fix(nubus): Fix udm-rest-api extended_attributes

Might want to replace this commit and just use the same change
from `ums-stack`.

.gitlab-ci.yml

@@ -92,7 +92,7 @@ variables:
       - "yes"
       - "no"
   DEPLOY_UMS:
-    description: "Enable Univention Management Stack deployment."
+    description: "Enable Nubus deployment."
     value: "no"
     options:
       - "yes"
@@ -317,7 +317,7 @@ ums-deploy:
           ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no")
       when: "on_success"
   variables:
-    COMPONENT: "univention-management-stack"
+    COMPONENT: "nubus"
 
 ox-deploy:
   stage: "component-deploy-stage-1"

.gitlab/lint/lint-kyverno.yml

@@ -17,12 +17,12 @@ lint-kyverno:
           - "intercom-service"
           - "jitsi"
           - "nextcloud"
+          - "nubus"
           - "open-xchange"
           - "openproject"
           - "openproject-bootstrap"
           - "provisioning"
           - "services"
-          - "univention-management-stack"
           - "xwiki"
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"

.reuse/dep5

@@ -3,8 +3,8 @@ Upstream-Name: openDesk - der Souveräne Arbeitsplatz
 Upstream-Contact: <opendesk@zendis.de>
 Source: https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk
 
-Files: helmfile/environments/default/theme/*
-Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+Files: helmfile/files/theme/*
+Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 License: Apache-2.0
 
 Files: helmfile/files/gpg-pubkeys/*

docs/getting-started.md

@@ -101,7 +101,7 @@ export DOMAIN=domain.tld
 All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.
 
 | Component            | Name                        | Default | Description                    |
-| --------------------------- | ----------------------------------- | ------- | ------------------------------ |
+| -------------------- | --------------------------- | ------- | ------------------------------ |
 | Certificates         | `certificates.enabled`      | `true`  | TLS certificates               |
 | ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine               |
 | ClamAV (Simple)      | `clamavSimple.enabled`      | `true`  | Antivirus engine               |
@@ -121,7 +121,7 @@ All available apps and their default value can be found in `helmfile/environment
 | Postfix              | `postfix.enabled`           | `true`  | MTA                            |
 | PostgreSQL           | `postgresql.enabled`        | `true`  | Database                       |
 | Redis                | `redis.enabled`             | `true`  | Cache Database                 |
-| Univention Management Stack | `univentionManagementStack.enabled` | `true`  | Identity Management & Portal   |
+| Nubus                | `nubus.enabled`             | `true`  | Identity Management & Portal   |
 | XWiki                | `xwiki.enabled`             | `true`  | Knowledge management           |
 
 Exemplary, Jitsi can be disabled like:
@@ -378,8 +378,7 @@ When all apps are successfully deployed and pod status' went to `Running` or `Su
 https://portal.domain.tld
 ```
 
-If you change the subdomain of `univentionManagementStack`, you need to replace `portal`
-by your specified subdomain.
+If you change the subdomain of `nubus`, you need to replace `portal` by your specified subdomain.
 
 **Credentials:**
 

docs/migrations.md

@@ -6,8 +6,13 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Upgrade migrations</h1>
 
 * [Disclaimer](#disclaimer)
+* [From v0.9.0](#from-v090)
+  * [Manual migrations](#manual-migrations)
+  * [Automated migrations](#automated-migrations)
+    * [Updated IAM component Nubus](#updated-iam-component-nubus)
 * [From v0.8.1](#from-v081)
   * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
+  * [Nubus LDAP PVCs](#nubus-ldap-pvcs)
   * [Updated customizable template attributes](#updated-customizable-template-attributes)
   * [`migrations` S3 bucket](#migrations-s3-bucket)
 
@@ -17,6 +22,29 @@ We do not offer support for upgrades before we reach openDesk 1.0.
 
 Though we try to ease the pain when it comes to 0.x upgrades. That is what this document is for.
 
+# From v0.9.0
+
+## Manual migrations
+
+None.
+
+## Automated migrations
+
+### Updated IAM component Nubus
+
+openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The new redundant and scalable LDAP requires migration activities. These have been automated to avoid manual interaction. The `run_2` of the openDesk
+upgrade migrations executes the following steps
+
+- Stage PRE:
+  - Scale down `statefulset/ums-ldap-server` and `statefulset/ums-ldap-notifier`.
+  - Create two new PVCs `shared-data-ums-ldap-server-primary-0` and `shared-data-ums-ldap-server-primary-1` for the new LDAP primary pods as copy from the existing `shared-data-ums-ldap-server-0`. The LDAP secondaries will sync from the primary nodes.
+- Stage POST:
+  - Delete the no longer used `shared-data-ums-ldap-server-0`.
+  - Restart Keycloak.
+
+**Note:** You should ensure you have a backup of the contents of `shared-data-ums-ldap-server-0` if something goes wrong during the
+upgrade migration.
+
 # From v0.8.1
 
 ## Updated `cluster.networking.cidr`
@@ -24,6 +52,114 @@ Though we try to ease the pain when it comes to 0.x upgrades. That is what this
 - Action: `cluster.networking.cidr` is now an array (was a string until 0.8.1), please update your setup accordingly if you explicitly set this value.
 - Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml)
 
+## Nubus LDAP PVCs
+
+openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The new redundant and scalable LDAP requires some manual action to upgrade from 0.8.1:
+
+- Action: Before the upgrade you have to prepare the PVCs for the LDAP primary Pods. First scale down the 0.8.1 LDAP Pod and pre-create and pre-populate the new PVCs with the data from the current LDAP PVC. You can do all this by running the following snippet on your commandline, after setting `NAMESPACE` to the appropriate value. The LDAP secondaries get sync'd from the primary to fill their own PVCs data.
+```
+export NAMESPACE=YOUR_NAMESPACE
+kubectl -n $NAMESPACE scale --replicas=0 statefulset/ums-ldap-notifier
+kubectl -n $NAMESPACE scale --replicas=0 statefulset/ums-ldap-server
+kubectl -n $NAMESPACE apply -f - <<EOF
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  # Target PVC name
+  name: shared-data-ums-ldap-server-primary-0
+spec:
+  dataSource:
+    # Source PVC name
+    name: shared-data-ums-ldap-server-0
+    kind: PersistentVolumeClaim
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      # Target PVC size (deployments default to 1Gi)
+      storage: 1Gi
+...
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  # Target PVC name
+  name: shared-data-ums-ldap-server-primary-1
+spec:
+  dataSource:
+    # Source PVC name
+    name: shared-data-ums-ldap-server-0
+    kind: PersistentVolumeClaim
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      # Target PVC size (deployments default to 1Gi)
+      storage: 1Gi
+...
+EOF
+```
+
+- Once you have verified that your upgrade was successful, you can delete the previous LDAP's PVC:
+```
+kubectl -n $NAMESPACE delete pvc shared-data-ums-ldap-server-0
+```
+
+## Nubus LDAP PVCs
+
+openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The new redundant and scalable LDAP requires some manual action to upgrade from 0.8.1:
+
+- Action: Before the upgrade you have to prepare the PVCs for the LDAP primary Pods. First scale down the 0.8.1 LDAP Pod and pre-create and pre-populate the new PVCs with the data from the current LDAP PVC. You can do all this by running the following snippet on your commandline, after setting `NAMESPACE` to the appropriate value. The LDAP secondaries get sync'd from the primary to fill their own PVCs data.
+```
+export NAMESPACE=YOUR_NAMESPACE
+kubectl -n $NAMESPACE scale --replicas=0 statefulset/ums-ldap-notifier
+kubectl -n $NAMESPACE scale --replicas=0 statefulset/ums-ldap-server
+kubectl -n $NAMESPACE apply -f - <<EOF
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  # Target PVC name
+  name: shared-data-ums-ldap-server-primary-0
+spec:
+  dataSource:
+    # Source PVC name
+    name: shared-data-ums-ldap-server-0
+    kind: PersistentVolumeClaim
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      # Target PVC size (deployments default to 1Gi)
+      storage: 1Gi
+...
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  # Target PVC name
+  name: shared-data-ums-ldap-server-primary-1
+spec:
+  dataSource:
+    # Source PVC name
+    name: shared-data-ums-ldap-server-0
+    kind: PersistentVolumeClaim
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      # Target PVC size (deployments default to 1Gi)
+      storage: 1Gi
+...
+EOF
+```
+
+- Once you have verified that your upgrade was successful, you can delete the previous LDAP's PVC:
+```
+kubectl -n $NAMESPACE delete pvc shared-data-ums-ldap-server-0
+```
+
 ## Updated customizable template attributes
 
 - Action: Please ensure you update you custom deployment values according with the updated default value structure.

helmfile/apps/element/values-element.yaml.gotmpl

@@ -5,15 +5,15 @@
 configuration:
   endToEndEncryption: true
   additionalConfiguration:
-    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
 
     "net.nordeck.element_web.module.opendesk":
       config:
         banner:
           ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
           ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
-          portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
-          portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
+          portal_logo_svg_url: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+          portal_url: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/"
         custom_css_variables:
           --cpd-color-bg-action-primary-rest: {{ .Values.theme.colors.primary | quote }}
           --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -48,7 +48,7 @@ configuration:
         value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
   ldap:
     host: {{ .Values.ldap.host | quote }}
-    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
+    password: {{ .Values.secrets.nubus.ldapSearch.nextcloud | quote }}
     adminGroupName: "managed-by-attribute-FileshareAdmin"
   objectstore:
     auth:

helmfile/apps/nubus/helmfile-child.yaml

@@ -3,15 +3,15 @@
 ---
 repositories:
   # Univention Management Stack Umbrella Chart
-  - name: "ums"
+  - name: "nubus"
     keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.ums.verify }}
+    verify: {{ .Values.charts.nubus.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
     url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.ums.registry }}/\
-      {{ .Values.charts.ums.repository }}"
+      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/\
+      {{ .Values.charts.nubus.repository }}"
   # OpenDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -25,11 +25,13 @@ repositories:
 releases:
   # Univention Management Stack Umbrella Chart
   - name: "ums"
-    chart: "ums/{{ .Values.charts.ums.name }}"
-    version: "{{ .Values.charts.ums.version }}"
+    chart: "nubus/{{ .Values.charts.nubus.name }}"
+    version: "{{ .Values.charts.nubus.version }}"
     values:
-      - "values-umbrella.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
+      - "values-nubus.yaml.gotmpl"
+      - "values-opendesk-customization.yaml.gotmpl"
+      - "values-opendesk-images.yaml.gotmpl"
+    installed: {{ .Values.nubus.enabled }}
     timeout: 900
   # OpenDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap"
@@ -39,10 +41,10 @@ releases:
       - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
     needs:
       - "ums"
-    installed: {{ .Values.univentionManagementStack.enabled }}
+    installed: {{ .Values.nubus.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
-  component: "univention-management-stack"
+  component: "nubus"
 ...

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -0,0 +1,296 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+global:
+  nubusDeployment: true
+  ldap:
+    baseDn: {{ .Values.ldap.baseDn | quote }}
+    domainName: {{ .Values.global.domain | quote }}
+  domain: {{ .Values.global.domain | quote }}
+  ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
+  certManagerIssuer: "letsencrypt-prod-dns"
+  nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
+  keycloak:
+    realm: {{ .Values.platform.realm | quote }}
+  objectStorage:
+    bucket: {{ .Values.objectstores.nubus.bucket | quote }}
+    connection:
+      host: "minio"
+      port: "9000"
+      protocol: "http"
+  credentialOverride:
+    ldapServer:
+      adminPassword: {{ .Values.secrets.nubus.ldapSecret | quote}}
+    defaultUsers:
+      defaultAdminPassword: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote}}
+      defaultUserPassword: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote}}
+
+
+
+# Nubus bundled services
+postgresql:
+  enabled: false
+  provisioning:
+    enabled: false
+
+minio:
+  enabled: false
+
+# Nubus services which use customer supplied services
+keycloak:
+  keycloak:
+    auth:
+      username: "kcadmin"
+      credentialSecret:
+        name: "ums-opendesk-keycloak-credentials"
+        key: "admin_password"
+  postgresql:
+    connection:
+      host: {{ .Values.databases.keycloak.host | quote }}
+      port: {{ .Values.databases.keycloak.port }}
+    auth:
+      username: {{ .Values.databases.keycloak.username | quote }}
+      database: {{ .Values.databases.keycloak.name | quote }}
+      credentialSecret:
+        name: "ums-keycloak-postgresql-opendesk-credentials"
+        key: "keycloakDatabasePassword"
+  config:
+    exposeAdminConsole: {{ .Values.debug.enabled }}
+
+nubusGuardian:
+  provisioning:
+    enabled: true
+    config:
+      keycloak:
+        credentialSecret:
+          name: "ums-opendesk-keycloak-credentials"
+          key: "admin_password"
+      managementApi:
+        credentialSecret:
+          name: "ums-opendesk-guardian-client-secret"
+          key: "managementApiClientSecret"
+
+  postgresql:
+    connection:
+      host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
+      port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
+    auth:
+      username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+      database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+      credentialSecret:
+        name: "ums-guardian-postgresql-opendesk-credentials"
+        key: "guardianDatabasePassword"
+
+nubusNotificationsApi:
+  postgresql:
+    connection:
+      host: {{ .Values.databases.umsNotificationsApi.host | quote }}
+      port: {{ .Values.databases.umsNotificationsApi.port | quote }}
+    auth:
+      username: {{ .Values.databases.umsNotificationsApi.username | quote }}
+      database: {{ .Values.databases.umsNotificationsApi.name | quote }}
+      existingSecret: "ums-notifications-api-postgresql-opendesk-credentials"
+
+
+nubusKeycloakExtensions:
+  keycloak:
+    auth:
+      username: "kcadmin"
+      credentialSecret:
+        name: "ums-opendesk-keycloak-credentials"
+        key: "admin_password"
+  proxy:
+    ingress:
+      paths:
+        {{- if .Values.debug.enabled }}
+        - pathType: "Prefix"
+          path: "/admin/"
+        {{- end }}
+        - pathType: "Prefix"
+          path: "/realms/"
+        - pathType: "Prefix"
+          path: "/js/"
+        - pathType: "Prefix"
+          path: "/resources/"
+        - pathType: "Prefix"
+          path: "/fingerprintjs"
+
+
+  postgresql:
+    connection:
+      host: {{ .Values.databases.keycloakExtension.host | quote }}
+      port: {{ .Values.databases.keycloakExtension.port | quote }}
+    auth:
+      database: {{ .Values.databases.keycloakExtension.name | quote }}
+      username: {{ .Values.databases.keycloakExtension.username | quote }}
+      credentialSecret:
+        name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
+        key: "umcKeycloakExtensionsDatabasePassword"
+  smtp:
+    connection:
+      host: {{ .Values.smtp.host | quote }}
+      port: {{ .Values.smtp.port | quote }}
+    auth:
+      username: {{ .Values.smtp.username | quote }}
+      credentialSecret:
+        name: "ums-keycloak-extensions-smtp-opendesk-credentials"
+        key: "umcKeycloakExtensionsSmtpPassword"
+  handler:
+    appConfig:
+      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
+      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+
+nubusPortalListener:
+  portalListener:
+    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
+    objectStorageCredentialSecret:
+      name: "ums-portal-listener-minio-opendesk-credentials"
+      accessKeyKey: "access-key-id"
+      secretKeyKey: "secret-key-id"
+
+nubusPortalServer:
+  portalServer:
+    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
+    objectStorageCredentialSecret:
+      name: "ums-portal-server-minio-opendesk-credentials"
+      accessKeyKey: "access-key-id"
+      secretKeyKey: "secret-key-id"
+    centralNavigation:
+      enabled: true
+      authenticatorSecretName: "ums-opendesk-portal-server-central-navigation"
+
+# NOTE: disabled until the next update.
+nubusProvisioning:
+  enabled: false
+nubusUdmListener:
+  enabled: false
+nubusSelfServiceListener:
+  enabled: true
+
+# Nubus services
+nubusStackDataUms:
+  stackDataContext:
+    umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
+    umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
+    umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
+    umcMemcachedUsername: ""
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    umcHtmlTitle: "openDesk Portal"
+    installUmcPolicies: true
+  nubusUmcServer:
+    memcached:
+      auth:
+        username: ""
+
+# TODO: Remove values when upstreaming fixes
+nubusStackDataSwp:
+  stackDataContext:
+    ldapSearchUsers:
+      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
+      - username: {{ printf "ldapsearch_%s" $username | quote }}
+        password: {{ $password | quote }}
+        lastname: "LDAP-Search-User"
+      {{- end }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    smtpHost: {{ .Values.smtp.host | quote }}
+    smtpPort: {{ .Values.smtp.port | quote }}
+    smtpUser: {{ .Values.smtp.username | quote }}
+    ldapBase: {{ .Values.ldap.baseDn }}
+    # FIXME: Should be templated correctly in the future
+    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
+    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
+    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
+    portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
+    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
+    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
+    portalTitleDE: "openDesk Portal"
+    portalTitleEN: "openDesk Portal"
+
+nubusUmcServer:
+  postgresql:
+    bundled: false
+    connection:
+      host: {{ .Values.databases.umsSelfservice.host | quote }}
+      port: {{ .Values.databases.umsSelfservice.port | quote }}
+    auth:
+      username: {{ .Values.databases.umsSelfservice.username | quote }}
+      database: {{ .Values.databases.umsSelfservice.name | quote }}
+      credentialSecret:
+        name: "ums-umc-server-postgresql-opendesk-credentials"
+        key: "umcServerDatabasePassword"
+  memcached:
+    bundled: false
+    server: {{ .Values.cache.umsSelfservice.host | quote }}
+    auth:
+      credentialSecret:
+        name: "ums-umc-server-memcached-opendesk-credentials"
+        key: "umcServerMemcachedPassword"
+  smtp:
+    credentialSecret:
+      name: "ums-umc-server-smtp-credentials-custom"
+
+nubusUmcGateway:
+  umcGateway:
+    umcHtmlTitle: "openDesk Portal"
+
+nubusKeycloakBootstrap:
+  keycloak:
+    auth:
+      username: "kcadmin"
+      credentialSecret:
+        name: "ums-opendesk-keycloak-credentials"
+        key: "admin_password"
+  bootstrap:
+    ldapMappers:
+      - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
+      - ldapAndUserModelAttributeName: "oxContextIDNum"
+    twoFactorAuthentication:
+      enabled: true
+      group: "2fa-users"
+
+# Credential secrets for accessing customer supplied services
+extraSecrets:
+  - name: "ums-opendesk-portal-server-central-navigation"
+    stringData:
+      authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  - name: "ums-opendesk-guardian-client-secret"
+    stringData:
+      managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+  - name: "ums-opendesk-keycloak-credentials"
+    stringData:
+      admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }}
+  - name: "ums-keycloak-postgresql-opendesk-credentials"
+    stringData:
+      keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
+  - name: "ums-guardian-postgresql-opendesk-credentials"
+    stringData:
+      guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+  - name: "ums-notifications-api-postgresql-opendesk-credentials"
+    stringData:
+      password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+  - name: "ums-umc-server-postgresql-opendesk-credentials"
+    stringData:
+      umcServerDatabasePassword: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+  - name: "ums-umc-server-memcached-opendesk-credentials"
+    stringData:
+      umcServerMemcachedPassword: ""
+  - name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
+    stringData:
+      umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
+  - name: "ums-keycloak-extensions-smtp-opendesk-credentials"
+    stringData:
+      umcKeycloakExtensionsSmtpPassword: {{ .Values.smtp.password | quote }}
+  - name: "ums-portal-server-minio-opendesk-credentials"
+    stringData:
+      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
+      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  - name: "ums-portal-listener-minio-opendesk-credentials"
+    stringData:
+      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
+      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  - name: "ums-umc-server-smtp-credentials-custom"
+    stringData:
+      password: {{ .Values.smtp.password | quote }}

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -0,0 +1,269 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+keycloak:
+  enabled: true
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-keycloak"
+  replicaCount: {{ .Values.replicas.keycloak }}
+  resources:
+    {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
+
+guardian:
+  authorizationApi:
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-guardian-authorization-api"
+    resources:
+      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
+  managementApi:
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-guardian-management-api"
+    resources:
+      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
+  managementUi:
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-guardian-management-ui"
+    resources:
+      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}#
+  openPolicyAgent:
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
+    resources:
+      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
+  provisioning:
+    # Using openDesk keycloak provisioning
+    enabled: false
+
+nubusNotificationsApi:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-notifications-api"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  replicaCount: {{ .Values.replicas.umsNotificationsApi }}
+  resources:
+    {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
+
+nubusUmcServer:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-umc-server"
+  replicaCount: {{ .Values.replicas.umsUmcServer }}
+  resources:
+    {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
+  selfService:
+    passwordresetEmailBody: |
+        Sehr geehrte Benutzerin, sehr geehrter Benutzer,
+
+        Ihr Benutzername für {domainname} lautet: {username}
+
+        Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde.
+
+        Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen:
+        https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username}
+
+        Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter:
+        https://{fqdn}/univention/portal/#/selfservice/passwordforgotten
+
+        Mit freundlichen Grüßen
+        Ihr {domainname} Passwort-Service
+
+nubusKeycloakExtensions:
+  handler:
+    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
+    resources:
+      {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
+  proxy:
+    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
+    resources:
+      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
+
+nubusPortalListener:
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-portal-listener"
+  replicaCount: {{ .Values.replicas.umsPortalListener }}
+  resources:
+    {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
+  persistence:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.nubus.portalListener | quote }}
+
+nubusPortalServer:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-portal-server"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  replicaCount: {{ .Values.replicas.umsPortalServer }}
+  resources:
+    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
+
+nubusLdapNotifier:
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-ldap-notifier"
+  replicaCount: {{ .Values.replicas.umsLdapNotifier }}
+  resources:
+    {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
+
+nubusLdapServer:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-ldap-server"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
+  resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
+  persistence:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
+  extraVolumes:
+    - name: "opendesk-schemas"
+      configMap:
+        name: "{{ .Release.Name }}-stack-data-swp-schemas"
+  extraVolumeMounts:
+    - name: "opendesk-schemas"
+      mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
+      subPath: "opendeskFileshare.schema"
+    - name: "opendesk-schemas"
+      mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
+      subPath: "opendeskKnowledgemanagement.schema"
+    - name: "opendesk-schemas"
+      mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
+      subPath: "opendeskLearnmanagement.schema"
+    - name: "opendesk-schemas"
+      mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
+      subPath: "opendeskLivecollaboration.schema"
+    - name: "opendesk-schemas"
+      mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
+      subPath: "opendeskProjectmanagement.schema"
+
+nubusPortalFrontend:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-portal-frontend"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  replicaCount: {{ .Values.replicas.umsPortalFrontend }}
+  resources:
+    {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
+  portalFrontend:
+    branding:
+      css: {{ .Values.theme.imagery.portalCss | toJson }}
+      favicon: {{ .Values.theme.imagery.faviconIcoB64 | toJson }}
+      logo: {{ .Values.theme.imagery.logoHeaderSvgB64 | toJson }}
+      backgroundImage: {{ .Values.theme.imagery.logoPortalBackgroundSvgB64 | toJson }}
+
+nubusStackDataUms:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-stack-data-ums"
+  resources:
+    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
+
+nubusStackDataSwp:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-stack-data-swp"
+  resources:
+    {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}
+
+nubusSelfServiceListener:
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-selfservice-listener"
+  resources:
+    {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
+  replicaCount: {{ .Values.replicas.umsSelfserviceListener }}
+
+nubusUdmRestApi:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-udm-rest-api"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  resources:
+    {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
+  initResources:
+    {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
+  replicaCount: {{ .Values.replicas.umsUdmRestApi }}
+  extraVolumes:
+    - name: "attribute-to-group-mapper-hook"
+      configMap:
+        name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
+  extraVolumeMounts:
+    - name: "attribute-to-group-mapper-hook"
+      mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
+      subPath: "AttributeToGroupMapper.py"
+    - name: "attribute-to-group-mapper-hook"
+      mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
+      subPath: "flag_to_group_mapping.json"
+
+nubusUmcGateway:
+  replicaCount: {{ .Values.replicas.umsUmcGateway }}
+  resources:
+    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
+  extraVolumes:
+    - name: "entrypoint-swp-patches"
+      configMap:
+        name: "ums-stack-data-swp-umc-gateway-entrypoint"
+        defaultMode: 0555
+    - name: "announcements-customization"
+      configMap:
+        name: "ums-stack-data-swp-umc-server-announcements"
+        defaultMode: 0444
+  extraVolumeMounts:
+    - name: "entrypoint-swp-patches"
+      mountPath: "/entrypoint.d/90-swp.sh"
+      subPath: "90-swp.sh"
+    - name: "announcements-customization"
+      mountPath:
+        "/usr/share/univention-management-console-frontend/js/dijit/themes\
+        /umc/icons/16x16/udm-portals-announcement.png"
+      subPath: "udm-portals-announcement.png"
+
+nubusKeycloakBootstrap:
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  resources:
+    {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
+
+nubusProvisioning:
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  nats:
+    resources:
+      {{ .Values.resources.nubusProvisioning.nats | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-nats"
+    serviceAccount:
+      annotations:
+        intended.usage: "compliance"
+  api:
+    resources:
+      {{ .Values.resources.nubusProvisioning.api | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-api"
+  dispatcher:
+    resources:
+      {{ .Values.resources.nubusProvisioning.dispatcher | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
+  prefill:
+    resources:
+      {{ .Values.resources.nubusProvisioning.prefill | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-prefill"
+  registerConsumers:
+    resources:
+      {{ .Values.resources.nubusProvisioning.registerConsumers | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
+  udmTransformer:
+    resources:
+      {{ .Values.resources.nubusProvisioning.udmTransformer | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"

helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl

@@ -0,0 +1,230 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+keycloak:
+  image:
+    registry: {{ .Values.images.nubusKeycloak.registry }}
+    repository: {{ .Values.images.nubusKeycloak.repository }}
+    tag: {{ .Values.images.nubusKeycloak.tag }}
+
+nubusKeycloakBootstrap:
+  image:
+    registry: {{ .Values.images.nubusKeycloakBootstrap.registry }}
+    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
+    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
+
+nubusKeycloakExtensions:
+    handler:
+      image:
+        registry: {{ .Values.images.nubusKeycloakExtensionHandler.registry }}
+        repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
+        tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
+    
+    proxy:
+      image:
+        registry: {{ .Values.images.nubusKeycloakExtensionProxy.registry }}
+        repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
+        tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
+
+nubusLdapNotifier:
+  image:
+    registry: {{ .Values.images.nubusLdapNotifier.registry }}
+    repository: {{ .Values.images.nubusLdapNotifier.repository }}
+    tag: {{ .Values.images.nubusLdapNotifier.tag }}
+
+nubusLdapServer:
+  ldapServer:
+    image:
+      registry: {{ .Values.images.nubusLdapServer.registry }}
+      repository: {{ .Values.images.nubusLdapServer.repository }}
+      tag: {{ .Values.images.nubusLdapServer.tag }}
+  dhInitcontainer:
+    image:
+      registry: {{ .Values.images.nubusLdapServerDhInitContainer.registry }} 
+      repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
+      tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
+  waitForDependency:
+    image:
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
+      repository: {{ .Values.images.nubusWaitForDependency.repository }}
+      tag: {{ .Values.images.nubusWaitForDependency.tag }}
+      
+
+nubusPortalConsumer:
+  portalConsumer:
+    image:
+      registry: {{ .Values.images.nubusPortalConsumer.registry }}
+      repository: {{ .Values.images.nubusPortalConsumer.repository }}
+      tag: {{ .Values.images.nubusPortalConsumer.tag }}
+      
+
+nubusNotificationsApi:
+  image:
+    registry: {{ .Values.images.nubusNotificationsApi.registry }}
+    repository: {{ .Values.images.nubusNotificationsApi.repository }}
+    tag: {{ .Values.images.nubusNotificationsApi.tag }}
+
+nubusPortalFrontend:
+  image:
+    registry: {{ .Values.images.nubusPortalFrontend.registry }}
+    repository: {{ .Values.images.nubusPortalFrontend.repository }}
+    tag: {{ .Values.images.nubusPortalFrontend.tag }}
+
+nubusPortalListener:
+  image:
+    registry: {{ .Values.images.nubusPortalListener.registry }}
+    repository: {{ .Values.images.nubusPortalListener.repository }}
+    tag: {{ .Values.images.nubusPortalListener.tag }}
+  waitForDependency:
+    image:
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
+      repository: {{ .Values.images.nubusWaitForDependency.repository }}
+      tag: {{ .Values.images.nubusWaitForDependency.tag }}
+
+nubusPortalServer:
+  image:
+    registry: {{ .Values.images.nubusPortalServer.registry }}
+    repository: {{ .Values.images.nubusPortalServer.repository }}
+    tag: {{ .Values.images.nubusPortalServer.tag }}
+
+nubusProvisioning:
+  api:
+    image:
+      registry: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.registry }}
+      repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
+      tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
+  dispatcher:
+    image:
+      registry: {{ .Values.images.nubusProvisioningDispatcher.registry }}
+      repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
+      tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
+  udmTransformer:
+    image:
+      registry: {{ .Values.images.nubusProvisioningUdmTransformer.registry }}
+      repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
+      tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
+  prefill:
+    image:
+      registry: {{ .Values.images.nubusProvisioningPrefill.registry }}
+      repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
+      tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
+  registerConsumers:
+    image:
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
+      repository: {{ .Values.images.nubusWaitForDependency.repository }}
+      tag: {{ .Values.images.nubusWaitForDependency.tag }}
+  nats:
+    nats:
+        image:
+            registry: {{ .Values.images.nubusNats.registry }}
+            repository: {{ .Values.images.nubusNats.repository }}
+            tag: {{ .Values.images.nubusNats.tag }}
+    reloader:
+        image:
+            registry: {{ .Values.images.nubusNatsReloader.registry }}
+            repository: {{ .Values.images.nubusNatsReloader.repository }}
+            tag: {{ .Values.images.nubusNatsReloader.tag }}
+    natsBox:
+        image:
+            registry: {{ .Values.images.nubusNatsBox.registry }}
+            repository: {{ .Values.images.nubusNatsBox.repository }}
+            tag: {{ .Values.images.nubusNatsBox.tag }}
+
+nubusProvisioningEventsAndConsumerApi:
+  image:
+    registry: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.registry }}
+    repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
+    tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
+
+nubusProvisioningPrefill:
+  image:
+    registry: {{ .Values.images.nubusProvisioningPrefill.registry }}
+    repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
+    tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
+
+nubusUdmListener:
+  image:
+    registry: {{ .Values.images.nubusProvisioningUdmListener.registry }}
+    repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
+    tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
+
+nubusSelfServiceListener:
+  image:
+    registry: {{ .Values.images.nubusSelfserviceInvitation.registry }}
+    repository: {{ .Values.images.nubusSelfserviceInvitation.repository }}
+    tag: {{ .Values.images.nubusSelfserviceInvitation.tag }}
+
+nubusUdmRestApi:
+  # oxPlugin:
+  #   image:
+  #     registry: \{\{ .Values.images.nubusUdmRestApiOxPlugin.registry }}
+  #     repository: \{\{ .Values.images.nubusUdmRestApiOxPlugin.repository }}
+  #     tag: \{\{ .Values.images.nubusUdmRestApiOxPlugin.tag }}
+  # portalPlugin:
+  #   image:
+  #     registry: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.registry }}
+  #     repository: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.repository }}
+  #     tag: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.tag }}
+  udmRestApi:
+    image:
+      registry: {{ .Values.images.nubusUdmRestApi.registry }}
+      repository: {{ .Values.images.nubusUdmRestApi.repository }}
+      tag: {{ .Values.images.nubusUdmRestApi.tag }}
+
+nubusUmcGateway:
+  image:
+    registry: {{ .Values.images.nubusUmcGateway.registry }}
+    repository: {{ .Values.images.nubusUmcGateway.repository }}
+    tag: {{ .Values.images.nubusUmcGateway.tag }}
+
+nubusUmcServer:
+  image:
+    registry: {{ .Values.images.nubusUmcServer.registry }}
+    repository: {{ .Values.images.nubusUmcServer.repository }}
+    tag: {{ .Values.images.nubusUmcServer.tag }}
+
+nubusWaitForDependency:
+  image:
+    registry: {{ .Values.images.nubusWaitForDependency.registry }}
+    repository: {{ .Values.images.nubusWaitForDependency.repository }}
+    tag: {{ .Values.images.nubusWaitForDependency.tag }}
+
+
+nubusGuardian:
+  provisioning:
+    image:
+      registry: {{ .Values.images.nubusGuardianProvisioning.registry }}
+      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
+      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
+  authorizationApi:
+    image:
+      registry: {{ .Values.images.nubusGuardianAuthorizationApi.registry }}
+      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
+      tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
+  managementApi:
+    image:
+      registry: {{ .Values.images.nubusGuardianManagementApi.registry }}
+      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
+      tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
+  managementUi:
+    image:
+      registry: {{ .Values.images.nubusGuardianManagementUi.registry }}
+      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
+      tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
+  openPolicyAgent:
+    image:
+      registry: {{ .Values.images.nubusOpenPolicyAgent.registry }}
+      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
+      tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
+
+nubusStackDataUms:
+  image:
+    registry: {{ .Values.images.nubusDataLoader.registry }}
+    repository: {{ .Values.images.nubusDataLoader.repository }}
+    tag: {{ .Values.images.nubusDataLoader.tag }}
+
+nubusStackDataSwp:
+  image:
+    registry: {{ .Values.images.nubusDataLoader.registry }}
+    repository: {{ .Values.images.nubusDataLoader.repository }}
+    tag: {{ .Values.images.nubusDataLoader.tag }}

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -461,7 +461,7 @@ config:
         redirectUris:
           - "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
           - "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         standardFlowEnabled: true
         directAccessGrantsEnabled: true
         serviceAccountsEnabled: true
@@ -472,7 +472,7 @@ config:
         attributes:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-matrix-scope"
       # The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID.
@@ -488,7 +488,7 @@ config:
         publicClient: false
         authorizationServicesEnabled: false
         attributes:
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes: []
         optionalClientScopes: []
       - name: "opendesk-nextcloud"
@@ -498,7 +498,7 @@ config:
         secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
         redirectUris:
           - "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         consentRequired: false
         frontchannelLogout: false
         publicClient: false
@@ -506,7 +506,7 @@ config:
         attributes:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-nextcloud-scope"
           - "read_contacts"
@@ -518,7 +518,7 @@ config:
         secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
         redirectUris:
           - "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         consentRequired: false
         frontchannelLogout: false
         publicClient: false
@@ -527,7 +527,7 @@ config:
         attributes:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-openproject-scope"
       - name: "opendesk-oxappsuite"
@@ -537,7 +537,7 @@ config:
         secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
         redirectUris:
           - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         consentRequired: false
         frontchannelLogout: false
         publicClient: false
@@ -545,7 +545,7 @@ config:
         attributes:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-oxappsuite-scope"
           - "read_contacts"
@@ -557,7 +557,7 @@ config:
         secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
         redirectUris:
           - "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         consentRequired: false
         frontchannelLogout: false
         publicClient: false
@@ -565,299 +565,9 @@ config:
         attributes:
           backchannel.logout.session.required: false
           backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-xwiki-scope"
-      - name: "guardian-management-api"
-        clientId: "guardian-management-api"
-        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        protocol: "openid-connect"
-        publicClient: false
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
-        fullScopeAllowed: true
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: false
-        serviceAccountsEnabled: true
-        protocolMappers:
-          - name: "Client Host"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientHost"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientHost"
-              jsonType.label: "String"
-          - name: "Client ID"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "client_id"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "client_id"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              userinfo.token.claim: false
-              id.token.claim: false
-              access.token.claim: true
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-cli"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "Client IP Address"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientAddress"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientAddress"
-              jsonType.label: "String"
-      - name: "guardian-scripts"
-        clientId: "guardian-scripts"
-        description: ""
-        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        adminUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        surrogateAuthRequired: false
-        enabled: true
-        alwaysDisplayInConsole: false
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
-        webOrigins:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        bearerOnly: false
-        consentRequired: false
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: true
-        serviceAccountsEnabled: false
-        publicClient: true
-        frontchannelLogout: false
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-scripts"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              aggregate.attrs: false
-              multivalued: false
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-        defaultClientScopes:
-          - "web-origins"
-          - "acr"
-          - "roles"
-          - "profile"
-          - "email"
-        optionalClientScopes:
-          - "address"
-          - "phone"
-          - "offline_access"
-          - "microprofile-jwt"
-      - name: "guardian-ui"
-        clientId: "guardian-ui"
-        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
-        standardFlowEnabled: true
-        publicClient: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: false
-        serviceAccountsEnabled: false
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: "false"
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -23,7 +23,7 @@ dovecot:
     port: 389
     base: "dc=swp-ldap,dc=internal"
     dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
-    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
+    password: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
   oidc:
     enabled: true
     clientID: "opendesk-dovecot"

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl

@@ -23,7 +23,7 @@ appsuite:
             type: "adminDN"
             adminDN:
               dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
-              password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
+              password: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
 
     uiSettings:
       # Enterprise contact picker

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -185,7 +185,7 @@ appsuite:
       com.openexchange.oidc.opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
       com.openexchange.oidc.opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
       com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/auth"
-      com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+      com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
       com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/logout"
       com.openexchange.oidc.ssoLogout: "true"
       com.openexchange.oidc.startDefaultBackend: "true"
@@ -269,7 +269,7 @@ appsuite:
       /opt/open-xchange/etc/ldapauth.properties:
         java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
         bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
-        bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
+        bindDNPassword: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
         bindOnly: "false"
       /opt/open-xchange/etc/antivirus.properties:
         com.openexchange.antivirus.enabled: "true"
@@ -311,7 +311,7 @@ appsuite:
       # io.ox/mail//contactCollectOnMailAccess: "true"
       # Dynamic theme
       io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
-      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
       io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
       io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
       io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}

helmfile/apps/openproject/values.yaml.gotmpl

@@ -37,7 +37,7 @@ environment:
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSearch.openproject | quote }}
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
   OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
@@ -57,7 +57,7 @@ environment:
   OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
   OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
   OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
@@ -68,7 +68,7 @@ environment:
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
   OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
-  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.nubus .Values.global.domain | quote }}
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
   {{- if .Values.enterprise.openproject.token }}

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -19,9 +19,9 @@ oxConnector:
   caCert: "ucctempldapstring"
   debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   domainName: {{ .Values.global.domain | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
+  ldapHost: "{{ .Values.ldap.host | quote }}-primary"
   logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  ldapPassword: {{ .Values.secrets.nubus.ldapSecret | quote }}
   ldapBaseDn: "dc=swp-ldap,dc=internal"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
   tlsMode: "off"

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -98,7 +98,7 @@ provisioning:
     - name: {{ .Values.objectstores.openproject.bucket | quote }}
       versioning: true
       withLock: false
-    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
+    - name: {{ .Values.objectstores.nubus.bucket | quote }}
       versioning: false
       withLock: false
   policies:
@@ -169,7 +169,7 @@ provisioning:
       policies:
         - "openproject-bucket-policy"
       setPolicies: true
-    - username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
+    - username: {{ .Values.objectstores.nubus.username | quote }}
       password: {{ .Values.secrets.minio.umsUser | quote }}
       disabled: false
       policies:

helmfile/apps/services/values-otterize.yaml.gotmpl

@@ -41,7 +41,7 @@ apps:
   redis:
     enabled: {{ .Values.redis.enabled }}
   univentionManagementStack:
-    enabled: {{ .Values.univentionManagementStack.enabled }}
+    enabled: {{ .Values.nubus.enabled }}
   xwiki:
     enabled: {{ .Values.xwiki.enabled }}
 

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -55,7 +55,7 @@ customConfigs:
     xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
     xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
-    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionManagementStack.ldapSearch.xwiki | quote }}
+    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
     ## Base DN used for searching for users
     xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
     ## Allow short update cycles of the LDAP group cache
@@ -83,8 +83,8 @@ customConfigs:
     # yamllint disable-line rule:line-length
     oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
     url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-    workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
-    workplaceServices.base: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+    workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
+    workplaceServices.base: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
     workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
     openoffice.serverType: "0"
     notifications.emails.live.graceTime: "5"
@@ -129,8 +129,8 @@ postgresql:
   enabled: false
 
 properties:
-  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvg | b64enc }}"
-  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvg | b64enc }}"
+  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvgB64 }}"
+  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvgB64 }}"
   "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
   "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
   "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1

helmfile/environments/default/charts.yaml

@@ -200,7 +200,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
     name: "opendesk-migrations"
-    version: "1.0.1"
+    version: "1.1.1"
     verify: true
   minio:
     # providerCategory: "Community"
@@ -242,6 +242,20 @@ charts:
     name: "nginx"
     version: "15.9.3"
     verify: true
+  nubus:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/charts/nubus"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "19", "3"]
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus-dev/charts"
+    name: "nubus"
+    version: "0.29.2-pre-jconde-fix-udm-rest-api"
+    verify: true
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -304,7 +318,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
     name: "opendesk-otterize"
-    version: "2.0.1"
+    version: "2.1.0"
     verify: true
   oxConnector:
     # providerCategory: "Supplier"
@@ -378,30 +392,6 @@ charts:
     name: "opendesk-synapse-web"
     version: "3.3.0"
     verify: true
-  ums:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/charts/ums"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "12", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "ums"
-    version: "0.16.0"
-    verify: true
-  umsKeycloakBootstrap:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/charts/keycloak-bootstrap"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "1", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "keycloak-bootstrap"
-    version: "0.1.0"
-    verify: true
   xwiki:
     # providerCategory: "Supplier"
     # providerResponsible: "XWiki"

helmfile/environments/default/global.generated.yaml

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.9.0"
+    releaseVersion: "v0.9.1"
 ...

helmfile/environments/default/global.gotmpl

@@ -40,11 +40,11 @@ global:
     minioApi: "minio"
     minioConsole: "minio-console"
     nextcloud: "fs"
+    nubus: "portal"
     openproject: "project"
     openxchange: "webmail"
     synapse: "matrix"
     synapseFederation: "matrix-federation"
-    univentionManagementStack: "portal"
     whiteboard: "whiteboard"
     xwiki: "wiki"
 

helmfile/environments/default/images.yaml

@@ -205,7 +205,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.0.2@sha256:fbe21b4e2a276d2c5d052c1bb52158debfcc146188e654661001d4ff45b1b453"
+    tag: "1.1.7@sha256:08b2ca4d3e946a388576f41ab80b3e91e588580580bf53edfed695586818e2f7"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -487,7 +487,7 @@ images:
     registry: "registry-1.docker.io"
     repository: "rapidfort/haproxy-official"
     tag: "2.6.15-bullseye@sha256:47b6ca4074347788cb414fbf3db35d0c51e9e47af33be46457f95c750540887c"
-  umsDataLoader:
+  nubusDataLoader:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -496,8 +496,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "41", "5"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.45.2@sha256:6e2e054903f361eea5cd54ae6dd3da94380d4a6a11f2628983e2acdbc66d605e"
-  umsGuardianAuthorizationApi:
+    tag: "0.58.1@sha256:9dcc4c8d99d3fa968aa3ddc67812c70816509c29111a503798d7a7c522cde850"
+  nubusGuardianAuthorizationApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://docker.software-univention.de"
@@ -507,7 +507,7 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-authorization-api"
     tag: "2.0.0@sha256:5f194f9385aea5a279e25a57352f7b88a6cc4fa90b3bf04c2c97b9ff2bad70a5"
-  umsGuardianManagementApi:
+  nubusGuardianManagementApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://docker.software-univention.de"
@@ -517,7 +517,7 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-api-management-api"
     tag: "2.0.0@sha256:61a1ab84efebe2a87d358e8624f8b39073a6071683e7cd77b740a97d464753a2"
-  umsGuardianManagementUi:
+  nubusGuardianManagementUi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://docker.software-univention.de"
@@ -527,7 +527,7 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-ui-management-ui"
     tag: "2.0.0@sha256:57e2503a4772f0ff656e792a98fadef4d41c248218e6c368f76ce82a892478cf"
-  umsGuardianProvisioning:
+  nubusGuardianProvisioning:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -536,8 +536,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    tag: "0.4.0@sha256:390e20ad73a91ae2ecc33d91d1f21872a46e6af4d4d09095d1ce18a6d4a3635e"
-  umsKeycloak:
+    tag: "0.9.1@sha256:6006fb1c2779b906e7725df524f2587b2a610cc442793bf8f16b2b4b8c0494fb"
+  nubusKeycloak:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://docker.software-univention.de"
@@ -547,7 +547,7 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
     tag: "24.0.3-ucs1@sha256:cc66a1730abdd5abe88ac5cf045b6558f289bf1ae8d077ee884a42d785742f8b"
-  umsKeycloakBootstrap:
+  nubusKeycloakBootstrap:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -557,7 +557,7 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
     tag: "0.1.0@sha256:351097e9e7b469f2fc149fe612ec6ad515d5e6b081d7e2785bd926a1d77209d2"
-  umsKeycloakExtensionHandler:
+  nubusKeycloakExtensionHandler:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -566,8 +566,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.4.0@sha256:7c2728d6fce0fa6e6cc2a3c196294fcb4fcce0dd246b95ad96bd96325776a004"
-  umsKeycloakExtensionProxy:
+    tag: "0.9.1@sha256:4c8087cf871c1383a016c331a9687812d71ee6b6e1a899d241a1b887a1ec3702"
+  nubusKeycloakExtensionProxy:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -576,8 +576,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.4.0@sha256:d7369d8b9cb177fc19b08452266bf7440b683fd0a15c01baeb5c131db20081bf"
-  umsLdapNotifier:
+    tag: "0.9.1@sha256:01e5e160799f30e85cccecd3dc4c50d4c296f5fa48c15c5e1d52d94ea63eb5f7"
+  nubusLdapNotifier:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -586,8 +586,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.10.3@sha256:beb4577e7fdf1e18d3769e62296f210c0651460346dc2325e6cc29f4c671fa71"
-  umsLdapServer:
+    tag: "0.15.2@sha256:1f2a9d2136c8e87a4c4a59a94a2235d00e969c98bd7bfe75707a299918f271b5"
+  nubusLdapServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -596,16 +596,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.10.3@sha256:7742eca27bf1134cf92e6e3571bc2784e2f21a76664fdcab6ae213051db26c05"
-  umsNats:
-    # providerCategory: 'Community'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry-1.docker.io'
-    # upstreamRepository: 'library/nats'
-    registry: "registry-1.docker.io"
-    repository: "library/nats"
-    tag: "2.10.10@sha256:fa26beda8a3187ccefa47afcfe9ea6d0e2f40a57c8f64d70bd63c792d7973938"
-  umsNatsBox:
+    tag: "0.17.1@sha256:5b7b629b9655c7bb2857013f3399cefe5bdd3963d568bbf77d6d488c005e3b3b"
+  nubusLdapServerDhInitContainer:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
     # upstreamRegistry: 'registry-1.docker.io'
@@ -613,7 +605,23 @@ images:
     registry: "registry-1.docker.io"
     repository: "natsio/nats-box"
     tag: "0.14.2@sha256:c9b8ebaabb2ca4c227feb4f6b856dc72d4775ac3d71f80d2c65aa82303079011"
-  umsNatsReloader:
+  nubusNats:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'library/nats'
+    registry: "registry-1.docker.io"
+    repository: "library/nats"
+    tag: "2.10.10@sha256:fa26beda8a3187ccefa47afcfe9ea6d0e2f40a57c8f64d70bd63c792d7973938"
+  nubusNatsBox:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'natsio/nats-box'
+    registry: "registry-1.docker.io"
+    repository: "natsio/nats-box"
+    tag: "0.14.2@sha256:c9b8ebaabb2ca4c227feb4f6b856dc72d4775ac3d71f80d2c65aa82303079011"
+  nubusNatsReloader:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
     # upstreamRegistry: 'registry-1.docker.io'
@@ -621,7 +629,7 @@ images:
     registry: "registry-1.docker.io"
     repository: "natsio/nats-server-config-reloader"
     tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
-  umsNotificationsApi:
+  nubusNotificationsApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -630,8 +638,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.20.3@sha256:1e32854d6d4413725870fde26a904da83282b3debea82b386c5753223ecc6a59"
-  umsOpenPolicyAgent:
+    tag: "0.27.0@sha256:d99173199f20c701b29b8a3c1a46465085a873b37f413882e7d2e106e258c35a"
+  nubusOpenPolicyAgent:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://docker.software-univention.de"
@@ -641,7 +649,17 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-opa"
     tag: "2.0.0@sha256:56a92a08da5addb951a2b2df09974889295ddde8526e93ad40dd973de1052ad4"
-  umsPortalFrontend:
+  nubusPortalConsumer:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/portal-consumer"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "27", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
+    tag: "0.27.0@sha256:e86bf827d1e93b61473a0730492f48f8dbf0d056b79dd9ecde7af1612696b144"
+  nubusPortalFrontend:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -650,8 +668,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.20.3@sha256:4fe6646711efcc07eb4b6e59a57f1d5080cca5f4ec2c960d073e92ecae8be42f"
-  umsPortalListener:
+    tag: "0.29.0@sha256:3af3d5d24f690557b4a644d5720113dca0c802465b0e43466b49db27acd37939"
+  nubusPortalListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -660,8 +678,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.20.7@sha256:8f158b88e0ceb7a5c79d2ad390f6ce851ce0c5ccb675d08d6b6c37f0b21f6177"
-  umsPortalServer:
+    tag: "0.24.2@sha256:98306b30c99e190ece6633921d9d54297634b0e4ca58ceaf0794c7050f0b8470"
+  nubusPortalServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -670,8 +688,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.20.3@sha256:0ec3db74ce9b7c8706d1534b6dcb464eb016a5de94c3b5bfc49215ccb606715c"
-  umsProvisioningDispatcher:
+    tag: "0.27.0@sha256:e1ad659feb4a1948d07e6e7d99b94b6bdbd4525d96f4cf9a010b75189f0082fc"
+  nubusProvisioningDispatcher:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -680,8 +698,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.21.3@sha256:29c5f216ab0f8d12c1e77969de6e82046c0d47e1111838fb0a2dcd9950c0175d"
-  umsProvisioningEventsAndConsumerApi:
+    tag: "0.28.3@sha256:79c81b0143e78c7cabb1efd63d47530eac686fba11db57c173abd8ebdd396778"
+  nubusProvisioningEventsAndConsumerApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -690,8 +708,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.21.3@sha256:4cb498a64dd40c0963ca1ca382213ad5b8a4de5eb57650946d78ac44b359f43f"
-  umsProvisioningPrefill:
+    tag: "0.28.3@sha256:5b0a2c52d715fde613ecfedb3a3f5e47b9eb73cdcf4c373a9cc58248a919f2bf"
+  nubusProvisioningPrefill:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -700,8 +718,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.21.3@sha256:944ff8558d12c59f3490cba68680281c3fa5468fd6fd011fd002befcb9956973"
-  umsProvisioningUdmListener:
+    tag: "0.28.3@sha256:a98bce46144a6ff943b0432b66277393b7b476b8969b221b9069c708d3380f5d"
+  nubusProvisioningUdmListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -710,8 +728,18 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.21.3@sha256:e1cd42558e44bb72ed5c7798cef711db94df7d10d6895c993ca6412df1d25f02"
-  umsSelfserviceInvitation:
+    tag: "0.28.3@sha256:b9c452e55e6716f93309bef0af7d401e218cd1e6ea9ad3d2819fb10dd631aecd"
+  nubusProvisioningUdmTransformer:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/provisioning-udm-transformer"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "14", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
+    tag: "0.29.0@sha256:68e27eb9560d2729e9065da3573f28073c5e53fedabac4d19562c4b8c6c1d1f3"
+  nubusSelfserviceInvitation:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -720,8 +748,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.4.0@sha256:bd252758576e1733076c78756f04225ebed73d9c48de22440975ef11dd087caf"
-  umsSelfserviceListener:
+    tag: "0.6.2@sha256:28b111488e13deb565475c69bc6493b4bafbc96f50109cc77e23f8055b9f4e34"
+  nubusSelfserviceListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -730,8 +758,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
-    tag: "0.4.0@sha256:0bc0235fd64a19a183f112da73109b54712c2d70fe7fa77c6405beefb7167588"
-  umsStackGateway:
+    tag: "0.6.5@sha256:a9724fd41cb89a9bdf231ea8699126d2d3503dc894fe9510a1e080ab8408838d"
+  nubusStackGateway:
     # providerCategory: "Community"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://registry-1.docker.io"
@@ -739,7 +767,7 @@ images:
     registry: "registry-1.docker.io"
     repository: "bitnami/nginx"
     tag: "1.25.4@sha256:dd352b597f4c38ae24abec411710f4249fb5c793293c7ed04737db6b41d32d24"
-  umsUdmRestApi:
+  nubusUdmRestApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -748,8 +776,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.9.3@sha256:7cf2fec05a4ff8b7085a35a215edbce1eb9456c1ae140af46257e66d5a6cd6f7"
-  umsUmcGateway:
+    tag: "0.19.0@sha256:41482c459655afa36eaf9ec21354ff8417e4da5e3a787ec2f865730952f6bb61"
+  nubusUmcGateway:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -758,8 +786,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.11.6@sha256:5d7c1a9b74409d2d7c42e08ca87b41cda506e43cad49efbc85a4ed6b8e9c6bc8"
-  umsUmcServer:
+    tag: "0.22.2@sha256:fe4d2c148946da6f5e92201f398ebd0d5a72795c50648993bd220ea1e228658d"
+  nubusUmcServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -768,8 +796,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.11.8@sha256:38a87524703a1e11fbb3cd3cc9d90d5b719e92329a0e3ea05c50451105d64ac6"
-  umsWaitForDependency:
+    tag: "0.22.2@sha256:474497f561c3532b37b7d5e77ec36bd1fefc4fbeaab9747b481533b0da086586"
+  nubusWaitForDependency:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -778,7 +806,240 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.20.3@sha256:d1ccba5fe7448c2bda71c8a93f265a42a000e8dc79fd884e7e6ecdf29ad80efc"
+    tag: "0.25.0@sha256:71a4d66fd67db6f92212b1936862b2b0d5a678d412213d74452a9195c2fe67f7"
+  opendeskKeycloakBootstrap:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
+    tag: "1.2.0@sha256:3b364c60bedb9ae001c39cbf84e4b4b326b9559078f21bfc993cf0e601196e6f"
+  openproject:
+    # providerCategory: "Supplier"
+    # providerResponsible: "OpenProject"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "openproject/open_desk"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["13", "1", "1"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
+    tag: "14.2.0@sha256:b4ea55b925de4fc8760ccf30268f0a2d472c4204bd4fc512720e8757489335d6"
+  openprojectBootstrap:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
+    tag: "1.1.3@sha256:401afe66c418fd130088edbed5cc3b4464dc667eb609f194ea68fd30dcbd1e90"
+  openprojectInitDb:
+    # providerCategory: "Community"
+    # providerResponsible: "OpenProject"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "library/postgres"
+    registry: "registry-1.docker.io"
+    repository: "library/postgres"
+    tag: "16.3-alpine3.20@sha256:de3d7b6e4b5b3fe899e997579d6dfe95a99539d154abe03f0b6839133ed05065"
+  openxchangeBootstrap:
+    # providerCategory: "Community"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "alpine/k8s"
+    registry: "registry-1.docker.io"
+    repository: "alpine/k8s"
+    tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
+  openxchangeCoreGuidedtours:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/core-guidedtours"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["8", "6", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
+    tag: "8.6.3@sha256:6fb8169cba4beb4bd9039f4ce7ab9b29fc02c4991b283824db949fe2b7be34e2"
+  openxchangeCoreMW:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/middleware-public-sector"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["8", "20", "51"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
+    tag: "8.23.47@sha256:b721bf41d7f06b328e9235a0561436cb678bc2a1a67202f0fa6e1f55956cc0cc"
+  openxchangeCoreUI:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/core-ui"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["8", "20", "1"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
+    tag: "8.23.2@sha256:0cc07053cbb9d7062a17ef807c6a6942a912748243a6f0c63a892d5cb2953351"
+  openxchangeCoreUIMiddleware:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/core-ui-middleware"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["2", "0", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
+    tag: "2.0.3@sha256:56fe8afe841105f0725674e36afc6f10f22751e3c21a301a6322834383f2d786"
+  openxchangeCoreUserGuide:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/core-user-guide"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["8", "20", "799279"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
+    tag: "8.23.941932@sha256:231b13cb795241513d2f54ee4bc628843ae737b5ecceab758aba3658f03de1bd"
+  openxchangeDocumentConverter:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/documentconverter"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["8", "20", "50"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
+    tag: "8.23.43@sha256:aa9bbce833ae018573997fb07dcaf32bb7c5c4c6a7d6331f3d3156fd5b8d53b3"
+  openxchangeGotenberg:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/gotenberg"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["7", "9", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/gotenberg"
+    tag: "8.2.0@sha256:ec5afe8eea496d3bef6c42291fde9c203c20e8a68189a2314ef876e9c0e67680"
+  openxchangeGuardUI:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/guard-ui"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["4", "2", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
+    tag: "8.23.0@sha256:0510458017fa028582515ce18c0b12f91ac9e23f0e94e99ac34fd49b07146c01"
+  openxchangeImageConverter:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/imageconverter"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["8", "20", "50"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
+    tag: "8.23.43@sha256:ecc77a569f60e1b14f0d77ec93d891200b89d11eb9d7c26f59fa7696343e20e3"
+  openxchangeNextcloudIntegrationUI:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/nextcloud-integration-ui"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "2", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/nextcloud-integration-ui"
+    tag: "1.2.0@sha256:3d0ef11196f7544a01539e6790e4402ad69e2a501312eb7c7bb128c6563d0a8d"
+  openxchangePublicSectorUI:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Open-Xchange"
+    # upstreamRegistry: "https://registry.open-xchange.com"
+    # upstreamRepository: "appsuite-public-sector/public-sector-ui"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["2", "2", "1"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
+    tag: "2.3.0@sha256:a557816ee55500ecc3b46b60f0440ea66c7f0d90e888ce3b0df8a9acdd72acbe"
+  oxConnector:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/ox-connector-standalone"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "4", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
+    tag: "0.4.2@sha256:308489c0c0e0436bbbedbd757f78875d44468992c46c8d371c584dc778b30770"
+  postfix:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/postfix"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/postfix"
+    tag: "1.0.0@sha256:61e4661a7323101dfb51c85c5a48c345c75436f3f533176f049d2660d711a8a5"
+  postgresql:
+    # providerCategory: "Community"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "library/postgres"
+    registry: "registry-1.docker.io"
+    repository: "library/postgres"
+    tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
+  prosody:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "jitsi/prosody"
+    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)-?\d?$'
+    # upstreamMirrorStartFrom: ["8922"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
+    tag: "stable-9457-2@sha256:5364b0c9c6de654b7b31b5821e9cd7a39660a19010348e7ac56b85be2944daa0"
+  redis:
+    # providerCategory: "Community"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "bitnami/redis"
+    # WE ARE STUCK WITH <7.4 because of https://redis.com/blog/redis-adopts-dual-source-available-licensing/
+    registry: "registry-1.docker.io"
+    repository: "bitnami/redis"
+    tag: "7.2.3-debian-11-r2@sha256:9ac3bbf7740969d32689e360ddcfa5f672538c47f6f6cf296173c3078de0edf2"
+  synapse:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "matrixdotorg/synapse"
+    # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "91", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
+    tag: "v1.108.0@sha256:0754a5c372f4cfb5f69f58ad4b70d05bc2e380354f1b0c9101611e9157082712"
+  synapseCreateUser:
+    # providerCategory: "Community"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "alpine/k8s"
+    registry: "registry-1.docker.io"
+    repository: "alpine/k8s"
+    tag: "1.30.0@sha256:d7a11b7032550e992667fd7725b039dcd639270fbceec368d7e66e3d9e41ee15"
+  synapseGuestModule:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://ghcr.io"
+    # upstreamRepository: "nordeck/synapse-guest-module"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "0", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/synapse-guest-module"
+    tag: "1.0.0@sha256:6b3b17183a7d163148cc1bc5342604682ec67d898394fc743db2f339e61c722e"
+  synapseWeb:
+    # providerCategory: "Community"
+    # providerResponsible: "Element"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "rapidfort/haproxy-official"
+    registry: "registry-1.docker.io"
+    repository: "rapidfort/haproxy-official"
+    tag: "2.6.15-bullseye@sha256:47b6ca4074347788cb414fbf3db35d0c51e9e47af33be46457f95c750540887c"
   wellKnown:
     # providerCategory: "Community"
     # providerResponsible: "Element"

helmfile/environments/default/objectstores.yaml

@@ -33,7 +33,7 @@ objectstores:
     username: "openproject_user"
     pathStyle: true
     useIamProfile: false
-  univentionManagementStack:
+  nubus:
     bucket: "ums"
     endpoint: ""
     region: "eu-west-1"

helmfile/environments/default/opendesk_main.gotmpl

@@ -49,6 +49,9 @@ minio:
 nextcloud:
   enabled: true
   namespace: {{ env "NAMESPACE" | quote }}
+nubus:
+  enabled: true
+  namespace: {{ env "NAMESPACE" | quote }}
 openproject:
   enabled: true
   namespace: {{ env "NAMESPACE" | quote }}
@@ -67,9 +70,6 @@ postgresql:
 redis:
   enabled: true
   namespace: {{ env "NAMESPACE" | quote }}
-univentionManagementStack:
-  enabled: true
-  namespace: {{ env "NAMESPACE" | quote }}
 xwiki:
   enabled: true
   namespace: {{ env "NAMESPACE" | quote }}

helmfile/environments/default/persistence.yaml

@@ -16,7 +16,7 @@ persistence:
     prosody: "1Gi"
     redis: "1Gi"
     synapse: "1Gi"
-    univentionManagementStack:
+    nubus:
       ldapServerData: "1Gi"
       ldapServerShared: "1Gi"
       portalListener: "1Gi"

helmfile/environments/default/resources.yaml

@@ -218,6 +218,49 @@ resources:
     requests:
       cpu: 0.1
       memory: "512Mi"
+  nubusProvisioning:
+    nats:
+      limits:
+        cpu: 288
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "128Mi"
+    dispatcher:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    registerConsumers:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    udmTransformer:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    prefill:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    api:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "100Mi"
   openproject:
     limits:
       cpu: 99

helmfile/environments/default/secrets.gotmpl

@@ -18,7 +18,7 @@ secrets:
     cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
     shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
     sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryption_key" | sha1sum | quote }}
-  univentionManagementStack:
+  nubus:
     ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
     ldapSearch:
       keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_keycloak" | sha1sum | quote }}

helmfile/environments/default/theme.gotmpl

@@ -0,0 +1,53 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+## The theme properties will be used to set the installations color an images.
+## This is currently not supported by most of the components, but we still
+## want to collect and provide the related information based on the attributes
+## defined in this file.
+#
+theme:
+  ## Define texts
+  #
+  texts:
+    productName: "openDesk"
+
+  ## Define colors
+  #
+  colors:
+    # Element, OX AppSuite, Xwiki
+    primary: "#5e27dd"
+    # OX AppSuite
+    primary15: "#e7dffa"
+    # OX AppSuite
+    black: "#000000"
+    # OX AppSuite, Xwiki
+    white: "#ffffff"
+    # OX AppSuite, Xwiki
+    secondaryGreyLight: "#f5f5f5"
+
+    # Not in use yet
+    primary65: "#9673e9"
+    primary35: "#c7b3f3"
+    secondaryBlue: "#52c1ff"
+    secondaryBlueHighcontrast: "#0c3ff3"
+    secondaryRed: "#ff529e"
+    secondaryYellow: "#ffc700"
+    secondaryGreen: "#00ffcd"
+    secondaryGrey: "#adb3bc"
+
+  ## Define imagery
+  #
+  imagery:
+    # Xwiki
+    faviconSvgB64: {{ readFile "./../../files/theme/favicon.svg" | b64enc | quote }}
+    faviconIcoB64: {{ readFile "./../../files/theme/favicon.ico" | b64enc | quote }}
+    favicon16PngB64: {{ readFile "./../../files/theme/favicon16.png" | b64enc | quote }}
+    favicon144PngB64: {{ readFile "./../../files/theme/favicon144.png" | b64enc | quote }}
+    logoHeaderSvgB64: {{ readFile "./../../files/theme/logoHeader.svg" | b64enc | quote }}
+
+    # Portal
+    logoPortalBackgroundSvgB64: {{ readFile "./../../files/theme/logoPortalBackground.svg" | b64enc | quote }}
+    portalCss: {{ readFile "./../../files/theme/portal.css" | b64enc }}
+
+...

helmfile/environments/test/values.yaml.gotmpl

@@ -18,16 +18,16 @@ persistence:
     mariadb: "42Gi"
     matrixNeoDateFixBot: "42Gi"
     minio: "42Gi"
+    nubus:
+      ldapServerData: "42Gi"
+      ldapServerShared: "42Gi"
+      portalListener: "42Gi"
+      selfserviceListener: "42Gi"
     postfix: "42Gi"
     postgresql: "42Gi"
     prosody: "42Gi"
     redis: "42Gi"
     synapse: "42Gi"
-    univentionManagementStack:
-      ldapServerData: "42Gi"
-      ldapServerShared: "42Gi"
-      portalListener: "42Gi"
-      selfserviceListener: "42Gi"
     xwiki: "42Gi"
 ingress:
   ingressClassName: "kyverno"

helmfile/files/theme/favicon.svg

@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg id="b" width="40" height="40" viewBox="0 0 40 40" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg"><defs id="defs59" /><circle id="c" cx="20" cy="20" r="20" fill="#5e27dd" /><path d="m 34.23,19.98 c 0,2.12 -0.41,3.76 -1.2,4.92 -0.81,1.15 -1.84,1.92 -3.07,2.33 -1.25,0.41 -2.68,0.6 -4.29,0.6 H 19.9 v -9.45 h 3.58 v 6.31 h 2.19 c 1.15,0 2.06,-0.09 2.72,-0.25 0.65,-0.18 1.2,-0.6 1.62,-1.29 0.42,-0.67 0.64,-1.73 0.64,-3.18 0,-1.45 -0.21,-2.49 -0.65,-3.16 -0.42,-0.69 -0.97,-1.11 -1.62,-1.29 -0.67,-0.18 -1.57,-0.26 -2.7,-0.26 h -2.15 v -3.11 h 2.15 c 1.61,0 3.04,0.19 4.29,0.6 1.24,0.39 2.26,1.16 3.07,2.33 0.79,1.15 1.2,2.79 1.2,4.89 z" fill="#ffffff" id="path52" /><path d="m 16.38,19.31 c -0.44,-0.88 -1.09,-1.59 -1.96,-2.1 -0.86,-0.53 -1.85,-0.79 -3,-0.79 -1.15,0 -2.14,0.26 -3,0.79 -0.87,0.51 -1.52,1.22 -1.98,2.1 -0.44,0.86 -0.67,1.8 -0.67,2.82 0,1.02 0.23,1.94 0.67,2.82 0.46,0.86 1.11,1.57 1.98,2.1 0.86,0.51 1.85,0.78 3,0.78 1.15,0 2.14,-0.26 3,-0.78 0.86,-0.53 1.52,-1.24 1.96,-2.1 0.46,-0.88 0.69,-1.82 0.69,-2.82 0,-1 -0.23,-1.96 -0.69,-2.82 z m -1.02,5.14 c -0.34,0.71 -0.85,1.29 -1.52,1.73 -0.69,0.44 -1.48,0.67 -2.42,0.67 C 10.48,26.85 9.67,26.62 9,26.18 8.33,25.74 7.82,25.16 7.48,24.45 7.14,23.73 6.97,22.97 6.97,22.14 6.97,21.31 7.15,20.53 7.48,19.83 7.82,19.11 8.33,18.54 9,18.1 c 0.67,-0.44 1.48,-0.65 2.42,-0.65 0.94,0 1.73,0.21 2.42,0.65 0.67,0.44 1.18,1.01 1.52,1.73 0.34,0.71 0.51,1.48 0.51,2.31 0,0.83 -0.18,1.59 -0.51,2.31 z" fill="#ffffff" id="path54" /></svg>

helmfile/shared/migrations.yaml.gotmpl

@@ -15,16 +15,12 @@ cleanup:
   keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 migrations:
-  runId: 1
-  currentOdRelease: {{ .Values.global.systemInformation.releaseVersion | quote }}
+  runId: 2
   namespace: {{ .Values.migrations.namespace | quote }}
   loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   failOnUnexpectedState: true
-  credentials:
-    keycloakAdminUsername: "kcadmin"
-    keycloakAdminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
-  urls:
-    keycloakBase: "http://ums-keycloak.{{ .Values.univentionManagementStack.namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+  environmentDetails:
+    {{ .Values | toYaml | nindent 4 }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile_generic.yaml

@@ -13,7 +13,7 @@ helmfiles:
       - {{ toYaml .Values | nindent 8 }}
   - path: "helmfile/apps/services/helmfile-child.yaml"
     values: *values
-  - path: "helmfile/apps/univention-management-stack/helmfile-child.yaml"
+  - path: "helmfile/apps/nubus/helmfile-child.yaml"
     values: *values
   - path: "helmfile/apps/intercom-service/helmfile-child.yaml"
     values: *values