chore(release): 0.5.79 [skip ci]

## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29) ### Bug Fixes * **collabora:** Bump image to 23.05.9.2.1 ([f4b8226](f4b8226ea1)) * **collabora:** Fix aliasgroups configuration whitelisting the Nextcloud host ([8b065fd](8b065fd9d7)) * **docs:** Update version numbers of functional components for release in README.md ([31e5cf3](31e5cf317c)) * **element:** Provide end-to-end encryption as user controlled option ([3d31127](3d31127a6a)) * **helmfile:** Enhance objectore environment variables to allow external Object Store ([d444226](d4442261aa)) * **helmfile:** Set debuglevel to WARN instead of INFO when debug is not enabled. ([2efceef](2efceef076)) * **nextcloud:** Bump images to enable password_policy and fix email with groupware ([8807b24](8807b24ce0)) * **univention-management-stack:** Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([2023d5b](2023d5bce4)) * **univention-management-stack:** Provisioning version bump ([410a023](410a023714)) * **univention-management-stack:** Template more Keycloak Extension values incl. logLevel ([7ec123b](7ec123b9a1))
fix(docs): Update version numbers of functional components for release in README.md
2025-12-06 15:31:38 +01:00 · 2024-02-29 07:28:22 +00:00 · 2024-02-29 07:29:16 +01:00 · 2024-02-28 16:06:09 +00:00 · 2024-02-28 16:06:09 +00:00 · 2024-02-28 16:06:09 +00:00
27 changed files with 257 additions and 234 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,19 @@
+## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29)
+
+
+### Bug Fixes
+
+* **collabora:** Bump image to 23.05.9.2.1 ([f4b8226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f4b8226ea13971a38d61145ea9ac3821bc35f6b3))
+* **collabora:** Fix aliasgroups configuration whitelisting the Nextcloud host ([8b065fd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8b065fd9d789cdd597a584937fefaae40f42bba2))
+* **docs:** Update version numbers of functional components for release in README.md ([31e5cf3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31e5cf317ca7cd84a94cf42d57d0964152904471))
+* **element:** Provide end-to-end encryption as user controlled option ([3d31127](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3d31127a6ab0fa1d3af02695b521db5918932279))
+* **helmfile:** Enhance objectore environment variables to allow external Object Store ([d444226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d4442261aa141e21222dc13407023b96570d055f))
+* **helmfile:** Set debuglevel to WARN instead of INFO when debug is not enabled. ([2efceef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2efceef076beb06a3719859d7f4e2f0d03b99f44))
+* **nextcloud:** Bump images to enable password_policy and fix email with groupware ([8807b24](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8807b24ce09e59aaea39c349e9e12ee2a44a117a))
+* **univention-management-stack:** Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([2023d5b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2023d5bce4642f794831670713b1a2520a0419d6))
+* **univention-management-stack:** Provisioning version bump ([410a023](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/410a0237149a5e41434c09795959bc53e57fb4ca))
+* **univention-management-stack:** Template more Keycloak Extension values incl. logLevel ([7ec123b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ec123b9a174c8dade1fe9f6679796979749efab))
+
 ## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23)


--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ openDesk currently features the following functional main components:

 | Function             | Functional Component        | Component<br/>Version | Upstream Documentation |
 | -------------------- | --------------------------- | --------------------- | ----------------- |
-| Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59) | [For the most recent release](https://element.io/user-guide) |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
 | File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
 | Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
@@ -36,7 +36,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | Product Preview[^1]   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
 | Project management   | OpenProject                 | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
 | Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
-| Weboffice            | Collabora                   | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
+| Weboffice            | Collabora                   | [23.05.9.2.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |

 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practises regarding container design and operations.
--- a/docs/components.md
+++ b/docs/components.md
@@ -113,8 +113,13 @@ The Filestore can be enabled on a per-project level in OpenProject's project adm
 # Identity data flows

 An overview of
- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
- components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.
+- components that consume the LDAP service.
+  - The components accessing the LDAP using a component specific LDAP search account.
+- components using Univention Keycloak as identity provider (IdP).
+  - If not otherwise denoted the components make use of OAuth2 / OIDC flows.
+  - All components have a client configured in Keycloak, except for Jitsi which is using authentication with the
+    [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) that does not
+    require an OIDC client to be configured in Keycloak.

 Some components trust others to handle authentication for them.

--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -11,7 +11,7 @@ collabora:
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
-    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
+    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"

 fullnameOverride: "collabora"

--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
-  endToEndEncryption: false
+  endToEndEncryption: true
  additionalConfiguration:
    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"

@@ -15,9 +15,6 @@ configuration:
          portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
        custom_css_variables:
          --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
-        widget_types:
-          - jitsi
-          - net.nordeck

    "net.nordeck.element_web.module.widget_lifecycle":
      widget_permissions:
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -43,8 +43,6 @@ extraEnvVars:
      secretKeyRef:
        name: "matrix-neodatefix-bot-account"
        key: "access_token"
-  - name: "ENABLE_CRYPTO"
-    value: "false"

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -3,7 +3,7 @@
 ---
 configuration:
  e2ee:
-    forceDisable: true
+    forceDisable: false

 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -51,9 +51,16 @@ configuration:
  objectstore:
    auth:
      accessKey:
-        value: "nextcloud_user"
+        value: {{ .Values.objectstores.nextcloud.username | quote }}
      secretKey:
-        value: {{ .Values.secrets.minio.nextcloudUser | quote }}
+        value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
+    bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
+    host: {{ .Values.objectstores.nextcloud.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    region: {{ .Values.objectstores.nextcloud.region | quote }}
+    storageClass: {{ .Values.objectstores.nextcloud.storageClass | quote }}
+    port: {{ .Values.objectstores.nextcloud.port | quote }}
+    pathStyle: {{ .Values.objectstores.nextcloud.pathStyle | quote }}
+    useSSL: {{ .Values.objectstores.nextcloud.useSSL | quote }}
  oidc:
    username:
      value: "opendesk-nextcloud"
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -25,7 +25,7 @@ containerSecurityContext:
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
+  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
@@ -155,13 +155,13 @@ s3:
  enabled: true
  endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  pathStyle: "true"
+  pathStyle: {{ .Values.objectstores.openproject.pathStyle | quote }}
  region: {{ .Values.objectstores.openproject.region | quote }}
  bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
  use_iam_profile: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
  auth:
    accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
-    secretAccessKey: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
+    secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}

 seederJob:
  annotations:
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -20,7 +20,7 @@ oxConnector:
  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
  domainName: {{ .Values.global.domain | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -88,16 +88,13 @@ provisioning:
  extraCommands:
    - "mc anonymous set download provisioning/ums/portal-assets"
  buckets:
-    - name: "openproject"
-      versioning: true
-      withLock: false
-    - name: "openxchange"
+    - name: {{ .Values.objectstores.openproject.bucket | quote }}
      versioning: true
      withLock: false
    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
      versioning: false
      withLock: false
-    - name: "nextcloud"
+    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
      versioning: true
      withLock: false
  policies:
@@ -113,18 +110,6 @@ provisioning:
          effect: "Allow"
          actions:
            - "s3:*"
-    - name: "openxchange-bucket-policy"
-      statements:
-        - resources:
-            - "arn:aws:s3:::openxchange"
-          effect: "Allow"
-          actions:
-            - "s3:*"
-        - resources:
-            - "arn:aws:s3:::openxchange/*"
-          effect: "Allow"
-          actions:
-            - "s3:*"
    - name: "ums-bucket-policy"
      statements:
        - resources:
@@ -150,25 +135,19 @@ provisioning:
          actions:
            - "s3:*"
  users:
-    - username: "openproject_user"
+    - username: {{ .Values.objectstores.openproject.username | quote }}
      password: {{ .Values.secrets.minio.openprojectUser | quote }}
      disabled: false
      policies:
        - "openproject-bucket-policy"
      setPolicies: true
-    - username: "openxchange_user"
-      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
-      disabled: false
-      policies:
-        - "openxchange-bucket-policy"
-      setPolicies: true
    - username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
      password: {{ .Values.secrets.minio.umsUser | quote }}
      disabled: false
      policies:
        - "ums-bucket-policy"
      setPolicies: true
-    - username: "nextcloud_user"
+    - username: {{ .Values.objectstores.nextcloud.username | quote }}
      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
      disabled: false
      policies:
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -350,6 +350,15 @@ releases:
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

+  - name: "ums-provisioning-udm-listener"
+    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioningUdmListener.name }}"
+    version: "{{ .Values.charts.umsProvisioningUdmListener.version }}"
+    values:
+      - "values-common.yaml.gotmpl"
+      - "values-provisioning-udm-listener.yaml.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+    timeout: 900
+
  - name: "ums-guardian-management-api"
    chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
    version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
@@ -7,7 +7,7 @@ guardianAuthorizationApi:
  guardianAuthzAdapterAppPersistencePort: "udm_data"
  guardianAuthzAdapterPolicyPort: "opa"
  guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
  guardianAuthzLoggingStructured: false
  guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
  home: "/guardian_service_dir"
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
@@ -16,7 +16,7 @@ guardianManagementApi:
  guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
  guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
  guardianManagementAdapterResourceAuthorizationPort: "always"
-  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
  guardianManagementLoggingStructured: false
  guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
  guardianManagementBaseUrl: "http://0.0.0.0:8000"
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
@@ -41,10 +41,10 @@ portalListener:
  udmApiUsername: "cn=admin"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  objectStorageEndpoint: "http://minio:9000"
-  objectStorageBucket: "ums"
-  objectStorageAccessKeyId: "ums_user"
-  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
+  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
+  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
+  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}

 resources:
  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -16,13 +16,13 @@ portalServer:
  editable: "false"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
  ucsInternalPath: "portal-data"
-  objectStorageEndpoint: "http://minio:9000"
-  objectStorageBucket: "ums"
-  objectStorageAccessKeyId: "ums_user"
-  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
+  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
+  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
+  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
  centralNavigation:
    enabled: true
    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
--- a/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
+  repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+config:
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
+  tlsMode: "off"
+  natsHost: "ums-provisioning-nats"
+  natsPort: "4222"
+
+resources:
+  {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
+...
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
@@ -15,22 +15,13 @@ dispatcher:
      - name: {{ . | quote }}
      {{- end }}
  resources:
-    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-    readOnlyRootFilesystem: false
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
+    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
+  config:
+    UDM_HOST: "ums-udm-rest-api"
+    UDM_PORT: 9979
+    UDM_USERNAME: "cn=admin"

-events-and-consumer-api:
+api:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
@@ -40,98 +31,51 @@ events-and-consumer-api:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
-  rootPath: "/univention/provisioning-api"
-  ingress:
-    # copied from values-common.yaml.gotmpl
-    # Intentionally not using the Ingress configuration of the UMS stack at the
-    # moment, since it does depend on rewriting capabilities of the ingress
-    # controller. Those are encapsulated into the release "stack-gateway" so that
-    # the compatibility with all ingress controllers is increased.
-    enabled: false
-    host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  config:
+    rootPath: "/univention/provisioning-api"
  resources:
-    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-    readOnlyRootFilesystem: false
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
-
-udm-listener:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
+    {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
+  
+prefill:
+  image: 
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
+    tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
-  config:
-    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-    ldapHost: {{ .Values.ldap.host | quote }}
-    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  resources:
-    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-      add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    runAsUser: 0
-    runAsGroup: 0
-    runAsNonRoot: false
-    readOnlyRootFilesystem: false
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}
+    {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}

 nats:
-  global:
-    image:
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-      pullSecretNames: {{ .Values.global.imagePullSecrets }}
-      registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }}
-  container:
-    image:
-      registry: {{ .Values.global.imageRegistry }}
-      repository: {{ .Values.images.umsProvisioningNats.repository | quote }}
-      tag: {{ .Values.images.umsProvisioningNats.tag | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  natsBox:
-    container:
-      image:
-        registry: {{ .Values.global.imageRegistry }}
-        repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }}
-        tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }}
-        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  reloader:
-    image:
-      repository: {{ .Values.images.umsProvisioningNatsReloader.repository | quote }}
-      tag: {{ .Values.images.umsProvisioningNatsReloader.tag | quote }}
-      registry: {{ .Values.global.imageRegistry }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  bundled: true
+  nameOverride: ""
+  resources:
+    {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+  sysctls:
+    - name: "net.ipv4.ip_unprivileged_port_start"
+      value: "1"
+
+

 ...
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
@@ -27,6 +27,10 @@ handler:
  imagePullSecrets: {{ .Values.global.imagePullSecrets }}
  appConfig:
    captchaProtectionEnable: false
+    deviceProtectionEnable: true
+    ipProtectionEnable: true
+    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+    newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
    smtpPassword: {{ .Values.smtp.password | quote }}
    smtpHost: {{ .Values.smtp.host | quote }}
    smtpPort: {{ .Values.smtp.port | quote }}
@@ -50,6 +54,8 @@ handler:
 postgresql:
  enabled: false
 proxy:
+  appConfig:
+    logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }}
    repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
@@ -71,6 +77,14 @@ proxy:
        path: "/resources"
      - pathType: "Prefix"
        path: "/fingerprintjs"
+      - pathType: "Exact"
+        path: "/univention/meta.json"
+        backend:
+          service:
+            name: "ums-stack-gateway"
+            port:
+              name: "http"
+
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -25,7 +25,7 @@ config:
    user: {{ .Values.databases.keycloak.username | quote }}
    database: {{ .Values.databases.keycloak.name | quote }}
    password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
  enableMetrics: true
  # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
  # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -280,12 +280,6 @@ serverBlock: |
      proxy_pass http://ums-portal-frontend:80/;
    }

-    ## ums-provisioning
-    location /univention/provisioning-api/ {
-      rewrite ^/univention/provisioning-api(/.*)$ $1 break;
-      proxy_pass http://ums-provisioning-events-and-consumer-api:80;
-    }
-
    ## guardian
    location /univention/guardian/management-ui {
      proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -86,7 +86,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -98,7 +98,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -160,7 +160,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neoboard-widget"
-    version: "3.4.1"
+    version: "3.5.0"
    verify: true
    # @supplier: "openDesk"

@@ -172,7 +172,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neochoice-widget"
-    version: "3.4.1"
+    version: "3.5.0"
    verify: true
    # @supplier: "openDesk"

@@ -184,7 +184,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neodatefix-bot"
-    version: "3.4.1"
+    version: "3.5.0"
    verify: true
    # @supplier: "openDesk"

@@ -196,7 +196,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
    name: "matrix-neodatefix-widget"
-    version: "3.4.1"
+    version: "3.5.0"
    verify: true
    # @supplier: "openDesk"

@@ -208,7 +208,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -343,7 +343,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
    name: "opendesk-otterize"
-    version: "1.7.3"
+    version: "1.7.5"
    verify: true
    # @supplier: "openDesk"

@@ -405,7 +405,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -417,7 +417,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -429,7 +429,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "2.6.6"
+    version: "2.6.7"
    verify: true
    # @supplier: "openDesk"

@@ -483,7 +483,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "ums-keycloak"
-    version: "1.0.3"
+    version: "1.0.5"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -511,7 +511,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "keycloak-extensions"
-    version: "0.1.0"
+    version: "0.2.1"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -623,7 +623,21 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "provisioning"
-    version: "0.9.5"
+    version: "0.14.0"
+    verify: true
+    # @supplier: "Univention"
+    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+    # @mirrorFrom: ['0', '9', '5']
+
+  umsProvisioningUdmListener:
+    # renovate:
+    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRepository=souvap/tooling/charts/univention/udm-listener
+    # dependencyType=supplier
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    name: "udm-listener"
+    version: "0.14.0"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
--- a/helmfile/environments/default/debug.yaml
+++ b/helmfile/environments/default/debug.yaml
@@ -14,6 +14,6 @@ debug:
  # should activate debug output in all components and even allow e.g. successfully executed jobs
  # to stay available. This is going to be implemented on a case by case basis when we actually
  # need debugging in a component.
-  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}`
+  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}`
  enabled: false
 ...
--- a/helmfile/environments/default/global.generated.yaml
+++ b/helmfile/environments/default/global.generated.yaml
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v0.5.78"
+    releaseVersion: "v0.5.79"
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -19,7 +19,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "23.05.9.1.1@sha256:9eeaf2795987d67cf6259f2942ea3318649fdf50beb939c895bef26a4c4dd146"
+    tag: "23.05.9.2.1@sha256:4cdf38a73cfa8771d8184137525511a887cd5eab9e75ed894cee9cf1006d95eb"
    # @supplier: "Collabora"

  cryptpad:
@@ -50,7 +50,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
-    tag: "1.8.2@sha256:0595292e824c039e9c088a845b3d49c6be93d46f9f99090783eb20cb1fc27227"
+    tag: "1.10.0@sha256:050f4fd6aafdf988033486f3e75545b664edb60163f6a639cb1209aec6ed9387"
    # @supplier: "Element"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['1', '8', '0']
@@ -174,7 +174,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
-    tag: "1.4.0@sha256:da04d6c3c3e07ec1fcb6ecec245adc48897f107a2ab84c39d8924de951744d9f"
+    tag: "1.12.0@sha256:2b2913cef614f2a81faea1997d9372b01347dadc3100d574b766df997d5ef2d5"
    # @supplier: "Nordeck"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['1', '4', '0']
@@ -198,7 +198,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-bot"
-    tag: "2.7.0@sha256:31e7b1fae0bdd3d712f8be1472f5b90dd567994c09a14aa5522a4ce94a1a7507"
+    tag: "2.8.0@sha256:db1d99c13a9facfd08a7da1d0a9c7c05715bad47110e93649ad6b389e462b42c"
    # @supplier: "Nordeck"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['2', '7', '0']
@@ -210,7 +210,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-widget"
-    tag: "1.6.0@sha256:d213a410d6fb92f63aafa26517a55ffded5cf47b5314dfadc6e28ce8ede4965f"
+    tag: "1.6.1@sha256:70bebd9293a977124a5da955e1a520381129d476d6414a083093c1b48a55dadd"
    # @supplier: "Nordeck"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['1', '6', '0']
@@ -264,7 +264,7 @@ images:
    # dependencyType=platform
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.13@sha256:874567579cbe8604e22caa06e8d5de42c74e41deda2d47bd6b50ab3898dd3dd7"
+    tag: "1.1.15@sha256:f8a2a08c44ad9f4941e34a5efb1010918e52df8ce0866848a00810ad34279a2e"
    # @supplier: "openDesk"

  nextcloudExporter:
@@ -284,7 +284,7 @@ images:
    # dependencyType=platform
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.3.1@sha256:a4b781a6926ca4e7a4c9c58af7a46e93b74364f1fc5c2fd65de2bce17f8efc30"
+    tag: "1.3.5@sha256:790647d3424ab41cab1b0a7114a7737615b1772269699f9c3bcb078cba70d685"
    # @supplier: "openDesk"

  nextcloudPHP:
@@ -294,7 +294,7 @@ images:
    # dependencyType=platform
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.8.1@sha256:4ad4a6ce6c8e01e1972fa19aae65b79d43aaf3f51083aa3c4302598fce2046c8"
+    tag: "1.8.4@sha256:d51ca3e22a493d6dd625cf9bfa40f96481ba36894a9d3eed1e082eadaef72c5c"
    # @supplier: "openDesk"

  opendeskKeycloakBootstrap:
@@ -762,68 +762,50 @@ images:
  umsProvisioningDispatcher:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/dispatcher
+    # upstreamRepository=souvap/tooling/images/univention/provisioning-dispatcher
    # dependencyType=supplier
-    registry: "registry.souvap-univention.de"
-    repository: "souvap/tooling/images/univention/dispatcher"
-    tag: "0.11.1@sha256:e3f9f185c21ff893a654e0f08ebd6c59ce4d7513150cac530792ad656348ecfa"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
+    tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '11', '1']
+    # @mirrorFrom: ['0', '14', '0']

  umsProvisioningEventsAndConsumerApi:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api
+    # upstreamRepository=souvap/tooling/images/univention/provisioning-events-and-consumer-api
    # dependencyType=supplier
-    registry: "registry.souvap-univention.de"
-    repository: "souvap/tooling/images/univention/events-and-consumer-api"
-    tag: "0.11.1@sha256:c56c862e9687a9bcc0d3f808bf12b67fbc457cc1bb10d82505706572078282d6"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
+    tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '11', '1']
+    # @mirrorFrom: ['0', '14', '0']

-  umsProvisioningNats:
+  umsProvisioningPrefill:
    # renovate:
-    # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=library/nats
-    # dependencyType=external
-    registry: "registry-1.docker.io"
-    repository: "library/nats"
-    tag: "2.10.5-alpine@sha256:85319e5e541b6f273dbffc722e001601f391028e004c90a4fadab53475789e79"
-    # @supplier: "Univention"
-
-  umsProvisioningNatsBox:
-    # renovate:
-    # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=natsio/nats-box
-    # dependencyType=external
-    registry: "registry-1.docker.io"
-    repository: "natsio/nats-box"
-    tag: "0.14.1@sha256:a67913df95f1d5b265117e49e4c83228091d13d6783d80215ddcf84aba695ef4"
-    # @supplier: "Univention"
-
-  umsProvisioningNatsReloader:
-    # renovate:
-    # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=natsio/nats-server-config-reloader
-    # dependencyType=external
-    registry: "registry-1.docker.io"
-    repository: "natsio/nats-server-config-reloader"
-    tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
+    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRepository=souvap/tooling/images/univention/provisioning-prefill
+    # dependencyType=supplier
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
+    tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0"
    # @supplier: "Univention"
+    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+    # @mirrorFrom: ['0', '14', '0']

  umsProvisioningUdmListener:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/udm-listener
+    # upstreamRepository=souvap/tooling/images/univention/provisioning-udm-listener
    # dependencyType=supplier
-    registry: "registry.souvap-univention.de"
-    repository: "souvap/tooling/images/univention/udm-listener"
-    tag: "0.11.1@sha256:27e01c9941d19a60ced4aeac84a64a4ef566d764302ac892256b9b5dc3d7548f"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
+    tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '11', '1']
+    # @mirrorFrom: ['0', '14', '0']

  umsSelfserviceInvitation:
    # renovate:
--- a/helmfile/environments/default/objectstore.gotmpl
+++ b/helmfile/environments/default/objectstore.gotmpl
@@ -4,20 +4,28 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 objectstores:
+  nextcloud:
+    bucket: "nextcloud"
+    endpoint: ""
+    region: "eu-west-1"
+    secretKey: ""
+    username: "nextcloud_user"
+    storageClass: "STANDARD"
+    useSSL: true
+    pathStyle: true
+    port: 443
  openproject:
-    backend: "minio"
    bucket: "openproject"
    endpoint: ""
-    region: ""
-    secret: ""
+    region: "eu-west-1"
+    secretKey: ""
    username: "openproject_user"
+    pathStyle: true
    useIAMProfile: ""
  univentionManagementStack:
-    backend: "minio"
    bucket: "ums"
    endpoint: ""
-    region: ""
-    secret: ""
+    region: "eu-west-1"
+    secretKey: ""
    username: "ums_user"
-    useIAMProfile: ""
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -431,7 +431,35 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsProvisioning:
+  umsProvisioningEventsAndConsumerApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningDispatcher:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningPrefill:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningUdmListener:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningNats:
    limits:
      cpu: 99
      memory: "1Gi"
Author	SHA1	Message	Date
Thorsten Roßner	d677ca5691	chore(release): 0.5.79 [skip ci] ## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29) ### Bug Fixes * collabora: Bump image to 23.05.9.2.1 ([`f4b8226`](`f4b8226ea1`)) * collabora: Fix aliasgroups configuration whitelisting the Nextcloud host ([`8b065fd`](`8b065fd9d7`)) * docs: Update version numbers of functional components for release in README.md ([`31e5cf3`](`31e5cf317c`)) * element: Provide end-to-end encryption as user controlled option ([`3d31127`](`3d31127a6a`)) * helmfile: Enhance objectore environment variables to allow external Object Store ([`d444226`](`d4442261aa`)) * helmfile: Set debuglevel to WARN instead of INFO when debug is not enabled. ([`2efceef`](`2efceef076`)) * nextcloud: Bump images to enable password_policy and fix email with groupware ([`8807b24`](`8807b24ce0`)) * univention-management-stack: Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([`2023d5b`](`2023d5bce4`)) * univention-management-stack: Provisioning version bump ([`410a023`](`410a023714`)) * univention-management-stack: Template more Keycloak Extension values incl. logLevel ([`7ec123b`](`7ec123b9a1`))	2024-02-29 07:28:22 +00:00
Thorsten Roßner	31e5cf317c	fix(docs): Update version numbers of functional components for release in README.md	2024-02-29 07:29:16 +01:00
jconde	410a023714	fix(univention-management-stack): Provisioning version bump fix(univention-management-stack): Use bundled NATS	2024-02-28 16:06:09 +00:00
Thorsten Roßner	8b065fd9d7	fix(collabora): Fix aliasgroups configuration whitelisting the Nextcloud host	2024-02-28 16:06:09 +00:00
Thorsten Roßner	f4b8226ea1	fix(collabora): Bump image to 23.05.9.2.1	2024-02-28 16:06:09 +00:00
Thorsten Roßner	2023d5bce4	fix(univention-management-stack): Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login.	2024-02-28 16:06:09 +00:00
Thorsten Roßner	8807b24ce0	fix(nextcloud): Bump images to enable password_policy and fix email with groupware	2024-02-28 16:06:09 +00:00
Dominik Kaminski	d4442261aa	fix(helmfile): Enhance objectore environment variables to allow external Object Store	2024-02-28 16:06:09 +00:00
Thorsten Roßner	2efceef076	fix(helmfile): Set debuglevel to WARN instead of INFO when debug is not enabled.	2024-02-28 16:06:09 +00:00
Thorsten Roßner	7ec123b9a1	fix(univention-management-stack): Template more Keycloak Extension values incl. logLevel	2024-02-28 16:06:09 +00:00
Milton Moura (Nordeck)	3d31127a6a	fix(element): Provide end-to-end encryption as user controlled option	2024-02-28 15:53:38 +00:00