chore(release): 0.7.0 [skip ci]

# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)

### Bug Fixes

* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](3dc648421b))
* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](b9ac5ecf2d))
* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](e9ec2f3a6e))
* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](2ad027082f))
* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](9be3b78761))
* **univention-management-stack:** Objectstore credentials ([d1bd43f](d1bd43fa95))
* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](fefd2f6cae))
* **univention-management-stack:** Use the NATS related image configuration ([cd22570](cd225703eb))

### Features

* **element:** Add support for Matrix federation ([36139b4](36139b42f1))
* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](e6fe2a7c18))
* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](c7e217208c))

.gitlab-ci.yml

@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
@@ -11,6 +12,7 @@ include:
   - local: "/.gitlab/generate/generate-docs.yml"
   - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     file: "gitlab/environments.yaml"
+    ref: "main"
   - local: "/.gitlab/lint/lint-opendesk.yml"
     rules:
       - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
@@ -18,7 +20,7 @@ include:
       - when: "always"
   - local: "/.gitlab/lint/lint-kyverno.yml"
     rules:
-      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|triggers'"
         when: "never"
       - when: "always"
 
@@ -26,15 +28,15 @@ stages:
   - ".pre"
   - "scan"
   - "automr"
-  - "lint"
   - "env-cleanup"
   - "env"
+  - "pre-services-deploy"
   - "basic-services-deploy"
   - "component-deploy-stage-1"
   - "component-deploy-stage-2"
+  - "lint"
   - "tests"
   - "env-stop"
-  - "generate-release-assets"
   - ".post"
 
 variables:
@@ -42,14 +44,23 @@ variables:
     description: "The name of namespaces to deploy to."
     value: ""
   CLUSTER:
-    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
-      sovereign-workplace-env included above."
+    description: "Which cluster to use. Cluster must be defined in `gitlab/environments.yaml` of the
+        repo that is included above using the env var `PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG`:
+        ${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     value: "dev"
   MASTER_PASSWORD_WEB_VAR:
-    description: "Optional: Provide a passphrase to be used for password generation."
+    description: >
+      Optional: Provide a seed to be used for generation of all internal secrets.
+      Same seed will result in same secrets.
     value: ""
   ENV_STOP_BEFORE:
-    description: "Stop environment/delete namespace for the deployment"
+    description: "Stop environment/delete namespace for the deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
+  DEBUG_ENABLED:
+    description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
     value: "no"
     options:
       - "yes"
@@ -157,7 +168,7 @@ variables:
       fi;
     - >
       echo "Installing ${COMPONENT} into ${NAMESPACE} namespace as ${HELMFILE_ENVIRONMENT} environment on ${CLUSTER}"
-    - "helmfile --namespace ${NAMESPACE} apply --suppress-diff"
+    - "helmfile --namespace ${NAMESPACE} apply --suppress-diff ${ADDITIONAL_ARGS}"
   tags:
     - "docker"
     - "kubernetes"
@@ -214,6 +225,19 @@ env-start:
       --dry-run=client -o yaml | kubectl apply -f -
   stage: "env"
 
+policies-deploy:
+  stage: "pre-services-deploy"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "services"
+    ADDITIONAL_ARGS: "-l name=opendesk-otterize"
+
 services-deploy:
   stage: "basic-services-deploy"
   extends: ".deploy-common"
@@ -452,7 +476,7 @@ avscan-prepare:
           $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
       when: "always"
     - when: "never"
-  image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/mikefarah/yq"
   script:
     - |
       cat << 'EOF' > dynamic-scans.yml
@@ -508,34 +532,6 @@ avscan-start:
         job: "avscan-prepare"
     strategy: "depend"
 
-generate-release-assets:
-  stage: "generate-release-assets"
-  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
-  rules:
-    - if: >
-        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
-      when: "on_success"
-    - when: "never"
-  script:
-    - |
-      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
-      cd opendesk-asset-generator
-      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
-      ./opendesk_asset_generator.py
-      mv ./build_artefacts ${CI_PROJECT_DIR}
-      cd ..
-      rm -rf opendesk-asset-generator
-      ls -l ./build_artefacts
-  artifacts:
-    paths:
-      - "./build_artefacts/chart-index.json"
-      - "./build_artefacts/image-index.json"
-  tags: []
-  variables:
-    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
-
 # Declare .environments which is in environments repository. In case it is not available
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
@@ -574,8 +570,6 @@ generate-release-version:
       when: "on_success"
 
 release:
-  dependencies:
-    - "generate-release-assets"
   rules:
     - if: >
         $JOB_AVSCAN_ENABLED != 'false' &&
@@ -596,7 +590,7 @@ release:
     - |
       echo -e "\n[INFO] Writing data to helm value file..."
       cat <<EOF >helmfile/environments/default/global.generated.yaml
-      # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+      # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
       # SPDX-License-Identifier: Apache-2.0
       ---
       global:
@@ -609,16 +603,7 @@ release:
       {
         "branches": ["main"],
         "plugins": [
-          ["@semantic-release/gitlab",
-            {
-              "assets": [
-                { "path": "./build_artefacts/chart-index.json",
-                  "label": "Chart Index JSON" },
-                { "path": "./build_artefacts/image-index.json",
-                  "label": "Image Index JSON" },
-              ]
-            }
-          ],
+          "@semantic-release/gitlab",
           "@semantic-release/release-notes-generator",
           "@semantic-release/changelog",
           ["@semantic-release/git", {
@@ -637,6 +622,5 @@ release:
       EOF
     - "semantic-release"
   needs:
-    - "generate-release-assets"
     - "generate-docs"
 ...

CHANGELOG.md

@@ -1,3 +1,88 @@
+# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)
+
+
+### Bug Fixes
+
+* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3dc648421b80d4e170a11792604be127a3960c0e))
+* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b9ac5ecf2def57bba0070f1c2f4a01449808f106))
+* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e9ec2f3a6e51975ccdbd6d3575b5fc6a909502aa))
+* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2ad027082f4cb958d68d7728d8db05f786dba0f0))
+* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9be3b78761610db0274572d5a7c526aa34d0615f))
+* **univention-management-stack:** Objectstore credentials ([d1bd43f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d1bd43fa957accdb70f0cda69983e0490ac6cfa0))
+* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fefd2f6cae3617ba1f00ef0c5fa3a80cde1d6ba1))
+* **univention-management-stack:** Use the NATS related image configuration ([cd22570](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd225703ebe67bc78faa878080639dd7cc1845a9))
+
+
+### Features
+
+* **element:** Add support for Matrix federation ([36139b4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/36139b42f1df9785b8414059bf70dc3e37616e8a))
+* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e6fe2a7c18581f637d6bd4d0553d558f753dadd2))
+* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c7e217208c4cb812cc23f9aa5ea42fcb77ea7c3a))
+
+# [0.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.81...v0.6.0) (2024-04-11)
+
+
+### Bug Fixes
+
+* **helmfile:** Improve support for external Objectstore, and fix issue with DoveCot storageClassName ([1b748b6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1b748b6bf63d75fc5232c90407a3fa885c2dd3c8)), closes [#57](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/57) [#60](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/60) [#56](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/56)
+* **nextcloud:** Bump to 28.0.4 ([cb33a92](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cb33a929ef7c13a9a578e56a631951292d14d0e4))
+* **univention-management-stack:** add Guardian provisioning job image ([79c52d0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/79c52d014cec188d010a2827bb63b2635abafb2c))
+* **univention-management-stack:** Update UMC to 0.11.8 ([5e3f4fa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5e3f4faade2ea02e51f260d1d614296a6a484848))
+* **univention-management-stack:** Use umbrella helm chart ([10ecb44](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/10ecb44aa675d2f139aaec6fe8d4246fa1d3dd40))
+* **xwiki:** Bump to 15.10.8 and enable OIDC backchannel logout ([c395d35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c395d35dd77bbec5e6b7d01768533f87af843560))
+
+
+### Features
+
+* **open-xchange:** Bump to 8.23 and remove Istio prerequisite ([3be3564](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3be3564ec7168a1a2d72b58f11da84e89e81911d))
+
+## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28)
+
+
+### Bug Fixes
+
+* **docs:** Various updates ([50e2638](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/50e263866be8b51ef295ebf8025c3117821a2b6c))
+* **element:** Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([0fd4a26](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0fd4a26c711fb345b79cdff1c775d7ef20335768))
+* **helmfile:** Fix OpenAPI validations for Kubernetes v1.28 ([0aa4cfb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0aa4cfb46f793369a472a736b28eea834a545439))
+* **nextcloud:** Bump to 28.0.3 ([34d2c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/34d2c059596466f8f7d6d09c2855c595391a7e0d))
+* **nextcloud:** Rename default shared folder to `__Shared_with_me__` ([5f9d015](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5f9d015f0b98579d652fd4172e74835ed67ccf11))
+* **open-xchange:** Bump to 8.22 ([5ebf291](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5ebf291a4dbe88a09c0afe2befa6140ad33bf30b))
+* **openproject:** Bump OpenProject to 13.4.0 ([d565c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d565c057ddb7b348f7a829e0f931b1ea448b454b))
+* **openproject:** Bump version to 13.4.1 ([7cc3964](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7cc39647d89538630bac9caa158c47b5cb8d2c45))
+* **services:** Update Otterize Policies ([42f63e3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/42f63e399230495c83f934e07beb9fc950ef5e29))
+* **univention-management-stack:** Add missing authenticator secret mount to portal-server ([5a39e87](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5a39e8725b6454591f552f87f12535201e52df7c))
+* **univention-management-stack:** Update LDAP server for BSI base security compliance ([8e889db](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8e889db63eaf05b24cc23838545f63d969232c65))
+* **univention-management-stack:** Update ldap-notifier and ldap-server ([a41ddd5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a41ddd5451a9fbd3c6319827fee3eaffbd931271))
+* **univention-management-stack:** Update provisioning charts, images and helm value to add authentication ([8c97bcf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8c97bcf994487281ae94e6d66c73f4a11c08a0be))
+
+## [0.5.80](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.79...v0.5.80) (2024-03-11)
+
+
+### Bug Fixes
+
+* **ci:** Remove creation of release artefacts, use the `images.yaml` and `charts.yaml` in `./helmfile/environments/default` for information about the artefacts instead. ([ee99eef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ee99eefb72d3207866ffd1b3bd21a36bd55ad288))
+* **collabora:** Bump image to 23.05.9.4.1 ([9c32058](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9c32058fcc21a14e9e66a46064ea044402638920))
+* **docs:** Add development.md and refactor `images.yaml` and `charts.yaml` ([a2b333b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a2b333b46277a4bb86b75ca04edb64e69efff916))
+* **helmfile:** YAML handling of seLinuxOptions and align overall `toYaml` syntax ([011ad2c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/011ad2cd6bfe552e04a598452e8814d4d1029152))
+* **nextcloud:** Update images digests ([bc18724](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc18724d70ffff749d5192487944e62233cf4376))
+* **openproject:** Bump to 13.3.1 ([7ee9e47](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ee9e47e8269334294c80093a359b247d86f5d62))
+
+## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29)
+
+
+### Bug Fixes
+
+* **collabora:** Bump image to 23.05.9.2.1 ([f4b8226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f4b8226ea13971a38d61145ea9ac3821bc35f6b3))
+* **collabora:** Fix aliasgroups configuration whitelisting the Nextcloud host ([8b065fd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8b065fd9d789cdd597a584937fefaae40f42bba2))
+* **docs:** Update version numbers of functional components for release in README.md ([31e5cf3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31e5cf317ca7cd84a94cf42d57d0964152904471))
+* **element:** Provide end-to-end encryption as user controlled option ([3d31127](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3d31127a6ab0fa1d3af02695b521db5918932279))
+* **helmfile:** Enhance objectore environment variables to allow external Object Store ([d444226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d4442261aa141e21222dc13407023b96570d055f))
+* **helmfile:** Set debuglevel to WARN instead of INFO when debug is not enabled. ([2efceef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2efceef076beb06a3719859d7f4e2f0d03b99f44))
+* **nextcloud:** Bump images to enable password_policy and fix email with groupware ([8807b24](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8807b24ce09e59aaea39c349e9e12ee2a44a117a))
+* **univention-management-stack:** Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([2023d5b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2023d5bce4642f794831670713b1a2520a0419d6))
+* **univention-management-stack:** Provisioning version bump ([410a023](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/410a0237149a5e41434c09795959bc53e57fb4ca))
+* **univention-management-stack:** Template more Keycloak Extension values incl. logLevel ([7ec123b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ec123b9a174c8dade1fe9f6679796979749efab))
+
 ## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23)
 
 

README.md

@@ -1,5 +1,5 @@
 <!--
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
 
@@ -11,6 +11,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Requirements](#requirements)
 * [Getting started](#getting-started)
 * [Advanced customization](#advanced-customization)
+* [Development](#development)
 * [Releases](#releases)
 * [Components](#components)
 * [Feedback](#feedback)
@@ -26,17 +27,17 @@ Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
 
 openDesk currently features the following functional main components:
 
-| Function             | Functional Component        | Component<br/>Version | Upstream Documentation |
-| -------------------- | --------------------------- | --------------------- | ----------------- |
-| Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
-| Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
-| File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
-| Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
-| Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
-| Portal & IAM         | Nubus                       | Product Preview[^1]   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
-| Project management   | OpenProject                 | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
-| Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
-| Weboffice            | Collabora                   | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
+| Function             | Functional Component        | Component<br/>Version                                                                                          | Upstream Documentation                                                                                                                       |
+| -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59)                                 | [For the most recent release](https://element.io/user-guide)                                                                                 |
+| Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
+| File management      | Nextcloud                   | [28.0.4](https://nextcloud.com/de/changelog/#28-0-4)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
+| Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
+| Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
+| Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
+| Project management   | OpenProject                 | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
+| Weboffice            | Collabora                   | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practises regarding container design and operations.
@@ -76,6 +77,10 @@ Of course, further development also includes enhancing the documentation itself.
 - [Monitoring](./docs/monitoring.md)
 - [Theming](./docs/theming.md)
 
+# Development
+
+⟶ To understand the repository contents from a developer perspective please read the [Development](./docs/development.md) guide.
+
 # Releases
 
 All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
@@ -84,9 +89,10 @@ Gitlab provides an
 [overview on the releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 of this project.
 
-The following release artefacts are provided beside the default source code assets:
-- `chart-index.json`: An overview of all Helm charts used by the release.
-- `image-index.json`: An overview of all container images used by the release.
+Please find a list of the artefacts related to the release either in the source code archive attached to the release or
+in the files from the release's git-tag:
+- `./helmfile/environments/default/images.yaml`
+- `./helmfile/environments/default/charts.yaml`
 
 ⟶ Visit our detailed [Workflow](./docs/workflow.md) docs.
 
@@ -102,7 +108,7 @@ Related to the deployment / contents of this repository,
 please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
 
 If you want to address other topics, please check the section
-["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
+["Rückmeldungen und Beteiligung" in the OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung) of the [openDesk Info Repository](https://gitlab.opencode.de/bmi/opendesk/info).
 
 # License
 

docs/ci.md

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 -->
 <h1>CI/CD</h1>
 
-This page will cover openDesk automation via Gitlab CI.
+This page covers openDesk deployment automation via Gitlab CI.
 
 <!-- TOC -->
 * [Deployment](#deployment)
@@ -13,30 +13,31 @@ This page will cover openDesk automation via Gitlab CI.
 
 # Deployment
 
-The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
+The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a GitLab instance of your choice.
 
 
-When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
+When starting the pipeline through the GitLab UI, you will be queried for some variables plus the following ones:
 
 - `DOMAIN` = The domain to deploy to.
-- `ISTIO_DOMAIN` = istio.`DOMAIN`
-- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
+- `MAIL_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Mail, defaults to `DOMAIN`.
+- `SYNAPSE_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Synapse, defaults to `DOMAIN`.
+- `NAMESPACE`: Defines into which namespace of your K8s cluster openDesk will be installed
 - `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
 
 Based on your input, the following variables will be set:
 - `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
   is not set, the default for `MASTER_PASSWORD` will be used, unless you set
-  `MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
+  `MASTER_PASSWORD` as a masked CI/CD variable in GitLab to supersede the default.
 
-You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
+You might want to set credential variables in the GitLab project at `Settings` > `CI/CD` > `Variables`.
 
 # Tests
 
-The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
+The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
 The `DEPLOY_`-variables are used to determine which components should be tested.
-In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
 
-If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
+If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
 `TESTS_BRANCH` while creating a new pipeline.

docs/components.md

@@ -1,5 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Components</h1>
@@ -34,7 +35,6 @@ they need to be replaced in production deployments.
 | ClamAV (Simple)             | Antivirus engine               | Eval       |
 | Collabora                   | Weboffice                      | Functional |
 | CryptPad                    | Weboffice                      | Functional |
-| Dovecot                     | Mail backend                   | Functional |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
@@ -44,7 +44,8 @@ they need to be replaced in production deployments.
 | Nextcloud                   | File share                     | Functional |
 | OpenProject                 | Project management             | Functional |
 | OX Appsuite                 | Groupware                      | Functional |
-| Provisioning                | Backend provisioning           | Functional |
+| OX Dovecot                  | Mail backend (IMAP)            | Functional |
+| Provisioning (OX Connector) | Groupware provisioning         | Functional |
 | Postfix                     | MTA                            | Eval       |
 | PostgreSQL                  | Database                       | Eval       |
 | Redis                       | Cache Database                 | Eval       |
@@ -73,7 +74,7 @@ flowchart TD
 
 ## Intercom Service (ICS)
 
-The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
+The Univention Intercom Service's role is to enable cross-application integration based on browser interaction.
 Handling authentication when the frontend of an application is using the API from another application is often a
 challenge.
 For more details on the ICS please refer to its own [doc](./components/intercom-service.md).
@@ -113,8 +114,13 @@ The Filestore can be enabled on a per-project level in OpenProject's project adm
 # Identity data flows
 
 An overview of
-- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
-- components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.
+- components that consume the LDAP service.
+  - The components accessing the LDAP using a component specific LDAP search account.
+- components using Univention Keycloak as identity provider (IdP).
+  - If not otherwise denoted the components make use of OAuth2 / OIDC flows.
+  - All components have a client configured in Keycloak, except for Jitsi which is using authentication with the
+    [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) that does not
+    require an OIDC client to be configured in Keycloak.
 
 Some components trust others to handle authentication for them.
 

docs/debugging.md

@@ -6,6 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 
 * [Disclaimer](#disclaimer)
 * [Enable debugging](#enable-debugging)
+* [Adding containers to a pod for debugging purposes](#adding-containers-to-a-pod-for-debugging-purposes)
+  * [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
+  * [Temporary/ephemeral containers](#temporaryephemeral-containers)
 * [Components](#components)
   * [MariaDB](#mariadb)
   * [Nextcloud](#nextcloud)
@@ -35,6 +38,94 @@ and set the loglevel for components to "Debug".
 
 **Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
 
+# Adding containers to a pod for debugging purposes
+
+During test or development you come across the need to execute tools, browse or even change things in the filesystem of another container.
+
+This can be a challenge the more security hardened container images are, because there are no debugging tools available and sometimes not even a shell.
+
+Adding a container to a Pod can ease the pain.
+
+Below you will find some wrap-up notes when it comes to debugging openDesk by adding debug containers. Of course there are a lot of more detailled resources out in the wild.
+
+## Adding a container to a pod/deployment - Dev/Test only
+
+You can add a container by editing and updating an existing deployment, which is quite comforable with tools like [Lens](https://k8slens.dev/).
+
+- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
+- Ensure the `shareProcessNamespace` option is enabled for the Pod.
+- Reference the selected container within the `containers` array of the deployment.
+- In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
+- Save & update the deployment.
+
+The following example can e.g. be used to debug the `openDesk-Nextcloud-PHP` container, in case you want to modify files, don't forget to set `readOnlyRootFilesystem` to `true` on the PHP container.
+
+```
+      shareProcessNamespace: true
+      containers:
+        - name: debugging
+          image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+          command: ["/bin/bash", "-c", "while true; do echo 'This is a temporary container for debugging'; sleep 5 ; done"]
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            runAsUser: 65532
+            runAsGroup: 65532
+            runAsNonRoot: true
+            readOnlyRootFilesystem: false
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+```
+
+- After the deployment was reloaded open the shell of the debugging container.
+- When you've been successful you will see the processes of both/all containers in the pod when doing a `ps aux`.
+- To access another containers filesystem just select the PID of a process from the other container an do a `cd /proc/<selected_process_id>/root`
+
+## Temporary/ephemeral containers
+
+Interesting read we picked most of the details below from: https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/
+
+Sometimes you do not want to add a container permanently to your existing deployment. In that case you could use [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/).
+
+For the commands further down this section we set some environment variables first:
+- `NAMESPACE`: The namespace the Pod you want to inspects is running in.
+- `DEPLOYMENT_NAME`: The name of the deployment responsible for spawning the Pod you want to inspect within the prementioned namespace.
+- `POD_NAME`: The name of the Pod you want to inspect within the prementioned namespace.
+- `EPH_CONTAINER_NAME`: Chose the name for the container, "debugging" seem obvious.
+- `DEBUG_IMAGE`: The image you want to make use of for debugging purposes.
+
+e.g.
+
+```
+export EPH_CONTAINER_NAME=debugging
+export NAMESPACE=my_testdeployment
+export DEPLOYMENT_NAME=opendesk-nextcloud-php
+export POD_NAME=opendesk-nextcloud-php-6686d47cfb-7vtmf
+export DEBUG_IMAGE=registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+```
+
+You still need to ensure that your deployment supports process namespace sharing:
+
+```
+kubectl -n ${NAMESPACE} patch deployment ${DEPLOYMENT_NAME} --patch '
+spec:
+  template:
+    spec:
+      shareProcessNamespace: true'
+```
+
+Now you can add the ephemeral container with:
+```
+kubectl -n ${NAMESPACE} debug -it --attach=false -c ${EPH_CONTAINER_NAME} --image={DEBUG_IMAGE} ${POD_NAME}
+```
+and open it's interactive terminal with
+```
+kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
+```
+
 # Components
 
 ## MariaDB

docs/development.md

@@ -0,0 +1,142 @@
+<!--
+SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Developing openDesk deployment automation</h1>
+
+Active development on the deployment is currently only available for project members.
+But contributions will be possible soon once the CLA process is sorted out.
+
+* [Overview](#overview)
+* [Default branch, `develop` and other branches](#default-branch-develop-and-other-branches)
+* [External artefacts - `charts.yaml` and `images.yaml`](#external-artefacts---chartsyaml-and-imagesyaml)
+  * [Linting](#linting)
+  * [Renovate](#renovate)
+  * [Mirroring](#mirroring)
+    * [Get new artefacts mirrored](#get-new-artefacts-mirrored)
+* [Creating new charts / images](#creating-new-charts--images)
+
+# Overview
+
+The following sketch provides an high level overview to get a basic understanding of the deployment relevant
+structure of this repository. An understanding of that structure is vital if you want to contribute to
+the development of the deployment automation of openDesk.
+
+```mermaid
+flowchart TD
+    A[./helmfile.yaml]-->B[./helmfile/apps/*all_configured_apps*/helmfile.yaml\nReferences the relevant app Helm\ncharts using details from 'charts.yaml']
+    B-->C[./values-*all_configured_components*.yaml.gotmpl\nValues to template the charts\nwith references to the `images.yaml`]
+    A-->D[./helmfile/environments/default/*\nwith just some examples below]
+    D-->F[charts.yaml]
+    D-->G[images.yaml]
+    D-->H[global.*]
+    D-->I[secrets.yaml\nreplicas.yaml\nresources.yaml\n...]
+    A-->|overwrite defaults with your\ndeployment/environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
+```
+
+The `helmfile.yaml` in the root folder is the basis for the whole deployment. It references the app specific `helmfile.yaml` files as well as some
+global values files in `./environments/default`. It allows you to overwrite defaults by using one of the three predefined environments `dev`, `test`
+and `prod`.
+
+Before you look into any app specifc configuration it is recommended to review the contents of `./environments/default` to get an understanding of what
+details are maintained in there, as they are usually referenced by the app configurations.
+
+# Default branch, `develop` and other branches
+
+The `main` branch is configured to be the default branch, as visitors of the project on Open CoDE should see that
+branch by default.
+
+Please use the `develop` branch to diverge your own branch(es) from. See the [workflow guide](./workflow.md)
+for more details on naming conventions.
+
+There is a CI bot that automatically creates a merge request once you initially pushed your branch to Open CoDE.
+The merge request will of course target the `develop` branch, be in status `draft` and have you as assignee.
+
+In case you do not plan to actually merge from the branch you have pushed, please close or delete the autocreated MR.
+
+# External artefacts - `charts.yaml` and `images.yaml`
+
+The `charts.yaml` and `images.yaml` are the central place to reference external artefacts that are used for the deployment.
+
+Beside the deployment automation itself some tools work with the contents of the files:
+
+- **Linting**: Ensures consistency of the file contents for the other tools.
+- **Renovate**: Automatically create MRs that update the components to their latest version.
+- **Mirror**: Mirror artefacts to Open CoDE.
+
+Please find details on these tools below.
+
+## Linting
+
+In the project's CI there is a step dedicated to lint the two yaml files, as we want them to be in
+- alphabetical order regarding the components and
+- in a logical order regarding the non-commented lines (registry > repository > tag).
+
+In the linting step the [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli) is used to apply the
+just mentioned sorting and the result is compared with the unsorted version. If there is a delta the linting fails and you probably
+want to fix it by running the CLI tool locally.
+
+**Note**: Please ensure that in component blocks you use comments only at the beginning of the block or at its end. Ideally you just stick
+with the many available examples in the yaml files.
+
+Example:
+```
+  synapse:
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Element'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'matrixdotorg/synapse'
+    # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['1', '91', '2']
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
+    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
+```
+
+## Renovate
+
+Uses a regular expression to match the values of the following attributes:
+
+- `registry`
+- `repository`
+- `tag`
+
+Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).
+
+## Mirroring
+
+- See also: https://gitlab.opencode.de/bmi/opendesk/tooling/oci-pull-mirror
+
+**Note:** The mirror is scheduled to run every hour at 42 minutes past the hour.
+
+openDesk strives to make all relevant artefacts available on Open CoDE so there is the mirroring process
+configured to pull artefacts that do not originate from Open CoDE into projects called `*-Mirror` within the
+[openDesk Components section](https://gitlab.opencode.de/bmi/opendesk/components).
+
+The mirror script takes the information on what artefacts to mirror from the annotation inside the two yaml files:
+- `# upstreamRegistry` *required*: To identify the source registry
+- `# upstreamRepository` *required*: To identify the source repository
+- `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression.
+- `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artefacts beginning with a specific version. You must use capturing groups
+  in `# upstreamMirrorTagFilterRegEx` to identify the single numeric elements of the version within the tag and use per capturing group (left to right) one numeric array
+  element here to define the version the mirror should start with.
+
+### Get new artefacts mirrored
+
+If you want new images or charts to be mirrored that are not yet included in one of the yaml files there are two options:
+
+You include them in your branch with all required annotations and either
+1. ask somebody from the platform development team to trigger the mirror's CI based on your branch or
+2. you get your branch merged to `develop` already.
+
+# Creating new charts / images
+
+When you create new Helm charts please check out the
+[openDesk Best Practises](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-best-practises)
+for Helm charts.
+
+You may also want to make use of our [standard CI](https://gitlab.opencode.de/bmi/opendesk/tooling/gitlab-config) to
+easily get Charts and Images that are signed, linted, scanned and released.
+Check out the `.gitlab-ci.yaml` files in the project's [Charts](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts) or [Images](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images) to get an idea how little you need to do yourself.

docs/getting-started.md

@@ -10,6 +10,7 @@ This documentation should enable you to create your own evaluation instance of o
 <!-- TOC -->
 * [Requirements](#requirements)
 * [Customize environment](#customize-environment)
+  * [DNS](#dns)
   * [Domain](#domain)
     * [Apps](#apps)
   * [Private registries](#private-registries)
@@ -49,10 +50,24 @@ files.
 For the following guide, we will use `dev` as environment, where variables can be set in
 `helmfile/environments/dev/values.yaml`.
 
-## Domain
+## DNS
 
-The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
-`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
+The deployment is designed to deploy each application/service under a dedicated subdomain.
+For your convenience, we recommend to create a `*.domain.tld` A-Record to your cluster ingress controller,
+otherwise you need to create an A-Record for each subdomain.
+
+| Record name             | Type | Value                                              | Additional information                                                                  |
+| ----------------------- | ---- | -------------------------------------------------- | --------------------------------------------------------------------------------------- |
+| *.domain.tld            | A    | IPv4 address of your Ingress Controller            |                                                                                         |
+| *.domain.tld            | AAAA | IPv6 address of your Ingress Controller            |                                                                                         |
+| mail.domain.tld         | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                        |
+| mail.domain.tld         | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                        |
+| domain.tld              | MX   | `10 mail.domain.tld`                               |                                                                                         |
+| domain.tld              | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                                              |
+| _dmarc.domain.tld       | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                                                |
+| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | The `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service. |
+
+## Domain
 
 A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
 
@@ -68,29 +83,49 @@ The domain have to be set either via `dev` environment
 
 ```yaml
 global:
-  domain: "my.open.desk"
-istio:
-  domain: "istio.my.open.desk"
+  domain: "domain.tld"
 ```
 
 or via environment variable
 
 ```shell
-export DOMAIN=my.open.desk
-export ISTIO_DOMAIN=istio.my.open.desk
+export DOMAIN=domain.tld
 ```
 
-When you configure each subdomain individually, you can set `global.domain` and `istio.domain` to the same value.
+Additionally, you can announce/specify an alternative domain for mail and chat.
 
-Istio is only used for Open-Xchange Appsuite 8, when you don't want to install it, you can disable Istio:
+As an example, if your domain is `domain.tld` and you want to send mails with this domain, then you can deploy openDesk to
+`*.opendesk.domain.tld` and send mail as `default.user@domain.tld`.
+Webmail will be accessed via `mail.opendesk.domain.tld` in this scenario.
+The required routing have to be implemented by yourself.
+
+The alternative domains have to be set either via `dev` environment
 
 ```yaml
-istio:
-  enabled: false
-oxAppsuite:
-  enabled: false
+global:
+  mailDomain: "open.desk"
+  synapseDomain: "open.desk"
 ```
 
+or via environment variable
+
+```shell
+export MAIL_DOMAIN=open.desk
+export SYNAPSE_DOMAIN=open.desk
+```
+
+If you want to federate with other Matrix instances, you need to add an SRV record to signal Matrix delegation.
+
+| Record name                    | Type | Value                     |
+|--------------------------------|------|---------------------------|
+| _matrix._tcp.SYNAPSE_DOMAIN    | SRV  | `1 10 PORT matrix.DOMAIN` |
+| matrix-fed._tcp.SYNAPSE_DOMAIN | SRV  | `1 10 PORT matrix.DOMAIN` |
+| MAIL_DOMAIN                    | MX   | `10 mail.domain.tld`    |
+
+_Hint:_ Replace `SYNAPSE_DOMAIN`, `MAIL_DOMAIN` and `DOMAIN` with proper values of your domain settings.
+
+_Hint:_ `matrix.DOMAIN` can also be an IP address where synapse tls port is listening to.
+
 ### Apps
 
 All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.

docs/requirements.md

@@ -28,7 +28,6 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
-- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8
 
 # Hardware
 
@@ -56,12 +55,8 @@ configured ingress controller deployed.
 
 **Maintained controllers:**
 - [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress)
-- [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
-
-**Community Supported:**
 - [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx)
-
-When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/)
+- [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
 
 # Volume provisioner
 
@@ -82,7 +77,6 @@ openDesk certificate management disabled.
 
 Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
 
-
 | Group    | Type                | Version | Tested against        |
 |----------|---------------------|---------|-----------------------|
 | Cache    | Memached            | `1.6.x` | Memached              |

docs/workflow.md

@@ -1,5 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 
@@ -139,17 +140,19 @@ As a standard, the openDesk platform development team uses [reuse.software](http
 
 openDesk uses Apache 2.0 as the license for their work. A typical reuse copyright and license header looks like this:
 ```
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ```
 As the way to mark the license header as a comment differs between the various filetypes, please find matching examples for the types all across the [deployment automation repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace).
 
+**Remark**: If there is already an existing `SPDX-FileCopyrightText` please just add the one from the above example.
+
 ## Development workflow
 
 ### Disclaimer
 
 openDesk consists only of community products, so there is no SLA to receive service updates or backports of critical security fixes. This has two consequences:
-- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backend paid versions.
+- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backed paid versions.
 - openDesk aims to always update to the latest available releases of the community components and we therefore have rolling technical releases.
 
 ### Workflow
@@ -225,22 +228,28 @@ gitGraph
 
 The Standard Quality Gate addresses quality assurance steps that should be executed within each of the mentioned quality gates in the workflow.
 
+1. Linting
+   - Blocking
+     - Licening: [reuse](https://github.com/fsfe/reuse-tool)
+     - openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in the [development](./development.md) docu
+   - Non Blocking
+     - Security: [Kyverno policy check](../.kyverno) addressing some IT-Grundschutz requirements
+     - Formal: Yaml
 1. Deploy the full openDesk stack from scratch:
    - All deployment steps must be successful (green)
    - All tests from the end-to-end test set must be successful
-2. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
+1. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
    - Deploy the current merge target baseline (`develop` or `main`)
    - Update deploy from your QA branch into the instance from the previous step
-3. No showstopper found regarding
+1. No showstopper found regarding
    - SBOM compliance[^4]
    - Malware check
    - CVE check[^5]
    - Kubescape scan[^5]
-   - Kyverno policy check (also covering some basic requirements from IT-Grundschutz)[^5]
 
-Steps #1 and #2 from above are executed as GitLab CI and therefore documented within GitLab.
+Steps #1 to #3 from above are executed as GitLab CI and therefore documented within GitLab.
 
-Step #3 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
+Step #4 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
 
 ```mermaid
 flowchart TD

helmfile/apps/collabora/values.yaml.gotmpl

@@ -11,7 +11,7 @@ collabora:
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:
-    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
+    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 
 fullnameOverride: "collabora"
 
@@ -19,9 +19,9 @@ grafana:
   dashboards:
     enabled: {{ .Values.grafana.dashboards.enabled }}
     labels:
-      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
+      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
     annotations:
-      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
+      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
 
 image:
   repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -90,11 +90,11 @@ prometheus:
   servicemonitor:
     enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
     labels:
-      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
   rules:
     enabled: {{ .Values.prometheus.prometheusRules.enabled }}
     additionalLabels:
-      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
+      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
 
 replicaCount: {{ .Values.replicas.collabora }}
 
@@ -126,7 +126,8 @@ securityContext:
       - "NET_RAW"
       - "SYS_CHROOT"
       - "MKNOD"
-  seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}
 serviceAccount:
   create: true
 ...

helmfile/apps/cryptpad/values.yaml.gotmpl

@@ -70,7 +70,8 @@ securityContext:
   runAsNonRoot: true
   runAsUser: 4001
   runAsGroup: 4001
-  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.cryptpad | toYaml | nindent 4 }}
 
 serviceAccount:
   create: true

helmfile/apps/element/values-element.yaml.gotmpl

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
-  endToEndEncryption: false
+  endToEndEncryption: true
   additionalConfiguration:
     logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
 
@@ -15,9 +15,6 @@ configuration:
           portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
         custom_css_variables:
           --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
-        widget_types:
-          - jitsi
-          - net.nordeck
 
     "net.nordeck.element_web.module.widget_lifecycle":
       widget_permissions:
@@ -110,7 +107,8 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.element }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.element | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl

@@ -14,7 +14,8 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl

@@ -14,7 +14,8 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl

@@ -35,6 +35,7 @@ securityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 
 ...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -12,7 +12,7 @@ configuration:
   bot:
     username: "meetings-bot"
     displayname: "Terminplaner Bot"
-  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
   strings:
     breakoutSessionWidgetName: "Breakoutsessions"
     calendarRoomName: "Terminplaner"
@@ -35,7 +35,8 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
 
 extraEnvVars:
   - name: "ACCESS_TOKEN"
@@ -43,8 +44,6 @@ extraEnvVars:
       secretKeyRef:
         name: "matrix-neodatefix-bot-account"
         key: "access_token"
-  - name: "ENABLE_CRYPTO"
-    value: "false"
 
 image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -4,6 +4,7 @@
 configuration:
   bot:
     username: "meetings-bot"
+    homeserver: {{ .Values.global.synapseDomain | default .Values.global.domain }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
@@ -18,7 +19,8 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -35,5 +35,6 @@ securityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
 ...

helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl

@@ -14,7 +14,8 @@ containerSecurityContext:
   runAsUser: 0
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
 
 extraEnvVars:
   - name: "UVS_ACCESS_TOKEN"

helmfile/apps/element/values-synapse-web.yaml.gotmpl

@@ -1,6 +1,8 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+clusterDomain: {{ .Values.cluster.networking.domain }}
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -14,7 +16,8 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.synapseWeb | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -29,6 +29,7 @@ configuration:
     password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
 
   homeserver:
+    serverName: {{ .Values.global.synapseDomain | default .Values.global.domain }}
     appServiceConfigs:
       - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
         hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -79,7 +80,8 @@ containerSecurityContext:
   runAsGroup: 10991
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/element/values-well-known.yaml.gotmpl

@@ -3,7 +3,7 @@
 ---
 configuration:
   e2ee:
-    forceDisable: true
+    forceDisable: false
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
@@ -18,7 +18,8 @@ containerSecurityContext:
   runAsUser: 101
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.wellKnown | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}

helmfile/apps/intercom-service/values.yaml.gotmpl

@@ -14,7 +14,8 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.intercom | toYaml | nindent 4 }}
 
 global:
   domain: {{ .Values.global.domain | quote }}
@@ -26,7 +27,7 @@ global:
 ics:
   secret: {{ .Values.secrets.intercom.secret | quote }}
   issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
-  originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
+  originRegex: "{{ .Values.global.domain }}"
   keycloak:
     realm: {{ .Values.platform.realm | quote }}
   default:
@@ -48,7 +49,7 @@ ics:
     password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
   openxchange:
     oci: true
-    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
     audience: "opendesk-oxappsuite"
   nextcloud:
     audience: "opendesk-nextcloud"

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -23,7 +23,8 @@ containerSecurityContext:
   runAsUser: 1993
   runAsGroup: 1993
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -67,7 +68,6 @@ jitsi:
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}
-      enabled: true
       privileged: false
       readOnlyRootFilesystem: false
       runAsGroup: 0
@@ -75,7 +75,8 @@ jitsi:
       runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
   prosody:
     image:
       repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -115,7 +116,6 @@ jitsi:
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}
-      enabled: true
       privileged: false
       readOnlyRootFilesystem: false
       runAsGroup: 0
@@ -123,7 +123,8 @@ jitsi:
       runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.prosody | toYaml | nindent 8 }}
   jicofo:
     replicaCount: {{ .Values.replicas.jicofo }}
     image:
@@ -137,7 +138,6 @@ jitsi:
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}
-      enabled: true
       privileged: false
       readOnlyRootFilesystem: false
       runAsGroup: 0
@@ -145,7 +145,8 @@ jitsi:
       runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     image:
@@ -160,7 +161,6 @@ jitsi:
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}
-      enabled: true
       privileged: false
       readOnlyRootFilesystem: false
       runAsGroup: 0
@@ -168,7 +168,8 @@ jitsi:
       runAsUser: 0
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.jvb | toYaml | nindent 8 }}
   jibri:
     replicaCount: {{ .Values.replicas.jibri }}
     image:
@@ -206,7 +207,8 @@ patchJVB:
     runAsNonRoot: true
     seccompProfile:
       type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
   image:
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -9,7 +9,6 @@ global:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  istioDomain: {{ .Values.istio.domain }}
 
 additionalAnnotations:
   intents.otterize.com/service-name: "opendesk-nextcloud-php"
@@ -51,9 +50,16 @@ configuration:
   objectstore:
     auth:
       accessKey:
-        value: "nextcloud_user"
+        value: {{ .Values.objectstores.nextcloud.username | quote }}
       secretKey:
-        value: {{ .Values.secrets.minio.nextcloudUser | quote }}
+        value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
+    bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
+    host: {{ .Values.objectstores.nextcloud.endpoint | quote }}
+    region: {{ .Values.objectstores.nextcloud.region | quote }}
+    storageClass: {{ .Values.objectstores.nextcloud.storageClass | quote }}
+    port: {{ .Values.objectstores.nextcloud.port | quote }}
+    pathStyle: {{ .Values.objectstores.nextcloud.pathStyle | quote }}
+    useSSL: {{ .Values.objectstores.nextcloud.useSSL | quote }}
   oidc:
     username:
       value: "opendesk-nextcloud"
@@ -88,7 +94,8 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: false
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
 
 debug:
   loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -25,7 +25,8 @@ exporter:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.nextcloudExporter | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
     repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -35,11 +36,11 @@ exporter:
     serviceMonitor:
       enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
       labels:
-        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
+        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
     prometheusRule:
       enabled: {{ .Values.prometheus.prometheusRules.enabled }}
       additionalLabels:
-        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
+        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
   replicaCount: {{ .Values.replicas.nextcloudExporter }}
   resources:
     {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -78,7 +79,8 @@ php:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.nextcloudPHP | toYaml | nindent 6 }}
   cron:
     successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
   debug:
@@ -92,11 +94,11 @@ php:
     serviceMonitor:
       enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
       labels:
-        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
+        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
     prometheusRule:
       enabled: {{ .Values.prometheus.prometheusRules.enabled }}
       additionalLabels:
-        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
+        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
   replicaCount: {{ .Values.replicas.nextcloudPHP }}
   resources:
     {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
@@ -118,7 +120,8 @@ apache2:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.nextcloudApache2 | toYaml | nindent 6 }}
   ingress:
     enabled: {{ .Values.ingress.enabled }}
     ingressClassName: {{ .Values.ingress.ingressClassName | quote }}

helmfile/apps/open-xchange/helmfile.yaml

@@ -6,7 +6,7 @@ bases:
 ---
 repositories:
   # openDesk Dovecot
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dovecot
   - name: "dovecot-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.dovecot.verify }}
@@ -18,6 +18,8 @@ repositories:
 
   # Open-Xchange
   - name: "open-xchange-repo"
+    keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
+    verify: {{ .Values.charts.openXchangeAppSuite.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
@@ -25,7 +27,8 @@ repositories:
       {{ .Values.charts.openXchangeAppSuite.repository }}"
 
   # openDesk Open-Xchange Bootstrap
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
+  # Source:
+  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
   - name: "open-xchange-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -66,7 +66,8 @@ containerSecurityContext:
   readOnlyRootFilesystem: true
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
 
 podSecurityContext:
   enabled: true

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
   mysql:
     host: {{ .Values.databases.oxAppsuite.host | quote }}
     database: {{ .Values.databases.oxAppsuite.name | quote }}
@@ -13,9 +13,6 @@ global:
       password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
       rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 
-istio:
-  enabled: {{ .Values.istio.enabled }}
-
 nextcloud-integration-ui:
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
@@ -40,7 +37,8 @@ nextcloud-integration-ui:
     privileged: false
     seccompProfile:
       type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI | toYaml | nindent 6 }}
 
 public-sector-ui:
   image:
@@ -67,7 +65,8 @@ public-sector-ui:
     privileged: false
     seccompProfile:
       type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.openxchangePublicSectorUI | toYaml | nindent 6 }}
 
 appsuite:
   appsuite-toolkit:
@@ -75,18 +74,22 @@ appsuite:
   switchboard:
     enabled: false
   istio:
-    enabled: {{ .Values.istio.enabled }}
-    ingressGateway:
-      name: "opendesk-gateway-istio-gateway"
+    enabled: false
+  ingress:
+    enabled: {{ .Values.ingress.enabled }}
+    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+    tls:
+      enabled: true
+      existingSecret: {{ .Values.ingress.tls.secretName | quote }}
+    appsuite:
       hosts:
-        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-    virtualServices:
-      appsuite:
-        hosts:
-          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-      dav:
-        hosts:
-          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+    dav:
+      hosts:
+        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+    routes:
+      trailslash:
+        enabled: false
   core-mw:
     enabled: true
     asConfig:
@@ -97,7 +100,7 @@ appsuite:
         oidcPath: "/oidc"
     masterAdmin: "admin"
     masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
-    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
     serviceAccount:
       create: true
     features:
@@ -131,7 +134,8 @@ appsuite:
         privileged: false
         seccompProfile:
           type: "RuntimeDefault"
-        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
+        seLinuxOptions:
+          {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
     hooks:
       beforeAppsuiteStart:
         create-guard-dir.sh: |
@@ -165,9 +169,9 @@ appsuite:
       com.openexchange.oidc.opJwkSetEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
       com.openexchange.oidc.opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
       com.openexchange.oidc.opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
-      com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
+      com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/auth"
       com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-      com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
+      com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/logout"
       com.openexchange.oidc.ssoLogout: "true"
       com.openexchange.oidc.startDefaultBackend: "true"
       com.openexchange.oidc.userLookupClaim: "opendesk_username"
@@ -356,13 +360,14 @@ appsuite:
       privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeCoreUI | toYaml | nindent 8 }}
 
   core-ui-middleware:
     enabled: true
     ingress:
       hosts:
-        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
       enabled: false
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
@@ -381,6 +386,8 @@ appsuite:
       auth:
         enabled: true
         password: {{ .Values.secrets.redis.password | quote }}
+        # Workaround for a bug in 8.23
+        ca: ""
     resources:
       {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
       updater:
@@ -398,7 +405,8 @@ appsuite:
       privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware | toYaml | nindent 8 }}
   core-cacheservice:
     enabled: false
 
@@ -428,7 +436,8 @@ appsuite:
           - "ALL"
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeDocumentConverter | toYaml | nindent 8 }}
 
   core-documents-collaboration:
     enabled: false
@@ -470,7 +479,8 @@ appsuite:
       privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours | toYaml | nindent 8 }}
 
   core-imageconverter:
     enabled: true
@@ -500,7 +510,8 @@ appsuite:
           - "ALL"
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeImageConverter | toYaml | nindent 8 }}
 
   guard-ui:
     enabled: true
@@ -526,7 +537,8 @@ appsuite:
       privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
   core-spellcheck:
     enabled: false
 
@@ -555,5 +567,6 @@ appsuite:
       privileged: false
       seccompProfile:
         type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.openxchangeCoreUserGuide | toYaml | nindent 8 }}
 ...

helmfile/apps/openproject-bootstrap/values.yaml.gotmpl

@@ -38,7 +38,8 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}

helmfile/apps/openproject/values.yaml.gotmpl

@@ -20,12 +20,13 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
 
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
+  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
   OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
@@ -154,14 +155,14 @@ resources:
 s3:
   enabled: true
   endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  pathStyle: "true"
+  host: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  pathStyle: {{ .Values.objectstores.openproject.pathStyle | quote }}
   region: {{ .Values.objectstores.openproject.region | quote }}
   bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
   use_iam_profile: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
   auth:
     accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
-    secretAccessKey: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
+    secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
 
 seederJob:
   annotations:

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -20,7 +20,7 @@ oxConnector:
   debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   domainName: {{ .Values.global.domain | quote }}
   ldapHost: {{ .Values.ldap.host | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
   ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   ldapBaseDn: "dc=swp-ldap,dc=internal"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
@@ -33,7 +33,7 @@ oxConnector:
   oxMasterAdmin: "admin"
   oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
   oxSmtpServer: "smtp://127.0.0.1:587"
-  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
 
 resources:
   {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
@@ -85,7 +85,8 @@ securityContext:
   runAsGroup: 0
   runAsNonRoot: false
   readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}
 
 serviceAccount:
   create: true

helmfile/apps/services/helmfile.yaml

@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -16,6 +17,17 @@ repositories:
     url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
       {{ .Values.charts.otterize.repository }}"
 
+  # openDesk Home
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
+  - name: "home-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.home.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
+      {{ .Values.charts.home.repository }}"
+
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
   - name: "certificates-repo"
@@ -60,17 +72,6 @@ repositories:
     url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
       {{ .Values.charts.postfix.repository }}"
 
-  # openDesk Istio Resources
-  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
-  - name: "istio-resources-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.istioResources.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/\
-      {{ .Values.charts.istioResources.repository }}"
-
   # openDesk ClamAV
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
   - name: "clamav-repo"
@@ -126,6 +127,13 @@ releases:
     installed: {{ .Values.security.otterizeIntents.enabled }}
     timeout: 900
 
+  - name: "opendesk-home"
+    chart: "home-repo/{{ .Values.charts.home.name }}"
+    version: "{{ .Values.charts.home.version }}"
+    values:
+      - "values-home.yaml.gotmpl"
+    installed: {{ .Values.home.enabled }}
+
   - name: "opendesk-certificates"
     chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
     version: "{{ .Values.charts.certificates.version }}"
@@ -190,14 +198,6 @@ releases:
     installed: {{ .Values.clamavSimple.enabled }}
     timeout: 900
 
-  - name: "opendesk-gateway"
-    chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
-    version: "{{ .Values.charts.istioResources.version }}"
-    values:
-      - "values-istio-gateway.yaml.gotmpl"
-    installed: {{ .Values.istio.enabled }}
-    timeout: 900
-
   - name: "minio"
     chart: "minio-repo/{{ .Values.charts.minio.name }}"
     version: "{{ .Values.charts.minio.version }}"

helmfile/apps/services/values-certificates.yaml.gotmpl

@@ -11,14 +11,6 @@ global:
 issuerRef:
   name: {{ .Values.certificate.issuerRef.name | quote }}
 
-{{- if .Values.istio.enabled }}
-istio:
-  enabled: {{ .Values.istio.enabled }}
-  domain: {{ .Values.istio.domain | quote }}
-  issuerRef:
-    name: {{ .Values.istio.issuerRef.name | quote }}
-{{- end }}
-
 cleanup:
   keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
 

helmfile/apps/services/values-clamav-distributed.yaml.gotmpl

@@ -15,7 +15,8 @@ clamd:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.clamd }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.clamd | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
     repository: {{ .Values.images.clamd.repository | quote }}
@@ -41,7 +42,8 @@ containerSecurityContext:
   capabilities:
     drop: []
   privileged: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.clamav | toYaml | nindent 4 }}
 
 freshclam:
   containerSecurityContext:
@@ -57,7 +59,8 @@ freshclam:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.freshclam | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
     repository: {{ .Values.images.freshclam.repository | quote }}
@@ -89,7 +92,8 @@ icap:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.icap }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.icap | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
     repository: {{ .Values.images.icap.repository | quote }}
@@ -117,7 +121,8 @@ milter:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.milter }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.milter | toYaml | nindent 6 }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
     repository: {{ .Values.images.milter.repository | quote }}

helmfile/apps/services/values-clamav-simple.yaml.gotmpl

@@ -14,7 +14,8 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.clamavSimple | toYaml | nindent 4 }}
 
 global:
   imagePullSecrets:

helmfile/apps/services/values-home.yaml.gotmpl

@@ -0,0 +1,16 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+
+ingress:
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+...

helmfile/apps/services/values-istio-gateway.yaml.gotmpl

@@ -1,12 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-global:
-  domain: {{ .Values.istio.domain | quote }}
-  hosts:
-    openxchange: {{ .Values.global.hosts.openxchange | quote }}
-
-tls:
-  httpsRedirect: false
-  secretName: "{{ .Values.istio.domain }}-tls"
-...

helmfile/apps/services/values-mariadb.yaml.gotmpl

@@ -17,7 +17,8 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.mariadb | toYaml | nindent 4 }}
 
 global:
   imagePullSecrets:

helmfile/apps/services/values-memcached.yaml.gotmpl

@@ -16,7 +16,8 @@ containerSecurityContext:
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.memcached }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.memcached | toYaml | nindent 4 }}
 
 global:
   imagePullSecrets:

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -29,7 +29,8 @@ containerSecurityContext:
   readOnlyRootFilesystem: false
   seccompProfile:
     type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.minio }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.minio | toYaml | nindent 4 }}
 
 defaultBuckets: "openproject,openxchange,ums,nextcloud"
 
@@ -68,7 +69,7 @@ metrics:
   serviceMonitor:
     enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
     additionalLabels:
-      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
 
 networkPolicy:
   enabled: false
@@ -88,16 +89,13 @@ provisioning:
   extraCommands:
     - "mc anonymous set download provisioning/ums/portal-assets"
   buckets:
-    - name: "openproject"
-      versioning: true
-      withLock: false
-    - name: "openxchange"
+    - name: {{ .Values.objectstores.openproject.bucket | quote }}
       versioning: true
       withLock: false
     - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
       versioning: false
       withLock: false
-    - name: "nextcloud"
+    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
       versioning: true
       withLock: false
   policies:
@@ -113,18 +111,6 @@ provisioning:
           effect: "Allow"
           actions:
             - "s3:*"
-    - name: "openxchange-bucket-policy"
-      statements:
-        - resources:
-            - "arn:aws:s3:::openxchange"
-          effect: "Allow"
-          actions:
-            - "s3:*"
-        - resources:
-            - "arn:aws:s3:::openxchange/*"
-          effect: "Allow"
-          actions:
-            - "s3:*"
     - name: "ums-bucket-policy"
       statements:
         - resources:
@@ -150,25 +136,19 @@ provisioning:
           actions:
             - "s3:*"
   users:
-    - username: "openproject_user"
+    - username: {{ .Values.objectstores.openproject.username | quote }}
       password: {{ .Values.secrets.minio.openprojectUser | quote }}
       disabled: false
       policies:
         - "openproject-bucket-policy"
       setPolicies: true
-    - username: "openxchange_user"
-      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
-      disabled: false
-      policies:
-        - "openxchange-bucket-policy"
-      setPolicies: true
     - username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
       password: {{ .Values.secrets.minio.umsUser | quote }}
       disabled: false
       policies:
         - "ums-bucket-policy"
       setPolicies: true
-    - username: "nextcloud_user"
+    - username: {{ .Values.objectstores.nextcloud.username | quote }}
       password: {{ .Values.secrets.minio.nextcloudUser | quote }}
       disabled: false
       policies:

helmfile/apps/services/values-otterize.yaml.gotmpl

@@ -20,8 +20,6 @@ apps:
     enabled: {{ .Values.intercom.enabled }}
   jitsi:
     enabled: {{ .Values.jitsi.enabled }}
-  keycloak:
-    enabled: {{ .Values.keycloak.enabled }}
   mariadb:
     enabled: {{ .Values.mariadb.enabled }}
   memcached:
@@ -47,6 +45,10 @@ apps:
   xwiki:
     enabled: {{ .Values.xwiki.enabled }}
 
+ingressController:
+  {{ .Values.security.ingressController | toYaml | nindent 2 }}
+
+
 extraApps:
   clusterPostfix:
     enabled: {{ .Values.security.clusterPostfix.enabled }}

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -17,7 +17,8 @@ containerSecurityContext:
   runAsUser: 0
   runAsGroup: 0
   privileged: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.postfix }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.postfix | toYaml | nindent 4 }}
 
 global:
   imagePullSecrets:
@@ -40,7 +41,7 @@ podSecurityContext:
 postfix:
   amavisHost: ""
   amavisPortIn: ""
-  domain: {{ .Values.global.domain | quote }}
+  domain: {{ .Values.global.mailDomain | default .Values.global.domain }}
   hostname: "postfix"
   inetProtocols: "ipv4"
   milterDefaultAction: "accept"
@@ -66,7 +67,7 @@ postfix:
   {{- else if .Values.clamavSimple.enabled }}
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
-  virtualMailboxDomains: {{ .Values.global.domain | quote }}
+  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain }}
   virtualTransport: "lmtps:dovecot:24"
 
 replicaCount: {{ .Values.replicas.postfix }}

helmfile/apps/services/values-postgresql.yaml.gotmpl

@@ -14,7 +14,8 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.postgresql }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}
 
 job:
 

helmfile/apps/services/values-redis.yaml.gotmpl

@@ -30,7 +30,8 @@ master:
     capabilities:
       drop:
         - "ALL"
-    seLinuxOptions: {{ .Values.seLinuxOptions.redis }}
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.redis | toYaml | nindent 6 }}
   count: {{ .Values.replicas.redis }}
   persistence:
     size: {{ .Values.persistence.size.redis | quote }}

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -5,168 +5,17 @@ bases:
   - "../../bases/environments.yaml"
 ---
 repositories:
-  # Univention Management Stack
-  - name: "ums-guardian-management-api-repo"
+  # Univention Management Stack Umbrella Chart
+  - name: "ums"
     keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsGuardianManagementApi.verify }}
+    verify: {{ .Values.charts.ums.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/\
-      {{ .Values.charts.umsGuardianManagementApi.repository }}"
-  - name: "ums-guardian-management-ui-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/\
-      {{ .Values.charts.umsGuardianManagementUi.repository }}"
-  - name: "ums-guardian-authorization-api-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/\
-      {{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
-  - name: "ums-open-policy-agent-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/\
-      {{ .Values.charts.umsOpenPolicyAgent.repository }}"
-  - name: "ums-ldap-server-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsLdapServer.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/\
-      {{ .Values.charts.umsLdapServer.repository }}"
-  - name: "ums-ldap-notifier-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsLdapNotifier.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/\
-      {{ .Values.charts.umsLdapNotifier.repository }}"
-  - name: "ums-udm-rest-api-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsUdmRestApi.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/\
-      {{ .Values.charts.umsUdmRestApi.repository }}"
-  - name: "ums-stack-data-ums-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsStackDataUms.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/\
-      {{ .Values.charts.umsStackDataUms.repository }}"
-  - name: "ums-stack-data-swp-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsStackDataSwp.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/\
-      {{ .Values.charts.umsStackDataSwp.repository }}"
-  - name: "ums-portal-server-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsPortalServer.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/\
-      {{ .Values.charts.umsPortalServer.repository }}"
-  - name: "ums-notifications-api-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsNotificationsApi.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/\
-      {{ .Values.charts.umsNotificationsApi.repository }}"
-  - name: "ums-portal-listener-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsPortalListener.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/\
-      {{ .Values.charts.umsPortalListener.repository }}"
-  - name: "ums-portal-frontend-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsPortalFrontend.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/\
-      {{ .Values.charts.umsPortalFrontend.repository }}"
-  - name: "ums-umc-gateway-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsUmcGateway.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/\
-      {{ .Values.charts.umsUmcGateway.repository }}"
-  - name: "ums-umc-server-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsUmcServer.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/\
-      {{ .Values.charts.umsUmcServer.repository }}"
-  - name: "ums-selfservice-listener-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsSelfserviceListener.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/\
-      {{ .Values.charts.umsSelfserviceListener.repository }}"
-  - name: "ums-provisioning-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsProvisioning.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/\
-      {{ .Values.charts.umsProvisioning.repository }}"
-
-  # Univention Keycloak Extensions
-  - name: "ums-keycloak-extensions-repo"
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/\
-      {{ .Values.charts.umsKeycloakExtensions.repository }}"
-  # Univention Keycloak
-  - name: "ums-keycloak-repo"
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
-    verify: {{ .Values.charts.umsKeycloak.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/\
-      {{ .Values.charts.umsKeycloak.repository }}"
-  - name: "ums-keycloak-bootstrap-repo"
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
-    verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/\
-      {{ .Values.charts.umsKeycloakBootstrap.repository }}"
+    url:
+      "{{ .Values.global.helmRegistry | default .Values.charts.ums.registry }}/\
+      {{ .Values.charts.ums.repository }}"
+  # OpenDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
@@ -175,214 +24,24 @@ repositories:
     oci: true
     url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
       {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
-  # VMWare Bitnami
-  # Source: https://github.com/bitnami/charts/
-  - name: "nginx-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.nginx.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/\
-      {{ .Values.charts.nginx.repository }}"
 
 releases:
-  - name: "ums-keycloak"
-    chart: "ums-keycloak-repo/{{ .Values.charts.umsKeycloak.name }}"
-    version: "{{ .Values.charts.umsKeycloak.version }}"
+  # Univention Management Stack Umbrella Chart
+  - name: "ums"
+    chart: "ums/{{ .Values.charts.ums.name }}"
+    version: "{{ .Values.charts.ums.version }}"
     values:
-      - "values-ums-keycloak.yaml.gotmpl"
+      - "values-umbrella.yaml.gotmpl"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
-
-  - name: "ums-keycloak-extensions"
-    chart: "ums-keycloak-extensions-repo/{{ .Values.charts.umsKeycloakExtensions.name }}"
-    version: "{{ .Values.charts.umsKeycloakExtensions.version }}"
-    values:
-      - "values-ums-keycloak-extensions.yaml.gotmpl"
-    needs:
-      - "ums-keycloak"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-keycloak-bootstrap"
-    chart: "ums-keycloak-bootstrap-repo/{{ .Values.charts.umsKeycloakBootstrap.name }}"
-    version: "{{ .Values.charts.umsKeycloakBootstrap.version }}"
-    values:
-      - "values-ums-keycloak-bootstrap.yaml.gotmpl"
-    needs:
-      - "ums-keycloak"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
+  # OpenDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap"
     chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
     version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
     values:
       - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
     needs:
-      - "ums-keycloak-bootstrap"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-stack-gateway"
-    chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
-    version: "{{ .Values.charts.nginx.version }}"
-    values:
-      - "values-ums-stack-gateway.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-ldap-server"
-    chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
-    version: "{{ .Values.charts.umsLdapServer.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-ldap-server.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-ldap-notifier"
-    chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
-    version: "{{ .Values.charts.umsLdapNotifier.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-ldap-notifier.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-udm-rest-api"
-    chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
-    version: "{{ .Values.charts.umsUdmRestApi.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-udm-rest-api.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-stack-data-ums"
-    chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
-    version: "{{ .Values.charts.umsStackDataUms.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-stack-data-ums.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-stack-data-swp"
-    chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
-    version: "{{ .Values.charts.umsStackDataSwp.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-stack-data-swp.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-portal-server"
-    chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
-    version: "{{ .Values.charts.umsPortalServer.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-portal-server.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-notifications-api"
-    chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
-    version: "{{ .Values.charts.umsNotificationsApi.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-notifications-api.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-portal-listener"
-    chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
-    version: "{{ .Values.charts.umsPortalListener.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-portal-listener.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-portal-frontend"
-    chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
-    version: "{{ .Values.charts.umsPortalFrontend.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-portal-frontend.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-umc-gateway"
-    chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
-    version: "{{ .Values.charts.umsUmcGateway.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-umc-gateway.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-umc-server"
-    chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
-    version: "{{ .Values.charts.umsUmcServer.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-umc-server.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-selfservice-listener"
-    chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
-    version: "{{ .Values.charts.umsSelfserviceListener.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-selfservice-listener.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-provisioning"
-    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
-    version: "{{ .Values.charts.umsProvisioning.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-provisioning.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-guardian-management-api"
-    chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
-    version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-guardian-management-api.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-guardian-management-ui"
-    chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
-    version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-guardian-management-ui.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-guardian-authorization-api"
-    chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
-    version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-guardian-authorization-api.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-open-policy-agent"
-    chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
-    version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-open-policy-agent.yaml.gotmpl"
+      - "ums"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 

helmfile/apps/univention-management-stack/values-common.yaml.gotmpl

@@ -1,25 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-global:
-  configMapUcrDefaults: "ums-stack-data-ums-ucr"
-  configMapUcr: "ums-stack-data-swp-ucr"
-  configMapUcrForced: null
-
-ingress:
-  # Intentionally not using the Ingress configuration of the UMS stack at the
-  # moment, since it does depend on rewriting capabilities of the ingress
-  # controller. Those are encapsulated into the release "stack-gateway" so that
-  # the compatibility with all ingress controllers is increased.
-  enabled: false
-  host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
-    enabled: false
-    secretName: ""
-
-istio:
-  enabled: false
-
-...

helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl

@@ -1,60 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-guardianAuthorizationApi:
-  guardianAuthzCorsAllowedOrigins: "*"
-  guardianAuthzAdapterSettingsPort: "env"
-  guardianAuthzAdapterAppPersistencePort: "udm_data"
-  guardianAuthzAdapterPolicyPort: "opa"
-  guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
-  guardianAuthzLoggingStructured: false
-  guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
-  home: "/guardian_service_dir"
-  isUniventionAppCenter: 0
-  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-  opaAdapterUrl: "http://ums-open-policy-agent/"
-  udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
-  udmDataAdapterUsername: "cn=admin"
-  udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
-  repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: true
-  readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi }}
-
-...

helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl

@@ -1,78 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-guardianManagementApi:
-  home: "/guardian_service_dir"
-  isUniventionAppCenter: 0
-  guardianManagementCorsAllowedOrigins: "*"
-  guardianManagementAdapterSettingsPort: "env"
-  guardianManagementAdapterAppPersistencePort: "sql"
-  guardianManagementAdapterConditionPersistencePort: "sql"
-  guardianManagementAdapterContextPersistencePort: "sql"
-  guardianManagementAdapterNamespacePersistencePort: "sql"
-  guardianManagementAdapterPermissionPersistencePort: "sql"
-  guardianManagementAdapterRolePersistencePort: "sql"
-  guardianManagementAdapterCapabilityPersistencePort: "sql"
-  guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
-  guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
-  guardianManagementAdapterResourceAuthorizationPort: "always"
-  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
-  guardianManagementLoggingStructured: false
-  guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
-  guardianManagementBaseUrl: "http://0.0.0.0:8000"
-  oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
-  oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-  sqlPersistenceAdapterDialect: "postgresql"
-  sqlPersistenceAdapterDbName: "postgres"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
-  repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-postgresql:
-  bundled: false
-  connection:
-    host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
-    port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
-  auth:
-    username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
-    database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
-    password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
-
-resources:
-  {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: true
-  readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementApi }}
-
-...

helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl

@@ -1,51 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-guardianManagementUi:
-  viteManagementUiAdapterAuthenticationPort: "keycloak"
-  viteManagementUiAdapterDataPort: "api"
-  viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
-  viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
-  viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-  viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementUi.registry | quote }}
-  repository: {{ .Values.images.umsGuardianManagementUi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsGuardianManagementUi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsGuardianManagementUi }}
-
-...

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl

@@ -1,37 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
-  repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  privileged: false
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapNotifier }}
-
-volumes:
-  claims:
-    shared-data: "shared-data-ums-ldap-server-0"
-    shared-run: "shared-run-ums-ldap-server-0"
-
-...

helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl

@@ -1,87 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-extraVolumes:
-  - name: "opendesk-schemas"
-    configMap:
-      name: "ums-stack-data-swp-schemas"
-
-extraVolumeMounts:
-  - name: "opendesk-schemas"
-    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
-    subPath: "opendeskFileshare.schema"
-  - name: "opendesk-schemas"
-    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
-    subPath: "opendeskKnowledgemanagement.schema"
-  - name: "opendesk-schemas"
-    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
-    subPath: "opendeskLearnmanagement.schema"
-  - name: "opendesk-schemas"
-    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
-    subPath: "opendeskLivecollaboration.schema"
-  - name: "opendesk-schemas"
-    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
-    subPath: "opendeskProjectmanagement.schema"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
-  repository: {{ .Values.images.umsLdapServer.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsLdapServer.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
-
-ldapServer:
-  waitForSamlMetadata: true
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-
-persistence:
-  sharedData:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
-  sharedRun:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsLdapServer }}
-
-service:
-  type: "ClusterIP"
-
-resources:
-  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
-
-...

helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl

@@ -1,49 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
-  repository: {{ .Values.images.umsNotificationsApi.repository }}
-  pullPolicy: {{ .Values.global.imagePullPolicy }}
-  tag: {{ .Values.images.umsNotificationsApi.tag }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-notificationsapi:
-  apply_database_migrations: "True"
-  dev_mode: "False"
-  environment: "staging"
-  log_level: "DEBUG"
-  sql_echo: "False"
-  api_prefix: "/univention/portal/notifications-api"
-
-postgresql:
-  bundled: false
-  connection:
-    host: {{ .Values.databases.umsNotificationsApi.host | quote }}
-    port: {{ .Values.databases.umsNotificationsApi.port | quote }}
-  auth:
-    username: {{ .Values.databases.umsNotificationsApi.username | quote }}
-    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
-    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
-
-resources:
-  {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsNotificationsApi }}
-
-...

helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl

@@ -1,51 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
-  repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-openPolicyAgent:
-  isUniventionAppCenter: 0
-  opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
-  opaPolicyBundle: "bundles/GuardianPolicyBundle.tar.gz"
-  opaPollingMinDelay: 10
-  opaPollingMaxDelay: 15
-  opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
-
-resources:
-  {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsOpenPolicyAgent }}
-
-...

helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -253,7 +253,7 @@ config:
         clientAuthenticatorType: "client-secret"
         secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
         redirectUris:
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*"
+          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
           - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
         consentRequired: false
         frontchannelLogout: false
@@ -261,8 +261,8 @@ config:
         authorizationServicesEnabled: false
         attributes:
           backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
         protocolMappers:
           - name: "context"
             protocol: "openid-connect"
@@ -293,296 +293,13 @@ config:
         authorizationServicesEnabled: false
         attributes:
           backchannel.logout.session.required: false
-          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout"
+          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk"
           - "address"
           - "email"
           - "profile"
-      - name: "guardian-management-api"
-        clientId: "guardian-management-api"
-        rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "Client Host"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientHost"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientHost"
-              jsonType.label: "String"
-          - name: "Client ID"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "client_id"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "client_id"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              userinfo.token.claim: false
-              id.token.claim: false
-              access.token.claim: true
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-cli"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "Client IP Address"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientAddress"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientAddress"
-              jsonType.label: "String"
-      - name: "guardian-scripts"
-        clientId: "guardian-scripts"
-        description: ""
-        rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        adminUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        surrogateAuthRequired: false
-        enabled: true
-        alwaysDisplayInConsole: false
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
-        webOrigins:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        bearerOnly: false
-        consentRequired: false
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: true
-        serviceAccountsEnabled: false
-        publicClient: true
-        frontchannelLogout: false
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-scripts"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              aggregate.attrs: false
-              multivalued: false
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-        defaultClientScopes:
-          - "opendesk"
-          - "web-origins"
-          - "acr"
-          - "roles"
-          - "profile"
-          - "email"
-        optionalClientScopes:
-          - "address"
-          - "phone"
-          - "offline_access"
-          - "microprofile-jwt"
-      - name: "guardian-ui"
-        clientId: "guardian-ui"
-        rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
-        standardFlowEnabled: true
-        publicClient: true
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: "false"
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-ui"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
@@ -597,7 +314,8 @@ containerSecurityContext:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
   runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
 
 podAnnotations:
   intents.otterize.com/service-name: "ums-keycloak-bootstrap"

helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl

@@ -1,116 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-extraIngresses:
-  redirects:
-    # Using "stack-gateway" currently.
-    enabled: false
-    # The TLS configuration is on the "master" Ingress, see below.
-    tls:
-      enabled: false
-  master:
-    # Using "stack-gateway" currently.
-    enabled: false
-    tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-  # See "extraVolumeMounts" below
-  custom-favicon:
-    # Using "stack-gateway" at the moment
-    enabled: false
-    annotations:
-      nginx.org/mergeable-ingress-type: "minion"
-    paths:
-      - pathType: "Exact"
-        path: "/favicon.ico"
-    tls: {}
-
-extraVolumes:
-  - name: "opendesk-branding"
-    configMap:
-      name: "ums-stack-data-swp-branding"
-
-extraVolumeMounts:
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/favicon.ico"
-    subPath: "favicon.ico"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/css/custom.css"
-    subPath: "custom.css"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/icons/logo.svg"
-    subPath: "logo.svg"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/icons/logo_small_border.svg"
-    subPath: "logo_small_border.svg"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/custom/portal_background_image.png"
-    subPath: "portal_background_image.png"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/custom/portal_background_image.svg"
-    subPath: "portal_background_image.svg"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
-  repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  # See "extraVolumeMounts" below
-  custom-branding:
-    # Using "stack-gateway" at the moment
-    enabled: false
-    annotations:
-      nginx.ingress.kubernetes.io/configuration-snippet: |
-        rewrite ^/univention/portal(/.*)$ $1 break;
-      nginx.org/location-snippets: |
-        rewrite ^/univention/portal(/.*)$ $1 break;
-      nginx.org/mergeable-ingress-type: "minion"
-    paths:
-      # This relies on the correct implementation of the matching for paths of
-      # type "Prefix" since "/univention/portal/icons/entries/" is owned by
-      # store-dav.
-      # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
-      - pathType: "Prefix"
-        path: "/univention/portal/icons/"
-      - pathType: "Prefix"
-        path: "/univention/portal/custom/"
-    tls: {}
-
-replicaCount: {{ .Values.replicas.umsPortalFrontend }}
-
-resources:
-  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }}
-...

helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl

@@ -1,84 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }}
-  repository: {{ .Values.images.umsPortalListener.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsPortalListener.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
-
-persistence:
-  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
-
-portalListener:
-  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  assetsRootPath: "portal-assets"
-  ucsInternalPath: "portal-data"
-
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  udmApiUsername: "cn=admin"
-  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
-  tlsMode: "off"
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  udmApiUsername: "cn=admin"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  objectStorageEndpoint: "http://minio:9000"
-  objectStorageBucket: "ums"
-  objectStorageAccessKeyId: "ums_user"
-  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
-
-resources:
-  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
-
-resourcesDependencyWaiter:
-  {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
-
-store-dav:
-  bundled: false
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalListener }}
-
-...

helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl

@@ -1,61 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }}
-  repository: {{ .Values.images.umsPortalServer.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsPortalServer.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-portalServer:
-  authMode: "saml"
-  editable: "false"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
-  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  ucsInternalPath: "portal-data"
-  objectStorageEndpoint: "http://minio:9000"
-  objectStorageBucket: "ums"
-  objectStorageAccessKeyId: "ums_user"
-  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
-  centralNavigation:
-    enabled: true
-    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-
-replicaCount: {{ .Values.replicas.umsPortalServer }}
-
-resources:
-  {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalServer }}
-
-...

helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl

@@ -1,137 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-
-dispatcher:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-  resources:
-    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-    readOnlyRootFilesystem: false
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
-
-events-and-consumer-api:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-  rootPath: "/univention/provisioning-api"
-  ingress:
-    # copied from values-common.yaml.gotmpl
-    # Intentionally not using the Ingress configuration of the UMS stack at the
-    # moment, since it does depend on rewriting capabilities of the ingress
-    # controller. Those are encapsulated into the release "stack-gateway" so that
-    # the compatibility with all ingress controllers is increased.
-    enabled: false
-    host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  resources:
-    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-    readOnlyRootFilesystem: false
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
-
-udm-listener:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-  config:
-    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-    ldapHost: {{ .Values.ldap.host | quote }}
-    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  resources:
-    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-      add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    runAsUser: 0
-    runAsGroup: 0
-    runAsNonRoot: false
-    readOnlyRootFilesystem: false
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}
-
-nats:
-  global:
-    image:
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-      pullSecretNames: {{ .Values.global.imagePullSecrets }}
-      registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }}
-  container:
-    image:
-      registry: {{ .Values.global.imageRegistry }}
-      repository: {{ .Values.images.umsProvisioningNats.repository | quote }}
-      tag: {{ .Values.images.umsProvisioningNats.tag | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  natsBox:
-    container:
-      image:
-        registry: {{ .Values.global.imageRegistry }}
-        repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }}
-        tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }}
-        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  reloader:
-    image:
-      repository: {{ .Values.images.umsProvisioningNatsReloader.repository | quote }}
-      tag: {{ .Values.images.umsProvisioningNatsReloader.tag | quote }}
-      registry: {{ .Values.global.imageRegistry }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-...

helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl

@@ -1,78 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  selfserviceListener:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceListener.registry | quote }}
-    repository: {{ .Values.images.umsSelfserviceListener.repository | quote }}
-    tag: {{ .Values.images.umsSelfserviceListener.tag | quote }}
-
-  selfserviceInvitation:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceInvitation.registry | quote }}
-    repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
-    tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
-
-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
-
-persistence:
-  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }}
-
-resources:
-  {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 2 }}
-
-resourcesDependencyWaiter:
-  {{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }}
-
-selfserviceListener:
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
-  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
-  tlsMode: "off"
-  umcServerUrl: "http://ums-umc-server"
-  umcAdminUser: "default.admin"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsSelfserviceListener }}
-
-...

helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl

@@ -1,73 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-additionalAnnotations:
-  intents.otterize.com/service-name: "ums-stack-data-swp"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
-  repository: {{ .Values.images.umsDataLoader.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsDataLoader.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
-
-stackDataContext:
-  ldapBase: "dc=swp-ldap,dc=internal"
-  oxDefaultContext: "1"
-  smtpStartTls: true
-  ldapSearchUsers:
-    {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
-    - username: {{ printf "ldapsearch_%s" $username | quote }}
-      password: {{ $password | quote }}
-      lastname: "LDAP-Search-User"
-    {{- end }}
-
-  externalDomainName: {{ .Values.global.domain | quote }}
-  externalMailDomain: {{ .Values.global.domain | quote }}
-
-  portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }}
-  portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
-  portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }}
-  portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
-  portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
-  portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
-  portalTitleDE: "{{ .Values.theme.texts.productName }} Portal"
-  portalTitleEN: "{{ .Values.theme.texts.productName }} Portal"
-
-  smtpHost: {{ .Values.smtp.host | quote }}
-  smtpPort: {{ .Values.smtp.port | quote }}
-  smtpUser: {{ .Values.smtp.username | quote }}
-
-  userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
-  adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
-
-stackDataSwp:
-  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  systemInformation:
-    deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
-    releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
-  udmApiUser: "cn=admin"
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  loadDevData: true
-
-...

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl

@@ -1,58 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-additionalAnnotations:
-  intents.otterize.com/service-name: "ums-stack-data-ums"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
-  repository: {{ .Values.images.umsDataLoader.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsDataLoader.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsDataLoader }}
-
-stackDataContext:
-  idpSamlMetadataUrlInternal: null
-  umcSamlSchemes: "https"
-  # The openDesk configuration brings its own UMC policies.
-  installUmcPolicies: false
-  domainname: {{ .Values.global.domain | quote }}
-  externalMailDomain: {{ .Values.global.domain | quote }}
-  hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapBase: {{ .Values.ldap.baseDn | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
-  umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
-  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
-  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
-  initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}
-
-stackDataUms:
-  loadDevData: true
-  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  udmApiUser: "cn=admin"
-
-...

helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl

@@ -1,64 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsStoreDav.registry | quote }}
-  repository: {{ .Values.images.umsStoreDav.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsStoreDav.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  configHtpasswd:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsConfigHtpasswd.registry | quote }}
-    repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-
-persistence:
-  data:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
-
-resources:
-  {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsStoreDav }}
-
-storeDav:
-  auth:
-    basicAuth:
-      portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
-      portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
-
-...

helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl

@@ -1,66 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-extraVolumes:
-  - name: "attribute-to-group-mapper-hook"
-    configMap:
-      name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
-
-extraVolumeMounts:
-  - name: "attribute-to-group-mapper-hook"
-    mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
-    subPath: "AttributeToGroupMapper.py"
-  - name: "attribute-to-group-mapper-hook"
-    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
-    subPath: "flag_to_group_mapping.json"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
-  repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
-
-replicaCount: {{ .Values.replicas.umsUdmRestApi }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsUdmRestApi }}
-
-udmRestApi:
-  # TODO: Stub value currently
-  caCert: ""
-  # TODO: Secret should be entered without b64enc
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  # TODO: Secret should be entered without b64enc
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-
-...

helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl

@@ -1,63 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-extraVolumes:
-  - name: "entrypoint-swp-patches"
-    configMap:
-      name: "ums-stack-data-swp-umc-gateway-entrypoint"
-      defaultMode: 0555
-  - name: "announcements-customization"
-    configMap:
-      name: "ums-stack-data-swp-umc-server-announcements"
-      defaultMode: 0444
-
-extraVolumeMounts:
-  - name: "entrypoint-swp-patches"
-    mountPath: "/entrypoint.d/90-swp.sh"
-    subPath: "90-swp.sh"
-  - name: "announcements-customization"
-    mountPath:
-      "/usr/share/univention-management-console-frontend/js/dijit/themes\
-      /umc/icons/16x16/udm-portals-announcement.png"
-    subPath: "udm-portals-announcement.png"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
-  repository: {{ .Values.images.umsUmcGateway.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsUmcGateway.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcGateway }}
-
-...

helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl

@@ -1,108 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-extraVolumes:
-  - name: "certificates"
-    secret:
-      secretName: "opendesk-certificates-tls"
-  - name: "entrypoint-swp-patches"
-    configMap:
-      name: "ums-stack-data-swp-umc-server-entrypoint"
-      defaultMode: 0555
-  - name: "self-service-emails"
-    configMap:
-      name: "ums-stack-data-swp-self-service-emails"
-      defaultMode: 0444
-  - name: "attribute-to-group-mapper-hook"
-    configMap:
-      name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
-  - name: "announcements-customization"
-    configMap:
-      name: "ums-stack-data-swp-umc-server-announcements"
-      defaultMode: 0444
-
-extraVolumeMounts:
-  - name: "certificates"
-    mountPath: "/var/secrets/ssl"
-  - name: "entrypoint-swp-patches"
-    mountPath: "/entrypoint.d/90-customization.sh"
-    subPath: "90-customization.sh"
-  - name: "self-service-emails"
-    mountPath: "/usr/share/univention-self-service/email_bodies"
-  - name: "attribute-to-group-mapper-hook"
-    mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
-    subPath: "AttributeToGroupMapper.py"
-  - name: "attribute-to-group-mapper-hook"
-    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
-    subPath: "flag_to_group_mapping.json"
-  - name: "announcements-customization"
-    mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
-    subPath: "udm-portals-announcement.xml"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
-  repository: {{ .Values.images.umsUmcServer.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsUmcServer.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-memcached:
-  bundled: false
-  auth:
-    username: null
-    password: null
-  server: {{ .Values.cache.umsSelfservice.host | quote }}
-
-postgresql:
-  bundled: false
-  auth:
-    username: {{ .Values.databases.umsSelfservice.username | quote }}
-    database: {{ .Values.databases.umsSelfservice.name | quote }}
-    password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-    postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-  connection:
-    host: {{ .Values.databases.umsSelfservice.host | quote }}
-    port: {{ .Values.databases.umsSelfservice.port | quote }}
-
-resources:
-  {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsUmcServer }}
-
-umcServer:
-  certPemFile: "/var/secrets/ssl/tls.crt"
-  # TODO: Secret should be entered without b64enc
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  # TODO: Secret should be entered without b64enc
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  smtpSecret: {{ .Values.smtp.password | quote }}
-  privateKeyFile: "/var/secrets/ssl/tls.key"
-
-...

helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl

@@ -1,82 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: {{ .Values.global.imageRegistry | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakBootstrap.registry | quote }}
-  repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }}
-  tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-
-cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
-
-config:
-  keycloak:
-    adminUser: "kcadmin"
-    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
-    realm: {{ .Values.platform.realm | quote }}
-    intraCluster:
-      enabled: true
-      internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
-    loginLinks:
-      - link_number: 1
-        language: "de"
-        description: "Passwort vergessen?"
-        href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
-      - link_number: 1
-        language: "en"
-        description: "Forgot password?"
-        href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
-  ums:
-    ldap:
-      internalHostname: {{ .Values.ldap.host | quote }}
-      baseDN: {{ .Values.ldap.baseDn | quote }}
-      readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
-      readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
-      mappers:
-        - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
-        - ldapAndUserModelAttributeName: "oxContextIDNum"
-    saml:
-      serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  twoFactorAuthentication:
-    enabled: true
-    group: "2fa-users"
-
-containerSecurityContext:
-  enabled: true
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  readOnlyRootFilesystem: false
-  privileged: false
-  runAsGroup: 1000
-  runAsNonRoot: true
-  runAsUser: 1000
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakBootstrap }}
-
-podAnnotations:
-  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-
-resources:
-  {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 2 }}
-
-...

helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl

@@ -1,95 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  keycloak:
-    host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
-    adminUsername: "kcadmin"
-    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
-    adminRealm: "master"
-    realm: {{ .Values.platform.realm | quote }}
-  postgresql:
-    connection:
-      host: {{ .Values.databases.keycloakExtension.host | quote }}
-      port: {{ .Values.databases.keycloakExtension.port }}
-    auth:
-      database: {{ .Values.databases.keycloakExtension.name | quote }}
-      username: {{ .Values.databases.keycloakExtension.username | quote }}
-      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
-handler:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionHandler.registry | quote }}
-    repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }}
-    tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets: {{ .Values.global.imagePullSecrets }}
-  appConfig:
-    captchaProtectionEnable: false
-    smtpPassword: {{ .Values.smtp.password | quote }}
-    smtpHost: {{ .Values.smtp.host | quote }}
-    smtpPort: {{ .Values.smtp.port | quote }}
-    smtpUsername: {{ .Values.smtp.username | quote }}
-    mailFrom: "noreply@{{ .Values.global.domain }}"
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    privileged: false
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler }}
-  resources:
-    {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
-postgresql:
-  enabled: false
-proxy:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }}
-    repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
-    tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets: {{ .Values.global.imagePullSecrets }}
-  ingress:
-    annotations:
-      nginx.org/proxy-buffer-size: "8k"
-      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
-    paths:
-      {{- if .Values.debug.enabled }}
-      - pathType: "Prefix"
-        path: "/admin"
-      {{- end }}
-      - pathType: "Prefix"
-        path: "/realms"
-      - pathType: "Prefix"
-        path: "/resources"
-      - pathType: "Prefix"
-        path: "/fingerprintjs"
-    enabled: {{ .Values.ingress.enabled }}
-    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-    tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    seccompProfile:
-      type: "RuntimeDefault"
-    privileged: false
-    readOnlyRootFilesystem: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy }}
-  resources:
-    {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
-...

helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl

@@ -1,63 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloak.registry | quote }}
-  repository: {{ .Values.images.umsKeycloak.repository | quote }}
-  tag: {{ .Values.images.umsKeycloak.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-config:
-  admin:
-    password: {{ .Values.secrets.keycloak.adminPassword | quote }}
-  database:
-    host: {{ .Values.databases.keycloak.host | quote }}
-    port: {{ .Values.databases.keycloak.port }}
-    user: {{ .Values.databases.keycloak.username | quote }}
-    database: {{ .Values.databases.keycloak.name | quote }}
-    password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
-  enableMetrics: true
-  # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
-  # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
-  # through an own ingress.
-  exposeAdminConsole: false
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  seccompProfile:
-    type: "RuntimeDefault"
-  privileged: false
-  readOnlyRootFilesystem: false
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsKeycloak }}
-
-podSecurityContext:
-  fsGroup: 1000
-  fsGroupChangePolicy: "OnRootMismatch"
-
-theme:
-  univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css"
-  univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css"
-  favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico"
-
-replicaCount: {{ .Values.replicas.keycloak }}
-
-resources:
-  {{ .Values.resources.umsKeycloak | toYaml | nindent 2 }}
-
-...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl

@@ -1,306 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-fullnameOverride: "ums-stack-gateway"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
-  repository: {{ .Values.images.umsStackGateway.repository | quote }}
-  tag: {{ .Values.images.umsStackGateway.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-ingress:
-  annotations:
-    # Ensure that the ingress controller can handle responses with plenty of
-    # headers. This is a requirement from the UDM Rest API.
-    nginx.org/proxy-buffer-size: "64k"
-    nginx.org/proxy-buffers: "4 128k"
-  enabled: {{ .Values.ingress.enabled }}
-  extraTls:
-    - hosts:
-        - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
-  hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls: false
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1001
-
-containerSecurityContext:
-  enabled: true
-  runAsUser: 1001
-  runAsGroup: 0
-  runAsNonRoot: true
-  privileged: false
-  readOnlyRootFilesystem: false
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.umsStackGateway }}
-
-service:
-  type: "ClusterIP"
-
-serviceAccount:
-  create: true
-
-fullnameOverride: "ums-stack-gateway"
-
-# The content of the "serverBlock" does resemble the Ingress configuration of
-# the UMS components. The "location" entries do intentionally reflect precisely
-# the respective paths which are configured.
-serverBlock: |
-  server {
-    listen 8080;
-
-    proxy_http_version 1.1;
-
-    proxy_set_header Host $http_host;
-
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
-    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
-    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
-
-    ## portal-frontend
-    # The frontend does not own "/univention/portal" nor
-    # "/univention/selfservice", only these two bits
-    location = /univention/portal/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location = /univention/portal/index.html {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location = /univention/selfservice/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-
-    # The following prefixes are owned by the frontend
-    location /univention/portal/css/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/fonts/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/i18n/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/media/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/js/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/oidc/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/css/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/fonts/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/i18n/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/media/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/js/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/oidc/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-
-
-    ## frontend redirects
-    location = / {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/ {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/portal {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/selfservice {
-       absolute_redirect off;
-       return 302 /univention/selfservice/;
-    }
-
-
-    ## portal-server
-    location = /univention/portal/portal.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-    location = /univention/selfservice/portal.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-    location = /univention/portal/navigation.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-
-
-    ## object storage (minio)
-    location /univention/portal/icons/entries/ {
-      rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break;
-      proxy_pass http://minio:9000;
-    }
-    location /univention/portal/icons/logos/ {
-      rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break;
-      proxy_pass http://minio:9000;
-    }
-    location /univention/selfservice/icons/entries/ {
-      rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break;
-      proxy_pass http://minio:9000;
-    }
-    location /univention/selfservice/icons/logos/ {
-      rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break;
-      proxy_pass http://minio:9000;
-    }
-
-
-    ## udm-rest-api
-    location /univention/udm/ {
-      # The UDM Rest API does return on some endpoints a lot of headers
-      proxy_busy_buffers_size 128k;
-      proxy_buffers 4 128k;
-      proxy_buffer_size 64k;
-
-      rewrite ^/univention(/udm/.*)$ $1 break;
-      proxy_pass http://ums-udm-rest-api:80;
-    }
-
-
-    ## umc-gateway
-    location = /univention/languages.json {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location = /univention/meta.json {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location = /univention/theme.css {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/js/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/login/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/management/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/themes/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-
-
-    ## umc-server
-    location = /univention/auth {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-      proxy_set_header X-UMC-HTTPS 'on';
-    }
-    location /univention/logout {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/saml {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-      proxy_set_header X-UMC-HTTPS 'on';
-    }
-    location /univention/get {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/set {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/command {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/upload {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-
-
-    ## notifications-api
-    location /univention/portal/notifications-api/ {
-      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
-      proxy_pass http://ums-notifications-api:80;
-    }
-
-    ## openDesk branding
-    location = /favicon.ico {
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location /univention/portal/custom/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location /univention/portal/icons/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-
-    ## ums-provisioning
-    location /univention/provisioning-api/ {
-      rewrite ^/univention/provisioning-api(/.*)$ $1 break;
-      proxy_pass http://ums-provisioning-events-and-consumer-api:80;
-    }
-
-    ## guardian
-    location /univention/guardian/management-ui {
-      proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
-    }
-    location /guardian/opa {
-      rewrite ^/guardian/opa(/.*)$ $1 break;
-      proxy_pass http://ums-open-policy-agent:80/;
-    }
-    location /guardian/management {
-      proxy_pass http://ums-guardian-management-api:80/guardian/management;
-    }
-    location /guardian/authorization {
-      proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
-    }
-
-  }
-
-...

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -36,7 +36,8 @@ containerSecurityContext:
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.xwiki }}
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.xwiki | toYaml | nindent 4 }}
 
 customConfigs:
   xwiki.cfg:
@@ -61,21 +62,21 @@ customConfigs:
     xwiki.authentication.ldap.groupcache_expiration: 300
 
   xwiki.properties:
-    oidc.endpoint.authorization: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
-    oidc.endpoint.token: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
-    oidc.endpoint.userinfo: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
-    oidc.endpoint.logout: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
-    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
-    oidc.scope: "openid,profile,email,address,opendesk"
-    oidc.endpoint.userinfo.method: "GET"
-    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
-    oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
-    # yamllint disable-line rule:line-length
-    oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
     oidc.clientid: "opendesk-xwiki"
     oidc.endpoint.token.auth_method: "client_secret_basic"
-    oidc.skipped: false
+    oidc.endpoint.userinfo.method: "GET"
     oidc.logoutMechanism: "rpInitiated"
+    oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
+    oidc.scope: "openid,profile,email,address,opendesk"
+    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
+    oidc.skipped: false
+    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
+    oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
+    # Using the claims below some user based information can be passed through OIDC to XWiki that partitially has an
+    # impact on the user experience. E.g. you can define the default editor for the user `xwiki_user_editor` or if
+    # the `xwiki_user_usertype` is advanced or simple.
+    # yamllint disable-line rule:line-length
+    oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
     url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
     workplaceServices.base: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"

helmfile/environments/default/charts.yaml

@@ -1,729 +1,409 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+#
+# Please read the /docs/development.md for information about structure and annotations used in this file.
+# yamllint disable rule:line-length
 ---
 charts:
   certificates:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-certificates/opendesk-certificates
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-certificates/opendesk-certificates'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
     name: "opendesk-certificates"
-    version: "2.1.1"
+    version: "2.1.3"
     verify: true
-    # @supplier: "openDesk"
-
   clamav:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-clamav/opendesk-clamav
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-clamav/opendesk-clamav'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
     name: "opendesk-clamav"
-    version: "4.0.1"
+    version: "4.0.5"
     verify: true
-    # @supplier: "openDesk"
-
   clamavSimple:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-clamav/clamav-simple
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-clamav/clamav-simple'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
     name: "clamav-simple"
-    version: "4.0.1"
+    version: "4.0.5"
     verify: true
-    # @supplier: "openDesk"
-
   collabora:
-    # renovate:
-    # upstreamRegistry=ghcr.io/collaboraonline/charts
-    # upstreamRepository=collabora-online
-    # dependencyType=supplier
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Collabora'
+    # upstreamRegistry: 'ghcr.io/collaboraonline/charts'
+    # upstreamRepository: 'collabora-online'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['1', '1', '8']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
     version: "1.1.11"
     verify: true
-    # @supplier: "Collabora"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['1', '1', '8']
-
   cryptpad:
-    # renovate:
-    # upstreamRegistry=ghcr.io/cryptpad/helm
-    # upstreamRepository=cryptpad
-    # dependencyType=supplier
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'XWiki'
+    # upstreamRegistry: 'ghcr.io/cryptpad/helm'
+    # upstreamRepository: 'cryptpad'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['0', '0', '17']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "cryptpad"
     version: "0.0.18"
     verify: true
-    # @supplier: "XWiki"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '0', '17']
-
   dovecot:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-dovecot/dovecot
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'Open-Xchange'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-dovecot/dovecot'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
-    version: "1.3.8"
+    version: "1.3.10"
     verify: true
-    # @supplier: "Open-Xchange"
-
   element:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "2.6.6"
+    version: "2.7.1"
     verify: true
-    # @supplier: "openDesk"
-
   elementWellKnown:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-well-known
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-well-known'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "2.6.6"
+    version: "2.7.1"
+    verify: true
+  home:
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-home'
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
+    name: "opendesk-home"
+    version: "1.0.1"
     verify: true
-    # @supplier: "openDesk"
-
   intercomService:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/intercom-service/intercom-service
-    # dependencyType=supplier
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRepository: 'souvap/tooling/charts/intercom-service/intercom-service'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['2', '0', '1']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "intercom-service"
     version: "2.0.1"
     verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['2', '0', '1']
-
-  istioResources:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-istio-resources/istio-gateway
-    # dependencyType=platform
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-istio-resources"
-    name: "istio-gateway"
-    version: "2.0.1"
-    verify: true
-    # @supplier: "openDesk"
-
   jitsi:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-jitsi/opendesk-jitsi
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-jitsi/opendesk-jitsi'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
     version: "1.7.8"
     verify: true
-    # @supplier: "openDesk"
-
   mariadb:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-mariadb/mariadb
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-mariadb/mariadb'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-mariadb"
     name: "mariadb"
     version: "2.2.1"
     verify: true
-    # @supplier: "openDesk"
-
   matrixNeoboardWidget:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neoboard-widget
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neoboard-widget'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neoboard-widget"
-    version: "3.4.1"
+    version: "3.5.0"
     verify: true
-    # @supplier: "openDesk"
-
   matrixNeochoiseWidget:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neochoice-widget
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neochoice-widget'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neochoice-widget"
-    version: "3.4.1"
+    version: "3.5.0"
     verify: true
-    # @supplier: "openDesk"
-
   matrixNeodatefixBot:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-bot
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-bot'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-bot"
-    version: "3.4.1"
+    version: "3.5.0"
     verify: true
-    # @supplier: "openDesk"
-
   matrixNeodatefixWidget:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-widget
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-widget'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-widget"
-    version: "3.4.1"
+    version: "3.5.0"
     verify: true
-    # @supplier: "openDesk"
-
   matrixUserVerificationService:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-matrix-user-verification-service
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-matrix-user-verification-service'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
-    version: "2.6.6"
+    version: "2.7.1"
     verify: true
-    # @supplier: "openDesk"
-
   memcached:
-    # renovate:
-    # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=bitnamicharts/memcached
-    # dependencyType=external
+    # providerCategory: 'Community'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'bitnamicharts/memcached'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "memcached"
     version: "6.7.1"
     verify: true
-    # @supplier: "openDesk"
-
   minio:
-    # renovate:
-    # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=bitnamicharts/minio
-    # dependencyType=external
+    # providerCategory: 'Community'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'bitnamicharts/minio'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "minio"
     version: "12.10.11"
     verify: true
-    # @supplier: "openDesk"
-
   nextcloud:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "1.5.0"
+    version: "1.5.2"
     verify: true
-    # @supplier: "openDesk"
-
   nextcloudManagement:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
     # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management
-    # dependencyType=platform
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "1.5.0"
+    version: "1.5.2"
     verify: true
-    # @supplier: "openDesk"
-
   nginx:
-    # renovate:
-    # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=bitnamicharts/nginx
-    # dependencyType=external
+    # providerCategory: 'Community'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'bitnamicharts/nginx'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "nginx"
     version: "15.9.3"
     verify: true
-    # @supplier: "openDesk"
-
   opendeskKeycloakBootstrap:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap/opendesk-keycloak-bootstrap
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap/opendesk-keycloak-bootstrap'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
     version: "1.0.7"
     verify: true
-    # @supplier: "openDesk"
-
   openproject:
-    # renovate:
-    # upstreamRegistry=ghcr.io
-    # upstreamRepository=opf/helm-charts/openproject
-    # dependencyType=supplier
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'openProject'
+    # upstreamRegistry: 'ghcr.io'
+    # upstreamRepository: 'opf/helm-charts/openproject'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['3', '0', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
     version: "4.2.1"
     verify: true
-    # @supplier: "openProject"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['3', '0', '2']
-
   openprojectBootstrap:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap/opendesk-openproject-bootstrap
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap/opendesk-openproject-bootstrap'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
     name: "opendesk-openproject-bootstrap"
     version: "1.3.0"
     verify: true
-    # @supplier: "openDesk"
-
   openXchangeAppSuite:
-    # renovate:
-    # upstreamRegistry=registry.open-xchange.com
-    # upstreamRepository=appsuite-public-sector/charts/appsuite-public-sector
-    # dependencyType=supplier
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Open-Xchange'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['2', '2', '37']
+    # upstreamRegistry: 'registry.open-xchange.com'
+    # upstreamRepository: 'appsuite-public-sector/charts/appsuite-public-sector'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector"
-    version: "2.2.37"
-    # @supplier: "Open-Xchange"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['2', '2', '37']
-
+    version: "2.5.3"
+    verify: false
   openXchangeAppSuiteBootstrap:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap/opendesk-open-xchange-bootstrap
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap/opendesk-open-xchange-bootstrap'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
     name: "opendesk-open-xchange-bootstrap"
     version: "1.3.4"
     verify: true
-    # @supplier: "openDesk"
-
   otterize:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-otterize/opendesk-otterize
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-otterize/opendesk-otterize'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
     name: "opendesk-otterize"
-    version: "1.7.3"
+    version: "2.0.1"
     verify: true
-    # @supplier: "openDesk"
-
   oxConnector:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/ox-connector
-    # dependencyType=supplier
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRepository: 'souvap/tooling/charts/univention/ox-connector'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['0', '4', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ox-connector"
     version: "0.4.2"
     verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '4', '2']
-
   postfix:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-postfix/postfix
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-postfix/postfix'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
     version: "2.0.5"
     verify: true
-    # @supplier: "openDesk"
-
   postgresql:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-postgresql/postgresql
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-postgresql/postgresql'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postgresql"
     name: "postgresql"
     version: "2.0.5"
     verify: true
-    # @supplier: "openDesk"
-
   redis:
-    # renovate:
-    # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=bitnamicharts/redis
-    # dependencyType=external
+    # providerCategory: 'Community'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'bitnamicharts/redis'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "redis"
     version: "18.6.1"
     verify: true
-    # @supplier: "openDesk"
-
   synapse:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "2.6.6"
+    version: "2.7.1"
     verify: true
-    # @supplier: "openDesk"
-
   synapseCreateAccount:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-create-account
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-create-account'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "2.6.6"
+    version: "2.7.1"
     verify: true
-    # @supplier: "openDesk"
-
   synapseWeb:
-    # renovate:
-    # upstreamRegistry=registry.opencode.de
-    # upstreamRepository=bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-web
-    # dependencyType=platform
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-web'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "2.6.6"
+    version: "2.7.1"
     verify: true
-    # @supplier: "openDesk"
-
-  umsGuardianAuthorizationApi:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/guardian-authorization-api
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "guardian-authorization-api"
-    version: "0.1.0"
+  ums:
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRepository: 'souvap/tooling/charts/univention/ums'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['0', '0', '1']
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    registry: "registry.souvap-univention.de"
+    repository: "souvap/tooling/charts/univention"
+    name: "ums"
+    version: "0.12.0"
     verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '0', '1']
-
-  umsGuardianManagementApi:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/guardian-management-api
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "guardian-management-api"
-    version: "0.1.0"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '0', '1']
-
-  umsGuardianManagementUi:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/guardian-management-ui
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "guardian-management-ui"
-    version: "0.1.0"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '0', '1']
-
-  umsKeycloak:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention-keycloak/ums-keycloak
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "ums-keycloak"
-    version: "1.0.3"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['1', '0', '3']
-
   umsKeycloakBootstrap:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention-keycloak-bootstrap/ums-keycloak-bootstrap
-    # dependencyType=supplier
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRepository: 'souvap/tooling/charts/univention-keycloak-bootstrap/ums-keycloak-bootstrap'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['1', '0', '1']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ums-keycloak-bootstrap"
     version: "1.0.1"
     verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['1', '0', '1']
-
-  umsKeycloakExtensions:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/keycloak-extensions
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "keycloak-extensions"
-    version: "0.1.0"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '0', '3']
-
-  umsLdapNotifier:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/ldap-notifier
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "ldap-notifier"
-    version: "0.8.2"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '7', '2']
-
-  umsLdapServer:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/ldap-server
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "ldap-server"
-    version: "0.8.2"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '7', '2']
-
-  umsNotificationsApi:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/notifications-api
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "notifications-api"
-    version: "0.9.2"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '2']
-
-  umsOpenPolicyAgent:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/open-policy-agent
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "open-policy-agent"
-    version: "0.1.0"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '0', '1']
-
-  umsPortalFrontend:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/portal-frontend
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "portal-frontend"
-    version: "0.14.0"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '2']
-
-  umsPortalListener:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/portal-listener
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "portal-listener"
-    version: "0.14.0"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '2']
-
-  umsPortalServer:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/portal-server
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "portal-server"
-    version: "0.14.0"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '2']
-
-  umsProvisioning:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/provisioning
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "provisioning"
-    version: "0.9.5"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '9', '5']
-
-  umsSelfserviceListener:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/selfservice-listener
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "selfservice-listener"
-    version: "0.3.1"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '3', '1']
-
-  umsStackDataSwp:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/stack-data-swp
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "stack-data-swp"
-    version: "0.44.0"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '41', '8']
-
-  umsStackDataUms:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/stack-data-ums
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "stack-data-ums"
-    version: "0.44.0"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '41', '8']
-
-  umsUdmRestApi:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/udm-rest-api
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "udm-rest-api"
-    version: "0.5.2"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '4', '3']
-
-  umsUmcGateway:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/umc-gateway
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "umc-gateway"
-    version: "0.6.4"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '6', '4']
-
-  umsUmcServer:
-    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/charts/univention/umc-server
-    # dependencyType=supplier
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "umc-server"
-    version: "0.6.4"
-    verify: true
-    # @supplier: "Univention"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '6', '4']
-
   xwiki:
-    # renovate:
-    # upstreamRegistry=git.xwikisas.com:5050/xwikisas/swp/xwiki/contrib-xwiki-helm
-    # upstreamRepository=xwiki
-    # dependencyType=supplier
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'XWiki'
+    # upstreamRegistry: 'git.xwikisas.com:5050/xwikisas/swp/xwiki/contrib-xwiki-helm'
+    # upstreamRepository: 'xwiki'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['1', '2', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "xwiki"
     version: "1.3.0"
     verify: false
-    # @supplier: "XWiki"
-    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['1', '2', '4']
 ...

helmfile/environments/default/debug.yaml

@@ -14,6 +14,6 @@ debug:
   # should activate debug output in all components and even allow e.g. successfully executed jobs
   # to stay available. This is going to be implemented on a case by case basis when we actually
   # need debugging in a component.
-  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}`
+  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}`
   enabled: false
 ...

helmfile/environments/default/global.generated.yaml

@@ -1,7 +1,7 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.5.78"
+    releaseVersion: "v0.7.0"
 ...

helmfile/environments/default/global.gotmpl

@@ -11,6 +11,14 @@ global:
   #
   domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
 
+  ## Define mail host
+  #
+  mailDomain: {{ env "MAIL_DOMAIN" | quote }}
+
+  ## Define synapse host
+  #
+  synapseDomain: {{ env "SYNAPSE_DOMAIN" | quote }}
+
   ## Define docker registry address.
   #
   helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}

helmfile/environments/default/global.yaml

@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 ## The global properties are used to configure multiple charts at once.
@@ -9,9 +10,7 @@ global:
   hosts:
     collabora: "collabora"
     cryptpad: "cryptpad"
-    dimension: "integration"
     element: "chat"
-    etherpad: "etherpad"
     intercomService: "ics"
     jitsi: "meet"
     keycloak: "id"

helmfile/environments/default/istio.gotmpl

@@ -1,15 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-istio:
-  enabled: true
-  domain: {{ env "ISTIO_DOMAIN" | default "souvap.cloud" | quote }}
-  virtualService:
-    enabled: false
-  gateway:
-    enabled: true
-  issuerRef:
-    name: "letsencrypt-istio-prod"
-...

helmfile/environments/default/objectstore.gotmpl

@@ -4,20 +4,28 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 objectstores:
+  nextcloud:
+    bucket: "nextcloud"
+    endpoint: ""
+    region: "eu-west-1"
+    secretKey: ""
+    username: "nextcloud_user"
+    storageClass: "STANDARD"
+    useSSL: true
+    pathStyle: true
+    port: 443
   openproject:
-    backend: "minio"
     bucket: "openproject"
     endpoint: ""
-    region: ""
-    secret: ""
+    region: "eu-west-1"
+    secretKey: ""
     username: "openproject_user"
+    pathStyle: true
     useIAMProfile: ""
   univentionManagementStack:
-    backend: "minio"
     bucket: "ums"
     endpoint: ""
-    region: ""
-    secret: ""
+    region: "eu-west-1"
+    secretKey: ""
     username: "ums_user"
-    useIAMProfile: ""
 ...

helmfile/environments/default/replicas.yaml

@@ -44,9 +44,19 @@ replicas:
   redis: 1
   synapse: 1
   synapseWeb: 1
+  umsKeycloakExtensionsHandler: 1
+  umsKeycloakExtensionsProxy: 1
+  umsLdapNotifier: 1
+  umsLdapServer: 1
+  umsNotificationsApi: 1
   umsPortalFrontend: 1
+  umsPortalListener: 1
   umsPortalServer: 1
+  umsSelfserviceListener: 1
+  umsStackGateway: 1
   umsUdmRestApi: 1
+  umsUmcGateway: 1
+  umsUmcServer: 1
   wellKnown: 1
   xwiki: 1
 ...

helmfile/environments/default/resources.yaml

@@ -396,6 +396,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsLdapServerInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsNotificationsApi:
     limits:
       cpu: 99
@@ -431,7 +438,35 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsProvisioning:
+  umsProvisioningEventsAndConsumerApi:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningDispatcher:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningPrefill:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningUdmListener:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsProvisioningNats:
     limits:
       cpu: 99
       memory: "1Gi"
@@ -466,6 +501,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsStackGateway:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
   umsUdmRestApi:
     limits:
       cpu: 99
@@ -473,6 +515,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsUdmRestApiInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsUmcGateway:
     limits:
       cpu: 99

helmfile/environments/default/secrets.gotmpl

@@ -1,5 +1,6 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
@@ -29,6 +30,21 @@ secrets:
     storeDavUsers:
       portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
       portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
+    provisioning:
+      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
+      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
+      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
+      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
+      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
+      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
+      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+  nats:
+    natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
+
   postgresql:
     postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
     keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
@@ -77,10 +93,8 @@ secrets:
     jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
     jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
     jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
-  etherpad:
-    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
   whiteboard:
-    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
+    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "whiteboard" "apiKey" | sha1sum | quote }}
   centralnavigation:
     apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum | quote }}
   redis:

helmfile/environments/default/security.yaml

@@ -7,4 +7,9 @@ security:
   clusterPostfix:
     enabled: false
     namespace: ""
+  ingressController:
+    podSelector:
+      matchLabels:
+        app.kubernetes.io/name: "ingress-nginx"
+    namespace: "ingress-nginx"
 ...

helmfile/environments/default/selinux.yaml

@@ -7,6 +7,7 @@
 ---
 seLinuxOptions:
   clamavSimple: ~
+  clamav: ~
   clamd: ~
   collabora: ~
   cryptpad: ~

helmfile/environments/default/workplace.yaml

@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -15,12 +16,12 @@ dovecot:
   enabled: true
 element:
   enabled: true
+home:
+  enabled: true
 intercom:
   enabled: true
 jitsi:
   enabled: true
-keycloak:
-  enabled: true
 mariadb:
   enabled: true
 memcached:

helmfile/environments/test/values.yaml.gotmpl

@@ -75,9 +75,19 @@ replicas:
   redis: 42
   synapse: 42
   synapseWeb: 42
+  umsKeycloakExtensionsHandler: 42
+  umsKeycloakExtensionsProxy: 42
+  umsLdapNotifier: 42
+  umsLdapServer: 42
+  umsNotificationsApi: 42
   umsPortalFrontend: 42
+  umsPortalListener: 42
   umsPortalServer: 42
+  umsSelfserviceListener: 42
+  umsStackGateway: 42
   umsUdmRestApi: 42
+  umsUmcGateway: 42
+  umsUmcServer: 42
   wellKnown: 42
   xwiki: 42
 ...