feat(postgresql): Add template support for existing secrets

Signed-off-by: Axel Lender <lender@b1-systems.de>
feat(mariadb): Add template support for existing secrets
2025-12-06 07:21:36 +01:00 · 2025-12-03 21:26:07 +01:00 · 2025-12-03 21:18:21 +01:00 · 2025-11-27 14:03:07 +01:00 · 2025-11-13 11:15:16 +01:00 · 2025-11-13 11:15:16 +01:00
29 changed files with 1321 additions and 299 deletions
--- a/docs/existing-secrets.md
+++ b/docs/existing-secrets.md
@@ -0,0 +1,360 @@
 <!--
 SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Existing Secrets</h1>
 This document covers how to utilise existing secrets and special requirements. The examples documented here are mostly showing the format with the openDesk default values.
 <!-- TOC -->
 * [General](#general)
 * [Components](#components)
  * [Cassandra](#cassandra)
  * [Keycloak](#keycloak)
  * [MariaDB](#mariadb)
  * [MinIO](#minio)
  * [Notes](#notes)
  * [OpenProject](#openproject)
  * [PostgreSQL](#postgresql)
  * [XWiki](#xwiki)
 <!-- TOC -->
 # General
 ⚠ ATTENTION: This feature is still in early development. For now you can't simply replace plain secrets with existing secrets because some secrets are used several components where some maybe don't support existing secrets by now.
 For most components when set the existing secret will supersede e.g. a password in a `values.yaml` file.
 The file [`existing_secrets.yaml`](/helmfile/environments/default/existing_secrets.yaml.gotmpl) lists all possible references to existing secrets that are currently implemented in openDesk.
 # Components
 This section covers information and special requirements to existing secrets that some Helm Charts expect.
 ## Cassandra
 Cassandra is pre-populated with information regarding Dovecot with a `cql` script. The openDesk default `initDB` setting is configured as follows:
 ```yaml
  initUserData.cql: >
    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
    ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
 ```
 This has to be adapted into a secret that also holds a `cql` script and is named in `initDBSecret`.
 ## Keycloak
 Several existing secrets utilised by the Keycloak bootstrap chart are expected in a special format and/or key.
 ### Admin credentials
 ```yaml
 stringData:
  admin.yaml: |
    username: "kcadmin"
    password: "{{ .Values.secrets.keycloak.adminPassword }}"
 ```
 ### ox-connector
 The secret `openxchangeConnector.provisioningApiPassword` has to provide a JSON file. The value `.Values.secrets.oxConnector.provisioningApiPassword` is taken from the default openDesk install without existing secrets and has to be replaced by some secret value. The following format is expected:
 ```yaml
    stringData:
      ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"
 ```
 ### LDAP Search
 The secret `nubus.ldapSearch.keycloak` has the requirement to use `password` as key.
 ### SSOFederation and Clients
 Values taken from those existing secrets will supersede secret values that are already present for the `client`/`IdP` in the configuration or add them accordingly. Further the secrets for the have to provide a `yaml` file in a special format. Both formats rely on the same key as used in the configuration respectively. The expected format for each configuration can be seen in the table below:
 |Section                                              |Format       |
 |-----------------------------------------------------|-------------|
 |`functional.authentication.clients`                  |1.           |
 |`functional.authentication.ssoFederation.idpDict`    |2.           |
 |`keycloak.clients`                                   |1.           |
 1. Expected format for the `clients` secrets:
    ```yaml
    opendesk-intercom:
      clientId: "opendesk-intercom"
      secret: "{{ .Values.secrets.keycloak.clientSecret.intercom }}"
    opendesk-notes:
      clientId: "opendesk-notes"
      secret: "{{ .Values.secrets.keycloak.clientSecret.notes }}"
    opendesk-dovecot:
      clientId: "opendesk-dovecot"
      secret: "{{ .Values.secrets.keycloak.clientSecret.dovecot }}"
    opendesk-oxappsuite:
      clientId: "opendesk-oxappsuite"
      secret: "{{ .Values.secrets.keycloak.clientSecret.as8oidc }}"
    opendesk-matrix:
      clientId: "opendesk-matrix"
      secret: "{{ .Values.secrets.keycloak.clientSecret.matrix }}"
    opendesk-nextcloud:
      clientId: "opendesk-nextcloud"
      secret: "{{ .Values.secrets.keycloak.clientSecret.ncoidc }}"
    opendesk-openproject:
      clientId: "opendesk-openproject"
      secret: "{{ .Values.secrets.keycloak.clientSecret.openproject }}"
    opendesk-xwiki:
      clientId: "opendesk-xwiki"
      secret: "{{ .Values.secrets.keycloak.clientSecret.xwiki }}"
    ```
 2. Expected format for the `ssoFederation` secret:
    ```yaml
    yourIdpDictEntry:
      clientId: "yourSecretValueHere"
      clientSecret: "yourSecretValueHere"
    ```
 ## MariaDB
 When initialising databases, users and credentials the Chart expects `.sql` files inside the secret to mount and feed them to the database client.
 The expected format for the databases is as follows:
 ```yaml
 stringData:
  init-db-open-xchange.sql: |
    CREATE DATABASE IF NOT EXISTS openxchange_dummy;
    GRANT ALL PRIVILEGES ON openxchange_dummy.* TO "openxchange_user"@"%";
    FLUSH PRIVILEGES;
  init-db-nextcloud.sql: |
    CREATE DATABASE IF NOT EXISTS nextcloud;
    GRANT ALL PRIVILEGES ON nextcloud.* TO "nextcloud_user"@"%";
    FLUSH PRIVILEGES;
  init-db-xwiki.sql: |
    CREATE DATABASE IF NOT EXISTS xwiki;
    GRANT ALL PRIVILEGES ON xwiki.* TO "xwiki_user"@"%";
    FLUSH PRIVILEGES;
 ```
 For the user and credentials the following format is expected:
 ```yaml
 stringData:
  init-user-open-xchange.sql: |
    CREATE USER IF NOT EXISTS "openxchange_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.openxchangeUser | quote }};
    ALTER USER "openxchange_user"@"%" WITH MAX_USER_CONNECTIONS 100;
    ALTER USER "openxchange_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.openxchangeUser | quote }};
  init-user-nextcloud.sql: |
    CREATE USER IF NOT EXISTS "nextcloud_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.nextcloudUser | quote }};
    ALTER USER "nextcloud_user"@"%" WITH MAX_USER_CONNECTIONS 100;
    ALTER USER "nextcloud_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.nextcloudUser | quote }};
  init-user-xwiki.sql: |
    CREATE USER IF NOT EXISTS "xwiki_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.xwikiUser | quote }};
    ALTER USER "xwiki_user"@"%" WITH MAX_USER_CONNECTIONS 100;
    ALTER USER "xwiki_user"@"%" IDENTIFIED BY {{ .Values.secrets.mariadb.xwikiUser | quote }};
 ```
 ## MinIO
 Like described in the [upstream `values.yaml`](https://github.com/bitnami/charts/blob/main/bitnami/minio/values.yaml#L1595) credentials and information about a user in existing secrets listed in `usersExistingSecrets` have to be formatted as follows:
 ```yaml
 stringData:
  username1: |
    username=test-username
    password=test-password
    disabled=false
    policies=readwrite,consoleAdmin,diagnostics
    setPolicies=false
 ```
 Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them.
 ## Notes
 There are some values that consist of more than just one secret part.
 ```yaml
 backend:
  configuration:
    django:
      superuserEmail:
        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
    redisUrl:
      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
 ```
 ## OpenProject
 Here we need a custom secret to inject confidential data into environment variables as expected by OpenProject.
 ```yaml
 stringData:
  OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
 ```
 ## PostgreSQL
 In order to initialise PostgreSQL with databases, users and credentials existing secrets are expected to contain `.sql` files.
 The expected format for the databases is as follows:
 ```yaml
 stringData:
  init-db-keycloak.sql: |
    SELECT 'CREATE DATABASE keycloak' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'keycloak')\gexec
    ALTER DATABASE keycloak OWNER TO keycloak_user;
    GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak_user;
  init-db-keycloakExtension.sql: |
    SELECT 'CREATE DATABASE keycloak_extensions' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'keycloak_extensions')\gexec
    ALTER DATABASE keycloak_extensions OWNER TO keycloak_extensions_user;
    GRANT ALL PRIVILEGES ON DATABASE keycloak_extensions TO keycloak_extensions_user;
  init-db-notes.sql.sql: |
    SELECT 'CREATE DATABASE notes' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'notes')\gexec
    ALTER DATABASE notes OWNER TO notes_user;
    GRANT ALL PRIVILEGES ON DATABASE notes TO notes_user;
  init-db-openproject.sql: |
    SELECT 'CREATE DATABASE openproject' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'openproject')\gexec
    ALTER DATABASE openproject OWNER TO openproject_user;
    GRANT ALL PRIVILEGES ON DATABASE openproject TO openproject_user;
  init-db-synapse.sql: |
    SELECT 'CREATE DATABASE matrix ENCODING ''UTF8'' LC_COLLATE=''C'' LC_CTYPE=''C'' template=template0' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'matrix')\gexec
    ALTER DATABASE matrix OWNER TO matrix_user;
    GRANT ALL PRIVILEGES ON DATABASE matrix TO matrix_user;
  init-db-umsGuardianManagementApi.sql: |
    SELECT 'CREATE DATABASE guardianmanagementapi' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'guardianmanagementapi')\gexec
    ALTER DATABASE guardianmanagementapi OWNER TO guardianmanagementapi_user;
    GRANT ALL PRIVILEGES ON DATABASE guardianmanagementapi TO guardianmanagementapi_user;
  init-db-umsNotificationsApi.sql: |
    SELECT 'CREATE DATABASE notificationsapi' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'notificationsapi')\gexec
    ALTER DATABASE notificationsapi OWNER TO notificationsapi_user;
    GRANT ALL PRIVILEGES ON DATABASE notificationsapi TO notificationsapi_user;
  init-db-umsSelfservice.sql: |
    SELECT 'CREATE DATABASE selfservice' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'selfservice')\gexec
    ALTER DATABASE selfservice OWNER TO selfservice_user;
    GRANT ALL PRIVILEGES ON DATABASE selfservice TO selfservice_user;
  init-db-nextcloud.sql: |
    SELECT 'CREATE DATABASE nextcloud' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'nextcloud')\gexec
    ALTER DATABASE nextcloud OWNER TO nextcloud_user;
    GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud_user;
  init-db-xwiki.sql: |
    SELECT 'CREATE DATABASE xwiki ENCODING ''UNICODE'' template=template0' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'xwiki')\gexec
    ALTER DATABASE xwiki OWNER TO xwiki_user;
    GRANT ALL PRIVILEGES ON DATABASE xwiki TO xwiki_user;
 ```
 For the user and credentials the following format is expected:
 ```yaml
 stringData:
  init-user-keycloak.sql: |
    DO $$BEGIN
    IF EXISTS (SELECT FROM pg_user WHERE usename = 'keycloak_user') THEN
      ALTER ROLE "keycloak_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.keycloakUser | squote }} CONNECTION LIMIT 100;
    ELSE
      CREATE ROLE "keycloak_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.keycloakUser | squote }} CONNECTION LIMIT 100;
    END IF;
    END$$
  init-user-notes.sql: |
    DO $$BEGIN
    IF EXISTS (SELECT FROM pg_user WHERE usename = 'notes_user') THEN
      ALTER ROLE "notes_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.notesUser | squote }} CONNECTION LIMIT 100;
    ELSE
      CREATE ROLE "notes_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.notesUser | squote }} CONNECTION LIMIT 100;
    END IF;
    END$$
  init-user-openproject.sql: |
    DO $$BEGIN
    IF EXISTS (SELECT FROM pg_user WHERE usename = 'openproject_user') THEN
      ALTER ROLE "openproject_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.openprojectUser | squote }} CONNECTION LIMIT 100;
    ELSE
      CREATE ROLE "openproject_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.openprojectUser | squote }} CONNECTION LIMIT 100;
    END IF;
    END$$
  init-user-keycloakExtension.sql: |
    DO $$BEGIN
    IF EXISTS (SELECT FROM pg_user WHERE usename = 'keycloak_extensions_user') THEN
      ALTER ROLE "keycloak_extensions_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.keycloakExtensionUser | squote }} CONNECTION LIMIT 100;
    ELSE
      CREATE ROLE "keycloak_extensions_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.keycloakExtensionUser | squote }} CONNECTION LIMIT 100;
    END IF;
    END$$
  init-user-synapse.sql: |
    DO $$BEGIN
    IF EXISTS (SELECT FROM pg_user WHERE usename = 'matrix_user') THEN
      ALTER ROLE "matrix_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.matrixUser | squote }} CONNECTION LIMIT 100;
    ELSE
      CREATE ROLE "matrix_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.matrixUser | squote }} CONNECTION LIMIT 100;
    END IF;
    END$$
  init-user-umsNotificationsApi.sql: |
    DO $$BEGIN
    IF EXISTS (SELECT FROM pg_user WHERE usename = 'notificationsapi_user') THEN
      ALTER ROLE "notificationsapi_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsNotificationsApiUser | squote }} CONNECTION LIMIT 100;
    ELSE
      CREATE ROLE "notificationsapi_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsNotificationsApiUser | squote }} CONNECTION LIMIT 100;
    END IF;
    END$$
  init-user-umsGuardianManagementApi.sql: |
    DO $$BEGIN
    IF EXISTS (SELECT FROM pg_user WHERE usename = 'guardianmanagementapi_user') THEN
      ALTER ROLE "guardianmanagementapi_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | squote }} CONNECTION LIMIT 100;
    ELSE
      CREATE ROLE "guardianmanagementapi_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | squote }} CONNECTION LIMIT 100;
    END IF;
    END$$
  init-user-umsSelfservice.sql: |
    DO $$BEGIN
    IF EXISTS (SELECT FROM pg_user WHERE usename = 'selfservice_user') THEN
      ALTER ROLE "selfservice_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsSelfserviceUser | squote }} CONNECTION LIMIT 100;
    ELSE
      CREATE ROLE "selfservice_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.umsSelfserviceUser | squote }} CONNECTION LIMIT 100;
    END IF;
    END$$
  init-user-nextcloud.sql: |
    DO $$BEGIN
    IF EXISTS (SELECT FROM pg_user WHERE usename = 'nextcloud_user') THEN
      ALTER ROLE "nextcloud_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.nextcloudUser | squote }} CONNECTION LIMIT 100;
    ELSE
      CREATE ROLE "nextcloud_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.nextcloudUser | squote }} CONNECTION LIMIT 100;
    END IF;
    END$$
  init-user-xwiki.sql: |
    DO $$BEGIN
    IF EXISTS (SELECT FROM pg_user WHERE usename = 'xwiki_user') THEN
      ALTER ROLE "xwiki_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.xwikiUser | squote }} CONNECTION LIMIT 100;
    ELSE
      CREATE ROLE "xwiki_user" WITH LOGIN ENCRYPTED PASSWORD {{ .Values.secrets.postgresql.xwikiUser | squote }} CONNECTION LIMIT 100;
    END IF;
    END$$
 ```
 ## XWiki
 Properties listed in the file of the existing secret will overwrite plain values.
 Licenses can also be given via properties and require the format `licenses=<EnterpriseLicense>,<Applicationslicense>`.
 Like described in the [upstream `values.yaml`](https://github.com/xwiki-contrib/xwiki-helm/blob/master/charts/xwiki/values.yaml#L435) credentials and information about a user in existing secrets listed in `propertiesSecret` have to be formatted as follows:
 ```yaml
 stringData:
  propertiesFile: |
    propertie1=propertie1Value
    propertie2=propertie2Value
    propertie3=propertie3Value
 ```
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -10,6 +10,7 @@ SPDX-License-Identifier: Apache-2.0
 * [Deprecation warnings](#deprecation-warnings)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
  * [external secrets](#external-secrets)
  * [v1.7.1+](#v171)
    * [Pre-upgrade to v1.7.1+](#pre-upgrade-to-v171)
      * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users)
@@ -137,6 +138,22 @@ If you would like more details about the automated migrations, please read secti
 # Manual checks/actions
 ## external secrets
 ### pre upgrade
 #### Changed structure in `functional.ssoFederation`
 **Target group:** All upgrade deployments with configured ssoFederation.
 The structure of the configuration for the usage of ssoFederation has changed, please see [`functional.yaml.gotmpl`](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/develop/helmfile/environments/default/functional.yaml.gotmpl) for further details of the new structure of the ssoFederation configuration.
 #### Changed structure in `config.opendesk.clients` and `config.custom.clients`
 **Target group:** All upgrade deployments
 The configuration underneath the named sections has changed from a list to a dictionary. An example can be seen in [`values-opendesk-keycloak-bootstrap.yaml.gotmpl`](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/develop/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl?ref_type=heads) for the `opendesk.clients`.
 ## v1.7.1+
 ### Pre-upgrade to v1.7.1+
--- a/docs/security.md
+++ b/docs/security.md
@@ -1,4 +1,5 @@
 <!--
 SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
@@ -8,9 +9,10 @@ SPDX-License-Identifier: Apache-2.0
 This document covers the current status of security measures.
 <!-- TOC -->
-* [Helm chart trust chain](#helm-chart-trust-chain)
+* [Helm Chart Trust Chain](#helm-chart-trust-chain)
-* [Kubernetes security enforcements](#kubernetes-security-enforcements)
+* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
-* [Network policies](#network-policies)
+* [NetworkPolicies](#networkpolicies)
 * [Existing Secrets](#existing-secrets)
 <!-- TOC -->
 # Helm chart trust chain
@@ -49,3 +51,9 @@ security:
  otterizeIntents:
    enabled: true
 ```
 # Existing Secrets
 We urge you to use existing secrets for your confidential credentials.
 For further explanation and documentation please visit [Existing Secrets](./docs/existing-secrets.md).
--- a/docs/testing.md
+++ b/docs/testing.md
@@ -86,7 +86,7 @@ The following naming scheme is applied for the deployment matrix:
  - *Secrets*: Master password based secrets based on `secrets.yaml.gotmpl`
  - *Certificates*: Letsencrypt-prod certificates are used.
  - *Deployment*: GitLab CI based deployment.
- `funct1`: Different configuration of `functional.yaml`, self-signed-certs [and when available external secrets].
+- `funct1`: Different configuration of `functional.yaml`, self-signed-certs [and when available existing secrets].
 - `extsrv`: External services (where possible).
 - `gitops`: Argo CD based deployment.
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -40,6 +40,13 @@ collabora:
    {{- end }}
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  {{- if .Values.existingSecrets.collabora.existingSecret.name }}
  existingSecret:
    enabled: true
    secretName: {{ .Values.existingSecrets.collabora.existingSecret.name | quote }}
    usernameKey: {{ .Values.existingSecrets.collabora.existingSecret.usernameKey | quote }}
    passwordKey: {{ .Values.existingSecrets.collabora.existingSecret.passwordKey | quote }}
  {{- end }}
 fullnameOverride: "collabora"
--- a/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-management.yaml.gotmpl
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -26,8 +26,14 @@ configuration:
    enabled: true
    username:
      value: "nextcloud"
      secret:
        name: {{ .Values.existingSecrets.nextcloud.admin.username.name | quote }}
        key: {{ .Values.existingSecrets.nextcloud.admin.username.key | quote }}
    password:
      value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
      secret:
        name: {{ .Values.existingSecrets.nextcloud.admin.password.name | quote }}
        key: {{ .Values.existingSecrets.nextcloud.admin.password.key | quote }}
  antivirus:
    {{- if .Values.antivirus.icap.host }}
@@ -47,8 +53,14 @@ configuration:
      enabled: true
      username:
        value: {{ .Values.cache.nextcloud.username }}
        secret:
          name: {{ .Values.existingSecrets.cache.nextcloud.username.name | quote }}
          key: {{ .Values.existingSecrets.cache.nextcloud.username.key | quote }}
      password:
        value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
        secret:
          name: {{ .Values.existingSecrets.cache.nextcloud.password.name | quote }}
          key: {{ .Values.existingSecrets.cache.nextcloud.password.key | quote }}
    host: {{ .Values.cache.nextcloud.host | quote }}
    port: {{ .Values.cache.nextcloud.port | quote }}
    tls: {{ .Values.cache.nextcloud.tls }}
@@ -93,6 +105,9 @@ configuration:
    auth:
      username:
        value: {{ .Values.databases.nextcloud.username | quote }}
        secret:
          name: {{ .Values.existingSecrets.databases.nextcloud.username.name | quote }}
          key: {{ .Values.existingSecrets.databases.nextcloud.username.key | quote }}
      password:
        {{- if or (eq .Values.databases.nextcloud.type "mariadb") (eq .Values.databases.nextcloud.type "mysql") }}
        value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
@@ -101,6 +116,9 @@ configuration:
        {{- else }}
        value: {{ .Values.databases.nextcloud.password | quote }}
        {{- end }}
        secret:
          name: {{ .Values.existingSecrets.databases.nextcloud.password.name | quote }}
          key: {{ .Values.existingSecrets.databases.nextcloud.password.key | quote }}
  ldap:
    base: {{ .Values.ldap.baseDn | quote }}
@@ -108,14 +126,23 @@ configuration:
    dn: "uid=ldapsearch_nextcloud,cn=users,{{ .Values.ldap.baseDn }}"
    password:
      value: {{ .Values.secrets.nubus.ldapSearch.nextcloud | quote }}
      secret:
        name: {{ .Values.existingSecrets.nubus.ldapSearch.nextcloud.name | quote }}
        key: {{ .Values.existingSecrets.nubus.ldapSearch.nextcloud.key | quote }}
    adminGroupName: "managed-by-attribute-FileshareAdmin"
  objectstore:
    auth:
      accessKey:
        value: {{ .Values.objectstores.nextcloud.username | quote }}
        secret:
          name: {{ .Values.existingSecrets.objectstores.nextcloud.accessKey.name | quote }}
          key: {{ .Values.existingSecrets.objectstores.nextcloud.accessKey.key | quote }}
      secretKey:
        value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
        secret:
          name: {{ .Values.existingSecrets.objectstores.nextcloud.secretKey.name | quote }}
          key: {{ .Values.existingSecrets.objectstores.nextcloud.secretKey.key | quote }}
    bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
    host: {{ .Values.objectstores.nextcloud.endpoint | quote }}
    region: {{ .Values.objectstores.nextcloud.region | quote }}
@@ -129,6 +156,9 @@ configuration:
      value: "opendesk-nextcloud"
    password:
      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
      secret:
        name: {{ .Values.existingSecrets.keycloak.clientSecret.nextcloudOidc.name | quote }}
        key: {{ .Values.existingSecrets.keycloak.clientSecret.nextcloudOidc.key | quote }}
  opendeskIntegration:
    centralNavigation:
@@ -137,6 +167,9 @@ configuration:
        value: "opendesk_username"
      password:
        value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
        secret:
          name: {{ .Values.existingSecrets.centralnavigation.apiKey.name | quote }}
          key: {{ .Values.existingSecrets.centralnavigation.apiKey.key | quote }}
    oxAppSuite:
      enabled: {{ .Values.apps.oxAppSuite.enabled }}
@@ -161,6 +194,9 @@ configuration:
        value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
      password:
        value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
        secret:
          name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | quote }}
          key: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | quote }}
    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
    port: 587
    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
@@ -177,6 +213,9 @@ configuration:
  serverinfo:
    token:
      value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
      secret:
        name: {{ .Values.existingSecrets.nextcloud.metricsToken.name | quote }}
        key: {{ .Values.existingSecrets.nextcloud.metricsToken.key | quote }}
  forbiddenChars: {{ join " " .Values.functional.filestore.naming.forbiddenChars | quote }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -18,6 +18,9 @@ exporter:
    server: "http://opendesk-nextcloud-aio"
    token:
      value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
      secret:
        name: {{ .Values.existingSecrets.nextcloud.metricsToken.name | quote }}
        key: {{ .Values.existingSecrets.nextcloud.metricsToken.key | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -87,8 +90,14 @@ aio:
        enabled: true
        username:
          value: {{ .Values.cache.nextcloud.username }}
          secret:
            name: {{ .Values.existingSecrets.cache.nextcloud.username.name | quote }}
            key: {{ .Values.existingSecrets.cache.nextcloud.username.key | quote }}
        password:
          value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
          secret:
            name: {{ .Values.existingSecrets.cache.nextcloud.password.name | quote }}
            key: {{ .Values.existingSecrets.cache.nextcloud.password.key | quote }}
      host: {{ .Values.cache.nextcloud.host | quote }}
      port: {{ .Values.cache.nextcloud.port | quote }}
      tls: {{ .Values.cache.nextcloud.tls }}
@@ -106,6 +115,9 @@ aio:
      auth:
        username:
          value: {{ .Values.databases.nextcloud.username | quote }}
          secret:
            name: {{ .Values.existingSecrets.databases.nextcloud.username.name | quote }}
            key: {{ .Values.existingSecrets.databases.nextcloud.username.key | quote }}
        password:
          {{- if or (eq .Values.databases.nextcloud.type "mariadb") (eq .Values.databases.nextcloud.type "mysql") }}
          value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
@@ -114,6 +126,9 @@ aio:
          {{- else }}
          value: {{ .Values.databases.nextcloud.password | quote }}
          {{- end }}
          secret:
            name: {{ .Values.existingSecrets.databases.nextcloud.password.name | quote }}
            key: {{ .Values.existingSecrets.databases.nextcloud.password.key | quote }}
    trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
--- a/helmfile/apps/notes/values.yaml.gotmpl
+++ b/helmfile/apps/notes/values.yaml.gotmpl
@@ -4,12 +4,22 @@
 global:
  collaborationServerSecret:
    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
    existingSecret:
      name: {{ .Values.existingSecrets.notes.collaborationSecret.name | quote }}
      key: {{ .Values.existingSecrets.notes.collaborationSecret.key | quote }}
  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
  yProviderApiKey:
    value: {{ .Values.secrets.notes.collaborationSecret | quote }}
    existingSecret:
      name: {{ .Values.existingSecrets.notes.collaborationSecret.name | quote }}
      key: {{ .Values.existingSecrets.notes.collaborationSecret.key | quote }}
  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
  fqdn: "{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}"
  tlsSecretName: {{ .Values.ingress.tls.secretName | quote }}
 backend:
  image:
@@ -36,14 +46,23 @@ backend:
    ai:
      apiKey:
        value: {{ .Values.ai.apiKey }}
        existingSecret:
          name: {{ .Values.existingSecrets.ai.apiKey.name | quote }}
          key: {{ .Values.existingSecrets.ai.apiKey.key | quote }}
      baseUrl: {{ .Values.ai.endpoint }}
      model: {{ .Values.ai.model | quote }}
    aws:
      endpointUrl: {{ printf "https://%s" (.Values.objectstores.notes.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
      s3AccessKeyId:
        value: {{ .Values.objectstores.notes.username }}
        existingSecret:
          name: {{ .Values.existingSecrets.objectstores.notes.s3AccessKeyId.name | quote }}
          key: {{ .Values.existingSecrets.objectstores.notes.s3AccessKeyId.key | quote }}
      s3SecretAccessKey:
        value: {{ .Values.objectstores.notes.secretKey | default .Values.secrets.minio.notesUser | quote }}
        existingSecret:
          name: {{ .Values.existingSecrets.objectstores.notes.s3SecretAccessKey.name | quote }}
          key: {{ .Values.existingSecrets.objectstores.notes.s3SecretAccessKey.key | quote }}
      storageBucketName: {{ .Values.objectstores.notes.bucket }}
    collaboration:
      apiUrl: {{ printf "https://%s.%s/collaboration/api/" .Values.global.hosts.notes .Values.global.domain | quote }}
@@ -53,9 +72,15 @@ backend:
      name: {{ .Values.databases.notes.name | quote }}
      password:
        value: {{ .Values.databases.notes.password | default .Values.secrets.postgresql.notesUser | quote }}
        existingSecret:
          name: {{ .Values.existingSecrets.databases.notes.password.name | quote  }}
          key: {{ .Values.existingSecrets.databases.notes.password.key | quote }}
      port: {{ .Values.databases.notes.port | quote }}
      user:
        value: {{ .Values.databases.notes.username | quote }}
        existingSecret:
          name: {{ .Values.existingSecrets.databases.notes.user.name | quote }}
          key: {{ .Values.existingSecrets.databases.notes.user.key | quote }}
    email:
      brandName: "openDesk"
      from: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.mailDomain | default .Values.global.domain }}"
@@ -64,14 +89,23 @@ backend:
      logoImage: {{ printf "https://%s.%s/univention/portal/icons/entries/swp.notes.svg" .Values.global.hosts.nubus .Values.global.domain | quote }}
      user:
        value: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
        existingSecret:
          name: {{ .Values.existingSecrets.postfix.opendeskSystem.username.name | quote }}
          key: {{ .Values.existingSecrets.postfix.opendeskSystem.username.key | quote }}
      password:
        value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
        existingSecret:
          name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | quote }}
          key: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | quote }}
    oidc:
      enabled: true
      rpClientId:
        value: "opendesk-notes"
      rpClientSecret:
        value: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
        existingSecret:
          name: {{ .Values.existingSecrets.keycloak.clientSecret.notes.name | quote }}
          key: {{ .Values.existingSecrets.keycloak.clientSecret.notes.key | quote }}
      opJWKSEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
      opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
@@ -88,14 +122,26 @@ backend:
    django:
      secretKey:
        value: {{ .Values.secrets.notes.djangoSecretKey }}
        existingSecret:
          name: {{ .Values.existingSecrets.notes.django.secretKey.name | quote }}
          key: {{ .Values.existingSecrets.notes.django.secretKey.key | quote }}
      createSuperuser: true
      superuserEmail:
        value: {{ printf "default.admin@%s" .Values.global.domain | quote }}
        existingSecret:
          name: {{ .Values.existingSecrets.notes.django.superuserEmail.name | quote }}
          key: {{ .Values.existingSecrets.notes.django.superuserEmail.key | quote }}
      superuserPassword:
        value: {{ .Values.secrets.notes.superuser }}
        existingSecret:
          name: {{ .Values.existingSecrets.notes.django.superuserPassword.name | quote }}
          key: {{ .Values.existingSecrets.notes.django.superuserPassword.key | quote }}
    frontendTheme: "openDesk"
    redisUrl:
      value: "redis://default:{{ .Values.cache.notes.password | default .Values.secrets.redis.password }}@{{ .Values.cache.notes.host }}:{{ .Values.cache.notes.port }}/7"
      existingSecret:
        name: {{ .Values.existingSecrets.notes.redisUrl.name | quote }}
        key: {{ .Values.existingSecrets.notes.redisUrl.key | quote }}
  extraEnvVars:
    - name: "FRONTEND_HOMEPAGE_FEATURE_ENABLED"
      value: "False"
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -53,6 +53,10 @@ global:
 ics:
  session:
    secret: {{ .Values.secrets.intercom.secret | quote }}
    existingSecret:
      name: {{ .Values.existingSecrets.nubus.ics.session.name | quote }}
      keyMapping:
        secret: {{ .Values.existingSecrets.nubus.ics.session.key | quote }}
  issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  originRegex: "{{ .Values.global.domain }}"
  enableSessionCookie: true
@@ -66,21 +70,37 @@ ics:
  oidc:
    id: "opendesk-intercom"
    clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
    existingSecret:
      name: {{ .Values.existingSecrets.keycloak.clientSecret.intercom.name | quote}}
      keyMapping:
        clientSecret: {{ .Values.existingSecrets.keycloak.clientSecret.intercom.key | quote }}
  matrix:
    subdomain: {{ .Values.global.hosts.synapse | quote }}
    serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
    auth:
      applicationServiceSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.nubus.ics.synapseAsToken.name | quote }}
        keyMapping:
          password: {{ .Values.existingSecrets.nubus.ics.synapseAsToken.key | quote }}
  nordeck:
    subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
  portal:
    auth:
      sharedSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.centralnavigation.apiKey.name | quote }}
        keyMapping:
          sharedSecret: {{ .Values.existingSecrets.centralnavigation.apiKey.key | quote }}
  redis:
    host: {{ .Values.cache.intercomService.host | quote }}
    port: {{ .Values.cache.intercomService.port }}
    auth:
      password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.redis.existingSecret | quote }}
        keyMapping:
          password: {{ .Values.existingSecrets.redis.existingSecretPasswordKey | quote }}
  openxchange:
    oci: true
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
@@ -131,10 +151,9 @@ provisioning:
      auth:
        username: "kcadmin"
        existingSecret:
-          name: "ums-opendesk-keycloak-credentials"
+          name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
          keyMapping:
-            password: "admin_password"
+            passowrd: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
        key: "admin_password"
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
--- a/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nginx-s3-gateway.yaml.gotmpl
@@ -38,8 +38,14 @@ configuration:
  credentials:
    accessKey:
      value: {{ .Values.objectstores.nubus.username | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.objectstores.nubus.accessKey.name | quote }}
        key: {{ .Values.existingSecrets.objectstores.nubus.accessKey.key | quote }}
    secretKey:
      value: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.objectstores.nubus.secretKey.name | quote }}
        key: {{ .Values.existingSecrets.objectstores.nubus.secretKey.key | quote }}
 podAnnotations:
  {{ .Values.annotations.nubusNginxS3Gateway.pod | toYaml | nindent 2 }}
--- a/helmfile/apps/nubus/values-nubus-guardian.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus-guardian.yaml.gotmpl
@@ -200,25 +200,25 @@ nubusGuardian:
      username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
      database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
      existingSecret:
-        name: "ums-guardian-postgresql-opendesk-credentials"
+        name: {{ .Values.existingSecrets.databases.umsGuardianManagementApi.password.name | default "ums-guardian-postgresql-opendesk-credentials" | quote }}
        keyMapping:
-          password: "guardianDatabasePassword"
+          password: {{ .Values.existingSecrets.databases.umsGuardianManagementApi.password.key | default "guardianDatabasePassword" | quote }}
  provisioning:
    enabled: false
    config:
      nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
      keycloak:
        credentialSecret:
-          name: "ums-opendesk-keycloak-credentials"
+          name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
-          key: "admin_password"
+          key: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
      realm: {{ .Values.platform.realm | quote }}
      username: "kcadmin"
    keycloak:
      auth:
        existingSecret:
-          name: "ums-opendesk-guardian-client-secret"
+        name: {{ .Values.existingSecrets.keycloak.clientSecret.guardian.name | default "ums-opendesk-guardian-client-secret" | quote }}
-          keyMapping:
+        keyMapping:
-            password: "managementApiClientSecret"
+          password: {{ .Values.existingSecrets.keycloak.clientSecret.guardian.key | default "managementApiClientSecret" | quote }}
      connection:
        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
        baseUrl: "http://ums-keycloak:8080"
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
@@ -192,11 +192,10 @@ keycloak:
  keycloak:
    auth:
      username: "kcadmin"
      # TODO: Pending secrets refactoring to be able to provide the value directly
      existingSecret:
-        name: "ums-opendesk-keycloak-credentials"
+        name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
        keyMapping:
-          adminPassword: "admin_password"
+          adminPassword: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
    login:
      messages:
        de:
@@ -219,11 +218,10 @@ keycloak:
    auth:
      username: {{ .Values.databases.keycloak.username | quote }}
      database: {{ .Values.databases.keycloak.name | quote }}
      # TODO: Pending secrets refactoring to be able to provide the value directly
      existingSecret:
-        name: "ums-keycloak-postgresql-opendesk-credentials"
+        name: {{ .Values.existingSecrets.databases.keycloak.password.name | default "ums-keycloak-postgresql-opendesk-credentials" | quote }}
        keyMapping:
-          password: keycloakDatabasePassword
+          password: {{ .Values.existingSecrets.databases.keycloak.password.key | default "keycloakDatabasePassword" | quote }}
  replicaCount: {{ .Values.replicas.keycloak }}
  resources:
    {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
@@ -447,9 +445,9 @@ nubusKeycloakExtensions:
      # TODO: Pending secrets refactoring in component chart. This will refer to
      # the secret generated by the keycloak subchart.
      existingSecret:
-        name: "ums-opendesk-keycloak-credentials"
+        name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
        keyMapping:
-          adminPassword: "admin_password"
+          adminPassword: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
  proxy:
    additionalAnnotations:
      {{ .Values.annotations.nubusKeycloakExtensions.proxyAdditional | toYaml | nindent 6 }}
@@ -527,11 +525,10 @@ nubusKeycloakExtensions:
    auth:
      database: {{ .Values.databases.keycloakExtension.name | quote }}
      username: {{ .Values.databases.keycloakExtension.username | quote }}
      # TODO: Pending secrets refactoring for this component chart
      existingSecret:
-        name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
+        name: {{ .Values.existingSecrets.databases.keycloakExtension.password.name | default "ums-keycloak-extensions-postgresql-opendesk-credentials" | quote }}
        keyMapping:
-          password: "umcKeycloakExtensionsDatabasePassword"
+          password: {{ .Values.existingSecrets.databases.keycloakExtension.password.key | default "umcKeycloakExtensionsDatabasePassword" | quote }}
  smtp:
    connection:
      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -544,9 +541,9 @@ nubusKeycloakExtensions:
      # TODO: Pending secrets refactoring in the component chart
      password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
      existingSecret:
-        name: "ums-keycloak-extensions-smtp-opendesk-credentials"
+        name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | default "ums-keycloak-extensions-smtp-opendesk-credentials" | quote }}
        keyMapping:
-          password: "umcKeycloakExtensionsSmtpPassword"
+          password: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | default "umcKeycloakExtensionsSmtpPassword" | quote }}
  handler:
    additionalAnnotations:
      {{ .Values.annotations.nubusKeycloakExtensions.handlerAdditional | toYaml | nindent 6 }}
@@ -1110,9 +1107,9 @@ nubusProvisioning:
    createUsers:
      oxConsumer:
        existingSecret:
-          name: ums-provisioning-ox-credentials
+          name: {{ .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.name | default "ums-provisioning-ox-credentials" | quote }}
          keyMapping:
-            registration: "ox-connector.json"
+            registration: {{ .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.key | default "ox-connector.json" | quote }}
    {{- end }}
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
@@ -1604,16 +1601,14 @@ nubusKeycloakBootstrap:
    auth:
      username: "kcadmin"
      existingSecret:
-        name: "ums-opendesk-keycloak-credentials"
+        name: {{ .Values.existingSecrets.keycloak.adminPassword.name | default "ums-opendesk-keycloak-credentials" | quote }}
        keyMapping:
          adminPassword: {{ .Values.existingSecrets.keycloak.adminPassword.key | default "admin_password" | quote }}
  ldap:
    auth:
      bindDn: {{ printf "uid=ldapsearch_keycloak,cn=users,%s" .Values.ldap.baseDn }}
      existingSecret:
-        name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
+        name: {{ .Values.existingSecrets.nubus.ldapSearch.keycloak.name | default "ums-keycloak-bootstrap-ldap-opendesk-credentials" | quote }}
  oidc:
    rp:
      umcServer:
        password: {{ .Values.secrets.keycloak.clientSecret.portal | quote }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
    {{- with .Values.annotations.nubusKeycloakBootstrapNubus.pod }}
@@ -1636,27 +1631,50 @@ nubusKeycloakBootstrap:
 # Credential secrets for accessing customer supplied services
 extraSecrets:
  {{- if and (not .Values.existingSecrets.keycloak.clientSecret.guardian.name)
             (not .Values.existingSecrets.keycloak.clientSecret.guardian.key) }}
  - name: "ums-opendesk-guardian-client-secret"
    stringData:
      managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
  {{- end }}
  {{- if and (not .Values.existingSecrets.keycloak.adminPassword.name)
             (not .Values.existingSecrets.keycloak.adminPassword.key) }}
  - name: "ums-opendesk-keycloak-credentials"
    stringData:
      admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }}
  {{- end }}
  {{- if and (not .Values.existingSecrets.databases.keycloak.password.name)
             (not .Values.existingSecrets.databases.keycloak.password.key) }}
  - name: "ums-keycloak-postgresql-opendesk-credentials"
    stringData:
      keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
  {{- end }}
  {{- if and (not .Values.existingSecrets.databases.umsGuardianManagementApi.password.name)
             (not .Values.existingSecrets.databases.umsGuardianManagementApi.password.key) }}
  - name: "ums-guardian-postgresql-opendesk-credentials"
    stringData:
      guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
  {{- end }}
  {{- if and (not .Values.existingSecrets.databases.keycloakExtension.password.name)
             (not .Values.existingSecrets.databases.keycloakExtension.password.key) }}
  - name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
    stringData:
      umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
  {{- end }}
  {{- if and (not .Values.existingSecrets.postfix.opendeskSystem.password.name)
             (not .Values.existingSecrets.postfix.opendeskSystem.password.key) }}
  - name: "ums-keycloak-extensions-smtp-opendesk-credentials"
    stringData:
      umcKeycloakExtensionsSmtpPassword: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
  {{- end }}
  {{- if and (not .Values.existingSecrets.nubus.ldapSearch.keycloak.name) }}
  - name: "ums-keycloak-bootstrap-ldap-opendesk-credentials"
    stringData:
      password: {{ .Values.secrets.nubus.ldapSearch.keycloak | quote }}
  {{- end }}
  {{- if and (not .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.name)
             (not .Values.existingSecrets.openxchangeConnector.provisioningApiPassword.key) }}
  - name: "ums-provisioning-ox-credentials"
    stringData:
      ox-connector.json: "{ \"name\": \"ox-connector\", \"realms_topics\": [{\"realm\": \"udm\", \"topic\": \"oxmail/oxcontext\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/accessprofile\"}, {\"realm\": \"udm\", \"topic\": \"users/user\"}, {\"realm\": \"udm\", \"topic\": \"oxresources/oxresources\"}, {\"realm\": \"udm\", \"topic\": \"groups/group\"}, {\"realm\": \"udm\", \"topic\": \"oxmail/functional_account\"}], \"request_prefill\": true, \"password\": \"{{ .Values.secrets.oxConnector.provisioningApiPassword }}\" }"
  {{- end }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -80,7 +80,11 @@ config:
    clientScopes:
      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
    clients:
-      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
+      value:
        {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 8 }}
      existingSecret:
        name: {{ .Values.existingSecrets.functional.authentication.clients.name | quote }}
        key: {{ .Values.existingSecrets.functional.authentication.clients.key | quote }}
  managed:
    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
                    'offline_access', 'roles', 'address', 'phone' ]
@@ -92,6 +96,8 @@ config:
      values:
        username: "kcadmin"
        password: {{ .Values.secrets.keycloak.adminPassword | quote }}
      secret:
        name: {{ .Values.existingSecrets.keycloak.adminSecret.name | quote }}
    realm: {{ .Values.platform.realm | quote }}
    intraCluster:
      enabled: true
@@ -113,8 +119,10 @@ config:
  ssoFederation:
    enabled: {{ .Values.functional.authentication.ssoFederation.enabled }}
    enforceFederatedLogin: {{ .Values.functional.authentication.ssoFederation.enforceFederatedLogin }}
-    name: {{ .Values.functional.authentication.ssoFederation.name | quote }}
+    value: {{ .Values.functional.authentication.ssoFederation.idpDict | toYaml | nindent 8 }}
-    idpDetails: {{ .Values.functional.authentication.ssoFederation.idpDetails | toYaml | nindent 6 }}
+    existingSecret:
      name : {{ .Values.existingSecrets.functional.authentication.ssoFederation.name | quote }}
      key : {{ .Values.existingSecrets.functional.authentication.ssoFederation.key | quote }}
  twoFactorSettings:
    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups | toYaml | nindent 6 }}
  precreateGroups: [ 'Domain Admins', 'Domain Users', 'IAM API - Full Access',
@@ -517,233 +525,246 @@ config:
              jsonType.label: "String"
      {{ end }}
    clients:
-      - name: "opendesk-intercom"
+      value:
-        clientId: "opendesk-intercom"
+        opendesk-intercom:
-        protocol: "openid-connect"
+          name: "opendesk-intercom"
-        clientAuthenticatorType: "client-secret"
+          clientId: "opendesk-intercom"
-        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+          protocol: "openid-connect"
-        redirectUris:
+          clientAuthenticatorType: "client-secret"
-          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
+          secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
-        consentRequired: false
+          redirectUris:
-        frontchannelLogout: false
+            - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
-        publicClient: false
+          consentRequired: false
-        authorizationServicesEnabled: false
+          frontchannelLogout: false
-        attributes:
+          publicClient: false
-          use.refresh.tokens: true
+          authorizationServicesEnabled: false
-          backchannel.logout.session.required: true
+          attributes:
-          standard.token.exchange.enabled: true
+            use.refresh.tokens: true
-          standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
+            backchannel.logout.session.required: true
-          backchannel.logout.revoke.offline.tokens: true
+            standard.token.exchange.enabled: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
+            standard.token.exchange.enableRefreshRequestedTokenType: "SAME_SESSION"
-        protocolMappers:
+            backchannel.logout.revoke.offline.tokens: true
-          - name: "intercom-audience"
+            backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
-            protocol: "openid-connect"
+          protocolMappers:
-            protocolMapper: "oidc-audience-mapper"
+            - name: "intercom-audience"
-            consentRequired: false
+              protocol: "openid-connect"
-            config:
+              protocolMapper: "oidc-audience-mapper"
-              included.client.audience: "opendesk-intercom"
+              consentRequired: false
-              id.token.claim: false
+              config:
-              access.token.claim: true
+                included.client.audience: "opendesk-intercom"
-          - name: "opendesk_username"
+                id.token.claim: false
-            protocol: "openid-connect"
+                access.token.claim: true
-            protocolMapper: "oidc-usermodel-attribute-mapper"
+            - name: "opendesk_username"
-            consentRequired: false
+              protocol: "openid-connect"
-            config:
+              protocolMapper: "oidc-usermodel-attribute-mapper"
-              userinfo.token.claim: true
+              consentRequired: false
-              user.attribute: "uid"
+              config:
-              id.token.claim: true
+                userinfo.token.claim: true
-              access.token.claim: true
+                user.attribute: "uid"
-              claim.name: "opendesk_username"
+                id.token.claim: true
-              jsonType.label: "String"
+                access.token.claim: true
-          - name: "opendesk_useruuid"
+                claim.name: "opendesk_username"
-            protocol: "openid-connect"
+                jsonType.label: "String"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
+            - name: "opendesk_useruuid"
-            consentRequired: false
+              protocol: "openid-connect"
-            config:
+              protocolMapper: "oidc-usermodel-attribute-mapper"
-              userinfo.token.claim: true
+              consentRequired: false
-              user.attribute: "entryUUID"
+              config:
-              id.token.claim: true
+                userinfo.token.claim: true
-              access.token.claim: true
+                user.attribute: "entryUUID"
-              claim.name: "opendesk_useruuid"
+                id.token.claim: true
-              jsonType.label: "String"
+                access.token.claim: true
-        defaultClientScopes:
+                claim.name: "opendesk_useruuid"
-          - "offline_access"
+                jsonType.label: "String"
-      {{ if .Values.apps.notes.enabled }}
+          defaultClientScopes:
-      - name: "opendesk-notes"
+            - "offline_access"
-        clientId: "opendesk-notes"
+        {{ if .Values.apps.notes.enabled }}
-        protocol: "openid-connect"
+        opendesk-notes:
-        clientAuthenticatorType: "client-secret"
+          name: "opendesk-notes"
-        secret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
+          clientId: "opendesk-notes"
-        redirectUris:
+          protocol: "openid-connect"
-          - "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/callback/"
+          clientAuthenticatorType: "client-secret"
-        standardFlowEnabled: true
+          secret: {{ .Values.secrets.keycloak.clientSecret.notes | quote }}
-        implicitFlowEnabled: false
+          redirectUris:
-        alwaysDisplayInConsole: false
+            - "https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/api/v1.0/callback/"
-        bearerOnly: false
+          standardFlowEnabled: true
-        directAccessGrantsEnabled: true
+          implicitFlowEnabled: false
-        serviceAccountsEnabled: false
+          alwaysDisplayInConsole: false
-        consentRequired: false
+          bearerOnly: false
-        frontchannelLogout: false
+          directAccessGrantsEnabled: true
-        publicClient: false
+          serviceAccountsEnabled: false
-        authorizationServicesEnabled: false
+          consentRequired: false
-        surrogateAuthRequired: false
+          frontchannelLogout: false
-        attributes:
+          publicClient: false
-          backchannel.logout.revoke.offline.tokens: false
+          authorizationServicesEnabled: false
-          backchannel.logout.session.required: false
+          surrogateAuthRequired: false
-          client.introspection.response.allow.jwt.claim.enabled: false
+          attributes:
-          client.use.lightweight.access.token.enabled: false
+            backchannel.logout.revoke.offline.tokens: false
-          client_credentials.use_refresh_token: false
+            backchannel.logout.session.required: false
-          display.on.consent.screen: false
+            client.introspection.response.allow.jwt.claim.enabled: false
-          oauth2.device.authorization.grant.enabled: false
+            client.use.lightweight.access.token.enabled: false
-          oidc.ciba.grant.enabled: false
+            client_credentials.use_refresh_token: false
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/*"
+            display.on.consent.screen: false
-          require.pushed.authorization.requests: false
+            oauth2.device.authorization.grant.enabled: false
-          tls.client.certificate.bound.access.tokens: false
+            oidc.ciba.grant.enabled: false
-          token.response.type.bearer.lower-case: false
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.notes }}.{{ .Values.global.domain }}/*"
-          use.jwks.url: false
+            require.pushed.authorization.requests: false
-          use.refresh.tokens: false
+            tls.client.certificate.bound.access.tokens: false
-          # it is probably not even required to set this value explicitly.
+            token.response.type.bearer.lower-case: false
-          user.info.response.signature.alg: "RS256"
+            use.jwks.url: false
-        defaultClientScopes:
+            use.refresh.tokens: false
-          - "opendesk-notes-scope"
+            # it is probably not even required to set this value explicitly.
-      {{ end }}
+            user.info.response.signature.alg: "RS256"
-      {{ if .Values.apps.oxAppSuite.enabled }}
+          defaultClientScopes:
-      - name: "opendesk-dovecot"
+            - "opendesk-notes-scope"
-        clientId: "opendesk-dovecot"
+        {{ end }}
-        protocol: "openid-connect"
+        {{ if .Values.apps.oxAppSuite.enabled }}
-        clientAuthenticatorType: "client-secret"
+        opendesk-dovecot:
-        secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
+          name: "opendesk-dovecot"
-        consentRequired: false
+          clientId: "opendesk-dovecot"
-        frontchannelLogout: false
+          protocol: "openid-connect"
-        publicClient: false
+          clientAuthenticatorType: "client-secret"
-        authorizationServicesEnabled: false
+          secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
-        attributes:
+          consentRequired: false
-          backchannel.logout.session.required: false
+          frontchannelLogout: false
-        defaultClientScopes:
+          publicClient: false
-          - "opendesk-dovecot-scope"
+          authorizationServicesEnabled: false
-      - name: "opendesk-oxappsuite"
+          attributes:
-        clientId: "opendesk-oxappsuite"
+            backchannel.logout.session.required: false
-        protocol: "openid-connect"
+          defaultClientScopes:
-        clientAuthenticatorType: "client-secret"
+            - "opendesk-dovecot-scope"
-        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+        opendesk-oxappsuite:
-        redirectUris:
+          name: "opendesk-oxappsuite"
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+          clientId: "opendesk-oxappsuite"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          protocol: "openid-connect"
-        consentRequired: false
+          clientAuthenticatorType: "client-secret"
-        frontchannelLogout: false
+          secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
-        publicClient: false
+          redirectUris:
-        authorizationServicesEnabled: false
+            - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-        attributes:
+            - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-          backchannel.logout.session.required: true
+          consentRequired: false
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+          frontchannelLogout: false
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          publicClient: false
-        defaultClientScopes:
+          authorizationServicesEnabled: false
-          - "opendesk-oxappsuite-scope"
+          attributes:
-          - "read_contacts"
+            backchannel.logout.session.required: true
-          - "write_contacts"
+            backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-      {{ end }}
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-      {{ if .Values.apps.jitsi.enabled }}
+          defaultClientScopes:
-      - name: "opendesk-jitsi"
+            - "opendesk-oxappsuite-scope"
-        clientId: "opendesk-jitsi"
+            - "read_contacts"
-        protocol: "openid-connect"
+            - "write_contacts"
-        clientAuthenticatorType: "client-secret"
+        {{ end }}
-        redirectUris:
+        {{ if .Values.apps.jitsi.enabled }}
-          - "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
+        opendesk-jitsi:
-        consentRequired: false
+          name: "opendesk-jitsi"
-        frontchannelLogout: false
+          clientId: "opendesk-jitsi"
-        publicClient: true
+          protocol: "openid-connect"
-        fullScopeAllowed: true
+          clientAuthenticatorType: "client-secret"
-        authorizationServicesEnabled: false
+          redirectUris:
-        defaultClientScopes:
+            - "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
-          - "opendesk-jitsi-scope"
+          consentRequired: false
-      {{ end }}
+          frontchannelLogout: false
-      {{ if .Values.apps.element.enabled }}
+          publicClient: true
-      - name: "opendesk-matrix"
+          fullScopeAllowed: true
-        clientId: "opendesk-matrix"
+          authorizationServicesEnabled: false
-        protocol: "openid-connect"
+          defaultClientScopes:
-        clientAuthenticatorType: "client-secret"
+            - "opendesk-jitsi-scope"
-        secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
+        {{ end }}
-        redirectUris:
+        {{ if .Values.apps.element.enabled }}
-          - "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
+        opendesk-matrix:
-          - "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
+          name: "opendesk-matrix"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          clientId: "opendesk-matrix"
-        standardFlowEnabled: true
+          protocol: "openid-connect"
-        directAccessGrantsEnabled: true
+          clientAuthenticatorType: "client-secret"
-        serviceAccountsEnabled: true
+          secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
-        consentRequired: false
+          redirectUris:
-        frontchannelLogout: false
+            - "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
-        publicClient: false
+            - "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
-        authorizationServicesEnabled: false
+            - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        attributes:
+          standardFlowEnabled: true
-          backchannel.logout.session.required: true
+          directAccessGrantsEnabled: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
+          serviceAccountsEnabled: true
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          consentRequired: false
-        defaultClientScopes:
+          frontchannelLogout: false
-          - "opendesk-matrix-scope"
+          publicClient: false
-      {{ end }}
+          authorizationServicesEnabled: false
-      {{ if .Values.apps.nextcloud.enabled }}
+          attributes:
-      - name: "opendesk-nextcloud"
+            backchannel.logout.session.required: true
-        clientId: "opendesk-nextcloud"
+            backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
-        protocol: "openid-connect"
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        clientAuthenticatorType: "client-secret"
+          defaultClientScopes:
-        secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
+            - "opendesk-matrix-scope"
-        redirectUris:
+        {{ end }}
-          - "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
+        {{ if .Values.apps.nextcloud.enabled }}
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        opendesk-nextcloud:
-        consentRequired: false
+          name: "opendesk-nextcloud"
-        frontchannelLogout: false
+          clientId: "opendesk-nextcloud"
-        publicClient: false
+          protocol: "openid-connect"
-        authorizationServicesEnabled: false
+          clientAuthenticatorType: "client-secret"
-        attributes:
+          secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
-          backchannel.logout.session.required: true
+          redirectUris:
-          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
+            - "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+            - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
+          consentRequired: false
-          - "opendesk-nextcloud-scope"
+          frontchannelLogout: false
-          - "read_contacts"
+          publicClient: false
-          - "write_contacts"
+          authorizationServicesEnabled: false
-      {{ end }}
+          attributes:
-      {{ if .Values.apps.openproject.enabled }}
+            backchannel.logout.session.required: true
-      - name: "opendesk-openproject"
+            backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
-        clientId: "opendesk-openproject"
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        protocol: "openid-connect"
+          defaultClientScopes:
-        clientAuthenticatorType: "client-secret"
+            - "opendesk-nextcloud-scope"
-        secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
+            - "read_contacts"
-        redirectUris:
+            - "write_contacts"
-          - "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
+        {{ end }}
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        {{ if .Values.apps.openproject.enabled }}
-        consentRequired: false
+        opendesk-openproject:
-        frontchannelLogout: false
+          name: "opendesk-openproject"
-        publicClient: false
+          clientId: "opendesk-openproject"
-        serviceAccountsEnabled: true
+          protocol: "openid-connect"
-        authorizationServicesEnabled: false
+          clientAuthenticatorType: "client-secret"
-        attributes:
+          secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
-          backchannel.logout.session.required: true
+          redirectUris:
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
+            - "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+            - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        defaultClientScopes:
+          consentRequired: false
-          - "opendesk-openproject-scope"
+          frontchannelLogout: false
-      {{ end }}
+          publicClient: false
-      {{ if .Values.apps.xwiki.enabled }}
+          serviceAccountsEnabled: true
-      - name: "opendesk-xwiki"
+          authorizationServicesEnabled: false
-        clientId: "opendesk-xwiki"
+          attributes:
-        protocol: "openid-connect"
+            backchannel.logout.session.required: true
-        clientAuthenticatorType: "client-secret"
+            backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
-        secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
+            post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-        redirectUris:
+          defaultClientScopes:
-          - "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
+            - "opendesk-openproject-scope"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        {{ end }}
-        consentRequired: false
+        {{ if .Values.apps.xwiki.enabled }}
-        frontchannelLogout: false
+        opendesk-xwiki:
-        publicClient: false
+          name: "opendesk-xwiki"
-        authorizationServicesEnabled: false
+          clientId: "opendesk-xwiki"
-        attributes:
+          protocol: "openid-connect"
-          backchannel.logout.session.required: false
+          clientAuthenticatorType: "client-secret"
-          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
+          secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+          redirectUris:
-        defaultClientScopes:
+            - "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
-          - "opendesk-xwiki-scope"
+            - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
-      {{ end }}
+          consentRequired: false
          frontchannelLogout: false
          publicClient: false
          authorizationServicesEnabled: false
          attributes:
            backchannel.logout.session.required: false
            backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
            post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
          defaultClientScopes:
            - "opendesk-xwiki-scope"
        {{ end }}
      existingSecret:
        name: {{ .Values.existingSecrets.keycloak.clients.name | quote }}
        key: {{ .Values.existingSecrets.keycloak.clients.key | quote }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl
@@ -24,6 +24,9 @@ dovecot:
    username: {{ .Values.databases.dovecotDictmap.username | quote }}
    password:
      value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.dovecot.dictmapUser.name | quote }}
        key: {{ .Values.existingSecrets.dovecot.dictmapUser.key | quote }}
    keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
  sharedMailboxes:
    enabled: true
@@ -32,16 +35,28 @@ dovecot:
    username: {{ .Values.databases.dovecotACL.username | quote }}
    password:
      value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.dovecot.aclUser.name | quote }}
        key: {{ .Values.existingSecrets.dovecot.aclUser.key | quote }}
    keyspace: {{ .Values.databases.dovecotACL.name | quote }}
  objectStorage:
    bucket: {{ .Values.objectstores.dovecot.bucket | quote }}
    encryption:
      privateKey:
        value: {{ requiredEnv "DOVECOT_CRYPT_PRIVATE_KEY" | quote }}
        existingSecret:
          name: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.privateKey.name | quote }}
          key: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.privateKey.key | quote }}
      publicKey:
        value: {{ requiredEnv "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
        existingSecret:
          name: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.publicKey.name | quote }}
          key: {{ .Values.existingSecrets.dovecot.objectStorage.encryption.publicKey.key | quote }}
    fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
    username: {{ .Values.objectstores.dovecot.username | quote }}
    password:
      value: {{ .Values.objectstores.dovecot.secretKey | default .Values.secrets.minio.dovecotUser | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.objectstores.dovecotUser.name | quote }}
        key: {{ .Values.existingSecrets.objectstores.dovecotUser.key | quote }}
 ...
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -25,10 +25,16 @@ dovecot:
  defaultMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
  password:
    value: {{ .Values.secrets.dovecot.doveadm | quote }}
    existingSecret:
      name: {{ .Values.existingSecrets.dovecot.doveadm.name | quote }}
      key: {{ .Values.existingSecrets.dovecot.doveadm.key | quote }}
  migration:
    enabled: {{ .Values.functional.migration.oxAppSuite.enabled }}
    masterPassword:
      value: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.oxAppSuite.migrationsMasterPassword.name | quote }}
        key: {{ .Values.existingSecrets.oxAppSuite.migrationsMasterPassword.key | quote }}
  ldap:
    enabled: true
    host: {{ .Values.ldap.host | quote }}
@@ -37,13 +43,20 @@ dovecot:
    dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
    password:
      value: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.nubus.ldapSearch.dovecot.name | quote }}
        key: {{ .Values.existingSecrets.nubus.ldapSearch.dovecot.key | quote }}
  loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
  oidc:
    enabled: true
    clientID:
      value: "opendesk-dovecot"
    clientSecret:
      value: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.keycloak.clientSecret.dovecot.name | quote }}
        key: {{ .Values.existingSecrets.keycloak.clientSecret.dovecot.key | quote }}
    introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
    introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
    usernameAttribute: "opendesk_username"
--- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
@@ -61,8 +61,14 @@ postfix:
    authentication:
      username:
        value: {{ .Values.smtp.username }}
        existingSecret:
          name: {{ .Values.existingSecrets.smtp.username.name | quote }}
          key: {{ .Values.existingSecrets.smtp.username.key | quote }}
      password:
        value: {{ .Values.smtp.password }}
        existingSecret:
          name: {{ .Values.existingSecrets.smtp.password.name | quote }}
          key: {{ .Values.existingSecrets.smtp.password.key | quote }}
  smtpSASLAuthEnable: "yes"
  {{- end }}
  allowRelayNets: false
--- a/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl
@@ -25,14 +25,26 @@ config:
    admin:
      username:
        value: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
        secret:
          name: {{ .Values.existingSecrets.openproject.apiAdmin.username.name | quote }}
          key: {{ .Values.existingSecrets.openproject.apiAdmin.username.key | quote }}
      password:
        value: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
        secret:
          name: {{ .Values.existingSecrets.openproject.apiAdmin.password.name | quote }}
          key: {{ .Values.existingSecrets.openproject.apiAdmin.password.key | quote }}
  nextcloud:
    admin:
      username:
        value: "nextcloud"
        secret:
          name: {{ .Values.existingSecrets.nextcloud.admin.username.name | quote }}
          key: {{ .Values.existingSecrets.nextcloud.admin.username.key | quote }}
      password:
        value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
        secret:
          name: {{ .Values.existingSecrets.nextcloud.admin.password.name | quote }}
          key: {{ .Values.existingSecrets.nextcloud.admin.password.key | quote }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-certificates.yaml.gotmpl
@@ -71,6 +71,9 @@ selfSigned:
      enabled: true
      password:
        value: {{ .Values.secrets.certificates.password | quote }}
        secret:
          name: {{ .Values.existingSecrets.certificates.password.name | quote }}
          key: {{ .Values.existingSecrets.certificates.password.key | quote }}
 wildcard: {{ .Values.certificate.wildcard }}
 ...
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -36,9 +36,17 @@ dbInit:
    {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
 environment:
-  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token }}
+  {{- if and (not .Values.existingSecrets.openproject.environment)
             (and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.openproject.token) }}
  OPENPROJECT_SEED__ENTERPRISE__TOKEN: {{ .Values.enterpriseKeys.openproject.token | quote }}
  {{- end }}
  {{- if not .Values.existingSecrets.openproject.environment }}
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
  {{- end }}
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
  OPENPROJECT_APP__TITLE: "Projekte - {{ .Values.theme.texts.productName }}"
@@ -52,7 +60,6 @@ environment:
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,{{ .Values.ldap.baseDn }}"
  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "{{ .Values.ldap.baseDn }}"
@@ -69,13 +76,9 @@ environment:
    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
  OPENPROJECT_SMTP__USER__NAME: {{ printf "%s@%s" "opendesk-system" ( .Values.global.mailDomain | default .Values.global.domain ) }}
  OPENPROJECT_SMTP__PASSWORD: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
  OPENPROJECT_SMTP__PORT: 587
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.apps.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
@@ -139,6 +142,10 @@ postgresql:
    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
    username: {{ .Values.databases.openproject.username | quote }}
    database: {{ .Values.databases.openproject.name | quote }}
    existingSecret: {{ .Values.existingSecrets.databases.openproject.name | quote }}
    secretKeys:
      adminPasswordKey: {{ .Values.existingSecrets.databases.openproject.adminPasswordKey | quote }}
      userPasswordKey: {{ .Values.existingSecrets.databases.openproject.userPasswordKey | quote }}
  connection:
    host: {{ .Values.databases.openproject.host | quote }}
    port: {{ .Values.databases.openproject.port }}
@@ -164,6 +171,9 @@ openproject:
    # Lock the admin user, preventing internal logins.
    # Switch to true once the NC filestore bootstrapping is optimized.
    locked: false
    secret: {{ .Values.existingSecrets.openproject.adminUserPassword.name | quote }}
    secretKeys:
      password: {{ .Values.existingSecrets.openproject.adminUserPassword.key | quote }}
  oidc:
    enabled: true
    authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
@@ -173,6 +183,10 @@ openproject:
    provider: "keycloak"
    scope: "[openid,opendesk-openproject-scope]"
    secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
    existingSecret: {{ .Values.existingSecrets.keycloak.clientSecret.openproject.name | quote }}
    secretKeys:
      identifier: {{ .Values.existingSecrets.keycloak.clientSecret.openproject.identifier | quote }}
      secret: {{ .Values.existingSecrets.keycloak.clientSecret.openproject.key | quote }}
    tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
    userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
    attribute_map:
@@ -181,6 +195,7 @@ openproject:
  useTmpVolumes: true
  tmpVolumesAnnotations:
    {{ .Values.annotations.openproject.openprojectTempVolumes | toYaml | nindent 4 }}
  extraEnvVarsSecret: {{ .Values.existingSecrets.openproject.environment | quote }}
 serviceAccount:
  annotations:
@@ -224,6 +239,10 @@ s3:
  auth:
    accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
    secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
    existingSecret: {{ .Values.existingSecrets.objectstores.openproject.name | quote }}
    secretKeys:
      accessKeyId: {{ .Values.existingSecrets.objectstores.openproject.accessKeyId | quote }}
      secretAccessKey: {{ .Values.existingSecrets.objectstores.openproject.secretAccessKey | quote }}
 seederJob:
  annotations:
--- a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
@@ -20,7 +20,10 @@ containerSecurityContext:
 dbUser:
  user: "root"
  password: {{ .Values.secrets.cassandra.rootPassword | quote }}
-
+  existingSecret:
    name: {{ .Values.existingSecrets.cassandra.existingSecret.name | quote }}
    keyMapping:
      cassandra-password: {{ .Values.existingSecrets.cassandra.existingSecret.passwordKey | quote }}
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -35,6 +38,7 @@ ingress:
  annotations:
    {{ .Values.annotations.cassandra.ingress | toYaml | nindent 6 }}
 {{- if not .Values.existingSecrets.cassandra.initDBSecret }}
 initDB:
  initUserData.cql: >
    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
@@ -45,6 +49,9 @@ initDB:
    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
 {{- end }}
 initDBSecret: {{ .Values.existingSecrets.cassandra.initDBSecret | quote }}
 # Will print a warning if unset but is automatically calculated:
 jvm:
--- a/helmfile/apps/services-external/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-mariadb.yaml.gotmpl
@@ -53,6 +53,7 @@ job:
      password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
      connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
  usersExistingSecret: {{ .Values.existingSecrets.mariadb.users | quote }}
  databases:
    # OX uses root user and auto automanages the database, we add a dummy user and create a dummy/empty database.
    - name: "openxchange_dummy"
@@ -66,10 +67,14 @@ job:
    - name: {{ .Values.databases.xwiki.name | quote }}
      user: "xwiki_user"
 {{ end }}
  databasesExistingSecret: {{ .Values.existingSecrets.mariadb.databases | quote }}
 mariadb:
  rootPassword:
    value: {{ .Values.secrets.mariadb.rootPassword | quote }}
    existingSecret:
      name: {{ .Values.existingSecrets.mariadb.rootPassword.name | quote }}
      key: {{ .Values.existingSecrets.mariadb.rootPassword.key | quote }}
 persistence:
  size: {{ .Values.persistence.storages.mariadb.size | quote }}
--- a/helmfile/apps/services-external/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-minio.yaml.gotmpl
@@ -19,6 +19,9 @@ apiIngress:
 auth:
  rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
  existingSecret: {{ .Values.existingSecrets.minio.existingSecret | quote }}
  rootUserSecretKey: {{ .Values.existingSecrets.minio.rootUserSecretKey | quote }}
  rootPasswordSecretKey: {{ .Values.existingSecrets.minio.rootPasswordSecretKey | quote }}
 commonAnnotations:
  {{ .Values.annotations.servicesExternalMinio.common | toYaml | nindent 2 }}
@@ -222,6 +225,7 @@ provisioning:
          actions:
            - "s3:*"
    {{- end }}
  {{- if not .Values.existingSecrets.minio.usersExistingSecrets }}
  users:
    - username: {{ .Values.objectstores.migrations.username | quote }}
      password: {{ .Values.secrets.minio.migrationsUser | quote }}
@@ -267,6 +271,9 @@ provisioning:
        - "dovecot-bucket-policy"
      setPolicies: true
    {{- end }}
  {{- else }}
  usersExistingSecrets: {{ .Values.existingSecrets.minio.usersExistingSecrets }}
  {{- end }}
  resources:
    {{ .Values.resources.minio | toYaml | nindent 4 }}
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -66,8 +66,14 @@ postfix:
    authentication:
      username:
        value: {{ .Values.smtp.username }}
        existingSecret:
          name: {{ .Values.existingSecrets.smtp.username.name | quote }}
          key: {{ .Values.existingSecrets.smtp.username.key | quote }}
      password:
        value: {{ .Values.smtp.password }}
        existingSecret:
          name: {{ .Values.existingSecrets.smtp.password.name | quote }}
          key: {{ .Values.existingSecrets.smtp.password.key | quote }}
  smtpSASLAuthEnable: "yes"
  {{- end }}
  # Warning: This setting allows unauthenticated mail relay from relayNets!
@@ -88,8 +94,14 @@ postfix:
    enabled: true
    username:
      value: "opendesk-system"
      existingSecret:
        name: {{ .Values.existingSecrets.postfix.opendeskSystem.username.name | quote }}
        key: {{ .Values.existingSecrets.postfix.opendeskSystem.username.key | quote }}
    password:
      value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
      existingSecret:
        name: {{ .Values.existingSecrets.postfix.opendeskSystem.password.name | quote }}
        key: {{ .Values.existingSecrets.postfix.opendeskSystem.password.key | quote }}
  {{- if .Values.antivirus.milter.host }}
  smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"
--- a/helmfile/apps/services-external/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postgresql.yaml.gotmpl
@@ -80,6 +80,7 @@ job:
      password: {{ .Values.secrets.postgresql.xwikiUser | quote }}
      connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
  usersExistingSecret: {{ .Values.existingSecrets.postgresql.users | quote }}
  databases:
    - name: {{ .Values.databases.keycloak.name | quote }}
      user: {{ .Values.databases.keycloak.username | quote }}
@@ -107,6 +108,7 @@ job:
      user: {{ .Values.databases.xwiki.username | quote }}
      additionalParams: "ENCODING 'UNICODE' template=template0"
 {{ end }}
  databasesExistingSecret: {{ .Values.existingSecrets.postgresql.databases | quote }}
 persistence:
  size: {{ .Values.persistence.storages.postgresql.size | quote }}
@@ -123,7 +125,11 @@ podAnnotations:
 postgres:
  user: "postgres"
-  password: {{ .Values.secrets.postgresql.postgresUser | quote }}
+  password:
    value: {{ .Values.secrets.postgresql.postgresUser | quote }}
    existingSecret:
      name: {{ .Values.existingSecrets.postgresql.rootPassword.name | quote }}
      key: {{ .Values.existingSecrets.postgresql.rootPassword.key | quote }}
 resources:
  {{ .Values.resources.postgresql | toYaml | nindent 2 }}
--- a/helmfile/apps/services-external/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-redis.yaml.gotmpl
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -6,6 +6,8 @@ architecture: "standalone"
 auth:
  password: {{ .Values.secrets.redis.password | quote }}
  existingSecret: {{ .Values.existingSecrets.redis.existingSecret | quote }}
  existingSecretPasswordKey: {{ .Values.existingSecrets.redis.existingSecretPasswordKey | quote }}
 commonAnnotations:
  {{ .Values.annotations.servicesExternalRedis.common | toYaml | nindent 2 }}
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -20,13 +20,19 @@ imagePullSecrets:
  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
 javaOpts:
  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
  - "-Dlicenses={{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
  {{- end }}
  {{- if .Values.certificate.selfSigned }}
  - "-Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks"
  - "-Djavax.net.ssl.trustStoreType=jks"
-  - {{ printf "%s=%s" "-Djavax.net.ssl.trustStorePassword" .Values.secrets.certificates.password | quote }}
+  {{- end }}
 javaOptsSecrets:
  {{- if .Values.certificate.selfSigned }}
  trustStorePassword:
    option: "-Djavax.net.ssl.trustStorePassword="
    value: {{ .Values.secrets.certificates.password }}
    secret:
      name: {{ .Values.existingSecrets.certificates.password.name | quote }}
      key: {{ .Values.existingSecrets.certificates.password.key | quote }}
  {{- end }}
 externalDB:
@@ -39,7 +45,13 @@ externalDB:
  user: {{ .Values.databases.xwiki.username | quote }}
  host: {{ printf "%s:%d" .Values.databases.xwiki.host .Values.databases.xwiki.port | quote }}
  customKeyRef:
    {{- if .Values.existingSecrets.databases.xwiki.password.name }}
    enabled: true
    name: {{ .Values.existingSecrets.databases.xwiki.password.name | quote }}
    key: {{ .Values.existingSecrets.databases.xwiki.password.key | quote }}
    {{- else }}
    enabled: false
    {{- end }}
 securityContext:
  enabled: true
@@ -70,16 +82,11 @@ customConfigs:
    xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
    ## Enable the synchronization of the LDAP profile picture
    xwiki.authentication.ldap.update_photo: 1
    {{ if .Values.debug.enabled }}
    ## Password of "superadmin" user, disables account if not password is set
    xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
    {{ end }}
    ## LDAP Server configuration
    xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
    xwiki.authentication.ldap.port: 389
    ## Authentication to the LDAP server
    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,{{ .Values.ldap.baseDn }}"
    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
    ## Base DN used for searching for users
    xwiki.authentication.ldap.base_DN: "{{ .Values.ldap.baseDn }}"
    ## Allow short update cycles of the LDAP group cache
@@ -99,7 +106,6 @@ customConfigs:
    oidc.logoutMechanism: "rpInitiated"
    oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
    oidc.scope: "openid,opendesk-xwiki-scope"
    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
    oidc.skipped: false
    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
    oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
@@ -111,12 +117,38 @@ customConfigs:
    url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
    workplaceServices.base: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
    workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
    openoffice.serverType: "0"
    openoffice.autoStart: "false"
    openoffice.homePath: "/tmp"
    notifications.emails.live.graceTime: "5"
 customConfigsSecrets:
  xwiki.cfg:
    {{ if .Values.debug.enabled }}
    ## Password of "superadmin" user, disables account if not password is set
    xwiki.superadminpassword:
      value: {{ .Values.secrets.xwiki.superadminpassword | quote }}
      secret:
        name: {{ .Values.existingSecrets.xwiki.xwikiSuperadminpassword.name | quote }}
        key: {{ .Values.existingSecrets.xwiki.xwikiSuperadminpassword.key | quote }}
    {{ end }}
    xwiki.authentication.ldap.bind_pass:
      value: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
      secret:
        name: {{ .Values.existingSecrets.nubus.ldapSearch.xwiki.name | quote }}
        key: {{ .Values.existingSecrets.nubus.ldapSearch.xwiki.key | quote }}
  xwiki.properties:
    oidc.secret:
      value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
      secret:
        name: {{ .Values.existingSecrets.keycloak.clientSecret.xwiki.name | quote }}
        key: {{ .Values.existingSecrets.keycloak.clientSecret.xwiki.key | quote }}
    workplaceServices.portalSecret:
      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
      secret:
        name: {{ .Values.existingSecrets.centralnavigation.apiKey.name | quote }}
        key: {{ .Values.existingSecrets.centralnavigation.apiKey.key | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
@@ -218,6 +250,14 @@ properties:
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.title": "Wissen - $!tdoc.displayTitle - {{ .Values.theme.texts.productName }}"
  {{- if and (eq (env "OPENDESK_ENTERPRISE") "true") .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense .Values.enterpriseKeys.xwiki.proApplicationslicense }}
  "licenses": "{{ .Values.enterpriseKeys.xwiki.opendeskEnterpriseLicense }},{{ .Values.enterpriseKeys.xwiki.proApplicationslicense }}"
  {{- end }}
 ## Properties listed in the secret file will overwrite plain values
 propertiesSecret:
  name: {{ .Values.existingSecrets.xwiki.propertiesSecret.name | quote }}
  key: {{ .Values.existingSecrets.xwiki.propertiesSecret.key | quote }}
 cluster:
  replicas: {{ .Values.replicas.xwiki }}
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -535,6 +535,6 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
    name: "xwiki"
-    version: "1.4.4"
+    version: "1.5.4"
    verify: false
 ...
--- a/helmfile/environments/default/existing_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/existing_secrets.yaml.gotmpl
@@ -0,0 +1,273 @@
 {{/*
 SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 existingSecrets:
  ai:
    apiKey:
      name: ~
      key: ~
  cache:
    intercom:
      password:
        name: ~
        key: ~
    nextcloud:
      username:
        name: ~
        key: ~
      password:
        name: ~
        key: ~
  cassandra:
    initDBSecret: ~
    existingSecret:
      name: ~
      passwordKey: ~
  centralnavigation:
    apiKey:
      name: ~
      key: ~
  certificates:
    password:
      name: ~
      key: ~
  collabora:
    existingSecret:
      name: ~
      passwordKey: ~
      usernameKey: ~
  databases:
    keycloak:
      password:
        name: ~
        key: ~
    keycloakExtension:
      password:
        name: ~
        key: ~
    nextcloud:
      password:
        name: ~
        key: ~
      username:
        name: ~
        key: ~
    notes:
      password:
        name: ~
        key: ~
      user:
        name: ~
        key: ~
    openproject:
      name: ~
      adminPasswordKey: ~
      userPasswordKey: ~
    umsGuardianManagementApi:
      password:
        name: ~
        key: ~
    xwiki:
      password:
        name:  ~
        key: ~
  dovecot:
    doveadm:
      name: ~
      key: ~
    aclUser:
      name: ~
      key: ~
    dictmapUser:
      name: ~
      key: ~
    objectStorage:
      encryption:
        privateKey:
          name: ~
          key: ~
        publicKey:
          name: ~
          key: ~
  functional:
    authentication:
      clients:
        name: ~
        key: ~
      ssoFederation:
        name: ~
        key: ~
  keycloak:
    adminSecret:
      name: ~
    adminPassword:
      name: ~
      key: ~
    clientSecret:
      dovecot:
        name: ~
        key: ~
      guardian:
        name: ~
        key: ~
      intercom:
        name: ~
        key: ~
      nextcloudOidc:
        name: ~
        key: ~
      notes:
        name: ~
        key: ~
      openproject:
        name: ~
        key: ~
        identifier: ~
      xwiki:
        name: ~
        key: ~
    clients:
      name: ~
      key: ~
  mariadb:
    rootPassword:
      name: ~
      key: ~
    databases: ~
    users: ~
  minio:
    existingSecret: ~
    rootUserSecretKey: ~
    rootPasswordSecretKey: ~
    usersExistingSecrets: []
  nextcloud:
    admin:
      password:
        name: ~
        key: ~
      username:
        name: ~
        key: ~
    metricsToken:
      name: ~
      key: ~
  notes:
    collaborationSecret:
      name: ~
      key: ~
    django:
      secretKey:
        name: ~
        key: ~
      superuserEmail:
        name: ~
        key: ~
      superuserPassword:
        name: ~
        key: ~
    redisUrl:
      name: ~
      key: ~
  nubus:
    ics:
      session:
        name: ~
        key: ~
      synapseAsToken:
        name: ~
        key: ~
    ldapSearch:
      dovecot:
        name: ~
        key: ~
      keycloak:
        name: ~
      nextcloud:
        name: ~
        key: ~
      xwiki:
        name: ~
        key: ~
  objectstores:
    dovecotUser:
      name: ~
      key: ~
    nextcloud:
      accessKey:
        name: ~
        key: ~
      secretKey:
        name: ~
        key: ~
    notes:
      s3AccessKeyId:
        name: ~
        key: ~
      s3SecretAccessKey:
        name: ~
        key: ~
    nubus:
      accessKey:
        name: ~
        key: ~
      secretKey:
        name: ~
        key: ~
    openproject:
      name: ~
      accessKeyId: ~
      secretAccessKey: ~
  openproject:
    adminUserPassword:
      name: ~
      key: ~
    apiAdmin:
      password:
        name: ~
        key: ~
      username:
        name: ~
        key: ~
    environment: ~
  openxchangeConnector:
    provisioningApiPassword:
      name: ~
      key: ~
  oxAppSuite:
    migrationsMasterPassword:
      name: ~
      key: ~
  postgresql:
    rootPassword:
      name: ~
      key: ~
    databases: ~
    users: ~
  postfix:
    opendeskSystem:
      password:
        name: ~
        key: ~
      username:
        name: ~
        key: ~
  redis:
    existingSecret: ~
    existingSecretPasswordKey: ~
  smtp:
    username:
      name: ~
      key: ~
    password:
      name: ~
      key: ~
  xwiki:
    xwikiSuperadminpassword:
      name: ~
      key: ~
    propertiesSecret:
      name: ~
      key: ~
 ...
--- a/helmfile/environments/default/functional.yaml.gotmpl
+++ b/helmfile/environments/default/functional.yaml.gotmpl
@@ -22,11 +22,11 @@ functional:
        - "Domain Admins"
    oidc:
      # Define additional/custom OIDC clients to be created in the 'opendesk' realm within Keycloak.
-      clients: ~
+      clients: {}
      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm within Keycloak.
-      clientScopes: ~
+      clientScopes: {}
-    # Global settings of the 'opendesk' realm within Keycloak. The values are used to set Keycloak's realm attributes
+    # Configure global settings of the 'opendesk' realm within Keycloak. The values are directly
-    # of the same name and are applied by `opendesk-keycloak-bootstrap`.
+    # passed into the `realmSettings` section of the `opendesk-keycloak-bootstrap` chart.
    # Ref.: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap
    # Note: Global settings can potentially be overridden on a client level.
    # Note: All numeric "Lifespan" values are defined in seconds.
@@ -75,12 +75,12 @@ functional:
      # Enabling SSO federation requires an upstream IdP specific configuration in `idpDetails` below.
      enabled: false
      # When enforcing the federated login all users are immediately redirected to the federated IdP when a login
-      # is requested or required.
+      # is requested or required. This has to be the exact key like configured in the 'idpDetails' dictionary.
-      enforceFederatedLogin: false
+      enforceFederatedLogin: ""
-      # Name of the SSO federation, if you do not enforce the login the name is shown as a login option the user can select
+      # A dictionary with configured IdPs containing:
      # 1. Name of the SSO federation, if you do not enforce the login the name is shown as a login option the user can select
      # within the openDesk login dialog.
-      name: "My upstream IdP"
+      # 2. Configuration details underneath 'idpDetails' for your upstream IdP, when you configured them manually in the Keycloak UI e.g. for
      # Configuration details for your upstream IdP, when you configured them manually in the Keycloak UI e.g. for
      # testing the setup, you can get them from a Keycloak realm export in the `identityProviders` list.
      # Notes:
      # - You have to convert the configuration into YAML to apply it below.
@@ -90,8 +90,54 @@ functional:
      #  - `alias`
      #  - `firstBrokerLoginFlowAlias`
      #  - `internalId`
-      idpDetails: {}
+      # Example:
-
+      # myUpstreamIdP:
      #   name: "My upstream IdP"
      #   idpDetails:
      #     providerId: "oidc"
      #     enabled: true
      #     updateProfileFirstLoginMode: 'on'
      #     trustEmail: true
      #     storeToken: true
      #     addReadTokenRoleOnCreate: false
      #     authenticateByDefault: false
      #     linkOnly: false
      #     config:
      #       userInfoUrl: https://id.yourDomainHere/realms/opendesk/protocol/openid-connect/userinfo
      #       validateSignature: 'true'
      #       clientId: "yourSecretValueHere"
      #       clientSecret: "yourSecretValueHere"
      #       tokenUrl: https://id.yourDomainHere/realms/opendesk/protocol/openid-connect/token
      #       jwksUrl: https://id.yourDomainHere/realms/opendesk/protocol/openid-connect/certs
      #       issuer: https://id.yourDomainHere/realms/opendesk
      #       useJwksUrl: 'true'
      #       metadataDescriptorUrl: https://id.yourDomainHere/realms/opendesk/.well-known/openid-configuration
      #       pkceEnabled: 'false'
      #       authorizationUrl: https://id.yourDomainHere/realms/opendesk/protocol/openid-connect/auth
      #       clientAuthMethod: client_secret_post
      #       logoutUrl: https://id.yourDomainHere/realms/opendesk/protocol/openid-connect/logout
      #       syncMode: LEGACY
      #       guiOrder: ''
      #       clientAssertionSigningAlg: ''
      #       loginHint: 'false'
      #       passMaxAge: 'false'
      #       uiLocales: 'false'
      #       backchannelSupported: 'true'
      #       sendIdTokenOnLogout: 'true'
      #       sendClientIdOnLogout: 'false'
      #       disableUserInfo: 'false'
      #       disableNonce: 'false'
      #       defaultScope: ''
      #       prompt: ''
      #       acceptsPromptNoneForwardFromClient: 'false'
      #       allowedClockSkew: 0
      #       forwardParameters: ''
      #       isAccessTokenJWT: 'false'
      #       hideOnLoginPage: 'false'
      #       filteredByClaim: 'false'
      #       caseSensitiveOriginalUsername: 'true'
      #     postBrokerLoginFlowAlias: ''
      idpDict: {}
  chat:
    matrix:
      profile:
Author	SHA1	Message	Date
Axel Lender	1ec6f794e6	feat(postgresql): Add template support for existing secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-12-03 21:26:07 +01:00
Axel Lender	c656786bc0	feat(mariadb): Add template support for existing secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-12-03 21:18:21 +01:00
Axel Lender	3890df064e	fix(gotmpl): Refactor from external to existing secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-11-27 14:03:07 +01:00
Axel Lender	3f2cf149e7	feat(openproject): Template external secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-11-13 11:15:16 +01:00
Axel Lender	c98aa3a0cd	fix(intercom-service): Correct key for external secret mapping Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-11-13 11:15:16 +01:00
Axel Lender	e687444765	feat(migrations): Add documentation about the changes regarding oD keycloak-bootstrap Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-11-13 11:15:16 +01:00
Axel Lender	b92e776585	feat(keycloak-bootstrap): Adapt to oD-keycloak-bootstrap changes Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-11-13 11:15:16 +01:00
Axel Lender	bb67fd9641	fix(lint): Satisfy linter Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:44:49 +02:00
Axel Lender	c6a0caeac5	feat(nubus): Template external secrets for keycloak-bootstrap Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:44:49 +02:00
Axel Lender	369242181f	feat(nubus): Templating for external secrets to supersede extraSecrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:44:49 +02:00
Axel Lender	1fb1c9892b	fix(helmfile): Remove testing values from external secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:44:48 +02:00
Axel Lender	7367d16287	feat(notes): Add templating for Notes in oD Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:44:48 +02:00
Axel Lender	602f3b659d	feat(openxchange): Templating external secrets for Dovecot and Postfix also SMTP credentials Co-Author: Thomas Kaltenbrunner <tom@kaltenbrunner.it> Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:44:48 +02:00
Axel Lender	66a5a8a484	fix(helmfile): Streamline naming in externalSecrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:43:00 +02:00
Axel Lender	1fd7cd7d34	feat(nubus): Add templating support for Nubus Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:43:00 +02:00
Axel Lender	cac1e9850d	fix(gotmpl): Structure of the externalSecrets dictionary Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:43:00 +02:00
Axel Lender	03bb231e44	fix(helmfile): Unify database credentials Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:43:00 +02:00
Axel Lender	0187c2571a	feat(documentation): Fix, reorder docs regarding external secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:43:00 +02:00
Axel Lender	70bc05055e	feat(helm): Update upstream version Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:43:00 +02:00
Axel Lender	ed0096a919	feat(helm): Template support for XWiki external secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:43:00 +02:00
Axel Lender	3c0487dc58	feat(helmfile): Add support for external secrets in XWiki Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:43:00 +02:00
Axel Lender	76229cf35d	feat(helmfile): Add external secrets template support for OpenProject bootstrap Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:42:59 +02:00
Axel Lender	9a17064eb7	feat(helmfile): Add external secrets template support for Nextcloud Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:42:59 +02:00
Axel Lender	6a3c73a09d	feat(helmfile): Add templating support for Cassandra external secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:42:59 +02:00
Axel Lender	42773e62eb	feat(helmfile): Add templating support for collabora external secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:42:59 +02:00
Axel Lender	7352e48221	feat(helmfile): Add template support for external secrets for opendesk-services Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:42:59 +02:00
Axel Lender	38c5ca436b	feat(helmfile): Add external secrets support for Redis Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:42:59 +02:00
Axel Lender	311c05c420	feat(docs): Add initial documentation for external secrets Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:42:59 +02:00
Axel Lender	2c13b9672e	feat(helmfile): Add external secrets support for minio Signed-off-by: Axel Lender <lender@b1-systems.de>	2025-10-10 12:42:59 +02:00