fix(ci): Add renovate

.gitlab-ci.yml

@@ -26,6 +26,7 @@ stages:
   - ".pre"
   - "scan"
   - "automr"
+  - "renovate"
   - "lint"
   - "env-cleanup"
   - "env"
@@ -34,7 +35,6 @@ stages:
   - "component-deploy-stage-2"
   - "tests"
   - "env-stop"
-  - "generate-release-assets"
   - ".post"
 
 variables:
@@ -132,6 +132,12 @@ variables:
     options:
       - "yes"
       - "no"
+  RUN_RENOVATE:
+    description: "Triggers the Renovate based check for dependency updates."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   RUN_TESTS:
     description: "Triggers execution of E2E-tests."
     value: "yes"
@@ -508,34 +514,6 @@ avscan-start:
         job: "avscan-prepare"
     strategy: "depend"
 
-generate-release-assets:
-  stage: "generate-release-assets"
-  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
-  rules:
-    - if: >
-        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
-      when: "on_success"
-    - when: "never"
-  script:
-    - |
-      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
-      cd opendesk-asset-generator
-      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
-      ./opendesk_asset_generator.py
-      mv ./build_artefacts ${CI_PROJECT_DIR}
-      cd ..
-      rm -rf opendesk-asset-generator
-      ls -l ./build_artefacts
-  artifacts:
-    paths:
-      - "./build_artefacts/chart-index.json"
-      - "./build_artefacts/image-index.json"
-  tags: []
-  variables:
-    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
-
 # Declare .environments which is in environments repository. In case it is not available
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
@@ -565,6 +543,19 @@ reuse-linter:
       when: "never"
     - when: "always"
 
+renovate:
+  rules:
+    - if: $RUN_RENOVATE == "yes"
+      when: "on_success"
+  image: "ghcr.io/renovatebot/renovate:37.59.7@sha256:a0dd48947ca03d9088ff7bfdcf689a5cc3c1eb9522d5ff87d14636b5ad60a3dc"
+  variables:
+    RENOVATE_CONFIG_FILE: "${CI_PROJECT_DIR}/.renovate/config.yaml"
+    RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
+    RENOVATE_LOG_FILE_LEVEL: "debug"
+  script:
+    - "renovate ${RENOVATE_EXTRA_FLAGS}"
+  stage: "renovate"
+
 generate-release-version:
   rules:
     - if: >
@@ -574,8 +565,6 @@ generate-release-version:
       when: "on_success"
 
 release:
-  dependencies:
-    - "generate-release-assets"
   rules:
     - if: >
         $JOB_AVSCAN_ENABLED != 'false' &&
@@ -609,16 +598,7 @@ release:
       {
         "branches": ["main"],
         "plugins": [
-          ["@semantic-release/gitlab",
+          "@semantic-release/gitlab",
-            {
-              "assets": [
-                { "path": "./build_artefacts/chart-index.json",
-                  "label": "Chart Index JSON" },
-                { "path": "./build_artefacts/image-index.json",
-                  "label": "Image Index JSON" },
-              ]
-            }
-          ],
           "@semantic-release/release-notes-generator",
           "@semantic-release/changelog",
           ["@semantic-release/git", {
@@ -637,6 +617,5 @@ release:
       EOF
     - "semantic-release"
   needs:
-    - "generate-release-assets"
     - "generate-docs"
 ...

.renovate/config.yaml

@@ -0,0 +1,81 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+# Platform type of repository
+platform: "gitlab"
+
+# Enable oboarding merge request
+onboarding: false
+
+# If set to true: keep repository data between runs instead of deleting the data
+persistRepoData: true
+
+# Controls Renovate's behavior regarding repository config files such as renovate.json
+requireConfig: "ignored"
+
+# List of Repositories
+# See: https://docs.renovatebot.com/configuration-options/
+repositories:
+  - repository: ""
+    # Prefix to use for all branch names created by renovate bot (default: "renovate/")
+    branchPrefix: "renovate/"
+    # Lowercase merge request and commit titles ("never" = leave titles untouched )
+    commitMessageLowerCase: "never"
+    # Commit scope to use if Semantic Commits are enabled (fix(<scope>)...)
+    semanticCommitScope: "ci"
+    # Commit type to use if Semantic Commits are enabled (default: "chore")
+    semanticCommitType: "chore"
+    # Include package files only within these defined paths
+    includePaths:
+      - "helmfile/environments/default/images.yaml"
+      - "helmfile/environments/default/charts.yaml"
+    customManagers:
+      - customType: "regex"
+        fileMatch:
+          - "helmfile/environments/default/images.yaml"
+        datasourceTemplate: "docker"
+        matchStrings:
+          - >
+            # yamllint disable rule:line-length
+            providerCategory: ["|']?(?<providerCategory>.+?)["|']?\n(?:.|\n|\r)+ registry: ["|']?(?<registryUrl>.+?)["|']?\n(?:.|\n|\r)+ repository: ["|']?(?<depName>.+?)["|']?\n(?:.|\n|\r)+ tag: ["|']?(?<currentValue>[^@]+)@(?<currentDigest>sha256:[a-f0-9]+)["|']
+      - customType: "regex"
+        fileMatch:
+          - "helmfile/environments/default/charts.yaml"
+        matchStrings:
+          - >
+            # yamllint disable rule:quoted-strings
+            providerCategory: ["|']?(?<providerCategory>.+?)["|']?\n(?:.|\n|\r)+ registry: ["|']?(?<registryUrl>.+?)["|']?\n(?:.|\n|\r)+ repository: ["|']?(?<depName>.+?)["|']?\n(?:.|\n|\r)+ name: ["|']?(?<FIGURE_THAT_OUT>.+?)["|']?\n(?:.|\n|\r)+ version: ["|']?(?<currentValue>.+?)["|']?
+    # Rules for matching packages
+    packageRules:
+      - matchDatasources: "docker"
+        matchDepTypes:
+          - "external"
+        groupName: "external-dependencies"
+      - matchDatasources: "docker"
+        matchDepTypes:
+          - "supplier"
+        groupName: "supplier-dependencies"
+      - matchDatasources: "docker"
+        matchDepTypes:
+          - "platform"
+        groupName: "platform-dependencies"
+      - matchDatasources: "helm"
+        matchDepTypes:
+          - "external"
+        groupName: "external-dependencies"
+      - matchDatasources: "helm"
+        matchDepTypes:
+          - "supplier"
+        groupName: "supplier-dependencies"
+      - matchDatasources: "helm"
+        matchDepTypes:
+          - "platform"
+        groupName: "platform-dependencies"
+    # Add merge request labels
+    labels:
+      - "renovate"
+      - "dependencies"
+    # Enable custom regex manager only
+    enabledManagers:
+      - "custom.regex"
+...

README.md

@@ -11,6 +11,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Requirements](#requirements)
 * [Getting started](#getting-started)
 * [Advanced customization](#advanced-customization)
+* [Development](#development)
 * [Releases](#releases)
 * [Components](#components)
 * [Feedback](#feedback)
@@ -27,14 +28,14 @@ Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
 openDesk currently features the following functional main components:
 
 | Function             | Functional Component        | Component<br/>Version                                                                                          | Upstream Documentation                                                                                                                       |
-| -------------------- | --------------------------- | --------------------- | ----------------- |
+| -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
 | Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
+| Project management   | OpenProject                 | [13.3.1](https://www.openproject.org/docs/release-notes/13-3-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
 | Weboffice            | Collabora                   | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
@@ -76,6 +77,10 @@ Of course, further development also includes enhancing the documentation itself.
 - [Monitoring](./docs/monitoring.md)
 - [Theming](./docs/theming.md)
 
+# Development
+
+⟶ To understand the repository contents from a developer perspective please read the [Development](./docs/development.md) guide.
+
 # Releases
 
 All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
@@ -84,9 +89,10 @@ Gitlab provides an
 [overview on the releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 of this project.
 
-The following release artefacts are provided beside the default source code assets:
+Please find a list of the artefacts related to the release either in the source code archive attached to the release or
-- `chart-index.json`: An overview of all Helm charts used by the release.
+in the files from the release's git-tag:
-- `image-index.json`: An overview of all container images used by the release.
+- `./helmfile/environments/default/images.yaml`
+- `./helmfile/environments/default/charts.yaml`
 
 ⟶ Visit our detailed [Workflow](./docs/workflow.md) docs.
 
@@ -102,7 +108,7 @@ Related to the deployment / contents of this repository,
 please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
 
 If you want to address other topics, please check the section
-["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
+["Rückmeldungen und Beteiligung" in the OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung) of the [openDesk Info Repository](https://gitlab.opencode.de/bmi/opendesk/info).
 
 # License
 

docs/components.md

@@ -73,7 +73,7 @@ flowchart TD
 
 ## Intercom Service (ICS)
 
-The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
+The Univention Intercom Service's role is to enable cross-application integration based on browser interaction.
 Handling authentication when the frontend of an application is using the API from another application is often a
 challenge.
 For more details on the ICS please refer to its own [doc](./components/intercom-service.md).

docs/development.md

@@ -0,0 +1,141 @@
+<!--
+SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Developing openDesk deployment automation</h1>
+
+Active development on the deployment is currently only available for project members.
+But contributions will be possible soon once the CLA process is sorted out.
+
+* [Overview](#overview)
+* [Default branch, `develop` and other branches](#default-branch-develop-and-other-branches)
+* [External artefacts - `charts.yaml` and `images.yaml`](#external-artefacts---chartsyaml-and-imagesyaml)
+  * [Linting](#linting)
+  * [Renovate](#renovate)
+  * [Mirroring](#mirroring)
+    * [Get new artefacts mirrored](#get-new-artefacts-mirrored)
+* [Creating new charts / images](#creating-new-charts--images)
+
+# Overview
+
+The following sketch provides an high level overview to get a basic understanding of the deployment relevant
+structure of this repository. An understanding of that structure is vital if you want to contribute to
+the development of the deployment automation of openDesk.
+
+```mermaid
+flowchart TD
+    A[./helmfile.yaml]-->B[./helmfile/apps/*all_configured_apps*/helmfile.yaml\nReferences the relevant app Helm\ncharts using details from 'charts.yaml']
+    B-->C[./values-*all_configured_components*.yaml.gotmpl\nValues to template the charts\nwith references to the `images.yaml`]
+    A-->D[./helmfile/environments/default/*\nwith just some examples below]
+    D-->F[charts.yaml]
+    D-->G[images.yaml]
+    D-->H[global.*]
+    D-->I[secrets.yaml\nreplicas.yaml\nresources.yaml\n...]
+    A-->|overwrite defaults with\nyour environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
+```
+
+The `helmfile.yaml` in the root folder is the basis for the whole deployment. It references the app specific `helmfile.yaml` files as well as some
+global values files in `./environments/default`. It allows you to overwrite defaults by using one of the three predefined environments `dev`, `test`
+and `prod`.
+
+Before you look into any app specifc configuration it is recommended to review the contents of `./environments/default` to get an understanding of what
+details are maintained in there, as they are usually referenced by the app configurations.
+
+# Default branch, `develop` and other branches
+
+The `main` branch is configured to be the default branch, as visitors of the project on Open CoDE should see that
+branch by default.
+
+Please use the `develop` branch to diverge your own branch(es) from. See the [workflow guide](./workflow.md)
+for more details on naming conventions.
+
+There is a CI bot that automatically creates a merge request once you initially pushed your branch to Open CoDE.
+The merge request will of course target the `develop` branch, be in status `draft` and have you as assignee.
+
+In case you do not plan to actually merge from the branch you have pushed, please close or delete the autocreated MR.
+
+# External artefacts - `charts.yaml` and `images.yaml`
+
+The `charts.yaml` and `images.yaml` are the central place to reference external artefacts that are used for the deployment.
+
+Beside the deployment automation itself some tools work with the contents of the files:
+
+- **Linting**: Ensures consistency of the file contents for the other tools.
+- **Renovate**: Automatically create MRs that update the components to their latest version.
+- **Mirror**: Mirror artefacts to Open CoDE.
+
+Please find details on these tools below.
+
+## Linting
+
+In the project's CI there is a step dedicated to lint the two yaml files, as we want them to be in
+- alphabetical order regarding the components and
+- in a logical order regarding the non-commented lines (registry > repository > tag).
+
+In the linting step the [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli) is used to apply the
+just mentioned sorting and the result is compared with the unsorted version. If there is a delta the linting fails and you probably
+want to fix it by running the CLI tool locally.
+
+**Note**: Please ensure that in component blocks you use comments only at the beginning of the block or at its end. Ideally you just stick
+with the many available examples in the yaml files.
+
+Example:
+```
+  synapse:
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Element'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'matrixdotorg/synapse'
+    # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['1', '91', '2']
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
+    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
+```
+
+## Renovate
+
+- See also: https://gitlab.opencode.de/bmi/opendesk/tooling/renovate-opencode
+
+Uses a regular expression to match the values of the attributes
+- `# upstreamRegistry`
+- `# upstreamRepository`
+- `tag`
+check for newer versions of the given artefact and create a MR containing the newest version's tag (and digest).
+
+## Mirroring
+
+- See also: https://gitlab.opencode.de/bmi/opendesk/tooling/oci-pull-mirror
+
+**Note:** The mirror is scheduled to run every hour at 42 minutes past the hour.
+
+openDesk strives to make all relevant artefacts available on Open CoDE so there is the mirroring process
+configured to pull artefacts that do not originate from Open CoDE into projects called `*-Mirror` within the
+[openDesk Components section](https://gitlab.opencode.de/bmi/opendesk/components).
+
+The mirror script takes the information on what artefacts to mirror from the annotation inside the two yaml files:
+- `# upstreamRegistry` *required*: To identify the source registry
+- `# upstreamRepository` *required*: To identify the source repository
+- `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression.
+- `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artefacts beginning with a specific version. You must use capturing groups
+  in `# upstreamMirrorTagFilterRegEx` to identify the single numeric elements of the version within the tag and use per capturing group (left to right) one numeric array
+  element here to define the version the mirror should start with.
+
+### Get new artefacts mirrored
+
+If you want new images or charts to be mirrored that are not yet included in one of the yaml files there are two options:
+
+You include them in your branch with all required annotations and either
+1. ask somebody from the platform development team to trigger the mirror's CI based on your branch or
+2. you get your branch merged to `develop` already.
+
+# Creating new charts / images
+
+When you create new Helm charts please check out the
+[openDesk Best Practises](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-best-practises)
+for Helm charts.
+
+You may also want to make use of our [standard CI](https://gitlab.opencode.de/bmi/opendesk/tooling/gitlab-config) to
+easily get Charts and Images that are signed, linted, scanned and released.
+Check out the `.gitlab-ci.yaml` files in the project's [Charts](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts) or [Images](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images) to get an idea how little you need to do yourself.

docs/requirements.md

@@ -82,7 +82,6 @@ openDesk certificate management disabled.
 
 Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
 
-
 | Group    | Type                | Version | Tested against        |
 |----------|---------------------|---------|-----------------------|
 | Cache    | Memached            | `1.6.x` | Memached              |

helmfile/apps/collabora/values.yaml.gotmpl

@@ -19,9 +19,9 @@ grafana:
   dashboards:
     enabled: {{ .Values.grafana.dashboards.enabled }}
     labels:
-      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
+      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
     annotations:
-      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
+      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
 
 image:
   repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -90,11 +90,11 @@ prometheus:
   servicemonitor:
     enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
     labels:
-      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
   rules:
     enabled: {{ .Values.prometheus.prometheusRules.enabled }}
     additionalLabels:
-      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
+      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
 
 replicaCount: {{ .Values.replicas.collabora }}
 
@@ -126,7 +126,7 @@ securityContext:
       - "NET_RAW"
       - "SYS_CHROOT"
       - "MKNOD"
-  seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}
 serviceAccount:
   create: true
 ...

helmfile/apps/cryptpad/values.yaml.gotmpl

@@ -70,7 +70,7 @@ securityContext:
   runAsNonRoot: true
   runAsUser: 4001
   runAsGroup: 4001
-  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad | toYaml | nindent 4 }}
 
 serviceAccount:
   create: true

helmfile/apps/element/values-element.yaml.gotmpl

@@ -107,7 +107,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.element }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.element | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl

@@ -14,7 +14,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl

@@ -14,7 +14,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl

@@ -35,6 +35,6 @@ securityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 
 ...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -35,7 +35,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
 
 extraEnvVars:
   - name: "ACCESS_TOKEN"

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -18,7 +18,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -35,5 +35,5 @@ securityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 ...

helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl

@@ -14,7 +14,7 @@ containerSecurityContext:
   runAsUser: 0
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
 
 extraEnvVars:
   - name: "UVS_ACCESS_TOKEN"

helmfile/apps/element/values-synapse-web.yaml.gotmpl

@@ -14,7 +14,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -79,7 +79,7 @@ containerSecurityContext:
   runAsGroup: 10991
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-well-known.yaml.gotmpl

@@ -18,7 +18,7 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/intercom-service/values.yaml.gotmpl

@@ -14,7 +14,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -23,7 +23,7 @@ containerSecurityContext:
   runAsUser: 1993
   runAsGroup: 1993
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -75,7 +75,7 @@ jitsi:
       runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
   prosody:
     image:
       repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -123,7 +123,7 @@ jitsi:
       runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
   jicofo:
     replicaCount: {{ .Values.replicas.jicofo }}
     image:
@@ -145,7 +145,7 @@ jitsi:
       runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     image:
@@ -168,7 +168,7 @@ jitsi:
       runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
   jibri:
     replicaCount: {{ .Values.replicas.jibri }}
     image:
@@ -206,7 +206,7 @@ patchJVB:
     runAsNonRoot: true
     seccompProfile:
       type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
   image:
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -95,7 +95,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: false
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
 
 debug:
   loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -25,7 +25,7 @@ exporter:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
     repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -35,11 +35,11 @@ exporter:
     serviceMonitor:
       enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
       labels:
-        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
+        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
     prometheusRule:
       enabled: {{ .Values.prometheus.prometheusRules.enabled }}
       additionalLabels:
-        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
+        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
   replicaCount: {{ .Values.replicas.nextcloudExporter }}
   resources:
     {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -78,7 +78,7 @@ php:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP | toYaml | nindent 6 }}
   cron:
     successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
   debug:
@@ -92,11 +92,11 @@ php:
     serviceMonitor:
       enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
       labels:
-        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
+        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
     prometheusRule:
       enabled: {{ .Values.prometheus.prometheusRules.enabled }}
       additionalLabels:
-        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
+        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
   replicaCount: {{ .Values.replicas.nextcloudPHP }}
   resources:
     {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
@@ -118,7 +118,7 @@ apache2:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 | toYaml | nindent 6 }}
   ingress:
     enabled: {{ .Values.ingress.enabled }}
     ingressClassName: {{ .Values.ingress.ingressClassName | quote }}

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -66,7 +66,7 @@ containerSecurityContext:
   readOnlyRootFilesystem: true
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
 
 podSecurityContext:
   enabled: true

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -40,7 +40,7 @@ nextcloud-integration-ui:
     privileged: false
     seccompProfile:
       type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI | toYaml | nindent 6 }}
 
 public-sector-ui:
   image:
@@ -67,7 +67,7 @@ public-sector-ui:
     privileged: false
     seccompProfile:
       type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI | toYaml | nindent 6 }}
 
 appsuite:
   appsuite-toolkit:
@@ -131,7 +131,7 @@ appsuite:
         privileged: false
         seccompProfile:
           type: "RuntimeDefault"
-        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
+        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
     hooks:
       beforeAppsuiteStart:
         create-guard-dir.sh: |
@@ -356,7 +356,7 @@ appsuite:
       privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI | toYaml | nindent 8 }}
 
   core-ui-middleware:
     enabled: true
@@ -398,7 +398,7 @@ appsuite:
       privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware | toYaml | nindent 8 }}
   core-cacheservice:
     enabled: false
 
@@ -428,7 +428,7 @@ appsuite:
           - "ALL"
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter | toYaml | nindent 8 }}
 
   core-documents-collaboration:
     enabled: false
@@ -470,7 +470,7 @@ appsuite:
       privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours | toYaml | nindent 8 }}
 
   core-imageconverter:
     enabled: true
@@ -500,7 +500,7 @@ appsuite:
           - "ALL"
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter | toYaml | nindent 8 }}
 
   guard-ui:
     enabled: true
@@ -526,7 +526,7 @@ appsuite:
       privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
   core-spellcheck:
     enabled: false
 
@@ -555,5 +555,5 @@ appsuite:
       privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
+      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide | toYaml | nindent 8 }}
 ...

helmfile/apps/openproject-bootstrap/values.yaml.gotmpl

@@ -38,7 +38,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}

helmfile/apps/openproject/values.yaml.gotmpl

@@ -20,7 +20,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
 
 environment:
 # For more details and more options see

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -85,7 +85,7 @@ securityContext:
   runAsGroup: 0
   runAsNonRoot: false
   readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
 
 serviceAccount:
   create: true

helmfile/apps/services/values-clamav-distributed.yaml.gotmpl

@@ -15,7 +15,7 @@ clamd:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.clamd }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.clamd | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
     repository: {{ .Values.images.clamd.repository | quote }}
@@ -41,7 +41,7 @@ containerSecurityContext:
   capabilities:
     drop: []
   privileged: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.clamav | toYaml | nindent 4 }}
 
 freshclam:
   containerSecurityContext:
@@ -57,7 +57,7 @@ freshclam:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.freshclam | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
     repository: {{ .Values.images.freshclam.repository | quote }}
@@ -89,7 +89,7 @@ icap:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.icap }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.icap | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
     repository: {{ .Values.images.icap.repository | quote }}
@@ -117,7 +117,7 @@ milter:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.milter }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.milter | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
     repository: {{ .Values.images.milter.repository | quote }}

helmfile/apps/services/values-clamav-simple.yaml.gotmpl

@@ -14,7 +14,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple | toYaml | nindent 4 }}
 
 global:
   imagePullSecrets:

helmfile/apps/services/values-mariadb.yaml.gotmpl

@@ -17,7 +17,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.mariadb | toYaml | nindent 4 }}
 
 global:
   imagePullSecrets:

helmfile/apps/services/values-memcached.yaml.gotmpl

@@ -16,7 +16,7 @@ containerSecurityContext:
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.memcached }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.memcached | toYaml | nindent 4 }}
 
 global:
   imagePullSecrets:

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -29,7 +29,7 @@ containerSecurityContext:
   readOnlyRootFilesystem: false
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.minio }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.minio | toYaml | nindent 4 }}
 
 defaultBuckets: "openproject,openxchange,ums,nextcloud"
 
@@ -68,7 +68,7 @@ metrics:
   serviceMonitor:
     enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
     additionalLabels:
-      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
 
 networkPolicy:
   enabled: false

helmfile/apps/services/values-otterize.yaml.gotmpl

@@ -20,8 +20,6 @@ apps:
     enabled: {{ .Values.intercom.enabled }}
   jitsi:
     enabled: {{ .Values.jitsi.enabled }}
-  keycloak:
-    enabled: {{ .Values.keycloak.enabled }}
   mariadb:
     enabled: {{ .Values.mariadb.enabled }}
   memcached:

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -17,7 +17,7 @@ containerSecurityContext:
   runAsUser: 0
   runAsGroup: 0
   privileged: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.postfix }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}
 
 global:
   imagePullSecrets:

helmfile/apps/services/values-postgresql.yaml.gotmpl

@@ -14,7 +14,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.postgresql }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}
 
 job:
 

helmfile/apps/services/values-redis.yaml.gotmpl

@@ -30,7 +30,7 @@ master:
     capabilities:
       drop:
         - "ALL"
-    seLinuxOptions: {{ .Values.seLinuxOptions.redis }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.redis | toYaml | nindent 6 }}
   count: {{ .Values.replicas.redis }}
   persistence:
     size: {{ .Values.persistence.size.redis | quote }}

helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl

@@ -55,6 +55,6 @@ securityContext:
   runAsGroup: 1000
   runAsNonRoot: true
   readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 4 }}
 
 ...

helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl

@@ -73,6 +73,6 @@ securityContext:
   runAsGroup: 1000
   runAsNonRoot: true
   readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 4 }}
 
 ...

helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl

@@ -46,6 +46,6 @@ securityContext:
   runAsGroup: 0
   runAsNonRoot: false
   readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 4 }}
 
 ...

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl

@@ -27,7 +27,7 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 4 }}
 
 volumes:
   claims:

helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl

@@ -76,7 +76,7 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer | toYaml | nindent 4 }}
 
 service:
   type: "ClusterIP"

helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl

@@ -44,6 +44,6 @@ securityContext:
   runAsUser: 1000
   runAsGroup: 1000
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }}
 
 ...

helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl

@@ -46,6 +46,6 @@ securityContext:
   runAsUser: 1000
   runAsGroup: 1000
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent | toYaml | nindent 4 }}
 
 ...

helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -597,7 +597,7 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
 
 podAnnotations:
   intents.otterize.com/service-name: "ums-keycloak-bootstrap"

helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl

@@ -112,5 +112,5 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 4 }}
 ...

helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl

@@ -79,6 +79,6 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 4 }}
 
 ...

helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl

@@ -56,6 +56,6 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 4 }}
 
 ...

helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl

@@ -73,6 +73,6 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener | toYaml | nindent 4 }}
 
 ...

helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl

@@ -29,7 +29,7 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
 
 stackDataContext:
   ldapBase: "dc=swp-ldap,dc=internal"

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl

@@ -29,7 +29,7 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
 
 stackDataContext:
   idpSamlMetadataUrlInternal: null

helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl

@@ -53,7 +53,7 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav | toYaml | nindent 4 }}
 
 storeDav:
   auth:

helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl

@@ -53,7 +53,7 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 4 }}
 
 udmRestApi:
   # TODO: Stub value currently

helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl

@@ -58,6 +58,6 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 4 }}
 
 ...

helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl

@@ -94,7 +94,7 @@ securityContext:
   runAsUser: 0
   runAsGroup: 0
   runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 4 }}
 
 umcServer:
   certPemFile: "/var/secrets/ssl/tls.crt"

helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl

@@ -66,7 +66,7 @@ containerSecurityContext:
   runAsUser: 1000
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 4 }}
 
 podAnnotations:
   intents.otterize.com/service-name: "ums-keycloak-bootstrap"

helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl

@@ -48,7 +48,7 @@ handler:
     runAsUser: 1000
     runAsGroup: 1000
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
   resources:
     {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
 postgresql:
@@ -103,7 +103,7 @@ proxy:
     runAsUser: 1000
     runAsGroup: 1000
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
+    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
   resources:
     {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
 ...

helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl

@@ -44,7 +44,7 @@ containerSecurityContext:
   runAsUser: 1000
   runAsGroup: 1000
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 4 }}
 
 podSecurityContext:
   fsGroup: 1000

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl

@@ -45,7 +45,7 @@ containerSecurityContext:
       - "ALL"
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway | toYaml | nindent 4 }}
 
 service:
   type: "ClusterIP"

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -36,7 +36,7 @@ containerSecurityContext:
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.xwiki }}
+  seLinuxOptions: {{ .Values.seLinuxOptions.xwiki | toYaml | nindent 4 }}
 
 customConfigs:
   xwiki.cfg:

helmfile/environments/default/workplace.yaml

@@ -19,8 +19,6 @@ intercom:
   enabled: true
 jitsi:
   enabled: true
-keycloak:
-  enabled: true
 mariadb:
   enabled: true
 memcached: