fix(nc): Lenght must be medium for htpasswd

.gitlab-ci.yml

@@ -767,10 +767,6 @@ import-default-accounts:
     - "echo \"Starting default account import for ${DOMAIN}\""
     - "cd /app"
     - |
-      set +e
-      success=0
-      for i in {1..5}; do
-        echo "Attempt $i/5..."
       ./user_import_udm_rest_api.py \
         --import_domain ${DOMAIN} \
         --udm_api_password ${DEFAULT_ADMINISTRATOR_PASSWORD} \
@@ -782,18 +778,6 @@ import-default-accounts:
         --create_admin_accounts True \
         --create_maildomains True \
         --verify_certificate False
-        if [ $? -eq 0 ]; then
-          echo "Script succeeded on attempt $i."
-          success=1
-          break
-        fi
-        echo "Script failed. Waiting 60 seconds before retry..."
-        sleep 60
-      done
-      if [ "$success" -ne 1 ]; then
-        echo "Script failed after 5 attempts."
-        exit 1
-      fi
 
 run-tests:
   stage: "post-execute"

CHANGELOG.md

@@ -14,7 +14,7 @@
 * **open-xchange:** Template SASL security options ([684c6d4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/684c6d4f29dd447872ebe582eef43c04034896f7))
 * **open-xchange:** Update Dovecot configuration based on supplier's best practise review ([850761e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/850761e0475b2f281fb23f6972d5c74fbdaa3a61))
 * **opendesk-static-files:** [[#260](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/260)] Fix doublette creation of configmap `data` keys when the same file is referenced multiple times for a component ([b5a76be](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b5a76bea57ef7b136c54d1bc95c40f0a0c3f9716))
-* **openproject:** Update from 16.6.0 to 16.6.1 ([62fae99](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/62fae9976a731c00700d56ce8fab198bb2531d20))
+* **openproject:** Update from 16.1.0 to 16.1.1 ([62fae99](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/62fae9976a731c00700d56ce8fab198bb2531d20))
 * **xwiki:** Update XWiki from 17.4.4 to 17.4.7 ([02a3b77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/02a3b7711490394690df70ca92bab58b253e34f5))
 
 

docs/getting-started.md

@@ -65,7 +65,7 @@ For your convenience, we recommend creating a `*.domain.tld` A-Record for your c
 | Record name                   | Type | Value                                              | Additional information                                            |
 |-------------------------------|------|----------------------------------------------------|-------------------------------------------------------------------|
 | *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                   |
-| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            | Optional                                                          |
+| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                   |
 | mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | mail.domain.tld               | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional, mail should directly be delivered to openDesk's Postfix |
 | domain.tld                    | MX   | `10 mail.domain.tld`                               |                                                                   |

docs/migrations.md

@@ -11,11 +11,10 @@ SPDX-License-Identifier: Apache-2.0
 * [Overview and mandatory upgrade path](#overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
   * [Versions ≥ v1.11.0](#versions--v1110)
-    * [Pre-upgrade to versions ≥ v1.11.0](#pre-upgrade-to-versions--v1110)
-      * [Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)](#helmfile-new-option-annotations-for-external-services-dovecot-jitsi-jvb-postfix)
-  * [Versions ≥ v1.10.0](#versions--v1100)
     * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100)
-      * [Deployment cleanup: Collabora Controller](#deployment-cleanup-collabora-controller)
+      * [Helmfile new secret: `secrets.nextcloud.statusPassword`](#helmfile-new-secret-secretsnextcloudstatuspassword)
+  * [Versions ≥ v1.10.0](#versions--v1100)
+    * [Pre-upgrade to versions ≥ v1.10.0](#pre-upgrade-to-versions--v1100-1)
       * [Helmfile new secret: `secrets.nubus.ldapSearch.postfix`](#helmfile-new-secret-secretsnubusldapsearchpostfix)
       * [Helmfile new secret: `secrets.doveocot.sharedMailboxesMasterPassword`](#helmfile-new-secret-secretsdoveocotsharedmailboxesmasterpassword)
       * [New Helmfile default: Nubus provisioning debug container no longer deployed](#new-helmfile-default-nubus-provisioning-debug-container-no-longer-deployed)
@@ -187,56 +186,26 @@ If you would like more details about the automated migrations, please read secti
 
 ## Versions ≥ v1.11.0
 
-### Pre-upgrade to versions ≥ v1.11.0
+### Pre-upgrade to versions ≥ v1.10.0
 
-#### Helmfile new option: Annotations for external services (Dovecot, Jitsi JVB, Postfix)
+#### Helmfile new secret: `secrets.nextcloud.statusPassword`
 
-**Target group:** Existing deployments using `service` annotations.
+**Target group:** All existing deployments that use self-defined secrets and have deployed Nextcloud.
 
-The three non-HTTP external services support now explicit annotations.
+Access to Nextcloud's `/status.php` requires now BasicAuth. The related password is set in
-See [`annotations.yaml.gomtpl`](../helmfile/environments/default/annotations.yaml.gotmpl) for reference.
+[`secrets.yaml.gotmpl`](../helmfile/environments/default/secrets.yaml.gotmpl) by the key
+`secrets.nextcloud.statusPassword`.
 
-**Jitsi JVB**
+If you define your own secrets, please ensure that you provide a value for this secret, otherwise it will
+be derived from the `MASTER_PASSWORD`.
 
-The already existing annotation key `annotations.jitsiJVB.service` has been renamed to
+> [!note]
-`annotations.jitsiJVB.serviceExternal` be in line with the newly added ones for Postfix and Dovecot.
+> The username for the BasicAuth is hardcoded to "status-access"
-If you make use of the JVB service annotation please rename the attribute to the new `serviceExternal` standard.
-
-**Dovecot**
-
-Setting service annotation by `annotations.openxchangeDovecot.service` applied the annotations to the internal
-and external service. This key now only sets annotations for the internal service. If you want to set
-annotations for the external service use the newly introduced key `annotations.openxchangeDovecot.serviceExternal`.
-
-**Postfix**
-
-Setting service annotation by `annotations.openxchangePostfix.service` applied the annotations to the internal
-and external service. This key now only sets annotations for the internal service. If you want to set
-annotations for the external service use the newly introduced key `annotations.openxchangePostfix.serviceExternal`.
 
 ## Versions ≥ v1.10.0
 
 ### Pre-upgrade to versions ≥ v1.10.0
 
-#### Deployment cleanup: Collabora Controller
-
-**Target group:** Existing openDesk Enterprise deployments using Collabora Controller. Actually only long running
-deployments are affected, but following the instructions won't hurt.
-
-As per upstream release notes for [Collabora Online Controller 1.1.4](https://www.collaboraonline.com/cool-controller-release-notes/)
-you have to remove the existing leases of the Controller. You can do so by setting `<your_namespace>` and executing
-the commands below.
-
-```shell
-export NAMESPACE=<your_namespace>
-export COLLABORA_CONTROLLER_DEPLOYMENT_NAME=collabora-controller-cool-controller
-kubectl -n ${NAMESPACE} scale deployment/${COLLABORA_CONTROLLER_DEPLOYMENT_NAME} --replicas=0
-kubectl -n ${NAMESPACE} delete -n collabora leases.coordination.k8s.io collabora-online
-```
-
-> [!note]
-> The Collabora Online Controller is not scaled up again, as this would happen as part of the upgrade deployment.
-
 #### Helmfile new secret: `secrets.nubus.ldapSearch.postfix`
 
 **Target group:** All existing deployments that use self-defined secrets.

docs/monitoring.md

@@ -23,7 +23,8 @@ openDesk includes integration with Prometheus-based monitoring.
 
 Together with [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack), you can easily leverage the full potential of the open-source cloud-native observability stack.
 
-Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack repository which should at least include the Prometheus Operator.
+Before enabling the following options, you need to install the respective custom resource definitions (CRDs) from the kube-prometheus-stack
+repository or Prometheus operator.
 
 # Defaults
 
@@ -32,17 +33,15 @@ All configurable options and their defaults can be found in
 
 # Metrics
 
-To deploy `podMonitor` and `serviceMonitor` custom resources, enable them by:
+To deploy `podMonitor` and `serviceMonitor` custom resources, enable it by:
 
 ```yaml
-monitoring:
+prometheus:
-  prometheus:
   serviceMonitors:
     enabled: true
   podMonitors:
     enabled: true
 ```
-```
 
 # Alerts
 
@@ -52,21 +51,17 @@ Some of these are created by our partners while others are defined in [opendesk-
 All alert rules are deployed as [PrometheusRule](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.PrometheusRule) and can be enabled like this:
 
 ```yaml
-monitoring:
+prometheus:
-  prometheus:
   prometheusRules:
     enabled: true
 ```
 
 # Dashboards for Grafana
 
-If your Grafana instance is deployed via kube-prometheus-stack, or you have deployed the [Sidecar for datasources](https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md#sidecar-for-datasources), openDesk can make dashboards available via ConfigMap resources. 
+To deploy optional Grafana dashboards with ConfigMaps, enable the functionality with:
-
-Enable the functionality with the following snippet:
 
 ```yaml
-monitoring:
+grafana:
-  grafana:
   dashboards:
     enabled: true
 ```

docs/requirements.md

@@ -29,14 +29,14 @@ openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s)
 - K8s cluster >= v1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX) >= [4.11.5/1.11.5](https://github.com/kubernetes/ingress-nginx/releases)
-- [Helm](https://helm.sh/) >= v3.17.3 (but not v3.18.0[^1]) and < v4[^2],
+- [Helm](https://helm.sh/) >= v3.17.3, but not v3.18.0[^1]
 - [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= v1.0.0
 - [HelmDiff](https://github.com/databus23/helm-diff) >= v3.11.0
-- Volume provisioner supporting RWO (read-write-once)[^3]
+- Volume provisioner supporting RWO (read-write-once)[^2]
 - Certificate handling with [cert-manager](https://cert-manager.io/)
 
 **Additional openDesk Enterprise requirements**
-- [OpenKruise](https://openkruise.io/)[^4] >= v1.6
+- [OpenKruise](https://openkruise.io/)[^3] >= v1.6
 
 # Hardware
 
@@ -138,11 +138,8 @@ Helmfile requires [HelmDiff](https://github.com/databus23/helm-diff) to compare
 
 # Footnotes
 
-[^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm v3.18.0 is not supported.
+[^1]: Due to a [Helm bug](https://github.com/helm/helm/issues/30890) Helm 3.18.0 is not supported.
 
-[^2]: Helm v4 introduced stricter flag grouping that is not yet supported by the helmdiff plugin.
+[^2]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. E.g. the `local-path-provisioner` does not have sticky bit support.
-
-[^3]: Due to [restrictions on Kubernetes `emptyDir`](https://github.com/kubernetes/kubernetes/pull/130277) you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. E.g. the `local-path-provisioner` does not have sticky bit support.
-
-[^4]: Required for Dovecot Pro as part of openDesk Enterprise Edition.
 
+[^3]: Required for Dovecot Pro as part of openDesk Enterprise Edition.

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -248,9 +248,9 @@ jitsi:
       {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
       type: {{ coalesce .Values.service.type.jitsiVideoBridge .Values.cluster.service.type | quote }}
-    {{- if .Values.annotations.jitsiJvb.serviceExternal }}
+    {{- if .Values.annotations.jitsiJvb.service }}
       annotations:
-        {{ .Values.annotations.jitsiJvb.serviceExternal | toYaml | nindent 8 }}
+        {{ .Values.annotations.jitsiJvb.service | toYaml | nindent 8 }}
     {{- end }}
     securityContext:
       allowPrivilegeEscalation: false

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -118,6 +118,10 @@ aio:
           value: {{ .Values.databases.nextcloud.password | quote }}
           {{- end }}
     trustedProxy: {{ join " " .Values.cluster.networking.cidr | quote }}
+    status:
+      password:
+        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
+
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -140,8 +140,6 @@ service:
     {{ .Values.annotations.openxchangeDovecot.service | toYaml | nindent 4 }}
   external:
     enabled: true
-    annotations:
-      {{ .Values.annotations.openxchangeDovecot.serviceExternal | toYaml | nindent 6 }}
     type: {{ coalesce .Values.service.type.dovecot .Values.cluster.service.type | quote }}
 {{- end }}
 

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -129,8 +129,6 @@ service:
     {{ .Values.annotations.openxchangePostfix.service | toYaml | nindent 4 }}
   external:
     enabled: true
-    annotations:
-      {{ .Values.annotations.openxchangePostfix.serviceExternal | toYaml | nindent 6 }}
     type: {{ coalesce .Values.service.type.postfix .Values.cluster.service.type | quote }}
 {{- end }}
 ...

helmfile/apps/opendesk-openproject-bootstrap/values.yaml.gotmpl

@@ -28,11 +28,15 @@ config:
       password:
         value: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
   nextcloud:
+    hostUrl: {{ printf "http://%s.%s.svc.%s" "opendesk-nextcloud-aio" (.Values.apps.nextcloud.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
     admin:
       username:
         value: "nextcloud"
       password:
         value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+    status:
+      password:
+        value: {{ .Values.secrets.nextcloud.statusPassword | quote }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -6,7 +6,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
     name: "dovecot"
-    version: "3.3.0"
+    version: "3.2.1"
     verify: true
   oxAppSuite:
     registry: "registry.opencode.de"

helmfile/environments/default-enterprise-overrides/images.yaml.gotmpl

@@ -13,7 +13,8 @@ images:
   nextcloud:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/nextcloud/images/opendesk-nextcloud"
-    tag: "1.6.11@sha256:79bab3b5745eb2c0fdd5a8858d277495deb7f6e43b42c7046d5bfbee039aed0a"
+    #tag: "1.6.11@sha256:79bab3b5745eb2c0fdd5a8858d277495deb7f6e43b42c7046d5bfbee039aed0a"
+    tag: "1.6.10-b1-boekhorst-fix-http-headers-and-extrafiles@sha256:95e4a615f0efe9ed9f7f68bd864d67c676bffcadef7a71d6c6c9406a8fae8196"
   openxchangeCoreMW:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/open-xchange/images-mirror/middleware-public-sector-pro"

helmfile/environments/default/annotations.yaml.gotmpl

@@ -95,7 +95,7 @@ annotations:
     serviceAccount: ~
   jitsiJvb:
     pod: ~
-    serviceExternal: ~
+    service: ~
     metricsPrometheus: ~
     metricsGrafana: ~
   jitsiProsody:
@@ -360,7 +360,6 @@ annotations:
     pod: ~
     service: ~
     serviceAccount: ~
-    serviceExternal: ~
   openxchangeEnterpriseContactPicker:
     appsuiteCoreMw:
     appsuiteCoreMwPod: ~
@@ -370,7 +369,6 @@ annotations:
   openxchangePostfix:
     pod: ~
     service: ~
-    serviceExternal: ~
   openxchangePublicSectorUi:
     pod: ~
   servicesExternalClamavDistributed:

helmfile/environments/default/charts.yaml.gotmpl

@@ -97,7 +97,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
-    version: "3.3.0"
+    version: "3.2.1"
     verify: true
   element:
     # providerCategory: "Platform"
@@ -249,7 +249,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "4.4.4"
+    version: "4.5.0-b1-boekhorst-combined-testing-encryption-bfp"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -259,7 +259,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "4.4.4"
+    version: "4.5.0-b1-boekhorst-combined-testing-encryption-bfp"
     verify: true
   nextcloudNotifyPush:
     # providerCategory: "Platform"
@@ -269,7 +269,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-notifypush"
-    version: "4.4.4"
+    version: "4.5.0-b1-boekhorst-combined-testing-encryption-bfp"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -383,7 +383,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
     name: "opendesk-openproject-bootstrap"
-    version: "2.2.0"
+    version: "2.3.0-trossner-opt-nc-hostname"
     verify: true
   otterize:
     # providerCategory: "Platform"
@@ -405,7 +405,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector"
-    version: "2.26.23"
+    version: "2.23.206"
     verify: false
   oxAppSuiteBootstrap:
     # providerCategory: "Platform"
@@ -437,7 +437,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "5.1.0"
+    version: "5.0.2"
     verify: true
   postgresql:
     # providerCategory: "Platform"

helmfile/environments/default/images.yaml.gotmpl

@@ -330,7 +330,8 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.10.12@sha256:8a4cd73fdceb1da2c58a22a85d605eba575a2b1487e3927ab1971c9f1120549a"
+    #tag: "2.11.0-b1-boekhorst-fix-basicauth-statusphp@sha256:fa02cfc19053b5c7e32a25d667bdd4b20b77b757b4a12c323d3e9d298bd0046d"
+    tag: "boekhorst_fix_nginx_basic_auth_4"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -770,7 +771,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
-    tag: "1.1.4@sha256:2fd97a316114428849aaeef87fb8755274e675830088a93afcafac91bb048d1d"
+    tag: "1.2.0-trossner-opt-nc-hostname@sha256:7e8fdee6280cf9672f760f8e476e52a0968e05432e35275c6b4e1c32f0699e00"
   openprojectDbInit:
     # providerCategory: "Community"
     # providerResponsible: "OpenProject"
@@ -796,7 +797,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "6", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.7.1@sha256:4b74178e71f843482584803edfb655cbb8f1f6966a50009e08fca344ad1efbe5"
+    tag: "8.6.21@sha256:71b4819d42a808d57951405ab6215ff9fafae43e3f10a9f388484b7fbe28849e"
   openxchangeCoreMW:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -806,7 +807,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "51"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.44.35@sha256:62d2fc1767a3073cb0451fe28cd9ca99326bba53771ba71d12a3a56c0af36a55"
+    tag: "8.41.58@sha256:a4c169d13a928d5532fc200be6c7c76c1d18f0579b8dbdb514583f62ac9fe8c7"
   openxchangeCoreUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -816,7 +817,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.45.0@sha256:496ecf7fa82c8d246bef53b7c0ebdce4a1df6a004534a473bd0b106e2b130cd4"
+    tag: "8.41.1@sha256:108974ea42a4cf22ea1b37b975928881b6c23a2949b51781812f5b1260873aa4"
   openxchangeCoreUIMiddleware:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -826,7 +827,7 @@ images:
     # upstreamMirrorStartFrom: ["2", "0", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.3.0@sha256:5ed58f72ff7422b51c945b2a0d59894513f4cb66d3f8f33eab139707add80213"
+    tag: "2.1.8@sha256:1853e6e2b780936a18b11c208b4b39ce094e49d25830c22c5658c27274e5b7fc"
   openxchangeCoreUserGuide:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -836,7 +837,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "799279"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.45.2198459725@sha256:181ce7d1407f6fb5cbc8f6be79cc4eb8c3380390ea73ba1d6e70f4a7958f09f4"
+    tag: "8.41.1547156@sha256:fadee7a76ffa91e0be7ec643f3315806787ac2eea4b0bb271201a58580a5f456"
   openxchangeDocumentConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -846,7 +847,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.45.2035@sha256:1303907ba5379d5372ffdc378dc30c922383fc3f6a9bbbaa67bda979e09faa31"
+    tag: "8.41.1875@sha256:839d73bdc7b158beee5e157df4b49004c9f4f2df1afb65c1e4bae51f9f67a213"
   openxchangeGotenberg:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -866,7 +867,7 @@ images:
     # upstreamMirrorStartFrom: ["4", "2", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.33.6@sha256:23bf9c4156b34a6fe5db1e51c826884426b62d2440794369b8524cb8b745a003"
+    tag: "8.33.4@sha256:e73afec3d549943379fdb12dde1ab14d53c6fafac221e2512c6641ac71c65b3f"
   openxchangeImageConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -876,7 +877,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.45.2557@sha256:de20301cd84ea67204f061a4de6d7cd5230331a5a2a92f8c26bf9bde90e044d3"
+    tag: "8.41.2194@sha256:8b3085642fea2bc0ab64b6a8256ce4c00952e84d4c233edd05d458a8d82045f9"
   openxchangeNextcloudIntegrationUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"

helmfile/environments/default/secrets.yaml.gotmpl

@@ -101,6 +101,7 @@ secrets:
   nextcloud:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
     metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
+    statusPassword: {{ derivePassword 1 "medium" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_status_user" | sha1sum | quote }}
   openproject:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum | quote }}
     apiAdminUsername: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_username" | sha1sum | quote }}