fix(nubus): Fix udm-rest-api extended_attributes

fix(nubus): Better logging and fixes for keycloak-extensions
fix(provisioning): Point OX Connector to LDAP Server Primaries
2025-12-06 15:31:38 +01:00 · 2024-08-01 22:01:27 +02:00 · 2024-08-01 10:12:58 +02:00 · 2024-08-01 10:05:04 +02:00 · 2024-08-01 00:06:32 +02:00 · 2024-07-31 18:12:49 +02:00
127 changed files with 1624 additions and 2818 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -6,11 +6,7 @@
 # Ignore changes to sample environments
 helmfile/environments/dev/*.yaml.gotmpl
 helmfile/environments/test/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
 !helmfile/environments/dev/sample.yaml.gotmpl
 !helmfile/environments/test/sample.yaml.gotmpl
 !helmfile/environments/prod/sample.yaml.gotmpl
 # Ignore in CI generated files
 .kyverno/opendesk.yaml
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,7 @@
 ---
 include:
  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.3.4"
+    ref: "v2.3.3"
    file:
      - "ci/common/automr.yml"
      - "ci/common/lint.yml"
@@ -159,7 +159,7 @@ variables:
      - "no"
  RUN_TESTS:
    description: "Triggers execution of E2E-tests."
-    value: "no"
+    value: "yes"
    options:
      - "yes"
      - "no"
@@ -171,26 +171,14 @@ variables:
      - "no"
  TESTS_BRANCH:
    description: "Branch of E2E-tests on which the test pipeline is triggered"
-    value: "develop"
+    value: "main"
  TESTS_PROJECT_URL:
    description: "Project url for e2e-tests (`<domain of gitlab>/api/v4/projects/<id>`)"
    value: "gitlab.opencode.de/api/v4/projects/1506"
  TESTS_TESTSET:
    description: "Selects testset for E2E-tests"
    value: "Smoke"
    options:
      - "Regression"
      - "Smoke"
  TESTS_GRACE_PERIOD:
    description: "A new deployment sometimes needs a few minutes to sort itself. If tested too early tests may fail. GRACE_PERIOD is the period in seconds that should be waited before running the tests."
    value: "0"
 .deploy-common:
  cache: {}
  dependencies: []
  extends: ".environments"
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.1.0\
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\
-          @sha256:74f349066ac5d20e3afaa6abd28781b4c8dc086f67e3d3c1b8345e4a9c3371b1"
+          @sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a"
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
    # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -248,6 +236,14 @@ env-start:
  script:
    - "echo \"Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster\""
    - "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -"
    - >
      kubectl create secret
      --namespace "${NAMESPACE}"
      docker-registry external-registry
      --docker-server "${EXTERNAL_REGISTRY}"
      --docker-username "${EXTERNAL_REGISTRY_USERNAME}"
      --docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
      --dry-run=client -o yaml | kubectl apply -f -
  stage: "env"
 policies-deploy:
@@ -311,7 +307,7 @@ provisioning-deploy:
  variables:
    COMPONENT: "provisioning"
-nubus-deploy:
+ums-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
  rules:
@@ -465,11 +461,15 @@ env-stop:
 .ums-default-password: &ums-default-password
  - |
    UMS_PASSWORDS=$( \
      kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
      | yq '.properties.password' > passwords.txt \
    )
    DEFAULT_USER_PASSWORD=$( \
-       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.user_password}' | base64 -d \
+      awk 'NR==1{print $1}' passwords.txt \
    )
    DEFAULT_ADMIN_PASSWORD=$(
-       kubectl -n ${NAMESPACE} get secret ums-nubus-credentials -o jsonpath='{.data.admin_password}' | base64 -d \
+      awk 'NR==3{print $1}' passwords.txt \
    )
 run-tests:
@@ -481,11 +481,6 @@ run-tests:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes"
      when: "on_success"
  parallel:
    matrix:
      - LANGUAGE:
          - "de"
          - "en"
  script:
    - *ums-default-password
    - |
@@ -495,29 +490,27 @@ run-tests:
        \"ref\": \"${TESTS_BRANCH}\", \
        \"token\": \"${CI_JOB_TOKEN}\", \
        \"variables\": { \
-          \"operator\": \"${OPERATOR}\", \
+          \"url\": \"https://portal.${DOMAIN}\", \
          \"cluster\": \"${CLUSTER}\", \
          \"namespace\": \"${NAMESPACE}\", \
          \"url\": \"https://portal.${DOMAIN}/\", \
          \"language\": \"${LANGUAGE}\", \
          \"user_name\": \"${DEFAULT_USER_NAME}\", \
          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
-          \"screenshot_test\": \"yes\", \
+          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
-          \"screenshot_before_step\": \"yes\", \
+          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
-          \"screenshot_after_step\": \"yes\", \
+          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
-          \"screenshot_redirect_step\": \"yes\", \
+          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
-          \"testset\": \"${TESTS_TESTSET}\", \
+          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
-          \"testprofile\": \"Namespace\", \
+          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_UMS}\", \
-          \"gitlab_functional_yaml\": \"https://gitlab.opencode.de/api/v4/projects/1317/repository/files/helmfile%2Fenvironments%2Fdefault%2Ffunctional.yaml?ref=develop\", \
+          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
-          \"gitlab_env_namespace_template\": \"https://gitlab.opencode.de/api/v4/projects/1564/repository/files/environments%2F{operator}%2F{cluster}%2F{namespace}.yaml.gotmpl?ref=main\", \
+          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
-          \"gitlab_default_env_namespace\": \"values\", \
+          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
-          \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\" \
+          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
          \"DEPLOY_UCS\": \"${DEPLOY_UMS}\", \
          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
        } \
      }" \
      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
  retry: 1
 avscan-prepare:
  stage: ".pre"
@@ -694,4 +687,5 @@ renovate:
  script:
    - "renovate ${RENOVATE_EXTRA_FLAGS}"
  stage: "renovate"
 ...
--- a/.gitlab/common/common.yml
+++ b/.gitlab/common/common.yml
@@ -2,10 +2,10 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.5.0\
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.4\
-    @sha256:630e102edc70c9e730a46180e79ff278fd8b5039eb336110e0df89fe415225ef"
+    @sha256:4120fe717071876f4c9ff128f26019d089fda158a4fb1912911e09af2fd3875f"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.6\
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.5\
-    @sha256:0a8997876a0c3f5a3c73eb6bd75c5cde63757bc31b983bfd92cfcb17389d536f"
+    @sha256:60870adb64b0503d4a6efd16cef4e074b91a4ca52b48811cfcea057bcccd07e4"
 .common:
  cache: {}
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -26,9 +26,6 @@ lint-kyverno:
          - "xwiki"
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
    - >
      node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
      -d ${CI_PROJECT_DIR}/helmfile/environments
    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
    - >
      node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -0,0 +1,16 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: openDesk - der Souveräne Arbeitsplatz
 Upstream-Contact: <opendesk@zendis.de>
 Source: https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk
 Files: helmfile/files/theme/*
 Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 License: Apache-2.0
 Files: helmfile/files/gpg-pubkeys/*
 Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 License: CC0-1.0
 Files: cspell.json
 Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 License: Apache-2.0
--- a/README.md
+++ b/README.md
@@ -33,12 +33,12 @@ openDesk currently features the following functional main components:
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.67](https://github.com/element-hq/element-desktop/releases/tag/v1.11.67)        | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                  | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
-| Groupware            | OX App Suite                | [8.26](https://documentation.open-xchange.com/appsuite/releases/8.26/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
+| Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [14.5.1](https://www.openproject.org/docs/release-notes/14-5-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [14.3.0](https://www.openproject.org/docs/release-notes/14-3-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
-| Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
+| Videoconferencing    | Jitsi                       | [2.0.9457](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9457) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.7.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.5.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -1,19 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 version = 1
 [[annotations]]
 path = "helmfile/files/theme/*"
 SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
 SPDX-License-Identifier = "Apache-2.0"
 [[annotations]]
 path = "cspell.json"
 SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
 SPDX-License-Identifier = "Apache-2.0"
 [[annotations]]
 path = "helmfile/files/gpg-pubkeys/*"
 SPDX-FileCopyrightText = "2023 Bundesministerium des Innern und für Heimat, PG ZenDiS \"Projektgruppe für Aufbau ZenDiS\""
 SPDX-License-Identifier = "CC0-1.0"
--- a/cspell.json
+++ b/cspell.json
@@ -73,8 +73,7 @@
        "Addressbooks",
        "filestore",
        "trashbin",
-        "bootstrap",
+        "bootstrap"
        "configurability"
    ],
    "ignoreWords": [],
    "import": []
--- a/dev/charts-local.py
+++ b/dev/charts-local.py
@@ -25,7 +25,7 @@ script_path = os.path.dirname(os.path.realpath(__file__))
 log_path = script_path+'/../logs'
 charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml'
 base_repo_path = script_path+'/..'
-base_helmfile = base_repo_path+'/helmfile_generic.yaml.gotmpl'
+base_helmfile = base_repo_path+'/helmfile_generic.yaml'
 helmfile_backup_extension = '.bak'
 Path(log_path).mkdir(parents=True, exist_ok=True)
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -33,11 +33,10 @@ You might want to set credential variables in the GitLab project at `Settings` >
 # Tests
 The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
 The `DEPLOY_`-variables are used to determine which components should be tested.
 In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
-To select the current testset, use the variable `TESTS_TESTSET`. Default: `Smoke`.
+
 If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
 `TESTS_BRANCH` while creating a new pipeline.
 The variable `testprofile` within the job is set to `Namespace`, which tells the e2e tests to use environment specific settings that will be read from the cluster and namespace specific file in the opendesk-env repository.
--- a/docs/components.md
+++ b/docs/components.md
@@ -33,7 +33,6 @@ they need to be replaced in production deployments.
 | ClamAV (Simple)             | Antivirus engine               | Eval       |
 | Collabora                   | Weboffice                      | Functional |
 | CryptPad                    | Weboffice                      | Functional |
 | dkimpy-milter               | DKIM milter for Postfix        | Eval       |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -52,7 +52,7 @@ Below you will find some wrap-up notes when it comes to debugging openDesk by ad
 You can add a container by editing and updating an existing deployment, which is quite comfortable with tools like [Lens](https://k8slens.dev/).
- Select the container you want to make use of as debugging container, in the example below it is `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:latest`.
+- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:latest`.
 - Ensure the `shareProcessNamespace` option is enabled for the Pod.
 - Reference the selected container within the `containers` array of the deployment.
 - In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
@@ -121,7 +121,7 @@ Now you can add the ephemeral container with:
 ```
 kubectl -n ${NAMESPACE} debug -it --attach=false -c ${EPH_CONTAINER_NAME} --image={DEBUG_IMAGE} ${POD_NAME}
 ```
-and open its interactive terminal with
+and open it's interactive terminal with
 ```
 kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
 ```
--- a/docs/development.md
+++ b/docs/development.md
@@ -138,9 +138,6 @@ configured to pull artifacts that do not originate from Open CoDE into projects
 The mirror script takes the information on what artifacts to mirror from the annotation inside the two yaml files:
 - `# upstreamRegistry` *required*: To identify the source registry
 - `# upstreamRegistryCredentialId`: *optional*: In case the source registry is not public the access credentials have to be specified as ENV variables containing the value of this key in their name, so you want to specific that key all uppercase:
  - `MIRROR_CREDENTIALS_SRC_<upstreamRegistryCredentialId>_USERNAME`
  - `MIRROR_CREDENTIALS_SRC_<upstreamRegistryCredentialId>_PASSWORT`
 - `# upstreamRepository` *required*: To identify the source repository
 - `# upstreamMirrorTagFilterRegEx` *required*: If this annotation is set it activates the mirror for the component. Only tags are being mirrored that match the given regular expression. **Note:** You have to use single quotes for this attribute's value in case you use backslash leading regex notation like `\d`.
 - `# upstreamMirrorStartFrom` *optional*: Array of numeric values in case you want to mirror only artifacts beginning with a specific version. You must use capturing groups
--- a/docs/enhanced-configuration/idp-federation.md
+++ b/docs/enhanced-configuration/idp-federation.md
@@ -44,9 +44,9 @@ We will provide additional documents regarding user provisioning in the future,
  - UDM REST API:
    - Build a provisioning solution by yourself using the [UDM REST API](https://docs.software-univention.de/developer-reference/5.0/en/udm/rest-api.html).
    - The API gives you full control over the contents of the IAM in order to create, update or delete users and groups.
-  - Nubus Directory Importer:
+  - Directory Connector:
    - It is based on a Python one-way directory synchronization for users and groups.
-    - Please find more details in the [upstream product's documentation](https://docs.software-univention.de/nubus-kubernetes-operation/latest/en/howto-connect-external-iam.html).
+    - We will provide more details on this approach soon one the tool is made publicly available.
 - Ad-hoc provisioning (AHP)
  - This feature is currently not available in the openDesk Keycloak, but there are plans by the Supplier Univention to make it available.
  - Ad-hoc provisioning creates an user account on the fly during a users first login.
--- a/docs/enhanced-configuration/separate-mail-matrix-domain.md
+++ b/docs/enhanced-configuration/separate-mail-matrix-domain.md
@@ -9,10 +9,6 @@ SPDX-License-Identifier: Apache-2.0
 * [Example configuration](#example-configuration)
  * [Mail domain](#mail-domain)
  * [Matrix domain](#matrix-domain)
    * [DNS](#dns)
    * [Webserver](#webserver)
      * [Content Security Policy](#content-security-policy)
      * [.well-known](#well-known)
 # Use case
@@ -63,9 +59,7 @@ or via environment variable
 export MATRIX_DOMAIN=my_organization.tld
 ```
-### DNS
+This setup requires also a different DNS setup:
 The following changes apply to the standard DNS:
 | Record name                      | Type | Value                                  | Comment                                                                            |
 | -------------------------------- | ---- | -------------------------------------- | ---------------------------------------------------------------------------------- |
@@ -73,14 +67,6 @@ The following changes apply to the standard DNS:
 *Note:* `matrix.opendesk.domain.tld` in the "Value" column can also be the IP address where synapse TLS port is listening to.
 ### Webserver
 #### Content Security Policy
 The webserver of `my_organization.tld` should add `*.opendesk.domain.tld` to its CSP header.
 #### .well-known
 If you want to use other Matrix clients,
 e.g., Element Messenger for [iOS](https://apps.apple.com/de/app/element-messenger/id1083446067)
 or [Android](https://play.google.com/store/apps/details?id=im.vector.app),
@@ -96,4 +82,4 @@ you need to create a JSON file with the following contents that is served from
 ```
 This ensures clients know where to find the Matrix protocol endpoint when users specify `my_organization.tld`
-as their homeserver.
+as their homeserver.
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -52,7 +52,7 @@ files.
 > All configuration options and their default values can be found in files at `helmfile/environments/default/`
 For the following guide, we will use `dev` as environment, where variables can be set in
-`helmfile/environments/dev/values.yaml.gotmpl`.
+`helmfile/environments/dev/values.yaml`.
 ## DNS
@@ -60,16 +60,16 @@ The deployment is designed to deploy each application/service under a dedicated
 For your convenience, we recommend to create a `*.domain.tld` A-Record to your cluster ingress controller,
 otherwise you need to create an A-Record for each subdomain.
-| Record name                   | Type | Value                                              | Additional information                                           |
+| Record name             | Type | Value                                              | Additional information                                                             |
-|-------------------------------|------|----------------------------------------------------|------------------------------------------------------------------|
+| ----------------------- | ---- | -------------------------------------------------- | ---------------------------------------------------------------------------------- |
-| *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                  |
+| *.domain.tld            | A    | IPv4 address of your Ingress Controller            |                                                                                    |
-| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                  |
+| *.domain.tld            | AAAA | IPv6 address of your Ingress Controller            |                                                                                    |
-| mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
+| mail.domain.tld         | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                   |
-| mail.domain.tld               | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
+| mail.domain.tld         | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                   |
-| domain.tld                    | MX   | `10 mail.domain.tld`                               |                                                                  |
+| domain.tld              | MX   | `10 mail.domain.tld`                               |                                                                                    |
-| domain.tld                    | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                       |
+| domain.tld              | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                                         |
-| _dmarc.domain.tld             | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                         |
+| _dmarc.domain.tld       | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                                           |
-| default._domainkey.domain.tld | TXT  | `v=DKIM1; k=rsa; h=sha256; ...`                    | Optional DKIM settings                                           |
+| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
 ## Domain
@@ -115,13 +115,13 @@ All available apps and their default value can be found in `helmfile/environment
 | Memcached            | `memcached.enabled`         | `true`  | Cache Database                 |
 | MinIO                | `minio.enabled`             | `true`  | Object Storage                 |
 | Nextcloud            | `nextcloud.enabled`         | `true`  | File share                     |
 | Nubus                | `nubus.enabled`             | `true`  | Identity Management & Portal   |
 | OpenProject          | `openproject.enabled`       | `true`  | Project management             |
 | OX Appsuite          | `oxAppsuite.enabled`        | `true`  | Groupware                      |
 | Provisioning         | `oxConnector.enabled`       | `true`  | Backend provisioning           |
 | Postfix              | `postfix.enabled`           | `true`  | MTA                            |
 | PostgreSQL           | `postgresql.enabled`        | `true`  | Database                       |
 | Redis                | `redis.enabled`             | `true`  | Cache Database                 |
 | Nubus                | `nubus.enabled`             | `true`  | Identity Management & Portal   |
 | XWiki                | `xwiki.enabled`             | `true`  | Knowledge management           |
 Exemplary, Jitsi can be disabled like:
@@ -157,15 +157,6 @@ alternatively you can use an environment variable:
 export PRIVATE_IMAGE_REGISTRY_URL=my_private_registry.domain.tld
 ```
 or control repository override fine-granular per registry:
 ```yaml
 repositories:
  image:
    dockerHub: "my_private_registry.domain.tld/docker.io/"
    registryOpencodeDe: "my_private_registry.domain.tld/registry.opencode.de/"
 ```
 If authentication is required, you can reference imagePullSecrets as following:
 ```yaml
@@ -208,27 +199,18 @@ cluster:
      - "127.0.0.0/8"
 ```
 If your load balancer / reverse proxy IPs are not already covered by the above `cidr` you need to
 explicitly configure the related IPs or IP ranges:
 ```yaml
 cluster:
  networking:
    incomingCIDR:
      - "172.16.0.0/12"
 ```
 ### Ingress
-By default, the `ingressClassName` is empty to choose your default ingress controller. You may want to customize it by
+By default, the `ingressClassName` is empty to choose your default ingress controller, you may want to customize it by
-setting the following attribute to the name of the currently only supported ingress controller `ingress-nginx` (see
+setting:
 [requirements.md](./requirements.md)) for reference) within your deployment if that is not the clusters default ingress.
 ```yaml
 ingress:
-  ingressClassName: "name-of-my-nginx-ingress"
+  ingressClassName: "cilium"
 ```
 **Note:** Please check the [requirements.md](./requirements.md) for the supported Ingress controllers.
 ### Container runtime
 Some apps require specific configuration for the container runtime. You can set your container runtime like `cri-o`,
@@ -272,8 +254,6 @@ To use the openDesk functionality with its web based user interface you need to
 | Component          | Description             |  Port | Type |
 | ------------------ | ----------------------- | ----: | ---: |
 | openDesk           | Kubernetes Ingress      |    80 |  TCP |
 | openDesk           | Kubernetes Ingress      |   443 |  TCP |
 | Jitsi Video Bridge | ICE Port for video data | 10000 |  UDP |
 #### Mail clients
@@ -299,20 +279,6 @@ smtp:
  password: "secret"
 ```
 Enabling DKIM signing of emails helps to reduce spam and increases trust.
 openDesk ships dkimpy-milter as Postfix milter for signing mails.
 ```yaml
 dkimpy:
  enable: true
  dkim:
    key:
      value: |
        HzZs08QF1O7UiAkcM9T3U7rePPECtSFvWZIvyKqdg8E=
    selector: "default"
    useED25519: true # when false, RSA is used
 ```
 ### TURN configuration
 Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -6,23 +6,15 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Upgrade migrations</h1>
 * [Disclaimer](#disclaimer)
-* [Releases upgrades](#releases-upgrades)
+* [From v0.9.0](#from-v090)
-  * [From v0.9.0](#from-v090)
+  * [Manual migrations](#manual-migrations)
-    * [Changed openDesk defaults](#changed-opendesk-defaults)
+  * [Automated migrations](#automated-migrations)
-      * [MatrixID localpart update](#matrixid-localpart-update)
+    * [Updated IAM component Nubus](#updated-iam-component-nubus)
-      * [File-share configurability](#file-share-configurability)
+* [From v0.8.1](#from-v081)
-      * [Updated default subdomains in `global.hosts`](#updated-default-subdomains-in-globalhosts)
+  * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
-      * [Updated `global.imagePullSecrets`](#updated-globalimagepullsecrets)
+  * [Nubus LDAP PVCs](#nubus-ldap-pvcs)
-    * [Automated migrations](#automated-migrations)
+  * [Updated customizable template attributes](#updated-customizable-template-attributes)
-      * [Local Postfix as Relay](#local-postfix-as-relay)
+  * [`migrations` S3 bucket](#migrations-s3-bucket)
      * [Updated IAM component Nubus](#updated-iam-component-nubus)
        * [Manual cleanup](#manual-cleanup)
  * [From v0.8.1](#from-v081)
    * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
    * [Updated customizable template attributes](#updated-customizable-template-attributes)
    * [`migrations` S3 bucket](#migrations-s3-bucket)
 * [Related components and artefacts](#related-components-and-artefacts)
  * [Development](#development)
 # Disclaimer
@@ -30,181 +22,145 @@ We do not offer support for upgrades before we reach openDesk 1.0.
 Though we try to ease the pain when it comes to 0.x upgrades. That is what this document is for.
-**Limitations:**
+# From v0.9.0
 - We assume that the PV reclaim policy is set to `delete`, so expect that PVs get deleted as soon as the related PVC was
  deleted and will cover an explicit delete for PVs.
-# Releases upgrades
+## Manual migrations
-## From v0.9.0
+None.
-### Changed openDesk defaults
+## Automated migrations
-#### MatrixID localpart update
+### Updated IAM component Nubus
-Until 0.9.0 openDesk used the LDAP entryUUID of a user to generate the user's MatrixID. Due to restrictions of the
+openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The new redundant and scalable LDAP requires migration activities. These have been automated to avoid manual interaction. The `run_2` of the openDesk
-Matrix protocol, an update of a MatrixID is not possible, therefore, it was technically convenient to use the UUID
+upgrade migrations executes the following steps
 as it is immutable (see https://de.wikipedia.org/wiki/Universally_Unique_Identifier for more details on UUIDs.)
-From the user experience perspective, that was a bad approach, so from now on, by default, the username which
+- Stage PRE:
-is also used for logging into openDesk is used to define the localpart of the MatrixID.
+  - Scale down `statefulset/ums-ldap-server` and `statefulset/ums-ldap-notifier`.
 For existing installations: The changed setting only affects users that login to Element the first time. Existing
 user accounts will not be harmed. If you want existing users to get new MatrixIDs based on the new setting, you
 need to update their external ID in Synapse and deactivate the old user afterward. The user will get a new
 Matrix account from scratch, losing the existing contacts, chats and rooms.
 The following Admin API calls are helpful:
 - GET /_synapse/admin/v2/users/@<entryuuid>:<matrixdomain> get the user's existing external_id (auth_provider: "oidc")
 - PUT /_synapse/admin/v2/users/@<entryuuid>:<matrixdomain> update user's external_id with JSON payload:
  `{ "external_ids": [ { "auth_provider": "oidc", "external_id": "<old_id>+deprecated" } ] }`
 - POST /_synapse/admin/v1/deactivate/@<entryuuid>:<matrixdomain> deactivate old user with JSON payload:
  `{ "erase": true }`
 For more details, check the Admin API documentation:
 https://element-hq.github.io/synapse/latest/usage/administration/admin_api/index.html
 You can enforce the old standard with the following setting:
 ```
 functional:
  chat:
    matrix:
      profile:
        useImmutableIdentifierForLocalpart: true
 ```
 #### File-share configurability
 Now we provide some configurability regarding the sharing capabilities of the Nextcloud component.
 The new default is different from the standard until now.
 To keep the current state after the upgrade from 0.9.0, you have to provide the following settings:
 ```
 functional:
  filestore:
    sharing:
      external:
        enabled: true
 ```
 Please also check the other new options available at `functional.filestore.sharing`.
 #### Updated default subdomains in `global.hosts`
 We have streamlined the subdomain names used by openDesk to be more user-friendly and to avoid the use of specific
 product names.
 This results in following change of default subdomain naming:
 - **collabora**: `collabora` → `office`
 - **cryptpad**: `cryptpad` → `pad`
 - **minioApi**: `minio` → `objectstore`
 - **minioConsole**: `minio-console` → `objectstore-ui`
 - **nextcloud**: `fs` → `files`
 - **openproject**: `project` → `projects`
 During upgrade, any existing environment needs to keep the old subdomains,
 cause url/link changes are not every supported and not tested at all.
 If you have not already defined the entire `global.hosts` dictionary in your custom environments values, please set it
 to the defaults that were used before the upgrade:
 ```yaml
 global:
  hosts:
    collabora: "collabora"
    cryptpad: "cryptpad"
    element: "chat"
    intercomService: "ics"
    jitsi: "meet"
    keycloak: "id"
    matrixNeoBoardWidget: "matrix-neoboard-widget"
    matrixNeoChoiceWidget: "matrix-neochoice-widget"
    matrixNeoDateFixBot: "matrix-neodatefix-bot"
    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
    minioApi: "minio"
    minioConsole: "minio-console"
    nextcloud: "fs"
    openproject: "project"
    openxchange: "webmail"
    synapse: "matrix"
    synapseFederation: "matrix-federation"
    univentionManagementStack: "portal"
    whiteboard: "whiteboard"
    xwiki: "wiki"
 ```
 In case you would like to use the updated hostnames you at least have to apply some manual changes. But do this at
 your own risk. Be also aware that some of your user's bookmarks and links will stop working.
 - Update the affected portal tiles:
  - All tiles in the "Files" category.
  - The "Projects" tile in the "Management" category.
 - There are two options to change the link for the portal tiles:
  - Use an admin account to access the portal's edit mode (on the bottom of the sidebar portal's menu).
  - Utilize the UDM REST API to update the portal tile objects.
 - Update the hostnames for the OpenProject-Nextcloud integration using a functional admin user for both components:
  - In OpenProject: *Administration* > *Files* > *External file storages* > Select `Nextcloud at [your_domain]`
    Edit *Details* - *General Information* - *Storage provider* and update the *hostname* to `files.<your_domain>`.
  - In Nextcloud: *Administration* > *OpenProject* > *OpenProject server* update the *OpenProject host* to
    to `projects.<your_domain>`.
 #### Updated `global.imagePullSecrets`
 Without using a custom registry, you can pull all the openDesk images without authentication.
 Thus defining not existing imagePullSecrets creates unnecessary errors, so we removed them.
 You can keep the current settings by setting the `external-registry` in your custom environment values:
 ```yaml
 global:
  imagePullSecrets:
    - "external-registry"
 ```
 ### Automated migrations
 #### Local Postfix as Relay
 All components relay outgoing mails to the local Postfix. In order for the configuration to be picked up by all components the following restarts are triggered in the migrations `POST` stage:
 - Deployments:
  - `opendesk-nextcloud-php`
  - `ums-umc-server`
 - Stateful Sets:
  - `ums-selfservice-listener`
  - `opendesk-synapse`
 #### Updated IAM component Nubus
 openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The now redundant and scalable LDAP requires migration activities. These have been automated to avoid manual interaction. The `run_2` of the openDesk
 upgrade migrations executes the following steps:
 - Stage `PRE`:
  - Delete service `ums-keycloak`, as it will be recreated headless.
  - Scale down `statefulset/ums-ldap-server` and `statefulset/ums-ldap-notifier` in preparation or the next step:
  - Create two new PVCs `shared-data-ums-ldap-server-primary-0` and `shared-data-ums-ldap-server-primary-1` for the new LDAP primary pods as copy from the existing `shared-data-ums-ldap-server-0`. The LDAP secondaries will sync from the primary nodes.
- Stage `POST`:
+- Stage POST:
  - Delete the no longer used `shared-data-ums-ldap-server-0`.
  - Restart Keycloak.
-##### Manual cleanup
+**Note:** You should ensure you have a backup of the contents of `shared-data-ums-ldap-server-0` if something goes wrong during the
 upgrade migration.
-Currently we do not execute possible cleanup steps as part of the migrations POST stage. So you might want to remove the no longer used PVCs after successful upgrade:
+# From v0.8.1
 ```
 NAMESPACE=<your_namespace>
 kubectl -n ${NAMESPACE} delete pvc shared-data-ums-ldap-server-0
 kubectl -n ${NAMESPACE} delete pvc shared-run-ums-ldap-server-0
 ```
-## From v0.8.1
+## Updated `cluster.networking.cidr`
 ### Updated `cluster.networking.cidr`
 - Action: `cluster.networking.cidr` is now an array (was a string until 0.8.1), please update your setup accordingly if you explicitly set this value.
 - Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml)
-### Updated customizable template attributes
+## Nubus LDAP PVCs
 openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The new redundant and scalable LDAP requires some manual action to upgrade from 0.8.1:
 - Action: Before the upgrade you have to prepare the PVCs for the LDAP primary Pods. First scale down the 0.8.1 LDAP Pod and pre-create and pre-populate the new PVCs with the data from the current LDAP PVC. You can do all this by running the following snippet on your commandline, after setting `NAMESPACE` to the appropriate value. The LDAP secondaries get sync'd from the primary to fill their own PVCs data.
 ```
 export NAMESPACE=YOUR_NAMESPACE
 kubectl -n $NAMESPACE scale --replicas=0 statefulset/ums-ldap-notifier
 kubectl -n $NAMESPACE scale --replicas=0 statefulset/ums-ldap-server
 kubectl -n $NAMESPACE apply -f - <<EOF
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  # Target PVC name
  name: shared-data-ums-ldap-server-primary-0
 spec:
  dataSource:
    # Source PVC name
    name: shared-data-ums-ldap-server-0
    kind: PersistentVolumeClaim
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      # Target PVC size (deployments default to 1Gi)
      storage: 1Gi
 ...
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  # Target PVC name
  name: shared-data-ums-ldap-server-primary-1
 spec:
  dataSource:
    # Source PVC name
    name: shared-data-ums-ldap-server-0
    kind: PersistentVolumeClaim
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      # Target PVC size (deployments default to 1Gi)
      storage: 1Gi
 ...
 EOF
 ```
 - Once you have verified that your upgrade was successful, you can delete the previous LDAP's PVC:
 ```
 kubectl -n $NAMESPACE delete pvc shared-data-ums-ldap-server-0
 ```
 ## Nubus LDAP PVCs
 openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The new redundant and scalable LDAP requires some manual action to upgrade from 0.8.1:
 - Action: Before the upgrade you have to prepare the PVCs for the LDAP primary Pods. First scale down the 0.8.1 LDAP Pod and pre-create and pre-populate the new PVCs with the data from the current LDAP PVC. You can do all this by running the following snippet on your commandline, after setting `NAMESPACE` to the appropriate value. The LDAP secondaries get sync'd from the primary to fill their own PVCs data.
 ```
 export NAMESPACE=YOUR_NAMESPACE
 kubectl -n $NAMESPACE scale --replicas=0 statefulset/ums-ldap-notifier
 kubectl -n $NAMESPACE scale --replicas=0 statefulset/ums-ldap-server
 kubectl -n $NAMESPACE apply -f - <<EOF
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  # Target PVC name
  name: shared-data-ums-ldap-server-primary-0
 spec:
  dataSource:
    # Source PVC name
    name: shared-data-ums-ldap-server-0
    kind: PersistentVolumeClaim
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      # Target PVC size (deployments default to 1Gi)
      storage: 1Gi
 ...
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  # Target PVC name
  name: shared-data-ums-ldap-server-primary-1
 spec:
  dataSource:
    # Source PVC name
    name: shared-data-ums-ldap-server-0
    kind: PersistentVolumeClaim
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      # Target PVC size (deployments default to 1Gi)
      storage: 1Gi
 ...
 EOF
 ```
 - Once you have verified that your upgrade was successful, you can delete the previous LDAP's PVC:
 ```
 kubectl -n $NAMESPACE delete pvc shared-data-ums-ldap-server-0
 ```
 ## Updated customizable template attributes
 - Action: Please ensure you update you custom deployment values according with the updated default value structure.
 - References:
@@ -213,28 +169,7 @@ kubectl -n ${NAMESPACE} delete pvc shared-run-ums-ldap-server-0
  - `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
  - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
-### `migrations` S3 bucket
+## `migrations` S3 bucket
 - Action: For self managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
 - Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
 # Related components and artefacts
 openDesk comes with two upgrade steps as part of the deployment, they can be found in the folder [/helmfile/apps](../helmfile/apps/) as all other components:
 - `migrations-pre`: Is the very first app that gets deployed.
 - `migrations-post`: Is the last app that gets deployed.
 Both migrations have to be deployed exclusively at their first/last position and not in parallel with other components.
 The status of the upgrade migrations is tracked in the ConfigMap `migrations-status`, more details can be found in the [README.md of the related container image](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/README.md).
 ## Development
 When a new upgrade migration is required, ensure to address the following list:
 - Update the generated release version file [`global.generated.yaml`](../helmfile/environments/default/global.generated.yaml) at least on the patch level to test the upgrade in your feature branch as well as trigger it in the `develop` branch after the feature branch was merged. The set value gets overwritten during the release process with the release's actual version number.
 - You have to implement the migration logic as a runner script in the [`opendesk-migrations`](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations) image. Please find more instructions in the linked repository.
 - You most likely have to update the [`opendesk-migrations` Helm chart](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations) within the `rules` section of the [`role.yaml`](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/main/charts/opendesk-migrations/templates/role.yaml) to provide the permissions required for the execution of your migration's logic.
 - You have to set the runner's ID you want to execute in the [migrations.yaml.gotmpl](../helmfile/shared/migrations.yaml.gotmpl). See also the `migrations.*` section of [the Helm chart's README.md](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/main/charts/opendesk-migrations/README.md).
 - Update the [`charts.yaml`](../helmfile/environments/default/charts.yaml) and [`images.yaml`](../helmfile/environments/default/images.yaml) to reflect the newer releases of the `opendesk-migrations` Helm chart and container image.
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -24,7 +24,7 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX)
 - [Helm](https://helm.sh/) >= v3.9.0
- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc.5**
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
@@ -39,8 +39,6 @@ The following minimal requirements are thought for initial evaluation deployment
 | RAM  | 32 GB, more recommended                               |
 | Disk | HDD or SSD, >10 GB                                    |
 Check [`scaling.md`](./scaling.md) for more details on resource requirements and scalability.
 # Kubernetes
 Any self-hosted or managed K8s cluster >= 1.24 listed in
--- a/docs/scaling.md
+++ b/docs/scaling.md
@@ -7,17 +7,55 @@ SPDX-License-Identifier: Apache-2.0
 This document should cover the abilities to scale apps.
-# Horizontal scalability
+<!-- TOC -->
 * [Replicas](#replicas)
 <!-- TOC -->
-We are working on generating this document automatically based on the file
+# Replicas
 [`replicas.yaml`](../helmfile/environments/default/replicas.yaml) that contains necessary annotations.
 In the meantime this file can be used to check the components scaling support / capabilities.
-# Upstream information
+The Replicas can be increased of almost any component, but is only effective for high-availability or load-balancing for
 apps with a check-mark in `Scaling (effective)` column.
-While scaling services horizontally is the ideal solution, information about vertical scaling is helpful
+Verified positive effects are marked with a check-mark in `Scaling (verified)` column, apps which are not yet tested are
-when it comes to defining the applications resources, see [`resources.yaml`](../helmfile/environments/default/resources.yaml) for references.
+marked with a gear.
 Please find below links to the application's upstream resources about scaling:
- [OpenProject system requirements](https://www.openproject.org/docs/installation-and-operations/system-requirements/)
+| Component                   | Name                                     | Scaling (effective) | Scaling (verified) |
 |-----------------------------|------------------------------------------|:-------------------:|:------------------:|
 | ClamAV                      | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
 |                             | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
 |                             | `replicas.freshclam`                     |         :x:         |        :x:         |
 |                             | `replicas.icap`                          | :white_check_mark:  | :white_check_mark: |
 |                             | `replicas.milter`                        | :white_check_mark:  | :white_check_mark: |
 | Collabora                   | `replicas.collabora`                     | :white_check_mark:  |       :gear:       |
 | CryptPad                    | `replicas.cryptpad`                      | :white_check_mark:  |       :gear:       |
 | Dovecot                     | `replicas.dovecot`                       |         :x:         |       :gear:       |
 | Element                     | `replicas.element`                       | :white_check_mark:  | :white_check_mark: |
 |                             | `replicas.matrixNeoBoardWidget`          | :white_check_mark:  |       :gear:       |
 |                             | `replicas.matrixNeoChoiceWidget`         | :white_check_mark:  |       :gear:       |
 |                             | `replicas.matrixNeoDateFixBot`           | :white_check_mark:  |       :gear:       |
 |                             | `replicas.matrixNeoDateFixWidget`        | :white_check_mark:  |       :gear:       |
 |                             | `replicas.matrixUserVerificationService` | :white_check_mark:  |       :gear:       |
 |                             | `replicas.synapse`                       |         :x:         |       :gear:       |
 |                             | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
 |                             | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
 | Intercom Service            | `replicas.intercomService`               | :white_check_mark:  | :white_check_mark: |
 | Jitsi                       | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
 |                             | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
 |                             | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
 |                             | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
 |                             | `replicas.jvb `                          |         :x:         |        :x:         |
 | Keycloak                    | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
 | Memcached                   | `replicas.memcached`                     |       :gear:        |       :gear:       |
 | Minio                       | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
 | Nextcloud                   | `replicas.nextcloudApache2`              | :white_check_mark:  | :white_check_mark: |
 |                             | `replicas.nextcloudExporter`             | :white_check_mark:  | :white_check_mark: |
 |                             | `replicas.nextcloudPHP`                  | :white_check_mark:  | :white_check_mark: |
 | OpenProject                 | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
 | Postfix                     | `replicas.postfix`                       |         :x:         |       :gear:       |
 | Redis                       | `replicas.redis`                         |       :gear:        |       :gear:       |
 | Univention Management Stack |                                          |       :gear:        |       :gear:       |
 |                             | `replicas.umsPortalFrontend`             | :white_check_mark:  | :white_check_mark: |
 |                             | `replicas.umsPortalServer`               | :white_check_mark:  | :white_check_mark: |
 |                             | `replicas.umsUdmRestApi`                 | :white_check_mark:  | :white_check_mark: |
 | XWiki                       | `replicas.xwiki`                         |         :x:         |       :gear:       |
--- a/helmfile.yaml.gotmpl
+++ b/helmfile.yaml.gotmpl
@@ -15,7 +15,7 @@ environments:
 ---
 # yamllint disable
 helmfiles:
-  - path: "./helmfile_generic.yaml.gotmpl"
+  - path: "./helmfile_generic.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 # {{/*
--- a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/\
      {{ .Values.charts.collabora.repository }}"
 releases:
  - name: "collabora-online"
@@ -18,7 +19,6 @@ releases:
    version: "{{ .Values.charts.collabora.version }}"
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.collaboraOnline | default "additionalValues: false" }}
    installed: {{ .Values.collabora.enabled }}
 commonLabels:
--- a/helmfile/apps/intercom-service/helmfile.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -8,7 +7,7 @@ autoscaling:
  enabled: false
 collabora:
-  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0 --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/richdocuments/settings/fonts.json"
+  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0"
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
@@ -25,7 +24,7 @@ grafana:
      {{ .Values.monitoring.grafana.dashboards.annotations | toYaml | nindent 6 }}
 image:
-  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
+  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
  tag: {{ .Values.images.collabora.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -84,8 +83,6 @@ ingress:
      hosts:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
 podAnnotations: {}
 podSecurityContext:
  fsGroup: 100
--- a/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/\
      {{ .Values.charts.cryptpad.repository }}"
 releases:
  - name: "cryptpad"
@@ -18,7 +19,6 @@ releases:
    version: "{{ .Values.charts.cryptpad.version }}"
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.cryptpad | default "additionalValues: false" }}
    installed: {{ .Values.cryptpad.enabled }}
 commonLabels:
--- a/helmfile/apps/cryptpad/helmfile.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 # https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
 # https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
@@ -26,7 +23,7 @@ enableEmbedding: true
 fullnameOverride: "cryptpad"
 image:
-  repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
+  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
  tag: {{ .Values.images.cryptpad.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -53,8 +50,6 @@ ingress:
 persistence:
  enabled: false
 podAnnotations: {}
 podSecurityContext:
  fsGroup: 4001
--- a/helmfile/apps/element/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile-child.yaml.gotmpl
@@ -10,35 +10,40 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/\
      {{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/\
      {{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/\
      {{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/\
      {{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/\
      {{ .Values.charts.synapseCreateAccount.repository }}"
  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -48,35 +53,40 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/{{ .Values.charts.matrixUserVerificationService.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
      {{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
      {{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
      {{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/\
      {{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/\
      {{ .Values.charts.matrixNeodatefixBot.repository }}"
 releases:
@@ -85,7 +95,6 @@ releases:
    version: "{{ .Values.charts.element.version }}"
    values:
      - "values-element.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskElement | default "additionalValues: false" }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -94,7 +103,6 @@ releases:
    version: "{{ .Values.charts.elementWellKnown.version }}"
    values:
      - "values-well-known.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskWellKnown | default "additionalValues: false" }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -103,7 +111,6 @@ releases:
    version: "{{ .Values.charts.synapseWeb.version }}"
    values:
      - "values-synapse-web.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskSynapseWeb | default "additionalValues: false" }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -112,7 +119,6 @@ releases:
    version: "{{ .Values.charts.synapse.version }}"
    values:
      - "values-synapse.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskSynapse | default "additionalValues: false" }}
    installed: {{ .Values.element.enabled }}
    timeout: 900
--- a/helmfile/apps/element/helmfile.yaml.gotmpl
+++ b/helmfile/apps/element/helmfile.yaml.gotmpl
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -1,13 +1,11 @@
-{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 configuration:
  endToEndEncryption: true
  additionalConfiguration:
-    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/ logout?client_id=opendesk-matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
    "net.nordeck.element_web.module.opendesk":
      config:
@@ -44,8 +42,6 @@ configuration:
            - org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
            - org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
            - town.robin.msc3846.turn_servers
            - org.matrix.msc4039.upload_file
            - org.matrix.msc4039.download_file
        "https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
          preload_approved: true
          capabilities_approved:
@@ -125,7 +121,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.element.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
  repository: {{ .Values.images.element.repository | quote }}
  tag: {{ .Values.images.element.tag | quote }}
@@ -137,8 +133,6 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -29,7 +26,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoBoardWidget.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoBoardWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
@@ -40,8 +37,6 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -29,7 +26,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoChoiceWidget.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoChoiceWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
@@ -40,8 +37,6 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
@@ -19,15 +16,13 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "matrix-neodatefix-bot-bootstrap"
 podAnnotations: {}
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
@@ -50,7 +47,7 @@ extraEnvVars:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixBot.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
@@ -68,8 +65,6 @@ persistence:
  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 configuration:
  bot:
@@ -34,7 +31,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixNeoDateFixWidget.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
@@ -45,8 +42,6 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
@@ -19,15 +16,13 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseCreateUser.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
 podAnnotations: {}
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -38,12 +35,10 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.matrixUserVerificationService.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 clusterDomain: {{ .Values.cluster.networking.domain }}
@@ -32,7 +29,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.synapseWeb.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseWeb.registry | quote }}
  repository: {{ .Values.images.synapseWeb.repository | quote }}
  tag: {{ .Values.images.synapseWeb.tag | quote }}
@@ -51,8 +48,6 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 configuration:
  additionalConfiguration:
@@ -14,8 +11,8 @@ configuration:
        - "m.space.parent"
        - "net.nordeck.meetings.metadata"
        - "m.room.power_levels"
-    # To allow intercom service logins for the users and also allow proper testautomation we want to raise the
+    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
-    # ratelimit in a reasonable manner.
+    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
    rc_login:
      account:
@@ -43,36 +40,20 @@ configuration:
              regex: "@.*"
        url: null
        sender_localpart: intercom-service
-      - as_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
+    presence: 
        hs_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
        id: ox-appsuite
        namespaces:
          users:
            - exclusive: false
              regex: "@.*"
        url: null
        sender_localpart: ox-appsuite
    presence:
      enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
-
+    
    profile:
      allowUsersToUpdateDisplayname: {{ .Values.functional.chat.matrix.profile.allowUsersToUpdateDisplayname }}
    smtp:
-      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ .Values.smtp.host | quote }}
-      port: 25
+      port: {{ .Values.smtp.port }}
-      tls: false
+      username: {{ .Values.smtp.username | quote }}
-      starttls: false
+      password: {{ .Values.smtp.password | quote }}
      username: ""
      password: ""
    oidc:
      clientId: "opendesk-matrix"
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      matrixIdLocalpart: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
      scopes:
        - "openid"
        - "opendesk-matrix-scope"
@@ -94,7 +75,7 @@ configuration:
      enabled: true
      image:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapseGuestModule.registry | quote }}
+        registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
        tag: {{ .Values.images.synapseGuestModule.tag | quote }}
@@ -133,7 +114,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.synapse.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
  repository: {{ .Values.images.synapse.repository | quote }}
  tag: {{ .Values.images.synapse.tag | quote }}
@@ -141,8 +122,6 @@ persistence:
  size: {{ .Values.persistence.size.synapse | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 10991
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 configuration:
  e2ee:
@@ -33,7 +30,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.wellKnown.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.wellKnown.registry | quote }}
  repository: {{ .Values.images.wellKnown.repository | quote }}
  tag: {{ .Values.images.wellKnown.tag | quote }}
@@ -45,8 +42,6 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
--- a/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl
@@ -5,12 +5,13 @@ repositories:
  # Intercom Service
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
  - name: "intercom-service-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.intercomService.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/\
      {{ .Values.charts.intercomService.repository }}"
 releases:
  - name: "intercom-service"
@@ -18,7 +19,6 @@ releases:
    version: "{{ .Values.charts.intercomService.version }}"
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.intercomService | default "additionalValues: false" }}
    installed: {{ .Values.intercom.enabled }}
 commonLabels:
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -6,7 +6,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -55,12 +52,10 @@ ics:
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    audience: "opendesk-oxappsuite"
  nextcloud:
    origin: {{ .Values.global.hosts.nextcloud | quote }}
    subdomain: {{ .Values.global.hosts.nextcloud | quote }}
    audience: "opendesk-nextcloud"
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.intercom.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.intercom.registry | quote }}
  repository: {{ .Values.images.intercom.repository | quote }}
  tag: {{ .Values.images.intercom.tag | quote }}
@@ -72,47 +67,11 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "Always"
 provisioning:
  enabled: true
  config:
    nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
    keycloak:
      url: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/"
      username: "kcadmin"
      realm: {{ .Values.platform.realm | quote }}
      connection:
        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
        baseUrl: "http://ums-keycloak:8080"
      credentialSecret:
        name: "ums-opendesk-keycloak-credentials"
        key: "admin_password"
    ics_client:
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
      credentialSecret:
        key: "ics_secret"
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
    repository: {{ .Values.images.nubusWaitForDependency.repository | quote }}
    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}
  provisioningImage:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository | quote }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag | quote }}
  securityContext:
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.intercom | toYaml | nindent 6 }}
 replicaCount: {{ .Values.replicas.intercomService }}
 resources:
--- a/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/\
      {{ .Values.charts.jitsi.repository }}"
 releases:
  - name: "jitsi"
@@ -18,7 +19,6 @@ releases:
    version: "{{ .Values.charts.jitsi.version }}"
    values:
      - "values-jitsi.yaml.gotmpl"
      - {{ .Values.customization.release.jitsi | default "additionalValues: false" }}
    installed: {{ .Values.jitsi.enabled }}
    timeout: 900
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/jitsi/helmfile.yaml.gotmpl
+++ b/helmfile/apps/jitsi/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -10,7 +9,6 @@ global:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations: {}
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -33,7 +31,7 @@ cleanup:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsiKeycloakAdapter.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiKeycloakAdapter.registry | quote }}
  repository: {{ .Values.images.jitsiKeycloakAdapter.repository | quote }}
  tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}
@@ -50,9 +48,8 @@ jitsi:
  web:
    replicaCount: {{ .Values.replicas.jitsi }}
    image:
-      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsi.registry }}/{{ .Values.images.jitsi.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jitsi.registry }}/{{ .Values.images.jitsi.repository }}"
      tag: {{ .Values.images.jitsi.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    ingress:
      enabled: {{ .Values.ingress.enabled }}
      ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
@@ -64,8 +61,6 @@ jitsi:
        - secretName: {{ .Values.ingress.tls.secretName | quote }}
          hosts:
            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
    extraConfigJs:
      doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
    extraEnvs:
      TURN_ENABLE: "1"
    resources:
@@ -84,9 +79,8 @@ jitsi:
        {{ .Values.seLinuxOptions.jitsi | toYaml | nindent 8 }}
  prosody:
    image:
-      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
      tag: {{ .Values.images.prosody.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
@@ -134,9 +128,8 @@ jitsi:
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
-      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jicofo.registry }}/{{ .Values.images.jicofo.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jicofo.registry }}/{{ .Values.images.jicofo.repository }}"
      tag: {{ .Values.images.jicofo.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
      componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
@@ -157,9 +150,8 @@ jitsi:
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
-      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jvb.registry }}/{{ .Values.images.jvb.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jvb.registry }}/{{ .Values.images.jvb.repository }}"
      tag: {{ .Values.images.jvb.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
    resources:
@@ -181,9 +173,8 @@ jitsi:
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
-      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jibri.registry }}/{{ .Values.images.jibri.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jibri.registry }}/{{ .Values.images.jibri.repository }}"
      tag: {{ .Values.images.jibri.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    recorder:
      password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
    xmpp:
@@ -220,12 +211,9 @@ patchJVB:
      {{ .Values.seLinuxOptions.jitsiPatchJVB | toYaml | nindent 6 }}
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.jitsiPatchJVB.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
    repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
    tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
 podAnnotations: {}
 replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
 resources:
--- a/helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
      {{ .Values.charts.migrations.repository }}"
 releases:
  - name: "opendesk-migrations-post"
@@ -21,7 +22,6 @@ releases:
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
      - {{ .Values.customization.release.migrationsPost | default "additionalValues: false" }}
    installed: {{ .Values.migrations.enabled }}
    timeout: 900
--- a/helmfile/apps/migrations-post/helmfile.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/helmfile.yaml.gotmpl
@@ -5,7 +5,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/migrations-post/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-post/values.yaml.gotmpl
@@ -3,8 +3,6 @@
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 podAnnotations: {}
 migrations:
  stage: "POST"
 ...
--- a/helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/{{ .Values.charts.migrations.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
      {{ .Values.charts.migrations.repository }}"
 releases:
  - name: "opendesk-migrations-pre"
@@ -21,7 +22,6 @@ releases:
    values:
      - "values.yaml.gotmpl"
      - "../../shared/migrations.yaml.gotmpl"
      - {{ .Values.customization.release.migrationsPre | default "additionalValues: false" }}
    installed: {{ .Values.migrations.enabled }}
    timeout: 900
--- a/helmfile/apps/migrations-pre/helmfile.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/helmfile.yaml.gotmpl
@@ -5,7 +5,7 @@ bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
-  - path: "./helmfile-child.yaml.gotmpl"
+  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/migrations-pre/values.yaml.gotmpl
+++ b/helmfile/apps/migrations-pre/values.yaml.gotmpl
@@ -3,8 +3,6 @@
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 podAnnotations: {}
 migrations:
  stage: "PRE"
 ...
--- a/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl
@@ -10,14 +10,16 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/\
      {{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloud.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/\
      {{ .Values.charts.nextcloud.repository }}"
 releases:
  - name: "opendesk-nextcloud-management"
@@ -25,7 +27,6 @@ releases:
    version: "{{ .Values.charts.nextcloudManagement.version }}"
    values:
      - "values-nextcloud-mgmt.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskNextcloudManagement | default "additionalValues: false" }}
    waitForJobs: true
    wait: true
    installed: {{ .Values.nextcloud.enabled }}
@@ -35,7 +36,6 @@ releases:
    version: "{{ .Values.charts.nextcloud.version }}"
    values:
      - "values-nextcloud.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskNextcloud | default "additionalValues: false" }}
    needs:
      - "opendesk-nextcloud-management"
    installed: {{ .Values.nextcloud.enabled }}
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/nextcloud/helmfile.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -37,7 +37,7 @@ configuration:
    port: {{ .Values.cache.nextcloud.port | quote }}
  collabora:
    # internalWopiUrl: ""
-    wopiAllowlist: {{ join ", " ( concat .Values.cluster.networking.cidr .Values.cluster.networking.incomingCIDR ) | quote }}
+    wopiAllowlist: {{ join " " .Values.cluster.networking.cidr | quote }}
  database:
    host: {{ .Values.databases.nextcloud.host | quote }}
    port: {{ .Values.databases.nextcloud.port | quote }}
@@ -73,31 +73,16 @@ configuration:
      value: "opendesk_username"
    password:
      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  sharing:
    allowLinks: {{ .Values.functional.filestore.sharing.external.enabled }}
    allowMailNotification: {{ .Values.functional.filestore.sharing.external.enabled }}
    allowPublicUpload: {{ .Values.functional.filestore.sharing.external.enabled }}
    enforceLinksPassword: {{ .Values.functional.filestore.sharing.external.enforcePasswords }}
    enforcePasswordProtection: {{ .Values.functional.filestore.sharing.external.enforcePasswords }}
    defaultInternalExpireEnabled: {{ .Values.functional.filestore.sharing.internal.expiry.activeByDefault }}
    defaultInternalExpireEnforced: {{ .Values.functional.filestore.sharing.internal.expiry.enforced }}
    defaultInternalExpireDays: {{ .Values.functional.filestore.sharing.internal.expiry.defaultDays | quote }}
    defaultExternalExpireEnabled: {{ .Values.functional.filestore.sharing.external.expiry.activeByDefault }}
    defaultExternalExpireEnforced: {{ .Values.functional.filestore.sharing.external.expiry.enforced }}
    defaultExternalExpireDays: {{ .Values.functional.filestore.sharing.external.expiry.defaultDays | quote }}
  smtp:
    auth:
      enabled: false
      username:
-        value: ""
+        value: {{ .Values.smtp.username | quote }}
      password:
-        value: ""
+        value: {{ .Values.smtp.password | quote }}
-    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    host: {{ .Values.smtp.host | quote }}
-    port: 25
+    port: {{ .Values.smtp.port | quote }}
    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
-    mailDomain: "{{ .Values.global.domain }}"
+    mailDomain: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
    security: ""
    skipVerifyPeer: true
  quota:
    default: "{{ .Values.functional.filestore.quota.default }} GB"
    retentionObligation:
@@ -127,7 +112,7 @@ debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudManagement.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
  repository: {{ .Values.images.nextcloudManagement.repository | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.nextcloudManagement.tag | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -28,11 +28,10 @@ exporter:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.nextcloudExporter | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudExporter.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
  podAnnotations: {}
  prometheus:
    serviceMonitor:
      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
@@ -88,11 +87,10 @@ php:
  debug:
    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudPHP.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
    repository: "{{ .Values.images.nextcloudPHP.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudPHP.tag | quote }}
  podAnnotations: {}
  prometheus:
    serviceMonitor:
      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
@@ -140,11 +138,10 @@ apache2:
    tls:
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudApache2.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudApache2.registry | quote }}
    repository: {{ .Values.images.nextcloudApache2.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudApache2.tag | quote }}
  podAnnotations: {}
  replicaCount: {{ .Values.replicas.nextcloudApache2 }}
  resources:
    {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
+      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/\
      {{ .Values.charts.nubus.repository }}"
  # OpenDesk Keycloak Bootstrap Chart
  - name: "opendesk-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -18,7 +19,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/{{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
      {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
 releases:
  # Univention Management Stack Umbrella Chart
@@ -29,7 +31,6 @@ releases:
      - "values-nubus.yaml.gotmpl"
      - "values-opendesk-customization.yaml.gotmpl"
      - "values-opendesk-images.yaml.gotmpl"
      - {{ .Values.customization.release.ums | default "additionalValues: false" }}
    installed: {{ .Values.nubus.enabled }}
    timeout: 900
  # OpenDesk Keycloak Bootstrap Chart
@@ -38,7 +39,6 @@ releases:
    version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
    values:
      - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskKeycloakBootstrap | default "additionalValues: false" }}
    needs:
      - "ums"
    installed: {{ .Values.nubus.enabled }}
--- a/helmfile/apps/nubus/helmfile.yaml
+++ b/helmfile/apps/nubus/helmfile.yaml
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/nubus/helmfile.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -1,7 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  nubusDeployment: true
@@ -9,11 +7,8 @@ global:
    baseDn: {{ .Values.ldap.baseDn | quote }}
    domainName: {{ .Values.global.domain | quote }}
  domain: {{ .Values.global.domain | quote }}
  subDomains:
    portal: {{ .Values.global.hosts.nubus | quote }}
    keycloak: {{ .Values.global.hosts.keycloak | quote }}
  ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
-  certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
+  certManagerIssuer: "letsencrypt-prod-dns"
  nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
  keycloak:
    realm: {{ .Values.platform.realm | quote }}
@@ -29,118 +24,8 @@ global:
    defaultUsers:
      defaultAdminPassword: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote}}
      defaultUserPassword: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote}}
      defaultAdministratorPassword: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote}}
    portalConsumer:
      minio:
        accessKey: {{ .Values.objectstores.nubus.username | quote }}
        secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
      provisioningApi:
        password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote}}
    provisioning:
      api:
        adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote}}
        natsPassword: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
        prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
        udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
      dispatcher:
        natsPassword: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
      nats:
        adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote}}
      prefill:
        natsPassword: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
      udmTransformer:
        natsPassword: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
    selfserviceConsumer:
      provisioningApi:
        password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
  # -- Extensions to load. Add entries to load additional extensions into Nubus.
  extensions:
    - name: "ox"
      image:
        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOxExtension.registry | quote }}
        repository: {{ .Values.images.nubusOxExtension.repository }}
        tag: {{ .Values.images.nubusOxExtension.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
    - name: "opendesk"
      image:
        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpendeskExtension.registry | quote }}
        repository: {{ .Values.images.nubusOpendeskExtension.repository }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
        tag: {{ .Values.images.nubusOpendeskExtension.tag }}
  # -- Allows to configure the system extensions to load. This is intended for
  # internal usage, prefer to use `global.extensions` for user configured
  # extensions.
  systemExtensions:
    - name: "portal"
      image:
        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalExtension.registry | quote }}
        repository: {{ .Values.images.nubusPortalExtension.repository }}
        tag: {{ .Values.images.nubusPortalExtension.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
  configUcr:
    directory:
      manager:
        web:
          modules:
            users:
              user:
                add:
                  default: cn=openDesk User,cn=templates,cn=univention,{{ .Values.ldap.baseDn }}
                properties:
                  description:
                    syntax: TextArea
                  firstname:
                    required: "true"
                  mailPrimaryAddress:
                    required: "true"
                  username:
                    syntax: uid
                search:
                  autosearch: "False"
                wizard:
                  property:
                    invite:
                      default: "True"
                    overridePWLength:
                      default: "False"
                      visible: "False"
                    pwdChangeNextLogin:
                      default: "True"
                      visible: "False"
            wizard:
              disabled: "No"
    ucs:
      web:
        theme: light
    umc:
      cookie-banner:
        show: "false"
      login:
        password-complexity-message:
          de: "Das Passwort muss den folgenden Anforderungen entsprechen:<br><ul><li>Mindestlänge: 8 Zeichen</li></ul>Anmerkung: Wird befinden uns nicht in einer Produktivumgebung."
          en: "Password must comply with the following rules:<br><ul><li>Minimum length: 8 characters</li></ul>Note: We are in a non production (dev/test/demo) system."
      module:
        udm:
          oxmail:
            oxcontext:
              disabled: "True"
          portals:
            all:
              disabled: "True"
      self-service:
        passwordreset:
          token_validity_period: 172800
 ingress:
  certManager:
    enabled: false
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 # Nubus bundled services
 postgresql:
@@ -162,7 +47,7 @@ keycloak:
  postgresql:
    connection:
      host: {{ .Values.databases.keycloak.host | quote }}
-      port: {{ .Values.databases.keycloak.port | quote }}
+      port: {{ .Values.databases.keycloak.port }}
    auth:
      username: {{ .Values.databases.keycloak.username | quote }}
      database: {{ .Values.databases.keycloak.name | quote }}
@@ -174,15 +59,9 @@ keycloak:
 nubusGuardian:
  provisioning:
-    enabled: false
+    enabled: true
    config:
      nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
      keycloak:
        realm: {{ .Values.platform.realm | quote }}
        username: "kcadmin"
        connection:
          host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
          baseUrl: "http://ums-keycloak:8080"
        credentialSecret:
          name: "ums-opendesk-keycloak-credentials"
          key: "admin_password"
@@ -190,12 +69,7 @@ nubusGuardian:
        credentialSecret:
          name: "ums-opendesk-guardian-client-secret"
          key: "managementApiClientSecret"
-  ingress:
+
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  postgresql:
    connection:
      host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
@@ -216,80 +90,7 @@ nubusNotificationsApi:
      username: {{ .Values.databases.umsNotificationsApi.username | quote }}
      database: {{ .Values.databases.umsNotificationsApi.name | quote }}
      existingSecret: "ums-notifications-api-postgresql-opendesk-credentials"
  ingress:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
 nubusPortalFrontend:
  ingress:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName }}
    # TODO: Remove the block "items" once the "redirects" section has been
    # corrected.
    #
    # This does override the path configuration of the ingress
    # "ums-portal-frontend-redirects" to avoid that "/univention/*" is
    # redirected to "/univention/portal/".
    items:
      - name: rewrites
        # -- Define the Fully Qualified Domain Name (FQDN) where application should be reachable.
        host: ""
        # -- Define the Ingress paths.
        paths:
          - path: /univention/(portal|selfservice)/
            pathType: ImplementationSpecific
          - path: /univention/(portal|selfservice)/index.html
            pathType: ImplementationSpecific
          - path: /univention/(portal|selfservice)/(css|fonts|i18n|media|js|oidc|custom)(/.*)
            pathType: ImplementationSpecific
          - path: /univention/(portal)/(icons)(/.*)$
            pathType: ImplementationSpecific
        # -- The Ingress controller class name.
        ingressClassName: ""
        # -- Define custom ingress annotations.
        # annotations:
        #   nginx.ingress.kubernetes.io/rewrite-target: /
        annotations:
          nginx.ingress.kubernetes.io/rewrite-target: "/$2$3"
          nginx.ingress.kubernetes.io/use-regex: "true"
        # -- Secure an Ingress by specifying a Secret that contains a TLS private key and certificate.
        #
        # Ref.: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
        tls:
          # enabled: true
          # Set to override the global secretName
          secretName: ""
      - name: redirects
        host: ""
        paths:
          - pathType: Exact
            path: /$
          - pathType: Exact
            path: /univention$
          - pathType: Exact
            path: /univention/$
          - pathType: Exact
            path: /univention/portal$
          - pathType: Exact
            path: /univention/selfservice$
        ingressClassName: ""
        annotations:
          nginx.ingress.kubernetes.io/permanent-redirect: "/univention/portal/"
        tls:
          # enabled: true
          # Set to override the global secretName
          secretName: ""
 nubusKeycloakExtensions:
  keycloak:
@@ -313,11 +114,6 @@ nubusKeycloakExtensions:
          path: "/resources/"
        - pathType: "Prefix"
          path: "/fingerprintjs"
      certManager:
        enabled: false
      tls:
        enabled: {{ .Values.ingress.tls.enabled }}
        secretName: {{ .Values.ingress.tls.secretName | quote }}
  postgresql:
@@ -332,13 +128,10 @@ nubusKeycloakExtensions:
        key: "umcKeycloakExtensionsDatabasePassword"
  smtp:
    connection:
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ .Values.smtp.host | quote }}
-      port: 25
+      port: {{ .Values.smtp.port | quote }}
      ssl: false
      starttls: false
    auth:
-      enabled: false
+      username: {{ .Values.smtp.username | quote }}
      username: ""
      credentialSecret:
        name: "ums-keycloak-extensions-smtp-opendesk-credentials"
        key: "umcKeycloakExtensionsSmtpPassword"
@@ -346,20 +139,16 @@ nubusKeycloakExtensions:
    appConfig:
      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
 nubusPortalListener:
-  enabled: false
+  portalListener:
 nubusPortalConsumer:
  enabled: true
  portalConsumer:
    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
-  provisioningApi:
+    objectStorageCredentialSecret:
-    auth:
+      name: "ums-portal-listener-minio-opendesk-credentials"
-      username: "portal-consumer"
+      accessKeyKey: "access-key-id"
      secretKeyKey: "secret-key-id"
 nubusPortalServer:
  portalServer:
@@ -372,38 +161,17 @@ nubusPortalServer:
    centralNavigation:
      enabled: true
      authenticatorSecretName: "ums-opendesk-portal-server-central-navigation"
  ingress:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
 nubusUdmRestApi:
  ingress:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
 # NOTE: disabled until the next update.
 nubusProvisioning:
  enabled: true
 nubusUdmListener:
  enabled: true
 nubusSelfServiceListener:
  enabled: false
-
+nubusUdmListener:
-nubusSelfServiceConsumer:
+  enabled: false
 nubusSelfServiceListener:
  enabled: true
 # Nubus services
 nubusStackDataUms:
  additionalAnnotations:
    argocd.argoproj.io/hook: "Sync"
    argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
  stackDataContext:
    umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
    umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
@@ -411,12 +179,27 @@ nubusStackDataUms:
    umcMemcachedUsername: ""
    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
    umcHtmlTitle: "openDesk Portal"
-    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    installUmcPolicies: true
-    smtpPort: 25
+  nubusUmcServer:
-    smtpUser: ""
+    memcached:
-    smtpStartTls: false
+      auth:
        username: ""
 # TODO: Remove values when upstreaming fixes
 nubusStackDataSwp:
  stackDataContext:
    ldapSearchUsers:
      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
      - username: {{ printf "ldapsearch_%s" $username | quote }}
        password: {{ $password | quote }}
        lastname: "LDAP-Search-User"
      {{- end }}
    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
    smtpHost: {{ .Values.smtp.host | quote }}
    smtpPort: {{ .Values.smtp.port | quote }}
    smtpUser: {{ .Values.smtp.username | quote }}
    ldapBase: {{ .Values.ldap.baseDn }}
-  templateContext:
+    # FIXME: Should be templated correctly in the future
    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
@@ -425,49 +208,6 @@ nubusStackDataUms:
    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
    portalTitleDE: "openDesk Portal"
    portalTitleEN: "openDesk Portal"
    oxDefaultContext: "1"
    ldapSearchUsers:
      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
      - username: {{ printf "ldapsearch_%s" $username | quote }}
        password: {{ $password | quote }}
        lastname: "LDAP-Search-User"
      {{- end }}
    ldapSystemUsers: []
    portaltileGroupUserStandard:
      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
    portaltileGroupUserAdmin:
      - 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
      - 'cn=Support,cn=groups,{{ .Values.ldap.baseDn }}'
    portaltileGroupUserAll:
      - 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
    portaltileGroupGroupware:
      - 'cn=managed-by-attribute-Groupware,cn=groups,{{ .Values.ldap.baseDn }}'
    portaltileGroupFileshare:
      - 'cn=managed-by-attribute-Fileshare,cn=groups,{{ .Values.ldap.baseDn }}'
    portaltileGroupManagementProject:
      - 'cn=managed-by-attribute-Projectmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
    portaltileGroupManagementKnowledge:
      - 'cn=managed-by-attribute-Knowledgemanagement,cn=groups,{{ .Values.ldap.baseDn }}'
    portaltileGroupManagementLearn:
      - 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
    portaltileGroupLiveCollaboration:
      - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
    systemInformation:
      enabled: true
      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
      {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
      {{- else }}
      deployDate: "not available"
      {{- end }}
  # In openDesk the external memcache does not expect a username to be set. Overwriting
  # the default username of `selfservice` is part of the customizing:
  nubusUmcServer:
    memcached:
      auth:
        username: ""
 nubusUmcServer:
  postgresql:
@@ -491,35 +231,12 @@ nubusUmcServer:
  smtp:
    credentialSecret:
      name: "ums-umc-server-smtp-credentials-custom"
  ingress:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
 nubusUmcGateway:
  umcGateway:
    umcHtmlTitle: "openDesk Portal"
  ingress:
    certManager:
      enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
    # TODO: Remove the block "paths" once it has been corrected upstream.
    paths:
        - path: /()(univention/)(languages.json|meta.json|theme.css)
          pathType: ImplementationSpecific
        - path: /()(univention/)((js|management|themes)/.*)
          pathType: ImplementationSpecific
        - path: /()(univention/login/)(dialog.js|main.js|LoginDialog.js|i18n/.*?/main.json)
          pathType: ImplementationSpecific
 nubusKeycloakBootstrap:
  additionalAnnotations:
    argocd.argoproj.io/hook: "Sync"
  keycloak:
    auth:
      username: "kcadmin"
@@ -533,11 +250,6 @@ nubusKeycloakBootstrap:
    twoFactorAuthentication:
      enabled: true
      group: "2fa-users"
  ldap:
    auth:
      bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
      credentialSecret:
        name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
 # Credential secrets for accessing customer supplied services
 extraSecrets:
@@ -570,14 +282,15 @@ extraSecrets:
      umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
  - name: "ums-keycloak-extensions-smtp-opendesk-credentials"
    stringData:
-      umcKeycloakExtensionsSmtpPassword: ""
+      umcKeycloakExtensionsSmtpPassword: {{ .Values.smtp.password | quote }}
  - name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
    stringData:
      password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
  - name: "ums-portal-server-minio-opendesk-credentials"
    stringData:
      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
  - name: "ums-portal-listener-minio-opendesk-credentials"
    stringData:
      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
  - name: "ums-umc-server-smtp-credentials-custom"
    stringData:
-      password: ""
+      password: {{ .Values.smtp.password | quote }}
--- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -1,130 +1,35 @@
-{{/*
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 keycloak:
  enabled: true
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak"
  replicaCount: {{ .Values.replicas.keycloak }}
  resources:
    {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
-nubusGuardian:
+guardian:
  authorizationApi:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-authorization-api"
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
    resources:
      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
  managementApi:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-api"
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
    resources:
      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
  managementUi:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-ui"
    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
    resources:
-      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
+      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}#
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
  openPolicyAgent:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    podAnnotations:
      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
    replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
    resources:
      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
  provisioning:
    # Using openDesk keycloak provisioning
    enabled: false
@@ -132,24 +37,9 @@ nubusGuardian:
 nubusNotificationsApi:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-notifications-api"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
-    create: true
+    annotations:
      intended.usage: "compliance"
  replicaCount: {{ .Values.replicas.umsNotificationsApi }}
  resources:
    {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
@@ -157,40 +47,7 @@ nubusNotificationsApi:
 nubusUmcServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-umc-server"
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsUser: 0
    runAsGroup: 0
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: false
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  containerSecurityContextInit:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsUser: 0
    runAsGroup: 0
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: false
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  proxy:
    replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
  replicaCount: {{ .Values.replicas.umsUmcServer }}
  resources:
    {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
  selfService:
@@ -212,118 +69,39 @@ nubusUmcServer:
 nubusKeycloakExtensions:
  handler:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
    resources:
      {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
    securityContext:
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
  proxy:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
    resources:
      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
    securityContext:
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
-nubusPortalConsumer:
+nubusPortalListener:
  portalConsumer:
    image:
      pullSecrets:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
  podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-consumer"
+    intents.otterize.com/service-name: "ums-portal-listener"
-  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
+  replicaCount: {{ .Values.replicas.umsPortalListener }}
  resources:
-    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
+    {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
  resourcesWaitForDependency:
    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
+    size: {{ .Values.persistence.size.nubus.portalListener | quote }}
  securityContext:
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
 nubusUdmListener:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 102
    runAsGroup: 65534
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUdmListener }}
  resources:
    {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
 nubusPortalServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-server"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
-    create: true
+    annotations:
      intended.usage: "compliance"
  replicaCount: {{ .Values.replicas.umsPortalServer }}
  resources:
    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
 nubusLdapNotifier:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 101
    runAsGroup: 102
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-ldap-notifier"
  replicaCount: {{ .Values.replicas.umsLdapNotifier }}
@@ -331,95 +109,43 @@ nubusLdapNotifier:
    {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
 nubusLdapServer:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  highAvailabilityMode: false
  replicaCountPrimary: 1
  replicaCountSecondary: 0 # {{ .Values.replicas.umsLdapServerSecondary }}
  replicaCountProxy: 0 # {{ .Values.replicas.umsLdapServerProxy }}
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-ldap-server"
  serviceAccount:
-    create: true
+    annotations:
      intended.usage: "compliance"
  initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
    size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
  extraVolumes:
-    - name: "migration-scripts"
+    - name: "opendesk-schemas"
-      secret:
+      configMap:
-        secretName: "ums-ldap-server-migration"
+        name: "{{ .Release.Name }}-stack-data-swp-schemas"
        defaultMode: 0555
  extraVolumeMounts:
-    - name: "migration-scripts"
+    - name: "opendesk-schemas"
-      mountPath: "/entrypoint.d/30-purge.sh"
+      mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
-      subPath: "30-purge.sh"
+      subPath: "opendeskFileshare.schema"
-    - name: "migration-scripts"
+    - name: "opendesk-schemas"
-      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
+      mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
-      subPath: "95-slapadd-24-ldif.sh"
+      subPath: "opendeskKnowledgemanagement.schema"
-  extraSecrets:
+    - name: "opendesk-schemas"
-    - name: "ums-ldap-server-migration"
+      mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
-      stringData:
+      subPath: "opendeskLearnmanagement.schema"
-        30-purge.sh: |
+    - name: "opendesk-schemas"
-          #!/usr/bin/env bash
+      mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
-          me=$(basename "$0")
+      subPath: "opendeskLivecollaboration.schema"
-          echo "- Running ${me}"
+    - name: "opendesk-schemas"
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
+      mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
-            echo "- Cleaning up /var/lib/univention-ldap."
+      subPath: "opendeskProjectmanagement.schema"
-            cd /var/lib/univention-ldap
+
            rm -rf internal
            rm -rf ldap
            ls -l
          else
            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
          fi
        95-slapadd-24-ldif.sh: |
          #!/usr/bin/env bash
          me=$(basename "$0")
          echo "- Running ${me}"
          ls -l /var/lib/univention-ldap
          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
            ls -l /var/lib/univention-ldap/
            rm -rf /var/lib/univention-ldap/ldap
            rm -rf /var/lib/univention-ldap/internal
            echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
            ls -l /var/lib/univention-ldap/
            mkdir /var/lib/univention-ldap/ldap
            mkdir /var/lib/univention-ldap/internal
            echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
            ls -l /var/lib/univention-ldap/
            /usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
            echo "- slapadd executed"
            ls -l /var/lib/univention-ldap/
            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
            echo "- import file renamed"
            ls -l /var/lib/univention-ldap/
          else
            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
          fi
 nubusPortalFrontend:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-frontend"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
-    create: true
+    annotations:
      intended.usage: "compliance"
  replicaCount: {{ .Values.replicas.umsPortalFrontend }}
  resources:
    {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
@@ -431,69 +157,27 @@ nubusPortalFrontend:
      backgroundImage: {{ .Values.theme.imagery.logoPortalBackgroundSvgB64 | toJson }}
 nubusStackDataUms:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
  pullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-stack-data-ums"
  resources:
    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
-nubusSelfServiceConsumer:
+nubusStackDataSwp:
-  containerSecurityContext:
+  additionalAnnotations:
-    allowPrivilegeEscalation: false
+    intents.otterize.com/service-name: "ums-stack-data-swp"
-    capabilities:
+  resources:
-      drop:
+    {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}
-        - "ALL"
+
-    enabled: true
+nubusSelfServiceListener:
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-selfservice-listener"
  resources:
-    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
+    {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
+  replicaCount: {{ .Values.replicas.umsSelfserviceListener }}
 nubusUdmRestApi:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-udm-rest-api"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
    annotations:
      intended.usage: "compliance"
@@ -502,45 +186,42 @@ nubusUdmRestApi:
  initResources:
    {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUdmRestApi }}
  extraVolumes:
    - name: "attribute-to-group-mapper-hook"
      configMap:
        name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
  extraVolumeMounts:
    - name: "attribute-to-group-mapper-hook"
      mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
      subPath: "AttributeToGroupMapper.py"
    - name: "attribute-to-group-mapper-hook"
      mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
      subPath: "flag_to_group_mapping.json"
 nubusUmcGateway:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUmcGateway }}
  resources:
    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
  extraVolumes:
    - name: "entrypoint-swp-patches"
      configMap:
        name: "ums-stack-data-swp-umc-gateway-entrypoint"
        defaultMode: 0555
    - name: "announcements-customization"
      configMap:
        name: "ums-stack-data-swp-umc-server-announcements"
        defaultMode: 0444
  extraVolumeMounts:
    - name: "entrypoint-swp-patches"
      mountPath: "/entrypoint.d/90-swp.sh"
      subPath: "90-swp.sh"
    - name: "announcements-customization"
      mountPath:
        "/usr/share/univention-management-console-frontend/js/dijit/themes\
        /umc/icons/16x16/udm-portals-announcement.png"
      subPath: "udm-portals-announcement.png"
 nubusKeycloakBootstrap:
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    readOnlyRootFilesystem: false
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
  serviceAccount:
@@ -550,81 +231,39 @@ nubusKeycloakBootstrap:
    {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
 nubusProvisioning:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount:
    dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
    udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
    prefill: {{ .Values.replicas.umsProvisioningPrefill }}
    api: {{ .Values.replicas.umsProvisioningApi }}
  serviceAccount:
-    create: true
+    annotations:
      intended.usage: "compliance"
  nats:
    config:
      cluster:
        replicas: {{ .Values.replicas.umsProvisioningNats }}
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      enabled: true
      runAsUser: 1000
      runAsGroup: 1000
      seccompProfile:
        type: "RuntimeDefault"
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    persistence:
      size: {{ .Values.persistence.size.nubus.provisioningNats }}
    resources:
-      {{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
+      {{ .Values.resources.nubusProvisioning.nats | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-nats"
    serviceAccount:
-      create: true
+      annotations:
        intended.usage: "compliance"
  api:
    resources:
-      {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
+      {{ .Values.resources.nubusProvisioning.api | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-api"
  dispatcher:
    resources:
-      {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
+      {{ .Values.resources.nubusProvisioning.dispatcher | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
  prefill:
    resources:
-      {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
+      {{ .Values.resources.nubusProvisioning.prefill | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-prefill"
  registerConsumers:
    resources:
      {{ .Values.resources.nubusProvisioning.registerConsumers | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
  udmTransformer:
    resources:
-      {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
+      {{ .Values.resources.nubusProvisioning.udmTransformer | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
  resources:
    registerConsumers:
      {{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}
--- a/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
@@ -1,260 +1,230 @@
-{{/*
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 keycloak:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
+    registry: {{ .Values.images.nubusKeycloak.registry }}
    repository: {{ .Values.images.nubusKeycloak.repository }}
    tag: {{ .Values.images.nubusKeycloak.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusKeycloakBootstrap:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
+    registry: {{ .Values.images.nubusKeycloakBootstrap.registry }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusKeycloakExtensions:
    handler:
      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
+        registry: {{ .Values.images.nubusKeycloakExtensionHandler.registry }}
        repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
        tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    
    proxy:
      image:
-        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
+        registry: {{ .Values.images.nubusKeycloakExtensionProxy.registry }}
        repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
        tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusLdapNotifier:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
+    registry: {{ .Values.images.nubusLdapNotifier.registry }}
    repository: {{ .Values.images.nubusLdapNotifier.repository }}
    tag: {{ .Values.images.nubusLdapNotifier.tag }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusLdapServer:
  ldapServer:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
+      registry: {{ .Values.images.nubusLdapServer.registry }}
      repository: {{ .Values.images.nubusLdapServer.repository }}
      tag: {{ .Values.images.nubusLdapServer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  dhInitcontainer:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
+      registry: {{ .Values.images.nubusLdapServerDhInitContainer.registry }} 
      repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
      tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  waitForDependency:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+      
 nubusNotificationsApi:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
    repository: {{ .Values.images.nubusNotificationsApi.repository }}
    tag: {{ .Values.images.nubusNotificationsApi.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusPortalFrontend:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
    repository: {{ .Values.images.nubusPortalFrontend.repository }}
    tag: {{ .Values.images.nubusPortalFrontend.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusPortalConsumer:
  portalConsumer:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
+      registry: {{ .Values.images.nubusPortalConsumer.registry }}
      repository: {{ .Values.images.nubusPortalConsumer.repository }}
      tag: {{ .Values.images.nubusPortalConsumer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+      
 nubusNotificationsApi:
  image:
    registry: {{ .Values.images.nubusNotificationsApi.registry }}
    repository: {{ .Values.images.nubusNotificationsApi.repository }}
    tag: {{ .Values.images.nubusNotificationsApi.tag }}
 nubusPortalFrontend:
  image:
    registry: {{ .Values.images.nubusPortalFrontend.registry }}
    repository: {{ .Values.images.nubusPortalFrontend.repository }}
    tag: {{ .Values.images.nubusPortalFrontend.tag }}
 nubusPortalListener:
  image:
    registry: {{ .Values.images.nubusPortalListener.registry }}
    repository: {{ .Values.images.nubusPortalListener.repository }}
    tag: {{ .Values.images.nubusPortalListener.tag }}
  waitForDependency:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusPortalServer:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
+    registry: {{ .Values.images.nubusPortalServer.registry }}
    repository: {{ .Values.images.nubusPortalServer.repository }}
    tag: {{ .Values.images.nubusPortalServer.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusProvisioning:
  api:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
+      registry: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.registry }}
      repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
      tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  dispatcher:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
+      registry: {{ .Values.images.nubusProvisioningDispatcher.registry }}
      repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
      tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  udmTransformer:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
+      registry: {{ .Values.images.nubusProvisioningUdmTransformer.registry }}
      repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
      tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  prefill:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
+      registry: {{ .Values.images.nubusProvisioningPrefill.registry }}
      repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
      tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registerConsumers:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  nats:
    nats:
-      image:
+        image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
+            registry: {{ .Values.images.nubusNats.registry }}
-        repository: {{ .Values.images.nubusNats.repository }}
+            repository: {{ .Values.images.nubusNats.repository }}
-        tag: {{ .Values.images.nubusNats.tag }}
+            tag: {{ .Values.images.nubusNats.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    reloader:
-      image:
+        image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
+            registry: {{ .Values.images.nubusNatsReloader.registry }}
-        repository: {{ .Values.images.nubusNatsReloader.repository }}
+            repository: {{ .Values.images.nubusNatsReloader.repository }}
-        tag: {{ .Values.images.nubusNatsReloader.tag }}
+            tag: {{ .Values.images.nubusNatsReloader.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    natsBox:
-      image:
+        image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
+            registry: {{ .Values.images.nubusNatsBox.registry }}
-        repository: {{ .Values.images.nubusNatsBox.repository }}
+            repository: {{ .Values.images.nubusNatsBox.repository }}
-        tag: {{ .Values.images.nubusNatsBox.tag }}
+            tag: {{ .Values.images.nubusNatsBox.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusProvisioningEventsAndConsumerApi:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
+    registry: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.registry }}
    repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
    tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusProvisioningPrefill:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
+    registry: {{ .Values.images.nubusProvisioningPrefill.registry }}
    repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
    tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUdmListener:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
+    registry: {{ .Values.images.nubusProvisioningUdmListener.registry }}
    repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
    tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-nubusSelfServiceConsumer:
+nubusSelfServiceListener:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
+    registry: {{ .Values.images.nubusSelfserviceInvitation.registry }}
-    repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
+    repository: {{ .Values.images.nubusSelfserviceInvitation.repository }}
-    tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
+    tag: {{ .Values.images.nubusSelfserviceInvitation.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  waitForDependency:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUdmRestApi:
  # oxPlugin:
  #   image:
  #     registry: \{\{ .Values.images.nubusUdmRestApiOxPlugin.registry }}
  #     repository: \{\{ .Values.images.nubusUdmRestApiOxPlugin.repository }}
  #     tag: \{\{ .Values.images.nubusUdmRestApiOxPlugin.tag }}
  # portalPlugin:
  #   image:
  #     registry: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.registry }}
  #     repository: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.repository }}
  #     tag: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.tag }}
  udmRestApi:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
+      registry: {{ .Values.images.nubusUdmRestApi.registry }}
      repository: {{ .Values.images.nubusUdmRestApi.repository }}
      tag: {{ .Values.images.nubusUdmRestApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUmcGateway:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
+    registry: {{ .Values.images.nubusUmcGateway.registry }}
    repository: {{ .Values.images.nubusUmcGateway.repository }}
    tag: {{ .Values.images.nubusUmcGateway.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUmcServer:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
+    registry: {{ .Values.images.nubusUmcServer.registry }}
    repository: {{ .Values.images.nubusUmcServer.repository }}
    tag: {{ .Values.images.nubusUmcServer.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  proxy:
    image:
      registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
      repository: {{ .Values.images.nubusUmcServerProxy.repository }}
      tag: {{ .Values.images.nubusUmcServerProxy.tag }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusWaitForDependency:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
+    registry: {{ .Values.images.nubusWaitForDependency.registry }}
    repository: {{ .Values.images.nubusWaitForDependency.repository }}
    tag: {{ .Values.images.nubusWaitForDependency.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusGuardian:
  provisioning:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
+      registry: {{ .Values.images.nubusGuardianProvisioning.registry }}
      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  authorizationApi:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
+      registry: {{ .Values.images.nubusGuardianAuthorizationApi.registry }}
      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
      tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  managementApi:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
+      registry: {{ .Values.images.nubusGuardianManagementApi.registry }}
      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
      tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  managementUi:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
+      registry: {{ .Values.images.nubusGuardianManagementUi.registry }}
      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
      tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  openPolicyAgent:
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
+      registry: {{ .Values.images.nubusOpenPolicyAgent.registry }}
      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
      tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusStackDataUms:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
+    registry: {{ .Values.images.nubusDataLoader.registry }}
    repository: {{ .Values.images.nubusDataLoader.repository }}
    tag: {{ .Values.images.nubusDataLoader.tag }}
 nubusStackDataSwp:
  image:
    registry: {{ .Values.images.nubusDataLoader.registry }}
    repository: {{ .Values.images.nubusDataLoader.repository }}
    tag: {{ .Values.images.nubusDataLoader.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -1,5 +1,5 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
@@ -11,7 +11,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.opendeskKeycloakBootstrap.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.opendeskKeycloakBootstrap.registry | quote }}
  repository: {{ .Values.images.opendeskKeycloakBootstrap.repository | quote }}
  tag: {{ .Values.images.opendeskKeycloakBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -26,10 +26,6 @@ config:
      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
    clients:
      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
  managed:
    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
    # 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
    clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
  keycloak:
    adminUser: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -43,7 +39,8 @@ config:
    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
    # to LDAP group membership to ensure a user cannot access an application without the required
    # group membership.
-    # ToDo: Ensure all applications verify the token's signature to ensure it is not tampered.
+    # ToDo:
    # - Jitsi does currently not care if it gets scopes/claims as long as the user is authenticated.
    clientScopes:
      - name: "read_contacts"
        protocol: "openid-connect"
@@ -389,6 +386,60 @@ config:
          backchannel.logout.session.required: false
        defaultClientScopes:
          - "opendesk-dovecot-scope"
      - name: "opendesk-intercom"
        clientId: "opendesk-intercom"
        protocol: "openid-connect"
        clientAuthenticatorType: "client-secret"
        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
        redirectUris:
          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.revoke.offline.tokens: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
        protocolMappers:
          - name: "intercom-audience"
            protocol: "openid-connect"
            protocolMapper: "oidc-audience-mapper"
            consentRequired: false
            config:
              included.client.audience: "opendesk-intercom"
              id.token.claim: false
              access.token.claim: true
          # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
          # it to `opendesk_useruuid` standard claim. For reference:
          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
          - name: "entryuuid_temp"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "entryuuid"
              jsonType.label: "String"
          # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
          # set it to `opendesk_username` standard claim. For reference:
          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
          - name: "phoenixusername_temp"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "phoenixusername"
              jsonType.label: "String"
        defaultClientScopes:
          - "offline_access"
      - name: "opendesk-jitsi"
        clientId: "opendesk-jitsi"
        protocol: "openid-connect"
--- a/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/\
      {{ .Values.charts.dovecot.repository }}"
  # Open-Xchange
  - name: "open-xchange-repo"
@@ -19,7 +20,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/\
      {{ .Values.charts.openXchangeAppSuite.repository }}"
  # openDesk Open-Xchange Bootstrap
  # Source:
@@ -30,7 +32,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
      {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
 releases:
  - name: "dovecot"
@@ -38,7 +41,6 @@ releases:
    version: "{{ .Values.charts.dovecot.version }}"
    values:
      - "values-dovecot.yaml.gotmpl"
      - {{ .Values.customization.release.dovecot | default "additionalValues: false" }}
    installed: {{ .Values.dovecot.enabled }}
    timeout: 900
@@ -48,7 +50,6 @@ releases:
    values:
      - "values-openxchange.yaml.gotmpl"
      - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
      - {{ .Values.customization.release.openXchange | default "additionalValues: false" }}
    installed: {{ .Values.oxAppsuite.enabled }}
    timeout: 900
@@ -57,7 +58,6 @@ releases:
    version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
    values:
      - "values-openxchange-bootstrap.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskOpenXchangeBootstrap | default "additionalValues: false" }}
    installed: {{ .Values.oxAppsuite.enabled }}
    timeout: 900
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/open-xchange/helmfile.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -1,17 +1,18 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.dovecot.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.dovecot.registry | quote }}
  repository: {{ .Values.images.dovecot.repository | quote }}
  tag: {{ .Values.images.dovecot.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
-  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
+{{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
 {{- end }}
 dovecot:
  mailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
@@ -35,7 +36,7 @@ dovecot:
  submission:
    enabled: true
    ssl: "no"
-    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
+    host: "postfix:25"
 certificate:
  secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -66,9 +67,6 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.dovecot | toYaml | nindent 4 }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -8,22 +7,14 @@ cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.openxchangeBootstrap | toYaml | nindent 4 }}
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openxchangeBootstrap.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeBootstrap.registry | quote }}
  url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
  tag: {{ .Values.images.openxchangeBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
-  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
+{{- range .Values.global.imagePullSecrets }}
-
+  - name: {{ . | quote }}
-podAnnotations:
+{{- end }}
  argocd.argoproj.io/hook: "Sync"
  argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
 ...
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 appsuite:
  core-mw:
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -20,15 +19,13 @@ global:
 nextcloud-integration-ui:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
    repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
    tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  podAnnotations: {}
  replicaCount: {{ .Values.replicas.openxchangeNextcloudIntegrationUI }}
  resources:
    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
  securityContext:
@@ -49,17 +46,14 @@ nextcloud-integration-ui:
 public-sector-ui:
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangePublicSectorUI.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangePublicSectorUI.registry | quote }}
    repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
    tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  replicaCount: {{ .Values.replicas.openxchangePublicSectorUI }}
  podAnnotations: {}
  resources:
    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
  securityContext:
@@ -122,7 +116,6 @@ appsuite:
    jolokiaLogin: "jolokia"
    jolokiaPassword: {{ .Values.secrets.oxAppsuite.jolokiaPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    podAnnotations: {}
    serviceAccount:
      create: true
    features:
@@ -138,11 +131,9 @@ appsuite:
        - name: {{ . | quote }}
      {{- end }}
      image:
-        repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeGotenberg.registry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
+        repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGotenberg.registry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
        tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      replicaCount: {{ .Values.replicas.openxchangeGotenberg }}
      podAnnotations: {}
      resources:
        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
      securityContext:
@@ -250,11 +241,6 @@ appsuite:
      com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-apache2/"
      com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
      com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
      # Element integration
      com.openexchange.conference.element.enabled: "true"
      com.openexchange.conference.element.meetingHostUrl: http://matrix-neodatefix-bot
      com.openexchange.conference.element.matrixLoginUrl: http://opendesk-synapse-web:8008/_matrix/client/v3/login
      com.openexchange.conference.element.matrixUuidClaimName: opendesk_useruuid
      # GDPR
      com.openexchange.gdpr.dataexport.enabled: "false"
      com.openexchange.gdpr.dataexport.active: "false"
@@ -273,7 +259,6 @@ appsuite:
      com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
      com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
      com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
      com.openexchange.conference.element.authToken: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
    propertiesFiles:
      /opt/open-xchange/etc/AdminDaemon.properties:
        MASTER_ACCOUNT_OVERRIDE: "true"
@@ -341,16 +326,15 @@ appsuite:
      oxguardpass: |
        {{ .Values.secrets.oxAppsuite.oxguardMC }}
        {{ .Values.secrets.oxAppsuite.oxguardRC }}
-    redis: &redisConfiguration
+    redis:
      enabled: true
      mode: "standalone"
      hosts:
-        - "redis-master:6379"
+        - "redis-master"
      auth:
        enabled: true
        password: {{ .Values.secrets.redis.password | quote }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreMW.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreMW.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -365,7 +349,6 @@ appsuite:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    replicas: {{ .Values.replicas.openxchangeCoreMW }}
    resources:
      {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
@@ -376,12 +359,10 @@ appsuite:
      - name: {{ . | quote }}
    {{- end }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreUI.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUI.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    replicaCount: {{ .Values.replicas.openxchangeCoreUI }}
    podAnnotations: {}
    resources:
      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
    securityContext:
@@ -410,14 +391,20 @@ appsuite:
      - name: {{ . | quote }}
    {{- end }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreUIMiddleware.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUIMiddleware.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    overrides: {}
-    podAnnotations: {}
+    redis:
-    redis: *redisConfiguration
+      mode: "standalone"
-    replicaCount: {{ .Values.replicas.openxchangeCoreUIMiddleware }}
+      hosts:
        - "redis-master:6379"
      auth:
        enabled: true
        password: {{ .Values.secrets.redis.password | quote }}
        # Workaround for a bug in 8.23
        ca: ""
    resources:
      {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
    updater:
@@ -451,12 +438,9 @@ appsuite:
        remoteCache:
          enabled: false
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeDocumentConverter.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
    podAnnotations: {}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreDocumentConverter }}
    resources:
      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
    securityContext:
@@ -498,12 +482,10 @@ appsuite:
      - name: {{ . | quote }}
    {{- end }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreGuidedtours.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreGuidedtours.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    podAnnotations: {}
    replicaCount: {{ .Values.replicas.openxchangeCoreGuidedtours }}
    resources:
      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
    securityContext:
@@ -528,7 +510,7 @@ appsuite:
    basicAuthLogin: "oxlogin"
    basicAuthPassword: {{ .Values.secrets.oxAppsuite.basicAuthPassword | quote }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeImageConverter.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeImageConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
    objectCache:
@@ -537,9 +519,6 @@ appsuite:
          endpoint: "."
          accessKey: "."
          secretKey: "."
    podAnnotations: {}
    redis: *redisConfiguration
    replicaCount: {{ .Values.replicas.openxchangeCoreImageConverter }}
    resources:
      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
    securityContext:
@@ -566,12 +545,9 @@ appsuite:
      - name: {{ . | quote }}
    {{- end }}
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeGuardUI.registry | quote }}
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGuardUI.registry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
      repository: {{ .Values.images.openxchangeGuardUI.repository | quote }}
      tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    podAnnotations: {}
    replicaCount: {{ .Values.replicas.openxchangeGuardUI }}
    resources:
      {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
    securityContext:
@@ -594,7 +570,7 @@ appsuite:
  core-user-guide:
    enabled: true
    image:
-      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeCoreUserGuide.registry | quote }}
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUserGuide.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -602,8 +578,6 @@ appsuite:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    podAnnotations: {}
    replicaCount: {{ .Values.replicas.openxchangeCoreUserGuide }}
    resources:
      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
    securityContext:
--- a/helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/\
      {{ .Values.charts.openprojectBootstrap.repository }}"
 releases:
  - name: "opendesk-openproject-bootstrap"
@@ -20,7 +21,6 @@ releases:
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskOpenprojectBootstrap | default "additionalValues: false" }}
    installed: {{ .Values.openproject.enabled }}
    timeout: 900
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -16,8 +15,6 @@ cleanup:
  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 config:
  debug:
    enabled: {{ .Values.debug.enabled }}
  openproject:
    fileshareName: "Nextcloud at {{ .Values.global.domain }}"
    admin:
@@ -45,7 +42,7 @@ containerSecurityContext:
    {{ .Values.seLinuxOptions.openprojectBootstrap | toYaml | nindent 4 }}
 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openprojectBootstrap.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
  repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
  tag: {{ .Values.images.openprojectBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
@@ -53,8 +50,6 @@ image:
 job:
  enabled: true
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
--- a/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/\
      {{ .Values.charts.openproject.repository }}"
 releases:
  - name: "openproject"
@@ -20,9 +21,8 @@ releases:
    waitForJobs: true
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.openproject | default "additionalValues: false" }}
    installed: {{ .Values.openproject.enabled }}
-    timeout: 1500
+    timeout: 900
 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/openproject/helmfile.yaml.gotmpl
+++ b/helmfile/apps/openproject/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -8,10 +7,6 @@ global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 appInit:
  resources:
    {{ .Values.resources.openprojectAppInit | toYaml | nindent 4 }}
 containerSecurityContext:
  enabled: true
  privileged: false
@@ -28,15 +23,6 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
 dbInit:
  image:
    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openprojectDbInit.registry | quote }}
    repository: {{ .Values.images.openprojectDbInit.repository | quote }}
    tag: {{ .Values.images.openprojectDbInit.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  resources:
    {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
@@ -45,6 +31,7 @@ environment:
  OPENPROJECT_USER__DEFAULT__TIMEZONE: "Europe/Berlin"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
  OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
  OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
@@ -72,15 +59,15 @@ environment:
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
-  OPENPROJECT_SMTP__USER__NAME: ""
+  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
-  OPENPROJECT_SMTP__PASSWORD: ""
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
-  OPENPROJECT_SMTP__PORT: 25
+  OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
-  OPENPROJECT_SMTP__AUTHENTICATION: "none"
+  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
-  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
+  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
-  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"
+  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
-  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.nubus .Values.global.domain | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
@@ -89,11 +76,18 @@ environment:
  {{- end }}
 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openproject.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
  repository: {{ .Values.images.openproject.repository | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.openproject.tag | quote }}
 initdb:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }}
    repository: {{ .Values.images.openprojectInitDb.repository | quote }}
    tag: {{ .Values.images.openprojectInitDb.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 memcached:
  bundled: false
  connection:
@@ -103,8 +97,6 @@ memcached:
 persistence:
  enabled: false
 podAnnotations: {}
 postgresql:
  bundled: false
  auth:
@@ -188,12 +180,5 @@ s3:
 seederJob:
  annotations:
    intents.otterize.com/service-name: "openproject-seeder"
  resources:
    {{ .Values.resources.openprojectSeederJob | toYaml | nindent 4 }}
 workers:
  default:
    resources:
      {{ .Values.resources.openprojectWorkers | toYaml | nindent 6 }}
 ...
--- a/helmfile/apps/provisioning/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/provisioning/helmfile-child.yaml.gotmpl
@@ -7,7 +7,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/\
      {{ .Values.charts.oxConnector.repository }}"
 releases:
  - name: "ox-connector"
@@ -15,7 +16,6 @@ releases:
    version: "{{ .Values.charts.oxConnector.version }}"
    values:
      - "values-oxconnector.yaml.gotmpl"
      - {{ .Values.customization.release.oxConnector | default "additionalValues: false" }}
    installed: {{ .Values.oxConnector.enabled }}
 commonLabels:
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/provisioning/helmfile.yaml.gotmpl
+++ b/helmfile/apps/provisioning/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -1,25 +1,12 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.oxConnector.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
  repository: {{ .Values.images.oxConnector.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.oxConnector.tag | quote }}
  waitForDependency:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nubusWaitForDependency.registry | quote }}
    repository: {{ .Values.images.nubusWaitForDependency.repository }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
    pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
@@ -29,8 +16,16 @@ ingress:
  enabled: false
 oxConnector:
  caCert: "ucctempldapstring"
  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
  domainName: {{ .Values.global.domain | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  ldapHost: "{{ .Values.ldap.host | quote }}-primary"
  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
  ldapPassword: {{ .Values.secrets.nubus.ldapSecret | quote }}
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
  tlsMode: "off"
  notifierServer: {{ .Values.ldap.notifierHost | quote }}
  oxDefaultContext: "1"
  oxImapServer: "imap://127.0.0.1:143"
  oxLocalTimezone: "Europe/Berlin"
@@ -40,21 +35,12 @@ oxConnector:
  oxSmtpServer: "smtp://127.0.0.1:587"
  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
 provisioningApi:
  connection:
    baseUrl: "http://ums-provisioning-api"
  auth:
    username: "ox-connector"
    password: {{ .Values.secrets.oxConnector.provisioningApiPassword | quote }}
 resources:
  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
 persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 podAnnotations: {}
 ## Container deployment probes
 probes:
  liveness:
--- a/helmfile/apps/services/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/services/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
      {{ .Values.charts.otterize.repository }}"
  # openDesk Home
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
@@ -20,7 +21,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/{{ .Values.charts.home.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
      {{ .Values.charts.home.repository }}"
  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -30,7 +32,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/\
      {{ .Values.charts.certificates.repository }}"
  # openDesk PostgreSQL
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
@@ -40,7 +43,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/\
      {{ .Values.charts.postgresql.repository }}"
  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -50,17 +54,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
-
+      {{ .Values.charts.mariadb.repository }}"
  # openDesk dkimpy-milter
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
  - name: "dkimpy-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.dkimpy.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/{{ .Values.charts.dkimpy.repository }}"
  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -70,7 +65,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
      {{ .Values.charts.postfix.repository }}"
  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -80,14 +76,16 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/\
      {{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/\
      {{ .Values.charts.clamavSimple.repository }}"
  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
@@ -97,21 +95,24 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/\
      {{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/\
      {{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/\
      {{ .Values.charts.minio.repository }}"
 releases:
  - name: "opendesk-otterize"
@@ -119,7 +120,6 @@ releases:
    version: "{{ .Values.charts.otterize.version }}"
    values:
      - "values-otterize.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskOtterize | default "additionalValues: false" }}
    installed: {{ .Values.security.otterizeIntents.enabled }}
    timeout: 900
@@ -128,7 +128,6 @@ releases:
    version: "{{ .Values.charts.home.version }}"
    values:
      - "values-home.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskHome | default "additionalValues: false" }}
    installed: {{ .Values.home.enabled }}
  - name: "opendesk-certificates"
@@ -136,7 +135,6 @@ releases:
    version: "{{ .Values.charts.certificates.version }}"
    values:
      - "values-certificates.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskCertificates | default "additionalValues: false" }}
    installed: {{ .Values.certificates.enabled }}
    timeout: 900
@@ -145,7 +143,6 @@ releases:
    version: "{{ .Values.charts.redis.version }}"
    values:
      - "values-redis.yaml.gotmpl"
      - {{ .Values.customization.release.redis | default "additionalValues: false" }}
    installed: {{ .Values.redis.enabled }}
    timeout: 900
@@ -154,7 +151,6 @@ releases:
    version: "{{ .Values.charts.memcached.version }}"
    values:
      - "values-memcached.yaml.gotmpl"
      - {{ .Values.customization.release.memcached | default "additionalValues: false" }}
    installed: {{ .Values.memcached.enabled }}
    timeout: 900
@@ -163,7 +159,6 @@ releases:
    version: "{{ .Values.charts.postgresql.version }}"
    values:
      - "values-postgresql.yaml.gotmpl"
      - {{ .Values.customization.release.postgresql | default "additionalValues: false" }}
    installed: {{ .Values.postgresql.enabled }}
    timeout: 900
@@ -172,7 +167,6 @@ releases:
    version: "{{ .Values.charts.mariadb.version }}"
    values:
      - "values-mariadb.yaml.gotmpl"
      - {{ .Values.customization.release.mariadb | default "additionalValues: false" }}
    installed: {{ .Values.mariadb.enabled }}
    timeout: 900
@@ -181,25 +175,14 @@ releases:
    version: "{{ .Values.charts.postfix.version }}"
    values:
      - "values-postfix.yaml.gotmpl"
      - {{ .Values.customization.release.postfix | default "additionalValues: false" }}
    installed: {{ .Values.postfix.enabled }}
    timeout: 900
  - name: "opendesk-dkimpy-milter"
    chart: "dkimpy-repo/{{ .Values.charts.dkimpy.name }}"
    version: "{{ .Values.charts.dkimpy.version }}"
    values:
      - "values-dkimpy.yaml.gotmpl"
      - {{ .Values.customization.release.opendeskDkimpyMilter | default "additionalValues: false" }}
    installed: {{ .Values.dkimpy.enabled }}
    timeout: 900
  - name: "clamav"
    chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
    version: "{{ .Values.charts.clamav.version }}"
    values:
      - "values-clamav-distributed.yaml.gotmpl"
      - {{ .Values.customization.release.clamav | default "additionalValues: false" }}
    installed: {{ .Values.clamavDistributed.enabled }}
    timeout: 900
@@ -208,7 +191,6 @@ releases:
    version: "{{ .Values.charts.clamavSimple.version }}"
    values:
      - "values-clamav-simple.yaml.gotmpl"
      - {{ .Values.customization.release.clamavSimple | default "additionalValues: false" }}
    installed: {{ .Values.clamavSimple.enabled }}
    timeout: 900
@@ -217,7 +199,6 @@ releases:
    version: "{{ .Values.charts.minio.version }}"
    values:
      - "values-minio.yaml.gotmpl"
      - {{ .Values.customization.release.minio | default "additionalValues: false" }}
    installed: {{ .Values.minio.enabled }}
    timeout: 900
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/services/helmfile.yaml.gotmpl
+++ b/helmfile/apps/services/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -1,5 +1,4 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
@@ -7,48 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
-    {{- if .Values.collabora.enabled }}
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
    collabora: {{ .Values.global.hosts.collabora }}
    {{- end }}
    {{- if .Values.cryptpad.enabled }}
    cryptpad: {{ .Values.global.hosts.cryptpad }}
    {{- end }}
    {{- if .Values.element.enabled }}
    element: {{ .Values.global.hosts.element }}
    matrixNeoBoardWidget: {{ .Values.global.hosts.matrixNeoBoardWidget }}
    matrixNeoChoiceWidget: {{ .Values.global.hosts.matrixNeoChoiceWidget }}
    matrixNeoDateFixBot: {{ .Values.global.hosts.matrixNeoDateFixBot }}
    matrixNeoDateFixWidget: {{ .Values.global.hosts.matrixNeoDateFixWidget }}
    synapse: {{ .Values.global.hosts.synapse }}
    synapseFederation: {{ .Values.global.hosts.synapseFederation }}
    whiteboard: {{ .Values.global.hosts.whiteboard }}
    {{- end }}
    {{- if .Values.intercom.enabled }}
    intercomService: {{ .Values.global.hosts.intercomService }}
    {{- end }}
    {{- if .Values.jitsi.enabled }}
    jitsi: {{ .Values.global.hosts.jitsi }}
    {{- end }}
    {{- if .Values.minio.enabled }}
    minioApi: {{ .Values.global.hosts.minioApi }}
    minioConsole: {{ .Values.global.hosts.minioConsole }}
    {{- end }}
    {{- if .Values.nextcloud.enabled }}
    nextcloud: {{ .Values.global.hosts.nextcloud }}
    {{- end }}
    {{- if .Values.openproject.enabled }}
    openproject: {{ .Values.global.hosts.openproject }}
    {{- end }}
    {{- if .Values.oxAppsuite.enabled }}
    openxchange: {{ .Values.global.hosts.openxchange }}
    {{- end }}
    {{- if .Values.nubus.enabled }}
    keycloak: {{ .Values.global.hosts.keycloak }}
    nubus: {{ .Values.global.hosts.nubus }}
    {{- end }}
    {{- if .Values.xwiki.enabled }}
    xwiki: {{ .Values.global.hosts.xwiki }}
    {{- end }}
 issuerRef:
  name: {{ .Values.certificate.issuerRef.name | quote }}
--- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 clamd:
  containerSecurityContext:
@@ -21,11 +18,10 @@ clamd:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.clamd | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.clamd.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
    tag: {{ .Values.images.clamd.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations: {}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -66,11 +62,10 @@ freshclam:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.freshclam | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.freshclam.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
    repository: {{ .Values.images.freshclam.repository | quote }}
    tag: {{ .Values.images.freshclam.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations: {}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -78,15 +73,7 @@ freshclam:
  replicaCount: {{ .Values.replicas.freshclam }}
  resources:
    {{ .Values.resources.freshclam | toYaml | nindent 4 }}
-  settings:
+
    database:
      auth:
        {{ .Values.repositories.clamav.auth | toYaml | nindent 8 }}
      mirror:
        scheme: {{ .Values.repositories.clamav.mirror.scheme | quote }}
        url: {{ .Values.repositories.clamav.mirror.url | quote }}
      customURLs:
        {{ .Values.repositories.clamav.customURLs | toYaml | nindent 8 }}
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -108,11 +95,10 @@ icap:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.icap | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.icap.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations: {}
  podSecurityContext:
    enabled: true
    fsGroup: 101
@@ -138,11 +124,10 @@ milter:
    seLinuxOptions:
      {{ .Values.seLinuxOptions.milter | toYaml | nindent 6 }}
  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.milter.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
    repository: {{ .Values.images.milter.repository | quote }}
    tag: {{ .Values.images.milter.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  podAnnotations: {}
  podSecurityContext:
    enabled: true
    fsGroup: 101
--- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -26,12 +23,12 @@ global:
 image:
  clamav:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.clamd.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
    tag: {{ .Values.images.clamd.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  icap:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.icap.registry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -40,8 +37,6 @@ persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.clamav | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 101
@@ -52,14 +47,4 @@ replicaCount: {{ .Values.replicas.clamav }}
 resources:
  {{ .Values.resources.clamd | toYaml | nindent 4 }}
 settings:
  freshclam:
    database:
      auth:
        {{ .Values.repositories.clamav.auth | toYaml | nindent 8 }}
      mirror:
        scheme: {{ .Values.repositories.clamav.mirror.scheme | quote }}
        url: {{ .Values.repositories.clamav.mirror.url | quote }}
      customURLs:
        {{ .Values.repositories.clamav.customURLs | toYaml | nindent 8 }}
 ...
--- a/helmfile/apps/services/values-dkimpy.yaml.gotmpl
+++ b/helmfile/apps/services/values-dkimpy.yaml.gotmpl
@@ -1,47 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: true
  capabilities: {}
  enabled: true
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  privileged: false
  seLinuxOptions:
    {{ .Values.seLinuxOptions.dkimpy | toYaml | nindent 4 }}
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.dkimpy.registry | quote }}
  repository: {{ .Values.images.dkimpy.repository | quote }}
  tag: {{ .Values.images.dkimpy.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
 configuration:
  domain: "{{ .Values.global.domain }}{{ if .Values.global.mailDomain }}, {{ .Values.global.mailDomain }}{{ end }}"
  key:
    {{ .Values.smtp.dkim.key | toYaml | nindent 4 }}
  mode: "s"
  selector: {{ .Values.smtp.dkim.selector }}
  useED25519: {{ .Values.smtp.dkim.useED25519 }}
 replicaCount: {{ .Values.replicas.dkimpy }}
 resources:
  {{ .Values.resources.dkimpy | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -1,12 +1,8 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
@@ -29,7 +25,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.mariadb.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.mariadb.registry | quote }}
  repository: {{ .Values.images.mariadb.repository | quote }}
  tag: {{ .Values.images.mariadb.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -39,32 +35,19 @@ job:
  retries: 10
  wait: 30
  users:
    - username: {{ .Values.databases.nextcloud.username | quote }}
      password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
      connectionLimit: {{ .Values.databases.nextcloud.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    # OX and XWiki are using the db's `root` users (see `database.yaml`). So we are statically referencing their dedicated
    # users for the moment.
    - username: "openxchange_user"
    # - username: {{ .Values.databases.xwiki.username | quote }}
      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
      connectionLimit: {{ .Values.databases.oxAppsuite.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
    - username: "xwiki_user"
    # - username: {{ .Values.databases.oxAppsuite.username | quote }}
      password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
-      connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "openxchange_user"
      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
    - username: "nextcloud_user"
      password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
  databases:
    - name: {{ .Values.databases.nextcloud.name | quote }}
      user: {{ .Values.databases.nextcloud.username | quote }}
    # OX and XWiki are using the db's `root` users (see `database.yaml`). So we are statically referencing their dedicated
    # users for the moment.
    - name: "openxchange"
      user: "openxchange_user"
    # - name: {{ .Values.databases.oxAppsuite.name | quote }}
    #   user: {{ .Values.databases.oxAppsuite.username | quote }}
    - name: "xwiki"
      user: "xwiki_user"
-    # - name: {{ .Values.databases.xwiki.name | quote }}
+    - name: "nextcloud"
-    #   user: {{ .Values.databases.xwiki.username | quote }}
+      user: "nextcloud_user"
    - name: "openxchange"
      user: "openxchange_user"
 mariadb:
  rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
@@ -73,8 +56,6 @@ persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.mariadb | quote }}
 podAnnotations: {}
 podSecurityContext:
  enabled: true
  fsGroup: 1001
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 architecture: {{ if gt .Values.replicas.memcached 1 }}"high-availability"{{ else }}"standalone"{{ end }}
@@ -27,13 +24,11 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.memcached.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.memcached.registry | quote }}
  repository: {{ .Values.images.memcached.repository | quote }}
  tag: {{ .Values.images.memcached.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 podAnnotations: {}
 replicaCount: {{ .Values.replicas.memcached }}
 resources:
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 apiIngress:
  enabled: {{ .Values.ingress.enabled }}
@@ -42,7 +39,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.minio.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
  repository: "{{ .Values.images.minio.repository }}"
  tag: "{{ .Values.images.minio.tag }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
@@ -88,8 +85,7 @@ persistence:
 provisioning:
  enabled: true
  cleanupAfterFinished:
-    enabled: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+    enabled: true
    seconds: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
  extraCommands:
    - "mc anonymous set download provisioning/ums/portal-assets"
  buckets:
@@ -182,8 +178,6 @@ provisioning:
  resources:
    {{ .Values.resources.minio | toYaml | nindent 4 }}
 podAnnotations: {}
 readinessProbe:
  enabled: true
  initialDelaySeconds: 5
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 certificate:
  secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -28,7 +25,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.postfix.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.postfix.registry | quote }}
  repository: {{ .Values.images.postfix.repository | quote }}
  tag: {{ .Values.images.postfix.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -52,9 +49,6 @@ postfix:
    - fileName: "sasl_passwd.map"
      content:
        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
  {{- if .Values.dkimpy.enabled }}
  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
  {{- end }}
  rspamdHost: ""
  relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
@@ -76,8 +70,6 @@ postfix:
  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
  virtualTransport: "lmtps:dovecot:24"
 podAnnotations: {}
 replicaCount: {{ .Values.replicas.postfix }}
 resources:
--- a/helmfile/apps/services/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -1,13 +1,6 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -24,6 +17,8 @@ containerSecurityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}
 job:
 podSecurityContext:
  enabled: true
  fsGroup: 1001
@@ -39,7 +34,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.postgresql.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.postgresql.registry | quote }}
  repository: {{ .Values.images.postgresql.repository | quote }}
  tag: {{ .Values.images.postgresql.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -48,50 +43,41 @@ image:
 job:
  users:
-    - username: {{ .Values.databases.keycloak.username | quote }}
+    - username: "keycloak_user"
      password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
-      connectionLimit: {{ .Values.databases.keycloak.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "openproject_user"
    - username: {{ .Values.databases.openproject.username | quote }}
      password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
-      connectionLimit: {{ .Values.databases.openproject.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "keycloak_extensions_user"
    - username: {{ .Values.databases.keycloakExtension.username | quote }}
      password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
-      connectionLimit: {{ .Values.databases.keycloakExtension.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "matrix_user"
    - username: {{ .Values.databases.synapse.username | quote }}
      password: {{ .Values.secrets.postgresql.matrixUser | quote }}
-      connectionLimit: {{ .Values.databases.synapse.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "notificationsapi_user"
    - username: {{ .Values.databases.umsNotificationsApi.username | quote }}
      password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
-      connectionLimit: {{ .Values.databases.umsNotificationsApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "guardianmanagementapi_user"
    - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
      password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
-      connectionLimit: {{ .Values.databases.umsGuardianManagementApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "selfservice_user"
    - username: {{ .Values.databases.umsSelfservice.username | quote }}
      password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
      connectionLimit: {{ .Values.databases.umsSelfservice.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
  databases:
-    - name: {{ .Values.databases.keycloak.name | quote }}
+    - name: "keycloak"
-      user: {{ .Values.databases.keycloak.username | quote }}
+      user: "keycloak_user"
-    - name: {{ .Values.databases.keycloakExtension.name | quote }}
+    - name: "keycloak_extensions"
-      user: {{ .Values.databases.keycloakExtension.username | quote }}
+      user: "keycloak_extensions_user"
-    - name: {{ .Values.databases.openproject.name | quote }}
+    - name: "openproject"
-      user: {{ .Values.databases.openproject.username | quote }}
+      user: "openproject_user"
-    - name: {{ .Values.databases.synapse.name | quote }}
+    - name: "matrix"
-      user: {{ .Values.databases.synapse.username | quote }}
+      user: "matrix_user"
      additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
-    - name: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+    - name: "guardianmanagementapi"
-      user: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+      user: "guardianmanagementapi_user"
-    - name: {{ .Values.databases.umsNotificationsApi.name | quote }}
+    - name: "notificationsapi"
-      user: {{ .Values.databases.umsNotificationsApi.username | quote }}
+      user: "notificationsapi_user"
-    - name: {{ .Values.databases.umsSelfservice.name | quote }}
+    - name: "selfservice"
-      user: {{ .Values.databases.umsSelfservice.username | quote }}
+      user: "selfservice_user"
 persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.postgresql | quote }}
 podAnnotations: {}
 postgres:
  password: {{ .Values.secrets.postgresql.postgresUser | quote }}
--- a/helmfile/apps/services/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services/values-redis.yaml.gotmpl
@@ -1,8 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 architecture: "standalone"
@@ -15,7 +12,7 @@ global:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 image:
-  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.redis.registry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.redis.registry | quote }}
  repository: {{ .Values.images.redis.repository | quote }}
  tag: {{ .Values.images.redis.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -38,7 +35,6 @@ master:
  count: {{ .Values.replicas.redis }}
  persistence:
    size: {{ .Values.persistence.size.redis | quote }}
  podAnnotations: {}
  resources:
    {{ .Values.resources.redis | toYaml | nindent 4 }}
--- a/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
@@ -10,7 +10,8 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/\
      {{ .Values.charts.xwiki.repository }}"
 releases:
  - name: "xwiki"
@@ -19,7 +20,6 @@ releases:
    wait: true
    values:
      - "values.yaml.gotmpl"
      - {{ .Values.customization.release.xwiki | default "additionalValues: false" }}
    installed: {{ .Values.xwiki.enabled }}
    timeout: 900
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/xwiki/helmfile.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile.yaml.gotmpl
@@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 helmfiles:
  - path: "./helmfile-child.yaml.gotmpl"
    values:
      - {{ toYaml .Values | nindent 8 }}
 ...
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -1,11 +1,10 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  name: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.xwiki.registry }}/{{ .Values.images.xwiki.repository }}"
+  name: "{{ .Values.global.imageRegistry | default .Values.images.xwiki.registry }}/{{ .Values.images.xwiki.repository }}"
  tag: {{ .Values.images.xwiki.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -137,13 +136,13 @@ properties:
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
  ## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
  ## SMTP settings
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ .Values.smtp.host | quote }}
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": {{ .Values.smtp.port | quote }}
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ .Values.smtp.username | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.password": {{ .Values.smtp.password | quote }}
  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=true"
  ## Link LDAP users and users authenticated through OIDC
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jaime Conde	2427389207	fix(nubus): Fix udm-rest-api extended_attributes	2024-08-01 22:01:27 +02:00
Jaime Conde	2767ff1923	fix(nubus): Better logging and fixes for keycloak-extensions	2024-08-01 10:12:58 +02:00
Jaime Conde	1805a6bce5	fix(provisioning): Point OX Connector to LDAP Server Primaries	2024-08-01 10:05:04 +02:00
Jaime Conde	66561d9a25	fix(nubus): Keycloak Extensions wrong sender email	2024-08-01 00:06:32 +02:00
Jaime Conde	ed144c2be2	fix(nubus): Keycloak Extensions bump python-keycloak	2024-07-31 18:12:49 +02:00
Thorsten Roßner	aae2dc3344	fix(migrations): Properly handle pre-existing configmaps when adding a value.	2024-07-31 17:50:07 +02:00
Thorsten Roßner	8b1f1c1380	fix(nubus): Theming	2024-07-31 17:50:07 +02:00
Thorsten Roßner	ba8366301b	fix(helmfile): Re-add `services` app to `helmfile_generic.yaml`.	2024-07-31 17:50:07 +02:00
Thorsten Roßner	8b7cb04765	fix(nubus): Update component name.	2024-07-31 17:50:07 +02:00
Thorsten Roßner	a33efe6160	fix(migrations): Support Nubus MR upgrade.	2024-07-31 17:50:07 +02:00
Thorsten Roßner	b361b57dae	fix(migrations): Support Nubus MR upgrade.	2024-07-31 17:50:06 +02:00
Carlos García-Mauriño	dc8ec1f5f9	feat(nubus): Update ums-stack	2024-07-31 17:43:26 +02:00
Carlos García-Mauriño	b06faf8616	fix(nubus): UMC policies Might want to replace this commit and just use the same change from `ums-stack`.	2024-07-31 17:43:26 +02:00
Carlos García-Mauriño	4db56e2833	fix(nubus): Enable selfservice listener	2024-07-31 17:43:26 +02:00
Carlos García-Mauriño	eef32033f6	feat(nubus): Update upstream charts and images	2024-07-31 17:43:26 +02:00
Carlos García-Mauriño	613302ddbf	feat(nubus): Move theme customization to this repo	2024-07-31 17:43:26 +02:00
Carlos García-Mauriño	30cb62bf05	feat(nubus): Update nubus to 0.28.0.	2024-07-31 17:43:26 +02:00
Jaime Conde	1c0a329866	fix(nubus): Keycloak admin console only when debug is set	2024-07-31 17:43:26 +02:00
Thorsten Roßner	150b222c88	fix(docs): Update migration.md with LDAP PVC update information.	2024-07-31 17:43:25 +02:00
Jaime Conde	663bb3f344	fix(nubus): Disable provisioning	2024-07-31 17:42:09 +02:00
Jaime Conde	97f55f40d0	fix(nubus): Portal title	2024-07-31 17:42:09 +02:00
Jaime Conde	795d4f14bb	fix(nubus): Disable keycloak admin console unless debug is set	2024-07-31 17:42:09 +02:00
Jaime Conde	cae20a56d9	fix(nubus): OX ldap mappers	2024-07-31 17:42:09 +02:00
Jaime Conde	22d984e71f	fix(nubus): Rebase images	2024-07-31 17:42:07 +02:00
Jaime Conde	f626b81c53	fix(nubus): Drop old files	2024-07-31 17:40:57 +02:00
Jaime Conde	c15fb90ef3	fix(nubus): Boostrap new file	2024-07-31 17:40:57 +02:00
Jaime Conde	ecfd051521	fix(nubus): Bump nubus to include fixes	2024-07-31 17:40:57 +02:00
Jaime Conde	02f708c0d9	fix(nubus): Central navigation	2024-07-31 17:40:57 +02:00
Jaime Conde	7b01ffa57f	fix(nubus): Portal title	2024-07-31 17:40:57 +02:00
Jaime Conde	19f0ed87a3	fix(nubus): Keycloak wrong credentials	2024-07-31 17:40:57 +02:00
Daniel Troeder	f084bbf840	fix(nubus): Support for customization/templating of password reset email.	2024-07-31 17:40:57 +02:00
Jaime Conde	d9a248e06b	fix(nubus): Fix tile links to use templated links	2024-07-31 17:40:57 +02:00
Jaime Conde	ef346d4b57	fix(nubus): Drop guardian provisioning	2024-07-31 17:40:57 +02:00
Jaime Conde	9dfbadfac5	fix(nubus): Missing ldapBase caused by extra quoting	2024-07-31 17:40:57 +02:00
Jaime Conde	b75273089a	fix(nubus): Missing secret mapping for keycloak-boostrap	2024-07-31 17:40:57 +02:00
Jaime Conde	1d652f2d4e	fix(nubus): Rollback secret derivation change	2024-07-31 17:40:57 +02:00
Jaime Conde	a33a7bcf00	fix(nubus): Use Keycloak credentials	2024-07-31 17:40:57 +02:00
Thorsten Roßner	1956fafd79	fix(nubus): Reorder images.yaml for opendesk Linter.	2024-07-31 17:40:55 +02:00
Jaime Conde	0680bc97cb	fix(nubus): Quote port for keycloak-extensions	2024-07-31 17:38:01 +02:00
Jaime Conde	7ef6aa07f6	fix(nubus): Bump nubus version	2024-07-31 17:38:01 +02:00
Jaime Conde	065dface91	fix(nubus): Map helmfile default account secrets to Nubus	2024-07-31 17:38:01 +02:00
Andreas Niemann	eedece7699	chore(nubus): Switch to mainline Nubus branch	2024-07-31 17:38:01 +02:00
Andreas Niemann	181a67e7be	feat(nubus): Introduce credentialOverride usage	2024-07-31 17:38:01 +02:00
Carlos García-Mauriño	80b4a62c1b	feat: Customize nubus images	2024-07-31 17:38:01 +02:00
Carlos García-Mauriño	55692d407e	feat: Update pinned images	2024-07-31 17:38:01 +02:00
Andreas Niemann	2d52fac18c	chore(nubus): Change stack-gateway ingress hostname to read .Values.global.domain	2024-07-31 17:38:01 +02:00
Jaime Conde	a76cf0abaf	fix(nubus): Stack-gateway ingress namespace repeated twice	2024-07-31 17:38:01 +02:00
Thorsten Roßner	403714afcc	fix(nubus): Some cleanup.	2024-07-31 17:38:01 +02:00
Thorsten Roßner	99712f1594	fix(nubus): Set OpenCoDE as registry for Nubus umbrella chart.	2024-07-31 17:38:01 +02:00
Andreas Niemann	283fcf9626	chore(nubus): Change stack-gateway ingress hostname to read .Values.global.domain	2024-07-31 17:38:01 +02:00
Andreas Niemann	31fdc63a63	chore(nubus): Drop unneeded univnetion-management-stack app	2024-07-31 17:38:01 +02:00
Andreas Niemann	b00a7b59c0	fix(nubus): Use otterize feature branch feat(nubus): Use nubus umbrella	2024-07-31 17:38:01 +02:00