feat(nubus): Bump verison

Version 0.61.0 of the nubus chart.

.gitlab-ci.yml

@@ -4,7 +4,7 @@
 ---
 include:
   - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.3.3"
+    ref: "v2.3.4"
     file:
       - "ci/common/automr.yml"
       - "ci/common/lint.yml"
@@ -159,7 +159,7 @@ variables:
       - "no"
   RUN_TESTS:
     description: "Triggers execution of E2E-tests."
-    value: "yes"
+    value: "no"
     options:
       - "yes"
       - "no"
@@ -181,6 +181,9 @@ variables:
     options:
       - "Regression"
       - "Smoke"
+  TESTS_GRACE_PERIOD:
+    description: "A new deployment sometimes needs a few minutes to sort itself. If tested too early tests may fail. GRACE_PERIOD is the period in seconds that should be waited before running the tests."
+    value: "0"
 
 .deploy-common:
   cache: {}
@@ -245,14 +248,6 @@ env-start:
   script:
     - "echo \"Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster\""
     - "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -"
-    - >
-      kubectl create secret
-      --namespace "${NAMESPACE}"
-      docker-registry external-registry
-      --docker-server "${EXTERNAL_REGISTRY}"
-      --docker-username "${EXTERNAL_REGISTRY_USERNAME}"
-      --docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
-      --dry-run=client -o yaml | kubectl apply -f -
   stage: "env"
 
 policies-deploy:
@@ -470,15 +465,11 @@ env-stop:
 
 .ums-default-password: &ums-default-password
   - |
-    UMS_PASSWORDS=$( \
-      kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
-      | yq '.properties.password' > passwords.txt \
-    )
     DEFAULT_USER_PASSWORD=$( \
-      awk 'NR==1{print $1}' passwords.txt \
+       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.user_password}' | base64 -d \
     )
     DEFAULT_ADMIN_PASSWORD=$(
-      awk 'NR==3{print $1}' passwords.txt \
+       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.administrator_password}' | base64 -d \
     )
 
 run-tests:
@@ -515,7 +506,8 @@ run-tests:
           \"testprofile\": \"Namespace\", \
           \"gitlab_functional_yaml\": \"https://gitlab.opencode.de/api/v4/projects/1317/repository/files/helmfile%2Fenvironments%2Fdefault%2Ffunctional.yaml?ref=develop\", \
           \"gitlab_env_namespace_template\": \"https://gitlab.opencode.de/api/v4/projects/1564/repository/files/environments%2F{operator}%2F{cluster}%2F{namespace}.yaml.gotmpl?ref=main\", \
-          \"gitlab_default_env_namespace\": \"values\" \
+          \"gitlab_default_env_namespace\": \"values\", \
+          \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\" \
         } \
       }" \
       "https://${TESTS_PROJECT_URL}/trigger/pipeline"
@@ -696,5 +688,4 @@ renovate:
   script:
     - "renovate ${RENOVATE_EXTRA_FLAGS}"
   stage: "renovate"
-
 ...

.reuse/dep5

@@ -1,16 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: openDesk - der Souveräne Arbeitsplatz
-Upstream-Contact: <opendesk@zendis.de>
-Source: https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk
-
-Files: helmfile/files/theme/*
-Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-License: Apache-2.0
-
-Files: helmfile/files/gpg-pubkeys/*
-Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-License: CC0-1.0
-
-Files: cspell.json
-Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-License: Apache-2.0

README.md

@@ -36,7 +36,7 @@ openDesk currently features the following functional main components:
 | Groupware            | OX App Suite                | [8.26](https://documentation.open-xchange.com/appsuite/releases/8.26/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [14.4.1](https://www.openproject.org/docs/release-notes/14-4-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [14.5.1](https://www.openproject.org/docs/release-notes/14-5-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
 | Weboffice            | Collabora                   | [24.04.7.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 

REUSE.toml

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+
+version = 1
+
+[[annotations]]
+path = "helmfile/files/theme/*"
+SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
+SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = "cspell.json"
+SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
+SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = "helmfile/files/gpg-pubkeys/*"
+SPDX-FileCopyrightText = "2023 Bundesministerium des Innern und für Heimat, PG ZenDiS \"Projektgruppe für Aufbau ZenDiS\""
+SPDX-License-Identifier = "CC0-1.0"

dev/charts-local.py

@@ -25,7 +25,7 @@ script_path = os.path.dirname(os.path.realpath(__file__))
 log_path = script_path+'/../logs'
 charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml'
 base_repo_path = script_path+'/..'
-base_helmfile = base_repo_path+'/helmfile_generic.yaml'
+base_helmfile = base_repo_path+'/helmfile_generic.yaml.gotmpl'
 helmfile_backup_extension = '.bak'
 
 Path(log_path).mkdir(parents=True, exist_ok=True)

docs/migrations.md

@@ -135,6 +135,21 @@ global:
     xwiki: "wiki"
 ```
 
+In case you would like to use the updated hostnames you at least have to apply some manual changes. But do this at
+your own risk. Be also aware that some of your user's bookmarks and links will stop working.
+
+- Update the affected portal tiles:
+  - All tiles in the "Files" category.
+  - The "Projects" tile in the "Management" category.
+- There are two options to change the link for the portal tiles:
+  - Use an admin account to access the portal's edit mode (on the bottom of the sidebar portal's menu).
+  - Utilize the UDM REST API to update the portal tile objects.
+- Update the hostnames for the OpenProject-Nextcloud integration using a functional admin user for both components:
+  - In OpenProject: *Administration* > *Files* > *External file storages* > Select `Nextcloud at [your_domain]`
+    Edit *Details* - *General Information* - *Storage provider* and update the *hostname* to `files.<your_domain>`.
+  - In Nextcloud: *Administration* > *OpenProject* > *OpenProject server* update the *OpenProject host* to
+    to `projects.<your_domain>`.
+
 #### Updated `global.imagePullSecrets`
 
 Without using a custom registry, you can pull all the openDesk images without authentication.

helmfile/apps/element/helmfile-child.yaml.gotmpl

@@ -32,52 +32,6 @@ repositories:
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
     url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
-  - name: "synapse-create-account-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.synapseCreateAccount.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
-
-  # openDesk Matrix Widgets
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
-  - name: "matrix-user-verification-service-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.matrixUserVerificationService.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
-  - name: "matrix-neoboard-widget-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
-  - name: "matrix-neochoice-widget-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
-  - name: "matrix-neodatefix-widget-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
-  - name: "matrix-neodatefix-bot-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
-
 
 releases:
   - name: "opendesk-element"
@@ -112,62 +66,6 @@ releases:
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
-  - name: "opendesk-matrix-user-verification-service-bootstrap"
-    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
-    version: "{{ .Values.charts.synapseCreateAccount.version }}"
-    values:
-      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
-  - name: "opendesk-matrix-user-verification-service"
-    chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
-    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
-    values:
-      - "values-matrix-user-verification-service.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
-  - name: "matrix-neoboard-widget"
-    chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
-    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
-    values:
-      - "values-matrix-neoboard-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
-  - name: "matrix-neochoice-widget"
-    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
-    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
-    values:
-      - "values-matrix-neochoice-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
-  - name: "matrix-neodatefix-widget"
-    chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
-    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
-    values:
-      - "values-matrix-neodatefix-widget.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
-  - name: "matrix-neodatefix-bot-bootstrap"
-    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
-    version: "{{ .Values.charts.synapseCreateAccount.version }}"
-    values:
-      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
-  - name: "matrix-neodatefix-bot"
-    chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
-    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
-    values:
-      - "values-matrix-neodatefix-bot.yaml.gotmpl"
-    installed: {{ .Values.element.enabled }}
-    timeout: 900
-
 commonLabels:
   deploy-stage: "component-1"
   component: "element"

helmfile/apps/element/values-element.yaml.gotmpl

@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 configuration:
   endToEndEncryption: true
   additionalConfiguration:
-    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=opendesk-matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
 
     "net.nordeck.element_web.module.opendesk":
       config:
@@ -20,86 +20,6 @@ configuration:
           --cpd-color-bg-action-primary-rest: {{ .Values.theme.colors.primary | quote }}
           --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
 
-    "net.nordeck.element_web.module.widget_lifecycle":
-      widget_permissions:
-        "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/jitsi.html":
-          identity_approved: true
-        "https://{{ .Values.global.hosts.matrixNeoBoardWidget }}.{{ .Values.global.domain }}/*":
-          preload_approved: true
-          capabilities_approved:
-            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.create
-            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.create
-            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.chunk
-            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk
-            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot
-            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot
-            - org.matrix.msc2762.send.state_event:m.room.power_levels#
-            - org.matrix.msc2762.receive.state_event:m.room.power_levels#
-            - org.matrix.msc2762.receive.state_event:m.room.member
-            - org.matrix.msc2762.receive.state_event:m.room.name
-            - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard
-            - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard
-            - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard.sessions#*
-            - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard.sessions
-            - org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
-            - org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
-            - town.robin.msc3846.turn_servers
-            - org.matrix.msc4039.upload_file
-            - org.matrix.msc4039.download_file
-        "https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
-          preload_approved: true
-          capabilities_approved:
-            - org.matrix.msc2762.send.event:net.nordeck.poll.vote
-            - org.matrix.msc2762.receive.event:net.nordeck.poll.vote
-            - org.matrix.msc2762.send.state_event:net.nordeck.poll
-            - org.matrix.msc2762.receive.state_event:net.nordeck.poll
-            - org.matrix.msc2762.send.state_event:net.nordeck.poll.settings
-            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.settings
-            - org.matrix.msc2762.receive.state_event:m.room.power_levels
-            - org.matrix.msc2762.receive.state_event:m.room.name
-            - org.matrix.msc2762.receive.state_event:m.room.member
-            - org.matrix.msc2762.send.state_event:net.nordeck.poll.group
-            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.group
-            - org.matrix.msc2762.send.event:net.nordeck.poll.start
-            - org.matrix.msc2762.receive.event:net.nordeck.poll.start
-        "https://{{ .Values.global.hosts.matrixNeoDateFixWidget }}.{{ .Values.global.domain }}/*":
-          preload_approved: true
-          identity_approved: true
-          capabilities_approved:
-            - org.matrix.msc2931.navigate
-            - org.matrix.msc2762.timeline:*
-            - org.matrix.msc2762.receive.state_event:m.room.power_levels
-            - org.matrix.msc2762.receive.event:m.reaction
-            - org.matrix.msc2762.receive.state_event:m.room.create
-            - org.matrix.msc2762.receive.state_event:m.room.tombstone
-            - org.matrix.msc2762.receive.state_event:m.room.member
-            - org.matrix.msc2762.send.state_event:m.room.member
-            - org.matrix.msc2762.receive.state_event:m.room.name
-            - org.matrix.msc2762.receive.state_event:m.room.topic
-            - org.matrix.msc2762.receive.state_event:m.space.parent
-            - org.matrix.msc2762.receive.state_event:m.space.child
-            - org.matrix.msc2762.receive.state_event:net.nordeck.meetings.metadata
-            - org.matrix.msc2762.receive.state_event:im.vector.modular.widgets
-            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.create
-            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.create
-            - org.matrix.msc2762.send.event:net.nordeck.meetings.breakoutsessions.create
-            - org.matrix.msc2762.receive.event:net.nordeck.meetings.breakoutsessions.create
-            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.close
-            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.close
-            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.widgets.handle
-            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.widgets.handle
-            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.participants.handle
-            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.participants.handle
-            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.update
-            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.update
-            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.change.message_permissions
-            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.change.message_permissions
-            - org.matrix.msc2762.send.event:net.nordeck.meetings.sub_meetings.send_message
-            - org.matrix.msc2762.receive.event:net.nordeck.meetings.sub_meetings.send_message
-            - org.matrix.msc3973.user_directory_search
-
-  welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
-
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:

helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl

@@ -1,57 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.matrixNeoBoardWidget | toYaml | nindent 4 }}
-
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoBoardWidget.registry | quote }}
-  repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
-  tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-podAnnotations: {}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
-
-resources:
-  {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
-
-theme:
-  {{ .Values.theme | toYaml | nindent 2 }}
-
-...

helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl

@@ -1,57 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.matrixNeoChoiceWidget | toYaml | nindent 4 }}
-
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoChoiceWidget.registry | quote }}
-  repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
-  tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-podAnnotations: {}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
-
-theme:
-  {{ .Values.theme | toYaml | nindent 2 }}
-
-resources:
-  {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
-
-...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl

@@ -1,46 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
-
-configuration:
-  username: "meetings-bot"
-  pod: "opendesk-synapse-0"
-  secretName: "matrix-neodatefix-bot-account"
-  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
-  url: {{ .Values.images.synapseCreateUser.repository | quote }}
-  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-fullnameOverride: "matrix-neodatefix-bot-bootstrap"
-
-podAnnotations: {}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
-
-...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -1,85 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-configuration:
-  bot:
-    username: "meetings-bot"
-    displayname: "Terminplaner Bot"
-  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
-  strings:
-    breakoutSessionWidgetName: "Breakoutsessions"
-    calendarRoomName: "Terminplaner"
-    calendarWidgetName: "Terminplaner"
-    cockpitWidgetName: "Meeting Steuerung"
-    jitsiWidgetName: "Videokonferenz"
-    matrixNeoBoardWidgetName: "Whiteboard"
-    matrixNeoChoiceWidgetName: "Abstimmungen"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.matrixNeoDateFixBot | toYaml | nindent 4 }}
-
-extraEnvVars:
-  - name: "ACCESS_TOKEN"
-    valueFrom:
-      secretKeyRef:
-        name: "matrix-neodatefix-bot-account"
-        key: "access_token"
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixBot.registry | quote }}
-  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
-  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-livenessProbe:
-  enabled: true
-
-persistence:
-  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-
-podAnnotations: {}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-readinessProbe:
-  enabled: true
-
-replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
-
-resources:
-  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
-
-...

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -1,62 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-configuration:
-  bot:
-    username: "meetings-bot"
-    homeserver: {{ .Values.global.matrixDomain | default .Values.global.domain }}
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.matrixNeoDateFixWidget | toYaml | nindent 4 }}
-
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixWidget.registry | quote }}
-  repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
-  tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-podAnnotations: {}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
-
-resources:
-  {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
-
-theme:
-  {{ .Values.theme | toYaml | nindent 2 }}
-
-...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -1,45 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
-
-configuration:
-  username: "uvs"
-  pod: "opendesk-synapse-0"
-  secretName: "opendesk-matrix-user-verification-service-account"
-  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
-  url: {{ .Values.images.synapseCreateUser.repository | quote }}
-  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
-
-podAnnotations: {}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.synapseCreateUser | toYaml | nindent 4 }}
-...

helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl

@@ -1,56 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: false
-  runAsGroup: 0
-  runAsNonRoot: false
-  runAsUser: 0
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.matrixUserVerificationService | toYaml | nindent 4 }}
-
-extraEnvVars:
-  - name: "UVS_ACCESS_TOKEN"
-    valueFrom:
-      secretKeyRef:
-        name: "opendesk-matrix-user-verification-service-account"
-        key: "access_token"
-  - name: "UVS_DISABLE_IP_BLACKLIST"
-    value: "true"
-
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixUserVerificationService.registry | quote }}
-  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
-  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
-
-podAnnotations: {}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
-
-resources:
-  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
-
-...

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -12,18 +12,7 @@ configuration:
     room_prejoin_state:
       additional_event_types:
         - "m.space.parent"
-        - "net.nordeck.meetings.metadata"
         - "m.room.power_levels"
-    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
-    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
-    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
-    rc_login:
-      account:
-        per_second: 2
-        burst_count: 8
-      address:
-        per_second: 2
-        burst_count: 12
 
   database:
     host: {{ .Values.databases.synapse.host | quote }}
@@ -33,25 +22,6 @@ configuration:
 
   homeserver:
     serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
-    appServiceConfigs:
-      - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
-        hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
-        id: intercom-service
-        namespaces:
-          users:
-            - exclusive: false
-              regex: "@.*"
-        url: null
-        sender_localpart: intercom-service
-      - as_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
-        hs_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
-        id: ox-appsuite
-        namespaces:
-          users:
-            - exclusive: false
-              regex: "@.*"
-        url: null
-        sender_localpart: ox-appsuite
 
     presence:
       enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
@@ -90,14 +60,6 @@ configuration:
           transport: {{ .Values.turn.transport | quote }}
         {{- end }}
 
-    guestModule:
-      enabled: true
-      image:
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapseGuestModule.registry | quote }}
-        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
-        tag: {{ .Values.images.synapseGuestModule.tag | quote }}
-
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:

helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl

@@ -5,7 +5,7 @@ repositories:
   # Intercom Service
   # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
   - name: "intercom-service-repo"
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
     verify: {{ .Values.charts.intercomService.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}

helmfile/apps/intercom-service/values.yaml.gotmpl

@@ -79,6 +79,25 @@ podSecurityContext:
   fsGroup: 1000
   fsGroupChangePolicy: "Always"
 
+provisioning:
+  enabled: true
+  config:
+    nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
+    keycloak:
+      url: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/"
+      username: "kcadmin"
+      realm: {{ .Values.platform.realm | quote }}
+      connection:
+        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+        baseUrl: "http://ums-keycloak:8080"
+      credentialSecret:
+        name: "ums-opendesk-keycloak-credentials"
+        key: "admin_password"
+    ics_client:
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+      credentialSecret:
+        key: "ics_secret"
+
 replicaCount: {{ .Values.replicas.intercomService }}
 
 resources:

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -63,6 +63,8 @@ jitsi:
         - secretName: {{ .Values.ingress.tls.secretName | quote }}
           hosts:
             - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
+    extraConfigJs:
+      doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
     extraEnvs:
       TURN_ENABLE: "1"
     resources:

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -9,6 +9,9 @@ global:
     baseDn: {{ .Values.ldap.baseDn | quote }}
     domainName: {{ .Values.global.domain | quote }}
   domain: {{ .Values.global.domain | quote }}
+  subDomains:
+    portal: {{ .Values.global.hosts.nubus | quote }}
+    keycloak: {{ .Values.global.hosts.keycloak | quote }}
   ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
   certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
   nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
@@ -26,6 +29,30 @@ global:
     defaultUsers:
       defaultAdminPassword: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote}}
       defaultUserPassword: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote}}
+      defaultAdministratorPassword: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote}}
+    portalConsumer:
+      minio:
+        accessKey: {{ .Values.objectstores.nubus.username | quote }}
+        secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+      provisioningApi:
+        password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote}}
+    provisioning:
+      api:
+        adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote}}
+        natsPassword: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
+        prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
+        udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
+      dispatcher:
+        natsPassword: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
+      nats:
+        adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote}}
+      prefill:
+        natsPassword: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
+      udmTransformer:
+        natsPassword: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
+    selfserviceConsumer:
+      provisioningApi:
+        password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
 
   # -- Extensions to load. Add entries to load additional extensions into Nubus.
   extensions:
@@ -52,6 +79,61 @@ global:
         repository: {{ .Values.images.nubusPortalExtension.repository }}
         tag: {{ .Values.images.nubusPortalExtension.tag }}
         imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+  configUcr:
+    directory:
+      manager:
+        web:
+          modules:
+            users:
+              user:
+                add:
+                  default: cn=openDesk User,cn=templates,cn=univention,{{ .Values.ldap.baseDn }}
+                properties:
+                  description:
+                    syntax: TextArea
+                  firstname:
+                    required: "true"
+                  mailPrimaryAddress:
+                    required: "true"
+                  username:
+                    syntax: uid
+                search:
+                  autosearch: "False"
+                wizard:
+                  property:
+                    invite:
+                      default: "True"
+                    overridePWLength:
+                      default: "False"
+                      visible: "False"
+                    pwdChangeNextLogin:
+                      default: "True"
+                      visible: "False"
+            wizard:
+              disabled: "No"
+
+    ucs:
+      web:
+        theme: light
+
+    umc:
+      cookie-banner:
+        show: "false"
+      login:
+        password-complexity-message:
+          de: "Das Passwort muss den folgenden Anforderungen entsprechen:<br><ul><li>Mindestlänge: 8 Zeichen</li></ul>Anmerkung: Wird befinden uns nicht in einer Produktivumgebung."
+          en: "Password must comply with the following rules:<br><ul><li>Minimum length: 8 characters</li></ul>Note: We are in a non production (dev/test/demo) system."
+      module:
+        udm:
+          oxmail:
+            oxcontext:
+              disabled: "True"
+          portals:
+            all:
+              disabled: "True"
+      self-service:
+        passwordreset:
+          token_validity_period: 172800
 
 ingress:
   certManager:
@@ -94,7 +176,13 @@ nubusGuardian:
   provisioning:
     enabled: false
     config:
+      nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
       keycloak:
+        realm: {{ .Values.platform.realm | quote }}
+        username: "kcadmin"
+        connection:
+          host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+          baseUrl: "http://ums-keycloak:8080"
         credentialSecret:
           name: "ums-opendesk-keycloak-credentials"
           key: "admin_password"
@@ -206,13 +294,17 @@ nubusPortalFrontend:
       secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 nubusPortalListener:
-  portalListener:
+  enabled: false
+
+nubusPortalConsumer:
+  enabled: true
+  portalConsumer:
+    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
     objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
     objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
-    objectStorageCredentialSecret:
-      name: "ums-portal-listener-minio-opendesk-credentials"
-      accessKeyKey: "access-key-id"
-      secretKeyKey: "secret-key-id"
+  provisioningApi:
+    auth:
+      username: "portal-consumer"
 
 nubusPortalServer:
   portalServer:
@@ -240,15 +332,17 @@ nubusUdmRestApi:
       enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-# NOTE: disabled until the next update.
 nubusProvisioning:
-  enabled: false
-nubusUdmListener:
-  enabled: false
-nubusSelfServiceListener:
   enabled: true
-  selfserviceListener:
-    umcAdminUser: "default.admin"
+
+nubusUdmListener:
+  enabled: true
+
+nubusSelfServiceListener:
+  enabled: false
+
+nubusSelfServiceConsumer:
+  enabled: true
 
 # Nubus services
 nubusStackDataUms:
@@ -262,7 +356,11 @@ nubusStackDataUms:
     umcMemcachedUsername: ""
     externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     umcHtmlTitle: "openDesk Portal"
-    installUmcPolicies: true
+    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpPort: 25
+    smtpUser: ""
+    smtpStartTls: false
+    ldapBase: {{ .Values.ldap.baseDn }}
   templateContext:
     portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
     portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
@@ -279,6 +377,7 @@ nubusStackDataUms:
         password: {{ $password | quote }}
         lastname: "LDAP-Search-User"
       {{- end }}
+    ldapSystemUsers: []
     portaltileGroupUserStandard:
       - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
       - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
@@ -300,47 +399,21 @@ nubusStackDataUms:
       - 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
     portaltileGroupLiveCollaboration:
       - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
-
+    systemInformation:
+      enabled: true
+      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+      {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
+      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
+      {{- else }}
+      deployDate: "not available"
+      {{- end }}
+  # In openDesk the external memcache does not expect a username to be set. Overwriting
+  # the default username of `selfservice` is part of the customizing:
   nubusUmcServer:
     memcached:
       auth:
         username: ""
 
-# TODO: Remove values when upstreaming fixes
-nubusStackDataSwp:
-  additionalAnnotations:
-    argocd.argoproj.io/hook: "Sync"
-    argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
-  stackDataSwp:
-    systemInformation:
-    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
-      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
-    {{- end }}
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
-  stackDataContext:
-    ldapSearchUsers:
-      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
-      - username: {{ printf "ldapsearch_%s" $username | quote }}
-        password: {{ $password | quote }}
-        lastname: "LDAP-Search-User"
-      {{- end }}
-    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
-    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-    smtpPort: 25
-    smtpUser: ""
-    smtpStartTls: false
-    ldapBase: {{ .Values.ldap.baseDn }}
-    # FIXME: Should be templated correctly in the future
-    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
-    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
-    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
-    portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
-    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
-    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
-    portalTitleDE: "openDesk Portal"
-    portalTitleEN: "openDesk Portal"
-    oxDefaultContext: "1"
-
 nubusUmcServer:
   postgresql:
     bundled: false
@@ -441,10 +514,6 @@ extraSecrets:
     stringData:
       access-key-id: {{ .Values.objectstores.nubus.username | quote }}
       secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-  - name: "ums-portal-listener-minio-opendesk-credentials"
-    stringData:
-      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
-      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
   - name: "ums-umc-server-smtp-credentials-custom"
     stringData:
       password: ""

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -87,15 +87,29 @@ nubusKeycloakExtensions:
     resources:
       {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
 
-nubusPortalListener:
+nubusPortalConsumer:
   podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-listener"
-  replicaCount: {{ .Values.replicas.umsPortalListener }}
+    intents.otterize.com/service-name: "ums-portal-consumer"
+  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
   resources:
-    {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
+    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
+  resourcesWaitForDependency:
+    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
   persistence:
     storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.portalListener | quote }}
+    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
+
+nubusPortalConsumer:
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-portal-consumer"
+  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
+  resources:
+    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
+  resourcesWaitForDependency:
+    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
+  persistence:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
 
 nubusPortalServer:
   additionalAnnotations:
@@ -129,7 +143,59 @@ nubusLdapServer:
   persistence:
     storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
     size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
-
+  extraVolumes:
+    - name: "migration-scripts"
+      secret:
+        secretName: "ums-ldap-server-migration"
+        defaultMode: 0555
+  extraVolumeMounts:
+    - name: "migration-scripts"
+      mountPath: "/entrypoint.d/30-purge.sh"
+      subPath: "30-purge.sh"
+    - name: "migration-scripts"
+      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
+      subPath: "95-slapadd-24-ldif.sh"
+  extraSecrets:
+    - name: "ums-ldap-server-migration"
+      stringData:
+        30-purge.sh: |
+          #!/usr/bin/env bash
+          me=$(basename "$0")
+          echo "- Running ${me}"
+          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
+            echo "- Cleaning up /var/lib/univention-ldap."
+            cd /var/lib/univention-ldap
+            rm -rf internal
+            rm -rf ldap
+            ls -l
+          else
+            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
+          fi
+        95-slapadd-24-ldif.sh: |
+          #!/usr/bin/env bash
+          me=$(basename "$0")
+          echo "- Running ${me}"
+          ls -l /var/lib/univention-ldap
+          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
+            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
+            ls -l /var/lib/univention-ldap/
+            rm -rf /var/lib/univention-ldap/ldap
+            rm -rf /var/lib/univention-ldap/internal
+            echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
+            ls -l /var/lib/univention-ldap/
+            mkdir /var/lib/univention-ldap/ldap
+            mkdir /var/lib/univention-ldap/internal
+            echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
+            ls -l /var/lib/univention-ldap/
+            /usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
+            echo "- slapadd executed"
+            ls -l /var/lib/univention-ldap/
+            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
+            echo "- import file renamed"
+            ls -l /var/lib/univention-ldap/
+          else
+            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
+          fi
 nubusPortalFrontend:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-portal-frontend"
@@ -152,18 +218,12 @@ nubusStackDataUms:
   resources:
     {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
 
-nubusStackDataSwp:
-  additionalAnnotations:
-    intents.otterize.com/service-name: "ums-stack-data-swp"
-  resources:
-    {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}
-
-nubusSelfServiceListener:
+nubusSelfServiceConsumer:
   podAnnotations:
     intents.otterize.com/service-name: "ums-selfservice-listener"
   resources:
-    {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsSelfserviceListener }}
+    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
+  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
 
 nubusUdmRestApi:
   additionalAnnotations:
@@ -196,7 +256,9 @@ nubusProvisioning:
     annotations:
       intended.usage: "compliance"
   nats:
-    resources:
+    persistence:
+      size: {{ .Values.persistence.size.nubus.provisioningNats }}
+      resources:
       {{ .Values.resources.nubusProvisioning.nats | toYaml | nindent 6 }}
     additionalAnnotations:
       intents.otterize.com/service-name: "ums-provisioning-nats"

helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl

@@ -51,15 +51,6 @@ nubusLdapServer:
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
 
-
-nubusPortalConsumer:
-  portalConsumer:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
-      repository: {{ .Values.images.nubusPortalConsumer.repository }}
-      tag: {{ .Values.images.nubusPortalConsumer.tag }}
-
-
 nubusNotificationsApi:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
@@ -72,11 +63,12 @@ nubusPortalFrontend:
     repository: {{ .Values.images.nubusPortalFrontend.repository }}
     tag: {{ .Values.images.nubusPortalFrontend.tag }}
 
-nubusPortalListener:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalListener.registry | quote }}
-    repository: {{ .Values.images.nubusPortalListener.repository }}
-    tag: {{ .Values.images.nubusPortalListener.tag }}
+nubusPortalConsumer:
+  portalConsumer:
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
+      repository: {{ .Values.images.nubusPortalConsumer.repository }}
+      tag: {{ .Values.images.nubusPortalConsumer.tag }}
   waitForDependency:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
@@ -151,11 +143,6 @@ nubusUdmListener:
     tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
 
 nubusSelfServiceListener:
-  selfserviceListener:
-    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceListener.registry | quote }}
-      repository: {{ .Values.images.nubusSelfserviceListener.repository }}
-      tag: {{ .Values.images.nubusSelfserviceListener.tag }}
   selfserviceInvitation:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceInvitation.registry | quote }}
@@ -225,9 +212,3 @@ nubusStackDataUms:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
     repository: {{ .Values.images.nubusDataLoader.repository }}
     tag: {{ .Values.images.nubusDataLoader.tag }}
-
-nubusStackDataSwp:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
-    repository: {{ .Values.images.nubusDataLoader.repository }}
-    tag: {{ .Values.images.nubusDataLoader.tag }}

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -29,7 +29,7 @@ config:
   managed:
     clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
     # 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
-    clients: [ 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
+    clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
   keycloak:
     adminUser: "kcadmin"
     adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -389,60 +389,6 @@ config:
           backchannel.logout.session.required: false
         defaultClientScopes:
           - "opendesk-dovecot-scope"
-      - name: "opendesk-intercom"
-        clientId: "opendesk-intercom"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.revoke.offline.tokens: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
-        protocolMappers:
-          - name: "intercom-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "opendesk-intercom"
-              id.token.claim: false
-              access.token.claim: true
-          # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
-          # it to `opendesk_useruuid` standard claim. For reference:
-          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
-          - name: "entryuuid_temp"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "entryUUID"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "entryuuid"
-              jsonType.label: "String"
-          # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
-          # set it to `opendesk_username` standard claim. For reference:
-          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
-          - name: "phoenixusername_temp"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "phoenixusername"
-              jsonType.label: "String"
-        defaultClientScopes:
-          - "offline_access"
       - name: "opendesk-jitsi"
         clientId: "opendesk-jitsi"
         protocol: "openid-connect"
@@ -571,296 +517,6 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-xwiki-scope"
-      - name: "guardian-management-api"
-        clientId: "guardian-management-api"
-        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        protocol: "openid-connect"
-        publicClient: false
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
-        fullScopeAllowed: true
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: false
-        serviceAccountsEnabled: true
-        protocolMappers:
-          - name: "Client Host"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientHost"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientHost"
-              jsonType.label: "String"
-          - name: "Client ID"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "client_id"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "client_id"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              userinfo.token.claim: false
-              id.token.claim: false
-              access.token.claim: true
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-cli"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "Client IP Address"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientAddress"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientAddress"
-              jsonType.label: "String"
-      - name: "guardian-scripts"
-        clientId: "guardian-scripts"
-        description: ""
-        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        surrogateAuthRequired: false
-        enabled: true
-        alwaysDisplayInConsole: false
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
-        webOrigins:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        bearerOnly: false
-        consentRequired: false
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: true
-        serviceAccountsEnabled: false
-        publicClient: true
-        frontchannelLogout: false
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-scripts"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              aggregate.attrs: false
-              multivalued: false
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-        defaultClientScopes:
-          - "web-origins"
-          - "acr"
-          - "roles"
-          - "profile"
-          - "email"
-        optionalClientScopes:
-          - "address"
-          - "phone"
-          - "offline_access"
-          - "microprofile-jwt"
-      - name: "guardian-ui"
-        clientId: "guardian-ui"
-        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
-        standardFlowEnabled: true
-        publicClient: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: false
-        serviceAccountsEnabled: false
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: "false"
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -231,7 +231,7 @@ appsuite:
       # Old capability can be used to toggle all integrations with a single switch
       com.openexchange.capability.public-sector: "true"
       # New capabilities in 2.0
-      com.openexchange.capability.public-sector-element: "true"
+      com.openexchange.capability.public-sector-element: "false"
       com.openexchange.capability.public-sector-navigation: "true"
       com.openexchange.capability.client-onboarding: "true"
       com.openexchange.capability.dynamic-theme: "true"

helmfile/apps/openproject-bootstrap/values.yaml.gotmpl

@@ -16,6 +16,8 @@ cleanup:
   keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 config:
+  debug:
+    enabled: {{ .Values.debug.enabled }}
   openproject:
     fileshareName: "Nextcloud at {{ .Values.global.domain }}"
     admin:

helmfile/apps/openproject/helmfile-child.yaml.gotmpl

@@ -21,7 +21,7 @@ releases:
     values:
       - "values.yaml.gotmpl"
     installed: {{ .Values.openproject.enabled }}
-    timeout: 900
+    timeout: 1500
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/openproject/values.yaml.gotmpl

@@ -8,6 +8,10 @@ global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
+appInit:
+  resources:
+    {{ .Values.resources.openprojectAppInit | toYaml | nindent 4 }}
+
 containerSecurityContext:
   enabled: true
   privileged: false
@@ -24,6 +28,15 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
 
+dbInit:
+  image:
+    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openprojectDbInit.registry | quote }}
+    repository: {{ .Values.images.openprojectDbInit.repository | quote }}
+    tag: {{ .Values.images.openprojectDbInit.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  resources:
+    {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
+
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
@@ -81,13 +94,6 @@ image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.openproject.tag | quote }}
 
-initdb:
-  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openprojectInitDb.registry | quote }}
-    repository: {{ .Values.images.openprojectInitDb.repository | quote }}
-    tag: {{ .Values.images.openprojectInitDb.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
 memcached:
   bundled: false
   connection:
@@ -182,5 +188,12 @@ s3:
 seederJob:
   annotations:
     intents.otterize.com/service-name: "openproject-seeder"
+  resources:
+    {{ .Values.resources.openprojectSeederJob | toYaml | nindent 4 }}
+
+workers:
+  default:
+    resources:
+      {{ .Values.resources.openprojectWorkers | toYaml | nindent 6 }}
 
 ...

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -10,6 +10,16 @@ image:
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.oxConnector.tag | quote }}
 
+  waitForDependency:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.nubusWaitForDependency.registry | quote }}
+    repository: {{ .Values.images.nubusWaitForDependency.repository }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+    pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}
+
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
   - name: {{ . | quote }}
@@ -19,16 +29,8 @@ ingress:
   enabled: false
 
 oxConnector:
-  caCert: "ucctempldapstring"
-  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   domainName: {{ .Values.global.domain | quote }}
-  ldapHost: "{{ .Values.ldap.host }}-primary"
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
-  ldapPassword: {{ .Values.secrets.nubus.ldapSecret | quote }}
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
-  tlsMode: "off"
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   oxDefaultContext: "1"
   oxImapServer: "imap://127.0.0.1:143"
   oxLocalTimezone: "Europe/Berlin"
@@ -38,6 +40,13 @@ oxConnector:
   oxSmtpServer: "smtp://127.0.0.1:587"
   oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
 
+provisioningApi:
+  connection:
+    baseUrl: "http://ums-provisioning-api"
+  auth:
+    username: "ox-connector"
+    password: {{ .Values.secrets.oxConnector.provisioningApiPassword | quote }}
+
 resources:
   {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
 

helmfile/environments/default/charts.yaml

@@ -90,7 +90,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "3.4.0"
+    version: "3.4.1"
     verify: true
   elementWellKnown:
     # providerCategory: "Platform"
@@ -100,7 +100,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "3.4.0"
+    version: "3.4.1"
     verify: true
   home:
     # providerCategory: "Platform"
@@ -122,7 +122,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "intercom-service"
-    version: "2.0.1"
+    version: "2.2.0"
     verify: true
   jitsi:
     # providerCategory: "Platform"
@@ -132,7 +132,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
-    version: "1.11.3"
+    version: "1.12.1"
     verify: true
   mariadb:
     # providerCategory: "Platform"
@@ -144,56 +144,6 @@ charts:
     name: "mariadb"
     version: "2.3.1"
     verify: true
-  matrixNeoboardWidget:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neoboard-widget"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
-    name: "matrix-neoboard-widget"
-    version: "3.5.0"
-    verify: true
-  matrixNeochoiseWidget:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neochoice-widget"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
-    name: "matrix-neochoice-widget"
-    version: "3.5.0"
-    verify: true
-  matrixNeodatefixBot:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-bot"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
-    name: "matrix-neodatefix-bot"
-    version: "3.5.0"
-    verify: true
-  matrixNeodatefixWidget:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-widget"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
-    name: "matrix-neodatefix-widget"
-    version: "3.5.0"
-    verify: true
-  matrixUserVerificationService:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-matrix-user-verification-service"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
-    name: "opendesk-matrix-user-verification-service"
-    version: "3.4.0"
-    verify: true
   memcached:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -212,7 +162,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
     name: "opendesk-migrations"
-    version: "1.2.3"
+    version: "1.3.2"
     verify: true
   minio:
     # providerCategory: "Community"
@@ -264,7 +214,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "nubus"
-    version: "0.39.2"
+    version: "0.62.0"
     verify: true
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
@@ -274,7 +224,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "2.1.1"
+    version: "2.1.2"
     verify: true
   openproject:
     # providerCategory: "Supplier"
@@ -286,7 +236,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
-    version: "7.0.0"
+    version: "8.0.0"
     verify: true
   openprojectBootstrap:
     # providerCategory: "Platform"
@@ -340,7 +290,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ox-connector"
-    version: "0.4.2"
+    version: "0.14.3"
     verify: true
   postfix:
     # providerCategory: "Platform"
@@ -380,17 +330,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "3.4.0"
-    verify: true
-  synapseCreateAccount:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-create-account"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
-    name: "opendesk-synapse-create-account"
-    version: "3.4.0"
+    version: "3.4.1"
     verify: true
   synapseWeb:
     # providerCategory: "Platform"
@@ -400,7 +340,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "3.4.0"
+    version: "3.4.1"
     verify: true
   xwiki:
     # providerCategory: "Supplier"

helmfile/environments/default/functional.yaml

@@ -79,6 +79,10 @@ functional:
       # Enable to allow information about the user presence status to be shared.
       # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
       enabled: false
+    jitsiRoomHistory:
+      # Enable to allow the room history to be stored in the user's browser local storage.
+      # Ref.:
+      enabled: false
 
   chat:
     matrix:

helmfile/environments/default/images.yaml

@@ -50,12 +50,10 @@ images:
     # providerCategory: "Supplier"
     # providerResponsible: "Element"
     # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "8", "0"]
+    # upstreamRepository: "bmi/opendesk/components/supplier/element/images/opendesk-element-web"
     registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
-    tag: "1.11.1@sha256:6ed72fccd302fc5891f31157bcffd14358e1f90f8b60d649fd261ba0f5d5fb91"
+    repository: "bmi/opendesk/components/supplier/element/images/opendesk-element-web"
+    tag: "1.11.4-amd64@sha256:1785ca0dcb608939533ce50067fb17c2152ceff00ea4e17a4cd500930727687b"
   freshclam:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -75,13 +73,13 @@ images:
   intercom:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
-    # upstreamRegistry: "https://quay.io"
-    # upstreamRepository: "univention/intercom-service"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "6"]
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/intercom-service"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["2", "1", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
+    tag: "2.2.0@sha256:6e02a3b06827d8f23615ea43ed87f510018b8ecf77b2a8404b1554077b1bdc6b"
   jibri:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -148,56 +146,6 @@ images:
     registry: "registry-1.docker.io"
     repository: "library/mariadb"
     tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
-  matrixNeoBoardWidget:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Nordeck"
-    # upstreamRegistry: "https://ghcr.io"
-    # upstreamRepository: "nordeck/matrix-neoboard-widget"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "4", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
-    tag: "1.17.0@sha256:f4e711473ba99159c878177f0f9e750fd6d9555b7d8c266ac7040f053be19513"
-  matrixNeoChoiceWidget:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Nordeck"
-    # upstreamRegistry: "https://ghcr.io"
-    # upstreamRepository: "nordeck/matrix-poll-widget"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "4", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-poll-widget"
-    tag: "1.4.0@sha256:216cb88aaa47449a15af9a531d60eee593cb1923c4e8fcc67c119982972911e5"
-  matrixNeoDateFixBot:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Nordeck"
-    # upstreamRegistry: "https://ghcr.io"
-    # upstreamRepository: "nordeck/matrix-meetings-bot"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["2", "7", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-bot"
-    tag: "2.8.0@sha256:db1d99c13a9facfd08a7da1d0a9c7c05715bad47110e93649ad6b389e462b42c"
-  matrixNeoDateFixWidget:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Nordeck"
-    # upstreamRegistry: "https://ghcr.io"
-    # upstreamRepository: "nordeck/matrix-meetings-widget"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "6", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-meetings-widget"
-    tag: "1.6.1@sha256:70bebd9293a977124a5da955e1a520381129d476d6414a083093c1b48a55dadd"
-  matrixUserVerificationService:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Element"
-    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: "matrixdotorg/matrix-user-verification-service"
-    # upstreamMirrorTagFilterRegEx: '^v(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["3", "0", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/element/images-mirror/matrix-user-verification-service"
-    tag: "v3.0.0@sha256:25e685d595785e2a72e75a525dac78cf8c782445454f8ac090d3702431c38008"
   memcached:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -213,7 +161,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.2.2@sha256:32afdd71c5b8003ed1609e389494ce10c715c5db64d4ed32a74d65b0f0227e64"
+    tag: "1.3.9@sha256:dee06e4da27ff67cad12ba990aca58ca81eae89a02dfe4831bd3e9c67c08ddcf"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -271,7 +219,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "41", "5"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.61.0@sha256:598e9fa176c71a6da90ab200ca52abd88176c8cb22a1bf56fec9cd0daf58f58f"
+    tag: "0.70.0@sha256:d1d916f11d3b035eb95b46fbc3da2f9c797f89d3f3ac56b9ab1c89482413bac6"
   nubusGuardianAuthorizationApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -311,7 +259,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    tag: "0.11.0@sha256:c691aecaf2074a9f1cc6ec5277a70792642bd677f0ff58a6278041b2d99c9d51"
+    tag: "0.14.0@sha256:91613f123f7e46b321002d4b2b86c4635b79621376e513d4bea1bb1d01aa99f8"
   nubusKeycloak:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -321,7 +269,7 @@ images:
     # upstreamMirrorStartFrom: ["22", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
-    tag: "24.0.3-ucs1@sha256:cc66a1730abdd5abe88ac5cf045b6558f289bf1ae8d077ee884a42d785742f8b"
+    tag: "25.0.1-ucs1@sha256:61cb3e703672f6d8806af41bec8056ca84e295bbeb546fdb5349322d1174a43d"
   nubusKeycloakBootstrap:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -331,7 +279,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "1", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.1.2@sha256:ea462e3e40843215814bddae0668dc56102864d99127ad3c8d9816d741886ac0"
+    tag: "0.3.0@sha256:2911e8d5409f4e302b5c8c073cc6bf3f3622582e6eef43c63672ac4551712750"
   nubusKeycloakExtensionHandler:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -341,7 +289,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.10.0@sha256:7aa5bac4821c9226fd74c6a2883f7c24d214b4610d516574866cf933ee1be080"
+    tag: "0.11.0@sha256:aaba6527f37a7302cf54b0a689a1c11cb439bdc471e01d101726a05902714b9c"
   nubusKeycloakExtensionProxy:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -351,7 +299,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.10.0@sha256:a5f6ae65732f7fb9d7ceae11f1c412b109d230e197075d8a8e1d989c87a0309d"
+    tag: "0.11.0@sha256:9b2079ed4078daee00d95ac2de4d72497131e699b967943db5be1c655048edb0"
   nubusLdapNotifier:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -361,7 +309,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.20.0@sha256:d891fe11075740ff0fe1694b2c5fb72c43ac6d823904af8593e0ab359b9175e0"
+    tag: "0.25.2@sha256:9e29c7fb5c609d7e597f27e0384c4f932e6962cdf64012154d7b7c076755d86c"
   nubusLdapServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -371,7 +319,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.20.0@sha256:ad73addd9201378fd5c978ab6bfc64bbd23bb279fc065cade9cb2f8e48a9c85f"
+    tag: "0.25.2@sha256:2b9d53f93a93d0f3a659c81c0e44596da8941bd83c8e1f7301a24e46ca06dba2"
   nubusLdapServerDhInitContainer:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -413,7 +361,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.33.0@sha256:0ddb81d4789b2f43b55ded46ff88db4b99a68e7b1006e35877f582aac875c9ad"
+    tag: "0.38.5@sha256:3c8be7a762cc2534f7fad3b8a350d906377dd3e35618f023a39f3c83ae159649"
   nubusOpendeskExtension:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -421,7 +369,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.2.1@sha256:479f072d8dd9fe445caa5fea4d882bf3aba24af0d22fc378a9839990c6f3a907"
+    tag: "1.5.0@sha256:2bfdf79028ec788162cf75bf80b08ed5aa3f747430bc85fd5e0427decc9994de"
   nubusOpenPolicyAgent:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -451,7 +399,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "27", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.32.0@sha256:7f38a8db34bfe67c9ad0711c0a2c615e278b20a1a7b66b77bd28faa339eaf897"
+    tag: "0.38.5@sha256:25fe68ee9e075e5686fbc99ff50674184b7190ef6e26900fa773a5f471493164"
   nubusPortalExtension:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -461,7 +409,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "28", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.28.0@sha256:1ec467bebc402265e1c24b3d441c211faad1a025ded41afe8dd4687b7ad5a9a4"
+    tag: "0.38.0@sha256:aa6ec6b99810e05655d98fa1192bc2eabb855335f7a04aa4cd96ed5b5645d736"
   nubusPortalFrontend:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -471,17 +419,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.33.0@sha256:9cce16009cc478ece11704521347fc4938a3ac5ee4570ac439dd50b08452a3ff"
-  nubusPortalListener:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/portal-listener"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.24.2@sha256:98306b30c99e190ece6633921d9d54297634b0e4ca58ceaf0794c7050f0b8470"
+    tag: "0.38.5@sha256:1e5f364fa3a58ae82e0804069144ad07ad7e14ee86ed1ed5188ae7c49119375b"
   nubusPortalServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -491,7 +429,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.33.1@sha256:82e9002786a9d1ec524c0f386838ac4ee1fa9a581b66d2e353ea57cc01e26a95"
+    tag: "0.38.5@sha256:37b41ad73ad88e33bdb2f1021ff507dfe6fbfb87e7e392552828f1a746e4ea74"
   nubusProvisioningDispatcher:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -501,7 +439,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.36.0@sha256:34f03f48b4c9b470f9809b5fa6bfd6e96346e3f99ac0a2d7eaeac3cf9a4a633d"
+    tag: "0.41.0@sha256:03698135b4d8774466e7ad1fb7e8c45e4d30915cc37dd177462fa0fb21b23369"
   nubusProvisioningEventsAndConsumerApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -511,7 +449,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.36.0@sha256:69dd2946e7b05384304eeeca50dea645d20f7658d225e7c532381c3bdf2027ce"
+    tag: "0.41.0@sha256:62387632bc206c4f71e663ab7dc02965897eb242d8cb79cdc7be440383d628a3"
   nubusProvisioningPrefill:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -521,7 +459,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.36.0@sha256:147406648848c068aacc2cb467633d51c65cddbcaa622c352e5fe5349bf92ce6"
+    tag: "0.41.0@sha256:f71bef33c8aa467ec52b3802bc1684b8f1fb7789606762e33ba66dc9648d27f8"
   nubusProvisioningUdmListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -531,7 +469,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.36.0@sha256:8a960db9ff94b3c8a63be1588e47ccc1f62f3071abdce7ee2ef89afbe2674eed"
+    tag: "0.41.0@sha256:3c7166970f1f8cb9e04eb5d622093a49dc0bc11ef525d0a1dffc13b648b333ac"
   nubusProvisioningUdmTransformer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -541,7 +479,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.36.0@sha256:8080b55e705391aa2ac9b11db11dc1f984b5626271b2f175bfe26967b857b06d"
+    tag: "0.41.0@sha256:5b251667411c33137043e31ebf1befaa392ff100040485b7d8cce9daa9f32e8c"
   nubusSelfserviceInvitation:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -551,17 +489,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.6.5@sha256:5630c9df3da4134789d2ebafad7de9062375d21547a2074827b680debd7a909e"
-  nubusSelfserviceListener:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/selfservice-listener"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "3", "2"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
-    tag: "0.6.5@sha256:a9724fd41cb89a9bdf231ea8699126d2d3503dc894fe9510a1e080ab8408838d"
+    tag: "0.10.0@sha256:605d92c960111726366cf5be06516349876103b0cb676051cfc2afab8b43f476"
   nubusUdmRestApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -571,7 +499,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.21.0@sha256:f3d189dd0ca619778c907569ddedbdf8772fba26f26cf9e6b8cde2a62618da63"
+    tag: "0.24.0@sha256:113251d8052f69ac0c7af721954d1711231ca72de1ce6565bb86cdadf53a0ad9"
   nubusUmcGateway:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -581,7 +509,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.27.1@sha256:50991e4b8e13fd1b1a07228192eadd1b43d8a3502aba16f129ee5ba794720392"
+    tag: "0.32.0@sha256:d47716784ea86659ef93b1e79b0edd72a69d5e8169704accaf6213f01d4e395e"
   nubusUmcServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -591,7 +519,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.27.1@sha256:006680e0a7ffcec3119c85eb30eaa6bbf9b2df54a14dd3d41b6bb7ce71226557"
+    tag: "0.32.0@sha256:e2b28d54e9b9c0a3f0267a631dd0f2b18e04a8f8438986b570a9c8a5ccb06001"
   nubusWaitForDependency:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -601,7 +529,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.25.0@sha256:71a4d66fd67db6f92212b1936862b2b0d5a678d412213d74452a9195c2fe67f7"
+    tag: "0.26.0@sha256:a31fde86bf21c597a31356fe492ab7e7a03a89282ca215eb7100763d6eb96b6b"
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -619,7 +547,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "14.4.1@sha256:40a2ff3f3a75b9792f93da07e80a730941f783abc7ae3c1a988c7904cbc1f2a4"
+    tag: "14.5.1@sha256:b6f823a4f4ff6873a992506c5f5bd9fe54b89f5d4e0bfb60b5da7b6c3bff82e1"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -628,7 +556,7 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
     tag: "1.1.4@sha256:2fd97a316114428849aaeef87fb8755274e675830088a93afcafac91bb048d1d"
-  openprojectInitDb:
+  openprojectDbInit:
     # providerCategory: "Community"
     # providerResponsible: "OpenProject"
     # upstreamRegistry: "https://registry-1.docker.io"
@@ -763,7 +691,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "4", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
-    tag: "0.4.2@sha256:308489c0c0e0436bbbedbd757f78875d44468992c46c8d371c584dc778b30770"
+    tag: "0.14.3@sha256:bda77d7889d396ab54242520cd9243f3101747dff8353bae2f24e0ab82806745"
   postfix:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -808,25 +736,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "91", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.108.0@sha256:0754a5c372f4cfb5f69f58ad4b70d05bc2e380354f1b0c9101611e9157082712"
-  synapseCreateUser:
-    # providerCategory: "Community"
-    # providerResponsible: "Nordeck"
-    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: "alpine/k8s"
-    registry: "registry-1.docker.io"
-    repository: "alpine/k8s"
-    tag: "1.30.0@sha256:d7a11b7032550e992667fd7725b039dcd639270fbceec368d7e66e3d9e41ee15"
-  synapseGuestModule:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Nordeck"
-    # upstreamRegistry: "https://ghcr.io"
-    # upstreamRepository: "nordeck/synapse-guest-module"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "0", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/synapse-guest-module"
-    tag: "1.0.0@sha256:6b3b17183a7d163148cc1bc5342604682ec67d898394fc743db2f339e61c722e"
+    tag: "v1.115.0@sha256:abf4a5b5b2030f7deb555a8ec7b945607db9e98b057eb06364e66ba8308bdd40"
   synapseWeb:
     # providerCategory: "Community"
     # providerResponsible: "Element"

helmfile/environments/default/persistence.yaml

@@ -19,7 +19,7 @@ persistence:
     nubus:
       ldapServerData: "1Gi"
       ldapServerShared: "1Gi"
-      portalListener: "1Gi"
-      selfserviceListener: "1Gi"
+      portalConsumer: "1Gi"
+      provisioningNats: "1Gi"
     xwiki: "1Gi"
 ...

helmfile/environments/default/replicas.yaml

@@ -93,12 +93,12 @@ replicas:
   umsNotificationsApi: 1
   # -- scalable: true
   umsPortalFrontend: 1
-  # -- scalable: tbd
-  umsPortalListener: 1
+  # -- scalable: false
+  umsPortalConsumer: 1
   # -- scalable: true
   umsPortalServer: 1
   # -- scalable: tbd
-  umsSelfserviceListener: 1
+  umsSelfserviceConsumer: 1
   # -- scalable: tbd
   umsStackGateway: 1
   # -- scalable: true

helmfile/environments/default/resources.yaml

@@ -275,6 +275,34 @@ resources:
     requests:
       cpu: 0.1
       memory: "768Mi"
+  openprojectDbInit:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectAppInit:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectSeederJob:
+    limits:
+      cpu: 99
+      memory: "768Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  openprojectWorkers:
+    limits:
+      cpu: 99
+      memory: "4Gi"
+    requests:
+      cpu: 0.25
+      memory: "512Mi"
   openxchangeCoreDocumentConverter:
     limits:
       cpu: 99
@@ -471,14 +499,28 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsPortalListener:
+  umsPortalConsumer:
     limits:
       cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsPortalListenerDependencies:
+  umsPortalConsumerDependencies:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumer:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsPortalConsumerDependencies:
     limits:
       cpu: 99
       memory: "1Gi"
@@ -527,7 +569,7 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsSelfserviceListener:
+  umsSelfserviceConsumer:
     limits:
       cpu: 99
       memory: "1Gi"
@@ -548,13 +590,6 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsStackDataSwp:
-    limits:
-      cpu: 99
-      memory: "1Gi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
   umsStackGateway:
     limits:
       cpu: 99

helmfile/environments/default/secrets.gotmpl

@@ -19,6 +19,8 @@ secrets:
     shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
     sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryption_key" | sha1sum | quote }}
     synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "as_token" | sha1sum | quote }}
+  oxConnector:
+    provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ox-connector" | sha1sum | quote }}
   nubus:
     ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
     ldapSearch:
@@ -34,21 +36,19 @@ secrets:
     systemAccounts:
       administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "Administrator" | sha1sum | quote }}
       sysIdpUserPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "sysIdpUser" | sha1sum | quote }}
-    storeDavUsers:
-      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
-      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
+    portalConsumer:
+      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-consumer" "provisioning-api" | sha1sum | quote }}
+    selfserviceConsumer:
+      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "selfservice-consumer" "provisioning-api" | sha1sum | quote }}
     provisioning:
-      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
-      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
-      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
-      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
-      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
-      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
-      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+      api:
+        adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+        natsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+        prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
+        udmTransformerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
       dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
-      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
-      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
-      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
+      udmTransformerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmTransformer" "nats" | sha1sum | quote }}
     guardian:
       udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
   nats:

helmfile/environments/default/selinux.yaml

@@ -41,7 +41,7 @@ seLinuxOptions:
   opendeskKeycloakBootstrap: ~
   openproject: ~
   openprojectBootstrap: ~
-  openprojectInitDb: ~
+  openprojectDbInit: ~
   openxchangeBootstrap: ~
   openxchangeCoreGuidedtours: ~
   openxchangeCoreMW: ~
@@ -77,7 +77,7 @@ seLinuxOptions:
   umsNotificationsApi: ~
   umsOpenPolicyAgent: ~
   umsPortalFrontend: ~
-  umsPortalListener: ~
+  umsPortalConsumer: ~
   umsPortalServer: ~
   umsProvisioningDispatcher: ~
   umsProvisioningEventsAndConsumerApi: ~
@@ -86,7 +86,7 @@ seLinuxOptions:
   umsProvisioningNatsReloader: ~
   umsProvisioningUdmListener: ~
   umsSelfserviceInvitation: ~
-  umsSelfserviceListener: ~
+  umsSelfserviceConsumer: ~
   umsStackGateway: ~
   umsStoreDav: ~
   umsUdmRestApi: ~

helmfile/environments/default/theme.gotmpl

@@ -15,7 +15,7 @@ theme:
   ## Define colors
   #
   colors:
-    # Element, OX AppSuite, Xwiki
+    # Element, OX AppSuite, Xwiki, Jitsi
     primary: "#5e27dd"
     # OX AppSuite
     primary15: "#e7dffa"
@@ -23,7 +23,7 @@ theme:
     black: "#000000"
     # OX AppSuite, Xwiki
     white: "#ffffff"
-    # OX AppSuite, Xwiki
+    # OX AppSuite, Xwiki, Jitsi
     secondaryGreyLight: "#f5f5f5"
 
     # Not in use yet