ci(diff-on-branch): Merge doublette variables block

fix(notes): Support templating of Ingress annotations bodyTimeout and bodySize to allow application defined upload limits to be reached
feat(notes): Update from 2.4.0 to 3.2.1
2025-12-08 16:28:36 +01:00 · 2025-06-12 06:53:53 +00:00 · 2025-06-12 06:49:28 +00:00 · 2025-06-12 06:49:28 +00:00 · 2025-06-11 15:14:43 +02:00 · 2025-06-11 11:10:34 +00:00
31 changed files with 2579 additions and 300 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,7 @@
 ---
 include:
  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.4.9"
+    ref: "v2.4.10"
    file:
      - "ci/common/lint.yml"
      - "ci/release-automation/semantic-release.yml"
@@ -182,6 +182,9 @@ variables:
    options:
      - "yes"
      - "no"
  DIFF_ON_BRANCH:
    description: "Provide a branch to run `helmfile diff` for the specified branch."
    value: ""
  RUN_TESTS:
    description: "Triggers execution of E2E-tests."
    value: "no"
@@ -220,6 +223,9 @@ variables:
  TESTS_PROJECT_URL:
    description: "Project url for e2e-tests (`<domain of gitlab>/api/v4/projects/<id>`)"
    value: "gitlab.opencode.de/api/v4/projects/1506"
  HELM_IMAGE_PIN:
    description: "The Helm image tag/checksum."
    value: "1.3.3@sha256:3e195942e6988b8b93c62349700c0ed8428e3a8fbe2655bd7f5378dc88bc8ccb"
 # Declare .environments which is in `opendesk-env` repository. In case it is not available
 # 'cache' is used because job as a dummy key, as the job is not allowed to be empty.
@@ -232,8 +238,7 @@ variables:
  extends: ".environments"
  environment:
    name: "${NAMESPACE}"
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.3.2\
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:${HELM_IMAGE_PIN}"
          @sha256:87358b39af7403c9a536d1b71fd87ee84394310497dc0fbc90f78b75a3057712"
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
    # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -671,6 +676,34 @@ fetch-administrator-credentials:
    reports:
      dotenv: ".env"
 diff-on-branch:
  stage: "post-execute"
  cache: {}
  dependencies: []
  extends: ".environments"
  environment:
    name: "${NAMESPACE}"
  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:${HELM_IMAGE_PIN}"
  rules:
    - if: "$DIFF_ON_BRANCH"
  script:
    - |
      echo "Downloading branch ${DIFF_ON_BRANCH}"
      SAFE_BRANCH_NAME=$(echo "$DIFF_ON_BRANCH" | tr '/' '-')
      BASE_URL="https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/archive"
      FILE_NAME="opendesk-${SAFE_BRANCH_NAME}.tar.gz"
      curl -L "${BASE_URL}/${DIFF_ON_BRANCH}/${FILE_NAME}" -o branch.tar.gz
      mkdir ${DIFF_ON_BRANCH_SUBDIRECTORY} && tar -xzf branch.tar.gz -C ${DIFF_ON_BRANCH_SUBDIRECTORY} --strip-components=1
      cd ${DIFF_ON_BRANCH_SUBDIRECTORY}
      helmfile --namespace ${NAMESPACE} diff | grep -v '^ ' || true
  tags:
    - "docker"
    - "kubernetes"
    - "${CLUSTER}"
  variables:
    HELMFILE_ENVIRONMENT: "dev"
    DIFF_ON_BRANCH_SUBDIRECTORY: "diff-on-branch"
 import-default-accounts:
  stage: "post-execute"
  extends: ".environments"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,41 @@
 ## [1.4.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.4.0...v1.4.1) (2025-06-02)
 ### Bug Fixes
 * **nextcloud:** Update NC CE to 30.0.10 ([785be8b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/785be8b6621305e79acca62250720028b9ca7a30))
 * **nextcloud:** Update Nextcloud incl. apps to 30.0.10 ([559fbf6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/559fbf6801fc785f26f9e6287e0730f86b459a01))
 * **nubus:** Use `.Values.theme.texts.productName` for Keycloak's `loginTitle` instead of static product name string ([d1a1e5d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d1a1e5dc29ca21fd822abd127406f6859603b9c7))
 * **open-xchange:** Re-adding `com.openexchange.oauth.provider.*` to fix central contacts feature ([561e44f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/561e44fd4cc42089954868da60edbd210b9a2608))
 * **open-xchange:** Set `com.openexchange.hostname` to get working links in outgoing system mails (e.g. task assignments) ([0d61687](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0d616871e3f5114ec429714658500c09af842fe6))
 * **postfix:** Require TLSv1.3 ([3b3d8ac](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3b3d8aca54bdaea055289c993e3f158d93864223))
 * **requirements.md:** Helm 3.18.x is not supported due to upstream bug ([1ea9cae](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1ea9cae1ce46f864dc03d94c1a72956c5f5ba9a9))
 # [1.4.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.3.2...v1.4.0) (2025-05-20)
 ### Bug Fixes
 * **docs:** Update requirements, bump helmfile to v1.0.0 ([88b29c5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/88b29c57e8197f072b9c80019255ee0b7d1188e1))
 * **dovecot:** Encode object storage password and add more template values ([c40de73](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c40de73ccf02bf77df0c3a17c2fccf2e113c4b35))
 * **nubus:** [[#182](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/182)] Add `KC_TRUSTSTORE_PATHS` to Keycloak when using self-signed certificates ([006aed7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/006aed791e5cf58850712e468a15c8abe1ee0973))
 * **nubus:** [[#183](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/183)] Do not override `nubusPortalConsumer.waitForDependency.image` when using self-signed certificates ([b45a0bf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b45a0bf832506fb60488cd01c9c883b58e1d60b6))
 * **nubus:** Update ArgoCD hook annotations ([f2b1384](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f2b13846700d8a49a066b3343b043dac89d326f5))
 * **open-xchange:** Update Open-Xchange to v8.36 ([b40b863](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b40b8630c1a5ba7452d0461d38b1175fa647226d))
 * **open-xchange:** Update Open-Xchange to v8.37 ([174c73c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/174c73c012e911342644bdcb89d22b35be9baa36))
 * **openproject:** Update to 15.5.1 ([e91efa8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e91efa8ecc1be9b444092e1a291747bb9f0c00ea))
 * **openxchange:** Add proper dav URLs in client onboarding and disable unnecessary oauth section ([bba2af0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bba2af0f06942bd2063cc7b79f3e39fdb07838f0))
 * **openxchange:** Disable redundant o-x-authentication-oauth package ([1d2b17b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1d2b17b4951581e1f60d8a7f2402512dc1c1c568))
 * **openxchange:** Enable DAV support ([709e50f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/709e50ff7c020347dad953be7380d08438d3ab69))
 ### Features
 * **collabora:** Update enterprise image to 24.04.13.4.1 ([b590810](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b5908100ddbd7497f7f858e874bcbf7979480d1b))
 * **helmfile:** Define `global.additionalMailDomains` as list; if you use the setting already, check `migrations.md` for details ([4b30576](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/4b305768c444c166e28829ee05631451ba997126))
 * **helmfile:** Option to select default file format for weboffice using; see `functional.weboffice.defaultFormat` in `functional.yaml.gotmpl` for details ([5f58a85](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5f58a857acab38fa7f56e1e14ef0a6f805c7622e))
 * **nubus:** Update nubus to v1.9.1 ([3d694a8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3d694a8248d5e983ab3e05753326088b375f2d82))
 ## [1.3.2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.3.1...v1.3.2) (2025-05-06)
--- a/README-EE.md
+++ b/README-EE.md
@@ -86,7 +86,7 @@ repositories:
 ## License keys
-Some applications require license information for their Enterprise features to be enabled. With the aforementioned registry credentials you will also receive a file called `enterprise.yaml` containing the relevant license keys.
+Some applications require license information for their Enterprise features to be enabled. With the aforementioned registry credentials you will also receive a file called [`enterprise.yaml`](./helmfile/environments/default/enterprise_keys.yaml.gotmpl) containing the relevant license keys.
 Please place the file next your other `.yaml.gotmpl` file(s) that configure your deployment.
--- a/README.md
+++ b/README.md
@@ -35,13 +35,13 @@ openDesk currently features the following functional main components:
 | Function             | Functional Component        | Component<br/>Version                                                                                                         | Upstream Documentation                                                                                                                |
 |----------------------|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.89](https://github.com/element-hq/element-desktop/releases/tag/v1.11.89)                                                | [For the most recent release](https://element.io/user-guide)                                                                          |
-| Collaborative notes  | Notes (aka Docs)            | [2.4.0](https://github.com/suitenumerique/docs/releases/tag/v2.4.0)                                                           | Online documentation/welcome document available in installed application                                                              |
+| Collaborative notes  | Notes (aka Docs)            | [3.2.1](https://github.com/suitenumerique/docs/releases/tag/v3.2.1)                                                           | Online documentation/welcome document available in installed application                                                              |
 | Diagram editor       | CryptPad ft. diagrams.net   | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                        | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
-| File management      | Nextcloud                   | [30.0.6](https://nextcloud.com/de/changelog/#30-0-6)                                                                          | [Nextcloud 30](https://docs.nextcloud.com/)                                                                                           |
+| File management      | Nextcloud                   | [30.0.10](https://nextcloud.com/de/changelog/#30-0-10)                                                                          | [Nextcloud 30](https://docs.nextcloud.com/)                                                                                           |
-| Groupware            | OX App Suite                | [8.36](https://documentation.open-xchange.com/appsuite/releases/8.36/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Groupware            | OX App Suite                | [8.37](https://documentation.open-xchange.com/appsuite/releases/8.37/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                              | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | [1.8.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-8-0-2025-04-07) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Portal & IAM         | Nubus                       | [1.9.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-9-1-2025-05-07) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | [15.5.1](https://www.openproject.org/docs/release-notes/15-5-1/)                                                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Project management   | OpenProject                 | [16.0.1](https://www.openproject.org/docs/release-notes/16-0-1/)                                                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                         | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [24.04.13](https://www.collaboraoffice.com/code-24-04-release-notes/)                                                         | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
--- a/docs/architecture/apis.md
+++ b/docs/architecture/apis.md
@@ -16,9 +16,9 @@ This chapter presents APIs available in openDesk, grouped by application.
  * [UDM Simple API](#udm-simple-api)
  * [UDM REST API](#udm-rest-api)
  * [UCR Python API](#ucr-python-api)
-  * [LDAP](#ldap)
+  * [Identity Store and Directory Service (LDAP)](#identity-store-and-directory-service-ldap)
-  * [Nubus Provisioning Service (**TBD**)](#nubus-provisioning-service-tbd)
+  * [Nubus Provisioning Service](#nubus-provisioning-service)
-  * [Nubus Authorization Service (**TBD**)](#nubus-authorization-service-tbd)
+  * [Nubus Authorization Service](#nubus-authorization-service)
 * [Groupware - OX AppSuite / OX Dovecot](#groupware---ox-appsuite--ox-dovecot)
  * [Usage of APIs within openDesk](#usage-of-apis-within-opendesk)
  * [HTTP API](#http-api)
@@ -65,11 +65,13 @@ This chapter presents APIs available in openDesk, grouped by application.
 # IAM - Nubus
-![High-level architecture of Univention part withAPIs/interfaces highlighted](./apis_images/IAM-overview.png)
+![Overview of functional components in Univention Nubus for Kubernetes](./apis_images/IAM-overview_functional_components_structured.svg)  
 [Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/overview/components.html#overview-components-fig)
 ## UMC Python API
 ![Composition of UMC component with APIs highlighted](./apis_images/IAM-umc-architecture.png)  
 [Source](https://docs.software-univention.de/developer-reference/latest/en/umc/architecture.html#umc-api)
 | Name                           | UMC Python API                                                                                                                                                                                                                                 |
 | ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -101,7 +103,7 @@ This chapter presents APIs available in openDesk, grouped by application.
 | Parallel access                | Allowed                                                                                                      |
 | Message protocol               |                                                                                                              |
 | Supported standards            |                                                                                                              |
-| Documentation                  | https://docs.software-univention.de/developer-reference/5.0/en/umc/local-system-module.html#umc-store-api |
+| Documentation                  | https://docs.software-univention.de/developer-reference/latest/en/umc/local-system-module.html#umc-store-api |
 ## IntercomService (ICS) API
@@ -135,13 +137,14 @@ This chapter presents APIs available in openDesk, grouped by application.
 | Parallel access                | Allowed                                                                                                                                                                                                                             |
 | Message protocol               | Depends on the integration use case.                                                                                                                                                                                                |
 | Supported standards            |                                                                                                                                                                                                                                     |
-| Documentation                  | https://docs.software-univention.de/developer-reference/5.0/en/listener/api.html                                                                                                                                                    |
+| Documentation                  | https://docs.software-univention.de/developer-reference/latest/en/listener/api.html                                                                                                                                                 |
-More details on the Nubus provisioning service can be found here: https://docs.software-univention.de/nubus-kubernetes-architecture/0.5/en/components/provisioning-service.html
+More details on the Nubus provisioning service can be found here: https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/components/provisioning-service.html
 ## UDM Simple API
-![Composition of UMC component with APIs highlighted](./apis_images/IAM-udm.png)
+![Architecture of UDM](./apis_images/IAM-udm-architecture.svg)  
 [Source](https://docs.software-univention.de/architecture/latest/en/services/udm.html#architecture-model-udm)
 | Name                           | UDM Simple API                                                                                                                                    |
 | ------------------------------ | -------------------------------------------------------------------                                                                               |
@@ -150,13 +153,13 @@ More details on the Nubus provisioning service can be found here: https://docs.s
 | Authentication                 |                                                                                                                                                   |
 | In openDesk provided by        | Univention Directory Manager                                                                                                                      |
 | Transport protocol             |                                                                                                                                                   |
-| Usage within component         |                                                                   |
+| Usage within component         | Allows to use UDM capability and objects directly in Python programs. UDM Simple API provides Python modules and classes below `univention.udm.*` |
 | Usage within openDesk          |                                                                                                                                                   |
 | Usage for external integration |                                                                                                                                                   |
 | Parallel access                | Allowed                                                                                                                                           |
 | Message protocol               | Depends on the integration use case.                                                                                                              |
 | Supported standards            |                                                                                                                                                   |
-| Documentation                  |                                                                   |
+| Documentation                  | https://docs.software-univention.de/ucs-python-api/univention.udm.html#module-univention.udm.                                                     |
 ## UDM REST API
@@ -166,18 +169,19 @@ More details on the Nubus provisioning service can be found here: https://docs.s
 | Versioning                     |                                                                                                                                            |
 | Authentication                 | Basic Auth                                                                                                                                 |
 | In openDesk provided by        | Univention Directory Manager                                                                                                               |
-| Transport protocol             | HTTP(S)                                                                                                                                    |
+| Transport protocol             | HTTP()                                                                                                                                     |
 | Usage within component         | The Nubus bootstrapping process makes use of the API.                                                                                      |
 | Usage within openDesk          |                                                                                                                                            |
 | Usage for external integration | The [openDesk User Importer](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/user-import) utilizes the API. |
 | Parallel access                | Allowed                                                                                                                                    |
 | Message protocol               | Depends on the integration use case.                                                                                                       |
 | Supported standards            |                                                                                                                                            |
-| Documentation                  | https://docs.software-univention.de/developer-reference/5.0/en/udm/rest-api.html                                                           |
+| Documentation                  | https://docs.software-univention.de/nubus-kubernetes-customization/latest/en/api/udm-rest.html                                             |
 ## UCR Python API
-![Composition of UCR component with APIs/interfaces highlighted](./apis_images/IAM-ucr.png)
+![Architecture overview of UCR](./apis_images/IAM-ucr-architecture.svg)  
 [Source](https://docs.software-univention.de/architecture/latest/en/services/ucr.html#services-ucr-architecture-model)
 | Name                           | UCR Python API                                                                                         |
 | ------------------------------ | ---------------------------------------------------------------------------------------------------    |
@@ -192,11 +196,14 @@ More details on the Nubus provisioning service can be found here: https://docs.s
 | Parallel access                | Allowed                                                                                                |
 | Message protocol               |                                                                                                        |
 | Supported standards            |                                                                                                        |
-| Documentation                  | https://docs.software-univention.de/developer-reference/5.0/en/ucr/usage.html#using-ucr-from-python |
+| Documentation                  | https://docs.software-univention.de/developer-reference/latest/en/ucr/usage.html#using-ucr-from-python |
-## LDAP
+## Identity Store and Directory Service (LDAP)
-| Name                           | LDAP                                                                                                                    |
+![Overview of the Identity Store and Directory Service](./apis_images/IAM-functional_component_identity_store.svg)  
 [Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/components/identity-store.html#component-identity-store-figure)
 | Name                           | Identity Store and Directory Service (LDAP)                                                                                                           |
 | ------------------------------ | -------------------------------------------------------------------------------------------------------------------------                             |
 | Purpose                        | Read access to Nubus LDAP                                                                                                                             |
 | Versioning                     | n/a                                                                                                                                                   |
@@ -209,15 +216,25 @@ More details on the Nubus provisioning service can be found here: https://docs.s
 | Parallel access                | Allowed                                                                                                                                               |
 | Message protocol               | LDAP                                                                                                                                                  |
 | Supported standards            | LDAP                                                                                                                                                  |
-| Documentation                  | https://docs.software-univention.de/manual/5.0/en/domain-ldap/ldap-directory.html                                       |
+| Documentation                  | https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/components/identity-store.html#component-identity-store-directory-service |
-## Nubus Provisioning Service (**TBD**)
+## Nubus Provisioning Service
-To be delivered.
+![Overview of the Provisioning Service and its components](./apis_images/IAM-functional_component_provisioning_service_complete.svg)  
 [Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/components/provisioning-service.html#component-provisioning-service-complete-figure)
-## Nubus Authorization Service (**TBD**)
+| Name          | Nubus Proisioning Service                                                                                        |
 | ------------- | ---------------------------------------------------------------------------------------------------              |
 | Documentation | https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/components/provisioning-service.html |
-To be delivered.
+## Nubus Authorization Service
 ![ArchiMate view of the interfaces and protocols of the Authorization Service](./apis_images/IAM-interfaces_authorization_service.svg)  
 [Source](https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/overview/interfaces-protocols.html#authorization-service)
 | Name          | Nubus Authorization Service                                                                                                          |
 | ------------- | ---------------------------------------------------------------------------------------------------                                  |
 | Documentation | https://docs.software-univention.de/nubus-kubernetes-architecture/latest/en/overview/interfaces-protocols.html#authorization-service |
 # Groupware - OX AppSuite / OX Dovecot
--- a/docs/architecture/apis_images/IAM-functional_component_identity_store.svg
+++ b/docs/architecture/apis_images/IAM-functional_component_identity_store.svg
--- a/docs/architecture/apis_images/IAM-functional_component_provisioning_service_complete.svg
+++ b/docs/architecture/apis_images/IAM-functional_component_provisioning_service_complete.svg
--- a/docs/architecture/apis_images/IAM-interfaces_authorization_service.svg
+++ b/docs/architecture/apis_images/IAM-interfaces_authorization_service.svg
--- a/docs/architecture/apis_images/IAM-overview_functional_components_structured.svg
+++ b/docs/architecture/apis_images/IAM-overview_functional_components_structured.svg
--- a/docs/architecture/apis_images/IAM-ucr-architecture.svg
+++ b/docs/architecture/apis_images/IAM-ucr-architecture.svg
--- a/docs/architecture/apis_images/IAM-udm-architecture.svg
+++ b/docs/architecture/apis_images/IAM-udm-architecture.svg
--- a/docs/enhanced-configuration/idp-federation.md
+++ b/docs/enhanced-configuration/idp-federation.md
@@ -22,7 +22,7 @@ SPDX-License-Identifier: Apache-2.0
 Most organizations already have an Identity and Access Management (IAM) system with an identity provider (IdP) for single sign-on (SSO) to internal or external web applications.
-This document explains how to configure your organization's IdP and the openDesk IdP to support account federation with openDesk SSO based on your organization's login.
+This document helps in setting up your organization's IdP and openDesk to enable IdP federation.
 # References
@@ -70,6 +70,23 @@ This document focuses on the OIDC federation between an external IdP and the ope
 # Example configuration
 The following section explains how to configure the IdP federation manually in an example upstream IdP and in openDesk.
 With openDesk 1.4.0 IdP federation has to be enabled as part of the deployment using the `functional.authentication.ssoFederation` section, see [`functional.yaml.gotmpl`](../../helmfile/environments/default/functional.yaml.gotmpl) for reference.
 You can use the description below to configure and test the federation that can be exported and used as part of the deployment afterwards, e.g. with the following commands from within the Keycloak Pod:
 ```shell
 # Set the variables according to your deployment first, below are just example values.
 export FEDERATION_IDP_ALIAS=sso-federation-idp
 export NAMESPACE=example_namespace
 export CLUSTER_NETWORKING_DOMAIN=svc.cluster.local
 # Authenticate with Keycloak
 /opt/keycloak/bin/kcadm.sh config credentials --server http://ums-keycloak.${NAMESPACE}.${CLUSTER_NETWORKING_DOMAIN}:8080 --realm master --user ${KEYCLOAK_ADMIN} --password ${KEYCLOAK_ADMIN_PASSWORD}
 # Request details of IdP configuration
 /opt/keycloak/bin/kcadm.sh get identity-provider/instances/${FEDERATION_IDP_ALIAS} -r opendesk
 ```
 ## Versions
 The example was tested with openDesk v0.7.0 using its integrated Keycloak v24.0.3. As external IdP, we also used an openDesk deployment of the same version, but created a separate realm for proper configuration separation.
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -11,6 +11,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Manual checks/actions](#manual-checksactions)
  * [v1.4.0+](#v140)
    * [Pre-upgrade to v1.4.0+](#pre-upgrade-to-v140)
      * [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation)
      * [Helmfile cleanup: `global.additionalMailDomains` as list](#helmfile-cleanup-globaladditionalmaildomains-as-list)
  * [v1.2.0+](#v120)
    * [Pre-upgrade to v1.2.0+](#pre-upgrade-to-v120)
@@ -104,6 +105,12 @@ If you would like more details about the automated migrations, please read secti
 ### Pre-upgrade to v1.4.0+
 #### Helmfile new feature: `functional.authentication.ssoFederation`
 **Target group:** Deployments that make use of IdP federation as described in [`idp-federation.md`](./enhanced-configuration/idp-federation.md).
 Please ensure to configure your IdP federation config details as part of `functional.authentication.ssoFederation`. You can find more details in the "Example configuration" section of [`idp-federation.md`](./enhanced-configuration/idp-federation.md).
 #### Helmfile cleanup: `global.additionalMailDomains` as list
 **Target group:** Installations that have set `global.additionalMailDomains`.
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -29,14 +29,14 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 - K8s cluster >= v1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX) >= [4.11.5/1.11.5](https://github.com/kubernetes/ingress-nginx/releases)
- [Helm](https://helm.sh/) >= v3.17.3
+- [Helm](https://helm.sh/) >= v3.17.3, but not v3.18.0[^1]
 - [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= v1.0.0
 - [HelmDiff](https://github.com/databus23/helm-diff) >= v3.11.0
- Volume provisioner supporting RWO (read-write-once)[^1]
+- Volume provisioner supporting RWO (read-write-once)[^2]
 - Certificate handling with [cert-manager](https://cert-manager.io/)
 **Additional openDesk Enterprise requirements**
- [OpenKruise](https://openkruise.io/)[^2] >= v1.6
+- [OpenKruise](https://openkruise.io/)[^3] >= v1.6
 # Hardware
@@ -117,7 +117,7 @@ deployments, you need to make use of your own production-grade services; see the
 |----------|---------------------|---------|-----------------------|
 | Cache    | Memcached           | `1.6.x` | Memcached             |
 |          | Redis               | `7.x.x` | Redis                 |
-| Database | Cassandra[^2]       | `5.0.x` | Cassandra             |
+| Database | Cassandra[^3]       | `5.0.x` | Cassandra             |
 |          | MariaDB             | `10.x`  | MariaDB               |
 |          | PostgreSQL          | `15.x`  | PostgreSQL            |
 | Mail     | Mail Transfer Agent |         | Postfix               |
@@ -137,6 +137,8 @@ Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare
 # Footnotes
-[^1]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail.
+[^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm 3.18.0 is not supported.
-[^2]: Required for Dovecot Pro as part of openDesk Enterprise Edition.
+[^2]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail.
 [^3]: Required for Dovecot Pro as part of openDesk Enterprise Edition.
--- a/docs/security-context.md
+++ b/docs/security-context.md
@@ -197,7 +197,7 @@ This list gives you an overview of templated security settings and if they compl
 | **nubus**/ums/nubusUdmListener | :x: | no | n/a | yes | yes | 102 | 65534 | yes | yes |
 | **nubus**/ums/nubusUdmRestApi | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
 | **nubus**/ums/nubusUmcGateway | :x: | no | n/a | yes | yes | 1000 | 1000 | yes | yes |
-| **nubus**/ums/nubusUmcServer | :x: | no | n/a | yes | no | 0 | 0 | yes | yes |
+| **nubus**/ums/nubusUmcServer | :x: | no | n/a | yes | yes | 999 | 999 | yes | yes |
 | **open-xchange**/dovecot | :x: | no | n/a | yes | n/a | n/a | n/a | yes | no ["CHOWN","DAC_OVERRIDE","KILL","NET_BIND_SERVICE","SETGID","SETUID","SYS_CHROOT"] |
 | **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -17,6 +17,13 @@ ingress:
  tls:
    enabled: "{{ .Values.ingress.tls.enabled }}"
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.notes }}"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}"
    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.notes }}"
    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}s"
    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.notes }}s"
 ingressCollaborationWS:
  enabled: {{ .Values.ingress.enabled }}
@@ -27,12 +34,12 @@ ingressCollaborationWS:
    enabled: "{{ .Values.ingress.tls.enabled }}"
    secretName: {{ .Values.ingress.tls.secretName | quote }}
  annotations:
    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Can-Edit, X-User-Id"
    nginx.ingress.kubernetes.io/auth-url: https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/documents/collaboration-auth/
    nginx.ingress.kubernetes.io/enable-websocket: "true"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
    nginx.ingress.kubernetes.io/upstream-hash-by: $arg_room
    nginx.ingress.kubernetes.io/auth-response-headers: null
    nginx.ingress.kubernetes.io/auth-url: null
    {{- with .Values.annotations.notes.ingressCollaborationWS }}
    {{ . | toYaml | nindent 4 }}
    {{- end }}
@@ -91,7 +98,6 @@ frontend:
  envVars:
    PORT: 8080
    NEXT_PUBLIC_API_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
    NEXT_PUBLIC_Y_PROVIDER_URL: {{ printf "wss://%s.%s/ws" .Values.global.hosts.notes .Values.global.domain | quote }}
    NEXT_PUBLIC_MEDIA_URL: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  runtimeEnvs:
    ICS_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.intercomService .Values.global.domain | quote }}
@@ -144,6 +150,7 @@ yProvider:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.notesBackend | toYaml | nindent 6 }}
  envVars:
    COLLABORATION_BACKEND_BASE_URL: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
    COLLABORATION_LOGGING: {{ if .Values.debug.enabled }}"true"{{ else }}"false"{{ end }}
    COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
    COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
@@ -214,8 +221,8 @@ backend:
    OIDC_OP_LOGOUT_ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
    OIDC_RP_SIGN_ALGO: RS256
    OIDC_RP_SCOPES: "openid opendesk-notes-scope"
-    USER_OIDC_FIELD_TO_SHORTNAME: "given_name"
+    OIDC_USERINFO_SHORTNAME_FIELD: "given_name"
-    USER_OIDC_FIELDS_TO_FULLNAME: "given_name,family_name"
+    OIDC_USERINFO_FULLNAME_FIELDS: "given_name,family_name"
    USER_OIDC_ESSENTIAL_CLAIMS: "email"
    OIDC_REDIRECT_ALLOWED_HOSTS: {{ printf "https://%s.%s/*" .Values.global.hosts.notes .Values.global.domain | quote }}
    OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{}"
@@ -232,6 +239,8 @@ backend:
    COLLABORATION_SERVER_ORIGIN: {{ printf "https://%s.%s" .Values.global.hosts.notes .Values.global.domain | quote }}
    COLLABORATION_SERVER_SECRET: {{ .Values.secrets.notes.collaborationSecret | quote }}
    COLLABORATION_WS_URL:  {{ printf "wss://%s.%s/collaboration/ws/" .Values.global.hosts.notes .Values.global.domain | quote }}
    FRONTEND_HOMEPAGE_FEATURE_ENABLED: False
    FRONTEND_FOOTER_FEATURE_ENABLED: False
  migrate:
    command:
      - "/bin/sh"
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -197,6 +197,12 @@ keycloak:
        name: "ums-opendesk-keycloak-credentials"
        keyMapping:
          adminPassword: "admin_password"
    login:
      messages:
        de:
          loginTitle: "Anmeldung bei {{ .Values.theme.texts.productName }}"
        en:
          loginTitle: "Sign in to {{ .Values.theme.texts.productName }}"
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak"
    {{- with .Values.annotations.nubusKeycloak.pod }}
@@ -256,6 +262,20 @@ keycloak:
 nubusGuardian:
  authorizationApi:
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
@@ -274,20 +294,6 @@ nubusGuardian:
    replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
    resources:
      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
  global:
    podAnnotations:
      {{ .Values.annotations.nubusGuardian.globalPod | toYaml | nindent 6 }}
@@ -350,6 +356,20 @@ nubusGuardian:
          # enabled: true
          secretName: ""
  managementApi:
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
@@ -368,7 +388,8 @@ nubusGuardian:
    replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
    resources:
      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
-    securityContext:
+  managementUi:
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
@@ -381,8 +402,7 @@ nubusGuardian:
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
+        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
  managementUi:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
@@ -398,7 +418,8 @@ nubusGuardian:
    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
    resources:
      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
-    securityContext:
+  openPolicyAgent:
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
@@ -411,8 +432,7 @@ nubusGuardian:
      seccompProfile:
        type: RuntimeDefault
    seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
+      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
  openPolicyAgent:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
@@ -428,20 +448,6 @@ nubusGuardian:
    replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
    resources:
      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
  postgresql:
    connection:
      host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
@@ -449,26 +455,29 @@ nubusGuardian:
    auth:
      username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
      database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
-      credentialSecret:
+      existingSecret:
        name: "ums-guardian-postgresql-opendesk-credentials"
-        key: "guardianDatabasePassword"
+        keyMapping:
          password: "guardianDatabasePassword"
  provisioning:
    enabled: false
    config:
      nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
      keycloak:
        realm: {{ .Values.platform.realm | quote }}
        username: "kcadmin"
        connection:
          host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
          baseUrl: "http://ums-keycloak:8080"
        credentialSecret:
          name: "ums-opendesk-keycloak-credentials"
          key: "admin_password"
-      managementApi:
+      realm: {{ .Values.platform.realm | quote }}
-        credentialSecret:
+      username: "kcadmin"
    keycloak:
      auth:
        existingSecret:
          name: "ums-opendesk-guardian-client-secret"
-          key: "managementApiClientSecret"
+          keyMapping:
            password: "managementApiClientSecret"
      connection:
        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
        baseUrl: "http://ums-keycloak:8080"
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
@@ -697,6 +706,17 @@ nubusKeycloakExtensions:
    resources:
      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      enabled: true
      runAsUser: 1000
      runAsGroup: 1000
      seccompProfile:
        type: "RuntimeDefault"
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions:
@@ -787,8 +807,15 @@ nubusPortalConsumer:
    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  objectStorage:
    auth:
      accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
      accessKey: {{ .Values.objectstores.nubus.username | quote }}
      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
      secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
      existingSecret:
        name: "{{ .Release.Name }}-portal-consumer-minio-credentials"
        keyMapping:
          accessKey: "accessKey"
          secretKey: "secretKey"
    bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
    endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  persistence:
@@ -1469,6 +1496,7 @@ nubusStackDataUms:
      {{ .Values.annotations.nubusStackDataUms.serviceAccount | toYaml | nindent 6 }}
  templateContext:
    initialPasswordAdministrator: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote }}
    additionalMailDomains: {{ .Values.global.additionalMailDomains | toYaml | nindent 6 }}
    apps: {{ .Values.apps | toYaml | nindent 6 }}
    defaultGroupOtherObjects: "cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}"
    opendeskEnterprise: {{ env "OPENDESK_ENTERPRISE" }}
@@ -1557,12 +1585,12 @@ nubusUmcServer:
    capabilities:
      drop:
        - "ALL"
-    runAsUser: 0
+    runAsUser: 999
-    runAsGroup: 0
+    runAsGroup: 999
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
-    runAsNonRoot: false
+    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  containerSecurityContextInit:
@@ -1598,12 +1626,12 @@ nubusUmcServer:
        - "MKNOD"
        - "NET_BIND_SERVICE"
        - "SYS_CHROOT"
-    runAsUser: 0
+    runAsUser: 999
-    runAsGroup: 0
+    runAsGroup: 999
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
-    runAsNonRoot: false
+    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  image:
@@ -1749,7 +1777,7 @@ nubusKeycloakBootstrap:
    capabilities:
      drop:
        - "ALL"
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
--- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
@@ -28,7 +28,7 @@ dovecot:
      value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
    keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
  sharedMailboxes:
-    enabled: false
+    enabled: true
    host: {{ .Values.databases.dovecotACL.host | quote }}
    port: {{ .Values.databases.dovecotACL.port }}
    username: {{ .Values.databases.dovecotACL.username | quote }}
@@ -36,6 +36,7 @@ dovecot:
      value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
  objectStorage:
    bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
    encryption:
      privateKey:
        value: {{ env "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -83,6 +83,10 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
 {{- if .Values.debug.enabled }}
 debug: true
 {{- end }}
 {{- if .Values.certificate.selfSigned }}
 extraVolumes:
  - name: "trusted-cert-secret-volume"
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -291,7 +291,12 @@ appsuite:
        open-xchange-documents-backend: "disabled"
        open-xchange-documents-monitoring: "disabled"
        open-xchange-documents-templates: "disabled"
        # Required for the central contacts integration
        open-xchange-oauth-provider: "enabled"
        # Needed to set com.openexchange.hostname
        open-xchange-hostname-config-cascade: "enabled"
    properties:
      com.openexchange.hostname: {{ printf "%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
      com.openexchange.UIWebPath: "/appsuite/"
      com.openexchange.showAdmin: "false"
      # PDF Export
@@ -323,14 +328,32 @@ appsuite:
      com.openexchange.oidc.userLookupNamePart: "full"
      com.openexchange.oidc.enablePasswordGrant: "true"
      com.openexchange.oidc.passwordGrantUserNamePart: "local-part"
      # OAUTH
      com.openexchange.oauth.provider.enabled: "true"
      com.openexchange.oauth.provider.allowedIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      com.openexchange.oauth.provider.contextLookupClaim: "context"
      com.openexchange.oauth.provider.contextLookupNamePart: "full"
      com.openexchange.oauth.provider.jwt.jwksUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      com.openexchange.oauth.provider.mode: "expect_jwt"
      com.openexchange.oauth.provider.userLookupNamePart: "full"
      com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
      # MAIL
      com.openexchange.mail.authType: "xoauth2"
-      com.openexchange.mail.loginSource: "mail"
+      com.openexchange.mail.loginSource: "name"
      com.openexchange.mail.mailServer: "dovecot"
      com.openexchange.mail.mailServerSource: "global"
      com.openexchange.mail.transport.authType: "xoauth2"
      com.openexchange.mail.transportServer: "postfix-ox"
      com.openexchange.mail.transportServerSource: "global"
      # Mail Login Resolver
      com.openexchange.mail.login.resolver.enabled: "true"
      com.openexchange.mail.login.resolver.ldap.enabled: "true"
      com.openexchange.mail.login.resolver.ldap.clientId: "contactsLdapClient"
      com.openexchange.mail.login.resolver.ldap.mailLoginSearchFilter: "(entryUUID=[mailLogin])"
      com.openexchange.mail.login.resolver.ldap.userNameAttribute: "uid"
      com.openexchange.mail.login.resolver.ldap.contextNameAttribute: "oxContextIDNum"
      com.openexchange.mail.login.resolver.ldap.entitySearchFilter: "(&(oxContextIDNum=[cid])(uid=[uname]))"
      com.openexchange.mail.login.resolver.ldap.mailLoginAttribute: "entryUUID"
      # Requirements for OX-Connector
      com.openexchange.user.enforceUniqueDisplayName: "false"
      com.openexchange.folderstorage.database.preferDisplayName: "false"
--- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
@@ -55,6 +55,10 @@ postfix:
  {{- if .Values.apps.dkimpy.enabled }}
  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
  {{- end }}
  minTLSVersion: "TLSv1.3"
  smtpdTLSMandatoryCiphers: "high"
  rspamdHost: ""
  relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
  allowRelayNets: false
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -65,8 +65,14 @@ postfix:
  {{- end }}
  rspamdHost: ""
  relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
  # Warning: This setting allows unauthenticated mail relay from relayNets!
  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
  allowRelayNets: true
  minTLSVersion: "TLSv1.3"
  smtpdTLSMandatoryCiphers: "high"
  smtpSASLAuthEnable: "yes"
  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
  smtpTLSSecurityLevel: "encrypt"
--- a/helmfile/apps/services-external/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postgresql.yaml.gotmpl
@@ -18,8 +18,8 @@ containerSecurityContext:
      - "ALL"
  enabled: true
  privileged: false
-  runAsUser: 70
+  runAsUser: 1001
-  runAsGroup: 70
+  runAsGroup: 1001
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
@@ -29,7 +29,7 @@ containerSecurityContext:
 podSecurityContext:
  enabled: true
-  fsGroup: 70
+  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
 replicaCount: {{ .Values.replicas.postgres }}
@@ -49,77 +49,37 @@ image:
 job:
  users:
    - username: {{ .Values.databases.keycloak.username | quote }}
-      password:
+      password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
        value: {{ .Values.secrets.postgresql.keycloakUser | quote }}
        secret:
          name: {{ .Values.external_secrets.postgresql.keycloakUser.name | quote }}
          key: {{ .Values.external_secrets.postgresql.keycloakUser.key | quote }}
      connectionLimit: {{ .Values.databases.keycloak.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: {{ .Values.databases.notes.username | quote }}
-      password:
+      password: {{ .Values.secrets.postgresql.notesUser | quote }}
        value: {{ .Values.secrets.postgresql.notesUser | quote }}
        secret:
          name: {{ .Values.external_secrets.postgresql.notesUser.name | quote }}
          key: {{ .Values.external_secrets.postgresql.notesUser.key | quote }}
      connectionLimit: {{ .Values.databases.notes.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: {{ .Values.databases.openproject.username | quote }}
-      password:
+      password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
        value: {{ .Values.secrets.postgresql.openprojectUser | quote }}
        secret:
          name: {{ .Values.external_secrets.postgresql.openprojectUser.name | quote }}
          key: {{ .Values.external_secrets.postgresql.openprojectUser.key | quote }}
      connectionLimit: {{ .Values.databases.openproject.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: {{ .Values.databases.keycloakExtension.username | quote }}
-      password:
+      password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
        value: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
        secret:
          name: {{ .Values.external_secrets.postgresql.keycloakExtensionUser.name | quote }}
          key: {{ .Values.external_secrets.postgresql.keycloakExtensionUser.key | quote }}
      connectionLimit: {{ .Values.databases.keycloakExtension.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: {{ .Values.databases.synapse.username | quote }}
-      password:
+      password: {{ .Values.secrets.postgresql.matrixUser | quote }}
        value: {{ .Values.secrets.postgresql.matrixUser | quote }}
        secret:
          name: {{ .Values.external_secrets.postgresql.matrixUser.name | quote }}
          key: {{ .Values.external_secrets.postgresql.matrixUser.key | quote }}
      connectionLimit: {{ .Values.databases.synapse.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: {{ .Values.databases.umsNotificationsApi.username | quote }}
-      password:
+      password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
        value: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
        secret:
          name: {{ .Values.external_secrets.postgresql.umsNotificationsApiUser.name | quote }}
          key: {{ .Values.external_secrets.postgresql.umsNotificationsApiUser.key | quote }}
      connectionLimit: {{ .Values.databases.umsNotificationsApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
-      password:
+      password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
        value: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
        secret:
          name: {{ .Values.external_secrets.postgresql.umsGuardianManagementApiUser.name | quote }}
          key: {{ .Values.external_secrets.postgresql.umsGuardianManagementApiUser.key | quote }}
      connectionLimit: {{ .Values.databases.umsGuardianManagementApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: {{ .Values.databases.umsSelfservice.username | quote }}
-      password:
+      password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
        value: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
        secret:
          name: {{ .Values.external_secrets.postgresql.umsSelfserviceUser.name | quote }}
          key: {{ .Values.external_secrets.postgresql.umsSelfserviceUser.key | quote }}
      connectionLimit: {{ .Values.databases.umsSelfservice.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ if or (eq .Values.databases.nextcloud.type "postgresql") (eq .Values.databases.nextcloud.type "psql") }}
    - username: {{ .Values.databases.nextcloud.username | quote }}
-      password:
+      password: {{ .Values.secrets.postgresql.nextcloudUser | quote }}
        value: {{ .Values.secrets.postgresql.nextcloudUser | quote }}
        secret:
          name: {{ .Values.external_secrets.postgresql.nextcloudUser.name | quote }}
          key: {{ .Values.external_secrets.postgresql.nextcloudUser.key | quote }}
      connectionLimit: {{ .Values.databases.nextcloud.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
 {{ if eq .Values.databases.xwiki.type "postgresql" }}
    - username: {{ .Values.databases.xwiki.username | quote }}
-      password:
+      password: {{ .Values.secrets.postgresql.xwikiUser | quote }}
        value: {{ .Values.secrets.postgresql.xwikiUser | quote }}
        secret:
          name: {{ .Values.external_secrets.postgresql.xwikiUser.name | quote }}
          key: {{ .Values.external_secrets.postgresql.xwikiUser.key | quote }}
      connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
  databases:
@@ -165,11 +125,7 @@ podAnnotations:
 postgres:
  user: "postgres"
-  password:
+  password: {{ .Values.secrets.postgresql.postgresUser | quote }}
    value: {{ .Values.secrets.postgresql.postgresUser | quote }}
    secret:
      name: {{ .Values.external_secrets.postgresql.postgresUser.name | quote }}
      key: {{ .Values.external_secrets.postgresql.postgresUser.key | quote }}
 resources:
  {{ .Values.resources.postgresql | toYaml | nindent 2 }}
--- a/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl
@@ -6,12 +6,11 @@ charts:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
    name: "dovecot"
-    version: "3.0.0"
+    version: "3.1.1"
    verify: true
  oxAppSuite:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector-pro-chart"
-    version: "1.15.236"
+    version: "1.17.292"
    verify: false
 ...
--- a/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
+++ b/helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl
@@ -9,13 +9,13 @@ images:
  dovecot:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"
-    tag: "3.0.1-rev3@sha256:b87f16562dd486c0f97e8147a797af16a54f25f1ac64826f4f53bd8177ec9a33"
+    tag: "3.0.2-rev7@sha256:4330240bfeda4dd8b6aa32a6b7f03382126d47caf4f37a5578ad17746101c88b"
  nextcloud:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.2.0@sha256:ddd2bec74a22a713967f62fcdcf18fa8d53d730c1db296d570143754c93d20a5"
+    tag: "30.0.10@sha256:a63374dd44d3c6a8873da31fe0554b97fb29993a4cf18b9dd6a304b577f2f2b8"
  openxchangeCoreMW:
    registry: "registry.opencode.de"
    repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"
-    tag: "8.35.85@sha256:54d01a16ea29a3ae8f1857e5bdf6d2e34046b8a3fa3d6179bb3ad3d047e1318f"
+    tag: "8.37.69@sha256:40908484e71bc45ad23598685b0519d82fc9e3cf372e00fe38befe9196cf84e2"
 ...
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -99,7 +99,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
    name: "dovecot"
-    version: "3.0.0"
+    version: "3.1.1"
    verify: true
  element:
    # providerCategory: "Platform"
@@ -303,7 +303,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "nubus"
-    version: "1.8.0"
+    version: "1.9.1"
    verify: true
  opendeskAlerts:
    # providerCategory: "Platform"
@@ -355,7 +355,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
    name: "openproject"
-    version: "9.10.1"
+    version: "10.0.3"
    verify: true
  openprojectBootstrap:
    # providerCategory: "Platform"
@@ -387,7 +387,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.18.36"
+    version: "2.19.262"
    verify: false
  oxAppSuiteBootstrap:
    # providerCategory: "Platform"
--- a/helmfile/environments/default/external_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -1,41 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 external_secrets:
  postgresql:
    postgresUser:
      name: ~
      key: ~
    keycloakUser:
      name: ~
      key: ~
    keycloakExtensionUser:
      name: ~
      key: ~
    matrixUser:
      name: ~
      key: ~
    nextcloudUser:
      name: ~
      key: ~
    notesUser:
      name: ~
      key: ~
    openprojectUser:
      name: ~
      key: ~
    umsNotificationsApiUser:
      name: ~
      key: ~
    umsGuardianManagementApiUser:
      name: ~
      key: ~
    umsSelfserviceUser:
      name: ~
      key: ~
    xwikiUser:
      name: ~
      key: ~
 ...
--- a/helmfile/environments/default/global.generated.yaml.gotmpl
+++ b/helmfile/environments/default/global.generated.yaml.gotmpl
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.3.3"
+    releaseVersion: "v1.4.2"
 ...
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -20,7 +20,7 @@ images:
    # upstreamRepository: "bitnami/cassandra"
    registry: "registry-1.docker.io"
    repository: "bitnami/cassandra"
-    tag: "5.0.4-debian-12-r3@sha256:af57aa07f866673d4f605bc555e2699dfa7615de216d6a2d0cc607c81831ec2f"
+    tag: "5.0.4-debian-12-r4@sha256:9d909ebe10802dae2fb99ef7c8e9e0dbc496c8d30366e2f7abbe0713b945fa7d"
  cassandraExporter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -84,7 +84,7 @@ images:
    # upstreamRepository: "alpine/k8s"
    registry: "registry-1.docker.io"
    repository: "alpine/k8s"
-    tag: "1.33.0@sha256:60333a52c38e9a8df0a9b93a5a24a4870f0db2c7ea3266b185386bd0a500d7dc"
+    tag: "1.33.1@sha256:7f8133af0dd210cb5b168f889c5bc77dd65ecc935f3e3cb72d1b98ff96bfed40"
  element:
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
@@ -128,7 +128,7 @@ images:
    # providerResponsible: "Element"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-element-syncadmins"
-    tag: "1.0.3@sha256:1dea24d5f65a6f9ac63b402c772dd81dcd07a847d24845901c8a039461043097"
+    tag: "1.0.5@sha256:ae0e18eadea762e11f8edacc52285742a5c4ed6e2e92bfa32ec5638e377e7b7b"
  freshclam:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -320,7 +320,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.5.0@sha256:9457bc2116620e52dcd1f5f12f042090aa4cca2a3e4d5f64b7c84c232ca6bb63"
+    tag: "30.0.10@sha256:a022c6279072eb45d14cab29296860a15ad0d5801f50a56928334eb99bae50d0"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -328,7 +328,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter"
-    tag: "1.0.1@sha256:63e63c7420e37d3989fa0ffdbcf18a07b2a603ab9b2a849c2e7e44342dd82af0"
+    tag: "1.0.3@sha256:d38f211a3cdc8397deccd0243061e20972a8a796eeb9bb552fe4ddec5d56c829"
  nginxS3Gateway:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -344,7 +344,7 @@ images:
    # upstreamRepository: "lasuite/impress-backend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.7.0-docs-v2.4.0-backend@sha256:837e09dfcb4014de97b5254956dda899e586170276d1d0b0f94cca0685f3d2ef"
+    tag: "1.9.0-docs-v3.2.1-backend@sha256:17c16e4e00b15e4637d01553d56e7eecb7a477bec48677d1e7fb07b04c48d2b8"
  notesFrontend:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -352,7 +352,7 @@ images:
    # upstreamRepository: "lasuite/impress-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-notes"
-    tag: "1.7.0-docs-v2.4.0-frontend@sha256:98fb87ad877eb5658c6bef1c09adf4e03f816dce61867bc099838aca15890887"
+    tag: "1.9.0-docs-v3.2.1-frontend@sha256:328d5a8bf41875eb5945229adfc4a52eb2fef109e25d980910ee77edd4bc1887"
  notesYProvider:
    # providerCategory: "Supplier"
    # providerResponsible: "DINUM"
@@ -360,7 +360,7 @@ images:
    # upstreamRepository: "lasuite/impress-y-provider"
    registry: "registry-1.docker.io"
    repository: "lasuite/impress-y-provider"
-    tag: "v2.4.0@sha256:329d47f5cda80941a7f0812969c3194ba68da3e7e1ef38e3d08c266fc97555c1"
+    tag: "v3.2.1@sha256:9dd7068336c02fe71806bc3576e7dc8636d7ccb139667c6303f0753e18d3ab7e"
  nubusDataLoader:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -370,7 +370,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "41", "5"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.89.0@sha256:3ed16810357ed01152e1e3f0d1cd66825bde53302f32d3caf700e324f7c1cffb"
+    tag: "0.90.0@sha256:a776ea84ca5d4f984a1ecf1f97d8c90cd98894c3568401be6858a8e955c7ed92"
  nubusGuardianAuthorizationApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -410,17 +410,17 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    tag: "0.17.0@sha256:56acfc53c3d3e0a20ff77fe427ae794adbf03ccc66972c95188e0da9e87c4a62"
+    tag: "0.19.1@sha256:9030841a136d9addc37b2b62d39d80b113b824e50bd9cdcd5cf2c22bad74eeb0"
  nubusKeycloak:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
    # upstreamRegistry: "https://artifacts.software-univention.de"
    # upstreamRepository: "nubus/images/keycloak"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+).+$'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["22", "0", "3"]
+    # upstreamMirrorStartFrom: ["0", "0", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak"
-    tag: "25.0.6-ucs6@sha256:1db8af70741bca9badeb3d5b0b145244dde1a2579fe4f966e488ce730cb07d65"
+    tag: "0.0.1@sha256:ce2397ac38920750b81a8a6065f7ed8a551641c6562a551963a2857fe6822beb"
  nubusKeycloakBootstrap:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -430,7 +430,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.10.2@sha256:7406bfee267dff6520b8b3c0db098a79e7f9fe1b45307ea6b1edf26a2bcfc1aa"
+    tag: "0.11.0@sha256:55ad741e01dd91bb9b0332fd602a6262d3618abdf97a86c13f1e6148b36bd242"
  nubusKeycloakExtensionHandler:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -460,7 +460,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.34.1@sha256:02d1a0d6ce7e154738f4a1c2323f901245b62c23c8e6c27ce19a57ab44cfdaa7"
+    tag: "0.37.0@sha256:b148e15c268badc45db9a6ce12c97cce332d25b86e86fec47fc417b8fe74d0d2"
  nubusLdapServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -470,7 +470,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "8", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.34.1@sha256:5bb7931393d2023dc63c1338632b01d4c50372cb83192cdb329512b93e109984"
+    tag: "0.37.0@sha256:caf7de9e121e5500c52dc8338b80057acd3eaa1e3877b526a5ae944bb53fe876"
  nubusLdapServerDhInitContainer:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -488,7 +488,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "29", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.33.0@sha256:c1304a156094b276199fb263baf93e3704ceece478d7f663061b1b1f05f5931c"
+    tag: "0.37.0@sha256:c9580e33ea48ec5d7ab2d4816926ca1b2ef72787f7615f31b124119c376c4324"
  nubusNats:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
@@ -522,7 +522,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.63.0@sha256:4c2e01e609fb83df6d090c389b5c63d4b1477bdb133b910cacf2f2a1ce1c39e1"
+    tag: "0.67.0@sha256:da28ce84d97b78027eafbe0bcf8286a333efffdfc52a8abe852caed9d8cde339"
  nubusOpendeskExtension:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -530,7 +530,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.14.0@sha256:66ee00b6e44276f5f1e9d7a8066352fd5772820c50c10381acfd48c97f0acf4a"
+    tag: "1.14.4@sha256:cf0e22c1eef138a413a90a60c5405126dc769195dd4dd37229a27afaa82ef3b3"
  nubusOpendeskExtensionA2gMapper:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -568,7 +568,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "27", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.63.0@sha256:e331f87738e716b0a16199b6aeaec917509946ce7b7ee91e608e70091dd279cc"
+    tag: "0.67.1@sha256:580adf9079d27f53f6efd0c519252c7855f6907e3badc033b994165856b16126"
  nubusPortalExtension:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -596,7 +596,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.63.0@sha256:04cff7bb6b565e4ff03ffd1a6b6ab6c76b98bb9ea0fb8e703551f1b586ea7c27"
+    tag: "0.67.0@sha256:d9418c7a1db7541ced1e3034f45683c190bf63270c6ba8f3d67c1fe0ac2edb1a"
  nubusProvisioningDispatcher:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -606,7 +606,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.49.3@sha256:1089683a7e04259b335c79c13ceca2879d5d834a13d9c93ef62315f3086c9efd"
+    tag: "0.51.0@sha256:f0cea25f788ff565b883e50c6138874c6f0338e0f91c5f8a32595323059930ef"
  nubusProvisioningEventsAndConsumerApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -616,7 +616,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.49.3@sha256:56a5ca05a570f5a0f68ac67abbf8726541455f03bf0bada0495187d1a0fe963a"
+    tag: "0.51.0@sha256:66fec83fd5033cf32cd759e9c73f7ae659a4ec45a433f13417a12e007b1d4db6"
  nubusProvisioningPrefill:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -626,7 +626,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.49.3@sha256:761863e5499eb702d0a606e9a58d10055c637ed286ff18998125cb5f82a7c788"
+    tag: "0.51.0@sha256:ff04d8cec6ecc0b33cdea164e1ba1222c90ed9fe8370057a58329b4521e56de1"
  nubusProvisioningUdmListener:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -636,7 +636,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.49.3@sha256:9bd8dd7531e3247761a6347a1889640821121c56435a96c286d1f6385a3152e7"
+    tag: "0.51.0@sha256:5f0bba855945da2fa97d40b0fe51a14e3495b0b6da83562def6a6fcf4c21c059"
  nubusProvisioningUdmTransformer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -646,7 +646,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "14", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.49.3@sha256:9ce6b3798fb6faba6ebfac1be19b51d12bc8b312decf87f482a2371cb961805e"
+    tag: "0.51.0@sha256:ce9c312699ebe42c2e1df0d6caf150dfda1e4cc3fc1aaebe62c9ea5de8c11780"
  nubusSelfServiceConsumer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -656,7 +656,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "3", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.14.0@sha256:999c50058a02f6006a8d1732b651a5c738c5ee91fc453dc8ae3fcdbb9d4192c0"
+    tag: "0.15.0@sha256:a7c4c097029de8903e3c2eee2082d740b5352dcc7a7a2a3c330bd9ebd7ad5b62"
  nubusUdmRestApi:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -666,7 +666,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.29.0@sha256:2b061d1cf244aeadcb790a08cac94804a32abe73dd442382355a6657b05c0ff2"
+    tag: "0.30.0@sha256:9503666bac5f44a1d7cb6f17c6fd11a7d6976bc9059938596b6ac9f7bb581ca5"
  nubusUmcGateway:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -676,7 +676,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.38.0@sha256:5abece086fc55cc318453a23634094bdf4e0f9922debce87fbb1aa4d55b9eac1"
+    tag: "0.43.1@sha256:e1f23a199e1e35667e2ba6a45866bcb6d37bc2b13f3b8134e511ae95973c743b"
  nubusUmcServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -686,7 +686,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "7", "3"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.38.0@sha256:2733c21900c8f861f53cff5f65ed20a21881180ff80472491c014e1e2a9c2a9d"
+    tag: "0.43.1@sha256:1aef76db446164c3ffaeaf233e9ef6303ebb1609b47f918ac4ab6714abf95283"
  nubusUmcServerProxy:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -704,7 +704,7 @@ images:
    # upstreamMirrorStartFrom: ["0", "9", "4"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.28.0@sha256:816ad27b76046be360398274ba3c1f1bcec8f58c2ea5a200b2fb675aab1a5ab8"
+    tag: "0.30.0@sha256:fa804c2a10aa42439bf3f388007d7e55c046d6da6dc8a74c27f5a989fd422c8d"
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -730,7 +730,7 @@ images:
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "15.5.1@sha256:9ca328a30fc1e143fc1a34942836ff44923c05c327c27779e248767f2ce9ffc7"
+    tag: "16.0.1@sha256:c5b1172aed7e5e5ae21cca915e3349cc67fdf1366c9ded3c94db1ae5084e3841"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -764,7 +764,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.15@sha256:f8ea7b3f4003b518c43b12118980d26d1258396f55848af6a64e7a3e7e103c1d"
+    tag: "8.6.17@sha256:27178fc42f2334385f1d206e4e7991d4953a102f114729d186b61c0d40babb4f"
  openxchangeCoreMW:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -774,7 +774,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.36.51@sha256:db069f8e97f15081c6905f1c18fc1dde7a5b7a0caa9e61f80ea98e009339687b"
+    tag: "8.37.69@sha256:dc06c7d9880505ad44ec7892ddf8f379fcd5f106ba1508436501c8f6e94dddb3"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -784,7 +784,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.36.2@sha256:3a718662355f64846fd99f515a325cf0bfe598eb3a2237bdce649bda0ea8f380"
+    tag: "8.37.1@sha256:eb30e03a5976d57a62d00a613336631d46bffc84c0d67e422f062635669f6b62"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -794,7 +794,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.1.1@sha256:1a3e96243353a53e06bf3d90067d7d07de449e8273fa60a043d7ac4a5e6464c3"
+    tag: "2.1.2@sha256:36fe59a047fa466bef6fcdeed1ed8e4bbeaf7824c37c63e3bfe7262cd135cb9e"
  openxchangeCoreUserGuide:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -804,7 +804,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.36.1317070@sha256:7de0ced2a4d3f7ddb4bef3b001ae90e3b4a79d86b61ec5e767fe2d3068021558"
+    tag: "8.37.1354160@sha256:226b210268cd3c9b13a84a2ca1168e1ab08b62e19bccd3129adad7ffca514655"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -814,7 +814,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.36.1706@sha256:6245f13f6f945121d1d224adab24090efbbe41510ee0de22ce0296c1e5059937"
+    tag: "8.37.1818@sha256:d9dc76ac6b24987c1fc0d95ffd81b3d594f7f34aa38a687b98c738bdcd110928"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -844,7 +844,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.36.2042@sha256:ac358a10149901f944ca9a21f66a41f267ac5e33b6cce6d6f92309a44cdc0875"
+    tag: "8.37.2089@sha256:8109351da173fa836d5559973103c8890e6a6e2514866675387bbf4d49606917"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -882,7 +882,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/postfix"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/postfix"
-    tag: "3.0.2@sha256:e65c6a70d2095a839c4337ef5dacefd42781641b7ac4dc202ff111881dae3716"
+    tag: "3.0.3@sha256:12bcebf57ddb53258c48eaa60e9c25b441f4319ee1b94b363c652ad0a992a875"
  postfixBootstrap:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
--- a/helmfile/environments/default/ingress.yaml.gotmpl
+++ b/helmfile/environments/default/ingress.yaml.gotmpl
@@ -12,6 +12,7 @@ ingress:
      collabora: "100M"
      element: "100M"
      nextcloud: "100M"
      notes: "100M"
      openproject: "100M"
      oxAppSuite: "100M"
      xwiki: "100M"
@@ -19,6 +20,7 @@ ingress:
      collabora: 600
      element: 60
      nextcloud: 600
      notes: 60
      openproject: 60
      oxAppSuite: 60
      xwiki: 60
--- a/helmfile/files/theme/portal/stylesheet.css
+++ b/helmfile/files/theme/portal/stylesheet.css
@@ -145,6 +145,13 @@
  color: var(--color-opendesk-white) !important;
 }
 #social-sso-federation-idp {
    margin: 0;
    color: var(--color-opendesk-white);
    background-color: var(--pf-c-button--m-primary--BackgroundColor);
    border-radius: var(--border-radius-interactable, 0.25rem);
 }
 #kc-login:hover,
 #kc-logout:hover,
 #saveTOTPBtn:hover,
Author	SHA1	Message	Date
Thorsten Roßner	4a604f4586	ci(diff-on-branch): Merge doublette `variables` block	2025-06-12 06:53:53 +00:00
rweber	4e655c0752	fix(notes): Support templating of Ingress annotations `bodyTimeout` and `bodySize` to allow application defined upload limits to be reached	2025-06-12 06:49:28 +00:00
rweber	d85bc5e7ae	feat(notes): Update from 2.4.0 to 3.2.1	2025-06-12 06:49:28 +00:00
Thorsten Roßner	0e35ca7dad	ci(diff-on-branch): Update to ensure opendesk-env files are loaded	2025-06-11 15:14:43 +02:00
Thorsten Roßner	dbe088c16c	fix(nubus): Update CSS for login screen to show login button for federated IdP	2025-06-11 11:10:34 +00:00
Viktor Pracht	e50fca6e5a	Chore/openxchange/update 8.37	2025-06-11 11:04:31 +00:00
René Fischer	67dad8606b	docs(README-EE.md): Add link to enterprise_keys.yml.gotmpl	2025-06-11 09:58:29 +00:00
Yannik Schmidt	3183d82e9f	fix(nubus): Explicitly template security context for Keycloak proxy	2025-06-11 10:14:14 +02:00
Timo Hollwedel	42b545291c	fix(nubus): Use read-only root filesystem for Keycloak bootstrap	2025-06-11 10:13:39 +02:00
Thomas Kaltenbrunner	7748f58840	feat(open-xchange): Support for `mailAlternativAddress`(es) for sending and receiving emails	2025-06-06 10:06:46 +02:00
Christophe Bliard	4897d48952	fix(openproject): Update from 16.0.0 to 16.0.1	2025-06-06 07:03:55 +00:00
Thorsten Roßner	7a70cb4bd9	fix(nubus): Create required LDAP objects for `global.additionalMailDomains`	2025-06-06 07:09:01 +02:00
Thorsten Roßner	f1d25fa33b	ci: Add `diff-on-branch` feature	2025-06-05 11:04:56 +02:00
Thorsten Roßner	f7b9ecc5e8	chore(helmfile): Bump images of `opendesk-element-syncadmins`, `opendesk-nextcloud-exporter` and `postfix` to current builds using the gitlab-config v2.4.10 to avoid layer mimetype issues when mirroring images	2025-06-05 07:41:15 +00:00
Thomas Kaltenbrunner	00b763ca6e	fix(dovecot): Enable Dovecot ACL for CE (file) & EE (cassandra)	2025-06-05 05:24:38 +00:00
Viktor Pracht	228811e1b5	fix(open-xchange): Use login name instead of email between OX and Dovecot	2025-06-05 05:24:38 +00:00
Thorsten Roßner	d96d2de695	fix(open-xchange): Update Dovecot CE chart to support ACLs (mailbox sharing) and usernames different from local part of mail address	2025-06-05 05:24:38 +00:00
Viktor Pracht	7cf6fea3bc	fix(open-xchange): Enabled mail login resolver	2025-06-05 05:24:38 +00:00
Viktor Pracht	aed17a67bd	chore(openxchange): Updated OX App Suite to 8.37	2025-06-05 05:24:38 +00:00
Thorsten Roßner	59a40864ed	feat(ci): Update Helm to 3.18.1 and Helmfile to 1.1.1	2025-06-03 07:42:45 +00:00
Markus Kahl	add72669ae	feat(openproject): Update from 15.5.1 to 16.0.0 including Helm chart update	2025-06-03 06:49:58 +00:00
Thorsten Roßner	fe510fa679	chore(helmfile): Post release update of `global.generated.yaml.gotmpl`	2025-06-02 10:10:32 +02:00
Thorsten Roßner	805cdf26ae	chore(release): 1.4.1 [skip ci] ## [1.4.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.4.0...v1.4.1) (2025-06-02) ### Bug Fixes * nextcloud: Update NC CE to 30.0.10 ([`785be8b`](`785be8b662`)) * nextcloud: Update Nextcloud incl. apps to 30.0.10 ([`559fbf6`](`559fbf6801`)) * nubus: Use `.Values.theme.texts.productName` for Keycloak's `loginTitle` instead of static product name string ([`d1a1e5d`](`d1a1e5dc29`)) * open-xchange: Re-adding `com.openexchange.oauth.provider.` to fix central contacts feature ([`561e44f`](`561e44fd4c`)) open-xchange: Set `com.openexchange.hostname` to get working links in outgoing system mails (e.g. task assignments) ([`0d61687`](`0d616871e3`)) * postfix: Require TLSv1.3 ([`3b3d8ac`](`3b3d8aca54`)) * requirements.md: Helm 3.18.x is not supported due to upstream bug ([`1ea9cae`](`1ea9cae1ce`))	2025-06-02 08:01:20 +00:00
Thorsten Roßner	559fbf6801	fix(nextcloud): Update Nextcloud incl. apps to 30.0.10	2025-06-02 07:05:58 +02:00
Thorsten Roßner	561e44fd4c	fix(open-xchange): Re-adding `com.openexchange.oauth.provider.*` to fix central contacts feature	2025-06-02 07:05:58 +02:00
Thomas Kaltenbrunner	0d616871e3	fix(open-xchange): Set `com.openexchange.hostname` to get working links in outgoing system mails (e.g. task assignments)	2025-06-02 07:05:58 +02:00
Thorsten Roßner	b185fe055c	docs(migrations.md): [#188 ] Update to point out requirement for IdP federation configuration	2025-06-02 07:05:58 +02:00
Thorsten Roßner	d1a1e5dc29	fix(nubus): Use `.Values.theme.texts.productName` for Keycloak's `loginTitle` instead of static product name string	2025-06-02 07:05:58 +02:00
Tilman Lüttje	1ea9cae1ce	fix(requirements.md): Helm 3.18.x is not supported due to upstream bug	2025-06-02 07:05:52 +02:00
Thomas Kaltenbrunner	3b3d8aca54	fix(postfix): Require TLSv1.3	2025-05-30 17:02:07 +02:00
Tilman Lüttje	785be8b662	fix(nextcloud): Update NC CE to 30.0.10	2025-05-30 17:01:45 +02:00
Dominik Kaminski	6d06e1fcc2	chore(release): 1.4.0 [skip ci] # [1.4.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.3.2...v1.4.0) (2025-05-20) ### Bug Fixes * docs: Update requirements, bump helmfile to v1.0.0 ([`88b29c5`](`88b29c57e8`)) * dovecot: Encode object storage password and add more template values ([`c40de73`](`c40de73ccf`)) * nubus: [[#182](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/182)] Add `KC_TRUSTSTORE_PATHS` to Keycloak when using self-signed certificates ([`006aed7`](`006aed791e`)) * nubus: [[#183](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/183)] Do not override `nubusPortalConsumer.waitForDependency.image` when using self-signed certificates ([`b45a0bf`](`b45a0bf832`)) * nubus: Update ArgoCD hook annotations ([`f2b1384`](`f2b1384670`)) * open-xchange: Update Open-Xchange to v8.36 ([`b40b863`](`b40b8630c1`)) * open-xchange: Update Open-Xchange to v8.37 ([`174c73c`](`174c73c012`)) * openproject: Update to 15.5.1 ([`e91efa8`](`e91efa8ecc`)) * openxchange: Add proper dav URLs in client onboarding and disable unnecessary oauth section ([`bba2af0`](`bba2af0f06`)) * openxchange: Disable redundant o-x-authentication-oauth package ([`1d2b17b`](`1d2b17b495`)) * openxchange: Enable DAV support ([`709e50f`](`709e50ff7c`)) ### Features * collabora: Update enterprise image to 24.04.13.4.1 ([`b590810`](`b5908100dd`)) * helmfile: Define `global.additionalMailDomains` as list; if you use the setting already, check `migrations.md` for details ([`4b30576`](`4b305768c4`)) * helmfile: Option to select default file format for weboffice using; see `functional.weboffice.defaultFormat` in `functional.yaml.gotmpl` for details ([`5f58a85`](`5f58a857ac`)) * nubus: Update nubus to v1.9.1 ([`3d694a8`](`3d694a8248`))	2025-05-20 00:46:42 +00:00
Justus Holzberger	b9640d9321	chore(docs): Update links, images and tables in docs	2025-05-20 00:05:43 +02:00
Thomas Kaltenbrunner	c40de73ccf	fix(dovecot): Encode object storage password and add more template values	2025-05-20 00:00:55 +02:00
Norbert Tretkowski	3d694a8248	feat(nubus): Update nubus to v1.9.1	2025-05-19 23:57:45 +02:00
renovate	174c73c012	fix(open-xchange): Update Open-Xchange to v8.37	2025-05-19 14:56:20 +02:00