chore(release): 1.7.0 [skip ci]

# [1.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.6.0...v1.7.0) (2025-08-11)

### Bug Fixes

* **collabora:** Connect to Collabora Controller websocket via service ([5d01f60](5d01f6023d))
* **collabora:** Update from 25.04.2 to 25.04.3 ([3507c62](3507c62f83))
* **helmfile:** Adds default-enterprise-overrides to default values in helmfile-generic ([672e649](672e649b60))
* **nextcloud:** Block filesystem-unsafe characters in file and folder names ([0df6212](0df6212ca9))
* **nextcloud:** Include latest Helm chart version with supports `configuration.sharing.restrictUserEnumerationToGroup` ([c3dfa2a](c3dfa2a607))
* **notes:** Set Pod Disruption Budget (PDB) labels ([e35dac0](e35dac087a))
* **nubus:** Add `livenessProbe` for `nubusUdmListener` to mitigate cases where the listener becomes uninitialized and stops forwarding provisioning data to NATS. Temporary until upstream provides a probe ([ef8d67f](ef8d67f3c1))
* **open-xchange:** Disable documents role ([573e11f](573e11f5c5))
* **open-xchange:** Postfix to support submissions and external secrets ([13ab665](13ab665900))
* **open-xchange:** Support application specific passwords in groupware when CalDAV/CardDAV support is enabled, see `functional.groupware.davSupport.enabled` for reference ([90b2290](90b22904da))
* **open-xchange:** Use dedicated pod for migration ([6fd52b1](6fd52b167e))
* **opendesk-certificates:** Update Helm chart to remove default host for `webmail` being set even if OX App Suite is not enabled ([09a0aac](09a0aace45))
* **opendesk-services:** Update opendesk-alerts from 1.1.1 to 1.1.2, update opendesk-dashboards from 1.1.1 to 1.1.2 ([174d4fc](174d4fc61c))
* **openproject:** Update from 16.2.0 to 16.2.1 ([bba9b71](bba9b716a3))
* **ox-connector:** Update OX Connector and OX Extension to v0.27.2; review `migrations.md` for required upgrade steps ([9d51e40](9d51e40063))

### Features

* **nextcloud:** Enhance theming options for Nextcloud ([bdc7331](bdc7331cb5))
* **notes:** Switch to new Helm chart with support for self-signed deployments; review `migrations.md` for required upgrade steps ([3106ca7](3106ca793e))
* **nubus:** Allow configuration of limits for password reset requests via `security.passwordResetLimits` ([09f54b4](09f54b4134))
* **nubus:** Update from 1.11.2 to 1.12.0 ([5537dbb](5537dbbd7c))
* **open-xchange:** Update from 8.38 to 8.39 ([489986e](489986e906))
* **open-xchange:** Use internal endpoint for provisioning and support for optionally spinning up a dedicated internal Pod just for provisioning (see `technial.oxAppSuite.provisioning.dedicatedCoreMwPod` for details) ([31b7ec7](31b7ec7827))
* **openproject:** Update from 16.1.1 to 16.2.0 ([e273abb](e273abbecf))

.gitlab-ci.yml

@@ -404,7 +404,7 @@ db-cleanup:
       done;
     # Cleanup Objectstore
     - |
-      export BUCKETS="migrations nextcloud openproject nubus notes openxchange"
+      export BUCKETS="migrations nextcloud openproject nubus notes openxchange dovecot"
       export AWS_DEFAULT_REGION=""
       export AWS_ENDPOINT=""
       export AWS_ACCESS_KEY_ID=""

CHANGELOG.md

@@ -1,3 +1,35 @@
+# [1.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.6.0...v1.7.0) (2025-08-11)
+
+
+### Bug Fixes
+
+* **collabora:** Connect to Collabora Controller websocket via service ([5d01f60](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5d01f6023d6d300e106cc86dfca09a4ae388f4ca))
+* **collabora:** Update from 25.04.2 to 25.04.3 ([3507c62](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3507c62f832556c5d76e7a5b206acbdbcaca37a8))
+* **helmfile:** Adds default-enterprise-overrides to default values in helmfile-generic ([672e649](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/672e649b608fa03f04834837f13c360a08e8eb6c))
+* **nextcloud:** Block filesystem-unsafe characters in file and folder names ([0df6212](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0df6212ca9399d39bedc30c064cbae80c2684e44))
+* **nextcloud:** Include latest Helm chart version with supports `configuration.sharing.restrictUserEnumerationToGroup` ([c3dfa2a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c3dfa2a6075ae388764acbb20bd8282a64183ed3))
+* **notes:** Set Pod Disruption Budget (PDB) labels ([e35dac0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e35dac087aac54f545d361dee881196b264af906))
+* **nubus:** Add `livenessProbe` for `nubusUdmListener` to mitigate cases where the listener becomes uninitialized and stops forwarding provisioning data to NATS. Temporary until upstream provides a probe ([ef8d67f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ef8d67f3c1525de6f958ac7a8893b4b30ea3f7dc))
+* **open-xchange:** Disable documents role ([573e11f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/573e11f5c5103ee5906b0168317054a7e5a22e87))
+* **open-xchange:** Postfix to support submissions and external secrets ([13ab665](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/13ab6659001abf5b6c683bf6a9309972ef7412b3))
+* **open-xchange:** Support application specific passwords in groupware when CalDAV/CardDAV support is enabled, see `functional.groupware.davSupport.enabled` for reference ([90b2290](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/90b22904dab0195f505021beb785317f8969ff7d))
+* **open-xchange:** Use dedicated pod for migration ([6fd52b1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6fd52b167eeed5c7e9eda2a21b209680131380ee))
+* **opendesk-certificates:** Update Helm chart to remove default host for `webmail` being set even if OX App Suite is not enabled ([09a0aac](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/09a0aace45227b60e9b39671e747958bd339c8c9))
+* **opendesk-services:** Update opendesk-alerts from 1.1.1 to 1.1.2, update opendesk-dashboards from 1.1.1 to 1.1.2 ([174d4fc](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/174d4fc61cbb718818015779012fa65353987f3c))
+* **openproject:** Update from 16.2.0 to 16.2.1 ([bba9b71](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bba9b716a3fdf915bfc2925f1c27fe91494edcb0))
+* **ox-connector:** Update OX Connector and OX Extension to v0.27.2; review `migrations.md` for required upgrade steps ([9d51e40](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9d51e40063d73226fc8a25365cbfa92ff09f0910))
+
+
+### Features
+
+* **nextcloud:** Enhance theming options for Nextcloud ([bdc7331](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bdc7331cb59da96941c3250625af3cb5f9b12e15))
+* **notes:** Switch to new Helm chart with support for self-signed deployments; review `migrations.md` for required upgrade steps ([3106ca7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3106ca793ee1e0021f7c03e620873c49adb54199))
+* **nubus:** Allow configuration of limits for password reset requests via `security.passwordResetLimits` ([09f54b4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/09f54b41347ff5c90064c8d4c2c6a9db7f05d54c))
+* **nubus:** Update from 1.11.2 to 1.12.0 ([5537dbb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5537dbbd7cb93dcb2aeafe9017c68a89d2e19293))
+* **open-xchange:** Update from 8.38 to 8.39 ([489986e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/489986e906e828f3877e7a9087541f10c5bbfe8c))
+* **open-xchange:** Use internal endpoint for provisioning and support for optionally spinning up a dedicated internal Pod just for provisioning (see `technial.oxAppSuite.provisioning.dedicatedCoreMwPod` for details) ([31b7ec7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31b7ec78274e5a901b51aaaeed01e6ac82298b73))
+* **openproject:** Update from 16.1.1 to 16.2.0 ([e273abb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e273abbecf58b098e76c49e1763b4c3074bf5cec))
+
 # [1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.5.0...v1.6.0) (2025-07-14)
 
 

README.md

@@ -43,7 +43,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.12.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.12.html#version-1-12-0-2025-07-31)      | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.2.1](https://www.openproject.org/docs/release-notes/16-2-1/)                                                             | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                        | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
-| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.2](https://www.collaboraoffice.com/code-25-04-release-notes/)                                                         | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
+| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.3](https://www.collaboraoffice.com/code-25-04-release-notes/)                                                         | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 
 While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.

docs/baseline-requirements.md

@@ -66,8 +66,8 @@ All parts of openDesk Community Edition must be open source with source code (al
 
 openCode provides some boundaries when it comes to open source license compliance openDesk has to adhere to:
 
-- The components must be published under a license listed in the [openCode license allow list](https://wikijs.opencode.de/de/Hilfestellungen_und_Richtlinien/Lizenzcompliance#h-2-open-source-lizenzliste).
-- Delivered artifacts (container images) must contain only components licensed under the aforementioned allow list. A container must not contain any artifact using a license from the [openCode license block list](https://wikijs.opencode.de/de/Hilfestellungen_und_Richtlinien/Lizenzcompliance#h-3-negativliste-aller-nicht-freigegebenen-lizenzen).
+- The components must be published under a license listed in the [openCode license allow list](https://opencode.de/de/wissen/rechtssichere-nutzung/open-source-lizenzen).
+- Delivered artifacts (container images) must contain only components licensed under the aforementioned allow list. A container must not contain any artifact using a license from the [openCode license block list](https://opencode.de/de/wissen/rechtssichere-nutzung/open-source-lizenzen#3.-Negativliste-aller-nicht-freigegebenen-Lizenzen).
 
 Deviations from the above requirements must be documented in the openDesk license deviation report.
 

docs/external-secrets.md

@@ -1,40 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
--->
-
-<h1>External Secrets</h1>
-
-This document covers how to utilise external secrets and special requirements.
-
-<!-- TOC -->
-* [General](#general)
-* [Components](#components)
-  * [MinIO](#minio)
-<!-- TOC -->
-
-# General
-
-For most components when set the external secret will supersede e.g. a password in a `values.yaml` file.
-
-The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk.
-
-# Components
-
-This section covers information and special requirements to external secrets that some Helm Charts expect.
-
-## MinIO
-
-Like described in the [upstream `values.yaml`](https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml#L1595) credentials and information about a user in external secrets listed in `usersExistingSecrets` have to be formatted as follows:
-
-```yaml
-stringData:
-  username1: |
-    username=test-username
-    password=test-password
-    disabled=false
-    policies=readwrite,consoleAdmin,diagnostics
-    setPolicies=fa
-```
-
-Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them.

docs/security-context.md

@@ -172,9 +172,9 @@ This list gives you an overview of templated security settings and if they compl
 | **nextcloud**/opendesk-nextcloud-notifypush | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/aio | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **notes**/impress/backend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **notes**/impress/frontend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **notes**/impress/yProvider | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/backend | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
+| **notes**/impress/frontend | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
+| **notes**/impress/y-provider | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
 | **nubus**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/intercom-service/provisioning | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
 | **nubus**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |

docs/security.md

@@ -1,5 +1,4 @@
 <!--
-SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
@@ -12,7 +11,6 @@ This document covers the current status of security measures.
 * [Helm Chart Trust Chain](#helm-chart-trust-chain)
 * [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
 * [NetworkPolicies](#networkpolicies)
-* [External Secrets](#external-secrets)
 <!-- TOC -->
 
 # Helm Chart Trust Chain
@@ -51,9 +49,3 @@ security:
   otterizeIntents:
     enabled: true
 ```
-
-# External Secrets
-
-We urge you to use external secrets for your confidential credentials.
-
-For further explanation and documentation please visit [External Secrets](./docs/external-secrets.md).

helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl

@@ -32,7 +32,9 @@ imagePullSecrets:
 ingress:
   enabled: {{ .Values.ingress.enabled }}
   annotations:
-    {{ .Values.annotations.coco.ingress | toYaml | nindent 4 }}
+    {{- with .Values.annotations.coco.ingress }}
+    {{ . | toYaml | nindent 4 }}
+    {{- end }}
   className: {{ .Values.ingress.ingressClassName | quote }}
   hosts:
     - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"

helmfile/apps/collabora/values.yaml.gotmpl

@@ -30,7 +30,7 @@ collabora:
     {{- end }}
     {{- if .Values.apps.collaboraController.enabled }}
     --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
-    --o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws
+    --o:monitors.monitor[0]=ws://collabora-controller-cool-controller:9000/controller/ws
     --o:monitors.monitor[0][@retryInterval]=5
     {{- end }}
   username: "collabora-internal-admin"
@@ -77,8 +77,8 @@ ingress:
     # HAProxy
     haproxy.org/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
     haproxy.org/backend-config-snippet: |
-       balance url_param WOPISrc check_post
-       hash-type consistent
+      balance url_param WOPISrc check_post
+      hash-type consistent
     # HAProxy - Community: https://haproxy-ingress.github.io/
     haproxy-ingress.github.io/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
     haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
@@ -89,9 +89,9 @@ ingress:
       acl admin_url path_beg /cool/adminws/
       acl admin_url path_beg /browser/dist/admin/admin.html
       http-request deny if admin_url
-   {{- with .Values.annotations.collabora.ingress }}
-   {{ . | toYaml | nindent 4 }}
-   {{- end }}
+    {{- with .Values.annotations.collabora.ingress }}
+    {{ . | toYaml | nindent 4 }}
+    {{- end }}
   enabled: {{ .Values.ingress.enabled }}
   className: {{ .Values.ingress.ingressClassName | quote }}
   hosts:

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -322,7 +322,7 @@ patchJVB:
       {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
   image:
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.jitsiPatchJVB.registry | quote }}
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsiPatchJVB.registry | quote }}
     repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
     tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
 

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -1128,6 +1128,13 @@ nubusProvisioning:
 
 nubusUdmListener:
   enabled: true
+  # Temporary local liveness probe, should be removed once available in the upstream Nubus Helm chart
+  livenessProbe:
+    exec:
+      command:
+        - sh
+        - -c
+        - 'grep -E "^[13]$" /var/lib/univention-directory-listener/handlers/ldap_listener'
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:

helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl

@@ -8,7 +8,7 @@ image:
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 imageInitCassandra:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
   repository: {{ .Values.images.cassandra.repository | quote }}
   tag: {{ .Values.images.cassandra.tag | quote }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -377,6 +377,9 @@ appsuite:
         open-xchange-admin-soap-usercopy: "disabled"
         open-xchange-admin-user-copy: "disabled"
         {{- end }}
+        {{- if .Values.functional.groupware.davSupport.enabled }}
+        open-xchange-authentication-application-storage-rdb: "enabled"
+        {{- end }}
     properties:
       com.openexchange.hostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
       com.openexchange.UIWebPath: "/appsuite/"
@@ -509,6 +512,12 @@ appsuite:
       com.openexchange.net.ssl.custom.truststore.path: "/etc/ssl/certs/truststore.jks"
       com.openexchange.net.ssl.custom.truststore.password: {{ .Values.secrets.certificates.password | quote }}
       {{- end }}
+      {{- if .Values.functional.groupware.davSupport.enabled }}
+      com.openexchange.authentication.application.appTypes: "caldav,carddav"
+      com.openexchange.authentication.application.enabled: "true"
+      com.openexchange.authentication.application.storage.rdb.loginNameSource: "mail"
+      com.openexchange.authentication.application.storage.rdb.contextLookupNamePart: "full"
+      {{- end }}
     {{- if .Values.certificate.selfSigned }}
     extraEnv:
     - name: "JAVA_OPTS_APPEND"
@@ -641,6 +650,20 @@ appsuite:
     initContainer:
       resources:
         {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 8 }}
+    {{- if .Values.functional.groupware.davSupport.enabled }}
+    yamlFiles:
+      app-password-apps.yml:
+        caldav:
+          displayName_t10e: "Calendar Client (CalDAV)"
+          restrictedScopes: [dav,read_caldav,write_caldav]
+          requiredCapabilities: [caldav]
+          sortOrder: 30
+        carddav:
+          displayName_t10e: "Addressbook Client (CardDAV)"
+          restrictedScopes: [dav,read_carddav,write_carddav]
+          requiredCapabilities: [carddav]
+          sortOrder: 40
+    {{- end }}
 
   core-ui:
     enabled: true

helmfile/apps/opendesk-services/values-opendesk-alerts.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 additionalAnnotations:
@@ -7,44 +7,5 @@ additionalLabels:
   {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 2 }}
 
 config:
-  collabora:
-    enable: {{ .Values.apps.collabora.enabled }}
-    selectors:
-      namespace: {{ .Values.apps.collabora.namespace | quote }}
-  matrix:
-    enable: {{ .Values.apps.element.enabled }}
-    selectors:
-      namespace: {{ .Values.apps.element.namespace | quote }}
-  diagrams:
-    enable: {{ .Values.apps.cryptpad.enabled }}
-    selectors:
-      namespace: {{ .Values.apps.cryptpad.namespace | quote }}
-  nextcloud:
-    enable: {{ .Values.apps.nextcloud.enabled }}
-    selectors:
-      namespace: {{ .Values.apps.nextcloud.namespace | quote }}
-  openXChange:
-    enable: {{ .Values.apps.oxAppSuite.enabled }}
-    selectors:
-      namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
-  xwiki:
-    enable: {{ .Values.apps.xwiki.enabled }}
-    selectors:
-      namespace: {{ .Values.apps.xwiki.namespace | quote }}
-  nubus:
-    enable: {{ .Values.apps.nubus.enabled }}
-    selectors:
-      namespace: {{ .Values.apps.nubus.namespace | quote }}
-  openProject:
-    enable: {{ .Values.apps.openproject.enabled }}
-    selectors:
-      namespace: {{ .Values.apps.openproject.namespace | quote }}
-  jitsi:
-    enable: {{ .Values.apps.jitsi.enabled }}
-    selectors:
-      namespace: {{ .Values.apps.jitsi.namespace | quote }}
-  collabora:
-    enable: {{ .Values.apps.collabora.enabled }}
-    selectors:
-      namespace: {{ .Values.apps.collabora.namespace | quote }}
+  {{ .Values.apps | toYaml | nindent 2 }}
 

helmfile/apps/opendesk-services/values-opendesk-dashboards.yaml.gotmpl

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -8,45 +8,5 @@ additionalLabels:
   {{ .Values.monitoring.grafana.dashboards.labels | toYaml | nindent 2 }}
 
 config:
-  apps:
-    collabora:
-      enable: {{ .Values.apps.collabora.enabled }}
-      selectors:
-        namespace: {{ .Values.apps.collabora.namespace | quote }}
-    matrixElement:
-      enable: {{ .Values.apps.element.enabled }}
-      selectors:
-        namespace: {{ .Values.apps.element.namespace | quote }}
-    diagrams:
-      enable: {{ .Values.apps.cryptpad.enabled }}
-      selectors:
-        namespace: {{ .Values.apps.cryptpad.namespace | quote }}
-    nextcloud:
-      enable: {{ .Values.apps.nextcloud.enabled }}
-      selectors:
-        namespace: {{ .Values.apps.nextcloud.namespace | quote }}
-    openxchange:
-      enable: {{ .Values.apps.oxAppSuite.enabled }}
-      selectors:
-        namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
-    xwiki:
-      enable: {{ .Values.apps.xwiki.enabled }}
-      selectors:
-        namespace: {{ .Values.apps.xwiki.namespace | quote }}
-    nubus:
-      enable: {{ .Values.apps.nubus.enabled }}
-      selectors:
-        namespace: {{ .Values.apps.nubus.namespace | quote }}
-    openproject:
-      enable: {{ .Values.apps.openproject.enabled }}
-      selectors:
-        namespace: {{ .Values.apps.openproject.namespace | quote }}
-    jitsi:
-      enable: {{ .Values.apps.jitsi.enabled }}
-      selectors:
-        namespace: {{ .Values.apps.jitsi.namespace | quote }}
-    collabora:
-      enable: {{ .Values.apps.collabora.enabled }}
-      selectors:
-        namespace: {{ .Values.apps.collabora.namespace | quote }}
+  {{ .Values.apps | toYaml | nindent 2 }}
 ...

helmfile/apps/services-external/values-cassandra.yaml.gotmpl

@@ -26,7 +26,7 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
   repository: {{ .Values.images.cassandra.repository | quote }}
   tag: {{ .Values.images.cassandra.tag | quote }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -62,7 +62,7 @@ livenessProbe:
 metrics:
   enabled: false
   image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandraExporter.registry | quote }}
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.cassandraExporter.registry | quote }}
     repository: {{ .Values.images.cassandraExporter.repository | quote }}
     tag: {{ .Values.images.cassandraExporter.tag | quote }}
     pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/services-external/values-memcached.yaml.gotmpl

@@ -28,7 +28,7 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.memcached.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.memcached.registry | quote }}
   repository: {{ .Values.images.memcached.repository | quote }}
   tag: {{ .Values.images.memcached.tag | quote }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/services-external/values-minio.yaml.gotmpl

@@ -19,9 +19,6 @@ apiIngress:
 
 auth:
   rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
-  existingSecret: {{ .Values.externalSecrets.minio.existingSecret | quote }}
-  rootUserSecretKey: {{ .Values.externalSecrets.minio.rootUserSecretKey | quote }}
-  rootPasswordSecretKey: {{ .Values.externalSecrets.minio.rootPasswordSecretKey | quote }}
 
 commonAnnotations:
   {{ .Values.annotations.servicesExternalMinio.common | toYaml | nindent 2 }}
@@ -49,7 +46,7 @@ global:
     allowInsecureImages: true
 
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.minio.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.minio.registry | quote }}
   repository: {{ .Values.images.minio.repository | quote }}
   tag: {{ .Values.images.minio.tag | quote }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -57,7 +54,7 @@ image:
 volumePermissions:
   enabled: true
   image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.minio.registry | quote }}
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.minio.registry | quote }}
     repository: {{ .Values.images.bitnamiOSShell.repository | quote }}
     tag: {{ .Values.images.bitnamiOSShell.tag | quote }}
     pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -225,7 +222,6 @@ provisioning:
           actions:
             - "s3:*"
     {{- end }}
-  {{- if not .Values.externalSecrets.minio.usersExistingSecrets }}
   users:
     - username: {{ .Values.objectstores.migrations.username | quote }}
       password: {{ .Values.secrets.minio.migrationsUser | quote }}
@@ -271,9 +267,6 @@ provisioning:
         - "dovecot-bucket-policy"
       setPolicies: true
     {{- end }}
-  {{- else }}
-  usersExistingSecrets: {{ .Values.externalSecrets.minio.usersExistingSecrets }}
-  {{- end }}
   resources:
     {{ .Values.resources.minio | toYaml | nindent 4 }}
 

helmfile/apps/services-external/values-redis.yaml.gotmpl

@@ -16,7 +16,7 @@ global:
   storageClass: {{ coalesce .Values.persistence.storages.redis.storageClassName .Values.persistence.storageClassNames.RWO | quote }}
 
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.redis.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.redis.registry | quote }}
   repository: {{ .Values.images.redis.repository | quote }}
   tag: {{ .Values.images.redis.tag | quote }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -5,7 +5,8 @@ images:
   collabora:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.2.3.1@sha256:b6dbe27d7242488dfdb400219abbc6c97fb83df029975e1127f52abc8444475e"
+    tag: "25.04.3.4.1@sha256:929ce210bb1ff46275af64e94ce02ab0a0470572eba8251ad35b8b4296c3a171"
+
   dovecot:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"

helmfile/environments/default/charts.yaml.gotmpl

@@ -56,7 +56,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
-    version: "1.1.41"
+    version: "1.1.45"
     verify: true
   collaboraController:
     # Enterprise Component
@@ -84,8 +84,6 @@ charts:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry.opencode.de"
     # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter/opendesk-dkimpy-milter"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "0", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter"
     name: "opendesk-dkimpy-milter"
@@ -301,7 +299,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress"
     name: "impress"
-    version: "1.0.0"
+    version: "1.0.1"
     verify: true
   nubus:
     # providerCategory: "Supplier"
@@ -323,7 +321,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-alerts"
     name: "opendesk-alerts"
-    version: "1.1.1"
+    version: "1.1.2"
     verify: true
   opendeskDashboards:
     # providerCategory: "Platform"
@@ -333,7 +331,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dashboards"
     name: "opendesk-dashboards"
-    version: "1.1.1"
+    version: "1.1.2"
     verify: true
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"

helmfile/environments/default/external_secrets.yaml.gotmpl

@@ -1,12 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-externalSecrets:
-  minio:
-    existingSecret: ~
-    rootUserSecretKey: ~
-    rootPasswordSecretKey: ~
-    usersExistingSecrets: []
-...

helmfile/environments/default/images.yaml.gotmpl

@@ -10,25 +10,31 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/os-shell"
-    registry: "registry-1.docker.io"
-    repository: "bitnami/os-shell"
-    tag: "12-debian-12-r44@sha256:6388c7c27a09472906e2f2094410c9ffdadf23b4b242293ce023d0314ec10920"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)-debian-(\d+)-r(\d+)$'
+    # upstreamMirrorStartFrom: ["12", "12", "44"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/community/images-mirror/os-shell"
+    tag: "12-debian-12-r44@sha256:e0eab38c4e2e2ebfc9043bc9bc482109ec5cca3123154c1af8e040ea23c5ce98"
   cassandra:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/cassandra"
-    registry: "registry-1.docker.io"
-    repository: "bitnami/cassandra"
-    tag: "5.0.4-debian-12-r4@sha256:9d909ebe10802dae2fb99ef7c8e9e0dbc496c8d30366e2f7abbe0713b945fa7d"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
+    # upstreamMirrorStartFrom: ["5", "0", "4", "12", "4"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/community/images-mirror/cassandra"
+    tag: "5.0.4-debian-12-r4@sha256:93be59e318070e5c1d515c2b5840e9e07babfbac845b2c9bcc1cdf8efda6bb18"
   cassandraExporter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/cassandra-exporter"
-    registry: "registry-1.docker.io"
-    repository: "bitnami/cassandra-exporter"
-    tag: "2.3.8-debian-12-r46@sha256:e44c65f08d85153041f68bcf180f948341d74018eef8b56e8869ed87fdfd34f0"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
+    # upstreamMirrorStartFrom: ["2", "3", "8", "12", "46"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/community/images-mirror/cassandra-exporter"
+    tag: "2.3.8-debian-12-r46@sha256:3b460a6287f24ef96626439825c9e3fa822784d802209f38c7541d8289eb51d8"
   clamd:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -44,7 +50,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.2.2.1@sha256:03ec7f7740c5030eeb4f642c41fa0b9989d7a0dab81435a86b5c82479d0f78e2"
+    tag: "25.04.3.2.1@sha256:e2940b19d855bf6e557c445aaf5b2b7db978af9aeae7e6400bfcc99411dd8bb9"
   collaboraController:
     # Enterprise Component
     # providerCategory: "Supplier"
@@ -210,8 +216,10 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/kubectl"
-    registry: "registry-1.docker.io"
-    repository: "bitnami/kubectl"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "32", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/community/images-mirror/kubectl"
     tag: "1.32.0@sha256:48c81b7aaf4fabf2733a0b888960f6982181fbcd2c3f8dfcebc4a1a065631162"
   jvb:
     # providerCategory: "Supplier"
@@ -286,9 +294,11 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/memcached"
-    registry: "registry-1.docker.io"
-    repository: "bitnami/memcached"
-    tag: "1.6.38-debian-12-r3@sha256:3e548fba727578be9d996262471f5f3e07726d625702d26743a5e0f34684cb21"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "6", "38", "12", "3"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/community/images-mirror/memcached"
+    tag: "1.6.38-debian-12-r3@sha256:ea35c7d38b5e080a900991220323e31539b2877069d8aa4dc6814fe384e3c0da"
   migrations:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -310,9 +320,11 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/minio"
-    registry: "registry-1.docker.io"
-    repository: "bitnami/minio"
-    tag: "2025.4.22-debian-12-r1@sha256:d7cd0e172c4cc0870f4bdc3142018e2a37be9acf04d68f386600daad427e0cab"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
+    # upstreamMirrorStartFrom: ["2025", "4", "22", "12", "1"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/community/images-mirror/minio"
+    tag: "2025.4.22-debian-12-r1@sha256:b5c26fa4a2cc2abffe096a54d9e7fd3976d72e38bd2186338b1a06d66c63e651"
   nextcloud:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -936,9 +948,11 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/redis"
-    registry: "registry-1.docker.io"
-    repository: "bitnami/redis"
-    tag: "7.4.3-debian-12-r0@sha256:a25b5d07a14ec13730022c7cd9bab6308d55ccd86b74af7315553c17be884889"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
+    # upstreamMirrorStartFrom: ["7", "4", "3", "12", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/community/images-mirror/redis"
+    tag: "7.4.3-debian-12-r0@sha256:fbdf361bbb6a17be28913fb9e4a1cfe3244331d2cbf449ecfe7a1fbbab02efc4"
   synapse:
     # providerCategory: "Supplier"
     # providerResponsible: "Element"

publiccode.yml

@@ -22,8 +22,8 @@ name: "openDesk"
 platforms:
   - "web"
 developmentStatus: "stable"
-softwareVersion: "1.6.0"
-releaseDate: "2025-07-14"
+softwareVersion: "1.7.0"
+releaseDate: "2025-08-11"
 softwareType: "standalone/web"
 url: "https://gitlab.opencode.de/bmi/opendesk/"
 logo: ".opencode/openDesk-logo-rgb-color.svg"