feat(helmfile): Add support for external secrets for PostgreSQL

Signed-off-by: Axel Lender <lender@b1-systems.de>

.gitlab-ci.yml

@@ -232,8 +232,8 @@ variables:
   extends: ".environments"
   environment:
     name: "${NAMESPACE}"
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.3.1\
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.3.2\
-          @sha256:de527f493044f06009045c369be831ababbc8dd74adaa378613c5acb1e654959"
+          @sha256:87358b39af7403c9a536d1b71fd87ee84394310497dc0fbc90f78b75a3057712"
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
     # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD

README-EE.md

@@ -94,7 +94,7 @@ Details regarding the scope/limitation of the component's licenses:
 
 - Nextcloud: Enterprise license to enable [Nextcloud Enterprise](https://nextcloud.com/de/enterprise/) specific features, can be used across multiple installations until the licensed number of users is reached.
 - OpenProject: Domain specific enterprise license to enable [OpenProject's Enterprise feature set](https://www.openproject.org/enterprise-edition/), domain matching can use regular expressions.
-- XWiki: Deployment specific enterprise license (key pair) to activate the [XWiki Pro](https://xwiki.com/en/offerings/products/xwiki-pro) apps.
+- XWiki: Deployment specific enterprise license (key pair) to activate the [XWiki Pro](https://xwiki.com/en/offerings/products/xwiki-pro) apps. *Caution! XWiki needs these license keys as one-line strings. Multi-line strings result in installation failure*
 
 # Component overview
 

README.md

@@ -38,7 +38,7 @@ openDesk currently features the following functional main components:
 | Collaborative notes  | Notes (aka Docs)            | [2.4.0](https://github.com/suitenumerique/docs/releases/tag/v2.4.0)                                                           | Online documentation/welcome document available in installed application                                                              |
 | Diagram editor       | CryptPad ft. diagrams.net   | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                        | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
 | File management      | Nextcloud                   | [30.0.6](https://nextcloud.com/de/changelog/#30-0-6)                                                                          | [Nextcloud 30](https://docs.nextcloud.com/)                                                                                           |
-| Groupware            | OX App Suite                | [8.35](https://documentation.open-xchange.com/appsuite/releases/8.35/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Groupware            | OX App Suite                | [8.36](https://documentation.open-xchange.com/appsuite/releases/8.36/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                              | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
 | Portal & IAM         | Nubus                       | [1.8.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-8-0-2025-04-07) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | [15.5.1](https://www.openproject.org/docs/release-notes/15-5-1/)                                                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |

docs/getting-started.md

@@ -70,6 +70,10 @@ For your convenience, we recommend creating a `*.domain.tld` A-Record for your c
 | domain.tld                    | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                        |
 | _dmarc.domain.tld             | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                          |
 | default._domainkey.domain.tld | TXT  | `v=DKIM1; k=rsa; h=sha256; ...`                    | Optional, DKIM settings                                           |
+| _caldavs._tcp.domain.tld      | SRV  | 10 1 443 dav.domain.tld.                           | Optional, CalDav auto discovery                                   |
+| _caldav._tcp.domain.tld       | SRV  | 10 1  80 dav.domain.tld.                           | Optional, CalDav auto discovery                                   |
+| _carddavs._tcp.domain.tld     | SRV  | 10 1 443 dav.domain.tld.                           | Optional, CardDav auto discovery                                  |
+| _carddav._tcp.domain.tld      | SRV  | 10 1  80 dav.domain.tld.                           | Optional, CardDav auto discovery                                  |
 
 ## Domain
 

docs/requirements.md

@@ -29,11 +29,13 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 - K8s cluster >= v1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX) >= [4.11.5/1.11.5](https://github.com/kubernetes/ingress-nginx/releases)
-- [Helm](https://helm.sh/) >= v3.9.0
+- [Helm](https://helm.sh/) >= v3.17.3
-- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= v1.0.0-rc8
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= v1.0.0
-- [HelmDiff](https://github.com/databus23/helm-diff) >= v3.6.0
+- [HelmDiff](https://github.com/databus23/helm-diff) >= v3.11.0
 - Volume provisioner supporting RWO (read-write-once)[^1]
 - Certificate handling with [cert-manager](https://cert-manager.io/)
+
+**Additional openDesk Enterprise requirements**
 - [OpenKruise](https://openkruise.io/)[^2] >= v1.6
 
 # Hardware

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -1399,7 +1399,7 @@ nubusSelfServiceConsumer:
 nubusStackDataUms:
   additionalAnnotations:
     argocd.argoproj.io/hook: "Sync"
-    argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
+    argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
     intents.otterize.com/service-name: "ums-stack-data-ums"
     {{- with .Values.annotations.nubusStackDataUms.additional }}
     {{ . | toYaml | nindent 4 }}
@@ -1732,6 +1732,7 @@ nubusUmcGateway:
 nubusKeycloakBootstrap:
   additionalAnnotations:
     argocd.argoproj.io/hook: "Sync"
+    argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
     {{- with .Values.annotations.nubusKeycloakBootstrapNubus.additional }}
     {{ . | toYaml | nindent 4 }}
     {{- end }}

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -108,8 +108,9 @@ appsuite:
       hosts:
         - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
     dav:
+      enabled: {{ .Values.functional.groupware.davSupport.enabled }}
       hosts:
-        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+        - "{{ .Values.global.hosts.openxchangeDav }}.{{ .Values.global.domain }}"
     routes:
       appsuite-base:
         annotations:
@@ -215,7 +216,7 @@ appsuite:
         host: "all"
         productName: {{ .Values.theme.texts.productName | quote }}
         oidcLogin: true
-        oidcPath: "/oidc"
+        oidcPath: "/oidc/"
     masterAdmin: "admin"
     masterPassword: {{ .Values.secrets.oxAppSuite.adminPassword | quote }}
     hzGroupName: "hzgroup"
@@ -278,17 +279,14 @@ appsuite:
       status:
         {{- if .Values.functional.migration.oxAppSuite.enabled }}
         open-xchange-oidc: "disabled"
-        open-xchange-authentication-oauth: "disabled"
         open-xchange-authentication-masterpassword: "enabled"
-        open-xchange-authentication-database: "disabled"
-        open-xchange-authentication-ldap: "disabled"
         {{- else }}
         open-xchange-oidc: "enabled"
-        open-xchange-authentication-oauth: "enabled"
         open-xchange-authentication-masterpassword: "disabled"
+        {{- end }}
+        open-xchange-authentication-oauth: "disabled"
         open-xchange-authentication-database: "disabled"
         open-xchange-authentication-ldap: "disabled"
-        {{- end }}
         # OX Documents (office-web) is not used in openDesk
         open-xchange-documents-backend: "disabled"
         open-xchange-documents-monitoring: "disabled"
@@ -323,18 +321,8 @@ appsuite:
       com.openexchange.oidc.startDefaultBackend: "true"
       com.openexchange.oidc.userLookupClaim: "opendesk_username"
       com.openexchange.oidc.userLookupNamePart: "full"
-      # OAUTH
+      com.openexchange.oidc.enablePasswordGrant: "true"
-      com.openexchange.oauth.provider.enabled: "true"
+      com.openexchange.oidc.passwordGrantUserNamePart: "local-part"
-      com.openexchange.oauth.provider.allowedIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
-      com.openexchange.oauth.provider.contextLookupClaim: "context"
-      com.openexchange.oauth.provider.contextLookupNamePart: "full"
-      com.openexchange.oauth.provider.jwt.jwksUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
-      com.openexchange.oauth.provider.mode: "expect_jwt"
-      com.openexchange.oauth.provider.userLookupNamePart: "full"
-      com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
-      com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
-      com.openexchange.authentication.oauth.tokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
-      com.openexchange.authentication.oauth.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
       # MAIL
       com.openexchange.mail.authType: "xoauth2"
       com.openexchange.mail.loginSource: "mail"
@@ -398,6 +386,15 @@ appsuite:
       # http = (await import('./io.ox/core/http.js')).default
       # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
       com.openexchange.smime.test: "true"
+      # DAV
+      {{- if .Values.functional.groupware.davSupport.enabled }}
+      com.openexchange.caldav.enabled: "true"
+      com.openexchange.caldav.url: {{ printf "https://%s.%s/caldav/[folderId]" .Values.global.hosts.openxchangeDav .Values.global.domain }}
+      com.openexchange.carddav.enabled: "true"
+      com.openexchange.carddav.url: {{ printf "https://%s.%s/carddav/[folderId]" .Values.global.hosts.openxchangeDav .Values.global.domain }}
+      com.openexchange.client.onboarding.caldav.url: {{ printf "https://%s.%s/" .Values.global.hosts.openxchangeDav .Values.global.domain }}
+      com.openexchange.client.onboarding.carddav.url: {{ printf "https://%s.%s/" .Values.global.hosts.openxchangeDav .Values.global.domain }}
+      {{- end }}
       # Other
       com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
       {{- if .Values.certificate.selfSigned }}

helmfile/apps/services-external/values-postgresql.yaml.gotmpl

@@ -18,8 +18,8 @@ containerSecurityContext:
       - "ALL"
   enabled: true
   privileged: false
-  runAsUser: 1001
+  runAsUser: 70
-  runAsGroup: 1001
+  runAsGroup: 70
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: true
@@ -29,7 +29,7 @@ containerSecurityContext:
 
 podSecurityContext:
   enabled: true
-  fsGroup: 1001
+  fsGroup: 70
   fsGroupChangePolicy: "OnRootMismatch"
 
 replicaCount: {{ .Values.replicas.postgres }}
@@ -49,37 +49,77 @@ image:
 job:
   users:
     - username: {{ .Values.databases.keycloak.username | quote }}
-      password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.keycloakUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.keycloakUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.keycloakUser.key | quote }}
       connectionLimit: {{ .Values.databases.keycloak.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.notes.username | quote }}
-      password: {{ .Values.secrets.postgresql.notesUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.notesUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.notesUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.notesUser.key | quote }}
       connectionLimit: {{ .Values.databases.notes.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.openproject.username | quote }}
-      password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.openprojectUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.openprojectUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.openprojectUser.key | quote }}
       connectionLimit: {{ .Values.databases.openproject.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.keycloakExtension.username | quote }}
-      password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.keycloakExtensionUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.keycloakExtensionUser.key | quote }}
       connectionLimit: {{ .Values.databases.keycloakExtension.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.synapse.username | quote }}
-      password: {{ .Values.secrets.postgresql.matrixUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.matrixUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.matrixUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.matrixUser.key | quote }}
       connectionLimit: {{ .Values.databases.synapse.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.umsNotificationsApi.username | quote }}
-      password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.umsNotificationsApiUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.umsNotificationsApiUser.key | quote }}
       connectionLimit: {{ .Values.databases.umsNotificationsApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
-      password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.umsGuardianManagementApiUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.umsGuardianManagementApiUser.key | quote }}
       connectionLimit: {{ .Values.databases.umsGuardianManagementApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: {{ .Values.databases.umsSelfservice.username | quote }}
-      password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.umsSelfserviceUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.umsSelfserviceUser.key | quote }}
       connectionLimit: {{ .Values.databases.umsSelfservice.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ if or (eq .Values.databases.nextcloud.type "postgresql") (eq .Values.databases.nextcloud.type "psql") }}
     - username: {{ .Values.databases.nextcloud.username | quote }}
-      password: {{ .Values.secrets.postgresql.nextcloudUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.nextcloudUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.nextcloudUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.nextcloudUser.key | quote }}
       connectionLimit: {{ .Values.databases.nextcloud.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
 {{ if eq .Values.databases.xwiki.type "postgresql" }}
     - username: {{ .Values.databases.xwiki.username | quote }}
-      password: {{ .Values.secrets.postgresql.xwikiUser | quote }}
+      password:
+        value: {{ .Values.secrets.postgresql.xwikiUser | quote }}
+        secret:
+          name: {{ .Values.external_secrets.postgresql.xwikiUser.name | quote }}
+          key: {{ .Values.external_secrets.postgresql.xwikiUser.key | quote }}
       connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
 {{ end }}
   databases:
@@ -125,7 +165,11 @@ podAnnotations:
 
 postgres:
   user: "postgres"
-  password: {{ .Values.secrets.postgresql.postgresUser | quote }}
+  password:
+    value: {{ .Values.secrets.postgresql.postgresUser | quote }}
+    secret:
+      name: {{ .Values.external_secrets.postgresql.postgresUser.name | quote }}
+      key: {{ .Values.external_secrets.postgresql.postgresUser.key | quote }}
 
 resources:
   {{ .Values.resources.postgresql | toYaml | nindent 2 }}

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -5,7 +5,7 @@ images:
   collabora:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.13.3.1@sha256:7e9b63972415a5a8006ec6b7e904c2d78d9af467218ead7e578d0c8a5691f0bc"
+    tag: "24.04.13.4.1@sha256:4d4f88fa244280f6116b072a923ee7e5c183ab30ee9759952f9b6aa802802300"
   dovecot:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/dovecot-pro"

helmfile/environments/default/charts.yaml.gotmpl

@@ -56,7 +56,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
-    version: "1.1.37"
+    version: "1.1.38"
     verify: true
   collaboraController:
     # Enterprise Component
@@ -241,7 +241,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "minio"
-    version: "14.10.1"
+    version: "16.0.10"
     verify: true
   nextcloud:
     # providerCategory: "Platform"
@@ -387,7 +387,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector"
-    version: "2.17.164"
+    version: "2.18.36"
     verify: false
   oxAppSuiteBootstrap:
     # providerCategory: "Platform"

helmfile/environments/default/external_secrets.yaml.gotmpl

@@ -0,0 +1,41 @@
+{{/*
+SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+external_secrets:
+  postgresql:
+    postgresUser:
+      name: ~
+      key: ~
+    keycloakUser:
+      name: ~
+      key: ~
+    keycloakExtensionUser:
+      name: ~
+      key: ~
+    matrixUser:
+      name: ~
+      key: ~
+    nextcloudUser:
+      name: ~
+      key: ~
+    notesUser:
+      name: ~
+      key: ~
+    openprojectUser:
+      name: ~
+      key: ~
+    umsNotificationsApiUser:
+      name: ~
+      key: ~
+    umsGuardianManagementApiUser:
+      name: ~
+      key: ~
+    umsSelfserviceUser:
+      name: ~
+      key: ~
+    xwikiUser:
+      name: ~
+      key: ~
+...

helmfile/environments/default/functional.yaml.gotmpl

@@ -144,6 +144,10 @@ functional:
         versions: "auto"
         # yamllint enable rule:line-length
 
+  groupware:
+    davSupport:
+      enabled: true
+
   migration:
     oxAppSuite:
       # Note: Only available in openDesk Enterprise.

helmfile/environments/default/global.yaml.gotmpl

@@ -55,6 +55,7 @@ global:
     nubus: "portal"
     openproject: "projects"
     openxchange: "webmail"
+    openxchangeDav: "dav"
     static: "static"
     synapse: "matrix"
     synapseAdmin: "synapse-admin"

helmfile/environments/default/images.yaml.gotmpl

@@ -12,7 +12,7 @@ images:
     # upstreamRepository: "bitnami/os-shell"
     registry: "registry-1.docker.io"
     repository: "bitnami/os-shell"
-    tag: "12-debian-12-r34@sha256:41e0561b0f08011c24acc5e8ad4c0d09a36062cfab35d9ec7b3fdd4cfecc01e0"
+    tag: "12-debian-12-r44@sha256:6388c7c27a09472906e2f2094410c9ffdadf23b4b242293ce023d0314ec10920"
   cassandra:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -20,7 +20,7 @@ images:
     # upstreamRepository: "bitnami/cassandra"
     registry: "registry-1.docker.io"
     repository: "bitnami/cassandra"
-    tag: "5.0.2-debian-12-r1@sha256:9f5fd6fe3a24b7e5ea215a99a0e0d6a10d11a914d6eb8c511780271a9097f5ea"
+    tag: "5.0.4-debian-12-r3@sha256:af57aa07f866673d4f605bc555e2699dfa7615de216d6a2d0cc607c81831ec2f"
   cassandraExporter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -28,7 +28,7 @@ images:
     # upstreamRepository: "bitnami/cassandra-exporter"
     registry: "registry-1.docker.io"
     repository: "bitnami/cassandra-exporter"
-    tag: "2.3.8-debian-12-r31@sha256:ae861f6c8712dd32c2304c680e4564802df689a62dc4aed2f4e7cfcbba8a8051"
+    tag: "2.3.8-debian-12-r46@sha256:e44c65f08d85153041f68bcf180f948341d74018eef8b56e8869ed87fdfd34f0"
   clamd:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -36,7 +36,7 @@ images:
     # upstreamRepository: "clamav/clamav"
     registry: "registry-1.docker.io"
     repository: "clamav/clamav"
-    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
+    tag: "1.4.2-38_base@sha256:e7d108f30ea8f16935dbd12e4b58665f1bc148ce3dd59028cf04088330216910"
   collabora:
     # providerCategory: "Supplier"
     # providerResponsible: "Collabora"
@@ -44,7 +44,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.13.3.1@sha256:f04a31d72b2b12b530b4e88b3ecb81eb96ebd98112515db59499ff71a4ec905f"
+    tag: "24.04.14.3.1@sha256:b7085475740a4e92ad3611d52808b6d822478e52286d18d3272a9b685e049464"
   collaboraController:
     # Enterprise Component
     # providerCategory: "Supplier"
@@ -84,7 +84,7 @@ images:
     # upstreamRepository: "alpine/k8s"
     registry: "registry-1.docker.io"
     repository: "alpine/k8s"
-    tag: "1.32.3@sha256:eec3541331932d8613ce7b3283508063cba7f704302e9b4eda45e49b38a2a0f9"
+    tag: "1.33.0@sha256:60333a52c38e9a8df0a9b93a5a24a4870f0db2c7ea3266b185386bd0a500d7dc"
   element:
     # providerCategory: "Supplier"
     # providerResponsible: "Element"
@@ -136,7 +136,7 @@ images:
     # upstreamRepository: "clamav/clamav"
     registry: "registry-1.docker.io"
     repository: "clamav/clamav"
-    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
+    tag: "1.4.2-38_base@sha256:e7d108f30ea8f16935dbd12e4b58665f1bc148ce3dd59028cf04088330216910"
   icap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -230,7 +230,7 @@ images:
     # upstreamRepository: "library/mariadb"
     registry: "registry-1.docker.io"
     repository: "library/mariadb"
-    tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
+    tag: "10.6.21@sha256:8a16204dc96c08ed0ee2c52c0f9324aa5d2dd0e43ad23a471d447a39f75765b5"
   matrixNeoBoardWidget:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -288,7 +288,7 @@ images:
     # upstreamRepository: "bitnami/memcached"
     registry: "registry-1.docker.io"
     repository: "bitnami/memcached"
-    tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
+    tag: "1.6.38-debian-12-r3@sha256:3e548fba727578be9d996262471f5f3e07726d625702d26743a5e0f34684cb21"
   migrations:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -304,7 +304,7 @@ images:
     # upstreamRepository: "clamav/clamav"
     registry: "registry-1.docker.io"
     repository: "clamav/clamav"
-    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
+    tag: "1.4.2-38_base@sha256:e7d108f30ea8f16935dbd12e4b58665f1bc148ce3dd59028cf04088330216910"
   minio:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -312,7 +312,7 @@ images:
     # upstreamRepository: "bitnami/minio"
     registry: "registry-1.docker.io"
     repository: "bitnami/minio"
-    tag: "2024.12.13-debian-12-r0@sha256:2a258ab6876f6ed3cd5609836d065f20927955a2ae721fd9edde8ca388b52135"
+    tag: "2025.4.22-debian-12-r1@sha256:d7cd0e172c4cc0870f4bdc3142018e2a37be9acf04d68f386600daad427e0cab"
   nextcloud:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -336,7 +336,7 @@ images:
     # upstreamRepository: "nginxinc/nginx-s3-gateway"
     registry: "registry-1.docker.io"
     repository: "nginxinc/nginx-s3-gateway"
-    tag: "unprivileged-oss-20241111@sha256:20d6b6ec5fc987b18c3e345de33674374a8335c593d6d0841ac64eb49ae2dea4"
+    tag: "unprivileged-oss-20250512@sha256:064d14fc64ba968bd8123f2f25e446e597cfc5170124879b3834deac1a6d69fd"
   notesBackend:
     # providerCategory: "Supplier"
     # providerResponsible: "DINUM"
@@ -720,7 +720,7 @@ images:
     # upstreamRepository: "library/nginx"
     registry: "registry-1.docker.io"
     repository: "library/nginx"
-    tag: "1.27.3-alpine3.20@sha256:41523187cf7d7a2f2677a80609d9caa14388bf5c1fbca9c410ba3de602aaaab4"
+    tag: "1.28.0-alpine3.21@sha256:aed99734248e851764f1f2146835ecad42b5f994081fa6631cc5d79240891ec9"
   openproject:
     # providerCategory: "Supplier"
     # providerResponsible: "OpenProject"
@@ -746,7 +746,7 @@ images:
     # upstreamRepository: "library/postgres"
     registry: "registry-1.docker.io"
     repository: "library/postgres"
-    tag: "16.8-alpine3.20@sha256:951d0626662c85a25e1ba0a89e64f314a2b99abced2c85b4423506249c2d82b0"
+    tag: "16.9-alpine3.20@sha256:e5507c984377515b8c9922b0eb19f55aba2063fdc7bccf268cefd53133f97054"
   openxchangeBootstrap:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -754,7 +754,7 @@ images:
     # upstreamRepository: "alpine/k8s"
     registry: "registry-1.docker.io"
     repository: "alpine/k8s"
-    tag: "1.31.3@sha256:77812543abe5649b286d5f0dc17a7dbaa4056433225f6f695150f329cb4b6803"
+    tag: "1.33.0@sha256:60333a52c38e9a8df0a9b93a5a24a4870f0db2c7ea3266b185386bd0a500d7dc"
   openxchangeCoreGuidedtours:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -764,7 +764,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "6", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.14@sha256:c00546144667d2d5036fa37b2e6185f1abb53c13e9eee7b0c78ec64ac8e5250a"
+    tag: "8.6.15@sha256:f8ea7b3f4003b518c43b12118980d26d1258396f55848af6a64e7a3e7e103c1d"
   openxchangeCoreMW:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -774,7 +774,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "51"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.35.83@sha256:5c4180c1ba255193059241921e6fe0a34555592aa29104a145a0e1beb91157d2"
+    tag: "8.36.51@sha256:db069f8e97f15081c6905f1c18fc1dde7a5b7a0caa9e61f80ea98e009339687b"
   openxchangeCoreUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -784,7 +784,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.35.2@sha256:658563b6ec4d3d5f2e06f2987cd8e730d91b8d0c65b0206495007d347f98965f"
+    tag: "8.36.2@sha256:3a718662355f64846fd99f515a325cf0bfe598eb3a2237bdce649bda0ea8f380"
   openxchangeCoreUIMiddleware:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -804,7 +804,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "799279"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.35.1292950@sha256:a6937222e3b07b42c7dc6a066aae0cd05b3b899325a4e4aee50ee91355c9b3b5"
+    tag: "8.36.1317070@sha256:7de0ced2a4d3f7ddb4bef3b001ae90e3b4a79d86b61ec5e767fe2d3068021558"
   openxchangeDocumentConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -814,7 +814,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.35.1671@sha256:0a7b9d7af9cd22562196b854ad11ca3fd477ddcc70f2ccd113e87ab3b7aad26c"
+    tag: "8.36.1706@sha256:6245f13f6f945121d1d224adab24090efbbe41510ee0de22ce0296c1e5059937"
   openxchangeGotenberg:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -834,7 +834,7 @@ images:
     # upstreamMirrorStartFrom: ["4", "2", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.32.0@sha256:5c9542f9112882e46c3b8cb6f0ca2bef61585abac0e640a4fafa7d7ef60a392b"
+    tag: "8.33.2@sha256:920b5ac87128f30c176c0ae75c6bedd32d226a97c6c5a822235606c39992ee9a"
   openxchangeImageConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -844,7 +844,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.35.77@sha256:fb67cbaf0771ea6c18b5a1b94aaec9bf72b930227613e70535d382be58940372"
+    tag: "8.36.2042@sha256:ac358a10149901f944ca9a21f66a41f267ac5e33b6cce6d6f92309a44cdc0875"
   openxchangeNextcloudIntegrationUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -854,7 +854,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "2", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/nextcloud-integration-ui"
-    tag: "1.4.0@sha256:4be267ab2dc8dbef6b8382e2de6b28f3851a7af7f68702f360d457898cb9011e"
+    tag: "1.4.1@sha256:423d596b52ab32778d7227d98ccc719f98395a00d95ff0bcac826665b59e1937"
   openxchangePublicSectorUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -864,7 +864,7 @@ images:
     # upstreamMirrorStartFrom: ["2", "2", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.4.0@sha256:6513e948028ed98aca633d9943ef3be5fed890e4757eee6b527b7215206d2bd6"
+    tag: "2.4.1@sha256:c9f0f5425517e1740aaf9998c5944ce36ce26eda52329754e6b8ac733e2dacc5"
   oxConnector:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -890,7 +890,7 @@ images:
     # upstreamRepository: "alpine/k8s"
     registry: "registry-1.docker.io"
     repository: "alpine/k8s"
-    tag: "1.32.3@sha256:eec3541331932d8613ce7b3283508063cba7f704302e9b4eda45e49b38a2a0f9"
+    tag: "1.33.0@sha256:60333a52c38e9a8df0a9b93a5a24a4870f0db2c7ea3266b185386bd0a500d7dc"
   postgresql:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -898,7 +898,7 @@ images:
     # upstreamRepository: "library/postgres"
     registry: "registry-1.docker.io"
     repository: "library/postgres"
-    tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
+    tag: "15.13-alpine3.20@sha256:f7de0e2497b9a3b027d41377606f94bb0140a034ed303f6de690aa77637bfbc9"
   prosody:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -916,7 +916,7 @@ images:
     # upstreamRepository: "bitnami/redis"
     registry: "registry-1.docker.io"
     repository: "bitnami/redis"
-    tag: "7.4.1-debian-12-r2@sha256:3cfa11e8fef45c006a101ed7cfaae2cdaed7a5167c8ada2a3f76a1de54488cd0"
+    tag: "7.4.3-debian-12-r0@sha256:a25b5d07a14ec13730022c7cd9bab6308d55ccd86b74af7315553c17be884889"
   synapse:
     # providerCategory: "Supplier"
     # providerResponsible: "Element"
@@ -926,7 +926,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "91", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.127.1@sha256:0b0b933314ac9e1ba917a72c29d5b49c47828ab6e8df3aae3ac244ee947a89fc"
+    tag: "v1.129.0@sha256:13ac3293547d8c06e1e03fca4e02ef9a47f132acc2e2cdb4143a01495dd924cf"
   synapseCreateUser:
     # providerCategory: "Community"
     # providerResponsible: "Nordeck"
@@ -934,7 +934,7 @@ images:
     # upstreamRepository: "alpine/k8s"
     registry: "registry-1.docker.io"
     repository: "alpine/k8s"
-    tag: "1.32.0@sha256:6d49f7f37ae5f4c07bfe46edb44e3d3b6896974d1b87da76d8aa8d6e23b4d619"
+    tag: "1.33.0@sha256:60333a52c38e9a8df0a9b93a5a24a4870f0db2c7ea3266b185386bd0a500d7dc"
   synapseGuestModule:
     # providerCategory: "Supplier"
     # providerResponsible: "Element"
@@ -952,7 +952,7 @@ images:
     # upstreamRepository: "rapidfort/haproxy-official"
     registry: "registry-1.docker.io"
     repository: "rapidfort/haproxy-official"
-    tag: "2.6.15-bullseye@sha256:47b6ca4074347788cb414fbf3db35d0c51e9e47af33be46457f95c750540887c"
+    tag: "3.1.7-bookworm@sha256:ab50f196f66884f62fb379c40824036cd0dabb10df660097cff99b7ae22c2c44"
   wellKnown:
     # providerCategory: "Community"
     # providerResponsible: "Element"
@@ -960,7 +960,7 @@ images:
     # upstreamRepository: "library/nginx"
     registry: "registry-1.docker.io"
     repository: "library/nginx"
-    tag: "1.27.3-alpine3.20@sha256:41523187cf7d7a2f2677a80609d9caa14388bf5c1fbca9c410ba3de602aaaab4"
+    tag: "1.28.0-alpine3.21@sha256:aed99734248e851764f1f2146835ecad42b5f994081fa6631cc5d79240891ec9"
   xwikiMariadb:
     # providerCategory: "Supplier"
     # providerResponsible: "XWiki"