fix(opendesk-static-files): Bump chart version to comply with ingress-nginx security defaults.

fix(element): Bump opendesk-well-known chart version, to comply with nginx security defaults
fix(opendesk-home): Bump chart version to comply with nginx security defaults.
2025-12-06 07:21:36 +01:00 · 2025-08-06 15:56:31 +02:00 · 2025-08-06 15:56:31 +02:00 · 2025-08-05 06:50:56 +00:00 · 2025-08-03 14:52:16 +00:00 · 2025-08-03 13:12:44 +00:00
25 changed files with 141 additions and 286 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -385,8 +385,7 @@ db-cleanup:
          "STACKIT")
            # In case of STACKIT resources the db content should just be dropped
            echo "[psql] [${ENV_DATABASE}] DROP OWNED BY ${PGUSER} in ${POSTGRES_DATABASE} on ${PGHOST}"
-            PGDATABASE=${POSTGRES_DATABASE} # env var PGDATABASE is interpreted by psql
-            psql -c "DROP OWNED BY ${PGUSER};" || true;
+            psql -c "DROP OWNED BY ${PGUSER}" || true;
            ;;
          "RUN")
            # Usually, e.g. in "RUN" cluster, databases can simply be dropped and recreated
@@ -404,7 +403,7 @@ db-cleanup:
      done;
    # Cleanup Objectstore
    - |
-      export BUCKETS="migrations nextcloud openproject nubus notes openxchange dovecot"
+      export BUCKETS="migrations nextcloud openproject nubus notes"
      export AWS_DEFAULT_REGION=""
      export AWS_ENDPOINT=""
      export AWS_ACCESS_KEY_ID=""
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,35 +1,3 @@
-# [1.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.6.0...v1.7.0) (2025-08-11)
-
-
-### Bug Fixes
-
-* **collabora:** Connect to Collabora Controller websocket via service ([5d01f60](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5d01f6023d6d300e106cc86dfca09a4ae388f4ca))
-* **collabora:** Update from 25.04.2 to 25.04.3 ([3507c62](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3507c62f832556c5d76e7a5b206acbdbcaca37a8))
-* **helmfile:** Adds default-enterprise-overrides to default values in helmfile-generic ([672e649](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/672e649b608fa03f04834837f13c360a08e8eb6c))
-* **nextcloud:** Block filesystem-unsafe characters in file and folder names ([0df6212](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0df6212ca9399d39bedc30c064cbae80c2684e44))
-* **nextcloud:** Include latest Helm chart version with supports `configuration.sharing.restrictUserEnumerationToGroup` ([c3dfa2a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c3dfa2a6075ae388764acbb20bd8282a64183ed3))
-* **notes:** Set Pod Disruption Budget (PDB) labels ([e35dac0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e35dac087aac54f545d361dee881196b264af906))
-* **nubus:** Add `livenessProbe` for `nubusUdmListener` to mitigate cases where the listener becomes uninitialized and stops forwarding provisioning data to NATS. Temporary until upstream provides a probe ([ef8d67f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ef8d67f3c1525de6f958ac7a8893b4b30ea3f7dc))
-* **open-xchange:** Disable documents role ([573e11f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/573e11f5c5103ee5906b0168317054a7e5a22e87))
-* **open-xchange:** Postfix to support submissions and external secrets ([13ab665](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/13ab6659001abf5b6c683bf6a9309972ef7412b3))
-* **open-xchange:** Support application specific passwords in groupware when CalDAV/CardDAV support is enabled, see `functional.groupware.davSupport.enabled` for reference ([90b2290](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/90b22904dab0195f505021beb785317f8969ff7d))
-* **open-xchange:** Use dedicated pod for migration ([6fd52b1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6fd52b167eeed5c7e9eda2a21b209680131380ee))
-* **opendesk-certificates:** Update Helm chart to remove default host for `webmail` being set even if OX App Suite is not enabled ([09a0aac](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/09a0aace45227b60e9b39671e747958bd339c8c9))
-* **opendesk-services:** Update opendesk-alerts from 1.1.1 to 1.1.2, update opendesk-dashboards from 1.1.1 to 1.1.2 ([174d4fc](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/174d4fc61cbb718818015779012fa65353987f3c))
-* **openproject:** Update from 16.2.0 to 16.2.1 ([bba9b71](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bba9b716a3fdf915bfc2925f1c27fe91494edcb0))
-* **ox-connector:** Update OX Connector and OX Extension to v0.27.2; review `migrations.md` for required upgrade steps ([9d51e40](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9d51e40063d73226fc8a25365cbfa92ff09f0910))
-
-
-### Features
-
-* **nextcloud:** Enhance theming options for Nextcloud ([bdc7331](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bdc7331cb59da96941c3250625af3cb5f9b12e15))
-* **notes:** Switch to new Helm chart with support for self-signed deployments; review `migrations.md` for required upgrade steps ([3106ca7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3106ca793ee1e0021f7c03e620873c49adb54199))
-* **nubus:** Allow configuration of limits for password reset requests via `security.passwordResetLimits` ([09f54b4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/09f54b41347ff5c90064c8d4c2c6a9db7f05d54c))
-* **nubus:** Update from 1.11.2 to 1.12.0 ([5537dbb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5537dbbd7cb93dcb2aeafe9017c68a89d2e19293))
-* **open-xchange:** Update from 8.38 to 8.39 ([489986e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/489986e906e828f3877e7a9087541f10c5bbfe8c))
-* **open-xchange:** Use internal endpoint for provisioning and support for optionally spinning up a dedicated internal Pod just for provisioning (see `technial.oxAppSuite.provisioning.dedicatedCoreMwPod` for details) ([31b7ec7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31b7ec78274e5a901b51aaaeed01e6ac82298b73))
-* **openproject:** Update from 16.1.1 to 16.2.0 ([e273abb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e273abbecf58b098e76c49e1763b4c3074bf5cec))
-
 # [1.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.5.0...v1.6.0) (2025-07-14)


--- a/README.md
+++ b/README.md
@@ -41,9 +41,9 @@ openDesk currently features the following functional main components:
 | Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.39](https://documentation.open-xchange.com/appsuite/releases/8.39/)                                                       | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                             | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
 | Portal & IAM         | Nubus                       | AGPL-3.0-or-later                                                                      | [1.12.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.x/en/1.12.html#version-1-12-0-2025-07-31)      | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.2.1](https://www.openproject.org/docs/release-notes/16-2-1/)                                                             | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Project management   | OpenProject                 | GPL-3.0-only                                                                           | [16.2.0](https://www.openproject.org/docs/release-notes/16-2-0/)                                                             | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | Apache-2.0                                                                             | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                        | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
-| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.3](https://www.collaboraoffice.com/code-25-04-release-notes/)                                                         | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
+| Weboffice            | Collabora                   | MPL-2.0                                                                                | [25.04.2](https://www.collaboraoffice.com/code-25-04-release-notes/)                                                         | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |

 While not all components are perfectly designed for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/docs/baseline-requirements.md
+++ b/docs/baseline-requirements.md
@@ -66,8 +66,8 @@ All parts of openDesk Community Edition must be open source with source code (al

 openCode provides some boundaries when it comes to open source license compliance openDesk has to adhere to:

- The components must be published under a license listed in the [openCode license allow list](https://opencode.de/de/wissen/rechtssichere-nutzung/open-source-lizenzen).
- Delivered artifacts (container images) must contain only components licensed under the aforementioned allow list. A container must not contain any artifact using a license from the [openCode license block list](https://opencode.de/de/wissen/rechtssichere-nutzung/open-source-lizenzen#3.-Negativliste-aller-nicht-freigegebenen-Lizenzen).
+- The components must be published under a license listed in the [openCode license allow list](https://wikijs.opencode.de/de/Hilfestellungen_und_Richtlinien/Lizenzcompliance#h-2-open-source-lizenzliste).
+- Delivered artifacts (container images) must contain only components licensed under the aforementioned allow list. A container must not contain any artifact using a license from the [openCode license block list](https://wikijs.opencode.de/de/Hilfestellungen_und_Richtlinien/Lizenzcompliance#h-3-negativliste-aller-nicht-freigegebenen-lizenzen).

 Deviations from the above requirements must be documented in the openDesk license deviation report.

--- a/docs/external-secrets.md
+++ b/docs/external-secrets.md
@@ -1,38 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-License-Identifier: Apache-2.0
-->
-
-<h1>External Secrets</h1>
-
-This document covers how to utilise external secrets and special requirements.
-
-<!-- TOC -->
-* [General](#general)
-* [Components](#components)
-  * [Notes](#notes)
-<!-- TOC -->
-
-# General
-
-For most components when set the external secret will supersede e.g. a password in a `values.yaml` file.
-
-The file [`external_secrets.yaml`](/helmfile/environments/default/external_secrets.yaml.gotmpl) lists all possible references to external secrets that are currently implemented in openDesk.
-
-# Components
-
-This section covers information and special requirements to external secrets that some Helm Charts expect.
-
-## Notes
-
-There are some values that consist of more than just one secret part.
-
-```yaml
-backend:
-  configuration:
-    django:
-      superuserEmail:
-        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
-    redisUrl:
-      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
-```
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -12,7 +12,6 @@ SPDX-License-Identifier: Apache-2.0
 * [Manual checks/actions](#manual-checksactions)
  * [v1.7.0+](#v170)
    * [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170)
-    * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
      * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
    * [Post-upgrade to v1.7.0+](#post-upgrade-to-v170)
      * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
@@ -129,16 +128,6 @@ If you would like more details about the automated migrations, please read secti

 ### Pre-upgrade to v1.7.0+

-### Helmfile fix: Ensure enterprise overrides apply when deploying from project root
-
-**Target group:** All openDesk Enterprise deployments initiated from the project root using `helmfile_generic.yaml.gotmpl`
-
-Previously, the default values referenced in `helmfile_generic.yaml.gotmpl` did not include the necessary Enterprise overrides from `helmfile/environment/default-ee-overrides/`.
-
-As a result, when deploying openDesk Enterprise Edition from the project root, the correct Enterprise charts and images for Collabora, Nextcloud, OpenXchange, and Dovecot were not applied. This issue does not affect deployments started at the component level (e.g., `helmfile/apps/collabora`).
-
-Please verify that your deployment uses the correct Enterprise charts and images. If not, migrate to the Enterprise versions before upgrading to openDesk EE v1.7.0.
-
 #### Replace Helm chart: New Notes Helm chart with support for self-signed deployments

 **Target group:** All deployments that set `app.notes.enabled: true` (default is `false`).
--- a/docs/security-context.md
+++ b/docs/security-context.md
@@ -172,9 +172,9 @@ This list gives you an overview of templated security settings and if they compl
 | **nextcloud**/opendesk-nextcloud-notifypush | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/aio | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **notes**/impress/backend | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
-| **notes**/impress/frontend | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
-| **notes**/impress/y-provider | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no |
+| **notes**/impress/backend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/frontend | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
+| **notes**/impress/yProvider | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **nubus**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/intercom-service/provisioning | :x: | n/a | n/a | n/a | n/a | n/a | n/a | yes | no |
 | **nubus**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
--- a/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl
+++ b/helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl
@@ -32,9 +32,7 @@ imagePullSecrets:
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  annotations:
-    {{- with .Values.annotations.coco.ingress }}
-    {{ . | toYaml | nindent 4 }}
-    {{- end }}
+    {{ .Values.annotations.coco.ingress | toYaml | nindent 4 }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -30,7 +30,7 @@ collabora:
    {{- end }}
    {{- if .Values.apps.collaboraController.enabled }}
    --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
-    --o:monitors.monitor[0]=ws://collabora-controller-cool-controller:9000/controller/ws
+    --o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws
    --o:monitors.monitor[0][@retryInterval]=5
    {{- end }}
  username: "collabora-internal-admin"
@@ -77,8 +77,8 @@ ingress:
    # HAProxy
    haproxy.org/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
    haproxy.org/backend-config-snippet: |
-      balance url_param WOPISrc check_post
-      hash-type consistent
+       balance url_param WOPISrc check_post
+       hash-type consistent
    # HAProxy - Community: https://haproxy-ingress.github.io/
    haproxy-ingress.github.io/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
@@ -89,9 +89,9 @@ ingress:
      acl admin_url path_beg /cool/adminws/
      acl admin_url path_beg /browser/dist/admin/admin.html
      http-request deny if admin_url
-    {{- with .Values.annotations.collabora.ingress }}
-    {{ . | toYaml | nindent 4 }}
-    {{- end }}
+   {{- with .Values.annotations.collabora.ingress }}
+   {{ . | toYaml | nindent 4 }}
+   {{- end }}
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -322,7 +322,7 @@ patchJVB:
      {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsiPatchJVB.registry | quote }}
+    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.jitsiPatchJVB.registry | quote }}
    repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
    tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}

--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -4,14 +4,8 @@
 global:
  collaborationServerSecret:
    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
-    existingSecret:
-      name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
-      key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
  yProviderApiKey:
    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
-    existingSecret:
-      name: {{ .Values.externalSecrets.notes.collaborationSecret.name | quote }}
-      key: {{ .Values.externalSecrets.notes.collaborationSecret.key | quote }}
  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}

@@ -41,23 +35,14 @@ backend:
    ai:
      apiKey:
        value: {{ .Values.ai.apiKey }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.ai.apiKey.name | quote }}
-          key: {{ .Values.externalSecrets.ai.apiKey.key | quote }}
      baseUrl: {{ .Values.ai.endpoint }}
      model: {{ .Values.ai.model | quote }}
    aws:
      endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
      s3AccessKeyId:
        value: {{ .Values.objectstores.notes.username }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.name | quote }}
-          key: {{ .Values.externalSecrets.objectstores.notes.s3AccessKeyId.key | quote }}
      s3SecretAccessKey:
        value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.name | quote }}
-          key: {{ .Values.externalSecrets.objectstores.notes.s3SecretAccessKey.key | quote }}
      storageBucketName: {{ .Values.objectstores.notes.bucket }}
    collaboration:
      apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
@@ -67,15 +52,9 @@ backend:
      name: {{ .Values.databases.notes.name | quote }}
      password:
        value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.databases.notes.password.name | quote  }}
-          key: {{ .Values.externalSecrets.databases.notes.password.key | quote }}
      port: {{ .Values.databases.notes.port | quote }}
      user:
        value: {{ .Values.databases.notes.username | quote }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.databases.notes.user.name | quote }}
-          key: {{ .Values.externalSecrets.databases.notes.user.key | quote }}
    email:
      brandName: "openDesk"
      from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
@@ -84,23 +63,14 @@ backend:
      logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
      user:
        value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.name | quote }}
-          key: {{ .Values.externalSecrets.postfix.opendeskSystemUsername.key | quote }}
      password:
        value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.name | quote }}
-          key: {{ .Values.externalSecrets.postfix.opendeskSystemPassword.key | quote }}
    oidc:
      enabled: true
      rpClientId:
        value: "opendesk-notes"
      rpClientSecret:
        value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.keycloak.clientSecret.notes.name | quote }}
-          key: {{ .Values.externalSecrets.keycloak.clientSecret.notes.key | quote }}
      opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
      opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
@@ -117,26 +87,14 @@ backend:
    django:
      secretKey:
        value: {{ .Values.secrets.notes.djangoSecretKey }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.notes.django.secretKey.name | quote }}
-          key: {{ .Values.externalSecrets.notes.django.secretKey.key | quote }}
      createSuperuser: true
      superuserEmail:
        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.notes.django.superuserEmail.name | quote }}
-          key: {{ .Values.externalSecrets.notes.django.superuserEmail.key | quote }}
      superuserPassword:
        value: {{ .Values.secrets.notes.superuser }}
-        existingSecret:
-          name: {{ .Values.externalSecrets.notes.django.superuserPassword.name | quote }}
-          key: {{ .Values.externalSecrets.notes.django.superuserPassword.key | quote }}
    frontendTheme: "openDesk"
    redisUrl:
      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
-      existingSecret:
-        name: {{ .Values.externalSecrets.notes.redisUrl.name | quote }}
-        key: {{ .Values.externalSecrets.notes.redisUrl.key | quote }}
  extraEnvVars:
    - name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
      value: "False"
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -1128,13 +1128,6 @@ nubusProvisioning:

 nubusUdmListener:
  enabled: true
-  # Temporary local liveness probe, should be removed once available in the upstream Nubus Helm chart
-  livenessProbe:
-    exec:
-      command:
-        - sh
-        - -c
-        - 'grep -E "^[13]$" /var/lib/univention-directory-listener/handlers/ldap_listener'
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
--- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
@@ -8,7 +8,7 @@ image:
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

 imageInitCassandra:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
  repository: {{ .Values.images.cassandra.repository | quote }}
  tag: {{ .Values.images.cassandra.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -377,9 +377,6 @@ appsuite:
        open-xchange-admin-soap-usercopy: "disabled"
        open-xchange-admin-user-copy: "disabled"
        {{- end }}
-        {{- if .Values.functional.groupware.davSupport.enabled }}
-        open-xchange-authentication-application-storage-rdb: "enabled"
-        {{- end }}
    properties:
      com.openexchange.hostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
      com.openexchange.UIWebPath: "/appsuite/"
@@ -512,12 +509,6 @@ appsuite:
      com.openexchange.net.ssl.custom.truststore.path: "/etc/ssl/certs/truststore.jks"
      com.openexchange.net.ssl.custom.truststore.password: {{ .Values.secrets.certificates.password | quote }}
      {{- end }}
-      {{- if .Values.functional.groupware.davSupport.enabled }}
-      com.openexchange.authentication.application.appTypes: "caldav,carddav"
-      com.openexchange.authentication.application.enabled: "true"
-      com.openexchange.authentication.application.storage.rdb.loginNameSource: "mail"
-      com.openexchange.authentication.application.storage.rdb.contextLookupNamePart: "full"
-      {{- end }}
    {{- if .Values.certificate.selfSigned }}
    extraEnv:
    - name: "JAVA_OPTS_APPEND"
@@ -650,20 +641,6 @@ appsuite:
    initContainer:
      resources:
        {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 8 }}
-    {{- if .Values.functional.groupware.davSupport.enabled }}
-    yamlFiles:
-      app-password-apps.yml:
-        caldav:
-          displayName_t10e: "Calendar Client (CalDAV)"
-          restrictedScopes: [dav,read_caldav,write_caldav]
-          requiredCapabilities: [caldav]
-          sortOrder: 30
-        carddav:
-          displayName_t10e: "Addressbook Client (CardDAV)"
-          restrictedScopes: [dav,read_carddav,write_carddav]
-          requiredCapabilities: [carddav]
-          sortOrder: 40
-    {{- end }}

  core-ui:
    enabled: true
--- a/helmfile/apps/opendesk-services/values-opendesk-alerts.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-alerts.yaml.gotmpl
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 additionalAnnotations:
@@ -7,5 +7,44 @@ additionalLabels:
  {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 2 }}

 config:
-  {{ .Values.apps | toYaml | nindent 2 }}
+  collabora:
+    enable: {{ .Values.apps.collabora.enabled }}
+    selectors:
+      namespace: {{ .Values.apps.collabora.namespace | quote }}
+  matrix:
+    enable: {{ .Values.apps.element.enabled }}
+    selectors:
+      namespace: {{ .Values.apps.element.namespace | quote }}
+  diagrams:
+    enable: {{ .Values.apps.cryptpad.enabled }}
+    selectors:
+      namespace: {{ .Values.apps.cryptpad.namespace | quote }}
+  nextcloud:
+    enable: {{ .Values.apps.nextcloud.enabled }}
+    selectors:
+      namespace: {{ .Values.apps.nextcloud.namespace | quote }}
+  openXChange:
+    enable: {{ .Values.apps.oxAppSuite.enabled }}
+    selectors:
+      namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
+  xwiki:
+    enable: {{ .Values.apps.xwiki.enabled }}
+    selectors:
+      namespace: {{ .Values.apps.xwiki.namespace | quote }}
+  nubus:
+    enable: {{ .Values.apps.nubus.enabled }}
+    selectors:
+      namespace: {{ .Values.apps.nubus.namespace | quote }}
+  openProject:
+    enable: {{ .Values.apps.openproject.enabled }}
+    selectors:
+      namespace: {{ .Values.apps.openproject.namespace | quote }}
+  jitsi:
+    enable: {{ .Values.apps.jitsi.enabled }}
+    selectors:
+      namespace: {{ .Values.apps.jitsi.namespace | quote }}
+  collabora:
+    enable: {{ .Values.apps.collabora.enabled }}
+    selectors:
+      namespace: {{ .Values.apps.collabora.namespace | quote }}

--- a/helmfile/apps/opendesk-services/values-opendesk-dashboards.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-dashboards.yaml.gotmpl
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -8,5 +8,45 @@ additionalLabels:
  {{ .Values.monitoring.grafana.dashboards.labels | toYaml | nindent 2 }}

 config:
-  {{ .Values.apps | toYaml | nindent 2 }}
+  apps:
+    collabora:
+      enable: {{ .Values.apps.collabora.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
+    matrixElement:
+      enable: {{ .Values.apps.element.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.element.namespace | quote }}
+    diagrams:
+      enable: {{ .Values.apps.cryptpad.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.cryptpad.namespace | quote }}
+    nextcloud:
+      enable: {{ .Values.apps.nextcloud.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.nextcloud.namespace | quote }}
+    openxchange:
+      enable: {{ .Values.apps.oxAppSuite.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.oxAppSuite.namespace | quote }}
+    xwiki:
+      enable: {{ .Values.apps.xwiki.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.xwiki.namespace | quote }}
+    nubus:
+      enable: {{ .Values.apps.nubus.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.nubus.namespace | quote }}
+    openproject:
+      enable: {{ .Values.apps.openproject.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.openproject.namespace | quote }}
+    jitsi:
+      enable: {{ .Values.apps.jitsi.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.jitsi.namespace | quote }}
+    collabora:
+      enable: {{ .Values.apps.collabora.enabled }}
+      selectors:
+        namespace: {{ .Values.apps.collabora.namespace | quote }}
 ...
--- a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
@@ -26,7 +26,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandra.registry | quote }}
  repository: {{ .Values.images.cassandra.repository | quote }}
  tag: {{ .Values.images.cassandra.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -62,7 +62,7 @@ livenessProbe:
 metrics:
  enabled: false
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.cassandraExporter.registry | quote }}
+    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.cassandraExporter.registry | quote }}
    repository: {{ .Values.images.cassandraExporter.repository | quote }}
    tag: {{ .Values.images.cassandraExporter.tag | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/services-external/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-memcached.yaml.gotmpl
@@ -28,7 +28,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.memcached.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.memcached.registry | quote }}
  repository: {{ .Values.images.memcached.repository | quote }}
  tag: {{ .Values.images.memcached.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/services-external/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-minio.yaml.gotmpl
@@ -46,7 +46,7 @@ global:
    allowInsecureImages: true

 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.minio.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.minio.registry | quote }}
  repository: {{ .Values.images.minio.repository | quote }}
  tag: {{ .Values.images.minio.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -54,7 +54,7 @@ image:
 volumePermissions:
  enabled: true
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.minio.registry | quote }}
+    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.minio.registry | quote }}
    repository: {{ .Values.images.bitnamiOSShell.repository | quote }}
    tag: {{ .Values.images.bitnamiOSShell.tag | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/services-external/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-redis.yaml.gotmpl
@@ -16,7 +16,7 @@ global:
  storageClass: {{ coalesce .Values.persistence.storages.redis.storageClassName .Values.persistence.storageClassNames.RWO | quote }}

 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.redis.registry | quote }}
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.redis.registry | quote }}
  repository: {{ .Values.images.redis.repository | quote }}
  tag: {{ .Values.images.redis.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -5,8 +5,7 @@ images:
  collabora:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.3.4.1@sha256:929ce210bb1ff46275af64e94ce02ab0a0470572eba8251ad35b8b4296c3a171"
-
+    tag: "25.04.2.3.1@sha256:b6dbe27d7242488dfdb400219abbc6c97fb83df029975e1127f52abc8444475e"
  dovecot:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -56,7 +56,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
    name: "collabora-online"
-    version: "1.1.45"
+    version: "1.1.41"
    verify: true
  collaboraController:
    # Enterprise Component
@@ -84,6 +84,8 @@ charts:
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter/opendesk-dkimpy-milter"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter"
    name: "opendesk-dkimpy-milter"
@@ -117,7 +119,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "6.1.3"
+    version: "6.1.4"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -127,7 +129,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
    name: "opendesk-home"
-    version: "1.0.2"
+    version: "1.1.0"
    verify: true
  intercomService:
    # providerCategory: "Supplier"
@@ -299,7 +301,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-impress"
    name: "impress"
-    version: "1.0.1"
+    version: "1.0.0"
    verify: true
  nubus:
    # providerCategory: "Supplier"
@@ -321,7 +323,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-alerts"
    name: "opendesk-alerts"
-    version: "1.1.2"
+    version: "1.1.1"
    verify: true
  opendeskDashboards:
    # providerCategory: "Platform"
@@ -331,7 +333,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dashboards"
    name: "opendesk-dashboards"
-    version: "1.1.2"
+    version: "1.1.1"
    verify: true
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
@@ -351,7 +353,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-static-files"
    name: "opendesk-static-files"
-    version: "4.0.1"
+    version: "4.0.2"
    verify: true
  openproject:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/external_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -1,55 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
-# The variables set in this file are required to upgrade components to their "Enterprise" product variant.
---
-externalSecrets:
-  ai:
-    apiKey:
-      name: "a"
-      key: "aiapikey"
-  databases:
-    notes:
-      password:
-        name: "a"
-        key: "notesDatabasePassword"
-      user:
-        name: "a"
-        key: "notesDatabaseUser"
-  keycloak:
-    clientSecret:
-      notes:
-        name: "a"
-        key: "keycloaknotes"
-  notes:
-    collaborationSecret:
-      name: "a"
-      key: "notesCollaborationSecret"
-    django:
-      secretKey:
-        name: "a"
-        key: "notesDjangoSecretKey"
-      superuserEmail:
-        name: "a"
-        key: "notessuperuserEmail"
-      superuserPassword:
-        name: "a"
-        key: "notessuperuserPassword"
-    redisUrl:
-      name: "a"
-      key: "notesredisurl"
-  objectstores:
-    notes:
-      s3AccessKeyId:
-        name: "a"
-        key: "objectstoresNotesS3AccessKeyId"
-      s3SecretAccessKey:
-        name: "a"
-        key: "objectstoresNotesS3SecretAccessKey"
-  postfix:
-    opendeskSystemPassword:
-      name: "a"
-      key: "postfixopendeskSystemPassword"
-    opendeskSystemUsername:
-      name: "a"
-      key: "postfixopendeskSystemUsername"
-...
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -10,31 +10,25 @@ images:
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/os-shell"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)-debian-(\d+)-r(\d+)$'
-    # upstreamMirrorStartFrom: ["12", "12", "44"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/community/images-mirror/os-shell"
-    tag: "12-debian-12-r44@sha256:e0eab38c4e2e2ebfc9043bc9bc482109ec5cca3123154c1af8e040ea23c5ce98"
+    registry: "registry-1.docker.io"
+    repository: "bitnami/os-shell"
+    tag: "12-debian-12-r44@sha256:6388c7c27a09472906e2f2094410c9ffdadf23b4b242293ce023d0314ec10920"
  cassandra:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/cassandra"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
-    # upstreamMirrorStartFrom: ["5", "0", "4", "12", "4"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/community/images-mirror/cassandra"
-    tag: "5.0.4-debian-12-r4@sha256:93be59e318070e5c1d515c2b5840e9e07babfbac845b2c9bcc1cdf8efda6bb18"
+    registry: "registry-1.docker.io"
+    repository: "bitnami/cassandra"
+    tag: "5.0.4-debian-12-r4@sha256:9d909ebe10802dae2fb99ef7c8e9e0dbc496c8d30366e2f7abbe0713b945fa7d"
  cassandraExporter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/cassandra-exporter"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
-    # upstreamMirrorStartFrom: ["2", "3", "8", "12", "46"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/community/images-mirror/cassandra-exporter"
-    tag: "2.3.8-debian-12-r46@sha256:3b460a6287f24ef96626439825c9e3fa822784d802209f38c7541d8289eb51d8"
+    registry: "registry-1.docker.io"
+    repository: "bitnami/cassandra-exporter"
+    tag: "2.3.8-debian-12-r46@sha256:e44c65f08d85153041f68bcf180f948341d74018eef8b56e8869ed87fdfd34f0"
  clamd:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -50,7 +44,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "25.04.3.2.1@sha256:e2940b19d855bf6e557c445aaf5b2b7db978af9aeae7e6400bfcc99411dd8bb9"
+    tag: "25.04.2.2.1@sha256:03ec7f7740c5030eeb4f642c41fa0b9989d7a0dab81435a86b5c82479d0f78e2"
  collaboraController:
    # Enterprise Component
    # providerCategory: "Supplier"
@@ -216,10 +210,8 @@ images:
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/kubectl"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "32", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/community/images-mirror/kubectl"
+    registry: "registry-1.docker.io"
+    repository: "bitnami/kubectl"
    tag: "1.32.0@sha256:48c81b7aaf4fabf2733a0b888960f6982181fbcd2c3f8dfcebc4a1a065631162"
  jvb:
    # providerCategory: "Supplier"
@@ -294,11 +286,9 @@ images:
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/memcached"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "6", "38", "12", "3"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/community/images-mirror/memcached"
-    tag: "1.6.38-debian-12-r3@sha256:ea35c7d38b5e080a900991220323e31539b2877069d8aa4dc6814fe384e3c0da"
+    registry: "registry-1.docker.io"
+    repository: "bitnami/memcached"
+    tag: "1.6.38-debian-12-r3@sha256:3e548fba727578be9d996262471f5f3e07726d625702d26743a5e0f34684cb21"
  migrations:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -320,11 +310,9 @@ images:
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/minio"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
-    # upstreamMirrorStartFrom: ["2025", "4", "22", "12", "1"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/community/images-mirror/minio"
-    tag: "2025.4.22-debian-12-r1@sha256:b5c26fa4a2cc2abffe096a54d9e7fd3976d72e38bd2186338b1a06d66c63e651"
+    registry: "registry-1.docker.io"
+    repository: "bitnami/minio"
+    tag: "2025.4.22-debian-12-r1@sha256:d7cd0e172c4cc0870f4bdc3142018e2a37be9acf04d68f386600daad427e0cab"
  nextcloud:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -764,7 +752,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "16.2.1@sha256:4b0c0589ad21b727cf4a7c896f8f446607319ac3ff476855f7576b5eb1173cff"
+    tag: "16.2.0@sha256:e4d50068411a7d5afbaf245211df9b7d18f622fed4b6c3c634bc7f88a3149419"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -948,11 +936,9 @@ images:
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/redis"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)-debian-(\d+)-r(\d+)$'
-    # upstreamMirrorStartFrom: ["7", "4", "3", "12", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/community/images-mirror/redis"
-    tag: "7.4.3-debian-12-r0@sha256:fbdf361bbb6a17be28913fb9e4a1cfe3244331d2cbf449ecfe7a1fbbab02efc4"
+    registry: "registry-1.docker.io"
+    repository: "bitnami/redis"
+    tag: "7.4.3-debian-12-r0@sha256:a25b5d07a14ec13730022c7cd9bab6308d55ccd86b74af7315553c17be884889"
  synapse:
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
--- a/publiccode.yml
+++ b/publiccode.yml
@@ -22,8 +22,8 @@ name: "openDesk"
 platforms:
  - "web"
 developmentStatus: "stable"
-softwareVersion: "1.7.0"
-releaseDate: "2025-08-11"
+softwareVersion: "1.6.0"
+releaseDate: "2025-07-14"
 softwareType: "standalone/web"
 url: "https://gitlab.opencode.de/bmi/opendesk/"
 logo: ".opencode/openDesk-logo-rgb-color.svg"
Author	SHA1	Message	Date
Simon Herman	09c1a03764	fix(opendesk-static-files): Bump chart version to comply with ingress-nginx security defaults.	2025-08-06 15:56:31 +02:00
Simon Herman	f75c0d90f2	fix(element): Bump opendesk-well-known chart version, to comply with nginx security defaults	2025-08-06 15:56:31 +02:00
Simon Herman	9c50e18173	fix(opendesk-home): Bump chart version to comply with nginx security defaults.	2025-08-05 06:50:56 +00:00
Thomas Kaltenbrunner	a3b9e6067f	fix(open-xchange): Use dedicated pod for migration	2025-08-03 14:52:16 +00:00
Thomas Kaltenbrunner	355f6a1faf	feat(notes): Switch to new Helm chart with support for self-signed deployments; review `migrations.md` for required upgrade steps	2025-08-03 13:12:44 +00:00
Thorsten Roßner	7600e17304	chore(helmfile): Set `global.systemInformation.releaseVersion` to `v1.7.0`	2025-08-03 15:01:43 +02:00
Lilly Sell	883b0283f4	feat(nubus): Allow configuration of limits for password reset requests via `security.passwordResetLimits`	2025-08-03 15:00:18 +02:00
Norbert Tretkowski	1320ac3c6c	feat(nubus): Update from 1.11.2 to 1.12.0	2025-08-03 07:55:04 +00:00
Norbert Tretkowski	317e656a4f	fix(ox-connector): Update OX Connector and OX Extension to v0.27.2; review `migrations.md` for required upgrade steps	2025-08-02 16:40:15 +02:00
Viktor Pracht	fe19a02aa2	feat(open-xchange): Update from 8.38 to 8.39	2025-08-02 11:52:58 +00:00
Thomas Kaltenbrunner	ee2b082664	fix(open-xchange): Postfix to support submissions and external secrets	2025-08-02 07:20:17 +00:00
Philip Gaber	0ff7a9ba5e	fix(nextcloud): Block filesystem-unsafe characters in file and folder names	2025-08-02 09:03:58 +02:00
Thorsten Roßner	2e3bbc7f99	chore(mr-templates): Update merge request templates	2025-07-31 07:46:58 +02:00
Thorsten Roßner	1e22a455a2	docs(workflow.md): Update conventional commits section	2025-07-31 05:40:48 +00:00
Thorsten Roßner	5fc2395106	docs(README-EE.md): Remove the `#` before some number references to avoid GitLab thinking these are issue references	2025-07-31 05:40:48 +00:00
Simon Herman	db1c826abb	fix(helmfile): Adds default-enterprise-overrides to default values in helmfile-generic	2025-07-30 13:40:29 +02:00
Thorsten Roßner	67162e05f8	fix(opendesk-certificates): Update Helm chart to remove default host for `webmail` being set even if OX App Suite is not enabled	2025-07-25 14:40:32 +02:00
Thorsten Roßner	e1d816051d	fix(nextcloud): Include latest Helm chart version with supports `configuration.sharing.restrictUserEnumerationToGroup`	2025-07-24 14:58:55 +02:00
Thomas Kaltenbrunner	c982b483de	feat(open-xchange): Use internal endpoint for provisioning and support for optionally spinning up a dedicated internal Pod just for provisioning (see `technial.oxAppSuite.provisioning.dedicatedCoreMwPod` for details)	2025-07-24 08:54:33 +00:00
Philip Gaber	e3b6a28993	feat(nextcloud): Enhance theming options for Nextcloud	2025-07-23 15:43:29 +00:00
Oliver Günther	3f70629ad9	feat(openproject): Update from 16.1.1 to 16.2.0	2025-07-23 12:41:20 +02:00
René Fischer	420cd1640f	docs(releases.md): Add release and patch management process	2025-07-21 08:47:08 +00:00
René Fischer	2be44ac055	docs(README-EE.md): Add EE features	2025-07-21 09:15:09 +02:00
René Fischer	62c72aa8f6	docs(README-EE.md): Add CE licenses	2025-07-21 09:15:09 +02:00
René Fischer	cdfca526ed	docs(README-EE.md): Add overview of CE vs. EE	2025-07-21 09:15:09 +02:00
Thorsten Roßner	af94d28b6a	ci(dbcleanup): Fix RUN cluster cleanup	2025-07-20 19:36:59 +02:00
Philip Gaber	50315d78ee	ci(service-cleanup): Update for new `opendesk-env` structure and set STACKIT as default	2025-07-20 10:24:25 +00:00
Silvio Knizek	9faa326350	docs(migrations.md): Broken markdown table	2025-07-18 15:26:24 +02:00
Thomas Kaltenbrunner	c1c6b40b76	fix(open-xchange): Disable documents role	2025-07-15 04:41:50 +00:00