fix(openproject): Set HTML title explicitly based on product name

fix(docs): Add GitOps / Argo CD documentation
fix(helmfile): Auto-redirect user to login dialogue, please read migrations.md for more details
2025-12-06 15:31:38 +01:00 · 2024-12-04 13:08:13 +01:00 · 2024-12-04 13:07:57 +01:00 · 2024-12-04 13:07:26 +01:00 · 2024-12-04 13:07:26 +01:00 · 2024-12-04 13:07:26 +01:00
61 changed files with 1094 additions and 468 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -36,17 +36,18 @@ stages:
  - "env-cleanup"
  - "env"
  - "pre-services-deploy"
-  - "migrations-pre"
+  - "010-migrations-pre"
-  - "basic-services-deploy"
+  - "030-services"
-  - "component-deploy-stage-1"
+  - "050-components"
-  - "component-deploy-stage-2"
+  - "060-components"
-  - "migrations-post"
+  - "090-migrations-post"
  - "lint"
  - "tests"
  - "env-stop"
  - ".post"
 variables:
  RELEASE_BRANCH: "main"
  NAMESPACE:
    description: "The name of namespaces to deploy to."
    value: ""
@@ -223,9 +224,6 @@ env-cleanup:
  stage: "env-cleanup"
 env-start:
  environment:
    name: "${NAMESPACE}"
    on_stop: "env-stop"
  extends: ".deploy-common"
  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
  rules:
@@ -236,6 +234,34 @@ env-start:
  script:
    - "echo \"Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster\""
    - "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -"
    - "export FILENAME_CERT_SECRET=cert_to_import.yaml"
    # from self-signed-certificates.md:
    # "Copy this cert's secret into the/each namespace you want to make use of the cert."
    - |
      kubectl get secret opendesk-root-cert-secret -n cert-manager -o yaml | \
        grep -v \ uid\: | \
        grep -v \ resourceVersion\: | \
        grep -v \ creationTimestamp\: | \
        sed --expression 's/namespace\:\ cert-manager/namespace: '"${NAMESPACE}"'/g' \
        >${FILENAME_CERT_SECRET} || true
    - |
      if [ -s ${FILENAME_CERT_SECRET} ]; then
        echo "Applying ${FILENAME_CERT_SECRET}"
        kubectl apply -f ${FILENAME_CERT_SECRET}
      fi
    # from self-signed-certificates.md:
    # "Create issuer in the/each namespace you want to make use of the cert."
    - |
      kubectl apply -f - <<EOF
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: "selfsigned-issuer"
        namespace: ${NAMESPACE}
      spec:
        ca:
          secretName: opendesk-root-cert-secret
      EOF
  stage: "env"
 policies-deploy:
@@ -252,7 +278,7 @@ policies-deploy:
    ADDITIONAL_ARGS: "-l name=opendesk-otterize"
 migrations-pre:
-  stage: "migrations-pre"
+  stage: "010-migrations-pre"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -264,7 +290,7 @@ migrations-pre:
    COMPONENT: "migrations-pre"
 migrations-post:
-  stage: "migrations-post"
+  stage: "090-migrations-post"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -276,7 +302,7 @@ migrations-post:
    COMPONENT: "migrations-post"
 services-deploy:
-  stage: "basic-services-deploy"
+  stage: "030-services"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -288,7 +314,7 @@ services-deploy:
    COMPONENT: "services"
 nubus-deploy:
-  stage: "component-deploy-stage-1"
+  stage: "050-components"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -300,7 +326,7 @@ nubus-deploy:
    COMPONENT: "nubus"
 ox-deploy:
-  stage: "component-deploy-stage-1"
+  stage: "050-components"
  extends: ".deploy-common"
  timeout: "30m"
  rules:
@@ -313,7 +339,7 @@ ox-deploy:
    COMPONENT: "open-xchange"
 xwiki-deploy:
-  stage: "component-deploy-stage-1"
+  stage: "050-components"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -325,7 +351,7 @@ xwiki-deploy:
    COMPONENT: "xwiki"
 collabora-deploy:
-  stage: "component-deploy-stage-1"
+  stage: "050-components"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -337,7 +363,7 @@ collabora-deploy:
    COMPONENT: "collabora"
 cryptpad-deploy:
-  stage: "component-deploy-stage-1"
+  stage: "050-components"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -349,7 +375,7 @@ cryptpad-deploy:
    COMPONENT: "cryptpad"
 nextcloud-deploy:
-  stage: "component-deploy-stage-1"
+  stage: "050-components"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -361,7 +387,7 @@ nextcloud-deploy:
    COMPONENT: "nextcloud"
 openproject-deploy:
-  stage: "component-deploy-stage-1"
+  stage: "050-components"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -373,7 +399,7 @@ openproject-deploy:
    COMPONENT: "openproject"
 openproject-bootstrap-deploy:
-  stage: "component-deploy-stage-2"
+  stage: "060-components"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -385,7 +411,7 @@ openproject-bootstrap-deploy:
    COMPONENT: "openproject-bootstrap"
 jitsi-deploy:
-  stage: "component-deploy-stage-1"
+  stage: "050-components"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -397,7 +423,7 @@ jitsi-deploy:
    COMPONENT: "jitsi"
 element-deploy:
-  stage: "component-deploy-stage-1"
+  stage: "050-components"
  extends: ".deploy-common"
  rules:
    - if: >
@@ -408,25 +434,6 @@ element-deploy:
  variables:
    COMPONENT: "element"
 env-stop:
  extends: ".deploy-common"
  environment:
    name: "${NAMESPACE}"
    action: "stop"
  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
  needs: []
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" && $NAMESPACE =~ /.+/
      when: "manual"
  script:
    - "echo 'We do not stop the env (delete the namespace) at the moment in this stage, as deleting a branches also
      triggers this env-stop stage and we do not want this to happen.'"
    # - kubectl delete namespace "${NAMESPACE}"
  stage: "env-stop"
  variables:
    GIT_STRATEGY: "none"
 .ums-default-password: &ums-default-password
  - |
    DEFAULT_ADMINISTRATOR_PASSWORD=$(
@@ -472,9 +479,6 @@ run-tests:
          \"screenshot_redirect_step\": \"yes\", \
          \"testset\": \"${TESTS_TESTSET}\", \
          \"testprofile\": \"Namespace\", \
          \"gitlab_functional_yaml\": \"https://gitlab.opencode.de/api/v4/projects/1317/repository/files/helmfile%2Fenvironments%2Fdefault%2Ffunctional.yaml?ref=develop\", \
          \"gitlab_env_namespace_template\": \"https://gitlab.opencode.de/api/v4/projects/1564/repository/files/environments%2F{operator}%2F{cluster}%2F{namespace}.yaml.gotmpl?ref=main\", \
          \"gitlab_default_env_namespace\": \"values\", \
          \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\" \
        } \
      }" \
@@ -486,7 +490,7 @@ avscan-prepare:
  rules:
    - if: >
          $JOB_AVSCAN_ENABLED != 'false' &&
-          $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+          $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
          $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "always"
    - when: "never"
@@ -536,7 +540,7 @@ avscan-start:
  rules:
    - if: >
        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "always"
    - when: "never"
@@ -582,7 +586,7 @@ generate-release-version:
  rules:
    - if: >
        $JOB_RELEASE_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "on_success"
@@ -590,7 +594,7 @@ release:
  rules:
    - if: >
        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
+        $CI_COMMIT_BRANCH == $RELEASE_BRANCH &&
        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "on_success"
  script:
@@ -618,7 +622,7 @@ release:
    - |
      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
      {
-        "branches": ["main"],
+        "branches": ["${RELEASE_BRANCH}"],
        "plugins": [
          "@semantic-release/gitlab",
          "@semantic-release/release-notes-generator",
--- a/.gitlab/generate/generate-docs.yml
+++ b/.gitlab/generate/generate-docs.yml
@@ -13,7 +13,7 @@ generate-docs:
  extends: ".generate-common"
  image: "${OPENDESK_CI_CLI_IMAGE}"
  rules:
-    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $RELEASE_BRANCH"
      when: "on_success"
  script:
    - "node /app/src/index.js generate-docs -d ${CI_PROJECT_DIR}"
--- a/README.md
+++ b/README.md
@@ -31,13 +31,13 @@ openDesk currently features the following functional main components:
 | -------------------- | --------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.67](https://github.com/element-hq/element-desktop/releases/tag/v1.11.67)        | [For the most recent release](https://element.io/user-guide)                                                                         |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                         |
-| File management      | Nextcloud                   | [29.0.7](https://nextcloud.com/de/changelog/#29-0-7)                                  | [Nextcloud 29](https://docs.nextcloud.com/)                                                                                         |
+| File management      | Nextcloud                   | [29.0.8](https://nextcloud.com/de/changelog/#29-0-8)                                  | [Nextcloud 29](https://docs.nextcloud.com/)                                                                                         |
-| Groupware            | OX App Suite                | [8.28](https://documentation.open-xchange.com/appsuite/releases/8.28/)                | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Groupware            | OX App Suite                | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/)                | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                    |
 | Portal & IAM         | Nubus                       | [1.0](https://www.univention.de/produkte/nubus/)                                      | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                            |
-| Project management   | OpenProject                 | [14.6.1](https://www.openproject.org/docs/release-notes/14-6-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                          |
+| Project management   | OpenProject                 | [15.0.2](https://www.openproject.org/docs/release-notes/15-0-2/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                          |
-| Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                           |
+| Videoconferencing    | Jitsi                       | [2.0.9823](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9823) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                           |
-| Weboffice            | Collabora                   | [24.04.7.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)       |
+| Weboffice            | Collabora                   | [24.04.9.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)       |
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/docs/components.md
+++ b/docs/components.md
@@ -27,28 +27,28 @@ openDesk consists of a variety of open-source projects. Here is a list with the
 Components of type `Eval` are used for development and evaluation purposes only,
 they need to be replaced in production deployments.
-| Component                   | Description                    | Type       |
+| Component            | Description                    | Type       |
-|-----------------------------|--------------------------------|------------|
+| -------------------- | ------------------------------ | ---------- |
-| Certificates                | TLS certificates               | Eval       |
+| Certificates         | TLS certificates               | Eval       |
-| ClamAV (Distributed)        | Antivirus engine               | Eval       |
+| ClamAV (Distributed) | Antivirus engine               | Eval       |
-| ClamAV (Simple)             | Antivirus engine               | Eval       |
+| ClamAV (Simple)      | Antivirus engine               | Eval       |
-| Collabora                   | Weboffice                      | Functional |
+| Collabora            | Weboffice                      | Functional |
-| CryptPad                    | Weboffice                      | Functional |
+| CryptPad             | Weboffice                      | Functional |
-| dkimpy-milter               | DKIM milter for Postfix        | Eval       |
+| dkimpy-milter        | DKIM milter for Postfix        | Eval       |
-| Element                     | Secure communications platform | Functional |
+| Element              | Secure communications platform | Functional |
-| Jitsi                       | Videoconferencing              | Functional |
+| Jitsi                | Videoconferencing              | Functional |
-| MariaDB                     | Database                       | Eval       |
+| MariaDB              | Database                       | Eval       |
-| Memcached                   | Cache Database                 | Eval       |
+| Memcached            | Cache Database                 | Eval       |
-| MinIO                       | Object Storage                 | Eval       |
+| MinIO                | Object Storage                 | Eval       |
-| Nextcloud                   | File share                     | Functional |
+| Nextcloud            | File share                     | Functional |
-| Nubus (UMS)                 | Identity Management & Portal   | Functional |
+| Nubus (UMS)          | Identity Management & Portal   | Functional |
-| OpenProject                 | Project management             | Functional |
+| OpenProject          | Project management             | Functional |
-| OX Appsuite                 | Groupware                      | Functional |
+| OX App Suite         | Groupware                      | Functional |
-| OX Dovecot                  | Mail backend (IMAP)            | Functional |
+| OX Dovecot           | Mail backend (IMAP)            | Functional |
-| Postfix                     | MTA                            | Eval       |
+| Postfix              | MTA                            | Eval       |
-| PostgreSQL                  | Database                       | Eval       |
+| PostgreSQL           | Database                       | Eval       |
-| Redis                       | Cache Database                 | Eval       |
+| Redis                | Cache Database                 | Eval       |
-| XWiki                       | Knowledge Management           | Functional |
+| XWiki                | Knowledge Management           | Functional |
 # Component integration
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -201,3 +201,6 @@ kubectl patch -n ${NAMESPACE} configmap ${CONFIGMAP_NAME} --type merge -p '{"dat
 ```
 2. Restart the Keycloak Pod(s).
 > **Note**<br>
 > As the `ums-keycloak-extensions-handler` is performing frequent (one per second) requests to Keycloak for retrieval of the Keycloak event history, you might want to stop/remove the deployment while debugging/analysing Keycloak to not get your debug output spammed by these requests.
--- a/docs/enhanced-configuration.md
+++ b/docs/enhanced-configuration.md
@@ -13,4 +13,5 @@ The following enhanced configuration use cases are described in separate documen
 - [Federation with external identity provider](./enhanced-configuration/idp-federation.md)
 - [Matrix federation](./enhanced-configuration/matrix-federation.md)
 - [Groupware migration from M365 to openDesk](./enhanced-configuration/groupware-migration.md)
- [Self-signed certificate and custom Certificate Authority (CA)](enhanced-configuration/self-signed-certificates.md)
+- [Self-signed certificate and custom Certificate Authority (CA)](./enhanced-configuration/self-signed-certificates.md)
 - [GitOps deployments using Argo CD](./enhanced-configuration/gitops.md)
--- a/docs/enhanced-configuration/gitops.md
+++ b/docs/enhanced-configuration/gitops.md
@@ -0,0 +1,55 @@
 <!--
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>GitOps Deployment</h1>
 <!-- TOC -->
 * [Considerations](#considerations)
 * [ArgoCD](#argocd)
  * [Option 1: Use YAML manifests](#option-1-use-yaml-manifests)
  * [Option 2: Helmfile plugin](#option-2-helmfile-plugin)
 <!-- TOC -->
 The recommended deployment method for openDesk is via Helmfile. This can be done "by hand", via CI/CD (Gitlab) or using
 the [GitOps](https://about.gitlab.com/topics/gitops/) approach with tools like [Argo CD](https://argoproj.github.io/cd/).
 This documentation will use Argo CD to explain how to deploy openDesk GitOps-style.
 # Considerations
 - openDesk consists of multiple applications which have to be deployed in order.
 - During upgrades, migrations have to run before and after applications.
 # ArgoCD
 We are continuously improving our Argo CD support, please share you experience with Argo CD deployments e.g. by [creating
 at ticket](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/issues).
 There are two options to deploy openDesk via Argo CD described in the following sections.
 ## Option 1: Use YAML manifests
 This option requires a preprocessing step before using Argo CD. This step requires you to compile the Helmfile based
 deployment into Kubernetes YAML manifest, to do so you need to execute the helmfile binary:
 ```shell
 helmfile template > opendesk.yaml
 ```
 References:
 - [Helmfile CLI documentation](https://helmfile.readthedocs.io/en/latest/#cli-reference)
 - [Generate K8s YAML Manifests for openDesk](https://gitlab.opencode.de/bmi/opendesk/deployment/options/generate-k8s-yaml-manifests)
 Afterwards, you can use the resulting manifests within an standard Argo CD workflow.
 ## Option 2: Helmfile plugin
 It is possible to deploy openDesk via Argo CD with community developed
 [Helmfile plugin](https://github.com/travisghansen/argo-cd-helmfile).
 You can find an example for this approach in the
 [Argo CD Deployments](https://gitlab.opencode.de/bmi/opendesk/deployment/options/argocd-deploy) repository.
 It contains an example Helm chart (`opendesk-parent`) to create Argo CD Applications via a Helm chart (`opendesk`)
 according to `app of apps pattern` and is using sync waves to follow dependencies.
--- a/docs/enhanced-configuration/groupware-migration.md
+++ b/docs/enhanced-configuration/groupware-migration.md
@@ -6,7 +6,6 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Migration from M365 with audriga migration service and master authentication</h1>
 <!-- TOC -->
 * [Context](#context)
 * [Prerequisites](#prerequisites)
  * [Prepare M365 tenant for access](#prepare-m365-tenant-for-access)
  * [Provisioning user accounts in openDesk](#provisioning-user-accounts-in-opendesk)
@@ -75,18 +74,18 @@ With openDesk 1.0 Enterprise, you can set openDesk's email components (OX AppSui
 ```
 secrets:
-  oxAppsuite:
+  oxAppSuite:
    adminPassword: "your_temporary_master_password"
 functional:
  migration:
-    oxAppsuite:
+    oxAppSuite:
      enabled: true
 ```
 1. You must specify the master password referenced in the document's following sections.
 2. You need to enable the actual master authentication mode.
-Updating your deployment with these settings will allow you to continue with the migration scenario. Once the migration is completed, you can remove `secrets.oxAppsuite.adminPassword` and need to turn off the migration mode by setting `functional.migration.oxAppsuite.enabled` to `false` or removing that setting, as `false` is the default before you update your deployment once again.
+Updating your deployment with these settings will allow you to continue with the migration scenario. Once the migration is completed, you can remove `secrets.oxAppSuite.adminPassword` and need to turn off the migration mode by setting `functional.migration.oxAppSuite.enabled` to `false` or removing that setting, as `false` is the default before you update your deployment once again.
 > **Note**<br>
 > For the changes to take effect, it is sufficient to deploy the `open-xchange` component.
--- a/docs/enhanced-configuration/idp-federation.md
+++ b/docs/enhanced-configuration/idp-federation.md
@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 <!-- TOC -->
 * [Context](#context)
 * [References](#references)
 * [Prerequisites](#prerequisites)
  * [User accounts](#user-accounts)
  * [External IdP with OIDC](#external-idp-with-oidc)
@@ -24,6 +25,15 @@ Most organizations already have an Identity and Access Management (IAM) system w
 This document shows how to configure your organization's IdP and the openDesk IdP to support account federation with openDesk single sign-on based on your organization's login.
 # References
 We would like to list successful IdP federation scenarios, so we are also happy about input from the community:
 | External IdP                                                        | last openDesk version tested |
 | ------------------------------------------------------------------- | ---------------------------- |
 | [EU Login](https://webgate.ec.europa.eu/cas/userdata/myAccount.cgi) | v0.9.0                       |
 | [ProConnect](https://www.proconnect.gouv.fr/)                       | v0.9.0                       |
 # Prerequisites
 ## User accounts
--- a/docs/enhanced-configuration/self-signed-certificates.md
+++ b/docs/enhanced-configuration/self-signed-certificates.md
@@ -6,10 +6,10 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Self-signed certificate and custom Certificate Authority (CA)</h1>
 <!-- TOC -->
 * [Use case](#use-case)
 * [Configuration](#configuration)
  * [Option 1: Bring Your Own Certificate](#option-1-bring-your-own-certificate)
-  * [Option 2: Use cert-manager.io](#option-2-use-cert-managerio)
+  * [Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate](#option-2a-use-cert-managerio-with-auto-generated-namespace-based-root-certificate)
  * [Option 2b: Use cert-manager.io with pre-defined/shared root-certificate](#option-2b-use-cert-managerio-with-pre-definedshared-root-certificate)
 <!-- TOC -->
 Deploying openDesk into an environment with custom public key infrastructure (PKI) that is usually not part of
@@ -48,10 +48,10 @@ CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.j
 1. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
 trust store password.
-## Option 2: Use cert-manager.io
+## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate
 This option is useful, when you do not have a trusted certificate available and can't fetch a certificate from
-Let’s Encrypt.
+Let’s Encrypt. It will result in a cert-manager managed root certificate in the namespace you deploy openDesk into.
 1. Create self-signed cert-manager.io Cluster Issuer:
    ```yaml
@@ -70,3 +70,38 @@ Let’s Encrypt.
        name: "selfsigned-issuer"
      selfSigned: true
    ```
 ## Option 2b: Use cert-manager.io with pre-defined/shared root-certificate
 Use this approach if you like to use a pre-created CA root certificate that can be "shared" (as copy) between
 multiple namespaces in a cluster.
 1. Create self-signed cert-manager.io Cluster Issuer root certificate the same was as in *Option 2a*.
 1. Create the root certificate for the previously created CA, in the example it is placed into the namespace `cert-manager`.
    ```yaml
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: opendesk-root
      namespace: cert-manager
    spec:
      isCA: true
      commonName: opendesk.eu
      secretName: opendesk-root-cert-secret
      subject:
        organizations: [ "openDesk cluster root certificate organization" ]
      privateKey:
        algorithm: ECDSA
        size: 256
      issuerRef:
        name: selfsigned-issuer
        kind: ClusterIssuer
        group: cert-manager.io
    ```
 1. Copy this cert's secret into the/each namespace you want to make use of the cert.
 1. Create issuer in the/each namespace you want to make use of the cert.
 The latter two steps are part of the `env-start:` section within [`.gitlab-ci.yml`](../../.gitlab-ci.yml).
--- a/docs/external-services.md
+++ b/docs/external-services.md
@@ -18,59 +18,59 @@ This document will cover the additional configuration for external services like
 When deploying this suite to production, you need to configure the applications to use your production-grade database
 service.
-| Component   | Name               | Type       | Parameter | Key                                      | Default                    |
+| Component    | Name               | Type       | Parameter | Key                                      | Default                    |
-|-------------|--------------------|------------|-----------|------------------------------------------|----------------------------|
+| ------------ | ------------------ | ---------- | --------- | ---------------------------------------- | -------------------------- |
-| Element     | Synapse            | PostgreSQL |           |                                          |                            |
+| Element      | Synapse            | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.synapse.name` | `matrix` |
+|              |                    |            | Name      | `databases.synapse.name`                 | `matrix`                   |
-|             |                    |            | Host      | `databases.synapse.host` | `postgresql` |
+|              |                    |            | Host      | `databases.synapse.host`                 | `postgresql`               |
-|             |                    |            | Port      | `databases.synapse.port` | `5432` |
+|              |                    |            | Port      | `databases.synapse.port`                 | `5432`                     |
-|             |                    |            | Username  | `databases.synapse.username` | `matrix_user` |
+|              |                    |            | Username  | `databases.synapse.username`             | `matrix_user`              |
-|             |                    |            | Password  | `databases.synapse.password` |                            |
+|              |                    |            | Password  | `databases.synapse.password`             |                            |
-| Keycloak    | Keycloak           | PostgreSQL |           |                                          |                            |
+| Keycloak     | Keycloak           | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.keycloak.name` | `keycloak` |
+|              |                    |            | Name      | `databases.keycloak.name`                | `keycloak`                 |
-|             |                    |            | Host      | `databases.keycloak.host` | `postgresql` |
+|              |                    |            | Host      | `databases.keycloak.host`                | `postgresql`               |
-|             |                    |            | Port      | `databases.keycloak.port` | `5432` |
+|              |                    |            | Port      | `databases.keycloak.port`                | `5432`                     |
-|             |                    |            | Username  | `databases.keycloak.username` | `keycloak_user` |
+|              |                    |            | Username  | `databases.keycloak.username`            | `keycloak_user`            |
-|             |                    |            | Password  | `databases.keycloak.password` |                            |
+|              |                    |            | Password  | `databases.keycloak.password`            |                            |
-|             | Keycloak Extension | PostgreSQL |           |                                          |                            |
+|              | Keycloak Extension | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.keycloakExtension.name` | `keycloak_extensions` |
+|              |                    |            | Name      | `databases.keycloakExtension.name`       | `keycloak_extensions`      |
-|             |                    |            | Host      | `databases.keycloakExtension.host` | `postgresql` |
+|              |                    |            | Host      | `databases.keycloakExtension.host`       | `postgresql`               |
-|             |                    |            | Port      | `databases.keycloakExtension.port` | `5432` |
+|              |                    |            | Port      | `databases.keycloakExtension.port`       | `5432`                     |
-|             |                    |            | Username  | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
+|              |                    |            | Username  | `databases.keycloakExtension.username`   | `keycloak_extensions_user` |
-|             |                    |            | Password  | `databases.keycloakExtension.password` |                            |
+|              |                    |            | Password  | `databases.keycloakExtension.password`   |                            |
-| UMS         | Notifications API  | PostgreSQL |           |                                          |                            |
+| UMS          | Notifications API  | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.umsNotificationsApi.name` | `notificationsapi` |
+|              |                    |            | Name      | `databases.umsNotificationsApi.name`     | `notificationsapi`         |
-|             |                    |            | Host      | `databases.umsNotificationsApi.host` | `postgresql` |
+|              |                    |            | Host      | `databases.umsNotificationsApi.host`     | `postgresql`               |
-|             |                    |            | Port      | `databases.umsNotificationsApi.port` | `5432` |
+|              |                    |            | Port      | `databases.umsNotificationsApi.port`     | `5432`                     |
-|             |                    |            | Username  | `databases.umsNotificationsApi.username` | `notificationsapi_user` |
+|              |                    |            | Username  | `databases.umsNotificationsApi.username` | `notificationsapi_user`    |
-|             |                    |            | Password  | `databases.umsNotificationsApi.password` |                            |
+|              |                    |            | Password  | `databases.umsNotificationsApi.password` |                            |
-|             | Self Service       | PostgreSQL |           |                                          |                            |
+|              | Self Service       | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.umsSelfservice.name` | `selfservice` |
+|              |                    |            | Name      | `databases.umsSelfservice.name`          | `selfservice`              |
-|             |                    |            | Host      | `databases.umsSelfservice.host` | `postgresql` |
+|              |                    |            | Host      | `databases.umsSelfservice.host`          | `postgresql`               |
-|             |                    |            | Port      | `databases.umsSelfservice.port` | `5432` |
+|              |                    |            | Port      | `databases.umsSelfservice.port`          | `5432`                     |
-|             |                    |            | Username  | `databases.umsSelfservice.username` | `selfservice_user` |
+|              |                    |            | Username  | `databases.umsSelfservice.username`      | `selfservice_user`         |
-|             |                    |            | Password  | `databases.umsSelfservice.password` |                            |
+|              |                    |            | Password  | `databases.umsSelfservice.password`      |                            |
-| Nextcloud   | Nextcloud          | MariaDB    |           |                                          |                            |
+| Nextcloud    | Nextcloud          | MariaDB    |           |                                          |                            |
-|             |                    |            | Name      | `databases.nextcloud.name` | `nextcloud` |
+|              |                    |            | Name      | `databases.nextcloud.name`               | `nextcloud`                |
-|             |                    |            | Host      | `databases.nextcloud.host` | `mariadb` |
+|              |                    |            | Host      | `databases.nextcloud.host`               | `mariadb`                  |
-|             |                    |            | Username  | `databases.nextcloud.username` | `nextcloud_user` |
+|              |                    |            | Username  | `databases.nextcloud.username`           | `nextcloud_user`           |
-|             |                    |            | Password  | `databases.nextcloud.password` |                            |
+|              |                    |            | Password  | `databases.nextcloud.password`           |                            |
-| OpenProject | OpenProject        | PostgreSQL |           |                                          |                            |
+| OpenProject  | OpenProject        | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.openproject.name` | `openproject` |
+|              |                    |            | Name      | `databases.openproject.name`             | `openproject`              |
-|             |                    |            | Host      | `databases.openproject.host` | `postgresql` |
+|              |                    |            | Host      | `databases.openproject.host`             | `postgresql`               |
-|             |                    |            | Port      | `databases.openproject.port` | `5432` |
+|              |                    |            | Port      | `databases.openproject.port`             | `5432`                     |
-|             |                    |            | Username  | `databases.openproject.username` | `openproject_user` |
+|              |                    |            | Username  | `databases.openproject.username`         | `openproject_user`         |
-|             |                    |            | Password  | `databases.openproject.password` |                            |
+|              |                    |            | Password  | `databases.openproject.password`         |                            |
-| OX Appsuite | OX Appsuite        | MariaDB    |           |                                          |                            |
+| OX App Suite | OX App Suite       | MariaDB    |           |                                          |                            |
-|             |                    |            | Name      | `databases.oxAppsuite.name` | `CONFIGDB` |
+|              |                    |            | Name      | `databases.oxAppSuite.name`              | `CONFIGDB`                 |
-|             |                    |            | Host      | `databases.oxAppsuite.host` | `mariadb` |
+|              |                    |            | Host      | `databases.oxAppSuite.host`              | `mariadb`                  |
-|             |                    |            | Username  | `databases.oxAppsuite.username` | `root` |
+|              |                    |            | Username  | `databases.oxAppSuite.username`          | `root`                     |
-|             |                    |            | Password  | `databases.oxAppsuite.password` |                            |
+|              |                    |            | Password  | `databases.oxAppSuite.password`          |                            |
-| XWiki       | XWiki              | MariaDB    |           |                                          |                            |
+| XWiki        | XWiki              | MariaDB    |           |                                          |                            |
-|             |                    |            | Name      | `databases.xwiki.name` | `xwiki` |
+|              |                    |            | Name      | `databases.xwiki.name`                   | `xwiki`                    |
-|             |                    |            | Host      | `databases.xwiki.host` | `mariadb` |
+|              |                    |            | Host      | `databases.xwiki.host`                   | `mariadb`                  |
-|             |                    |            | Username  | `databases.xwiki.username` | `xwiki_user` |
+|              |                    |            | Username  | `databases.xwiki.username`               | `xwiki_user`               |
-|             |                    |            | Password  | `databases.xwiki.password` |                            |
+|              |                    |            | Password  | `databases.xwiki.password`               |                            |
 # Object storage
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -59,34 +59,34 @@ For the following guide, we will use `dev` as environment where variables can be
 The deployment is designed to deploy each application/service under a dedicated subdomain.
 For your convenience, we recommend creating a `*.domain.tld` A-Record to your cluster ingress controller; otherwise, you must create an A-Record for each subdomain.
-| Record name                   | Type | Value                                              | Additional information                                           |
+| Record name                   | Type | Value                                              | Additional information                                           |
-|-------------------------------|------|----------------------------------------------------|------------------------------------------------------------------|
+| ----------------------------- | ---- | -------------------------------------------------- | ---------------------------------------------------------------- |
-| *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                  |
+| *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                  |
-| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                  |
+| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                  |
-| mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
+| mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
-| mail.domain.tld               | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
+| mail.domain.tld               | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
-| domain.tld                    | MX   | `10 mail.domain.tld` |                                                                  |
+| domain.tld                    | MX   | `10 mail.domain.tld`                               |                                                                  |
-| domain.tld                    | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all` | Optional, use proper MTA record if present                       |
+| domain.tld                    | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                       |
-| _dmarc.domain.tld             | TXT  | `v=DMARC1; p=quarantine` | Optional                                                         |
+| _dmarc.domain.tld             | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                         |
-| default._domainkey.domain.tld | TXT  | `v=DKIM1; k=rsa; h=sha256; ...` | Optional DKIM settings                                           |
+| default._domainkey.domain.tld | TXT  | `v=DKIM1; k=rsa; h=sha256; ...`                    | Optional DKIM settings                                           |
 ## Domain
-A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
+A list of all subdomains can be found in `helmfile/environments/default/global.gotmpl`.
 All subdomains can be customized. For example, _Nextcloud_ can be changed to `files.domain.tld` in `dev` environment:
 ```yaml
 global:
-  hosts:
+  hosts:
-    nextcloud: "files"
+    nextcloud: "files"
 ```
 The domain has to be set either via `dev` environment
 ```yaml
 global:
-  domain: "domain.tld"
+  domain: "domain.tld"
 ```
 or via environment variable
@@ -97,35 +97,37 @@ export DOMAIN=domain.tld
 ### Apps
-All available apps and their default value are in `helmfile/environments/default/workplace.yaml`.
+All available apps and their default value are in `helmfile/environments/default/opendesk_main.gotmpl`.
-| Component            | Name                        | Default | Description                    |
+| Component            | Name                        | Default | Description                    |
 | -------------------- | --------------------------- | ------- | ------------------------------ |
-| Certificates         | `certificates.enabled` | `true` | TLS certificates               |
+| Certificates         | `certificates.enabled`      | `true`  | TLS certificates               |
-| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine               |
+| ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine               |
-| ClamAV (Simple)      | `clamavSimple.enabled` | `true` | Antivirus engine               |
+| ClamAV (Simple)      | `clamavSimple.enabled`      | `true`  | Antivirus engine               |
-| Collabora            | `collabora.enabled` | `true` | Weboffice                      |
+| Collabora            | `collabora.enabled`         | `true`  | Weboffice                      |
-| CryptPad             | `cryptpad.enabled` | `true` | Weboffice                      |
+| CryptPad             | `cryptpad.enabled`          | `true`  | Weboffice                      |
-| Dovecot              | `dovecot.enabled` | `true` | Mail backend                   |
+| dkimpy               | `dkimpy.enabled`            | `false` | Postfix milter for DKIM        |
-| Element              | `element.enabled` | `true` | Secure communications platform |
+| Dovecot              | `dovecot.enabled`           | `true`  | Mail backend                   |
-| Jitsi                | `jitsi.enabled` | `true` | Videoconferencing              |
+| Element              | `element.enabled`           | `true`  | Secure communications platform |
-| MariaDB              | `mariadb.enabled` | `true` | Database                       |
+| Home                 | `home.enabled`              | `true`  | Base domain portal redirect    |
-| Memcached            | `memcached.enabled` | `true` | Cache Database                 |
+| Jitsi                | `jitsi.enabled`             | `true`  | Videoconferencing              |
-| MinIO                | `minio.enabled` | `true` | Object Storage                 |
+| MariaDB              | `mariadb.enabled`           | `true`  | Database                       |
-| Nextcloud            | `nextcloud.enabled` | `true` | File share                     |
+| Memcached            | `memcached.enabled`         | `true`  | Cache Database                 |
-| Nubus                | `nubus.enabled` | `true` | Identity Management & Portal   |
+| MinIO                | `minio.enabled`             | `true`  | Object Storage                 |
-| OpenProject          | `openproject.enabled` | `true` | Project management             |
+| Nextcloud            | `nextcloud.enabled`         | `true`  | File share                     |
-| OX Appsuite          | `oxAppsuite.enabled` | `true` | Groupware                      |
+| Nubus                | `nubus.enabled`             | `true`  | Identity Management & Portal   |
-| Postfix              | `postfix.enabled` | `true` | MTA                            |
+| OpenProject          | `openproject.enabled`       | `true`  | Project management             |
-| PostgreSQL           | `postgresql.enabled` | `true` | Database                       |
+| OX App Suite         | `oxAppSuite.enabled`        | `true`  | Groupware                      |
-| Redis                | `redis.enabled` | `true` | Cache Database                 |
+| Postfix              | `postfix.enabled`           | `true`  | MTA                            |
-| XWiki                | `xwiki.enabled` | `true` | Knowledge management           |
+| PostgreSQL           | `postgresql.enabled`        | `true`  | Database                       |
 | Redis                | `redis.enabled`             | `true`  | Cache Database                 |
 | XWiki                | `xwiki.enabled`             | `true`  | Knowledge management           |
 Exemplary, Jitsi can be disabled like:
 ```yaml
 jitsi:
-  enabled: false
+  enabled: false
 ```
 ## Private registries
@@ -145,7 +147,7 @@ prefer the use of a private image registry, you can configure such for
 ```yaml
 global:
-  imageRegistry: "my_private_registry.domain.tld"
+  imageRegistry: "my_private_registry.domain.tld"
 ```
 alternatively, you can use an environment variable:
@@ -158,16 +160,16 @@ or control repository override fine-granular per registry:
 ```yaml
 repositories:
-  image:
+  image:
-    dockerHub: "my_private_registry.domain.tld/docker.io/"
+    dockerHub: "my_private_registry.domain.tld/docker.io/"
-    registryOpencodeDe: "my_private_registry.domain.tld/registry.opencode.de/"
+    registryOpencodeDe: "my_private_registry.domain.tld/registry.opencode.de/"
 ```
 If authentication is required, you can reference `imagePullSecrets` as follows:
 ```yaml
 global:
-  imagePullSecrets:
+  imagePullSecrets:
    - "external-registry"
 ```
@@ -182,8 +184,8 @@ used:
 ```yaml
 cluster:
-  service:
+  service:
-    type: "NodePort"
+    type: "NodePort"
 ```
 ### Networking
@@ -192,16 +194,16 @@ If your cluster has not the default `cluster.local` domain configured, you need
 ```yaml
 cluster:
-  networking:
+  networking:
-    domain: "acme.internal"
+    domain: "acme.internal"
 ```
 If your cluster has not the default `10.0.0.0/8` CIDR configured, you need to provide the CIDR via the following:
 ```yaml
 cluster:
-  networking:
+  networking:
-    cidr:
+    cidr:
      - "127.0.0.0/8"
 ```
@@ -210,8 +212,8 @@ explicitly configure the related IPs or IP ranges:
 ```yaml
 cluster:
-  networking:
+  networking:
-    incomingCIDR:
+    incomingCIDR:
      - "172.16.0.0/12"
 ```
@@ -223,7 +225,7 @@ setting the following attribute to the name of the currently only supported ingr
 ```yaml
 ingress:
-  ingressClassName: "name-of-my-nginx-ingress"
+  ingressClassName: "name-of-my-nginx-ingress"
 ```
 ### Container runtime
@@ -233,30 +235,32 @@ Some apps require specific configurations for the container runtime. You can set
 ```yaml
 cluster:
-  container:
+  container:
-    engine: "containerd"
+    engine: "containerd"
 ```
 ### Volumes
-
+The **StorageClass** must be set by:
 When your cluster has a `ReadWriteMany` volume provisioner, you can benefit from the distribution or scaling of apps. By
 default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set:
 ```yaml
 cluster:
   persistence:
     readWriteMany: true
 ```
 The **StorageClass** can be set by:
 ```yaml
 persistence:
-  storageClassNames:
+  storageClassNames:
-    RWX: "my-read-write-many-class"
+    RWX: "my-read-write-many-class"
-    RWO: "my-read-write-once-class"
+    RWO: "my-read-write-once-class"
 ```
 `RWX` is optional and requires that your cluster has a `ReadWriteMany` volume provisioner. If you can make use
 of it it benefits the distribution or scaling of apps. By default, only `ReadWriteOnce` is enabled.
 To enable `ReadWriteMany` you have to set:
 ```yaml
 cluster:
  persistence:
    readWriteMany: true
 ```
 ## Connectivity
 ### Ports
@@ -267,22 +271,22 @@ persistence:
 To use the openDesk functionality with its web-based user interface, you need to expose the following ports publicly:
-| Component          | Description             |  Port | Type |
+| Component          | Description             |  Port | Type |
 | ------------------ | ----------------------- | ----: | ---: |
-| openDesk           | Kubernetes Ingress      |    80 |  TCP |
+| openDesk           | Kubernetes Ingress      |    80 |  TCP |
-| openDesk           | Kubernetes Ingress      |   443 |  TCP |
+| openDesk           | Kubernetes Ingress      |   443 |  TCP |
-| Jitsi Video Bridge | ICE Port for video data | 10000 |  UDP |
+| Jitsi Video Bridge | ICE Port for video data | 10000 |  UDP |
 #### Mail clients
 To connect with mail clients like [Thunderbird](https://www.thunderbird.net/), the following ports need public exposure:
-| Component          | Description             |  Port | Type |
+| Component          | Description             |  Port | Type |
 | ------------------ | ----------------------- | ----: | ---: |
-| Dovecot            | IMAPS                   |   993 |  TCP |
+| Dovecot            | IMAPS                   |   993 |  TCP |
-|                    | POP3S                   |   995 |  TCP |
+|                    | POP3S                   |   995 |  TCP |
-| Postfix            | SMTP                    |    25 |  TCP |
+| Postfix            | SMTP                    |    25 |  TCP |
-|                    | SMTPS                   |   587 |  TCP |
+|                    | SMTPS                   |   587 |  TCP |
 ### Mail/SMTP configuration
@@ -291,9 +295,9 @@ the whole subdomain.
 ```yaml
 smtp:
-  host: "mail.open.desk"
+  host: "mail.open.desk"
-  username: "openDesk"
+  username: "openDesk"
-  password: "secret"
+  password: "secret"
 ```
 Enabling DKIM signing of emails helps to reduce spam and increases trust.
@@ -301,12 +305,12 @@ openDesk ships dkimpy-milter as Postfix milter for signing emails.
 ```yaml
 dkimpy:
-  enable: true
+  enable: true
-  dkim:
+  dkim:
-    key:
+    key:
-      value: "HzZs08QF1O7UiAkcM9T3U7rePPECtSFvWZIvyKqdg8E="
+      value: "HzZs08QF1O7UiAkcM9T3U7rePPECtSFvWZIvyKqdg8E="
-    selector: "default"
+    selector: "default"
-    useED25519: true # when false, RSA is used
+    useED25519: true # when false, RSA is used
 ```
 ### TURN configuration
@@ -316,14 +320,14 @@ these options:
 ```yaml
 turn:
-  transport: "udp" # or tcp
+  transport: "udp" # or tcp
-  credentials: "secret"
+  credentials: "secret"
-  server:
+  server:
-    host: "turn.open.desk"
+    host: "turn.open.desk"
-    port: "3478"
+    port: "3478"
-  tls:
+  tls:
-    host: "turns.open.desk"
+    host: "turns.open.desk"
-    port: "5349"
+    port: "5349"
 ```
 ### Certificate issuer
@@ -334,7 +338,7 @@ turn off `Certificate` resource creation by:
 ```yaml
 certificates:
-  enabled: false
+  enabled: false
 ```
 If you want to leverage the `cert-manager.io` to handle certificates, like `Let's encrypt`, you need to provide the
@@ -342,15 +346,15 @@ configured cluster issuer:
 ```yaml
 certificate:
-  issuerRef:
+  issuerRef:
-    name: "letsencrypt-prod"
+    name: "letsencrypt-prod"
 ```
 Additionally, it is possible to request wildcard certificates by:
 ```yaml
 certificate:
-  wildcard: true
+  wildcard: true
 ```
 ## Password seed
@@ -419,12 +423,12 @@ openDesk deploys with the standard user account `Administrator`, which password
 NAMESPACE=your-namespace
 # Get password for IAM "Administrator" account
-kubectl -n ${NAMESPACE} secret ums-nubus-credentials -o jsonpath='{.data.administrator_password}' | base64 -d
+kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.administrator_password}' | base64 -d
 ```
 In openDesk Community Edition, you get two more default accounts:
- `default.admin`: `kubectl -n ${NAMESPACE} secret ums-nubus-credentials -o jsonpath='{.data.admin_password}' | base64 -d`
+- `default.admin`: `kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.admin_password}' | base64 -d`
- `default.user`: `kubectl -n ${NAMESPACE} secret ums-nubus-credentials -o jsonpath='{.data.user_password}' | base64 -d`
+- `default.user`: `kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.user_password}' | base64 -d`
 ## Using from external repository
@@ -456,7 +460,7 @@ NAMESPACE=your-namespace
 # Uninstall all Helm charts
 for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
-  helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
+  helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
 done
 # Delete leftover resources
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -9,6 +9,12 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [openDesk supported upgrade path](#opendesk-supported-upgrade-path)
 * [Releases upgrade details](#releases-upgrade-details)
  * [From v1.0.0](#from-v100)
    * [Pre-upgrade: Manual checks/steps](#pre-upgrade-manual-checkssteps)
      * [New default enforces login](#new-default-enforces-login)
      * [Streamlining `openxchange` and `oxAppSuite` attribute names](#streamlining-openxchange-and-oxappsuite-attribute-names)
      * [Dicts to define `customization.release`](#dicts-to-define-customizationrelease)
      * [Redis 7.4](#redis-74)
  * [From v0.9.0](#from-v090)
    * [Pre-upgrade: Manual steps](#pre-upgrade-manual-steps)
      * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
@@ -54,11 +60,117 @@ Explanation of the table's columns:
 | Coming from   | Mandatory (minimum) release | Automatic migration                                                                                                                                           | Manual activities             |
 | ------------- | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- |
 | v0.9.0        | v1.x.x                      | [run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_2.py) | See [From v0.9.0](#from-v090) |
-| v0.8.1        | v0.9.0                      | Initializes migration system                                                                                                                                  | See [From v0.8.1](#from-v081)     |
+| v0.8.1        | v0.9.0                      | Initializes migration system                                                                                                                                  | See [From v0.8.1](#from-v081) |
 | not supported | v0.8.1                      | First release that supporting updates                                                                                                                         |                               |
 # Releases upgrade details
 ## From v1.0.0
 ### Pre-upgrade: Manual checks/steps
 #### New default enforces login
 Users accessing the openDesk portal are now automatically redirected to the login screen as a default.
 In case you want to keep the previous behavior you need to set the following `functional` flag:
 ```yaml
 functional:
  portal:
    enforceLogin: false
 ```
 #### Streamlining `openxchange` and `oxAppSuite` attribute names
 We have updated some attribute names around Open-Xchange / OX App Suite to be consistent within our Helmfile
 deployment and to aligning with the actual brand names as well as with our rule of thumb for brand based
 attribute names[^1].
 In case you are using any of the customizations below (`WAS`), please update as shown (`NOW`):
 ```
 WAS: oxAppsuite: ...
 NOW: oxAppSuite: ...
 ```
 ```
 WAS: cache.oxAppsuite: ...
 NOW: cache.oxAppSuite: ...
 ```
 ```
 WAS: charts.openXchangeAppSuite: ...
 NOW: charts.oxAppSuite: ...
 ```
 ```
 WAS: charts.openXchangeAppSuiteBootstrap: ...
 NOW: charts.oxAppSuiteBootstrap: ...
 ```
 ```
 WAS: customization.release.openXchange: ...
 NOW: customization.release.openxchange: ...
 ```
 ```
 WAS: customization.release.opendeskOpenXchangeBootstrap: ...
 NOW: customization.release.opendeskOpenxchangeBootstrap: ...
 ```
 ```
 WAS: databases.oxAppsuite: ...
 NOW: databases.oxAppSuite: ...
 ```
 ```
 WAS: ingress.parameters.openXchangeAppSuite: ...
 NOW: ingress.parameters.oxAppSuite: ...
 ```
 ```
 WAS: ingress.bodyTimeout.openXchangeAppSuite: ...
 NOW: ingress.bodyTimeout.oxAppSuite: ...
 ```
 ```
 WAS: migration.oxAppsuite: ...
 NOW: migration.oxAppSuite: ...
 ```
 ```
 WAS: secrets.oxAppsuite: ...
 NOW: secrets.oxAppSuite: ...
 ```
 #### Dicts to define `customization.release`
 If you make use of the `customization.release` option, you have to switch to a dictionary based definition of customization files e.g. from
 ```yaml
 customization:
  release:
    collaboraOnline: "./my_custom_templating.yaml"
 ```
 to
 ```yaml
 customization:
  release:
    collaboraOnline:
      file1: "./my_custom_templating.yaml"
 ```
 You can freely choose the `file1` dictionary key used in the example above, but it should start with a letter.
 #### Redis 7.4
 The update from openDesk 1.0.0 contains Redis 7.4.1, like the other openDesk bundled services the bundled Redis is as well not meant to be used in production.
 Please ensure for the Redis you are using that it is updated to at least 7.4 to support the requirement of OX App Suite.
 ## From v0.9.0
 ### Pre-upgrade: Manual steps
@@ -311,3 +423,6 @@ When a new upgrade migration is required, ensure to address the following list:
 - You most likely have to update the [`opendesk-migrations` Helm chart](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations) within the `rules` section of the [`role.yaml`](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/main/charts/opendesk-migrations/templates/role.yaml) to provide the permissions required for the execution of your migration's logic.
 - You must set the runner's ID you want to execute in the [migrations.yaml.gotmpl](../helmfile/shared/migrations.yaml.gotmpl). See also the `migrations.*` section of [the Helm chart's README.md](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/main/charts/opendesk-migrations/README.md).
 - Update the [`charts.yaml`](../helmfile/environments/default/charts.yaml) and [`images.yaml`](../helmfile/environments/default/images.yaml) to reflect the newer releases of the `opendesk-migrations` Helm chart and container image.
 [^1]: We do not follow a brand name's specific spelling when it comes to upper and lower case and only use new word
 uppercase when names consist of multiple, space divided words.
--- a/docs/monitoring.md
+++ b/docs/monitoring.md
@@ -46,7 +46,10 @@ prometheus:
 # Alerts
-Some Helm charts provide a default set of prometheusRules for alerting; enable it by:
+openDesk ships with a set of Prometheus alerting rules that are specific to the operation of openDesk.
 Some of these are created by our partners while others are defined in [opendesk-alerts](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-alerts).
 All alert rules are deployed as [PrometheusRule](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.PrometheusRule) and can be enabled like this:
 ```yaml
 prometheus:
--- a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
@@ -18,10 +18,12 @@ releases:
    version: "{{ .Values.charts.collabora.version }}"
    values:
      - "values.yaml.gotmpl"
-      - {{ .Values.customization.release.collaboraOnline | default "additionalValues: false" }}
+      {{ range .Values.customization.release.collaboraOnline }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.collabora.enabled }}
 commonLabels:
-  deploy-stage: "component-1"
+  deployStage: "050-components"
  component: "collabora"
 ...
--- a/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
@@ -18,10 +18,12 @@ releases:
    version: "{{ .Values.charts.cryptpad.version }}"
    values:
      - "values.yaml.gotmpl"
-      - {{ .Values.customization.release.cryptpad | default "additionalValues: false" }}
+      {{ range .Values.customization.release.cryptpad }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.cryptpad.enabled }}
 commonLabels:
-  deploy-stage: "component-1"
+  deployStage: "050-components"
  component: "cryptpad"
 ...
--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -80,12 +80,20 @@ repositories:
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
 releases:
  # During upgrade 1.0.0 -> 1.1.0 the chart 'opendesk-element' has been moved to 'opendesk-element-web'
  - name: "opendesk-element"
    chart: "element-repo/{{ .Values.charts.element.name }}"
    version: "{{ .Values.charts.element.version }}"
    installed: false
  - name: "opendesk-element-web"
    chart: "element-repo/{{ .Values.charts.elementWeb.name }}"
    version: "{{ .Values.charts.elementWeb.version }}"
    values:
      - "values-element.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskElement | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskElement }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -94,7 +102,9 @@ releases:
    version: "{{ .Values.charts.elementWellKnown.version }}"
    values:
      - "values-well-known.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskWellKnown | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskWellKnown }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -103,7 +113,9 @@ releases:
    version: "{{ .Values.charts.synapseWeb.version }}"
    values:
      - "values-synapse-web.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskSynapseWeb | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskSynapseWeb }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -112,7 +124,9 @@ releases:
    version: "{{ .Values.charts.synapse.version }}"
    values:
      - "values-synapse.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskSynapse | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskSynapse }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -173,6 +187,6 @@ releases:
    timeout: 900
 commonLabels:
-  deploy-stage: "component-1"
+  deployStage: "050-components"
  component: "element"
 ...
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -27,9 +27,26 @@ configuration:
  database:
    host: {{ .Values.databases.synapse.host | quote }}
    port: {{ .Values.databases.synapse.port }}
    name: {{ .Values.databases.synapse.name | quote }}
    user: {{ .Values.databases.synapse.username | quote }}
-    password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
+    password:
      value: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
    requireAuth: {{ .Values.databases.synapse.requireAuth }}
    channelBinding: {{ .Values.databases.synapse.channelBinding | quote }}
    connectTimeout: {{ .Values.databases.synapse.connectTimeout }}
    clientEncoding: {{ .Values.databases.synapse.clientEncoding | quote }}
    keepalives: {{ .Values.databases.synapse.keepalives }}
    keepalivesIdle: {{ .Values.databases.synapse.keepalivesIdle }}
    keepalivesInterval: {{ .Values.databases.synapse.keepalivesInterval }}
    keepalivesCount: {{ .Values.databases.synapse.keepalivesCount }}
    replication: {{ .Values.databases.synapse.replication }}
    gssencmode: {{ .Values.databases.synapse.gssencmode | quote }}
    sslmode: {{ .Values.databases.synapse.sslmode | quote }}
    sslcompression: {{ .Values.databases.synapse.sslcompression }}
    sslMinProtocolVersion: {{ .Values.databases.synapse.sslMinProtocolVersion | quote }}
    connectionPoolMin: {{ .Values.databases.synapse.connectionPoolMin }}
    connectionPoolMax: {{ .Values.databases.synapse.connectionPoolMax }}
  homeserver:
    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
@@ -43,8 +60,8 @@ configuration:
              regex: "@.*"
        url: null
        sender_localpart: intercom-service
-      - as_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
+      - as_token: {{ .Values.secrets.oxAppSuite.synapseAsToken | quote }}
-        hs_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.oxAppSuite.synapseAsToken | quote }}
        id: ox-appsuite
        namespaces:
          users:
--- a/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
@@ -18,11 +18,13 @@ releases:
    version: "{{ .Values.charts.jitsi.version }}"
    values:
      - "values-jitsi.yaml.gotmpl"
-      - {{ .Values.customization.release.jitsi | default "additionalValues: false" }}
+      {{ range .Values.customization.release.jitsi }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.jitsi.enabled }}
    timeout: 900
 commonLabels:
-  deploy-stage: "component-1"
+  deployStage: "050-components"
  component: "jitsi"
 ...
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -57,7 +57,8 @@ image:
  tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}
 settings:
-  jwtAppSecret: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
+  jwtAppSecret:
    value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
  keycloakRealm: {{ .Values.platform.realm | quote }}
  keycloakClientId: "opendesk-jitsi"
@@ -175,6 +176,10 @@ jitsi:
        {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    # The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since
    # upstream charts v1.4.0 a value for `publicIPs` is required. We set a dummy value as we anyway update it
    # later with the `patchJVB` job.
    publicIPs: [ 0.0.0.0 ]
    image:
      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jvb.registry }}/{{ .Values.images.jvb.repository }}"
      tag: {{ .Values.images.jvb.tag | quote }}
--- a/helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl
@@ -21,11 +21,13 @@ releases:
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
-      - {{ .Values.customization.release.migrationsPost | default "additionalValues: false" }}
+      {{ range .Values.customization.release.migrationsPost }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.migrations.enabled }}
    timeout: 900
 commonLabels:
-  deploy-stage: "component-0"
+  deployStage: "090-migrations-post"
-  component: "opendesk-migrations"
+  component: "migrations-post"
 ...
--- a/helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl
@@ -21,11 +21,13 @@ releases:
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
-      - {{ .Values.customization.release.migrationsPre | default "additionalValues: false" }}
+      {{ range .Values.customization.release.migrationsPre }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.migrations.enabled }}
    timeout: 900
 commonLabels:
-  deploy-stage: "component-0"
+  deployStage: "010-migrations-pre"
-  component: "opendesk-migrations"
+  component: "migrations-pre"
 ...
--- a/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
@@ -25,7 +25,9 @@ releases:
    version: "{{ .Values.charts.nextcloudManagement.version }}"
    values:
      - "values-nextcloud-mgmt.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskNextcloudManagement | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskNextcloudManagement }}
      - {{ . }}
      {{ end }}
    waitForJobs: true
    wait: true
    installed: {{ .Values.nextcloud.enabled }}
@@ -35,12 +37,14 @@ releases:
    version: "{{ .Values.charts.nextcloud.version }}"
    values:
      - "values-nextcloud.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskNextcloud | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskNextcloud }}
      - {{ . }}
      {{ end }}
    needs:
      - "opendesk-nextcloud-management"
    installed: {{ .Values.nextcloud.enabled }}
 commonLabels:
-  deploy-stage: "component-1"
+  deployStage: "050-components"
  component: "nextcloud"
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -19,34 +19,44 @@ cleanup:
 configuration:
  administrator:
    # The admin user is (currently) required to bootstrap the OpenProject <> Nextcloud integration.
    enabled: true
    username:
      value: "nextcloud"
    password:
      value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
  antivirus:
    {{- if .Values.antivirus.icap.host }}
    host: {{ .Values.antivirus.icap.host | quote }}
    port: {{ .Values.antivirus.icap.port | quote }}
    {{- else }}
    {{- if .Values.clamavDistributed.enabled }}
    host: "clamav-icap"
    {{- else if .Values.clamavSimple.enabled }}
    host: "clamav-simple"
    {{- end }}
    port: 1344
    {{- end }}
  cache:
    auth:
      enabled: true
      username:
-        value: "default"
+        value: {{ .Values.cache.nextcloud.username }}
      password:
        value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
    host: {{ .Values.cache.nextcloud.host | quote }}
    port: {{ .Values.cache.nextcloud.port | quote }}
    tls: {{ .Values.cache.nextcloud.tls }}
  collabora:
    # internalWopiUrl: ""
    wopiAllowlist: {{ join ", " ( concat .Values.cluster.networking.cidr .Values.cluster.networking.incomingCIDR ) | quote }}
  database:
    host: {{ .Values.databases.nextcloud.host | quote }}
    port: {{ .Values.databases.nextcloud.port | quote }}
    name: {{ .Values.databases.nextcloud.name | quote }}
    auth:
      username:
-        value: "nextcloud_user"
+        value: {{ .Values.databases.nextcloud.username | quote }}
      password:
        value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
  ldap:
@@ -89,6 +99,7 @@ configuration:
    defaultExternalExpireEnabled: {{ .Values.functional.filestore.sharing.external.expiry.activeByDefault }}
    defaultExternalExpireEnforced: {{ .Values.functional.filestore.sharing.external.expiry.enforced }}
    defaultExternalExpireDays: {{ .Values.functional.filestore.sharing.external.expiry.defaultDays | quote }}
    sendPasswordMail: {{ .Values.functional.filestore.sharing.external.sendPasswordMail | quote }}
  smtp:
    auth:
      enabled: false
@@ -131,6 +142,7 @@ podSecurityContext:
 debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
  bootstrap: {{ .Values.debug.enabled }}
 {{- if .Values.certificate.selfSigned }}
 extraEnvVars:
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -55,17 +55,19 @@ aio:
      auth:
        enabled: true
        username:
-          value: "default"
+          value: {{ .Values.cache.nextcloud.username }}
        password:
          value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
      host: {{ .Values.cache.nextcloud.host | quote }}
      port: {{ .Values.cache.nextcloud.port | quote }}
      tls: {{ .Values.cache.nextcloud.tls }}
    database:
      host: {{ .Values.databases.nextcloud.host | quote }}
      port: {{ .Values.databases.nextcloud.port | quote }}
      name: {{ .Values.databases.nextcloud.name | quote }}
      auth:
        username:
-          value: "nextcloud_user"
+          value: {{ .Values.databases.nextcloud.username | quote }}
        password:
          value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
    trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -28,6 +28,14 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
  # NGINX S3 Gateway Chart
  - name: "nginx-s3-gateway-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nginxS3Gateway.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginxS3Gateway.registry }}/{{ .Values.charts.nginxS3Gateway.repository }}"
 releases:
  # Univention Management Stack Umbrella Chart
@@ -38,7 +46,9 @@ releases:
      - "values-nubus.yaml.gotmpl"
      - "values-opendesk-customization.yaml.gotmpl"
      - "values-opendesk-images.yaml.gotmpl"
-      - {{ .Values.customization.release.ums | default "additionalValues: false" }}
+      {{ range .Values.customization.release.ums }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.nubus.enabled }}
    timeout: 900
  # Intercom-Service
@@ -47,7 +57,9 @@ releases:
    version: "{{ .Values.charts.intercomService.version }}"
    values:
      - "values-intercom-service.yaml.gotmpl"
-      - {{ .Values.customization.release.intercomService | default "additionalValues: false" }}
+      {{ range .Values.customization.release.intercomService }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.nubus.enabled }}
  # openDesk Keycloak Bootstrap Chart
@@ -56,13 +68,27 @@ releases:
    version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
    values:
      - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskKeycloakBootstrap | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskKeycloakBootstrap }}
      - {{ . }}
      {{ end }}
    needs:
      - "ums"
    installed: {{ .Values.nubus.enabled }}
    timeout: 900
  # NGINX S3 Gateway (when cluster minio is not used)
  - name: "nubus"
    chart: "nginx-s3-gateway-repo/{{ .Values.charts.nginxS3Gateway.name }}"
    version: "{{ .Values.charts.nginxS3Gateway.version }}"
    values:
      - "values-nginx-s3-gateway.yaml.gotmpl"
      {{ range .Values.customization.release.nginxS3Gateway }}
      - {{ . }}
      {{ end }}
    installed: {{ not .Values.minio.enabled }}
    timeout: 900
 commonLabels:
-  deploy-stage: "component-1"
+  deployStage: "050-components"
  component: "nubus"
 ...
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -32,10 +32,15 @@ extraVolumeMounts:
  - name: "trusted-cert-secret-volume"
    mountPath: "/etc/ssl/certs/ca-certificates.crt"
    subPath: "ca-certificates.crt"
 {{- end }}
 extraEnvVars:
  - name: "REDIS_USER"
    value: {{ .Values.cache.intercomService.username }}
  {{- if .Values.certificate.selfSigned }}
  - name: "NODE_EXTRA_CA_CERTS"
    value: "/etc/ssl/certs/ca-certificates.crt"
-{{- end }}
+  {{- end }}
 global:
  domain: {{ .Values.global.domain | quote }}
--- a/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
@@ -0,0 +1,39 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nginxS3Gateway.registry | quote }}
  repository: {{ .Values.images.nginxS3Gateway.repository | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.nginxS3Gateway.tag | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  host: "{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: "/portal-assets/icons/$2/$3"
    nginx.ingress.kubernetes.io/use-regex: "true"
  path: "/univention/(portal|selfservice)/icons/(logos|entries)/(.*)$"
  tls:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 configuration:
  bucket: {{ .Values.objectstores.nubus.bucket | quote }}
  endpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  port: 443
  region: {{ .Values.objectstores.nubus.region | quote }}
  style: "path"
  credentials:
    accessKey:
      value: {{ .Values.objectstores.nubus.username | quote }}
    secretKey:
      value: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
 resources:
  {{ .Values.resources.nginxS3Gateway | toYaml | nindent 2 }}
 replicaCount: {{ .Values.replicas.nginxS3Gateway }}
 ...
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -144,6 +144,10 @@ global:
            groups: __DELETE_KEY__
 ingress:
  # temporary fix
  {{- if not .Values.minio.enabled }}
  enabled: false
  {{- end }}
  certManager:
    enabled: false
  tls:
@@ -333,7 +337,7 @@ nubusPortalConsumer:
  enabled: true
  portalConsumer:
    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
-    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
  provisioningApi:
    auth:
@@ -341,7 +345,7 @@ nubusPortalConsumer:
 nubusPortalServer:
  portalServer:
-    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    objectStorageEndpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
    objectStorageCredentialSecret:
      name: "ums-portal-server-minio-opendesk-credentials"
@@ -397,6 +401,7 @@ nubusStackDataUms:
  templateContext:
    # creates the default.user and default.admin
    loadDevData: true
    portalEnforceLogin: {{ .Values.functional.portal.enforceLogin }}
    portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
    portalTiles: {{ toYaml .Values.theme.imagery.portalTiles | nindent 6 }}
    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
--- a/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
@@ -15,22 +15,22 @@ repositories:
  # Open-Xchange
  - name: "open-xchange-repo"
    keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
-    verify: {{ .Values.charts.openXchangeAppSuite.verify }}
+    verify: {{ .Values.charts.oxAppSuite.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuite.registry }}/{{ .Values.charts.oxAppSuite.repository }}"
  # openDesk Open-Xchange Bootstrap
  # Source:
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
  - name: "open-xchange-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
+    verify: {{ .Values.charts.oxAppSuiteBootstrap.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxAppSuiteBootstrap.registry }}/{{ .Values.charts.oxAppSuiteBootstrap.repository }}"
  # OX Connector
  - name: "ox-connector-repo"
@@ -45,27 +45,33 @@ releases:
    version: "{{ .Values.charts.dovecot.version }}"
    values:
      - "values-dovecot.yaml.gotmpl"
-      - {{ .Values.customization.release.dovecot | default "additionalValues: false" }}
+      {{ range .Values.customization.release.dovecot }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.dovecot.enabled }}
    timeout: 900
  - name: "open-xchange"
-    chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}"
+    chart: "open-xchange-repo/{{ .Values.charts.oxAppSuite.name }}"
-    version: "{{ .Values.charts.openXchangeAppSuite.version }}"
+    version: "{{ .Values.charts.oxAppSuite.version }}"
    values:
      - "values-openxchange.yaml.gotmpl"
      - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
-      - {{ .Values.customization.release.openXchange | default "additionalValues: false" }}
+      {{ range .Values.customization.release.openxchange }}
-    installed: {{ .Values.oxAppsuite.enabled }}
+      - {{ . }}
      {{ end }}
    installed: {{ .Values.oxAppSuite.enabled }}
    timeout: 900
  - name: "opendesk-open-xchange-bootstrap"
-    chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}"
+    chart: "open-xchange-bootstrap-repo/{{ .Values.charts.oxAppSuiteBootstrap.name }}"
-    version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
+    version: "{{ .Values.charts.oxAppSuiteBootstrap.version }}"
    values:
      - "values-openxchange-bootstrap.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskOpenXchangeBootstrap | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskOpenxchangeBootstrap }}
-    installed: {{ .Values.oxAppsuite.enabled }}
+      - {{ . }}
      {{ end }}
    installed: {{ .Values.oxAppSuite.enabled }}
    timeout: 900
  - name: "ox-connector"
@@ -73,12 +79,14 @@ releases:
    version: "{{ .Values.charts.oxConnector.version }}"
    values:
      - "values-oxconnector.yaml.gotmpl"
-      - {{ .Values.customization.release.oxConnector | default "additionalValues: false" }}
+      {{ range .Values.customization.release.oxConnector }}
-    installed: {{ .Values.oxAppsuite.enabled }}
+      - {{ . }}
      {{ end }}
    installed: {{ .Values.oxAppSuite.enabled }}
    needs:
      - "open-xchange"
 commonLabels:
-  deploy-stage: "component-1"
+  deployStage: "050-components"
  component: "open-xchange"
 ...
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -17,8 +17,8 @@ dovecot:
  mailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
  password: {{ .Values.secrets.dovecot.doveadm | quote }}
  migration:
-    enabled: {{ .Values.functional.migration.oxAppsuite.enabled }}
+    enabled: {{ .Values.functional.migration.oxAppSuite.enabled }}
-    masterPassword: {{ .Values.secrets.oxAppsuite.migrationsMasterPassword | quote }}
+    masterPassword: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
  ldap:
    enabled: true
    host: {{ .Values.ldap.host | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -7,16 +7,16 @@ SPDX-License-Identifier: Apache-2.0
 global:
  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
  appsuite:
-    cookieHashSalt: {{ .Values.secrets.oxAppsuite.cookieHashSalt }}
+    cookieHashSalt: {{ .Values.secrets.oxAppSuite.cookieHashSalt }}
-    shareCryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey }}
+    shareCryptKey: {{ .Values.secrets.oxAppSuite.shareCryptKey }}
-    sessiondEncryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey }}
+    sessiondEncryptionKey: {{ .Values.secrets.oxAppSuite.sessiondEncryptionKey }}
  mysql:
-    host: {{ .Values.databases.oxAppsuite.host | quote }}
+    host: {{ .Values.databases.oxAppSuite.host | quote }}
-    database: {{ .Values.databases.oxAppsuite.name | quote }}
+    database: {{ .Values.databases.oxAppSuite.name | quote }}
    auth:
-      user: {{ .Values.databases.oxAppsuite.username | quote }}
+      user: {{ .Values.databases.oxAppSuite.username | quote }}
-      password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
+      password: {{ .Values.databases.oxAppSuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
-      rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
+      rootPassword: {{ .Values.databases.oxAppSuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 nextcloud-integration-ui:
  image:
@@ -105,9 +105,9 @@ appsuite:
    routes:
      http-api-routes-appsuite-api:
        annotations:
-          nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.openXchangeAppSuite }}"
+          nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.oxAppSuite }}"
-          nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.openXchangeAppSuite }}"
+          nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.oxAppSuite }}"
-          nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.openXchangeAppSuite }}"
+          nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.oxAppSuite }}"
      trailslash:
        enabled: false
  core-mw:
@@ -119,13 +119,13 @@ appsuite:
        oidcLogin: true
        oidcPath: "/oidc"
    masterAdmin: "admin"
-    masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
+    masterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
    hzGroupName: "hzgroup"
-    hzGroupPassword: {{ .Values.secrets.oxAppsuite.hzGroupPassword | quote }}
+    hzGroupPassword: {{ .Values.secrets.oxAppSuite.hzGroupPassword | quote }}
    basicAuthLogin: "oxlogin"
-    basicAuthPassword: {{ .Values.secrets.oxAppsuite.basicAuthPassword | quote }}
+    basicAuthPassword: {{ .Values.secrets.oxAppSuite.basicAuthPassword | quote }}
    jolokiaLogin: "jolokia"
-    jolokiaPassword: {{ .Values.secrets.oxAppsuite.jolokiaPassword | quote }}
+    jolokiaPassword: {{ .Values.secrets.oxAppSuite.jolokiaPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    podAnnotations: {}
    serviceAccount:
@@ -174,7 +174,7 @@ appsuite:
          chown open-xchange:open-xchange /opt/open-xchange/guard-files
    packages:
      status:
-        {{- if .Values.functional.migration.oxAppsuite.enabled }}
+        {{- if .Values.functional.migration.oxAppSuite.enabled }}
        open-xchange-authentication-masterpassword: "enabled"
        open-xchange-authentication-ldap: "disabled"
        open-xchange-authentication-oauth: "disabled"
@@ -185,6 +185,10 @@ appsuite:
        open-xchange-authentication-oauth: "enabled"
        open-xchange-authentication-ldap: "disabled"
        {{- end }}
        # OX Documents (office-web) is not used in openDesk
        open-xchange-documents-backend: "disabled"
        open-xchange-documents-monitoring: "disabled"
        open-xchange-documents-templates: "disabled"
    properties:
      com.openexchange.UIWebPath: "/appsuite/"
      com.openexchange.showAdmin: "false"
@@ -297,7 +301,7 @@ appsuite:
    {{- if .Values.certificate.selfSigned }}
    extraEnv:
    - name: "JAVA_OPTS_APPEND"
-      value: {{ printf "%s %s=%s" "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks -Djavax.net.ssl.trustStoreType=jks" "-Djavax.net.ssl.trustStorePassword" (.Values.secrets.certificates.password | quote) | quote }}
+      value: {{ printf "%s %s=%s" "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks -Djavax.net.ssl.trustStoreType=jks" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
    extraVolumes:
      - name: "trusted-cert-secret-volume"
        secret:
@@ -312,13 +316,13 @@ appsuite:
        mountPath: "/etc/ssl/certs/"
    {{- end }}
    secretProperties:
-      com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
+      com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppSuite.cookieHashSalt | quote }}
-      com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
+      com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppSuite.sessiondEncryptionKey | quote }}
-      com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
+      com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppSuite.shareCryptKey | quote }}
-      com.openexchange.conference.element.authToken: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
+      com.openexchange.conference.element.authToken: {{ .Values.secrets.oxAppSuite.synapseAsToken | quote }}
    propertiesFiles:
      /opt/open-xchange/etc/masterpassword-authentication.properties:
-        com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppsuite.migrationsMasterPassword | quote }}
+        com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
      /opt/open-xchange/etc/AdminDaemon.properties:
        MASTER_ACCOUNT_OVERRIDE: "true"
      /opt/open-xchange/etc/AdminUser.properties:
@@ -332,12 +336,17 @@ appsuite:
        bindOnly: "false"
      /opt/open-xchange/etc/antivirus.properties:
        com.openexchange.antivirus.enabled: "true"
        {{- if .Values.antivirus.icap.host }}
        com.openexchange.antivirus.server: {{ .Values.antivirus.icap.host | quote }}
        com.openexchange.antivirus.port: {{ .Values.antivirus.icap.port | quote }}
        {{- else }}
        {{- if .Values.clamavDistributed.enabled }}
        com.openexchange.antivirus.server: "clamav-icap"
        {{- else if .Values.clamavSimple.enabled }}
        com.openexchange.antivirus.server: "clamav-simple"
        {{- end }}
        com.openexchange.antivirus.port: "1344"
        {{- end }}
        com.openexchange.antivirus.maxFileSize: "1024"
    uiSettings:
      io.ox.nextcloud//server: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
@@ -383,16 +392,17 @@ appsuite:
      # MC+base64(20 random bytes)
      # RC+base64(20 random bytes)
      oxguardpass: |
-        {{ .Values.secrets.oxAppsuite.oxguardMC }}
+        {{ .Values.secrets.oxAppSuite.oxguardMC }}
-        {{ .Values.secrets.oxAppsuite.oxguardRC }}
+        {{ .Values.secrets.oxAppSuite.oxguardRC }}
    redis: &redisConfiguration
      enabled: true
      mode: "standalone"
      hosts:
-        - "redis-master:6379"
+        - {{ printf "%s:%v" .Values.cache.oxAppSuite.host .Values.cache.oxAppSuite.port | quote }}
      auth:
        enabled: true
-        password: {{ .Values.secrets.redis.password | quote }}
+        username: {{ .Values.cache.oxAppSuite.username | quote }}
        password: {{ .Values.cache.oxAppSuite.password | default .Values.secrets.redis.password | quote }}
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreMW.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
@@ -491,9 +501,9 @@ appsuite:
  core-documentconverter:
    adminUser: "admin"
-    adminPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
+    adminPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
    basicAuthLogin: "oxlogin"
-    basicAuthPassword: {{ .Values.secrets.oxAppsuite.basicAuthPassword | quote }}
+    basicAuthPassword: {{ .Values.secrets.oxAppSuite.basicAuthPassword | quote }}
    enabled: true
    documentConverter:
      cache:
@@ -578,9 +588,9 @@ appsuite:
  core-imageconverter:
    enabled: true
    adminUser: "admin"
-    adminPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
+    adminPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
    basicAuthLogin: "oxlogin"
-    basicAuthPassword: {{ .Values.secrets.oxAppsuite.basicAuthPassword | quote }}
+    basicAuthPassword: {{ .Values.secrets.oxAppSuite.basicAuthPassword | quote }}
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeImageConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -50,7 +50,7 @@ oxConnector:
  oxLocalTimezone: "Europe/Berlin"
  oxLanguage: "de_DE"
  oxMasterAdmin: "admin"
-  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
+  oxMasterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
  oxSmtpServer: "smtp://127.0.0.1:587"
  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
--- a/helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl
@@ -20,11 +20,13 @@ releases:
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskOpenprojectBootstrap | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskOpenprojectBootstrap }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.openproject.enabled }}
    timeout: 900
 commonLabels:
-  deploy-stage: "component-2"
+  deployStage: "060-components"
  component: "opendesk-openproject-bootstrap"
 ...
--- a/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
@@ -20,11 +20,13 @@ releases:
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
-      - {{ .Values.customization.release.openproject | default "additionalValues: false" }}
+      {{ range .Values.customization.release.openproject }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.openproject.enabled }}
    timeout: 1800
 commonLabels:
-  deploy-stage: "component-1"
+  deployStage: "050-components"
  component: "openproject"
 ...
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -40,7 +40,9 @@ dbInit:
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
+  OPENPROJECT_APP__TITLE: "Projects | {{ .Values.theme.texts.productName }}"
  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
  OPENPROJECT_APP__TITLE: "Projects | {{ .Values.theme.texts.productName }}"
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_USER__DEFAULT__TIMEZONE: "Europe/Berlin"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
@@ -84,9 +86,6 @@ environment:
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.nubus .Values.global.domain | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
  {{- if .Values.enterprise.openproject.token }}
  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterprise.openproject.token | quote }}
  {{- end }}
  {{- if .Values.certificate.selfSigned }}
  SSL_CERT_FILE: "/etc/ssl/certs/ca-certificates.crt"
  {{- end }}
@@ -192,8 +191,8 @@ s3:
  enabled: true
  directUploads: {{ .Values.objectstores.openproject.directUploads }}
  enableSignatureV4Streaming: {{ .Values.objectstores.openproject.enableSignatureV4Streaming }}
-  endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  endpoint: {{ printf "https://%s" (.Values.objectstores.openproject.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
-  host: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  host: {{ printf "https://%s" (.Values.objectstores.openproject.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
  pathStyle: {{ .Values.objectstores.openproject.pathStyle }}
  region: {{ .Values.objectstores.openproject.region | quote }}
  bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
--- a/helmfile/apps/services/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/services/helmfile-child.yaml.gotmpl
@@ -89,6 +89,16 @@ repositories:
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
  # openDesk Alerts
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-alerts
  - name: "opendesk-alerts-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.opendeskAlerts.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskAlerts.registry }}/{{ .Values.charts.opendeskAlerts.repository }}"
  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
  - name: "memcached-repo"
@@ -113,13 +123,27 @@ repositories:
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
  # openDesk Enterprise Repositories
  # Cassandra
  # Source: https://github.com/bitnami/charts/
  - name: "cassandra-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.cassandra.verify }}
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
 releases:
  - name: "opendesk-otterize"
    chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
    version: "{{ .Values.charts.otterize.version }}"
    values:
      - "values-otterize.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskOtterize | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskOtterize }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.security.otterizeIntents.enabled }}
    timeout: 900
@@ -128,7 +152,9 @@ releases:
    version: "{{ .Values.charts.home.version }}"
    values:
      - "values-home.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskHome | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskHome }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.home.enabled }}
  - name: "opendesk-certificates"
@@ -136,16 +162,31 @@ releases:
    version: "{{ .Values.charts.certificates.version }}"
    values:
      - "values-certificates.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskCertificates | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskCertificates }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.certificates.enabled }}
    timeout: 900
  - name: "opendesk-alerts"
    chart: "opendesk-alerts-repo/{{ .Values.charts.opendeskAlerts.name }}"
    version: "{{ .Values.charts.opendeskAlerts.version }}"
    values:
      - "values-opendesk-alerts.yaml.gotmpl"
      {{ range .Values.customization.release.opendeskAlerts}}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
    timeout: 900
  - name: "redis"
    chart: "redis-repo/{{ .Values.charts.redis.name }}"
    version: "{{ .Values.charts.redis.version }}"
    values:
      - "values-redis.yaml.gotmpl"
-      - {{ .Values.customization.release.redis | default "additionalValues: false" }}
+      {{ range .Values.customization.release.redis }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.redis.enabled }}
    timeout: 900
@@ -154,7 +195,9 @@ releases:
    version: "{{ .Values.charts.memcached.version }}"
    values:
      - "values-memcached.yaml.gotmpl"
-      - {{ .Values.customization.release.memcached | default "additionalValues: false" }}
+      {{ range .Values.customization.release.memcached }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.memcached.enabled }}
    timeout: 900
@@ -163,7 +206,9 @@ releases:
    version: "{{ .Values.charts.postgresql.version }}"
    values:
      - "values-postgresql.yaml.gotmpl"
-      - {{ .Values.customization.release.postgresql | default "additionalValues: false" }}
+      {{ range .Values.customization.release.postgresql }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.postgresql.enabled }}
    timeout: 900
@@ -172,7 +217,9 @@ releases:
    version: "{{ .Values.charts.mariadb.version }}"
    values:
      - "values-mariadb.yaml.gotmpl"
-      - {{ .Values.customization.release.mariadb | default "additionalValues: false" }}
+      {{ range .Values.customization.release.mariadb }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.mariadb.enabled }}
    timeout: 900
@@ -181,7 +228,9 @@ releases:
    version: "{{ .Values.charts.postfix.version }}"
    values:
      - "values-postfix.yaml.gotmpl"
-      - {{ .Values.customization.release.postfix | default "additionalValues: false" }}
+      {{ range .Values.customization.release.postfix }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.postfix.enabled }}
    timeout: 900
@@ -190,7 +239,9 @@ releases:
    version: "{{ .Values.charts.dkimpy.version }}"
    values:
      - "values-dkimpy.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskDkimpyMilter | default "additionalValues: false" }}
+      {{ range .Values.customization.release.opendeskDkimpyMilter }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.dkimpy.enabled }}
    timeout: 900
@@ -199,7 +250,9 @@ releases:
    version: "{{ .Values.charts.clamav.version }}"
    values:
      - "values-clamav-distributed.yaml.gotmpl"
-      - {{ .Values.customization.release.clamav | default "additionalValues: false" }}
+      {{ range .Values.customization.release.clamav }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.clamavDistributed.enabled }}
    timeout: 900
@@ -208,7 +261,9 @@ releases:
    version: "{{ .Values.charts.clamavSimple.version }}"
    values:
      - "values-clamav-simple.yaml.gotmpl"
-      - {{ .Values.customization.release.clamavSimple | default "additionalValues: false" }}
+      {{ range .Values.customization.release.clamavSimple }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.clamavSimple.enabled }}
    timeout: 900
@@ -217,11 +272,24 @@ releases:
    version: "{{ .Values.charts.minio.version }}"
    values:
      - "values-minio.yaml.gotmpl"
-      - {{ .Values.customization.release.minio | default "additionalValues: false" }}
+      {{ range .Values.customization.release.minio }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.minio.enabled }}
    timeout: 900
  # openDesk Enterprise Releases
  - name: "cassandra"
    chart: "cassandra-repo/{{ .Values.charts.cassandra.name }}"
    version: "{{ .Values.charts.cassandra.version }}"
    values:
      {{ range .Values.customization.release.cassandra }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.cassandra.enabled }}
    timeout: 900
 commonLabels:
-  deploy-stage: "services"
+  deployStage: "030-services"
  component: "services"
 ...
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -39,7 +39,7 @@ global:
    {{- if .Values.openproject.enabled }}
    openproject: {{ .Values.global.hosts.openproject }}
    {{- end }}
-    {{- if .Values.oxAppsuite.enabled }}
+    {{- if .Values.oxAppSuite.enabled }}
    openxchange: {{ .Values.global.hosts.openxchange }}
    {{- end }}
    {{- if .Values.nubus.enabled }}
@@ -52,6 +52,7 @@ global:
 issuerRef:
  name: {{ .Values.certificate.issuerRef.name | quote }}
  kind: {{ .Values.certificate.issuerRef.kind | quote }}
 cleanup:
  keepRessourceOnDelete: {{ .Values.debug.cleanup.keepRessourceOnDelete }}
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -47,9 +47,9 @@ job:
    - username: "openxchange_user"
    # - username: {{ .Values.databases.xwiki.username | quote }}
      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
-      connectionLimit: {{ .Values.databases.oxAppsuite.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+      connectionLimit: {{ .Values.databases.oxAppSuite.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: "xwiki_user"
-    # - username: {{ .Values.databases.oxAppsuite.username | quote }}
+    # - username: {{ .Values.databases.oxAppSuite.username | quote }}
      password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
      connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
  databases:
@@ -59,15 +59,16 @@ job:
    # users for the moment.
    - name: "openxchange"
      user: "openxchange_user"
-    # - name: {{ .Values.databases.oxAppsuite.name | quote }}
+    # - name: {{ .Values.databases.oxAppSuite.name | quote }}
-    #   user: {{ .Values.databases.oxAppsuite.username | quote }}
+    #   user: {{ .Values.databases.oxAppSuite.username | quote }}
    - name: "xwiki"
      user: "xwiki_user"
    # - name: {{ .Values.databases.xwiki.name | quote }}
    #   user: {{ .Values.databases.xwiki.username | quote }}
 mariadb:
-  rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
+  rootPassword:
    value: {{ .Values.secrets.mariadb.rootPassword | quote }}
 persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
--- a/helmfile/apps/services/values-opendesk-alerts.yaml.gotmpl
+++ b/helmfile/apps/services/values-opendesk-alerts.yaml.gotmpl
@@ -0,0 +1,52 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 additionalAnnotations:
  {{ .Values.monitoring.prometheus.prometheusRules.annotations | toYaml | nindent 2 }}
 additionalLabels:
  {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 2 }}
 config:
  collabora:
    enable: {{ .Values.collabora.enabled }}
    selectors:
      namespace: {{ .Values.collabora.namespace | quote }}
  matrix:
    enable: {{ .Values.element.enabled }}
    selectors:
      namespace: {{ .Values.element.namespace | quote }}
  diagrams:
    enable: {{ .Values.cryptpad.enabled }}
    selectors:
      namespace: {{ .Values.cryptpad.namespace | quote }}
  nextcloud:
    enable: {{ .Values.nextcloud.enabled }}
    selectors:
      namespace: {{ .Values.nextcloud.namespace | quote }}
  openXChange:
    enable: {{ .Values.oxAppSuite.enabled }}
    selectors:
      namespace: {{ .Values.oxAppSuite.namespace | quote }}
  xwiki:
    enable: {{ .Values.xwiki.enabled }}
    selectors:
      namespace: {{ .Values.xwiki.namespace | quote }}
  nubus:
    enable: {{ .Values.nubus.enabled }}
    selectors:
      namespace: {{ .Values.nubus.namespace | quote }}
  openProject:
    enable: {{ .Values.openproject.enabled }}
    selectors:
      namespace: {{ .Values.openproject.namespace | quote }}
  jitsi:
    enable: {{ .Values.jitsi.enabled }}
    selectors:
      namespace: {{ .Values.jitsi.namespace | quote }}
  collabora:
    enable: {{ .Values.collabora.enabled }}
    selectors:
      namespace: {{ .Values.collabora.namespace | quote }}
--- a/helmfile/apps/services/values-otterize.yaml.gotmpl
+++ b/helmfile/apps/services/values-otterize.yaml.gotmpl
@@ -29,7 +29,7 @@ apps:
  openproject:
    enabled: {{ .Values.openproject.enabled }}
  oxAppsuite:
-    enabled: {{ .Values.oxAppsuite.enabled }}
+    enabled: {{ .Values.oxAppSuite.enabled }}
  postfix:
    enabled: {{ .Values.postfix.enabled }}
  postgresql:
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -68,11 +68,15 @@ postfix:
  smtpdTLSCertFile: "/etc/tls/tls.crt"
  smtpdKeyFile: "/etc/tls/tls.key"
  smtpdSASLPath: "inet:dovecot:3659"
  {{- if .Values.antivirus.milter.host }}
  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
  {{- else }}
  {{- if .Values.clamavDistributed.enabled }}
  smtpdMilters: "inet:clamav-milter:7357"
  {{- else if .Values.clamavSimple.enabled }}
  smtpdMilters: "inet:clamav-simple:7357"
  {{- end }}
  {{- end }}
  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
  virtualTransport: "lmtps:dovecot:24"
--- a/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
@@ -19,11 +19,13 @@ releases:
    wait: true
    values:
      - "values.yaml.gotmpl"
-      - {{ .Values.customization.release.xwiki | default "additionalValues: false" }}
+      {{ range .Values.customization.release.xwiki }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.xwiki.enabled }}
    timeout: 1800
 commonLabels:
-  deploy-stage: "component-1"
+  deployStage: "050-components"
  component: "xwiki"
 ...
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -23,7 +23,7 @@ externalDB:
  password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
  database: {{ .Values.databases.xwiki.name | quote }}
  user: {{ .Values.databases.xwiki.username | quote }}
-  host: {{ .Values.databases.xwiki.host | quote }}
+  host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }}
  customKeyRef:
    enabled: false
@@ -57,8 +57,10 @@ customConfigs:
    xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
    ## Enable the synchronization of the LDAP profile picture
    xwiki.authentication.ldap.update_photo: 1
-    ## Password of default user
+    {{ if .Values.debug.enabled }}
    ## Password of "superadmin" user, disables account if not password is set
    xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
    {{ end }}
    ## LDAP Server configuration
    xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
    xwiki.authentication.ldap.port: 389
--- a/helmfile/environments/default/antivirus.yaml
+++ b/helmfile/environments/default/antivirus.yaml
@@ -0,0 +1,11 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 antivirus:
  icap:
    host: ~
    port: 1344
  milter:
    host: ~
    port: 7357
 ...
--- a/helmfile/environments/default/cache.yaml
+++ b/helmfile/environments/default/cache.yaml
@@ -5,14 +5,22 @@ cache:
  intercomService:
    host: "redis-headless"
    port: 6379
    username: "default"
    password: ""
  nextcloud:
    host: "redis-headless"
    port: 6379
    username: "default"
    password: ""
    tls: false
  openproject:
    host: "memcached"
    port: 11211
  oxAppSuite:
    host: "redis-headless"
    port: 6379
    username: "default"
    password: ""
  umsSelfservice:
    host: "memcached"
    port: 11211
--- a/helmfile/environments/default/certificate.yaml
+++ b/helmfile/environments/default/certificate.yaml
@@ -5,6 +5,7 @@
 certificate:
  issuerRef:
    name: "letsencrypt-prod"
    kind: "ClusterIssuer"
  wildcard: false
  selfSigned: false
 ...
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -6,6 +6,16 @@
 # yamllint disable rule:line-length
 ---
 charts:
  cassandra:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnamicharts/cassandra"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/external/charts/bitnami-charts"
    name: "cassandra"
    version: "12.0.4"
    verify: true
  certificates:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -80,7 +90,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
    name: "dovecot"
-    version: "1.4.0"
+    version: "1.4.1"
    verify: true
  element:
    # providerCategory: "Platform"
@@ -90,7 +100,17 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "3.4.1"
+    version: "5.0.0"
    verify: true
  elementWeb:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element-web"
    version: "5.0.0"
    verify: true
  elementWellKnown:
    # providerCategory: "Platform"
@@ -100,7 +120,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "3.4.1"
+    version: "5.0.0"
    verify: true
  home:
    # providerCategory: "Platform"
@@ -132,7 +152,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
    name: "opendesk-jitsi"
-    version: "1.12.5"
+    version: "2.1.1"
    verify: true
  mariadb:
    # providerCategory: "Platform"
@@ -142,7 +162,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-mariadb"
    name: "mariadb"
-    version: "2.3.1"
+    version: "3.0.3"
    verify: true
  matrixNeoboardWidget:
    # providerCategory: "Platform"
@@ -232,7 +252,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "3.4.1"
+    version: "3.6.2"
    verify: true
  nextcloudManagement:
    # providerCategory: "Platform"
@@ -242,7 +262,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "3.4.1"
+    version: "3.6.2"
    verify: true
  nginx:
    # providerCategory: "Community"
@@ -254,6 +274,16 @@ charts:
    name: "nginx"
    version: "15.9.3"
    verify: true
  nginxS3Gateway:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # packageName=bmi/opendesk/components/platform-development/charts/nginx-s3-gateway/nginx-s3-gateway
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/nginx-s3-gateway"
    name: "nginx-s3-gateway"
    version: "1.0.1"
    verify: true
  nubus:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -266,6 +296,16 @@ charts:
    name: "nubus"
    version: "0.64.2"
    verify: true
  opendeskAlerts:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-alerts"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-alerts"
    name: "opendesk-alerts"
    version: "1.1.0"
    verify: true
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -286,7 +326,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
    name: "openproject"
-    version: "8.0.0"
+    version: "9.0.1"
    verify: true
  openprojectBootstrap:
    # providerCategory: "Platform"
@@ -298,28 +338,6 @@ charts:
    name: "opendesk-openproject-bootstrap"
    version: "2.1.1"
    verify: true
  openXchangeAppSuite:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["2", "2", "37"]
    # upstreamRegistry: "https://registry.open-xchange.com"
    # upstreamRepository: "appsuite-public-sector/charts/appsuite-public-sector"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
    version: "2.10.9"
    verify: false
  openXchangeAppSuiteBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap/opendesk-open-xchange-bootstrap"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
    name: "opendesk-open-xchange-bootstrap"
    version: "2.1.2"
    verify: true
  otterize:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -330,6 +348,28 @@ charts:
    name: "opendesk-otterize"
    version: "2.1.0"
    verify: true
  oxAppSuite:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ["2", "2", "37"]
    # upstreamRegistry: "https://registry.open-xchange.com"
    # upstreamRepository: "appsuite-public-sector/charts/appsuite-public-sector"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
    version: "2.12.85"
    verify: false
  oxAppSuiteBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry.opencode.de"
    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap/opendesk-open-xchange-bootstrap"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
    name: "opendesk-open-xchange-bootstrap"
    version: "2.1.2"
    verify: true
  oxConnector:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -380,7 +420,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "3.4.1"
+    version: "5.0.0"
    verify: true
  synapseCreateAccount:
    # providerCategory: "Platform"
@@ -390,7 +430,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "3.4.1"
+    version: "5.0.0"
    verify: true
  synapseWeb:
    # providerCategory: "Platform"
@@ -400,7 +440,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "3.4.1"
+    version: "5.0.0"
    verify: true
  xwiki:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/customization.yaml
+++ b/helmfile/environments/default/customization.yaml
@@ -2,56 +2,69 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 # This variable allows customization of helmfile releases by loading custom values file.
 #
 # **Warning**: Customizations are a very powerful tool to apply individual changes to your
 # openDesk installation. As there are no limits set for what you use it, openDesk cannot
 # support the configurations you are about to create using the customization-option. If you
 # have the demand for a specific configuration, try to get it into the openDesk standard
 # by creating a ticket at https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/issues
 #
 # Example:
 # customization:
 #   release:
-#     collaboraOnline: /path/to/additional/file.yaml
+#     collaboraOnline:
 #       myCustomConfig: "/path/to/additional/file.yaml"
 customization:
  release:
    # collabora
-    collaboraOnline: ~
+    collaboraOnline: {}
    # cryptpad
-    cryptpad: ~
+    cryptpad: {}
    # element
-    opendeskElement: ~
+    opendeskElement: {}
-    opendeskWellKnown: ~
+    opendeskWellKnown: {}
-    opendeskSynapseWeb: ~
+    opendeskSynapseWeb: {}
-    opendeskSynapse: ~
+    opendeskSynapse: {}
    # jitsi
-    jitsi: ~
+    jitsi: {}
    # migrations-post
-    migrationsPost: ~
+    migrationsPost: {}
    # migrations-pre
-    migrationsPre: ~
+    migrationsPre: {}
    # nextcloud
-    opendeskNextcloudManagement: ~
+    opendeskNextcloudManagement: {}
-    opendeskNextcloud: ~
+    opendeskNextcloud: {}
    # nubus
-    ums: ~
+    ums: {}
-    intercomService: ~
+    intercomService: {}
-    opendeskKeycloakBootstrap: ~
+    opendeskKeycloakBootstrap: {}
    nginxS3Gateway: {}
    # open-xchange
-    dovecot: ~
+    dovecot: {}
-    openXchange: ~
+    openxchange: {}
-    opendeskOpenXchangeBootstrap: ~
+    opendeskOpenxchangeBootstrap: {}
-    oxConnector: ~
+    oxConnector: {}
    # openproject
-    openproject: ~
+    openproject: {}
    # openproject-bootstrap
-    opendeskOpenprojectBootstrap: ~
+    opendeskOpenprojectBootstrap: {}
    # services
-    opendeskOtterize: ~
+    opendeskOtterize: {}
-    opendeskHome: ~
+    opendeskHome: {}
-    opendeskCertificates: ~
+    opendeskCertificates: {}
-    redis: ~
+    opendeskAlerts: {}
-    memcached: ~
+    redis: {}
-    postgresql: ~
+    memcached: {}
-    mariadb: ~
+    postgresql: {}
-    postfix: ~
+    mariadb: {}
-    opendeskDkimpyMilter: ~
+    postfix: {}
-    clamav: ~
+    opendeskDkimpyMilter: {}
-    clamavSimple: ~
+    clamav: {}
-    minio: ~
+    clamavSimple: {}
    minio: {}
    # xwiki
-    xwiki: ~
+    xwiki: {}
    # openDesk Enterprise Components
    cassandra: {}
 ...
--- a/helmfile/environments/default/database.yaml
+++ b/helmfile/environments/default/database.yaml
@@ -32,7 +32,7 @@ databases:
    username: "openproject_user"
    password: ""
    connectionLimit: ~
-  oxAppsuite:
+  oxAppSuite:
    name: "configdb"
    host: "mariadb"
    port: 3306
@@ -45,6 +45,21 @@ databases:
    port: 5432
    username: "matrix_user"
    password: ""
    requireAuth: []
    channelBinding: "prefer"
    connectTimeout: 10
    clientEncoding: "auto"
    keepalives: 1
    keepalivesIdle: 10
    keepalivesInterval: 10
    keepalivesCount: 3
    replication: false
    gssencmode: "prefer"
    sslmode: "prefer"
    sslcompression: 0
    sslMinProtocolVersion: "TLSv1.2"
    connectionPoolMin: "3"
    connectionPoolMax: "5"
    connectionLimit: ~
  umsGuardianManagementApi:
    name: "guardianmanagementapi"
--- a/helmfile/environments/default/enterprise.yaml
+++ b/helmfile/environments/default/enterprise.yaml
@@ -1,9 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 # The variables set in this file are required to upgrade components to their "Enterprise" product variant.
 ---
 enterprise:
  openproject:
    # Enterprise token must match the deployment's OpenProject host name.
    token: ""
 ...
--- a/helmfile/environments/default/functional.yaml
+++ b/helmfile/environments/default/functional.yaml
@@ -45,6 +45,8 @@ functional:
        enabled: false
        # Enforces passwords to be used on external shares.
        enforcePasswords: false
        # Let Nextcloud send the password set for the share by mail to the recipient of the share.
        sendPasswordMail: true
        # Expiry settings for the external shares.
        expiry:
          # If true the check box for the expiry date is enabled by default.
@@ -85,6 +87,10 @@ functional:
      # Ref.:
      enabled: false
  portal:
    # Configure if the a re-direct to the login dialogue is enforced, or if the portal is shown and the user as to actively
    # trigger the login flow, e.g. but clicking on the "Login" portal tile.
    enforceLogin: true
  chat:
    matrix:
      profile:
@@ -99,10 +105,10 @@ functional:
        useImmutableIdentifierForLocalpart: false
  migration:
-    oxAppsuite:
+    oxAppSuite:
      # Note: Only available in openDesk Enterprise.
      # Turn on temporary for migration purposes only. Will enable master password auth in OX AppSuite and Dovecot using
-      # `secrets.oxAppsuite.migrationsMasterPassword`.
+      # `secrets.oxAppSuite.migrationsMasterPassword`.
      enabled: false
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -20,7 +20,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.7.2.1@sha256:5b00478f2c6c7372b2a67e68783d9b1a91265679bbd4afdc1416e50720d50ce6"
+    tag: "24.04.9.2.1@sha256:749917bf9146d8507b3a63d422a30ebe4f499700421c30527e32f322a015c73d"
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
@@ -29,7 +29,7 @@ images:
    # upstreamMirrorTagFilterRegEx: '^opendesk-(\d+)$'
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad"
-    tag: "opendesk-20231222@sha256:f4d20d5c38c87b11ed1a1b46ef6a3633d32c6758ebdff8556458f040318fa5e2"
+    tag: "opendesk-20241022@sha256:3e5bf06cb9d0a7ec8257874b8b347599200eb677fc428a2e043ccab06ef2be17"
  dkimpy:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -89,7 +89,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri"
-    tag: "stable-9646@sha256:30173d35449d78f8958eaf4de77e76c534806db0e49bdbb930f8c81e003e5a3b"
+    tag: "stable-9823@sha256:dd7a330cb14d95b7661167d7b4e1a8f2e988952ba4ea24baa0a96e09bebd40b1"
  jicofo:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -99,7 +99,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo"
-    tag: "stable-9646@sha256:c2c72b6e4b6655d8758145f5c4d4201265626b7c3c1a03f41c7dda060ca7165d"
+    tag: "stable-9823@sha256:551aa2adf078f8872474481a9bda7b7526fc5cae2853ce0be2aa1f6d91bf2ecc"
  jitsi:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -109,7 +109,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
-    tag: "stable-9646@sha256:04157797558743fa9c478b76d7332a45c6fbfbe4e34d6550f8716dd8526a1c6c"
+    tag: "stable-9823@sha256:d37d0d34715a0089437c5c030251010e068926f93395d46753e1767d0ee16247"
  jitsiKeycloakAdapter:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -119,7 +119,7 @@ images:
    # upstreamMirrorStartFrom: ["2023", "12", "14"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter"
-    tag: "v20240808@sha256:73db5ae9bb617d076b6a877500dbeece38fd15f8ae933ffadbd72d9aa82ad8da"
+    tag: "v20241023@sha256:2391799c5168222f0e3ebb94d7c3cb3bcea6f075399458197f0c1bbbb8f293fe"
  jitsiPatchJVB:
    # providerCategory: "Community"
    # providerResponsible: "Nordeck"
@@ -137,7 +137,7 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
-    tag: "stable-9646@sha256:22dfb237cdda8142dcf2b141c28d40ec8a675dd379dda5e851dac49e43e677b7"
+    tag: "stable-9823@sha256:e6e43071ce26628c816bea46a259c7462c8d5edbbd2ed66f983b1e0f2d9a6cb2"
  mariadb:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -235,7 +235,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.2.3@sha256:b5e36b4922b50be96ecdd8628d8124880251da5b2e98cfa5b12cf1ef715d042f"
+    tag: "2.3.4@sha256:46c596818861486ee621cf8a454c2539a4e230e58b1aebb5735022de849de8e6"
  nextcloudExporter:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -244,6 +244,14 @@ images:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter"
    tag: "1.0.1@sha256:63e63c7420e37d3989fa0ffdbcf18a07b2a603ab9b2a849c2e7e44342dd82af0"
  nginxS3Gateway:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "nginxinc/nginx-s3-gateway"
    registry: "registry-1.docker.io"
    repository: "nginxinc/nginx-s3-gateway"
    tag: "unprivileged-oss-20241111@sha256:20d6b6ec5fc987b18c3e345de33674374a8335c593d6d0841ac64eb49ae2dea4"
  nubusDataLoader:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -403,7 +411,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.7.5@sha256:cc38d339abea18dc3644b7764d7be13798956161d1c87e34b26b5d8b7a11edc6"
+    tag: "1.8.1@sha256:8101e27a930cb2252914440680f16eb4bb395cb89b630a251e91b7301e0f7d41"
  nubusOpenPolicyAgent:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -451,7 +459,7 @@ images:
    # upstreamRepository: "nubus/images/portal-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-portal-update"
-    tag: "1.8.1@sha256:dd2c8e16b57d5b2a97f465b15e108231782e3ee2df1cc07cee0388459bf40e1c"
+    tag: "1.10.5@sha256:75461683a2233c2e5c99499791ceb576b717c68baa28eef2c307e7052aaaf754"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -583,11 +591,11 @@ images:
    # providerResponsible: "OpenProject"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "openproject/open_desk"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)'
    # upstreamMirrorStartFrom: ["13", "1", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "14.6.1@sha256:3c9828b1ab4dc91f2b3887f9bfddda8ba79b92a2f335dd2db2295d14a98deab0"
+    tag: "15.0.3@sha256:5deb1da1ae5769904b6d363d6c03b234de6087240f985bedb63e25246a7e74a1"
  openprojectBootstrap:
    # providerCategory: "Platform"
    # providerResponsible: "openDesk"
@@ -621,7 +629,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "6", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.6@sha256:3082f3259a03025c03f6b9b77fafcd5b9e391ae5ac4a47b47d5f546d4f1534ee"
+    tag: "8.6.9@sha256:c6ce1047292937af2f153ffa5f88d54955c90b52ed7b17a80efd112030dd2aa9"
  openxchangeCoreMW:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -631,7 +639,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "51"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.28.50@sha256:38447bd607c497977a5ba9189d957eebe7f82f09fa329ebc38c0785c70b04558"
+    tag: "8.30.62@sha256:9e4341c723cf6671479dfaad37635f8b28bb510decb9b7f0fd2616faacbf0d1a"
  openxchangeCoreUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -641,7 +649,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "1"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.28.1@sha256:be9cfb5a1d9389a151b057884857ddebba982cfde621e432c55a17c03fff28d0"
+    tag: "8.30.1@sha256:bd15c87f0bd929be56dea260e35de0e089758eaf394c0eb4ece2991371c7ad5e"
  openxchangeCoreUIMiddleware:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -651,7 +659,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "0", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.0.4@sha256:e1d647cca13e7c433a9d643aa1a350197511274b239ead100aa1682ffe2fa116"
+    tag: "2.1.1@sha256:1a3e96243353a53e06bf3d90067d7d07de449e8273fa60a043d7ac4a5e6464c3"
  openxchangeCoreUserGuide:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -661,7 +669,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "799279"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.28.1107609@sha256:96a700ef71b4c723146ed0a274482422e09f5a9ccd035c351e192ea4de81eb9f"
+    tag: "8.30.1161251@sha256:a082bcf5768c2cba22f36a4299665474af92fd18307a1de719fc541717aee0b7"
  openxchangeDocumentConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -671,7 +679,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.28.49@sha256:0b45243cb2b6453b4073f4b80f205873fff49d8ed93f05c55971d728aa957e07"
+    tag: "8.30.60@sha256:4b3c79f94beec71f1b3e6c1be3cb4894d25e3a3133390cb077bf6fa749cecbe8"
  openxchangeGotenberg:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -691,7 +699,7 @@ images:
    # upstreamMirrorStartFrom: ["4", "2", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.28.0@sha256:950dd4ec4633fb920502392e8e93d9f497eaf920ae4fe79629b53a835f129741"
+    tag: "8.28.1@sha256:eed6a81f8393ce6ecdc8ea83507e0a734431a0eb8d30221f4cabe9fc7906e4e6"
  openxchangeImageConverter:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -701,7 +709,7 @@ images:
    # upstreamMirrorStartFrom: ["8", "20", "50"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.28.49@sha256:90d2f7defae974d115654986acb2035e38bb16a9daa9b2bf15078d48c0c24366"
+    tag: "8.30.61@sha256:816008c99e38a7268a323c2c144f1855275c53ea678cd6fdf2ff2170bd7bcfac"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: "Supplier"
    # providerResponsible: "Open-Xchange"
@@ -757,16 +765,15 @@ images:
    # upstreamMirrorStartFrom: ["8922"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
-    tag: "stable-9457-2@sha256:5364b0c9c6de654b7b31b5821e9cd7a39660a19010348e7ac56b85be2944daa0"
+    tag: "stable-9823@sha256:1c52b4ca8397545d54067c67a54c50473d83242c75f001fbf20ee628dfc80b7b"
  redis:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/redis"
    # WE ARE STUCK WITH <7.4 because of https://redis.com/blog/redis-adopts-dual-source-available-licensing/
    registry: "registry-1.docker.io"
    repository: "bitnami/redis"
-    tag: "7.2.3-debian-11-r2@sha256:9ac3bbf7740969d32689e360ddcfa5f672538c47f6f6cf296173c3078de0edf2"
+    tag: "7.4.1-debian-12-r2@sha256:3cfa11e8fef45c006a101ed7cfaae2cdaed7a5167c8ada2a3f76a1de54488cd0"
  synapse:
    # providerCategory: "Supplier"
    # providerResponsible: "Element"
--- a/helmfile/environments/default/ingress.yaml
+++ b/helmfile/environments/default/ingress.yaml
@@ -13,13 +13,13 @@ ingress:
      element: "100M"
      nextcloud: "100M"
      openproject: "100M"
-      openXchangeAppSuite: "100M"
+      oxAppSuite: "100M"
      xwiki: "100M"
    bodyTimeout:
      collabora: 600
      element: 60
      nextcloud: 600
      openproject: 60
-      openXchangeAppSuite: 60
+      oxAppSuite: 60
      xwiki: 60
 ...
--- a/helmfile/environments/default/monitoring.yaml
+++ b/helmfile/environments/default/monitoring.yaml
@@ -13,6 +13,7 @@ monitoring:
        release: "kube-prometheus-stack"
    prometheusRules:
      enabled: false
      annotations: {}
      labels:
        release: "kube-prometheus-stack"
--- a/helmfile/environments/default/opendesk_main.gotmpl
+++ b/helmfile/environments/default/opendesk_main.gotmpl
@@ -55,7 +55,7 @@ nubus:
 openproject:
  enabled: true
  namespace: ~
-oxAppsuite:
+oxAppSuite:
  enabled: true
  namespace: ~
 postfix:
@@ -70,4 +70,9 @@ redis:
 xwiki:
  enabled: true
  namespace: ~
 # openDesk Enterprise Components
 cassandra:
  enabled: false
  namespace: ~
 ...
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -122,6 +122,8 @@ replicas:
  umsUmcServer: 1
  # -- scalable: tbd
  umsUmcServerProxy: 1
  # -- scalable: true
  nginxS3Gateway: 1
  # -- component: Video conference (Jitsi)
  # -- scalable: tbd
@@ -162,7 +164,7 @@ replicas:
  # dedicated workers for specific queues are possible with OpenProject.
  openprojectWorker: 1
-  # -- component: Groupware (OX Appsuite)
+  # -- component: Groupware (OX App Suite)
  # -- scalable: tbd
  openxchangeCoreDocumentConverter: 1
  # -- scalable: tbd
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -96,7 +96,7 @@ resources:
      cpu: 99
      memory: "128Mi"
    requests:
-      cpu: "10m"
+      cpu: 0.01
      memory: "48Mi"
  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
  jvb:
@@ -218,6 +218,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "32Mi"
  nginxS3Gateway:
    limits:
      cpu: 99
      memory: "64Mi"
    requests:
      cpu: "100m"
      memory: "16Mi"
  openproject:
    limits:
      cpu: 99
@@ -377,7 +384,7 @@ resources:
      cpu: 99
      memory: "4Gi"
    requests:
-      cpu: 1
+      cpu: 0.5
      memory: "256Mi"
  synapseWeb:
    limits:
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 secrets:
-  oxAppsuite:
+  oxAppSuite:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
    migrationsMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "opendesk") "ox_appsuite" "migrations_master_password" | sha1sum | quote }}
    cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
--- a/helmfile/files/theme/favicon.ico
+++ b/helmfile/files/theme/favicon.ico
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -24,7 +24,7 @@ migrations:
  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  failOnUnexpectedState: true
  environmentDetails:
-    {{ .Values | toYaml | nindent 4 }}
+    {{ ( omit .Values "theme" ) | toYaml | nindent 4 }}
  cleanup: false
 containerSecurityContext:
Author	SHA1	Message	Date
Thorsten Roßner	f1c0abf585	fix(openproject): Set HTML title explicitly based on product name	2024-12-04 13:08:13 +01:00
Thorsten Roßner	9cd8c2e8db	fix(docs): Add GitOps / Argo CD documentation	2024-12-04 13:07:57 +01:00
Thorsten Roßner	2ae3dc623b	fix(helmfile): Auto-redirect user to login dialogue, please read migrations.md for more details	2024-12-04 13:07:26 +01:00
Lilly Sell	bba8dffeef	feat(helmfile): Add openDesk specific alerts	2024-12-04 13:07:26 +01:00
Thomas Kaltenbrunner	7317145c14	fix(cassandra): Prepare cassandra for openDesk Enterprise.	2024-12-04 13:07:26 +01:00
Thorsten Roßner	588e7491c8	fix(collabora): Update to 24.04.9.2.	2024-12-04 13:07:26 +01:00
Thorsten Roßner	fc4f5ffe46	fix(nextcloud): Update Chart to 3.6.1 and Image to 2.3.3 (including rollback to 29.0.8). Introducing setting for `functional.filestore.sharing.external.sendPasswordMail`	2024-12-04 13:07:26 +01:00
Thorsten Roßner	20de4189d3	fix(helmfile): Streamline `commonLabels.deployStage`.	2024-12-04 13:07:26 +01:00
Thorsten Roßner	cc96a1b59d	fix(jitsi): Update to 2.0.9823 and chart to 2.1.1	2024-12-04 13:07:26 +01:00
Thorsten Roßner	d5fb638040	fix(helmfile): Unify templating name for Open-Xchange to `openxchange` and for OX App Suite to `oxAppSuite`.	2024-12-04 13:07:26 +01:00
Dominik Kaminski	b24bc33e13	fix(open-xchange): Fix truststore decrypt error on self-signed deployments	2024-12-04 13:07:26 +01:00
Thorsten Roßner	a6e0fe73ea	fix(helmfile): Use dictionaries for defining `customization.yaml`, please read migrations.md for more details	2024-12-04 13:07:26 +01:00
Dominik Kaminski	a0024027cb	fix(services): Add template for certificate issuerRef.kind	2024-12-04 13:07:26 +01:00
Dominik Kaminski	9f59ea5202	feat(helmfile): Add template support for antivirus icap/milter	2024-12-04 13:07:26 +01:00
Thorsten Roßner	2c0c5792e8	fix(xwiki): Set superadmin password account only when debug is enabled	2024-12-04 13:07:26 +01:00
Thorsten Roßner	ba81f8b7dd	fix(ci): Explicitly set RELEASE_BRANCH (to `main`) for scan and release steps	2024-12-04 13:07:26 +01:00
Dominik Kaminski	d6b4298ada	fix(element): Rename release opendesk-element to opendesk-element-web	2024-12-04 13:07:26 +01:00
Dominik Kaminski	69d55e3464	fix(services): Update Redis to 7.4.1 as required by OX Appsuite, please read migrations.md for more details	2024-12-04 13:07:26 +01:00
Dominik Kaminski	fd901a01b6	fix(nextcloud): Add Redis TLS option	2024-12-04 13:07:26 +01:00
Dominik Kaminski	fd7d5ad47a	fix(helmfile): Add Redis username and tls option	2024-12-04 13:07:26 +01:00
Dominik Kaminski	665ab8309e	fix(element): Add extensive database options	2024-12-04 13:07:26 +01:00
Dominik Kaminski	41728b5842	fix(nubus): Add nginx s3 proxy when minio disabled	2024-12-04 13:07:26 +01:00
Dominik Kaminski	f15594275e	fix(nextcloud): Fix templating for nextcloud database name	2024-12-04 13:07:26 +01:00
Dominik Kaminski	1b515630ef	fix(xwiki): Fix templating for xwiki database port	2024-12-04 13:07:26 +01:00
Dominik Kaminski	52ae79a5de	fix(nextcloud): Fix templating for nextcloud database user	2024-12-04 13:07:26 +01:00
Thorsten Roßner	23c3c4c630	fix(openproject): Updated branding and Helm chart to 9.0.1	2024-12-04 13:05:03 +01:00
Thorsten Roßner	b1e21a9ab4	fix(openproject): Set HTML title explicitly based on product name	2024-11-22 13:17:39 +01:00
Luis Lürenbaum	71ff9141cb	chore(ci): Cleanup variables for e2e-test trigger	2024-11-22 11:55:49 +01:00
Thorsten Roßner	43f427e06a	fix(helmfile): Streamline `requests.cpu` in `resources.yaml`	2024-11-22 08:10:35 +01:00
Thorsten Roßner	31ea6e0e08	fix(open-xchange): Extend Dovecot LDAP filter to also match OX-Resources	2024-11-22 07:35:30 +01:00
Thorsten Roßner	1b13c3ea65	fix(nubus): Use favicon with transparent background for portal	2024-11-22 07:33:14 +01:00
Thorsten Roßner	0738fa080d	fix(helmfile): Allow usage of pre-defined CA certificates.	2024-11-20 16:01:45 +00:00
Oliver Günther	c06e0bb8d4	fix(openproject): Bump version to 15.0.2	2024-11-20 14:53:32 +01:00
Thorsten Roßner	c63cca72a3	fix(nextcloud): Update to 29.0.9 incl. latest apps.	2024-11-19 16:48:43 +01:00
Thorsten Roßner	9dbb2b755c	fix(jitsi): Update to switch the colors of `Hang up` and `End meeting for all` buttons.	2024-11-18 08:20:39 +01:00
openDesk Bot	08feab1cfc	fix(services): Update MariaDB chart to v3.0.3 in preparation for the use of external secrets.	2024-11-15 06:34:25 +00:00
Viktor Pracht	0c88699917	fix(open-xchange): Update AppSuite to 8.30, update Helm chart to 2.12.85	2024-11-14 16:55:19 +01:00
openDesk Bot	58fc76db5b	docs: Fix erroneous kubectl commands for fetching of secrets	2024-11-13 11:54:41 +00:00
Thorsten Roßner	5c691e4508	fix(jitsi): Update Jitsi Helm chart and images.	2024-11-13 12:23:19 +01:00
Thorsten Roßner	b6725dddc1	fix(helmfile): Remove `theme` subtree from the migration's `.Values` secret to avoid a bloated secret hitting limits in certain clusters setups and GitOps tools.	2024-11-06 16:33:49 +01:00
Oliver Günther	4c82adf668	fix(openproject): Update to 14.6.3 incl. latest Helm chart (8.3.2).	2024-11-05 07:46:27 +00:00