fix(nubus): Do not force recreation of the Keycloak configuration

README.md

@@ -36,7 +36,7 @@ openDesk currently features the following functional main components:
 |----------------------|-----------------------------|----------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
 | Chat & collaboration | Element ft. Nordeck widgets | AGPL-3.0-or-later (Element Web), AGPL-3.0-only (Synapse), Apache-2.0 (Nordeck widgets) | [1.11.89](https://github.com/element-hq/element-web/releases/tag/v1.11.89)                                              | [For the most recent release](https://element.io/user-guide)                                                                          |
 | Collaborative notes  | Notes (aka Docs)            | MIT                                                                                    | [3.2.1](https://github.com/suitenumerique/docs/releases/tag/v3.2.1)                                                     | Online documentation/welcome document available in installed application                                                              |
-| Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                  | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
+| Diagram editor       | CryptPad ft. diagrams.net   | AGPL-3.0-only                                                                          | [2025.6.0](https://github.com/cryptpad/cryptpad/releases/tag/2025.6.0)                                                  | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
 | File management      | Nextcloud                   | AGPL-3.0-or-later                                                                      | [31.0.7](https://nextcloud.com/de/changelog/#31-0-7)                                                                    | [Nextcloud 31](https://docs.nextcloud.com/)                                                                                           |
 | Groupware            | OX App Suite                | GPL-2.0-only (backend), AGPL-3.0-or-later (frontend)                                   | [8.40](https://documentation.open-xchange.com/appsuite/releases/8.40/)                                                  | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | LGPL-2.1-or-later                                                                      | [17.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/17.4.4/)                                          | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |

docs/debugging.md

@@ -218,6 +218,9 @@ kubectl patch -n ${NAMESPACE} configmap ${CONFIGMAP_NAME} --type merge -p '{"dat
 > **Note**<br>
 > Because the `ums-keycloak-extensions-handler` is sending frequent requests (one per second) to Keycloak for retrieval of the Keycloak event history, you might want to stop/remove the deployment while debugging/analysing Keycloak to not get your debug output spammed by these requests.
 
+> **Note**<br>
+> While you can set the standard log levels like `INFO`, `DEBUG`, `TRACE` etc. you can also set class specific logs by comma separating the details in the `KC_LOG_LEVEL` environment variable like e.g. `INFO,org.keycloak.protocol.oidc.endpoints:TRACE`. The example sets the overall loglevel to `INFO` but provides trace logs for `org.keycloak.protocol.oidc.endpoints`.
+
 ### Accessing the Keycloak admin console
 
 Deployments set to `debug.enable: true` expose the Keycloak admin console at `http://id.<your_opendesk_domain>/admin/`. This can also be achieved by updating the Ingress `ums-keycloak-extensions-proxy` with an additional path that allows access to `/admin/`.

docs/migrations.md

@@ -10,9 +10,12 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [v1.7.1+](#v171)
+    * [Pre-upgrade to v1.7.1+](#pre-upgrade-to-v171)
+      * [New Helmfile default: Restricting characters for directory and filenames in fileshare module](#new-helmfile-default-restricting-characters-for-directory-and-filenames-in-fileshare-module)
   * [v1.7.0+](#v170)
     * [Pre-upgrade to v1.7.0+](#pre-upgrade-to-v170)
-    * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
+      * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
       * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
     * [Post-upgrade to v1.7.0+](#post-upgrade-to-v170)
       * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
@@ -127,11 +130,49 @@ If you would like more details about the automated migrations, please read secti
 
 # Manual checks/actions
 
+## v1.7.1+
+
+### Pre-upgrade to v1.7.1+
+
+#### New Helmfile default: Restricting characters for directory and filenames in fileshare module
+
+**Target group:** All openDesk deployments using the fileshare module, as they may already contain files or directories with characters that are now restricted.
+
+openDesk now enforces restrictions on the characters allowed in directory and filenames by explicitly disallowing the following set: `* " | ? ; : \ / ~ < >`
+
+The reason is that desktop clients can not handle all characters due to restrictions in the underlying operating system and therefor syncing these directories and/or files will fail.
+
+This change was introduced because desktop clients cannot reliably handle certain characters due to operating system limitations, causing file synchronization to fail when these characters are present.
+
+For existing deployments, any files or directories containing restricted characters must be renamed before updates within the file or (sub)directory can succeed.
+
+Nextcloud provides tooling for renaming affected files using an [`occ command`](https://docs.nextcloud.com/server/latest/admin_manual/occ_command.html#sanitize-filenames) that can be executed by the operator, the command also supports a dry-run mode.
+
+You can customize the default restriction settings in `functional.yaml.gotmpl`:
+
+```
+functional:
+  filestore:
+    naming:
+      forbiddenChars:
+        - '*'
+        - '"'
+        - '|'
+        - '?'
+        - ';'
+        - ':'
+        - '\'
+        - '/'
+        - '~'
+        - '<'
+        - '>'
+```
+
 ## v1.7.0+
 
 ### Pre-upgrade to v1.7.0+
 
-### Helmfile fix: Ensure enterprise overrides apply when deploying from project root
+#### Helmfile fix: Ensure enterprise overrides apply when deploying from project root
 
 **Target group:** All openDesk Enterprise deployments initiated from the project root using `helmfile_generic.yaml.gotmpl`
 

helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl

@@ -176,8 +176,7 @@ configuration:
     token:
       value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
 
-  # A sane default for windows clients would be: `* " | & ? , ; : \ / ~ < >`
-  forbiddenChars: "* \" | & ? , ; : \\ / ~ < >"
+  forbiddenChars: {{ join " " .Values.functional.filestore.naming.forbiddenChars | quote }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -7,7 +7,6 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 exporter:
-
   additionalAnnotations:
     intents.otterize.com/service-name: "opendesk-nextcloud-exporter"
     {{- with .Values.annotations.nextcloudExporter.additional }}
@@ -59,6 +58,23 @@ exporter:
       {{ .Values.annotations.nextcloudExporter.serviceAccount | toYaml | nindent 6 }}
 
 aio:
+  affinity:
+    podAntiAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 1
+          podAffinityTerm:
+            labelSelector:
+              matchExpressions:
+                - key: "app.kubernetes.io/name"
+                  operator: "In"
+                  values:
+                    - "aio"
+                - key: "app.kubernetes.io/instance"
+                  operator: "In"
+                  values:
+                    - "opendesk-nextcloud"
+            topologyKey: "kubernetes.io/hostname"
+
   additionalAnnotations:
     intents.otterize.com/service-name: "opendesk-nextcloud-aio"
     {{- with .Values.annotations.nextcloudAio.additional }}

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -13,7 +13,7 @@ images:
   nextcloud:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.6.8@sha256:605b560f736f6130e2927472a7379bf758fdf08aaaf20b8e9e816eba8692ab99"
+    tag: "1.6.9@sha256:3d9f2db7d3f38f3ba86d3ad3b46d98e566c18a9545f3ca14fc357b1944b41c5c"
   openxchangeCoreMW:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"

helmfile/environments/default/charts.yaml.gotmpl

@@ -249,7 +249,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "4.4.1"
+    version: "4.4.3"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -259,7 +259,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "4.4.1"
+    version: "4.4.3"
     verify: true
   nextcloudNotifyPush:
     # providerCategory: "Platform"
@@ -269,7 +269,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-notifypush"
-    version: "4.4.1"
+    version: "4.4.3"
     verify: true
   nginx:
     # providerCategory: "Community"

helmfile/environments/default/functional.yaml.gotmpl

@@ -128,6 +128,25 @@ functional:
       enabled: true
 
   filestore:
+    # Settings related to directory and filenames
+    naming:
+      # Disallowed characters for directory and file names.
+      # Some operating systems do not support these characters, preventing affected clients from syncing files.
+      #
+      # Note: After changing the settings below and redeploying Nextcloud, restart the `aio` Pod(s) to
+      # apply the changes.
+      forbiddenChars:
+        - '*'
+        - '"'
+        - '|'
+        - '?'
+        - ';'
+        - ':'
+        - '\'
+        - '/'
+        - '~'
+        - '<'
+        - '>'
     quota:
       # Set the default quota for all users in gigabyte
       default: 1
@@ -190,8 +209,10 @@ functional:
   migration:
     oxAppSuite:
       # Note: Only available in openDesk Enterprise.
-      # Turn on temporary for migration purposes only. Will enable master password auth in OX AppSuite and Dovecot using
-      # `secrets.oxAppSuite.migrationsMasterPassword`.
+      # Note: Turn on temporary for migration purposes only.
+      # Will enable master password auth in Dovecot and add an additional OX App Suite Core Middelware Pod in the
+      # role `migration` that is master password enabled. The Pod is accessible through a ClusterIP.
+      # Master password is defined in `secrets.oxAppSuite.migrationsMasterPassword`.
       enabled: false
 
   portal:

helmfile/environments/default/images.yaml.gotmpl

@@ -63,10 +63,11 @@ images:
     # providerResponsible: "XWiki"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "cryptpad/cryptpad"
-    # upstreamMirrorTagFilterRegEx: '^opendesk-(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^version-(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["2025", "6", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad"
-    tag: "opendesk-20241022@sha256:3e5bf06cb9d0a7ec8257874b8b347599200eb677fc428a2e043ccab06ef2be17"
+    tag: "version-2025.6.0@sha256:7711c08792637534445e6f1e42407149c2568ae0490b83ea36c06ba395389dec"
   dkimpy:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -332,7 +333,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.10.8@sha256:3fdc0b099d2c8343ea404708002e900c1ec74966384db3696948cc3a7a34300a"
+    tag: "2.10.10@sha256:b994d3d1e0664056122dc5275fdf0a4ec7215d9dc5e8b3c030c31a366eda9aa0"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -452,7 +453,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "1", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.16.3@sha256:8b455b329b6364580b7ab85d704c6ac5f025da7b313611b1f7cf66ca07f41c52"
+    tag: "0.17.1@sha256:3a2e39b22401c9800a5ff8538f966985512f3b154db1e6792d3e91b44a82eb90"
   nubusKeycloakExtensionHandler:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"

helmfile/shared/migrations.yaml.gotmpl

@@ -22,7 +22,7 @@ migrations:
   loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   failOnUnexpectedState: true
   environmentDetails:
-    {{ ( omit .Values "theme" ) | toYaml | nindent 4 }}
+    {{ ( omit .Values "theme" "functional" ) | toYaml | nindent 4 }}
   cleanup: false
 
 containerSecurityContext: