
+         xwiki_replace_or_add "/usr/local/xwiki/data/xwiki.cfg" 'xwiki.superadminpassword' '<YOUR_TEMPORARY_SUPERADMIN_PASSWORD>'
+     ```
+   - Restart the XWiki Pod.
+   - Access XWiki's web UI and login with `superadmin` and the above set password.
+   - Once XWiki UI is fully rendered, remove the line with the temporary `superadmin` password from the aforementioned ConfigMap.
+   - Restart the XWiki Pod.
+
+You should have now a properly working XWiki instance with single sign-on and full-text search.
+
 ## From v0.9.0
 
-### Pre-upgrade: Manual steps
+### Pre-upgrade from v0.9.0
 
 #### Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus
 
@@ -272,6 +407,19 @@ global:
     - "external-registry"
 ```
 
+#### Changed openDesk defaults: Matrix presence status disabled
+
+Show other user's Matrix presence status is now disabled by default to comply with data protection requirements.
+
+To enable it or keep the v0.9.0 default please set:
+
+```yaml
+functional:
+  dataProtection:
+    matrixPresence:
+      enabled: true
+```
+
 #### Changed openDesk defaults: Matrix ID
 
 Until 0.9.0 openDesk used the LDAP entryUUID of a user to generate the user's Matrix ID. Due to restrictions on the
@@ -401,15 +549,7 @@ The IAMs admin account `Administrator` is a member of this group by default, but
 
 If you need other accounts to use the API, please assign them to the aforementioned group.
 
-### Automated migrations
-
-The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks.
-
-The permissions required to execute the migrations can be found in the migration's Helm chart [`role.yaml'](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/v1.3.5/charts/opendesk-migrations/templates/role.yaml?ref_type=tags#L29)
-
-The actual actions are described as code comments in the related run module [`run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_2.py).
-
-### Post-upgrade: Manual steps
+### Post-upgrade from v0.9.0
 
 #### Configuration Improvement: Separate user permission for using Video Conference component
 
@@ -441,12 +581,14 @@ kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
 
 ## From v0.8.1
 
-### Updated `cluster.networking.cidr`
+### Pre-upgrade from v0.8.1
+
+#### Updated `cluster.networking.cidr`
 
 - Action: `cluster.networking.cidr` is now an array (was a string until 0.8.1); please update your setup accordingly if you explicitly set this value.
 - Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml)
 
-### Updated customizable template attributes
+#### Updated customizable template attributes
 
 - Action: Please update your custom deployment values according to the updated default value structure.
 - References:
@@ -455,12 +597,34 @@ kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
   - `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
   - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
 
-### `migrations` S3 bucket
+#### `migrations` S3 bucket
 
 - Action: For self-managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
 - Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
 
-# Related components and artifacts
+# Automated migrations - Details
+
+## From v1.0.0 (automated)
+
+With openDesk v1.1.0 the IAM stack supports HA LDAP primary as well as scalable LDAP secondary pods.
+
+openDesk's automated migrations takes care of this upgrade requirement described here for
+[Nubus 1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.5.1/en/changelog.html#migrate-existing-ldap-server-to-mirror-mode-readiness),
+creating the config map with the mentioned label.
+
+> **Note**<br>
+> Details can be found in [run_3.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
+
+## From v0.9.0 (automated)
+
+The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks.
+
+The permissions required to execute the migrations can be found in the migration's Helm chart [`role.yaml'](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/v1.3.5/charts/opendesk-migrations/templates/role.yaml?ref_type=tags#L29)
+
+> **Note**<br>
+> Details can be found in [run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
+
+## Related components and artifacts
 
 openDesk comes with two upgrade steps as part of the deployment; they can be found in the folder [/helmfile/apps](../helmfile/apps/) as all other components:
 

docs/permissions.md

@@ -0,0 +1,202 @@
+<!--
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Roles & Permissions</h1>
+
+openDesk uses role-based access control (RBAC) to manage permissions. This system ensures that users have access only to the resources necessary for their role.
+
+<!-- TOC -->
+* [Identity and Access Management (IAM)](#identity-and-access-management-iam)
+  * [Permissions](#permissions)
+  * [Roles](#roles)
+    * [Application usage](#application-usage)
+    * [Application administration](#application-administration)
+  * [Groups](#groups)
+    * [Global groups](#global-groups)
+    * [Application groups](#application-groups)
+      * [Standard access to applications](#standard-access-to-applications)
+      * [Administrative access to applications](#administrative-access-to-applications)
+    * [Custom groups](#custom-groups)
+  * [Assigning roles/groups and permissions](#assigning-rolesgroups-and-permissions)
+  * [Predefined roles / user templates](#predefined-roles--user-templates)
+    * [*openDesk User*](#opendesk-user)
+    * [*openDesk Administrator*](#opendesk-administrator)
+  * [Managing permissions](#managing-permissions)
+  * [Hierarchies and delegation](#hierarchies-and-delegation)
+  * [Audit/Logging](#auditlogging)
+  * [Reporting](#reporting)
+  * [Delegation](#delegation)
+  * [Regular review](#regular-review)
+* [Applications](#applications)
+  * [Roles/groups](#rolesgroups)
+<!-- TOC -->
+
+# Identity and Access Management (IAM)
+
+Within openDesk's Identity and Access Management component Nubus the openDesk user accounts are managed, as well as some core roles and permissions.
+
+## Permissions
+
+A permission represents a specific authorization that defines an action a user is allowed to perform on a resource.
+
+As openDesk consists of multiple applications, each application may have different needs regarding its fine-grained internal permissions, usually these permissions are manged within each component.
+
+The overall permissions to access the application as well as group membership of users is managed in the IAM.
+
+## Roles
+
+Roles are defined sets of permissions that can be assigned to users. Each role corresponds to a specific set of tasks and responsibilities within the system. In openDesk's IAM, two roles are defined by default:
+
+- **openDesk Administrator**: Manages openDesk-global settings, such as users and groups.
+- **openDesk User**: Can login to openDesk to make use of defined openDesk applications.
+
+> **Note**<br>
+> It is strongly recommended that a user account is not granted both roles at the same time to address the segregation of duties, though it is not enforced by openDesk.
+
+### Application usage
+
+To access and use applications in openDesk and to address [the principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), a user needs to have the necessary permissions set. openDesk defines the following permissions to access applications:
+
+- **Groupware**: Use email, calendar and address book applications.
+- **Chat**: Use the chat application.
+- **Knowledge Management**: Use the wiki application.
+- **Project Management**: Use the project management application.
+- **File Sharing**: Use the file sharing application.
+- **Video Conference**: Use the video conferencing application.
+
+### Application administration
+
+For applications that provide application-specific administrative settings, openDesk defines the following permissions:
+
+- **Knowledge Management Admin**: Manage the wiki application.
+- **Project Management Admin**: Manage the project management application settings.
+- **File Sharing Admin**: Manage the file sharing administrative settings.
+
+## Groups
+
+Groups help in clustering users with similar responsibilities and enable easier assignment of roles or permissions. It is often the case that a group maps directly to a role.
+
+openDesk predefines the following groups.
+
+### Global groups
+
+- **Domain Users**: Members of this group are *openDesk Users*.
+- **Domain Admins**: Members of this group are *openDesk IAM Administrators*. By default this group is also enable for two-factor authentication (2FA).
+- **2fa-users**: Members of this group that are forced to use two-factor authentication (2FA).
+- **IAM API - Full Access**: Members of this group have full (read and write) access to the IAM's REST API.
+
+### Application groups
+
+When editing a user in the IAM you can select if a user can access or get elevated admin permission for a specific application within the "openDesk" tab. The selection is stored as an attribute on the user object, but for other applications it is helpful to also expose the information as a group membership. Therefore openDesk comes with the following [groups](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/blob/main/udm/udm-data-loader/63-groups.yaml).
+
+To easily identify these groups all of them are prefixed with `managed-by-Attribute-`.
+
+> **Note**<br>
+> The membership of these groups is automatically managed, based on the user's attributes from the "openDesk" tab. So any changes directly to the groups will be overwritten, please always use the "openDesk" of the respective user. The IAM supports to edit user attributes in multiple accounts at once.
+
+#### Standard access to applications
+
+Unless a user is member of a group the respective application is not shown in the portal.
+
+> **Note**<br>
+> In openDesk's identity provider the required OIDC claims to access an application are only granted when the respective group membership is available. So even if a user who is not a member of an application group, knows the link to the application and calls it directly, the single sign-on will not be successful.
+
+- **managed-by-Attribute-Groupware**: Members of this group have access to the groupware applications.
+- **managed-by-Attribute-Fileshare**: Members of this group have access to the file sharing application.
+- **managed-by-Attribute-Projectmanagement**: Members of this group have access to the project management application.
+- **managed-by-Attribute-Knowledgemanagement**: Members of this group have access to the wiki application.
+- **managed-by-Attribute-Livecollaboration**: Members of this group have access to the chat application.
+- **managed-by-Attribute-Videoconference**: Members of this group have access to the video conferencing application.
+
+#### Administrative access to applications
+
+Within some applications it is possible to grant users elevated permissions, these are also primarily managed by attributes from the "openDesk" tab when editing a user, but are also automatically mapped to the following groups:
+
+- **managed-by-Attribute-FileshareAdmin**: Members of this group can administrate the file sharing application.
+- **managed-by-Attribute-ProjectmanagementAdmin**: Members of this group can administrate the project management application.
+- **managed-by-Attribute-KnowledgemanagementAdmin**: Members of this group can administrate the wiki application.
+
+### Custom groups
+
+While openDesk ships with predefined groups, additional groups can be [created](https://docs.opendesk.eu/administration/gruppen/) by an *IAM Administrator*.
+
+## Assigning roles/groups and permissions
+
+Users get roles assigned based on their responsibilities and the tasks they need to perform. This assignment can be done by an admin through the [administration portal](https://docs.opendesk.eu/administration/).
+
+## Predefined roles / user templates
+
+openDesk defines [templates](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-nubus/-/blob/main/udm/udm-data-loader/65-usertemplate.yaml) for the *User* and *Administrator* roles. The templates can be used to create users with these roles by an *openDesk Administrator* using the [administration portal](https://docs.opendesk.eu/administration/).
+
+> **Notes**<br>
+> Additional/custom templates can be created using the UDM REST API.
+
+### *openDesk User*
+
+The *openDesk User* template sets the primary group to *Domain Users* and initially sets the following permissions:
+
+- **Groupware**: Enabled
+- **Chat**: Enabled
+- **Knowledge Management**: Enabled
+- **Project Management**: Enabled
+- **File Sharing**: Enabled
+- **Video Conference**: Enabled
+- **Knowledge Management Admin**: Disabled
+- **Project Management Admin**: Disabled
+- **File Sharing Admin**: Disabled
+
+### *openDesk Administrator*
+
+The *openDesk Administrator* template sets the primary group to *Domain Admins* and initially sets the following permissions:
+
+- **Groupware**: Disabled
+- **Chat**: Disabled
+- **Knowledge Management**: Disabled
+- **Project Management**: Disabled
+- **File Sharing**: Disabled
+- **Video Conference**: Disabled
+- **Knowledge Management Admin**: Disabled
+- **Project Management Admin**: Disabled
+- **File Sharing Admin**: Disabled
+
+## Managing permissions
+
+*Administrators* can manage permissions of *Users* using the [administration portal](https://docs.opendesk.eu/administration/).
+
+By using roles and permissions, openDesk ensures that users have the appropriate level of access, enhancing both security and efficiency.
+
+## Hierarchies and delegation
+
+The IAM allows the nesting of groups, in that case a group has no or not only users as members but other groups.
+
+## Audit/Logging
+
+Univention is about to provide an audit logging which brings the idea of the [UCS based directory logger](https://docs.software-univention.de/manual/5.0/en/domain-ldap/ldap-directory.html#audit-proof-logging-of-ldap-changes) to Nubus. openDesk will offer this feature as soon as it is made available in Nubus.
+
+## Reporting
+
+The IAM webinterface supports the export of reports for users and groups, which are the essential objects when it comes to permissions. These data exports can be subject to custom data analysis.
+
+## Delegation
+
+Currently the temporary assignment of roles is not supported. Role membership must be managed at the time of granting / revoking the membership.
+
+## Regular review
+
+While the overall role and permission setup must be checked by the customer including the respective custom roles, the openDesk team is challenging and improving the role and permission management on a regular basis, e.g. to address the need for a distinct "support" role.
+
+# Applications
+
+As managing all the application permissions within the IAM would require a superset of permissions to be available in the IAM causing a high level of administrative complexity, the permissions are usually managed within an application itself and mapped to roles/groups that are managed in the IAM.
+
+## Roles/groups
+
+For each IAM group it can be configured for which openDesk application the group should be visible. Like with users this is done in the "openDesk" tab of the [group administration](https://docs.opendesk.eu/administration/gruppen/).
+
+> **Note**<br>
+> Currently the openDesk applications do not support nested groups. As a result only direct group memberships of users are processed in the application.<br>
+> The plan is to enable the openDesk applications to either support nested groups or to actively provision users into an application while resolving the nested group memberships for the application.
+
+Within an application each available group can get a set of application specific permissions assigned.

docs/requirements.md

@@ -24,9 +24,10 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 
 - K8s cluster >= 1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
-- Ingress controller (Ingress NGINX)
+- Ingress controller (Ingress NGINX) == [4.11.x/1.11.x](https://github.com/kubernetes/ingress-nginx/releases) - tested with 1.11.1 up to 1.11.4
+  - **Note**: We are working on support for more recent versions, as issues have been reported with 1.12.x.
 - [Helm](https://helm.sh/) >= v3.9.0
-- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc5**
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc8**
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
@@ -48,7 +49,8 @@ Any self-hosted or managed K8s cluster >= 1.24 listed in
 
 The deployment is tested against [kubespray](https://github.com/kubernetes-sigs/kubespray) based clusters.
 
-> **Note:** The deployment is not tested against OpenShift.
+> **Note**<br>
+> The deployment is not tested against OpenShift.
 
 # Ingress controller
 

docs/security-context.md

@@ -1,8 +1,7 @@
 <!--
-SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
-
 <h1>Kubernetes Security Context</h1>
 
 <!-- TOC -->
@@ -63,7 +62,7 @@ containerSecurityContext:
 ## privileged
 
 
-Privileged Pods disable most security mechanisms and must be disallowed.
+Privileged Pods eliminate most security mechanisms and must be disallowed.
 
 ```yaml
 containerSecurityContext:
@@ -93,7 +92,7 @@ containerSecurityContext:
 ## seccompProfile
 
 
-Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
+The seccompProfile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
 
 ```yaml
 containerSecurityContext:
@@ -113,7 +112,7 @@ containerSecurityContext:
 ## readOnlyRootFilesystem
 
 
-Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
+Containers should have an immutable file systems, so that attackers can not modify application code or download malicious code.
 
 ```yaml
 containerSecurityContext:
@@ -133,10 +132,10 @@ containerSecurityContext:
 # Status quo
 
 
-openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
+openDesk aims to ensure that all security relevant settings are explicitly templated and comply with security recommendations.
 
 
-The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
+The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are properly templated by the Helm charts.
 
 
 This list gives you an overview of templated security settings and if they comply with security standards:
@@ -144,11 +143,11 @@ This list gives you an overview of templated security settings and if they compl
 
  - **yes**: Value is set to `true`
  - **no**: Value is set to `false`
- - **n/a**: No explicitly templated in openDesk and default is used.
+ - **n/a**: Not explicitly templated in openDesk; default is used.
 
 | process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
 | ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
-| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
+| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","FOWNER","SYS_CHROOT"] |
 | **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
 | **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
@@ -164,14 +163,41 @@ This list gives you an overview of templated security settings and if they compl
 | **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
 | **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
 | **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/jitsi/jigasi | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 101 | 101 | yes | yes |
+| **nextcloud**/opendesk-nextcloud/aio | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
+| **notes**/impress/backend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/frontend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/yProvider | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **nubus**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/intercom-service/provisioning | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/keycloak | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/authorizationApi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/managementApi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/managementUi | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusGuardian/openPolicyAgent | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusKeycloakBootstrap | :x: | no | n/a | no | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusKeycloakExtensions/handler | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusKeycloakExtensions/proxy | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusLdapNotifier | :x: | no | n/a | yes | yes | 101 | 102 | yes | yes |
+| **nubus**/ums/nubusNotificationsApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusPortalConsumer | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
+| **nubus**/ums/nubusPortalFrontend | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusPortalServer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusProvisioning | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusProvisioning/nats | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusSelfServiceConsumer | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusStackDataUms | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUdmListener | :x: | no | n/a | yes | yes | 102 | 65534 | yes | yes |
+| **nubus**/ums/nubusUdmRestApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUmcGateway | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **nubus**/ums/nubusUmcServer | :x: | no | n/a | yes | no | 0 | 0 | yes | yes |
 | **open-xchange**/dovecot | :x: | no | n/a | yes | n/a | n/a | n/a | yes | no ["CHOWN","DAC_OVERRIDE","KILL","NET_BIND_SERVICE","SETGID","SETUID","SYS_CHROOT"] |
 | **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
@@ -183,34 +209,26 @@ This list gives you an overview of templated security settings and if they compl
 | **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **open-xchange**/opendesk-open-xchange-bootstrap | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-migrations-post**/opendesk-migrations-post | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-migrations-pre**/opendesk-migrations-pre | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
+| **opendesk-services**/opendesk-static-files | :x: | no | n/a | yes | yes | 101 | 101 | yes | yes |
 | **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
-| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
-| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
-| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **univention-management-stack**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums/ldap-notifier | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
-| **univention-management-stack**/ums/portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
-| **univention-management-stack**/ums/stack-gateway | :x: | no | no | no | yes | 1001 | 0 | yes | yes |
-| **univention-management-stack**/ums/umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums/umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **services-external**/cassandra | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
+| **services-external**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
+| **services-external**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/minio | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/opendesk-dkimpy-milter | :x: | yes | no | yes | yes | 1000 | 1000 | yes | no |
+| **services-external**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
+| **services-external**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **services-external**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
 
 

helmfile/apps/collabora/helmfile-child.yaml.gotmpl

@@ -10,7 +10,17 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+
+  # Collabora Controller - Enterprise Only
+  # Source: https://github.com/CollaboraOnline/online
+  - name: "collabora-controller-repo"
+    keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg"
+    verify: {{ .Values.charts.collaboraController.verify }}
+    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
 
 releases:
   - name: "collabora-online"
@@ -18,10 +28,24 @@ releases:
     version: "{{ .Values.charts.collabora.version }}"
     values:
       - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.collaboraOnline }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.collaboraOnline }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.collabora.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.collabora.enabled }}
+  - name: "collabora-controller"
+    chart: "collabora-controller-repo/{{ .Values.charts.collaboraController.name }}"
+    version: "{{ .Values.charts.collaboraController.version }}"
+    values:
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-coco-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.collaboraController }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.collaboraController.enabled }}
 
 commonLabels:
   deployStage: "050-components"

helmfile/apps/collabora/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl

@@ -0,0 +1,63 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+controller:
+  enableHashmapParallelization: true
+  ingressUrl: "https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
+  namespacedRole: true
+  # CoolController uses `app.kubernetes.io/name` label to find deployment resource
+  # openDesk uses `fullnameOverride` in Collabora Deployment that updates `metadata.name` not the `app.kubernetes.io/name`
+  # Therefore we use the default of `collabora-online` for the `resourceName`
+  resourceName: "collabora-online"
+  statsInterval: 2000
+  watchNamespace: {{ (.Values.apps.collabora.namespace | default .Release.Namespace | quote) }}
+
+  documentMigrator:
+    enabled: true
+    coolMemoryUtilization: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetMemoryUtilizationPercentage }}
+    coolMemoryLimit: {{ .Values.resources.collabora.limits.memory }}
+
+  leaderElection:
+    enabled: {{ if gt .Values.replicas.collaboraController 1 }}true{{ else }}false{{ end }}
+
+image:
+  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.collaboraController.registry }}/{{ .Values.images.collaboraController.repository }}"
+  tag: {{ .Values.images.collaboraController.tag | quote }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+  {{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/controller"
+          pathType: "Prefix"
+
+podAnnotations: {}
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsGroup: 2000
+  runAsUser: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+
+replicaCount: {{ .Values.replicas.collaboraController }}
+
+resources:
+  {{ .Values.resources.collaboraController | toYaml | nindent 2 }}
+
+...

helmfile/apps/collabora/values-enterprise.yaml.gotmpl

@@ -0,0 +1,15 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
+autoscaling:
+  enabled: {{ .Values.apps.collaboraController.enabled }}
+  minReplicas: {{ .Values.enterpriseFeatures.collabora.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.enterpriseFeatures.collabora.autoscaling.maxReplicas }}
+  targetMemoryUtilizationPercentage: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetMemoryUtilizationPercentage }}
+  targetCPUUtilizationPercentage: {{ .Values.enterpriseFeatures.collabora.autoscaling.targetCPUUtilizationPercentage }}
+  scaleDownDisabled: {{ .Values.enterpriseFeatures.collabora.autoscaling.scaleDownDisabled }}
+...

helmfile/apps/collabora/values.yaml.gotmpl

@@ -8,17 +8,32 @@ autoscaling:
   enabled: false
 
 collabora:
+  aliasgroups:
+    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+  env:
+    - name: "POD_NAME"
+      valueFrom:
+        fieldRef:
+          fieldPath: "metadata.name"
   extra_params: >
     --o:ssl.enable=false
     --o:ssl.termination=true
     --o:fetch_update_check=0
+    --o:num_prespawn_children={{ .Values.technical.collabora.numPrespawnChildren }}
     --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/richdocuments/settings/fonts.json
     --o:net.proto={{ if eq .Values.cluster.networking.ipFamilies "DualStack" }}all{{ else }}{{ .Values.cluster.networking.ipFamilies }}{{ end }}
-
+    {{- if .Values.debug.enabled }}
+    --o:logging.level=debug
+    {{- else }}
+    --o:logging.anonymize.anonymize_user_data=true
+    {{- end }}
+    {{- if .Values.apps.collaboraController.enabled }}
+    --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
+    --o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws
+    --o:monitors.monitor[0][@retryInterval]=5
+    {{- end }}
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
-  aliasgroups:
-    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 
 fullnameOverride: "collabora"
 
@@ -34,8 +49,11 @@ imagePullSecrets:
 
 ingress:
   annotations:
-    # Ingress NGINX
+    {{- if .Values.apps.collaboraController.enabled }}
+    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_RouteToken"
+    {{- else }}
     nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
+    {{- end }}
     nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}"
     nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}"
     nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}"
@@ -44,32 +62,6 @@ ingress:
       location /cool/getMetrics { deny all; return 403; }
       location /cool/adminws/ { deny all; return 403; }
       location /browser/dist/admin/admin.html { deny all; return 403; }
-    # NGINX
-    nginx.org/websocket-services: "collabora"
-    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
-    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
-    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
-    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}"
-    nginx.org/server-snippets: |
-      # block admin and metrics endpoint from outside by default
-      location /cool/getMetrics { deny all; return 403; }
-      location /cool/adminws/ { deny all; return 403; }
-      location /browser/dist/admin/admin.html { deny all; return 403; }
-    # HAProxy
-    haproxy.org/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
-    haproxy.org/backend-config-snippet: |
-       balance url_param WOPISrc check_post
-       hash-type consistent
-    # HAProxy - Community: https://haproxy-ingress.github.io/
-    haproxy-ingress.github.io/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
-    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
-    haproxy-ingress.github.io/config-backend: |
-      hash-type consistent
-      # block admin urls from outside
-      acl admin_url path_beg /cool/getMetrics
-      acl admin_url path_beg /cool/adminws/
-      acl admin_url path_beg /browser/dist/admin/admin.html
-      http-request deny if admin_url
   enabled: {{ .Values.ingress.enabled }}
   className: {{ .Values.ingress.ingressClassName | quote }}
   hosts:

helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
 
 releases:
   - name: "cryptpad"
@@ -18,10 +18,10 @@ releases:
     version: "{{ .Values.charts.cryptpad.version }}"
     values:
       - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.cryptpad }}
+      {{- range .Values.customization.release.cryptpad }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.cryptpad.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.cryptpad.enabled }}
 
 commonLabels:
   deployStage: "050-components"

helmfile/apps/cryptpad/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/element/helmfile-child.yaml.gotmpl

@@ -10,35 +10,35 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
   - name: "element-well-known-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.elementWellKnown.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
   - name: "synapse-web-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseWeb.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
   - name: "synapse-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapse.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
   - name: "synapse-create-account-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseCreateAccount.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
 
   # openDesk Matrix Widgets
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -48,35 +48,35 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
   - name: "matrix-neoboard-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
   - name: "matrix-neochoice-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
   - name: "matrix-neodatefix-widget-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
   - name: "matrix-neodatefix-bot-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
 
   # openDesk Enterprise Repositories
 
@@ -88,45 +88,39 @@ repositories:
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseAdmin.registry }}/{{ .Values.charts.synapseAdmin.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseAdmin.registry }}/{{ .Values.charts.synapseAdmin.repository }}"
   - name: "synapse-adminbot-web-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseAdminbotWeb.verify }}
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseAdminbotWeb.registry }}/{{ .Values.charts.synapseAdminbotWeb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseAdminbotWeb.registry }}/{{ .Values.charts.synapseAdminbotWeb.repository }}"
   - name: "synapse-groupsync-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseGroupsync.verify }}
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseGroupsync.registry }}/{{ .Values.charts.synapseGroupsync.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapseGroupsync.registry }}/{{ .Values.charts.synapseGroupsync.repository }}"
   - name: "synapse-pipe-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapsePipe.verify }}
     username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.synapsePipe.registry }}/{{ .Values.charts.synapsePipe.repository }}"
 
 releases:
-  # During upgrade 1.0.0 -> 1.1.0 the chart 'opendesk-element' has been moved to 'opendesk-element-web'
   - name: "opendesk-element"
     chart: "element-repo/{{ .Values.charts.element.name }}"
     version: "{{ .Values.charts.element.version }}"
-    installed: false
-
-  - name: "opendesk-element-web"
-    chart: "element-repo/{{ .Values.charts.elementWeb.name }}"
-    version: "{{ .Values.charts.elementWeb.version }}"
     values:
       - "values-element.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskElement }}
+      {{- range .Values.customization.release.opendeskElement }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.element.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-well-known"
@@ -134,10 +128,10 @@ releases:
     version: "{{ .Values.charts.elementWellKnown.version }}"
     values:
       - "values-well-known.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskWellKnown }}
+      {{- range .Values.customization.release.opendeskWellKnown }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.element.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-web"
@@ -145,10 +139,10 @@ releases:
     version: "{{ .Values.charts.synapseWeb.version }}"
     values:
       - "values-synapse-web.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskSynapseWeb }}
+      {{- range .Values.customization.release.opendeskSynapseWeb }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.element.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse"
@@ -156,10 +150,10 @@ releases:
     version: "{{ .Values.charts.synapse.version }}"
     values:
       - "values-synapse.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskSynapse }}
+      {{- range .Values.customization.release.opendeskSynapse }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.element.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-matrix-user-verification-service-bootstrap"
@@ -167,7 +161,10 @@ releases:
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
       - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixUserVerificationServiceBootstrap }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "opendesk-matrix-user-verification-service"
@@ -175,7 +172,10 @@ releases:
     version: "{{ .Values.charts.matrixUserVerificationService.version }}"
     values:
       - "values-matrix-user-verification-service.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixUserVerificationService }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neoboard-widget"
@@ -183,15 +183,21 @@ releases:
     version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
     values:
       - "values-matrix-neoboard-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeoboardWidget }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neochoice-widget"
-    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
-    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
+    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiceWidget.name }}"
+    version: "{{ .Values.charts.matrixNeochoiceWidget.version }}"
     values:
       - "values-matrix-neochoice-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeochoiceWidget }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-widget"
@@ -199,7 +205,10 @@ releases:
     version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
     values:
       - "values-matrix-neodatefix-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeodatefixWidget }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-bot-bootstrap"
@@ -207,7 +216,10 @@ releases:
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
       - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeodatefixBotBootstrap }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-bot"
@@ -215,7 +227,10 @@ releases:
     version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
     values:
       - "values-matrix-neodatefix-bot.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
+      {{- range .Values.customization.release.matrixNeodatefixBot }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.element.enabled }}
     timeout: 900
 
   # openDesk Enterprise Releases
@@ -223,70 +238,77 @@ releases:
     chart: "synapse-admin-repo/{{ .Values.charts.synapseAdmin.name }}"
     version: "{{ .Values.charts.synapseAdmin.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAdmin }}
+      - "values-synapse-admin.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAdmin }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-adminbot-bootstrap"
     chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAdminbotBootstrap }}
+      - "values-synapse-adminbot-bootstrap.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAdminbotBootstrap }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-adminbot-pipe"
     chart: "synapse-pipe-repo/{{ .Values.charts.synapsePipe.name }}"
     version: "{{ .Values.charts.synapsePipe.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAdminbotPipe }}
+      - "values-synapse-adminbot-pipe.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAdminbotPipe }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-adminbot-web"
     chart: "synapse-adminbot-web-repo/{{ .Values.charts.synapseAdminbotWeb.name }}"
     version: "{{ .Values.charts.synapseAdminbotWeb.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAdminbotWeb }}
+      - "values-synapse-adminbot-web.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAdminbotWeb }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-auditbot-bootstrap"
     chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
     version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAuditbotBootstrap }}
+      - "values-synapse-auditbot-bootstrap.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAuditbotBootstrap }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-auditbot-pipe"
     chart: "synapse-pipe-repo/{{ .Values.charts.synapsePipe.name }}"
     version: "{{ .Values.charts.synapsePipe.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseAuditbotPipe }}
+      - "values-synapse-auditbot-pipe.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseAuditbotPipe }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementAdmin.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementAdmin.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-groupsync"
     chart: "synapse-groupsync-repo/{{ .Values.charts.synapseGroupsync.name }}"
     version: "{{ .Values.charts.synapseGroupsync.version }}"
     values:
-      {{ range .Values.customization.release.opendeskSynapseGroupsync }}
+      - "values-synapse-groupsync.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskSynapseGroupsync }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.elementGroupsync.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.elementGroupsync.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/element/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/element/values-element.yaml.gotmpl

@@ -98,7 +98,7 @@ configuration:
             - org.matrix.msc2762.receive.event:net.nordeck.meetings.sub_meetings.send_message
             - org.matrix.msc3973.user_directory_search
 
-  welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
+  welcomeUserId: "@meetings-bot:{{ .Values.global.matrixDomain | default .Values.global.domain }}"
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
@@ -149,6 +149,7 @@ resources:
   {{ .Values.resources.element | toYaml | nindent 2 }}
 
 theme:
+  title: "Chat - {{ .Values.theme.texts.productName }}"
   {{ .Values.theme | toYaml | nindent 2 }}
 
 ...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -81,8 +81,8 @@ liveness sample:
   enabled: true
 
 persistence:
-  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  size: {{ .Values.persistence.storages.matrixNeoDateFixBot.size | quote }}
+  storageClass: {{ coalesce .Values.persistence.storages.matrixNeoDateFixBot.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
 
 podAnnotations: {}
 

helmfile/apps/element/values-synapse-admin.yaml.gotmpl

@@ -0,0 +1,87 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  adminBot:
+    backupPhrase: {{ .Values.secrets.matrixAdminBot.backupPassphrase | quote }}
+    #name: "adminbot"
+    #secretName: "matrix-adminbot-account"
+    #secretKey: "access_token"
+  auditBot:
+    backupPhrase: {{ .Values.secrets.matrixAuditBot.backupPassphrase | quote }}
+    #name: "auditbot"
+  database:
+    host: {{ .Values.databases.synapse.host | quote }}
+    port: {{ .Values.databases.synapse.port }}
+    name: {{ .Values.databases.synapse.name | quote }}
+    user: {{ .Values.databases.synapse.username | quote }}
+    password:
+      value: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
+    requireAuth: {{ .Values.databases.synapse.requireAuth }}
+    channelBinding: {{ .Values.databases.synapse.channelBinding | quote }}
+    connectTimeout: {{ .Values.databases.synapse.connectTimeout }}
+    clientEncoding: {{ .Values.databases.synapse.clientEncoding | quote }}
+    keepalives: {{ .Values.databases.synapse.keepalives }}
+    keepalivesIdle: {{ .Values.databases.synapse.keepalivesIdle }}
+    keepalivesInterval: {{ .Values.databases.synapse.keepalivesInterval }}
+    keepalivesCount: {{ .Values.databases.synapse.keepalivesCount }}
+    replication: {{ .Values.databases.synapse.replication }}
+    gssencmode: {{ .Values.databases.synapse.gssencmode | quote }}
+    sslmode: {{ .Values.databases.synapse.sslmode | quote }}
+    sslcompression: {{ .Values.databases.synapse.sslcompression }}
+    sslMinProtocolVersion: {{ .Values.databases.synapse.sslMinProtocolVersion | quote }}
+    connectionPoolMin: {{ .Values.databases.synapse.connectionPoolMin }}
+    connectionPoolMax: {{ .Values.databases.synapse.connectionPoolMax }}
+  # Settings regarding homeserver.
+  homeserver:
+    # -- URL of synapse deployment. As default the url of synapse will be used.
+    #baseUrl: ""
+    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+  ldap:
+    base: {{ .Values.ldap.baseDn | quote }}
+    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
+    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
+    filter: "(memberOf=cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }})"
+    uri: {{ printf "ldap://%s:389" .Values.ldap.host | quote }}
+cron:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSyncAdmins.registry | quote }}
+    repository: {{ .Values.images.elementSyncAdmins.repository | quote }}
+    tag: {{ .Values.images.elementSyncAdmins.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+#fullnameOverride: "opendesk-synapse-admin"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementSynapseAdmin.registry | quote }}
+  repository: {{ .Values.images.elementSynapseAdmin.repository | quote }}
+  tag: {{ .Values.images.elementSynapseAdmin.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+{{- if .Values.certificate.selfSigned }}
+extraEnvVars:
+  - name: "NODE_EXTRA_CA_CERTS"
+    value: "/etc/ssl/certs/ca-certificates.crt"
+extraVolumes:
+  - name: "trusted-cert-secret-volume"
+    secret:
+      secretName: "opendesk-certificates-ca-tls"
+      items:
+        - key: "ca.crt"
+          path: "ca-certificates.crt"
+extraVolumeMounts:
+  - name: "trusted-cert-secret-volume"
+    mountPath: "/etc/ssl/certs/ca-certificates.crt"
+    subPath: "ca-certificates.crt"
+{{- end }}
+...

helmfile/apps/element/values-synapse-adminbot-bootstrap.yaml.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  username: "adminbot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-adminbot-account"
+  password: {{ .Values.secrets.matrixAdminBot.password | quote }}
+  pipeConfig:
+    enabled: true
+    type: "admin"
+    secretName: "matrix-adminbot-config"
+    asToken: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+    hsToken: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+    serviceUrl: "http://opendesk-synapse-web:8008"
+    backupPassphrase: {{ .Values.secrets.matrixAdminBot.backupPassphrase | quote }}
+    homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "matrix-adminbot-bootstrap"
+...

helmfile/apps/element/values-synapse-adminbot-pipe.yaml.gotmpl

@@ -0,0 +1,21 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  secretName: "matrix-adminbot-config"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
+  url: {{ .Values.images.elementPipe.repository | quote }}
+  tag: {{ .Values.images.elementPipe.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "opendesk-synapse-adminbot-pipe"
+...

helmfile/apps/element/values-synapse-adminbot-web.yaml.gotmpl

@@ -0,0 +1,25 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  homeserver:
+    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementAdminBot.registry | quote }}
+  repository: {{ .Values.images.elementAdminBot.repository | quote }}
+  tag: {{ .Values.images.elementAdminBot.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+...

helmfile/apps/element/values-synapse-auditbot-bootstrap.yaml.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  username: "auditbot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-auditbot-account"
+  password: {{ .Values.secrets.matrixAuditBot.password | quote }}
+  pipeConfig:
+    enabled: true
+    type: "admin"
+    secretName: "matrix-auditbot-config"
+    asToken: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+    hsToken: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+    serviceUrl: "http://opendesk-synapse-web:8008"
+    backupPassphrase: {{ .Values.secrets.matrixAuditBot.backupPassphrase | quote }}
+    homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "matrix-auditbot-bootstrap"
+...

helmfile/apps/element/values-synapse-auditbot-pipe.yaml.gotmpl

@@ -0,0 +1,21 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  secretName: "matrix-auditbot-config"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementPipe.registry | quote }}
+  url: {{ .Values.images.elementPipe.repository | quote }}
+  tag: {{ .Values.images.elementPipe.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+fullnameOverride: "opendesk-synapse-auditbot-pipe"
+...

helmfile/apps/element/values-synapse-groupsync.yaml.gotmpl

@@ -0,0 +1,56 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  asToken: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+  dryRun: false
+  hsToken: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+  id: "gps"
+  homeserverName: {{ .Values.global.matrixDomain | default .Values.global.domain | quote }}
+  registrationSharedSecret: {{ .Values.secrets.synapse.registrationSharedSecret | quote }}
+  runOnce: false
+  username: "groupsyncbot"
+  ldap:
+    attributes:
+      name: "description"
+      uid: "uid"
+    base: {{ .Values.ldap.baseDn | quote }}
+    bind_dn: "uid=ldapsearch_element,cn=users,{{ .Values.ldap.baseDn }}"
+    bind_password: {{ .Values.secrets.nubus.ldapSearch.element | quote }}
+    check_interval_seconds: 60
+    type: mapped-ldap
+    uri: "ldap://ums-ldap-server:389"
+  spaces:
+    - groups:
+        - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+          powerLevel: 50
+        - externalId: "cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}"
+      id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
+      name: "openDesk"
+      subspaces:
+        - groups:
+            - externalId: "cn=managed-by-attribute-LivecollaborationAdmin,cn=groups,{{ .Values.ldap.baseDn }}"
+              powerLevel: 50
+          id: "e7889d96-5baa-4e21-be6e-12c66b2e9565"
+          name: "openDesk Element Admins"
+  provisionerDefaultRooms:
+    - id: "c3122e32-4e05-4bf8-8a5d-66679076ed36"
+      properties:
+        name: "openDesk"
+  # Name of group sync service (default opendesk-synapse-groupsync)
+  groupSyncService: "opendesk-synapse-groupsync"
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.elementGroupsync.registry | quote }}
+  url: {{ .Values.images.elementGroupsync.repository | quote }}
+  tag: {{ .Values.images.elementGroupsync.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+...

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -69,6 +69,60 @@ configuration:
               regex: "@.*"
         url: null
         sender_localpart: ox-appsuite
+    {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      {{- if .Values.apps.elementAdmin.enabled }}
+      - as_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.matrixAdminBot.synapseAsToken | quote }}
+        id: "element-adminbot-pipe"
+        namespaces:
+          rooms:
+            - exclusive: false
+              regex: "!.*:{{ .Values.global.domain }}"
+          users:
+            - exclusive: false
+              regex: "@.*:.*"
+            - exclusive: true
+              regex: "@adminbot:{{ .Values.global.domain }}"
+        de.sorunome.msc2409.push_ephemeral: true
+        org.matrix.msc3202: true
+        url: "http://opendesk-synapse-adminbot-pipe:9995"
+        rate_limited: false
+        sender_localpart: "adminbot-sendernotinuse"
+      - as_token: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.matrixAuditBot.synapseAsToken | quote }}
+        id: "element-auditbot-pipe"
+        namespaces:
+          rooms:
+            - exclusive: false
+              regex: "!.*:{{ .Values.global.domain }}"
+          users:
+            - exclusive: false
+              regex: "@.*:.*"
+            - exclusive: true
+              regex: "@auditbot:{{ .Values.global.domain }}"
+        de.sorunome.msc2409.push_ephemeral: true
+        org.matrix.msc3202: true
+        url: "http://opendesk-synapse-auditbot-pipe:9995"
+        rate_limited: false
+        sender_localpart: "auditbot-sendernotinuse"
+      {{- end }}
+      {{- if .Values.apps.elementGroupsync.enabled }}
+      - as_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.matrixGroupsync.synapseAsToken | quote }}
+        id: "gps"
+        namespaces:
+          rooms:
+            - exclusive: false
+              regex: "!.*:{{ .Values.global.domain }}"
+          users:
+            - exclusive: false
+              regex: '@.*:{{ .Values.global.domain }}'
+        url: "http://opendesk-synapse-groupsync:10010"
+        rate_limited: false
+        sender_localpart: "groupsyncbot"
+      {{- end }}
+    registrationSharedSecret: {{ .Values.secrets.synapse.registrationSharedSecret | quote }}
+    {{- end }}
 
     presence:
       enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
@@ -78,7 +132,7 @@ configuration:
 
     smtp:
       senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
       port: 25
       tls: false
       starttls: false
@@ -176,8 +230,8 @@ image:
   tag: {{ .Values.images.synapse.tag | quote }}
 
 persistence:
-  size: {{ .Values.persistence.size.synapse | quote }}
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  size: {{ .Values.persistence.storages.synapse.size | quote }}
+  storageClass: {{ coalesce .Values.persistence.storages.synapse.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
 
 podAnnotations: {}
 

helmfile/apps/jitsi/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
 
 releases:
   - name: "jitsi"
@@ -18,10 +18,10 @@ releases:
     version: "{{ .Values.charts.jitsi.version }}"
     values:
       - "values-jitsi.yaml.gotmpl"
-      {{ range .Values.customization.release.jitsi }}
+      {{- range .Values.customization.release.jitsi }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.jitsi.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.jitsi.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/jitsi/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -63,6 +63,7 @@ settings:
   keycloakClientId: "opendesk-jitsi"
 
 theme:
+  title: "Videokonferenz - {{ .Values.theme.texts.productName }}"
   {{ .Values.theme | toYaml | nindent 2 }}
 
 jitsi:
@@ -84,7 +85,7 @@ jitsi:
         - secretName: {{ .Values.ingress.tls.secretName | quote }}
           hosts:
             - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
-    extraConfigJs:
+    extraConfig:
       doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
     extraEnvs:
       TURN_ENABLE: "1"
@@ -137,8 +138,8 @@ jitsi:
     resources:
       {{ .Values.resources.prosody | toYaml | nindent 6 }}
     persistence:
-      size: {{ .Values.persistence.size.prosody | quote }}
-      storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+      size: {{ .Values.persistence.storages.prosody.size | quote }}
+      storageClassName: {{ coalesce .Values.persistence.storages.prosody.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}
@@ -174,6 +175,35 @@ jitsi:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
+  jigasi:
+    replicaCount: {{ .Values.replicas.jigasi }}
+    enabled: {{ .Values.sip.jigasi.enabled }}
+    image:
+      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jigasi.registry }}/{{ .Values.images.jigasi.repository }}"
+      tag: {{ .Values.images.jigasi.tag | quote }}
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    extraEnvs:
+      JIGASI_SIP_PASSWORD: {{ .Values.sip.jigasi.password | quote }}
+      JIGASI_SIP_PORT: {{ .Values.sip.jigasi.port | quote }}
+      JIGASI_SIP_SERVER: {{ .Values.sip.jigasi.server | quote }}
+      JIGASI_SIP_TRANSPORT: {{ .Values.sip.jigasi.transport | quote }}
+      JIGASI_SIP_URI: {{ .Values.sip.jigasi.uri | quote }}
+    xmpp:
+      password: {{ .Values.secrets.jitsi.jigasiXmppPassword | quote }}
+    resources:
+      {{ .Values.resources.jigasi | toYaml | nindent 6 }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+      seccompProfile:
+        type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.jigasi | toYaml | nindent 8 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     # The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since
@@ -189,7 +219,7 @@ jitsi:
     resources:
       {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
-      type: {{ .Values.cluster.service.type | quote }}
+      type: {{ coalesce .Values.service.type.jitsiVideoBridge .Values.cluster.service.type | quote }}
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}

helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl

@@ -10,14 +10,14 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
   - name: "nextcloud-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.nextcloud.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
 
 releases:
   - name: "opendesk-nextcloud-management"
@@ -25,24 +25,30 @@ releases:
     version: "{{ .Values.charts.nextcloudManagement.version }}"
     values:
       - "values-nextcloud-mgmt.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskNextcloudManagement }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-nextcloud-mgmt-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.opendeskNextcloudManagement }}
       - {{ . }}
-      {{ end }}
+      {{- end }}
     waitForJobs: true
     wait: true
-    installed: {{ .Values.nextcloud.enabled }}
+    installed: {{ .Values.apps.nextcloud.enabled }}
     timeout: 900
   - name: "opendesk-nextcloud"
     chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
     version: "{{ .Values.charts.nextcloud.version }}"
     values:
       - "values-nextcloud.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskNextcloud }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-nextcloud-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.opendeskNextcloud }}
       - {{ . }}
-      {{ end }}
+      {{- end }}
     needs:
       - "opendesk-nextcloud-management"
-    installed: {{ .Values.nextcloud.enabled }}
+    installed: {{ .Values.apps.nextcloud.enabled }}
 
 commonLabels:
   deployStage: "050-components"

helmfile/apps/nextcloud/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/nextcloud/values-nextcloud-enterprise.yaml.gotmpl

@@ -0,0 +1,9 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+aio:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
+...

helmfile/apps/nextcloud/values-nextcloud-mgmt-enterprise.yaml.gotmpl

@@ -0,0 +1,12 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
+configuration:
+  enterprise:
+    subscriptionKey: {{ if .Values.enterpriseKeys.nextcloud.subscriptionKey }}{{ .Values.enterpriseKeys.nextcloud.subscriptionKey | quote }}{{ end }}
+    subscriptionData: {{ if .Values.enterpriseKeys.nextcloud.subscriptionData}}{{ .Values.enterpriseKeys.nextcloud.subscriptionData | quote }}{{ end }}
+...

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -12,7 +12,7 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 additionalAnnotations:
-  intents.otterize.com/service-name: "opendesk-nextcloud-php"
+  intents.otterize.com/service-name: "opendesk-nextcloud-management"
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
@@ -25,18 +25,20 @@ configuration:
       value: "nextcloud"
     password:
       value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+
   antivirus:
     {{- if .Values.antivirus.icap.host }}
     host: {{ .Values.antivirus.icap.host | quote }}
     port: {{ .Values.antivirus.icap.port | quote }}
     {{- else }}
-    {{- if .Values.clamavDistributed.enabled }}
+    {{- if .Values.apps.clamavDistributed.enabled }}
     host: "clamav-icap"
-    {{- else if .Values.clamavSimple.enabled }}
+    {{- else if .Values.apps.clamavSimple.enabled }}
     host: "clamav-simple"
     {{- end }}
     port: 1344
     {{- end }}
+
   cache:
     auth:
       enabled: true
@@ -47,10 +49,36 @@ configuration:
     host: {{ .Values.cache.nextcloud.host | quote }}
     port: {{ .Values.cache.nextcloud.port | quote }}
     tls: {{ .Values.cache.nextcloud.tls }}
+
+  feature:
+    apps:
+      contacts:
+        enabled: false
+      cryptpad:
+        enabled: {{ .Values.apps.cryptpad.enabled }}
+      filesZip:
+        enabled: true
+      groupfolders:
+        enabled: true
+      integrationOpenproject:
+        enabled: {{ .Values.apps.openproject.enabled }}
+      spreed:
+        enabled: true
+    circles:
+      enabled: false
+
   collabora:
     # internalWopiUrl: ""
     wopiAllowlist: {{ join ", " ( concat .Values.cluster.networking.cidr .Values.cluster.networking.incomingCIDR ) | quote }}
+
   database:
+    {{ if eq .Values.databases.nextcloud.type "mariadb" }}
+    type: "mysql"
+    {{ else if eq .Values.databases.nextcloud.type "postgresql" }}
+    type: "pgsql"
+    {{ else }}
+    {{ .Values.databases.nextcloud.type | quote }}
+    {{ end }}
     host: {{ .Values.databases.nextcloud.host | quote }}
     port: {{ .Values.databases.nextcloud.port | quote }}
     name: {{ .Values.databases.nextcloud.name | quote }}
@@ -58,12 +86,20 @@ configuration:
       username:
         value: {{ .Values.databases.nextcloud.username | quote }}
       password:
+        {{- if or (eq .Values.databases.nextcloud.type "mariadb") (eq .Values.databases.nextcloud.type "mysql") }}
         value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
+        {{- else if or (eq .Values.databases.nextcloud.type "postgresql") (eq .Values.databases.nextcloud.type "psql") }}
+        value: {{ .Values.databases.nextcloud.password | default .Values.secrets.postgresql.nextcloudUser | quote }}
+        {{- else }}
+        value: {{ .Values.databases.nextcloud.password | quote }}
+        {{- end }}
+
   ldap:
     host: {{ .Values.ldap.host | quote }}
     password:
       value: {{ .Values.secrets.nubus.ldapSearch.nextcloud | quote }}
     adminGroupName: "managed-by-attribute-FileshareAdmin"
+
   objectstore:
     auth:
       accessKey:
@@ -77,16 +113,19 @@ configuration:
     port: {{ .Values.objectstores.nextcloud.port | quote }}
     pathStyle: {{ .Values.objectstores.nextcloud.pathStyle | quote }}
     useSSL: {{ .Values.objectstores.nextcloud.useSSL | quote }}
+
   oidc:
     username:
       value: "opendesk-nextcloud"
     password:
       value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
+
   opendeskIntegration:
     username:
       value: "opendesk_username"
     password:
       value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+
   sharing:
     allowLinks: {{ .Values.functional.filestore.sharing.external.enabled }}
     allowMailNotification: {{ .Values.functional.filestore.sharing.external.enabled }}
@@ -100,6 +139,7 @@ configuration:
     defaultExternalExpireEnforced: {{ .Values.functional.filestore.sharing.external.expiry.enforced }}
     defaultExternalExpireDays: {{ .Values.functional.filestore.sharing.external.expiry.defaultDays | quote }}
     sendPasswordMail: {{ .Values.functional.filestore.sharing.external.sendPasswordMail | quote }}
+
   smtp:
     auth:
       enabled: false
@@ -107,12 +147,13 @@ configuration:
         value: ""
       password:
         value: ""
-    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
     port: 25
     fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
     mailDomain: "{{ .Values.global.domain }}"
     security: ""
     skipVerifyPeer: true
+
   quota:
     default: "{{ .Values.functional.filestore.quota.default }} GB"
     retentionObligation:

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -50,7 +50,7 @@ exporter:
 
 aio:
   additionalAnnotations:
-    intents.otterize.com/service-name: "opendesk-nextcloud"
+    intents.otterize.com/service-name: "opendesk-nextcloud-aio"
   configuration:
     cache:
       auth:
@@ -63,6 +63,13 @@ aio:
       port: {{ .Values.cache.nextcloud.port | quote }}
       tls: {{ .Values.cache.nextcloud.tls }}
     database:
+      {{ if eq .Values.databases.nextcloud.type "mariadb" }}
+      type: "mysql"
+      {{ else if eq .Values.databases.nextcloud.type "postgresql" }}
+      type: "pgsql"
+      {{ else }}
+      {{ .Values.databases.nextcloud.type | quote }}
+      {{ end }}
       host: {{ .Values.databases.nextcloud.host | quote }}
       port: {{ .Values.databases.nextcloud.port | quote }}
       name: {{ .Values.databases.nextcloud.name | quote }}
@@ -70,7 +77,13 @@ aio:
         username:
           value: {{ .Values.databases.nextcloud.username | quote }}
         password:
+          {{- if or (eq .Values.databases.nextcloud.type "mariadb") (eq .Values.databases.nextcloud.type "mysql") }}
           value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
+          {{- else if or (eq .Values.databases.nextcloud.type "postgresql") (eq .Values.databases.nextcloud.type "psql") }}
+          value: {{ .Values.databases.nextcloud.password | default .Values.secrets.postgresql.nextcloudUser | quote }}
+          {{- else }}
+          value: {{ .Values.databases.nextcloud.password | quote }}
+          {{- end }}
     trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
   containerSecurityContext:
     allowPrivilegeEscalation: false
@@ -89,6 +102,9 @@ aio:
       {{ .Values.seLinuxOptions.nextcloud | toYaml | nindent 6 }}
   cron:
     successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
+    resources:
+      {{ .Values.resources.nextcloudCron | toYaml | nindent 6 }}
+
   debug:
     loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
   {{- if .Values.certificate.selfSigned }}

helmfile/apps/notes/helmfile-child.yaml.gotmpl

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # Notes
+  # Source: https://github.com/numerique-gouv/impress
+  - name: "notes-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.notes.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.notes.registry }}/{{ .Values.charts.notes.repository }}"
+
+releases:
+  - name: "impress"
+    chart: "notes-repo/{{ .Values.charts.notes.name }}"
+    version: "{{ .Values.charts.notes.version }}"
+    wait: true
+    values:
+      - "values.yaml.gotmpl"
+      {{- range .Values.customization.release.notes }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.notes.enabled }}
+    timeout: 1800
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "notes"
+...

helmfile/apps/notes/helmfile.yaml.gotmpl

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml.gotmpl"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml.gotmpl"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/notes/values.yaml.gotmpl

@@ -0,0 +1,230 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesBackend.registry) (.Values.images.notesBackend.repository) | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.notesBackend.tag }}
+  credentials:
+    name: {{ .Values.global.imagePullSecrets | first | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName }}
+  host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+ingressCollaborationWS:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName }}
+  host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  path: "/collaboration/ws/"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+  annotations:
+    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Can-Edit, X-User-Id"
+    nginx.ingress.kubernetes.io/auth-url: https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/documents/collaboration-auth/
+    nginx.ingress.kubernetes.io/enable-websocket: "true"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
+    nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
+
+ingressAdmin:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName }}
+  host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+ingressMedia:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName }}
+  host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  annotations:
+    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
+    nginx.ingress.kubernetes.io/auth-url: "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/documents/retrieve-auth/"
+    nginx.ingress.kubernetes.io/upstream-vhost: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /{{ .Values.objectstores.notes.bucket }}/$1
+    nginx.ingress.kubernetes.io/session-cookie-path: /media
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+ingressCollaborationApi:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName }}
+  host: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
+  path: /collaboration/api/
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+
+serviceMedia:
+  host: {{ .Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  port: {{ .Values.objectstores.notes.port | default 443 }}
+
+frontend:
+  image:
+    repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.notesFrontend.registry) (.Values.images.notesFrontend.repository) | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.notesFrontend.tag }}
+  envVars:
+    PORT: 8080
+    NEXT_PUBLIC_API_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    NEXT_PUBLIC_Y_PROVIDER_URL: {{ printf "wss://%s.%s/ws" .Values.global.hosts.notes .Values.global.domain | quote }}
+    NEXT_PUBLIC_MEDIA_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
+  runtimeEnvs:
+    ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
+    PORTAL_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+  replicas: {{ .Values.replicas.notesFrontend }}
+  resources:
+    {{ .Values.resources.notesFrontend | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    runAsUser: 1001
+    runAsGroup: 1001
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.notesFrontend | toYaml | nindent 6 }}
+
+yProvider:
+  image:
+    repository: {{ printf "%s/%s" (coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.notesYProvider.registry) (.Values.images.notesYProvider.repository) | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.notesYProvider.tag }}
+  resources:
+    {{ .Values.resources.notesYProvider | toYaml | nindent 4 }}
+  replicas: {{ .Values.replicas.notesYProvider }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    runAsUser: 1001
+    runAsGroup: 1001
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
+  envVars:
+    COLLABORATION_LOGGING: {{ if .Values.debug.enabled }}"true"{{ else }}"false"{{ end }}
+    COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
+
+oidc:
+  clientId: "opendesk-notes"
+  clientSecret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+
+aiApiKey: {{ .Values.ai.apiKey }}
+aiBaseUrl: {{ .Values.ai.endpoint }}
+
+djangoSuperUserEmail: "default.admin@{{ .Values.global.domain }}"
+djangoSuperUserPass: {{ .Values.secrets.notes.superuser }}
+djangoSecretKey: {{ .Values.secrets.notes.djangoSecretKey }}
+
+backend:
+  replicas: {{ .Values.replicas.notesBackend }}
+  envVars:
+    DB_HOST: {{ .Values.databases.notes.host | quote }}
+    DB_NAME: {{ .Values.databases.notes.name | quote }}
+    DB_USER: {{ .Values.databases.notes.username | quote }}
+    DB_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
+    DB_PORT: {{ .Values.databases.notes.port | quote }}
+    POSTGRES_DB: {{ .Values.databases.notes.name | quote }}
+    POSTGRES_USER: {{ .Values.databases.notes.username | quote }}
+    POSTGRES_PASSWORD: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
+    FRONTEND_THEME: "openDesk"
+    REDIS_URL: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
+    AWS_S3_ENDPOINT_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
+    AWS_S3_ACCESS_KEY_ID: {{ .Values.objectstores.notes.username }}
+    AWS_S3_SECRET_ACCESS_KEY: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
+    AWS_STORAGE_BUCKET_NAME: {{ .Values.objectstores.notes.bucket }}
+    DJANGO_CSRF_TRUSTED_ORIGINS: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    DJANGO_CONFIGURATION: Production
+    DJANGO_ALLOWED_HOSTS: "*"
+    DJANGO_SECRET_KEY: {{ .Values.secrets.notes.djangoSecretKey }}
+    DJANGO_SETTINGS_MODULE: impress.settings
+    DJANGO_SUPERUSER_PASSWORD: {{ .Values.secrets.notes.superuser }}
+    DJANGO_EMAIL_HOST: "postfix"
+    DJANGO_EMAIL_PORT: 25
+    DJANGO_EMAIL_USE_SSL: False
+    OIDC_RP_CLIENT_ID: "opendesk-notes"
+    OIDC_RP_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+    OIDC_OP_JWKS_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
+    OIDC_OP_AUTHORIZATION_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
+    OIDC_OP_TOKEN_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
+    OIDC_OP_USER_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
+    OIDC_OP_LOGOUT_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
+    OIDC_RP_SIGN_ALGO: RS256
+    OIDC_RP_SCOPES: "openid opendesk-notes-scope"
+    USER_OIDC_FIELD_TO_SHORTNAME: "given_name"
+    USER_OIDC_FIELDS_TO_FULLNAME: "given_name family_name"
+    OIDC_REDIRECT_ALLOWED_HOSTS: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
+    OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{}"
+    OIDC_RENEW_ID_TOKEN: "False"
+    LOGIN_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    LOGIN_REDIRECT_URL_FAILURE: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+    LOGOUT_REDIRECT_URL: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain | quote }}
+    AI_BASE_URL: {{ .Values.ai.endpoint | quote }}
+    AI_API_KEY: {{ .Values.ai.apiKey | quote }}
+    AI_MODEL: {{ .Values.ai.model | quote }}
+    Y_PROVIDER_API_KEY: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    Y_PROVIDER_API_BASE_URL: {{ printf "https://%s.%s/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
+    COLLABORATION_API_URL: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
+    COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
+    COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
+    COLLABORATION_WS_URL:  {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
+  migrate:
+    command:
+      - "/bin/sh"
+      - "-c"
+      - |
+        python manage.py migrate --no-input &&
+        python manage.py create_demo --force
+    restartPolicy: Never
+
+  createsuperuser:
+    command:
+      - "/bin/sh"
+      - "-c"
+      - |
+        python manage.py createsuperuser --email default.admin@{{ .Values.global.domain }} --password {{ .Values.secrets.notes.superuser }}
+    restartPolicy: Never
+
+  resources:
+    {{ .Values.resources.notesBackend | toYaml | nindent 4 }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    privileged: false
+    runAsUser: 1001
+    runAsGroup: 1001
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
+...

helmfile/apps/nubus/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
     url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
+      "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
   # Intercom Service
   # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
   - name: "intercom-service-repo"
@@ -19,7 +19,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
   # openDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -27,7 +27,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
   # NGINX S3 Gateway Chart
   - name: "nginx-s3-gateway-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -35,7 +35,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
 
 releases:
   # Univention Management Stack Umbrella Chart
@@ -44,12 +44,10 @@ releases:
     version: "{{ .Values.charts.nubus.version }}"
     values:
       - "values-nubus.yaml.gotmpl"
-      - "values-opendesk-customization.yaml.gotmpl"
-      - "values-opendesk-images.yaml.gotmpl"
-      {{ range .Values.customization.release.ums }}
+      {{- range .Values.customization.release.ums }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.nubus.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.nubus.enabled }}
     timeout: 900
   # Intercom-Service
   - name: "intercom-service"
@@ -57,10 +55,10 @@ releases:
     version: "{{ .Values.charts.intercomService.version }}"
     values:
       - "values-intercom-service.yaml.gotmpl"
-      {{ range .Values.customization.release.intercomService }}
+      {{- range .Values.customization.release.intercomService }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.nubus.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.nubus.enabled }}
 
   # openDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap"
@@ -68,12 +66,12 @@ releases:
     version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
     values:
       - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskKeycloakBootstrap }}
+      {{- range .Values.customization.release.opendeskKeycloakBootstrap }}
       - {{ . }}
-      {{ end }}
+      {{- end }}
     needs:
       - "ums"
-    installed: {{ .Values.nubus.enabled }}
+    installed: {{ .Values.apps.nubus.enabled }}
     timeout: 900
 
   # NGINX S3 Gateway (when cluster minio is not used)
@@ -82,10 +80,10 @@ releases:
     version: "{{ .Values.charts.nginxS3Gateway.version }}"
     values:
       - "values-nginx-s3-gateway.yaml.gotmpl"
-      {{ range .Values.customization.release.nginxS3Gateway }}
+      {{- range .Values.customization.release.nginxS3Gateway }}
       - {{ . }}
-      {{ end }}
-    installed: {{ not .Values.minio.enabled }}
+      {{- end }}
+    installed: {{ not .Values.apps.minio.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/nubus/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/nubus/values-intercom-service.yaml.gotmpl

@@ -53,8 +53,8 @@ ics:
   secret: {{ .Values.secrets.intercom.secret | quote }}
   issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   originRegex: "{{ .Values.global.domain }}"
-  userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"entryuuid"{{ else }}"phoenixusername"{{ end }}
-  usernameClaim: "phoenixusername"
+  userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
+  usernameClaim: "opendesk_username"
   keycloak:
     realm: {{ .Values.platform.realm | quote }}
   default:
@@ -107,7 +107,9 @@ podSecurityContext:
   fsGroupChangePolicy: "Always"
 
 provisioning:
-  enabled: true
+  # intercom OIDC client is created by opendesk-keycloak-bootstrap, as we have control over the
+  # client's claims this way.
+  enabled: false
   config:
     nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
     keycloak:
@@ -134,6 +136,8 @@ provisioning:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
     repository: {{ .Values.images.nubusKeycloakBootstrap.repository | quote }}
     tag: {{ .Values.images.nubusKeycloakBootstrap.tag | quote }}
+  resources:
+    {{ .Values.resources.intercomService | toYaml | nindent 4 }}
   securityContext:
     seccompProfile:
       type: "RuntimeDefault"

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -1,722 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-keycloak:
-  enabled: true
-  ingress:
-    enabled: false
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: false
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-keycloak"
-  replicaCount: {{ .Values.replicas.keycloak }}
-  resources:
-    {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
-
-nubusGuardian:
-  authorizationApi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-guardian-authorization-api"
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
-    replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
-    resources:
-      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
-  managementApi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-guardian-management-api"
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
-    replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
-    resources:
-      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
-  managementUi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-guardian-management-ui"
-    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
-    resources:
-      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
-  openPolicyAgent:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
-    replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
-    resources:
-      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
-  provisioning:
-    # Using openDesk keycloak provisioning
-    enabled: false
-
-nubusNotificationsApi:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-notifications-api"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  serviceAccount:
-    create: true
-  replicaCount: {{ .Values.replicas.umsNotificationsApi }}
-  resources:
-    {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
-
-nubusUmcServer:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-umc-server"
-  containerSecurityContext:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  containerSecurityContextInit:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  containerSecurityContextSssd:
-    enabled: true
-    allowPrivilegeEscalation: true
-    capabilities:
-      drop:
-        - "ALL"
-      add:
-        - "DAC_OVERRIDE"
-        - "SETGID"
-        - "AUDIT_WRITE"
-        - "SETUID"
-        - "CHOWN"
-        - "SETPCAP"
-        - "FOWNER"
-        - "FSETID"
-        - "KILL"
-        - "MKNOD"
-        - "NET_BIND_SERVICE"
-        - "SYS_CHROOT"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  proxy:
-    replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
-  replicaCount: {{ .Values.replicas.umsUmcServer }}
-
-  resources:
-    {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
-  selfService:
-    passwordresetEmailBody: |
-        Sehr geehrte Benutzerin, sehr geehrter Benutzer,
-
-        Ihr Benutzername für {domainname} lautet: {username}
-
-        Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde.
-
-        Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen:
-        https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username}
-
-        Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter:
-        https://{fqdn}/univention/portal/#/selfservice/passwordforgotten
-
-        Mit freundlichen Grüßen
-        Ihr {domainname} Passwort-Service
-
-nubusKeycloakExtensions:
-  enabled: true
-  handler:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
-    resources:
-      {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
-  proxy:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
-    podAnnotations:
-      intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
-    resources:
-      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
-
-nubusPortalConsumer:
-  portalConsumer:
-    image:
-      pullSecrets:
-        {{- range .Values.global.imagePullSecrets }}
-        - name: {{ . | quote }}
-        {{- end }}
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-consumer"
-  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
-  resources:
-    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
-  resourcesWaitForDependency:
-    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
-  persistence:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
-  securityContext:
-    seccompProfile:
-      type: "RuntimeDefault"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
-  {{- if .Values.certificate.selfSigned }}
-  extraVolumes:
-    - name: "trusted-cert-secret-volume"
-      secret:
-        secretName: "opendesk-certificates-ca-tls"
-        items:
-          - key: "ca.crt"
-            path: "ca-certificates.crt"
-          - key: "ca.crt"
-            path: "cacert.pem"
-  extraVolumeMounts:
-    - name: "trusted-cert-secret-volume"
-      mountPath: "/etc/ssl/certs/ca-certificates.crt"
-      subPath: "ca-certificates.crt"
-  waitForDependency:
-    extraVolumeMounts:
-      - name: "trusted-cert-secret-volume"
-        readOnly: true
-        mountPath: "/etc/ssl/certs/ca-certificates.crt"
-        subPath: "ca-certificates.crt"
-      - name: "trusted-cert-secret-volume"
-        readOnly: true
-        mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
-        subPath: "cacert.pem"
-    extraEnvVars:
-      - name: "REQUESTS_CA_BUNDLE"
-        value: "/etc/ssl/certs/ca-certificates.crt"
-      - name: "DEFAULT_CA_BUNDLE_PATH"
-        value: "/etc/ssl/certs/ca-certificates.crt"
-      - name: "SSL_CERT_FILE"
-        value: "/etc/ssl/certs/ca-certificates.crt"
-  {{- end }}
-
-nubusUdmListener:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 102
-    runAsGroup: 65534
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsUdmListener }}
-  resources:
-    {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
-
-nubusPortalServer:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-portal-server"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  serviceAccount:
-    create: true
-  replicaCount: {{ .Values.replicas.umsPortalServer }}
-  resources:
-    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
-  {{- if .Values.certificate.selfSigned }}
-  extraVolumes:
-    - name: "trusted-cert-crt-secret-volume"
-      secret:
-        secretName: "opendesk-certificates-ca-tls"
-        items:
-          - key: "ca.crt"
-            path: "ca-certificates.crt"
-          - key: "ca.crt"
-            path: "cacert.pem"
-  extraVolumeMounts:
-    - name: "trusted-cert-crt-secret-volume"
-      readOnly: true
-      mountPath: "/etc/ssl/certs/ca-certificates.crt"
-      subPath: "ca-certificates.crt"
-    - name: "trusted-cert-crt-secret-volume"
-      readOnly: true
-      mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
-      subPath: "cacert.pem"
-    - name: "trusted-cert-crt-secret-volume"
-      readOnly: true
-      mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem"
-      subPath: "cacert.pem"
-    - name: "trusted-cert-crt-secret-volume"
-      readOnly: true
-      mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem"
-      subPath: "cacert.pem"
-  {{- end }}
-
-nubusLdapNotifier:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 101
-    runAsGroup: 102
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-ldap-notifier"
-  replicaCount: {{ .Values.replicas.umsLdapNotifier }}
-  resources:
-    {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
-
-nubusLdapServer:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  highAvailabilityMode: false
-  replicaCountPrimary: 1
-  replicaCountSecondary: 0 # {{ .Values.replicas.umsLdapServerSecondary }}
-  replicaCountProxy: 0 # {{ .Values.replicas.umsLdapServerProxy }}
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-ldap-server"
-  serviceAccount:
-    create: true
-  initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
-  resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
-  persistence:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
-  extraVolumes:
-    - name: "migration-scripts"
-      secret:
-        secretName: "ums-ldap-server-migration"
-        defaultMode: 0555
-  extraVolumeMounts:
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/30-purge.sh"
-      subPath: "30-purge.sh"
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
-      subPath: "95-slapadd-24-ldif.sh"
-  extraSecrets:
-    - name: "ums-ldap-server-migration"
-      stringData:
-        30-purge.sh: |
-          #!/usr/bin/env bash
-          me=$(basename "$0")
-          echo "- Running ${me}"
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- Cleaning up /var/lib/univention-ldap."
-            cd /var/lib/univention-ldap
-            rm -rf internal
-            rm -rf ldap
-            ls -l
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
-        95-slapadd-24-ldif.sh: |
-          #!/usr/bin/env bash
-          me=$(basename "$0")
-          echo "- Running ${me}"
-          ls -l /var/lib/univention-ldap
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
-            ls -l /var/lib/univention-ldap/
-            rm -rf /var/lib/univention-ldap/ldap
-            rm -rf /var/lib/univention-ldap/internal
-            echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
-            ls -l /var/lib/univention-ldap/
-            mkdir /var/lib/univention-ldap/ldap
-            mkdir /var/lib/univention-ldap/internal
-            echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
-            ls -l /var/lib/univention-ldap/
-            /usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
-            echo "- slapadd executed"
-            ls -l /var/lib/univention-ldap/
-            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
-            echo "- import file renamed"
-            ls -l /var/lib/univention-ldap/
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
-nubusPortalFrontend:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-portal-frontend"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  serviceAccount:
-    create: true
-  replicaCount: {{ .Values.replicas.umsPortalFrontend }}
-  resources:
-    {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
-  portalFrontend:
-    branding:
-      css: {{ .Values.theme.styles.portalCss | toJson }}
-      # Requires .ico, .svg does not work.
-      favicon: {{ .Values.theme.imagery.faviconIcoB64 | toJson }}
-      # The actual `logo` is set in customizing image, the logo down here is for for waiting spinner.
-      logo: {{ .Values.theme.imagery.portalWaitingSpinnerSvgB64 | toJson }}
-      backgroundImage: {{ .Values.theme.imagery.portalLogoBackgroundSvgB64 | toJson }}
-
-nubusStackDataUms:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
-  pullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-stack-data-ums"
-  resources:
-    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
-
-nubusSelfServiceConsumer:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-selfservice-listener"
-  resources:
-    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
-
-nubusUdmRestApi:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-udm-rest-api"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  serviceAccount:
-    annotations:
-      intended.usage: "compliance"
-  resources:
-    {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
-  initResources:
-    {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsUdmRestApi }}
-
-nubusUmcGateway:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsUmcGateway }}
-  resources:
-    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
-
-nubusKeycloakBootstrap:
-  containerSecurityContext:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    readOnlyRootFilesystem: false
-    runAsGroup: 1000
-    runAsNonRoot: true
-    runAsUser: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  podAnnotations:
-    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
-  serviceAccount:
-    annotations:
-      intended.usage: "compliance"
-  resources:
-    {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
-
-nubusProvisioning:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  replicaCount:
-    dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
-    udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
-    prefill: {{ .Values.replicas.umsProvisioningPrefill }}
-    api: {{ .Values.replicas.umsProvisioningApi }}
-
-  serviceAccount:
-    create: true
-  nats:
-    config:
-      cluster:
-        replicas: {{ .Values.replicas.umsProvisioningNats }}
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - "ALL"
-      enabled: true
-      runAsUser: 1000
-      runAsGroup: 1000
-      seccompProfile:
-        type: "RuntimeDefault"
-      readOnlyRootFilesystem: true
-      runAsNonRoot: true
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    persistence:
-      size: {{ .Values.persistence.size.nubus.provisioningNats }}
-    resources:
-      {{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-nats"
-    serviceAccount:
-      create: true
-  api:
-    resources:
-      {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-api"
-  dispatcher:
-    resources:
-      {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
-  prefill:
-    resources:
-      {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-prefill"
-  registerConsumers:
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
-  udmTransformer:
-    resources:
-      {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
-    additionalAnnotations:
-      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
-  resources:
-    registerConsumers:
-      {{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}

helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl

@@ -1,260 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-keycloak:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
-    repository: {{ .Values.images.nubusKeycloak.repository }}
-    tag: {{ .Values.images.nubusKeycloak.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusKeycloakBootstrap:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
-    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
-    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusKeycloakExtensions:
-    handler:
-      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
-        repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
-        tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-    proxy:
-      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
-        repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
-        tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusLdapNotifier:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
-    repository: {{ .Values.images.nubusLdapNotifier.repository }}
-    tag: {{ .Values.images.nubusLdapNotifier.tag }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusLdapServer:
-  ldapServer:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
-      repository: {{ .Values.images.nubusLdapServer.repository }}
-      tag: {{ .Values.images.nubusLdapServer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  dhInitcontainer:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
-      repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
-      tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  waitForDependency:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-      repository: {{ .Values.images.nubusWaitForDependency.repository }}
-      tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusNotificationsApi:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
-    repository: {{ .Values.images.nubusNotificationsApi.repository }}
-    tag: {{ .Values.images.nubusNotificationsApi.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusPortalFrontend:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
-    repository: {{ .Values.images.nubusPortalFrontend.repository }}
-    tag: {{ .Values.images.nubusPortalFrontend.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusPortalConsumer:
-  portalConsumer:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
-      repository: {{ .Values.images.nubusPortalConsumer.repository }}
-      tag: {{ .Values.images.nubusPortalConsumer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  waitForDependency:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-      repository: {{ .Values.images.nubusWaitForDependency.repository }}
-      tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusPortalServer:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
-    repository: {{ .Values.images.nubusPortalServer.repository }}
-    tag: {{ .Values.images.nubusPortalServer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusProvisioning:
-  api:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
-      repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
-      tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  dispatcher:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
-      repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
-      tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  udmTransformer:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
-      repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
-      tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  prefill:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
-      repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
-      tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registerConsumers:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-      repository: {{ .Values.images.nubusWaitForDependency.repository }}
-      tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  nats:
-    nats:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
-        repository: {{ .Values.images.nubusNats.repository }}
-        tag: {{ .Values.images.nubusNats.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    reloader:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
-        repository: {{ .Values.images.nubusNatsReloader.repository }}
-        tag: {{ .Values.images.nubusNatsReloader.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    natsBox:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
-        repository: {{ .Values.images.nubusNatsBox.repository }}
-        tag: {{ .Values.images.nubusNatsBox.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusProvisioningEventsAndConsumerApi:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
-    repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
-    tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusProvisioningPrefill:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
-    repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
-    tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusUdmListener:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
-    repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
-    tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusSelfServiceConsumer:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
-    repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
-    tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  waitForDependency:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-      repository: {{ .Values.images.nubusWaitForDependency.repository }}
-      tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusUdmRestApi:
-  udmRestApi:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
-      repository: {{ .Values.images.nubusUdmRestApi.repository }}
-      tag: {{ .Values.images.nubusUdmRestApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusUmcGateway:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
-    repository: {{ .Values.images.nubusUmcGateway.repository }}
-    tag: {{ .Values.images.nubusUmcGateway.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusUmcServer:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
-    repository: {{ .Values.images.nubusUmcServer.repository }}
-    tag: {{ .Values.images.nubusUmcServer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  proxy:
-    image:
-      registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
-      repository: {{ .Values.images.nubusUmcServerProxy.repository }}
-      tag: {{ .Values.images.nubusUmcServerProxy.tag }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusWaitForDependency:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.nubusWaitForDependency.repository }}
-    tag: {{ .Values.images.nubusWaitForDependency.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-
-nubusGuardian:
-  provisioning:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
-      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  authorizationApi:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
-      tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  managementApi:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
-      tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  managementUi:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
-      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
-      tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  openPolicyAgent:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
-      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
-      tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusStackDataUms:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
-    repository: {{ .Values.images.nubusDataLoader.repository }}
-    tag: {{ .Values.images.nubusDataLoader.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -21,14 +21,73 @@ cleanup:
   keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 config:
+  clientAccessRestrictions:
+    {{- if .Values.apps.element.enabled }}
+    matrix:
+      client: "opendesk-matrix"
+      scope: "opendesk-matrix-scope"
+      role: "opendesk-matrix-access-control"
+      group: "managed-by-attribute-Livecollaboration"
+    {{- end }}
+    {{- if .Values.apps.jitsi.enabled }}
+    jitsi:
+      client: "opendesk-jitsi"
+      scope: "opendesk-jitsi-scope"
+      role: "opendesk-jitsi-access-control"
+      group: "managed-by-attribute-Videoconference"
+    {{- end }}
+    {{- if .Values.apps.xwiki.enabled }}
+    xwiki:
+      client: "opendesk-xwiki"
+      scope: "opendesk-xwiki-scope"
+      role: "opendesk-xwiki-access-control"
+      group: "managed-by-attribute-Knowledgemanagement"
+    {{- end }}
+    {{- if .Values.apps.openproject.enabled }}
+    openproject:
+      client: "opendesk-openproject"
+      scope: "opendesk-openproject-scope"
+      role: "opendesk-openproject-access-control"
+      group: "managed-by-attribute-Projectmanagement"
+    {{- end }}
+    {{- if .Values.apps.nextcloud.enabled }}
+    nextcloud:
+      client: "opendesk-nextcloud"
+      scope: "opendesk-nextcloud-scope"
+      role: "opendesk-nextcloud-access-control"
+      group: "managed-by-attribute-Fileshare"
+    {{- end }}
+    {{- if .Values.apps.oxAppSuite.enabled }}
+    oxAppSuite:
+      client: "opendesk-oxappsuite"
+      scope: "opendesk-oxappsuite-scope"
+      role: "opendesk-oxappsuite-access-control"
+      group: "managed-by-attribute-Groupware"
+    dovecot:
+      client: "opendesk-dovecot"
+      scope: "opendesk-dovecot-scope"
+      role: "opendesk-dovecot-access-control"
+      group: "managed-by-attribute-Groupware"
+    {{- end }}
+    {{- if .Values.apps.notes.enabled }}
+    notes:
+      client: "opendesk-notes"
+      scope: "opendesk-notes-scope"
+      role: "opendesk-notes-access-control"
+      group: "managed-by-attribute-Notes"
+    {{- end }}
+
   custom:
     clientScopes:
       {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
     clients:
       {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
   managed:
-    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
-    clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
+    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
+                    'offline_access', 'roles', 'address', 'phone' ]
+    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}',
+               '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
+               '${client_security-admin-console}' ]
   keycloak:
     adminUser: "kcadmin"
     adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -38,16 +97,26 @@ config:
       internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
   twoFactorSettings:
     additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
+  precreateGroups: [ 'Domain Admins', 'Domain Users', '2fa-users', 'IAM API - Full Access',
+                     {{ if .Values.apps.nextcloud.enabled }}'managed-by-attribute-Fileshare', 'managed-by-attribute-FileshareAdmin',{{ end }}
+                     {{ if .Values.apps.xwiki.enabled }}'managed-by-attribute-Knowledgemanagement', 'managed-by-attribute-KnowledgemanagementAdmin',{{ end }}
+                     {{ if .Values.apps.element.enabled }}'managed-by-attribute-Livecollaboration', 'managed-by-attribute-LivecollaborationAdmin',{{ end }}
+                     {{ if .Values.apps.openproject.enabled }}'managed-by-attribute-Projectmanagement', 'managed-by-attribute-ProjectmanagementAdmin',{{ end }}
+                     {{ if .Values.apps.jitsi.enabled }}'managed-by-attribute-Videoconference',{{ end }}
+                     {{ if .Values.apps.oxAppSuite.enabled }}'managed-by-attribute-Groupware',{{ end }}
+                     {{ if .Values.apps.notes.enabled }}'managed-by-attribute-Notes',{{ end }}
+                      ]
+
   opendesk:
     # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
     # to LDAP group membership to ensure a user cannot access an application without the required
     # group membership.
-    # ToDo: Ensure all applications verify the token's signature to ensure it is not tampered.
     clientScopes:
       - name: "read_contacts"
         protocol: "openid-connect"
       - name: "write_contacts"
         protocol: "openid-connect"
+      {{ if .Values.apps.openproject.enabled }}
       - name: "opendesk-openproject-scope"
         description: "Scope for the claims required by openDesk's OpenProject instance."
         protocol: "openid-connect"
@@ -121,6 +190,8 @@ config:
               access.token.claim: true
               claim.name: "family_name"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.jitsi.enabled }}
       - name: "opendesk-jitsi-scope"
         description: "Scope for the claims required by openDesk's Jitsi instance."
         protocol: "openid-connect"
@@ -168,6 +239,8 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.nextcloud.enabled }}
       - name: "opendesk-nextcloud-scope"
         description: "Scope for the claims required by openDesk's Nextcloud instance."
         protocol: "openid-connect"
@@ -217,6 +290,8 @@ config:
               access.token.claim: true
               claim.name: "context"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.element.enabled }}
       - name: "opendesk-matrix-scope"
         description: "Scope for the claims required by openDesk's Matrix instance."
         protocol: "openid-connect"
@@ -264,6 +339,8 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.xwiki.enabled }}
       - name: "opendesk-xwiki-scope"
         description: "Scope for the claims required by openDesk's XWiki instance."
         protocol: "openid-connect"
@@ -311,6 +388,8 @@ config:
               access.token.claim: true
               claim.name: "email"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.oxAppSuite.enabled }}
       - name: "opendesk-dovecot-scope"
         description: "Scope for the claims required by openDesk's Dovecot instance."
         protocol: "openid-connect"
@@ -374,7 +453,138 @@ config:
               access.token.claim: true
               claim.name: "opendesk_username"
               jsonType.label: "String"
+      {{ end }}
+      {{ if .Values.apps.notes.enabled }}
+      - name: "opendesk-notes-scope"
+        description: "Scope for the claims required by openDesk's Notes instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "given name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "firstName"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "given_name"
+              jsonType.label: "String"
+          - name: "family name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "lastName"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "family_name"
+              jsonType.label: "String"
+      {{ end }}
     clients:
+      - name: "opendesk-intercom"
+        clientId: "opendesk-intercom"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.revoke.offline.tokens: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
+        protocolMappers:
+          - name: "intercom-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "opendesk-intercom"
+              id.token.claim: false
+              access.token.claim: true
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "offline_access"
+      {{ if .Values.apps.notes.enabled }}
+      - name: "opendesk-notes"
+        clientId: "opendesk-notes"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/callback/"
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        alwaysDisplayInConsole: false
+        bearerOnly: false
+        directAccessGrantsEnabled: true
+        serviceAccountsEnabled: false
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        surrogateAuthRequired: false
+        attributes:
+          backchannel.logout.revoke.offline.tokens: false
+          backchannel.logout.session.required: false
+          client.introspection.response.allow.jwt.claim.enabled: false
+          client.use.lightweight.access.token.enabled: false
+          client_credentials.use_refresh_token: false
+          display.on.consent.screen: false
+          oauth2.device.authorization.grant.enabled: false
+          oidc.ciba.grant.enabled: false
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/*"
+          require.pushed.authorization.requests: false
+          tls.client.certificate.bound.access.tokens: false
+          token.response.type.bearer.lower-case: false
+          use.jwks.url: false
+          use.refresh.tokens: false
+          # it is probably not even required to set this value explicitly.
+          user.info.response.signature.alg: "RS256"
+        defaultClientScopes:
+          - "opendesk-notes-scope"
+      {{ end }}
+      {{ if .Values.apps.oxAppSuite.enabled }}
       - name: "opendesk-dovecot"
         clientId: "opendesk-dovecot"
         protocol: "openid-connect"
@@ -388,6 +598,28 @@ config:
           backchannel.logout.session.required: false
         defaultClientScopes:
           - "opendesk-dovecot-scope"
+      - name: "opendesk-oxappsuite"
+        clientId: "opendesk-oxappsuite"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes:
+          - "opendesk-oxappsuite-scope"
+          - "read_contacts"
+          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.jitsi.enabled }}
       - name: "opendesk-jitsi"
         clientId: "opendesk-jitsi"
         protocol: "openid-connect"
@@ -401,6 +633,8 @@ config:
         authorizationServicesEnabled: false
         defaultClientScopes:
           - "opendesk-jitsi-scope"
+      {{ end }}
+      {{ if .Values.apps.element.enabled }}
       - name: "opendesk-matrix"
         clientId: "opendesk-matrix"
         protocol: "openid-connect"
@@ -423,6 +657,8 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-matrix-scope"
+      {{ end }}
+      {{ if .Values.apps.nextcloud.enabled }}
       - name: "opendesk-nextcloud"
         clientId: "opendesk-nextcloud"
         protocol: "openid-connect"
@@ -443,6 +679,8 @@ config:
           - "opendesk-nextcloud-scope"
           - "read_contacts"
           - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.openproject.enabled }}
       - name: "opendesk-openproject"
         clientId: "opendesk-openproject"
         protocol: "openid-connect"
@@ -462,26 +700,8 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-openproject-scope"
-      - name: "opendesk-oxappsuite"
-        clientId: "opendesk-oxappsuite"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
-          - "opendesk-oxappsuite-scope"
-          - "read_contacts"
-          - "write_contacts"
+      {{ end }}
+      {{ if .Values.apps.xwiki.enabled }}
       - name: "opendesk-xwiki"
         clientId: "opendesk-xwiki"
         protocol: "openid-connect"
@@ -500,6 +720,7 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-xwiki-scope"
+      {{ end }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
@@ -7,19 +7,31 @@ repositories:
   - name: "dovecot-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.dovecot.verify }}
+    oci: true
+  {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+  {{- else }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+  {{- end }}
 
   # Open-Xchange
   - name: "open-xchange-repo"
     keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
     verify: {{ .Values.charts.oxAppSuite.verify }}
+    oci: true
+  {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDeEnterprise .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+  {{- else }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
+  {{- end }}
 
   # openDesk Open-Xchange Bootstrap
   # Source:
@@ -30,14 +42,14 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"
 
   # OX Connector
   - name: "ox-connector-repo"
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 
 releases:
   - name: "dovecot"
@@ -45,10 +57,13 @@ releases:
     version: "{{ .Values.charts.dovecot.version }}"
     values:
       - "values-dovecot.yaml.gotmpl"
-      {{ range .Values.customization.release.dovecot }}
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-dovecot-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.dovecot }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.dovecot.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.dovecot.enabled }}
     timeout: 900
 
   - name: "open-xchange"
@@ -56,11 +71,14 @@ releases:
     version: "{{ .Values.charts.oxAppSuite.version }}"
     values:
       - "values-openxchange.yaml.gotmpl"
-      - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
-      {{ range .Values.customization.release.openxchange }}
+      - "values-openxchange-contact-picker.yaml.gotmpl"
+      {{- if eq (env "OPENDESK_ENTERPRISE") "true" }}
+      - "values-openxchange-enterprise.yaml.gotmpl"
+      {{- end }}
+      {{- range .Values.customization.release.openxchange }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
     timeout: 900
 
   - name: "opendesk-open-xchange-bootstrap"
@@ -68,10 +86,10 @@ releases:
     version: "{{ .Values.charts.oxAppSuiteBootstrap.version }}"
     values:
       - "values-openxchange-bootstrap.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskOpenxchangeBootstrap }}
+      {{- range .Values.customization.release.opendeskOpenxchangeBootstrap }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
     timeout: 900
 
   - name: "ox-connector"
@@ -79,10 +97,10 @@ releases:
     version: "{{ .Values.charts.oxConnector.version }}"
     values:
       - "values-oxconnector.yaml.gotmpl"
-      {{ range .Values.customization.release.oxConnector }}
+      {{- range .Values.customization.release.oxConnector }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.oxAppSuite.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.oxAppSuite.enabled }}
     needs:
       - "open-xchange"
 

helmfile/apps/open-xchange/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl

@@ -0,0 +1,45 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.dovecot.registry | quote }}
+  repository: {{ .Values.images.dovecot.repository | quote }}
+  tag: {{ .Values.images.dovecot.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imageInitCassandra:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
+  repository: {{ .Values.images.cassandra.repository | quote }}
+  tag: {{ .Values.images.cassandra.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
+
+dovecot:
+  dictmap:
+    enabled: true
+    host: {{ .Values.databases.dovecotDictmap.host | quote }}
+    port: {{ .Values.databases.dovecotDictmap.port }}
+    username: {{ .Values.databases.dovecotDictmap.username | quote }}
+    password: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+    keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
+  sharedMailboxes:
+    enabled: false
+    host: {{ .Values.databases.dovecotACL.host | quote }}
+    port: {{ .Values.databases.dovecotACL.port }}
+    username: {{ .Values.databases.dovecotACL.username | quote }}
+    password: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
+  objectStorage:
+    encryption:
+      privateKey:
+        value: {{ env "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
+      publicKey:
+        value: {{ env "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
+    fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    username: {{ .Values.objectstores.dovecot.username | quote }}
+    password: {{ .Values.secrets.minio.dovecotUser | quote }}
+...

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -23,8 +23,8 @@ dovecot:
     enabled: true
     host: {{ .Values.ldap.host | quote }}
     port: 389
-    base: "dc=swp-ldap,dc=internal"
-    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
+    base: "{{ .Values.ldap.baseDn }}"
+    dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
     password: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
   oidc:
     enabled: true
@@ -34,11 +34,10 @@ dovecot:
     introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
     usernameAttribute: "opendesk_username"
   loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
-
   submission:
     enabled: true
     ssl: "no"
-    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
+    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
 
 certificate:
   secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -92,23 +91,23 @@ podSecurityContext:
 
 persistence:
   {{- if .Values.cluster.persistence.readWriteMany.enabled }}
-  storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
+  storageClassName: {{ coalesce .Values.persistence.storages.dovecot.storageClassName .Values.persistence.storageClassNames.RWX | quote }}
   accessModes:
     - "ReadWriteMany"
   {{- else }}
-  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  storageClassName: {{ coalesce .Values.persistence.storages.dovecot.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
   accessModes:
     - "ReadWriteOnce"
   {{- end }}
-  size: {{ .Values.persistence.size.dovecot | quote }}
+  size: {{ .Values.persistence.storages.dovecot.size | quote }}
 
 resources:
   {{ .Values.resources.dovecot | toYaml | nindent 2 }}
 
-{{- if or (eq .Values.cluster.service.type "NodePort") (eq .Values.cluster.service.type "LoadBalancer") }}
+{{- if or (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "NodePort") (eq (coalesce .Values.service.type.dovecot .Values.cluster.service.type) "LoadBalancer") }}
 service:
   external:
     enabled: true
-    type: {{ .Values.cluster.service.type | quote }}
+    type: {{ coalesce .Values.service.type.dovecot .Values.cluster.service.type | quote }}
 {{- end }}
 ...

helmfile/apps/open-xchange/values-openxchange-contact-picker.yaml.gotmpl

@@ -25,7 +25,7 @@ appsuite:
           auth:
             type: "adminDN"
             adminDN:
-              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+              dn: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
               password: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
 
     uiSettings:

helmfile/apps/open-xchange/values-openxchange-enterprise.yaml.gotmpl

@@ -0,0 +1,19 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+appsuite:
+  plugins-ui:
+    enabled: false
+  core-mw:
+    global:
+      extras:
+        monitoring:
+          enabled: true
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.openxchangeCoreMW.registry | quote }}
+    update:
+      image:
+        registry: {{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.openxchangeCoreMW.registry | quote }}
+...

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -13,10 +13,14 @@ global:
   mysql:
     host: {{ .Values.databases.oxAppSuite.host | quote }}
     database: {{ .Values.databases.oxAppSuite.name | quote }}
+    readHost: {{ .Values.databases.oxAppSuite.readHost | quote }}
+    readDatabase: {{ .Values.databases.oxAppSuite.name | quote }}
     auth:
       user: {{ .Values.databases.oxAppSuite.username | quote }}
       password: {{ .Values.databases.oxAppSuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
       rootPassword: {{ .Values.databases.oxAppSuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
+      readUser: {{ .Values.databases.oxAppSuite.readUser | default .Values.databases.oxAppSuite.username | quote }}
+      readPassword: {{ .Values.databases.oxAppSuite.readPassword | default .Values.databases.oxAppSuite.password | quote}}
 
 nextcloud-integration-ui:
   image:
@@ -276,7 +280,7 @@ appsuite:
       com.openexchange.conference.element.enabled: "true"
       com.openexchange.conference.element.meetingHostUrl: http://matrix-neodatefix-bot
       com.openexchange.conference.element.matrixLoginUrl: http://opendesk-synapse-web:8008/_matrix/client/v3/login
-      com.openexchange.conference.element.matrixUuidClaimName: opendesk_useruuid
+      com.openexchange.conference.element.matrixUuidClaimName: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
       # GDPR
       com.openexchange.gdpr.dataexport.enabled: "false"
       com.openexchange.gdpr.dataexport.active: "false"
@@ -330,8 +334,8 @@ appsuite:
       /opt/open-xchange/etc/system.properties:
         SERVER_NAME: "oxserver"
       /opt/open-xchange/etc/ldapauth.properties:
-        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
-        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/{{ .Values.ldap.baseDn }}"
+        bindDN: "uid=ldapsearch_ox,cn=users,{{ .Values.ldap.baseDn }}"
         bindDNPassword: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
         bindOnly: "false"
       /opt/open-xchange/etc/antivirus.properties:
@@ -340,9 +344,9 @@ appsuite:
         com.openexchange.antivirus.server: {{ .Values.antivirus.icap.host | quote }}
         com.openexchange.antivirus.port: {{ .Values.antivirus.icap.port | quote }}
         {{- else }}
-        {{- if .Values.clamavDistributed.enabled }}
+        {{- if .Values.apps.clamavDistributed.enabled }}
         com.openexchange.antivirus.server: "clamav-icap"
-        {{- else if .Values.clamavSimple.enabled }}
+        {{- else if .Values.apps.clamavSimple.enabled }}
         com.openexchange.antivirus.server: "clamav-simple"
         {{- end }}
         com.openexchange.antivirus.port: "1344"
@@ -422,6 +426,9 @@ appsuite:
     replicas: {{ .Values.replicas.openxchangeCoreMW }}
     resources:
       {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
+    initContainer:
+      resources:
+        {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 8 }}
 
   core-ui:
     enabled: true

helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl

@@ -23,9 +23,8 @@ image:
   repository: {{ .Values.images.oxConnector.repository | quote }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.oxConnector.tag | quote }}
-
   waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.nubusWaitForDependency.registry | quote }}
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
     repository: {{ .Values.images.nubusWaitForDependency.repository }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy }}
     pullSecrets:
@@ -63,55 +62,32 @@ provisioningApi:
 
 resources:
   {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
+resourcesWaitForDependency:
+  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
 
 persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  size: {{ .Values.persistence.storages.oxConnector.size | quote }}
+  storageClass: {{ coalesce .Values.persistence.storages.oxConnector.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
 
 podAnnotations: {}
 
-## Container deployment probes
-probes:
-  liveness:
-    enabled: true
-    initialDelaySeconds: 120
-    timeoutSeconds: 3
-    periodSeconds: 30
-    failureThreshold: 3
-    successThreshold: 1
-
-  readiness:
-    enabled: true
-    initialDelaySeconds: 30
-    timeoutSeconds: 3
-    periodSeconds: 15
-    failureThreshold: 30
-    successThreshold: 1
-
 replicaCount: {{ .Values.replicas.oxConnector }}
 
+podSecurityContext:
+  fsGroup: 1000
+
 securityContext:
+  privileged: false
   allowPrivilegeEscalation: false
   capabilities:
     drop:
       - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "SYS_CHROOT"
-  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
   seccompProfile:
     type: "RuntimeDefault"
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  readOnlyRootFilesystem: false
   seLinuxOptions:
     {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
 

helmfile/apps/opendesk-migrations-post/helmfile-child.yaml.gotmpl

@@ -4,27 +4,27 @@
 repositories:
   # openDesk Migrations
   # Source:
-  - name: "openproject-migrations-repo"
+  - name: "opendesk-migrations-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.migrations.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
 
 releases:
   - name: "opendesk-migrations-post"
-    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    chart: "opendesk-migrations-repo/{{ .Values.charts.migrations.name }}"
     version: "{{ .Values.charts.migrations.version }}"
     wait: true
     waitForJobs: true
     values:
       - "values.yaml.gotmpl"
       - "../../shared/migrations.yaml.gotmpl"
-      {{ range .Values.customization.release.migrationsPost }}
+      {{- range .Values.customization.release.migrationsPost }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.migrations.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.migrations.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-migrations-post/helmfile.yaml.gotmpl

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/opendesk-migrations-pre/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
 
 releases:
   - name: "opendesk-migrations-pre"
@@ -21,10 +21,10 @@ releases:
     values:
       - "values.yaml.gotmpl"
       - "../../shared/migrations.yaml.gotmpl"
-      {{ range .Values.customization.release.migrationsPre }}
+      {{- range .Values.customization.release.migrationsPre }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.migrations.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.migrations.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-migrations-pre/helmfile.yaml.gotmpl

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/opendesk-openproject-bootstrap/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
 
 releases:
   - name: "opendesk-openproject-bootstrap"
@@ -20,10 +20,10 @@ releases:
     waitForJobs: true
     values:
       - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskOpenprojectBootstrap }}
+      {{- range .Values.customization.release.opendeskOpenprojectBootstrap }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.openproject.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.openproject.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/opendesk-openproject-bootstrap/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/opendesk-services/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
 
   # openDesk Home
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
@@ -20,7 +20,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
 
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -30,7 +30,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
 
     # openDesk Alerts
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-alerts
@@ -40,17 +40,27 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
 
     # openDesk Grafana Dashboards
     # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dashboards
-  - name: "dashboards-repo"
+  - name: "opendesk-dashboards-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.opendeskDashboards.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskDashboards.registry }}/{{ .Values.charts.opendeskDashboards.repository }}"
+
+    # openDesk Static Files
+  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-static-files
+  - name: "opendesk-static-files-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.opendeskStaticFiles.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.opendeskStaticFiles.registry }}/{{ .Values.charts.opendeskStaticFiles.repository }}"
 
 releases:
   - name: "opendesk-otterize"
@@ -58,9 +68,9 @@ releases:
     version: "{{ .Values.charts.otterize.version }}"
     values:
       - "values-otterize.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskOtterize }}
+      {{- range .Values.customization.release.opendeskOtterize }}
       - {{ . }}
-      {{ end }}
+      {{- end }}
     installed: {{ .Values.security.otterizeIntents.enabled }}
     timeout: 900
 
@@ -69,20 +79,20 @@ releases:
     version: "{{ .Values.charts.home.version }}"
     values:
       - "values-home.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskHome }}
+      {{- range .Values.customization.release.opendeskHome }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.home.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.home.enabled }}
 
   - name: "opendesk-certificates"
     chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
     version: "{{ .Values.charts.certificates.version }}"
     values:
       - "values-certificates.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskCertificates }}
+      {{- range .Values.customization.release.opendeskCertificates }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.certificates.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.certificates.enabled }}
     timeout: 900
 
   - name: "opendesk-alerts"
@@ -90,21 +100,34 @@ releases:
     version: "{{ .Values.charts.opendeskAlerts.version }}"
     values:
       - "values-opendesk-alerts.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskAlerts}}
+      {{- range .Values.customization.release.opendeskAlerts }}
       - {{ . }}
-      {{ end }}
+      {{- end }}
     installed: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
     timeout: 900
 
   - name: "opendesk-dashboards"
-    chart: "dashboards-repo/{{ .Values.charts.opendeskDashboards.name }}"
+    chart: "opendesk-dashboards-repo/{{ .Values.charts.opendeskDashboards.name }}"
     version: "{{ .Values.charts.opendeskDashboards.version }}"
     values:
-      - "values-dashboards.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskDashboards | default "additionalValues: false" }}
+      - "values-opendesk-dashboards.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskDashboards }}
+      - {{ . }}
+      {{- end }}
     installed: {{ .Values.monitoring.grafana.dashboards.enabled }}
     timeout: 900
 
+  - name: "opendesk-static-files"
+    chart: "opendesk-static-files-repo/{{ .Values.charts.opendeskStaticFiles.name }}"
+    version: "{{ .Values.charts.opendeskStaticFiles.version }}"
+    values:
+      - "values-opendesk-static-files.yaml.gotmpl"
+      {{- range .Values.customization.release.opendeskStaticFiles }}
+      - {{ . }}
+      {{- end }}
+    installed: {{ .Values.apps.staticFiles.enabled }}
+    timeout: 900
+
 commonLabels:
   deployStage: "030-opendesk-services"
   component: "opendesk-services"

helmfile/apps/opendesk-services/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl

@@ -7,13 +7,13 @@ SPDX-License-Identifier: Apache-2.0
 global:
   domain: {{ .Values.global.domain | quote }}
   hosts:
-    {{- if .Values.collabora.enabled }}
+    {{- if .Values.apps.collabora.enabled }}
     collabora: {{ .Values.global.hosts.collabora }}
     {{- end }}
-    {{- if .Values.cryptpad.enabled }}
+    {{- if .Values.apps.cryptpad.enabled }}
     cryptpad: {{ .Values.global.hosts.cryptpad }}
     {{- end }}
-    {{- if .Values.element.enabled }}
+    {{- if .Values.apps.element.enabled }}
     element: {{ .Values.global.hosts.element }}
     matrixNeoBoardWidget: {{ .Values.global.hosts.matrixNeoBoardWidget }}
     matrixNeoChoiceWidget: {{ .Values.global.hosts.matrixNeoChoiceWidget }}
@@ -23,30 +23,30 @@ global:
     synapseFederation: {{ .Values.global.hosts.synapseFederation }}
     whiteboard: {{ .Values.global.hosts.whiteboard }}
     {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.apps.nubus.enabled }}
     intercomService: {{ .Values.global.hosts.intercomService }}
     {{- end }}
-    {{- if .Values.jitsi.enabled }}
+    {{- if .Values.apps.jitsi.enabled }}
     jitsi: {{ .Values.global.hosts.jitsi }}
     {{- end }}
-    {{- if .Values.minio.enabled }}
+    {{- if .Values.apps.minio.enabled }}
     minioApi: {{ .Values.global.hosts.minioApi }}
     minioConsole: {{ .Values.global.hosts.minioConsole }}
     {{- end }}
-    {{- if .Values.nextcloud.enabled }}
+    {{- if .Values.apps.nextcloud.enabled }}
     nextcloud: {{ .Values.global.hosts.nextcloud }}
     {{- end }}
-    {{- if .Values.openproject.enabled }}
+    {{- if .Values.apps.openproject.enabled }}
     openproject: {{ .Values.global.hosts.openproject }}
     {{- end }}
-    {{- if .Values.oxAppSuite.enabled }}
+    {{- if .Values.apps.oxAppSuite.enabled }}
     openxchange: {{ .Values.global.hosts.openxchange }}
     {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.apps.nubus.enabled }}
     keycloak: {{ .Values.global.hosts.keycloak }}
     nubus: {{ .Values.global.hosts.nubus }}
     {{- end }}
-    {{- if .Values.xwiki.enabled }}
+    {{- if .Values.apps.xwiki.enabled }}
     xwiki: {{ .Values.global.hosts.xwiki }}
     {{- end }}
 

helmfile/apps/opendesk-services/values-dashboards.yaml.gotmpl

@@ -1,54 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-additionalAnnotations:
-  {{ .Values.monitoring.grafana.dashboards.annotations | toYaml | nindent 2 }}
-additionalLabels:
-  {{ .Values.monitoring.grafana.dashboards.labels | toYaml | nindent 2 }}
-
-config:
-  apps:
-    collabora:
-      enable: {{ .Values.collabora.enabled }}
-      selectors:
-        namespace: {{ .Values.collabora.namespace | quote }}
-    matrixElement:
-      enable: {{ .Values.element.enabled }}
-      selectors:
-        namespace: {{ .Values.element.namespace | quote }}
-    diagrams:
-      enable: {{ .Values.cryptpad.enabled }}
-      selectors:
-        namespace: {{ .Values.cryptpad.namespace | quote }}
-    nextcloud:
-      enable: {{ .Values.nextcloud.enabled }}
-      selectors:
-        namespace: {{ .Values.nextcloud.namespace | quote }}
-    openxchange:
-      enable: {{ .Values.oxAppSuite.enabled }}
-      selectors:
-        namespace: {{ .Values.oxAppSuite.namespace | quote }}
-    xwiki:
-      enable: {{ .Values.xwiki.enabled }}
-      selectors:
-        namespace: {{ .Values.xwiki.namespace | quote }}
-    nubus:
-      enable: {{ .Values.nubus.enabled }}
-      selectors:
-        namespace: {{ .Values.nubus.namespace | quote }}
-    openproject:
-      enable: {{ .Values.openproject.enabled }}
-      selectors:
-        namespace: {{ .Values.openproject.namespace | quote }}
-    jitsi:
-      enable: {{ .Values.jitsi.enabled }}
-      selectors:
-        namespace: {{ .Values.jitsi.namespace | quote }}
-    collabora:
-      enable: {{ .Values.collabora.enabled }}
-      selectors:
-        namespace: {{ .Values.collabora.namespace | quote }}
-...

helmfile/apps/opendesk-services/values-home.yaml.gotmpl

@@ -10,7 +10,6 @@ global:
 
 ingress:
   ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
   tls:
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 ...

helmfile/apps/opendesk-services/values-opendesk-alerts.yaml.gotmpl

@@ -10,43 +10,43 @@ additionalLabels:
 
 config:
   collabora:
-    enable: {{ .Values.collabora.enabled }}
+    enable: {{ .Values.apps.collabora.enabled }}
     selectors:
-      namespace: {{ .Values.collabora.namespace | quote }}
+      namespace: {{ .Values.apps.collabora.namespace | quote }}
   matrix:
-    enable: {{ .Values.element.enabled }}
+    enable: {{ .Values.apps.element.enabled }}
     selectors:
-      namespace: {{ .Values.element.namespace | quote }}
+      namespace: {{ .Values.apps.element.namespace | quote }}
   diagrams:
-    enable: {{ .Values.cryptpad.enabled }}
+    enable: {{ .Values.apps.cryptpad.enabled }}
     selectors:
-      namespace: {{ .Values.cryptpad.namespace | quote }}
+      namespace: {{ .Values.apps.cryptpad.namespace | quote }}
   nextcloud:
-    enable: {{ .Values.nextcloud.enabled }}
+    enable: {{ .Values.apps.nextcloud.enabled }}
     selectors:
-      namespace: {{ .Values.nextcloud.namespace | quote }}
+      namespace: {{ .Values.apps.nextcloud.namespace | quote }}
   openXChange:
-    enable: {{ .Values.oxAppSuite.enabled }}
+    enable: {{ .Values.apps.oxAppSuite.enabled }}
     selectors:
-      namespace: {{ .Values.oxAppSuite.namespace | quote }}
+      namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
   xwiki:
-    enable: {{ .Values.xwiki.enabled }}
+    enable: {{ .Values.apps.xwiki.enabled }}
     selectors:
-      namespace: {{ .Values.xwiki.namespace | quote }}
+      namespace: {{ .Values.apps.xwiki.namespace | quote }}
   nubus:
-    enable: {{ .Values.nubus.enabled }}
+    enable: {{ .Values.apps.nubus.enabled }}
     selectors:
-      namespace: {{ .Values.nubus.namespace | quote }}
+      namespace: {{ .Values.apps.nubus.namespace | quote }}
   openProject:
-    enable: {{ .Values.openproject.enabled }}
+    enable: {{ .Values.apps.openproject.enabled }}
     selectors:
-      namespace: {{ .Values.openproject.namespace | quote }}
+      namespace: {{ .Values.apps.openproject.namespace | quote }}
   jitsi:
-    enable: {{ .Values.jitsi.enabled }}
+    enable: {{ .Values.apps.jitsi.enabled }}
     selectors:
-      namespace: {{ .Values.jitsi.namespace | quote }}
+      namespace: {{ .Values.apps.jitsi.namespace | quote }}
   collabora:
-    enable: {{ .Values.collabora.enabled }}
+    enable: {{ .Values.apps.collabora.enabled }}
     selectors:
-      namespace: {{ .Values.collabora.namespace | quote }}
+      namespace: {{ .Values.apps.collabora.namespace | quote }}
 

helmfile/apps/opendesk-services/values-opendesk-dashboards.yaml.gotmpl

@@ -0,0 +1,54 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+additionalAnnotations:
+  {{ .Values.monitoring.grafana.dashboards.annotations | toYaml | nindent 2 }}
+additionalLabels:
+  {{ .Values.monitoring.grafana.dashboards.labels | toYaml | nindent 2 }}
+
+config:
+  apps:
+    collabora:
+      enable: {{ .Values.apps.collabora.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
+    matrixElement:
+      enable: {{ .Values.apps.element.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.element.namespace | quote }}
+    diagrams:
+      enable: {{ .Values.apps.cryptpad.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.cryptpad.namespace | quote }}
+    nextcloud:
+      enable: {{ .Values.apps.nextcloud.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.nextcloud.namespace | quote }}
+    openxchange:
+      enable: {{ .Values.apps.oxAppSuite.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
+    xwiki:
+      enable: {{ .Values.apps.xwiki.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.xwiki.namespace | quote }}
+    nubus:
+      enable: {{ .Values.apps.nubus.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.nubus.namespace | quote }}
+    openproject:
+      enable: {{ .Values.apps.openproject.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.openproject.namespace | quote }}
+    jitsi:
+      enable: {{ .Values.apps.jitsi.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.jitsi.namespace | quote }}
+    collabora:
+      enable: {{ .Values.apps.collabora.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
+...

helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl

@@ -0,0 +1,119 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+assets:
+  element:
+    subdomain: {{ .Values.global.hosts.element }}
+    paths:
+      - path: "/vector-icons/favicon.........ico"
+        data: {{ .Values.theme.imagery.chat.faviconIco }}
+  jitsi:
+    subdomain: {{ .Values.global.hosts.jitsi }}
+    paths:
+      - path: "/images/favicon.svg"
+        data: {{ .Values.theme.imagery.videoconference.faviconSvg }}
+  keycloak:
+    subdomain: {{ .Values.global.hosts.keycloak }}
+    paths:
+      - path: "/resources/...../login/UCS/img/favicon.ico"
+        data: {{ .Values.theme.imagery.login.faviconIco }}
+      - path: "/static-files/login/logo.svg"
+        data: {{ .Values.theme.imagery.login.logoSvg }}
+  nextcloud:
+    subdomain: {{ .Values.global.hosts.nextcloud }}
+    paths:
+      - path: "/core/img/favicon-touch.png"
+        data: {{ .Values.theme.imagery.files.faviconPng }}
+      - path: "/core/img/favicon.ico"
+        data: {{ .Values.theme.imagery.files.faviconIco }}
+  notes:
+    subdomain: {{ .Values.global.hosts.notes }}
+    paths:
+      - path: "/favicon.ico"
+        data: {{ .Values.theme.imagery.notes.faviconIco }}
+  openproject:
+    subdomain: {{ .Values.global.hosts.openproject }}
+    paths:
+      - path: "/custom_style/........../favicon/favicon.svg"
+        data: {{ .Values.theme.imagery.projects.faviconSvg }}
+  openxchange:
+    subdomain: {{ .Values.global.hosts.openxchange }}
+    paths:
+      - path: "/appsuite/favicon.ico"
+        data: {{ .Values.theme.imagery.groupware.faviconIco }}
+      - path: "/appsuite/favicon.svg"
+        data: {{ .Values.theme.imagery.groupware.faviconSvg }}
+  portal:
+    subdomain: {{ .Values.global.hosts.nubus }}
+    paths:
+      - path: "/favicon.ico"
+        data: {{ .Values.theme.imagery.portal.faviconIco }}
+      - path: "/static-files/portal/background.svg"
+        data: {{ .Values.theme.imagery.portal.backgroundSvg }}
+      - path: "/static-files/portal/waiting-spinner.svg"
+        data: {{ .Values.theme.imagery.portal.waitingSpinnerSvg }}
+      - path: "/static-files/login/background.jpg"
+        data: {{ .Values.theme.imagery.login.backgroundJpg }}
+
+  xwiki:
+    subdomain: {{ .Values.global.hosts.xwiki }}
+    paths:
+      - path: "/resources/icons/xwiki/favicon.svg"
+        data: {{ .Values.theme.imagery.knowledge.faviconSvg }}
+      - path: "/resources/icons/xwiki/favicon16.png"
+        data: {{ .Values.theme.imagery.knowledge.faviconPng }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 101
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.opendeskStaticFiles | toYaml | nindent 4 }}
+
+ingress:
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  host: "{{ .Values.global.hosts.static }}.{{ .Values.global.domain }}"
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.opendeskStaticFiles.registry | quote }}
+  repository: {{ .Values.images.opendeskStaticFiles.repository | quote }}
+  tag: {{ .Values.images.opendeskStaticFiles.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+  fsGroupChangePolicy: "Always"
+
+replicaCount: {{ .Values.replicas.opendeskStaticFiles }}
+
+resources:
+  {{ .Values.resources.opendeskStaticFiles | toYaml | nindent 2 }}
+
+service:
+  type: "ClusterIP"
+...

helmfile/apps/opendesk-services/values-otterize.yaml.gotmpl

@@ -3,43 +3,54 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+
 apps:
   clamavDistributed:
-    enabled: {{ .Values.clamavDistributed.enabled }}
+    enabled: {{ .Values.apps.clamavDistributed.enabled }}
   clamavSimple:
-    enabled: {{ .Values.clamavSimple.enabled }}
+    enabled: {{ .Values.apps.clamavSimple.enabled }}
   collabora:
-    enabled: {{ .Values.collabora.enabled }}
+    enabled: {{ .Values.apps.collabora.enabled }}
   cryptpad:
-    enabled: {{ .Values.cryptpad.enabled }}
+    enabled: {{ .Values.apps.cryptpad.enabled }}
+  dkimpy:
+    enabled: {{ .Values.apps.dkimpy.enabled }}
   dovecot:
-    enabled: {{ .Values.dovecot.enabled }}
+    enabled: {{ .Values.apps.dovecot.enabled }}
   element:
-    enabled: {{ .Values.element.enabled }}
+    enabled: {{ .Values.apps.element.enabled }}
   jitsi:
-    enabled: {{ .Values.jitsi.enabled }}
+    enabled: {{ .Values.apps.jitsi.enabled }}
   mariadb:
-    enabled: {{ .Values.mariadb.enabled }}
+    enabled: {{ .Values.apps.mariadb.enabled }}
   memcached:
-    enabled: {{ .Values.memcached.enabled }}
+    enabled: {{ .Values.apps.memcached.enabled }}
+  migrations:
+    enabled: {{ .Values.apps.migrations.enabled }}
   minio:
-    enabled: {{ .Values.minio.enabled }}
+    enabled: {{ .Values.apps.minio.enabled }}
   nextcloud:
-    enabled: {{ .Values.nextcloud.enabled }}
+    enabled: {{ .Values.apps.nextcloud.enabled }}
+  notes:
+    enabled: {{ .Values.apps.notes.enabled }}
+  nubus:
+    enabled: {{ .Values.apps.nubus.enabled }}
   openproject:
-    enabled: {{ .Values.openproject.enabled }}
+    enabled: {{ .Values.apps.openproject.enabled }}
   oxAppsuite:
-    enabled: {{ .Values.oxAppSuite.enabled }}
+    enabled: {{ .Values.apps.oxAppSuite.enabled }}
   postfix:
-    enabled: {{ .Values.postfix.enabled }}
+    enabled: {{ .Values.apps.postfix.enabled }}
   postgresql:
-    enabled: {{ .Values.postgresql.enabled }}
+    enabled: {{ .Values.apps.postgresql.enabled }}
   redis:
-    enabled: {{ .Values.redis.enabled }}
-  univentionManagementStack:
-    enabled: {{ .Values.nubus.enabled }}
+    enabled: {{ .Values.apps.redis.enabled }}
   xwiki:
-    enabled: {{ .Values.xwiki.enabled }}
+    enabled: {{ .Values.apps.xwiki.enabled }}
 
 ingressController:
   {{ .Values.security.ingressController | toYaml | nindent 2 }}

helmfile/apps/openproject/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
 
 releases:
   - name: "openproject"
@@ -20,10 +20,10 @@ releases:
     waitForJobs: true
     values:
       - "values.yaml.gotmpl"
-      {{ range .Values.customization.release.openproject }}
+      {{- range .Values.customization.release.openproject }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.openproject.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.openproject.enabled }}
     timeout: 1800
 
 commonLabels:

helmfile/apps/openproject/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/openproject/values.yaml.gotmpl

@@ -38,9 +38,12 @@ dbInit:
     {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
 
 environment:
+  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}
+  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
+  {{- end }}
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_APP__TITLE: "Projects | {{ .Values.theme.texts.productName }}"
+  OPENPROJECT_APP__TITLE: "Projekte - {{ .Values.theme.texts.productName }}"
   OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_USER__DEFAULT__TIMEZONE: "Europe/Berlin"
@@ -53,8 +56,8 @@ environment:
   OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
   OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
     "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
@@ -63,7 +66,7 @@ environment:
   OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
   OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
   OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
-  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "{{ .Values.ldap.baseDn }}"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
     "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
@@ -77,7 +80,7 @@ environment:
   OPENPROJECT_SMTP__PASSWORD: ""
   OPENPROJECT_SMTP__PORT: 25
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
   OPENPROJECT_SMTP__AUTHENTICATION: "none"
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"

helmfile/apps/services-external/helmfile-child.yaml.gotmpl

@@ -10,7 +10,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
 
   # openDesk MariaDB
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -20,7 +20,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
 
   # openDesk dkimpy-milter
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
@@ -30,7 +30,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
 
   # openDesk Postfix
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -40,7 +40,7 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
 
   # openDesk ClamAV
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -50,14 +50,14 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
   - name: "clamav-simple-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.clamavSimple.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
 
   # VMWare Bitnami
   # Source: https://github.com/bitnami/charts/
@@ -67,33 +67,32 @@ repositories:
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
   - name: "redis-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.redis.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
   - name: "minio-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.minio.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
-
-  # openDesk Enterprise Repositories
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
 
+  # openDesk Enterprise
   # Cassandra
   # Source: https://github.com/bitnami/charts/
   - name: "cassandra-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.cassandra.verify }}
-    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
+    url: "{{ coalesce .Values.repositories.helm.registryOpencodeDe .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
 
 releases:
   - name: "redis"
@@ -101,10 +100,10 @@ releases:
     version: "{{ .Values.charts.redis.version }}"
     values:
       - "values-redis.yaml.gotmpl"
-      {{ range .Values.customization.release.redis }}
+      {{- range .Values.customization.release.redis }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.redis.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.redis.enabled }}
     timeout: 900
 
   - name: "memcached"
@@ -112,10 +111,10 @@ releases:
     version: "{{ .Values.charts.memcached.version }}"
     values:
       - "values-memcached.yaml.gotmpl"
-      {{ range .Values.customization.release.memcached }}
+      {{- range .Values.customization.release.memcached }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.memcached.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.memcached.enabled }}
     timeout: 900
 
   - name: "postgresql"
@@ -123,10 +122,10 @@ releases:
     version: "{{ .Values.charts.postgresql.version }}"
     values:
       - "values-postgresql.yaml.gotmpl"
-      {{ range .Values.customization.release.postgresql }}
+      {{- range .Values.customization.release.postgresql }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.postgresql.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.postgresql.enabled }}
     timeout: 900
 
   - name: "mariadb"
@@ -134,10 +133,10 @@ releases:
     version: "{{ .Values.charts.mariadb.version }}"
     values:
       - "values-mariadb.yaml.gotmpl"
-      {{ range .Values.customization.release.mariadb }}
+      {{- range .Values.customization.release.mariadb }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.mariadb.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.mariadb.enabled }}
     timeout: 900
 
   - name: "postfix"
@@ -145,10 +144,10 @@ releases:
     version: "{{ .Values.charts.postfix.version }}"
     values:
       - "values-postfix.yaml.gotmpl"
-      {{ range .Values.customization.release.postfix }}
+      {{- range .Values.customization.release.postfix }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.postfix.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.postfix.enabled }}
     timeout: 900
 
   - name: "opendesk-dkimpy-milter"
@@ -156,10 +155,10 @@ releases:
     version: "{{ .Values.charts.dkimpy.version }}"
     values:
       - "values-dkimpy.yaml.gotmpl"
-      {{ range .Values.customization.release.opendeskDkimpyMilter }}
+      {{- range .Values.customization.release.opendeskDkimpyMilter }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.dkimpy.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.dkimpy.enabled }}
     timeout: 900
 
   - name: "clamav"
@@ -167,10 +166,10 @@ releases:
     version: "{{ .Values.charts.clamav.version }}"
     values:
       - "values-clamav-distributed.yaml.gotmpl"
-      {{ range .Values.customization.release.clamav }}
+      {{- range .Values.customization.release.clamav }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.clamavDistributed.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.clamavDistributed.enabled }}
     timeout: 900
 
   - name: "clamav-simple"
@@ -178,10 +177,10 @@ releases:
     version: "{{ .Values.charts.clamavSimple.version }}"
     values:
       - "values-clamav-simple.yaml.gotmpl"
-      {{ range .Values.customization.release.clamavSimple }}
+      {{- range .Values.customization.release.clamavSimple }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.clamavSimple.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.clamavSimple.enabled }}
     timeout: 900
 
   - name: "minio"
@@ -189,10 +188,10 @@ releases:
     version: "{{ .Values.charts.minio.version }}"
     values:
       - "values-minio.yaml.gotmpl"
-      {{ range .Values.customization.release.minio }}
+      {{- range .Values.customization.release.minio }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.minio.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.minio.enabled }}
     timeout: 900
 
   # openDesk Enterprise Releases
@@ -200,10 +199,11 @@ releases:
     chart: "cassandra-repo/{{ .Values.charts.cassandra.name }}"
     version: "{{ .Values.charts.cassandra.version }}"
     values:
-      {{ range .Values.customization.release.cassandra }}
+      - "values-cassandra.yaml.gotmpl"
+      {{- range .Values.customization.release.cassandra }}
       - {{ . }}
-      {{ end }}
-    installed: {{ .Values.cassandra.enabled }}
+      {{- end }}
+    installed: {{ .Values.apps.cassandra.enabled }}
     timeout: 900
 
 commonLabels:

helmfile/apps/services-external/helmfile.yaml.gotmpl

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
-  - "../../bases/environments.yaml"
+  - "../../bases/environments.yaml.gotmpl"
 ---
 helmfiles:
   - path: "./helmfile-child.yaml.gotmpl"

helmfile/apps/services-external/values-cassandra.yaml.gotmpl

@@ -0,0 +1,102 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+containerSecurityContext:
+  enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 1001
+  runAsNonRoot: true
+  runAsUser: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.cassandra | toYaml | nindent 4 }}
+
+dbUser:
+  user: "root"
+  password: {{ .Values.secrets.cassandra.rootPassword | quote }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
+  repository: {{ .Values.images.cassandra.repository | quote }}
+  tag: {{ .Values.images.cassandra.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+initDB:
+  initUserData.cql: >
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
+
+# Will print a warning if unset but is automatically calculated:
+jvm:
+  maxHeapSize: ""
+  newHeapSize: ""
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 60
+  periodSeconds: 30
+  timeoutSeconds: 30
+  successThreshold: 1
+  failureThreshold: 5
+
+metrics:
+  enabled: false
+  image:
+    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandraExporter.registry | quote }}
+    repository: {{ .Values.images.cassandraExporter.repository | quote }}
+    tag: {{ .Values.images.cassandraExporter.tag | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+persistence:
+  commitLogsize: {{ .Values.persistence.storages.cassandra.commitLogsize | quote }}
+  size: {{ .Values.persistence.storages.cassandra.size | quote }}
+  storageClass: {{ coalesce .Values.persistence.storages.cassandra.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
+
+podAnnotations: {}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "Always"
+  supplementalGroups: []
+  sysctls: []
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 60
+  periodSeconds: 10
+  timeoutSeconds: 30
+  successThreshold: 1
+  failureThreshold: 5
+
+replicaCount: {{ .Values.replicas.cassandra }}
+
+resources:
+  {{ .Values.resources.cassandra | toYaml | nindent 2 }}
+
+startupProbe:
+  enabled: false
+  initialDelaySeconds: 0
+  periodSeconds: 10
+  timeoutSeconds: 5
+  successThreshold: 1
+  failureThreshold: 60
+...