chore(release): 0.5.79 [skip ci]

## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29)

### Bug Fixes

* **collabora:** Bump image to 23.05.9.2.1 ([f4b8226](f4b8226ea1))
* **collabora:** Fix aliasgroups configuration whitelisting the Nextcloud host ([8b065fd](8b065fd9d7))
* **docs:** Update version numbers of functional components for release in README.md ([31e5cf3](31e5cf317c))
* **element:** Provide end-to-end encryption as user controlled option ([3d31127](3d31127a6a))
* **helmfile:** Enhance objectore environment variables to allow external Object Store ([d444226](d4442261aa))
* **helmfile:** Set debuglevel to WARN instead of INFO when debug is not enabled. ([2efceef](2efceef076))
* **nextcloud:** Bump images to enable password_policy and fix email with groupware ([8807b24](8807b24ce0))
* **univention-management-stack:** Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([2023d5b](2023d5bce4))
* **univention-management-stack:** Provisioning version bump ([410a023](410a023714))
* **univention-management-stack:** Template more Keycloak Extension values incl. logLevel ([7ec123b](7ec123b9a1))

CHANGELOG.md

@@ -1,3 +1,19 @@
+## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29)
+
+
+### Bug Fixes
+
+* **collabora:** Bump image to 23.05.9.2.1 ([f4b8226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f4b8226ea13971a38d61145ea9ac3821bc35f6b3))
+* **collabora:** Fix aliasgroups configuration whitelisting the Nextcloud host ([8b065fd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8b065fd9d789cdd597a584937fefaae40f42bba2))
+* **docs:** Update version numbers of functional components for release in README.md ([31e5cf3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31e5cf317ca7cd84a94cf42d57d0964152904471))
+* **element:** Provide end-to-end encryption as user controlled option ([3d31127](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3d31127a6ab0fa1d3af02695b521db5918932279))
+* **helmfile:** Enhance objectore environment variables to allow external Object Store ([d444226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d4442261aa141e21222dc13407023b96570d055f))
+* **helmfile:** Set debuglevel to WARN instead of INFO when debug is not enabled. ([2efceef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2efceef076beb06a3719859d7f4e2f0d03b99f44))
+* **nextcloud:** Bump images to enable password_policy and fix email with groupware ([8807b24](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8807b24ce09e59aaea39c349e9e12ee2a44a117a))
+* **univention-management-stack:** Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([2023d5b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2023d5bce4642f794831670713b1a2520a0419d6))
+* **univention-management-stack:** Provisioning version bump ([410a023](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/410a0237149a5e41434c09795959bc53e57fb4ca))
+* **univention-management-stack:** Template more Keycloak Extension values incl. logLevel ([7ec123b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ec123b9a174c8dade1fe9f6679796979749efab))
+
 ## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23)
 
 

README.md

@@ -28,7 +28,7 @@ openDesk currently features the following functional main components:
 
 | Function             | Functional Component        | Component<br/>Version | Upstream Documentation |
 | -------------------- | --------------------------- | --------------------- | ----------------- |
-| Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59) | [For the most recent release](https://element.io/user-guide) |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
 | File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
 | Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
@@ -36,7 +36,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | Product Preview[^1]   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
 | Project management   | OpenProject                 | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
 | Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
-| Weboffice            | Collabora                   | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
+| Weboffice            | Collabora                   | [23.05.9.2.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
 
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practises regarding container design and operations.

docs/components.md

@@ -113,8 +113,13 @@ The Filestore can be enabled on a per-project level in OpenProject's project adm
 # Identity data flows
 
 An overview of
-- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
+- components that consume the LDAP service.
-- components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.
+  - The components accessing the LDAP using a component specific LDAP search account.
+- components using Univention Keycloak as identity provider (IdP).
+  - If not otherwise denoted the components make use of OAuth2 / OIDC flows.
+  - All components have a client configured in Keycloak, except for Jitsi which is using authentication with the
+    [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) that does not
+    require an OIDC client to be configured in Keycloak.
 
 Some components trust others to handle authentication for them.
 

helmfile/apps/collabora/values.yaml.gotmpl

@@ -11,7 +11,7 @@ collabora:
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:
-    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
+    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 
 fullnameOverride: "collabora"
 

helmfile/apps/element/values-element.yaml.gotmpl

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
-  endToEndEncryption: false
+  endToEndEncryption: true
   additionalConfiguration:
     logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
 
@@ -15,9 +15,6 @@ configuration:
           portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
         custom_css_variables:
           --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
-        widget_types:
-          - jitsi
-          - net.nordeck
 
     "net.nordeck.element_web.module.widget_lifecycle":
       widget_permissions:

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -43,8 +43,6 @@ extraEnvVars:
       secretKeyRef:
         name: "matrix-neodatefix-bot-account"
         key: "access_token"
-  - name: "ENABLE_CRYPTO"
-    value: "false"
 
 image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/element/values-well-known.yaml.gotmpl

@@ -3,7 +3,7 @@
 ---
 configuration:
   e2ee:
-    forceDisable: true
+    forceDisable: false
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -51,9 +51,16 @@ configuration:
   objectstore:
     auth:
       accessKey:
-        value: "nextcloud_user"
+        value: {{ .Values.objectstores.nextcloud.username | quote }}
       secretKey:
-        value: {{ .Values.secrets.minio.nextcloudUser | quote }}
+        value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
+    bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
+    host: {{ .Values.objectstores.nextcloud.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    region: {{ .Values.objectstores.nextcloud.region | quote }}
+    storageClass: {{ .Values.objectstores.nextcloud.storageClass | quote }}
+    port: {{ .Values.objectstores.nextcloud.port | quote }}
+    pathStyle: {{ .Values.objectstores.nextcloud.pathStyle | quote }}
+    useSSL: {{ .Values.objectstores.nextcloud.useSSL | quote }}
   oidc:
     username:
       value: "opendesk-nextcloud"

helmfile/apps/openproject/values.yaml.gotmpl

@@ -25,7 +25,7 @@ containerSecurityContext:
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
+  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
   OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
@@ -155,13 +155,13 @@ s3:
   enabled: true
   endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
   host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  pathStyle: "true"
+  pathStyle: {{ .Values.objectstores.openproject.pathStyle | quote }}
   region: {{ .Values.objectstores.openproject.region | quote }}
   bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
   use_iam_profile: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
   auth:
     accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
-    secretAccessKey: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
+    secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
 
 seederJob:
   annotations:

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -20,7 +20,7 @@ oxConnector:
   debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   domainName: {{ .Values.global.domain | quote }}
   ldapHost: {{ .Values.ldap.host | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
   ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   ldapBaseDn: "dc=swp-ldap,dc=internal"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -88,16 +88,13 @@ provisioning:
   extraCommands:
     - "mc anonymous set download provisioning/ums/portal-assets"
   buckets:
-    - name: "openproject"
+    - name: {{ .Values.objectstores.openproject.bucket | quote }}
-      versioning: true
-      withLock: false
-    - name: "openxchange"
       versioning: true
       withLock: false
     - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
       versioning: false
       withLock: false
-    - name: "nextcloud"
+    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
       versioning: true
       withLock: false
   policies:
@@ -113,18 +110,6 @@ provisioning:
           effect: "Allow"
           actions:
             - "s3:*"
-    - name: "openxchange-bucket-policy"
-      statements:
-        - resources:
-            - "arn:aws:s3:::openxchange"
-          effect: "Allow"
-          actions:
-            - "s3:*"
-        - resources:
-            - "arn:aws:s3:::openxchange/*"
-          effect: "Allow"
-          actions:
-            - "s3:*"
     - name: "ums-bucket-policy"
       statements:
         - resources:
@@ -150,25 +135,19 @@ provisioning:
           actions:
             - "s3:*"
   users:
-    - username: "openproject_user"
+    - username: {{ .Values.objectstores.openproject.username | quote }}
       password: {{ .Values.secrets.minio.openprojectUser | quote }}
       disabled: false
       policies:
         - "openproject-bucket-policy"
       setPolicies: true
-    - username: "openxchange_user"
-      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
-      disabled: false
-      policies:
-        - "openxchange-bucket-policy"
-      setPolicies: true
     - username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
       password: {{ .Values.secrets.minio.umsUser | quote }}
       disabled: false
       policies:
         - "ums-bucket-policy"
       setPolicies: true
-    - username: "nextcloud_user"
+    - username: {{ .Values.objectstores.nextcloud.username | quote }}
       password: {{ .Values.secrets.minio.nextcloudUser | quote }}
       disabled: false
       policies:

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -350,6 +350,15 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 
+  - name: "ums-provisioning-udm-listener"
+    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioningUdmListener.name }}"
+    version: "{{ .Values.charts.umsProvisioningUdmListener.version }}"
+    values:
+      - "values-common.yaml.gotmpl"
+      - "values-provisioning-udm-listener.yaml.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+    timeout: 900
+
   - name: "ums-guardian-management-api"
     chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
     version: "{{ .Values.charts.umsGuardianManagementApi.version }}"

helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl

@@ -7,7 +7,7 @@ guardianAuthorizationApi:
   guardianAuthzAdapterAppPersistencePort: "udm_data"
   guardianAuthzAdapterPolicyPort: "opa"
   guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
   guardianAuthzLoggingStructured: false
   guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
   home: "/guardian_service_dir"

helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl

@@ -16,7 +16,7 @@ guardianManagementApi:
   guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
   guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
   guardianManagementAdapterResourceAuthorizationPort: "always"
-  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
   guardianManagementLoggingStructured: false
   guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
   guardianManagementBaseUrl: "http://0.0.0.0:8000"

helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl

@@ -41,10 +41,10 @@ portalListener:
   udmApiUsername: "cn=admin"
   umcGetUrl: "http://ums-umc-server/get"
   umcSessionUrl: "http://ums-umc-server/get/session-info"
-  objectStorageEndpoint: "http://minio:9000"
+  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  objectStorageBucket: "ums"
+  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
-  objectStorageAccessKeyId: "ums_user"
+  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
+  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
 
 resources:
   {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}

helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl

@@ -16,13 +16,13 @@ portalServer:
   editable: "false"
   umcGetUrl: "http://ums-umc-server/get"
   umcSessionUrl: "http://ums-umc-server/get/session-info"
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
   adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
   ucsInternalPath: "portal-data"
-  objectStorageEndpoint: "http://minio:9000"
+  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  objectStorageBucket: "ums"
+  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
-  objectStorageAccessKeyId: "ums_user"
+  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
+  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
   centralNavigation:
     enabled: true
     authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}

helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
+  repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+config:
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
+  tlsMode: "off"
+  natsHost: "ums-provisioning-nats"
+  natsPort: "4222"
+
+resources:
+  {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
+...

helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl

@@ -15,22 +15,13 @@ dispatcher:
       - name: {{ . | quote }}
       {{- end }}
   resources:
-    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
-  securityContext:
+  config:
-    allowPrivilegeEscalation: false
+    UDM_HOST: "ums-udm-rest-api"
-    capabilities:
+    UDM_PORT: 9979
-      drop:
+    UDM_USERNAME: "cn=admin"
-        - "ALL"
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-    readOnlyRootFilesystem: false
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
 
-events-and-consumer-api:
+api:
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
     repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
@@ -40,98 +31,51 @@ events-and-consumer-api:
       {{- range .Values.global.imagePullSecrets }}
       - name: {{ . | quote }}
       {{- end }}
-  rootPath: "/univention/provisioning-api"
+  config:
-  ingress:
+    rootPath: "/univention/provisioning-api"
-    # copied from values-common.yaml.gotmpl
-    # Intentionally not using the Ingress configuration of the UMS stack at the
-    # moment, since it does depend on rewriting capabilities of the ingress
-    # controller. Those are encapsulated into the release "stack-gateway" so that
-    # the compatibility with all ingress controllers is increased.
-    enabled: false
-    host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
   resources:
-    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+    {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-    readOnlyRootFilesystem: false
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
   
-udm-listener:
+prefill:
   image: 
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
+    repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }}
     pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
+    tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }}
     pullSecrets:
       {{- range .Values.global.imagePullSecrets }}
       - name: {{ . | quote }}
       {{- end }}
-  config:
-    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-    ldapHost: {{ .Values.ldap.host | quote }}
-    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   resources:
-    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
+    {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-      add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    runAsUser: 0
-    runAsGroup: 0
-    runAsNonRoot: false
-    readOnlyRootFilesystem: false
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}
 
 nats:
-  global:
+  bundled: true
-    image:
+  nameOverride: ""
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  resources:
-      pullSecretNames: {{ .Values.global.imagePullSecrets }}
+    {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
-      registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }}
+
-  container:
+containerSecurityContext:
-    image:
+  allowPrivilegeEscalation: false
-      registry: {{ .Values.global.imageRegistry }}
+  capabilities:
-      repository: {{ .Values.images.umsProvisioningNats.repository | quote }}
+    drop:
-      tag: {{ .Values.images.umsProvisioningNats.tag | quote }}
+      - "ALL"
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  enabled: true
-  natsBox:
+  runAsUser: 1000
-    container:
+  runAsGroup: 1000
-      image:
+  seccompProfile:
-        registry: {{ .Values.global.imageRegistry }}
+    type: "RuntimeDefault"
-        repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }}
+  readOnlyRootFilesystem: true
-        tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }}
+  runAsNonRoot: true
-        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
-  reloader:
+podSecurityContext:
-    image:
+  enabled: true
-      repository: {{ .Values.images.umsProvisioningNatsReloader.repository | quote }}
+  fsGroup: 1000
-      tag: {{ .Values.images.umsProvisioningNatsReloader.tag | quote }}
+  fsGroupChangePolicy: "Always"
-      registry: {{ .Values.global.imageRegistry }}
+  sysctls:
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    - name: "net.ipv4.ip_unprivileged_port_start"
+      value: "1"
+
+
 
 ...

helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl

@@ -27,6 +27,10 @@ handler:
   imagePullSecrets: {{ .Values.global.imagePullSecrets }}
   appConfig:
     captchaProtectionEnable: false
+    deviceProtectionEnable: true
+    ipProtectionEnable: true
+    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+    newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
     smtpPassword: {{ .Values.smtp.password | quote }}
     smtpHost: {{ .Values.smtp.host | quote }}
     smtpPort: {{ .Values.smtp.port | quote }}
@@ -50,6 +54,8 @@ handler:
 postgresql:
   enabled: false
 proxy:
+  appConfig:
+    logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }}
     repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
@@ -71,6 +77,14 @@ proxy:
         path: "/resources"
       - pathType: "Prefix"
         path: "/fingerprintjs"
+      - pathType: "Exact"
+        path: "/univention/meta.json"
+        backend:
+          service:
+            name: "ums-stack-gateway"
+            port:
+              name: "http"
+
     enabled: {{ .Values.ingress.enabled }}
     ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"

helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl

@@ -25,7 +25,7 @@ config:
     user: {{ .Values.databases.keycloak.username | quote }}
     database: {{ .Values.databases.keycloak.name | quote }}
     password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
   enableMetrics: true
   # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
   # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl

@@ -280,12 +280,6 @@ serverBlock: |
       proxy_pass http://ums-portal-frontend:80/;
     }
 
-    ## ums-provisioning
-    location /univention/provisioning-api/ {
-      rewrite ^/univention/provisioning-api(/.*)$ $1 break;
-      proxy_pass http://ums-provisioning-events-and-consumer-api:80;
-    }
-
     ## guardian
     location /univention/guardian/management-ui {
       proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;

helmfile/environments/default/charts.yaml

@@ -86,7 +86,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "2.6.6"
+    version: "2.6.7"
     verify: true
     # @supplier: "openDesk"
 
@@ -98,7 +98,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "2.6.6"
+    version: "2.6.7"
     verify: true
     # @supplier: "openDesk"
 
@@ -160,7 +160,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neoboard-widget"
-    version: "3.4.1"
+    version: "3.5.0"
     verify: true
     # @supplier: "openDesk"
 
@@ -172,7 +172,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neochoice-widget"
-    version: "3.4.1"
+    version: "3.5.0"
     verify: true
     # @supplier: "openDesk"
 
@@ -184,7 +184,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-bot"
-    version: "3.4.1"
+    version: "3.5.0"
     verify: true
     # @supplier: "openDesk"
 
@@ -196,7 +196,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-widget"
-    version: "3.4.1"
+    version: "3.5.0"
     verify: true
     # @supplier: "openDesk"
 
@@ -208,7 +208,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
-    version: "2.6.6"
+    version: "2.6.7"
     verify: true
     # @supplier: "openDesk"
 
@@ -343,7 +343,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
     name: "opendesk-otterize"
-    version: "1.7.3"
+    version: "1.7.5"
     verify: true
     # @supplier: "openDesk"
 
@@ -405,7 +405,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "2.6.6"
+    version: "2.6.7"
     verify: true
     # @supplier: "openDesk"
 
@@ -417,7 +417,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "2.6.6"
+    version: "2.6.7"
     verify: true
     # @supplier: "openDesk"
 
@@ -429,7 +429,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "2.6.6"
+    version: "2.6.7"
     verify: true
     # @supplier: "openDesk"
 
@@ -483,7 +483,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ums-keycloak"
-    version: "1.0.3"
+    version: "1.0.5"
     verify: true
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -511,7 +511,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "keycloak-extensions"
-    version: "0.1.0"
+    version: "0.2.1"
     verify: true
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -623,7 +623,21 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "provisioning"
-    version: "0.9.5"
+    version: "0.14.0"
+    verify: true
+    # @supplier: "Univention"
+    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+    # @mirrorFrom: ['0', '9', '5']
+
+  umsProvisioningUdmListener:
+    # renovate:
+    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRepository=souvap/tooling/charts/univention/udm-listener
+    # dependencyType=supplier
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    name: "udm-listener"
+    version: "0.14.0"
     verify: true
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'

helmfile/environments/default/debug.yaml

@@ -14,6 +14,6 @@ debug:
   # should activate debug output in all components and even allow e.g. successfully executed jobs
   # to stay available. This is going to be implemented on a case by case basis when we actually
   # need debugging in a component.
-  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}`
+  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}`
   enabled: false
 ...

helmfile/environments/default/global.generated.yaml

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.5.78"
+    releaseVersion: "v0.5.79"
 ...

helmfile/environments/default/images.yaml

@@ -19,7 +19,7 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "23.05.9.1.1@sha256:9eeaf2795987d67cf6259f2942ea3318649fdf50beb939c895bef26a4c4dd146"
+    tag: "23.05.9.2.1@sha256:4cdf38a73cfa8771d8184137525511a887cd5eab9e75ed894cee9cf1006d95eb"
     # @supplier: "Collabora"
 
   cryptpad:
@@ -50,7 +50,7 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
-    tag: "1.8.2@sha256:0595292e824c039e9c088a845b3d49c6be93d46f9f99090783eb20cb1fc27227"
+    tag: "1.10.0@sha256:050f4fd6aafdf988033486f3e75545b664edb60163f6a639cb1209aec6ed9387"
     # @supplier: "Element"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '8', '0']
@@ -174,7 +174,7 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
-    tag: "1.4.0@sha256:da04d6c3c3e07ec1fcb6ecec245adc48897f107a2ab84c39d8924de951744d9f"
+    tag: "1.12.0@sha256:2b2913cef614f2a81faea1997d9372b01347dadc3100d574b766df997d5ef2d5"
     # @supplier: "Nordeck"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '4', '0']
@@ -198,7 +198,7 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-bot"
-    tag: "2.7.0@sha256:31e7b1fae0bdd3d712f8be1472f5b90dd567994c09a14aa5522a4ce94a1a7507"
+    tag: "2.8.0@sha256:db1d99c13a9facfd08a7da1d0a9c7c05715bad47110e93649ad6b389e462b42c"
     # @supplier: "Nordeck"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['2', '7', '0']
@@ -210,7 +210,7 @@ images:
     # dependencyType=supplier
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-widget"
-    tag: "1.6.0@sha256:d213a410d6fb92f63aafa26517a55ffded5cf47b5314dfadc6e28ce8ede4965f"
+    tag: "1.6.1@sha256:70bebd9293a977124a5da955e1a520381129d476d6414a083093c1b48a55dadd"
     # @supplier: "Nordeck"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '6', '0']
@@ -264,7 +264,7 @@ images:
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.13@sha256:874567579cbe8604e22caa06e8d5de42c74e41deda2d47bd6b50ab3898dd3dd7"
+    tag: "1.1.15@sha256:f8a2a08c44ad9f4941e34a5efb1010918e52df8ce0866848a00810ad34279a2e"
     # @supplier: "openDesk"
 
   nextcloudExporter:
@@ -284,7 +284,7 @@ images:
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.3.1@sha256:a4b781a6926ca4e7a4c9c58af7a46e93b74364f1fc5c2fd65de2bce17f8efc30"
+    tag: "1.3.5@sha256:790647d3424ab41cab1b0a7114a7737615b1772269699f9c3bcb078cba70d685"
     # @supplier: "openDesk"
 
   nextcloudPHP:
@@ -294,7 +294,7 @@ images:
     # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.8.1@sha256:4ad4a6ce6c8e01e1972fa19aae65b79d43aaf3f51083aa3c4302598fce2046c8"
+    tag: "1.8.4@sha256:d51ca3e22a493d6dd625cf9bfa40f96481ba36894a9d3eed1e082eadaef72c5c"
     # @supplier: "openDesk"
 
   opendeskKeycloakBootstrap:
@@ -762,68 +762,50 @@ images:
   umsProvisioningDispatcher:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/dispatcher
+    # upstreamRepository=souvap/tooling/images/univention/provisioning-dispatcher
     # dependencyType=supplier
-    registry: "registry.souvap-univention.de"
+    registry: "registry.opencode.de"
-    repository: "souvap/tooling/images/univention/dispatcher"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.11.1@sha256:e3f9f185c21ff893a654e0f08ebd6c59ce4d7513150cac530792ad656348ecfa"
+    tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '11', '1']
+    # @mirrorFrom: ['0', '14', '0']
 
   umsProvisioningEventsAndConsumerApi:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api
+    # upstreamRepository=souvap/tooling/images/univention/provisioning-events-and-consumer-api
     # dependencyType=supplier
-    registry: "registry.souvap-univention.de"
+    registry: "registry.opencode.de"
-    repository: "souvap/tooling/images/univention/events-and-consumer-api"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.11.1@sha256:c56c862e9687a9bcc0d3f808bf12b67fbc457cc1bb10d82505706572078282d6"
+    tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '11', '1']
+    # @mirrorFrom: ['0', '14', '0']
 
-  umsProvisioningNats:
+  umsProvisioningPrefill:
     # renovate:
-    # upstreamRegistry=registry-1.docker.io
+    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=library/nats
+    # upstreamRepository=souvap/tooling/images/univention/provisioning-prefill
-    # dependencyType=external
+    # dependencyType=supplier
-    registry: "registry-1.docker.io"
+    registry: "registry.opencode.de"
-    repository: "library/nats"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "2.10.5-alpine@sha256:85319e5e541b6f273dbffc722e001601f391028e004c90a4fadab53475789e79"
+    tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0"
-    # @supplier: "Univention"
-
-  umsProvisioningNatsBox:
-    # renovate:
-    # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=natsio/nats-box
-    # dependencyType=external
-    registry: "registry-1.docker.io"
-    repository: "natsio/nats-box"
-    tag: "0.14.1@sha256:a67913df95f1d5b265117e49e4c83228091d13d6783d80215ddcf84aba695ef4"
-    # @supplier: "Univention"
-
-  umsProvisioningNatsReloader:
-    # renovate:
-    # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=natsio/nats-server-config-reloader
-    # dependencyType=external
-    registry: "registry-1.docker.io"
-    repository: "natsio/nats-server-config-reloader"
-    tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
     # @supplier: "Univention"
+    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
+    # @mirrorFrom: ['0', '14', '0']
 
   umsProvisioningUdmListener:
     # renovate:
     # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/udm-listener
+    # upstreamRepository=souvap/tooling/images/univention/provisioning-udm-listener
     # dependencyType=supplier
-    registry: "registry.souvap-univention.de"
+    registry: "registry.opencode.de"
-    repository: "souvap/tooling/images/univention/udm-listener"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.11.1@sha256:27e01c9941d19a60ced4aeac84a64a4ef566d764302ac892256b9b5dc3d7548f"
+    tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5"
     # @supplier: "Univention"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '11', '1']
+    # @mirrorFrom: ['0', '14', '0']
 
   umsSelfserviceInvitation:
     # renovate:

helmfile/environments/default/objectstore.gotmpl

@@ -4,20 +4,28 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 objectstores:
+  nextcloud:
+    bucket: "nextcloud"
+    endpoint: ""
+    region: "eu-west-1"
+    secretKey: ""
+    username: "nextcloud_user"
+    storageClass: "STANDARD"
+    useSSL: true
+    pathStyle: true
+    port: 443
   openproject:
-    backend: "minio"
     bucket: "openproject"
     endpoint: ""
-    region: ""
+    region: "eu-west-1"
-    secret: ""
+    secretKey: ""
     username: "openproject_user"
+    pathStyle: true
     useIAMProfile: ""
   univentionManagementStack:
-    backend: "minio"
     bucket: "ums"
     endpoint: ""
-    region: ""
+    region: "eu-west-1"
-    secret: ""
+    secretKey: ""
     username: "ums_user"
-    useIAMProfile: ""
 ...

helmfile/environments/default/resources.yaml

@@ -431,7 +431,35 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsProvisioning:
+  umsProvisioningEventsAndConsumerApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningDispatcher:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningPrefill:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningUdmListener:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningNats:
     limits:
       cpu: 99
       memory: "1Gi"