docs(groupware-migration.md): Update with more details

.gitlab-ci.yml

@@ -4,7 +4,7 @@
 ---
 include:
   - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.4.9"
+    ref: "v2.4.8"
     file:
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"

CHANGELOG.md

@@ -1,11 +1,3 @@
-## [1.3.2](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.3.1...v1.3.2) (2025-05-06)
-
-
-### Bug Fixes
-
-* **dovecot:** Update Helm chart to fix migration mode ([7ba84b9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ba84b99caf61e5a4a35b71d875e9ede0f71423e))
-* **helmfile:** Explicitly template auth-modules in OX App Suite; Streamline name of OX App Suite EE image ([6cbb6b6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6cbb6b6922864467ca365bcc9b1cfa49182df050))
-
 ## [1.3.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.3.0...v1.3.1) (2025-04-24)
 
 

README.md

@@ -40,7 +40,7 @@ openDesk currently features the following functional main components:
 | File management      | Nextcloud                   | [30.0.6](https://nextcloud.com/de/changelog/#30-0-6)                                                                          | [Nextcloud 30](https://docs.nextcloud.com/)                                                                                           |
 | Groupware            | OX App Suite                | [8.35](https://documentation.open-xchange.com/appsuite/releases/8.35/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                              | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | [1.9.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-9-1-2025-05-07) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Portal & IAM         | Nubus                       | [1.8.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-8-0-2025-04-07) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | [15.5.1](https://www.openproject.org/docs/release-notes/15-5-1/)                                                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                         | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [24.04.13](https://www.collaboraoffice.com/code-24-04-release-notes/)                                                         | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |

docs/migrations.md

@@ -9,22 +9,19 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
-  * [v1.4.0+](#v140)
+  * [From v1.1.2](#from-v112)
-    * [Pre-upgrade to v1.4.0+](#pre-upgrade-to-v140)
+    * [Pre-upgrade from v1.1.2](#pre-upgrade-from-v112)
-      * [Helmfile cleanup: `global.additionalMailDomains` as list](#helmfile-cleanup-globaladditionalmaildomains-as-list)
-  * [v1.2.0+](#v120)
-    * [Pre-upgrade to v1.2.0+](#pre-upgrade-to-v120)
       * [Helmfile cleanup: Do not configure OX provisioning when no OX installed](#helmfile-cleanup-do-not-configure-ox-provisioning-when-no-ox-installed)
       * [Helmfile new default: PostgreSQL for XWiki and Nextcloud](#helmfile-new-default-postgresql-for-xwiki-and-nextcloud)
-  * [v1.1.2+](#v112)
+  * [From v1.1.1](#from-v111)
-    * [Pre-upgrade to v1.1.2+](#pre-upgrade-to-v112)
+    * [Pre-upgrade from v1.1.1](#pre-upgrade-from-v111)
       * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
-  * [v1.1.1+](#v111)
+  * [From v1.1.0](#from-v110)
-    * [Pre-upgrade to v1.1.1](#pre-upgrade-to-v111)
+    * [Pre-upgrade from v1.1.0](#pre-upgrade-from-v110)
       * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
       * [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
-  * [v1.1.0+](#v110)
+  * [From v1.0.0](#from-v100)
-    * [Pre-upgrade to v1.1.0](#pre-upgrade-to-v110)
+    * [Pre-upgrade from v1.0.0](#pre-upgrade-from-v100)
       * [Helmfile cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
       * [Helmfile cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
       * [Helmfile cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
@@ -34,10 +31,10 @@ SPDX-License-Identifier: Apache-2.0
       * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
       * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
       * [External requirements: Redis 7.4](#external-requirements-redis-74)
-    * [Post-upgrade to v1.1.0+](#post-upgrade-to-v110)
+    * [Post-upgrade from v1.0.0](#post-upgrade-from-v100)
       * [XWiki fix-ups](#xwiki-fix-ups)
-  * [v1.1.0](#v110-1)
+  * [From v0.9.0](#from-v090)
-    * [Pre-upgrade to v1.1.0](#pre-upgrade-to-v110-1)
+    * [Pre-upgrade from v0.9.0](#pre-upgrade-from-v090)
       * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
       * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
       * [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled)
@@ -45,20 +42,20 @@ SPDX-License-Identifier: Apache-2.0
       * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
       * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
       * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
-    * [Post-upgrade to v1.0.0+](#post-upgrade-to-v100)
+    * [Post-upgrade from v0.9.0](#post-upgrade-from-v090)
       * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
       * [Optional Cleanup](#optional-cleanup)
-  * [v0.9.0](#v090)
+  * [From v0.8.1](#from-v081)
-    * [Pre-upgrade to v0.9.0](#pre-upgrade-to-v090)
+    * [Pre-upgrade from v0.8.1](#pre-upgrade-from-v081)
       * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
       * [Updated customizable template attributes](#updated-customizable-template-attributes)
       * [`migrations` S3 bucket](#migrations-s3-bucket)
 * [Automated migrations - Details](#automated-migrations---details)
-  * [v1.2.0+ (automated)](#v120-automated)
+  * [From v1.1.2 (automated)](#from-v112-automated)
     * [migrations-pre](#migrations-pre)
     * [migrations-post](#migrations-post)
-  * [v1.1.0+ (automated)](#v110-automated)
+  * [From v1.0.0 (automated)](#from-v100-automated)
-  * [v1.0.0+ (automated)](#v100-automated)
+  * [From v0.9.0 (automated)](#from-v090-automated)
   * [Related components and artifacts](#related-components-and-artifacts)
   * [Development](#development)
 <!-- TOC -->
@@ -100,35 +97,11 @@ If you would like more details about the automated migrations, please read secti
 
 # Manual checks/actions
 
-## v1.4.0+
+Be sure you check all the sections for the releases you are going to update your current deployment from.
 
-### Pre-upgrade to v1.4.0+
+## From v1.1.2
 
-#### Helmfile cleanup: `global.additionalMailDomains` as list
+### Pre-upgrade from v1.1.2
-
-**Target group:** Installations that have set `global.additionalMailDomains`.
-
-The `additionalMailDomains` had to be defined as a comma separated string. That now needs to change into a list of domains.
-
-For example the following config:
-
-```yaml
-global:
-  additionalMailDomains: "sub1.maildomain.de,sub2.maildomain.de"
-```
-
-Needs to change to:
-
-```yaml
-global:
-  additionalMailDomains:
-    - "sub1.maildomain.de"
-    - "sub2.maildomain.de"
-```
-
-## v1.2.0+
-
-### Pre-upgrade to v1.2.0+
 
 #### Helmfile cleanup: Do not configure OX provisioning when no OX installed
 
@@ -138,7 +111,7 @@ With openDesk 1.2.0 the OX provisioning consumer will not be registered when the
 
 We do not remove the consumer for existing installations, if you want to do that for your existing installation please perform the following steps:
 
-```shell
+```
 export NAMESPACE=<your_namespace>
 kubectl -n ${NAMESPACE} exec -it ums-provisioning-nats-0 -c nats-box -- sh -c 'nats consumer rm stream:ox-connector durable_name:ox-connector --user=admin --password=${NATS_PASSWORD} --force'
 kubectl -n ${NAMESPACE} exec -it ums-provisioning-nats-0 -c nats-box -- sh -c 'nats stream rm stream:ox-connector --user=admin --password=${NATS_PASSWORD} --force'
@@ -189,9 +162,9 @@ In case you are planning to migrate an existing instance from MariaDB to Postgre
   - https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Backup#HUsingtheXWikiExportfeature
   - https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/ImportExport
 
-## v1.1.2+
+## From v1.1.1
 
-### Pre-upgrade to v1.1.2+
+### Pre-upgrade from v1.1.1
 
 #### Helmfile feature update: App settings wrapped in `apps.` element
 
@@ -203,7 +176,7 @@ If you have a deployment where you specify settings found in the aforementioned
 
 The following configuration:
 
-```yaml
+```
 certificates:
   enabled: false
 notes:
@@ -212,7 +185,7 @@ notes:
 
 Needs to be changed to:
 
-```yaml
+```
 apps:
   certificates:
     enabled: false
@@ -220,9 +193,9 @@ apps:
     enabled: true
 ```
 
-## v1.1.1+
+## From v1.1.0
 
-### Pre-upgrade to v1.1.1
+### Pre-upgrade from v1.1.0
 
 #### Helmfile feature update: Component specific `storageClassName`
 
@@ -275,9 +248,9 @@ persistence:
 
 A not yet templated secret was discovered in the Nubus deployment. It is now declared in [`secrets.yaml.gotmpl`](../helmfile/environments/default/theme.yaml.gotmpl) and can be defined using: `secrets.nubus.masterpassword`. If you define your own secrets, please be sure this new secret is set to the same value as the `MASTER_PASSWORD` environment variable used in your deployment.
 
-## v1.1.0+
+## From v1.0.0
 
-### Pre-upgrade to v1.1.0
+### Pre-upgrade from v1.0.0
 
 #### Helmfile cleanup: Restructured `/helmfile/files/theme` folder
 
@@ -440,7 +413,7 @@ The update from openDesk v1.0.0 contains Redis 7.4.1, like the other openDesk bu
 
 Please ensure the Redis you are using is updated to at least version 7.4 to support the requirement of OX App Suite.
 
-### Post-upgrade to v1.1.0+
+### Post-upgrade from v1.0.0
 
 #### XWiki fix-ups
 
@@ -466,9 +439,9 @@ Unfortunately XWiki does not upgrade itself as expected. The bug has been report
 
 You should have now a fully functional XWiki instance with single sign-on and full-text search.
 
-## v1.1.0
+## From v0.9.0
 
-### Pre-upgrade to v1.1.0
+### Pre-upgrade from v0.9.0
 
 #### Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus
 
@@ -650,7 +623,7 @@ The IAM admin account `Administrator` is the only member of this group by defaul
 
 If you need other accounts to use the API, please assign them to the aforementioned group.
 
-### Post-upgrade to v1.0.0+
+### Post-upgrade from v0.9.0
 
 #### Configuration Improvement: Separate user permission for using Video Conference component
 
@@ -680,9 +653,9 @@ kubectl -n ${NAMESPACE} delete pvc shared-run-ums-ldap-server-0
 kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
 ```
 
-## v0.9.0
+## From v0.8.1
 
-### Pre-upgrade to v0.9.0
+### Pre-upgrade from v0.8.1
 
 #### Updated `cluster.networking.cidr`
 
@@ -705,7 +678,7 @@ kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
 
 # Automated migrations - Details
 
-## v1.2.0+ (automated)
+## From v1.1.2 (automated)
 
 > **Note**<br>
 > Details can be found in [run_4.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_4.py).
@@ -719,7 +692,7 @@ kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
 
 - Restarting Deployment `ums-provisioning-udm-transformer` and StatefulSet `ums-provisioning-udm-listener` as well as deleting the Nubus Provisioning consumer `durable_name:incoming` on stream `stream:incoming`: Due to a bug in Nubus 1.7.0 the `incoming` stream was blocked after the upgrade, the aforementioned measures unblock the stream.
 
-## v1.1.0+ (automated)
+## From v1.0.0 (automated)
 
 With openDesk v1.1.0 the IAM stack supports HA LDAP primary as well as scalable LDAP secondary pods.
 
@@ -730,7 +703,7 @@ creating the config map with the mentioned label.
 > **Note**<br>
 > Details can be found in [run_3.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
 
-## v1.0.0+ (automated)
+## From v0.9.0 (automated)
 
 The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks.
 

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -246,8 +246,6 @@ keycloak:
   extraEnvVars:
     - name: "KC_HTTPS_TRUST_STORE_FILE"
       value: "/etc/ssl/certs/truststore.jks"
-    - name: "KC_TRUSTSTORE_PATHS"
-      value: "/etc/ssl/certs/ca-certificates.crt"
     - name: "KC_HTTPS_TRUST_STORE_PASSWORD"
       value: {{ .Values.secrets.certificates.password | quote }}
     - name: "KC_HTTPS_TRUST_STORE_TYPE"
@@ -256,20 +254,6 @@ keycloak:
 
 nubusGuardian:
   authorizationApi:
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
       repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
@@ -288,6 +272,20 @@ nubusGuardian:
     replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
     resources:
       {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: RuntimeDefault
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
   global:
     podAnnotations:
       {{ .Values.annotations.nubusGuardian.globalPod | toYaml | nindent 6 }}
@@ -350,20 +348,6 @@ nubusGuardian:
           # enabled: true
           secretName: ""
   managementApi:
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
       repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
@@ -382,8 +366,7 @@ nubusGuardian:
     replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
     resources:
       {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
-  managementUi:
+    securityContext:
-    containerSecurityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
@@ -396,7 +379,8 @@ nubusGuardian:
       seccompProfile:
         type: RuntimeDefault
       seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
+        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
+  managementUi:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
       repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
@@ -412,8 +396,7 @@ nubusGuardian:
     replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
     resources:
       {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
-  openPolicyAgent:
+    securityContext:
-    containerSecurityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
@@ -425,8 +408,9 @@ nubusGuardian:
       runAsUser: 1000
       seccompProfile:
         type: RuntimeDefault
-    seLinuxOptions:
+      seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
+        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
+  openPolicyAgent:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
       repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
@@ -442,6 +426,20 @@ nubusGuardian:
     replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
     resources:
       {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: RuntimeDefault
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
   postgresql:
     connection:
       host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
@@ -449,29 +447,26 @@ nubusGuardian:
     auth:
       username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
       database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
-      existingSecret:
+      credentialSecret:
         name: "ums-guardian-postgresql-opendesk-credentials"
-        keyMapping:
+        key: "guardianDatabasePassword"
-          password: "guardianDatabasePassword"
   provisioning:
     enabled: false
     config:
       nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
       keycloak:
+        realm: {{ .Values.platform.realm | quote }}
+        username: "kcadmin"
+        connection:
+          host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+          baseUrl: "http://ums-keycloak:8080"
         credentialSecret:
           name: "ums-opendesk-keycloak-credentials"
           key: "admin_password"
-      realm: {{ .Values.platform.realm | quote }}
+      managementApi:
-      username: "kcadmin"
+        credentialSecret:
-    keycloak:
-      auth:
-        existingSecret:
           name: "ums-opendesk-guardian-client-secret"
-          keyMapping:
+          key: "managementApiClientSecret"
-            password: "managementApiClientSecret"
-      connection:
-        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "http://ums-keycloak:8080"
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
       repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
@@ -700,17 +695,6 @@ nubusKeycloakExtensions:
     resources:
       {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
     securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - "ALL"
-      enabled: true
-      runAsUser: 1000
-      runAsGroup: 1000
-      seccompProfile:
-        type: "RuntimeDefault"
-      readOnlyRootFilesystem: true
-      runAsNonRoot: true
       seccompProfile:
         type: "RuntimeDefault"
       seLinuxOptions:
@@ -801,15 +785,8 @@ nubusPortalConsumer:
     logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
   objectStorage:
     auth:
-      accessKeyId: {{ .Values.objectstores.nubus.username | quote }}
       accessKey: {{ .Values.objectstores.nubus.username | quote }}
-      secretAccessKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
       secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-      existingSecret:
-        name: "{{ .Release.Name }}-portal-consumer-minio-credentials"
-        keyMapping:
-          accessKey: "accessKey"
-          secretKey: "secretKey"
     bucketName: {{ .Values.objectstores.nubus.bucket | quote }}
     endpoint: {{ printf "https://%s" (.Values.objectstores.nubus.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain)) | quote }}
   persistence:
@@ -841,7 +818,21 @@ nubusPortalConsumer:
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
       imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    {{- if .Values.certificate.selfSigned }}
+  {{- if .Values.certificate.selfSigned }}
+  extraVolumes:
+    - name: "trusted-cert-secret-volume"
+      secret:
+        secretName: "opendesk-certificates-ca-tls"
+        items:
+          - key: "ca.crt"
+            path: "ca-certificates.crt"
+          - key: "ca.crt"
+            path: "cacert.pem"
+  extraVolumeMounts:
+    - name: "trusted-cert-secret-volume"
+      mountPath: "/etc/ssl/certs/ca-certificates.crt"
+      subPath: "ca-certificates.crt"
+  waitForDependency:
     extraVolumeMounts:
       - name: "trusted-cert-secret-volume"
         readOnly: true
@@ -858,21 +849,6 @@ nubusPortalConsumer:
         value: "/etc/ssl/certs/ca-certificates.crt"
       - name: "SSL_CERT_FILE"
         value: "/etc/ssl/certs/ca-certificates.crt"
-    {{- end }}
-  {{- if .Values.certificate.selfSigned }}
-  extraVolumes:
-    - name: "trusted-cert-secret-volume"
-      secret:
-        secretName: "opendesk-certificates-ca-tls"
-        items:
-          - key: "ca.crt"
-            path: "ca-certificates.crt"
-          - key: "ca.crt"
-            path: "cacert.pem"
-  extraVolumeMounts:
-    - name: "trusted-cert-secret-volume"
-      mountPath: "/etc/ssl/certs/ca-certificates.crt"
-      subPath: "ca-certificates.crt"
   {{- end }}
 
 nubusPortalServer:
@@ -1578,12 +1554,12 @@ nubusUmcServer:
     capabilities:
       drop:
         - "ALL"
-    runAsUser: 999
+    runAsUser: 0
-    runAsGroup: 999
+    runAsGroup: 0
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
-    runAsNonRoot: true
+    runAsNonRoot: false
     seLinuxOptions:
       {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
   containerSecurityContextInit:
@@ -1619,12 +1595,12 @@ nubusUmcServer:
         - "MKNOD"
         - "NET_BIND_SERVICE"
         - "SYS_CHROOT"
-    runAsUser: 999
+    runAsUser: 0
-    runAsGroup: 999
+    runAsGroup: 0
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
-    runAsNonRoot: true
+    runAsNonRoot: false
     seLinuxOptions:
       {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
   image:
@@ -1769,7 +1745,7 @@ nubusKeycloakBootstrap:
     capabilities:
       drop:
         - "ALL"
-    readOnlyRootFilesystem: true
+    readOnlyRootFilesystem: false
     runAsGroup: 1000
     runAsNonRoot: true
     runAsUser: 1000

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -23,8 +23,7 @@ imagePullSecrets:
   {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
 
 dovecot:
-  mailDomains: {{ toYaml (prepend .Values.global.additionalMailDomains (.Values.global.mailDomain | default .Values.global.domain) | uniq) | nindent 4 }}
+  mailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
-  defaultMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   password:
     value: {{ .Values.secrets.dovecot.doveadm | quote }}
   migration:

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -81,7 +81,7 @@ postfix:
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
   {{- end }}
-  virtualMailboxDomains: {{ toYaml (prepend .Values.global.additionalMailDomains (.Values.global.mailDomain | default .Values.global.domain) | uniq) | nindent 4 }}
+  virtualMailboxDomains: {{ if .Values.global.additionalMailDomains }}{{ printf "%s,%s" (.Values.global.mailDomain | default .Values.global.domain) .Values.global.additionalMailDomains }}{{ else }}{{ .Values.global.mailDomain | default .Values.global.domain | quote }}{{ end }}
   virtualTransport: "lmtps:dovecot:24"
 
 podAnnotations:

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -96,7 +96,7 @@ postfix:
   {{- end }}
   # Only deliver mail to Dovecot, if it is available
   {{- if .Values.apps.oxAppSuite.enabled }}
-  virtualMailboxDomains: {{ toYaml (prepend .Values.global.additionalMailDomains (.Values.global.mailDomain | default .Values.global.domain) | uniq) | nindent 4 }}
+  virtualMailboxDomains: {{ if .Values.global.additionalMailDomains }}{{ printf "%s,%s" (.Values.global.mailDomain | default .Values.global.domain) .Values.global.additionalMailDomains }}{{ else }}{{ .Values.global.mailDomain | default .Values.global.domain | quote }}{{ end }}
   virtualTransport: "lmtps:dovecot:24"
   {{- end }}
 

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -6,7 +6,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
     name: "dovecot"
-    version: "3.0.0"
+    version: "2.0.3"
     verify: true
   oxAppSuite:
     registry: "registry.opencode.de"

helmfile/environments/default/charts.yaml.gotmpl

@@ -99,7 +99,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
-    version: "3.0.0"
+    version: "2.0.0"
     verify: true
   element:
     # providerCategory: "Platform"
@@ -303,7 +303,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "nubus"
-    version: "1.9.1"
+    version: "1.8.0"
     verify: true
   opendeskAlerts:
     # providerCategory: "Platform"
@@ -419,7 +419,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "4.0.0"
+    version: "3.0.1"
     verify: true
   postgresql:
     # providerCategory: "Platform"

helmfile/environments/default/global.generated.yaml.gotmpl

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v1.3.3"
+    releaseVersion: "v1.3.1"
 ...

helmfile/environments/default/global.yaml.gotmpl

@@ -19,7 +19,7 @@ global:
 
   ## Define additional mail domains, comma separated, e.g. domain1.de,domain2.de
   #
-  additionalMailDomains: []
+  additionalMailDomains: ""
 
   ## Define synapse host
   ## If this is unset the "domain" value above should be used in all references

helmfile/environments/default/images.yaml.gotmpl

@@ -108,6 +108,13 @@ images:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/groupsync"
     tag: "v0.14.0@sha256:a8cee92b9035d8cc80cc13194e4e0118c7dfbfcbc4c0ee5ac173582d0cd55846"
+  elementHaProxy:
+    # Enterprise Component
+    # providerCategory: "Supplier"
+    # providerResponsible: "Element"
+    registry: "registry.opencode.de"
+    repository: "zendis/opendesk-enterprise/components/supplier/element/images-mirror/haproxy"
+    tag: "3.0-alpine@sha256:c22c8710886104a48b920306f063401f0d11811858e3c6b9d87d88a7556b2e61"
   elementPipe:
     # Enterprise Component
     # providerCategory: "Supplier"
@@ -370,7 +377,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "41", "5"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.90.0@sha256:a776ea84ca5d4f984a1ecf1f97d8c90cd98894c3568401be6858a8e955c7ed92"
+    tag: "0.89.0@sha256:3ed16810357ed01152e1e3f0d1cd66825bde53302f32d3caf700e324f7c1cffb"
   nubusGuardianAuthorizationApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -410,17 +417,17 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    tag: "0.19.1@sha256:9030841a136d9addc37b2b62d39d80b113b824e50bd9cdcd5cf2c22bad74eeb0"
+    tag: "0.17.0@sha256:56acfc53c3d3e0a20ff77fe427ae794adbf03ccc66972c95188e0da9e87c4a62"
   nubusKeycloak:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
     # upstreamRepository: "nubus/images/keycloak"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+).+$'
-    # upstreamMirrorStartFrom: ["0", "0", "1"]
+    # upstreamMirrorStartFrom: ["22", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak"
-    tag: "0.0.1@sha256:ce2397ac38920750b81a8a6065f7ed8a551641c6562a551963a2857fe6822beb"
+    tag: "25.0.6-ucs6@sha256:1db8af70741bca9badeb3d5b0b145244dde1a2579fe4f966e488ce730cb07d65"
   nubusKeycloakBootstrap:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -430,7 +437,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "1", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.11.0@sha256:55ad741e01dd91bb9b0332fd602a6262d3618abdf97a86c13f1e6148b36bd242"
+    tag: "0.10.2@sha256:7406bfee267dff6520b8b3c0db098a79e7f9fe1b45307ea6b1edf26a2bcfc1aa"
   nubusKeycloakExtensionHandler:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -460,7 +467,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.37.0@sha256:b148e15c268badc45db9a6ce12c97cce332d25b86e86fec47fc417b8fe74d0d2"
+    tag: "0.34.1@sha256:02d1a0d6ce7e154738f4a1c2323f901245b62c23c8e6c27ce19a57ab44cfdaa7"
   nubusLdapServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -470,7 +477,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.37.0@sha256:caf7de9e121e5500c52dc8338b80057acd3eaa1e3877b526a5ae944bb53fe876"
+    tag: "0.34.1@sha256:5bb7931393d2023dc63c1338632b01d4c50372cb83192cdb329512b93e109984"
   nubusLdapServerDhInitContainer:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -488,7 +495,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "29", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server-elector"
-    tag: "0.37.0@sha256:c9580e33ea48ec5d7ab2d4816926ca1b2ef72787f7615f31b124119c376c4324"
+    tag: "0.33.0@sha256:c1304a156094b276199fb263baf93e3704ceece478d7f663061b1b1f05f5931c"
   nubusNats:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -522,7 +529,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.67.0@sha256:da28ce84d97b78027eafbe0bcf8286a333efffdfc52a8abe852caed9d8cde339"
+    tag: "0.63.0@sha256:4c2e01e609fb83df6d090c389b5c63d4b1477bdb133b910cacf2f2a1ce1c39e1"
   nubusOpendeskExtension:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -568,7 +575,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "27", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.67.1@sha256:580adf9079d27f53f6efd0c519252c7855f6907e3badc033b994165856b16126"
+    tag: "0.63.0@sha256:e331f87738e716b0a16199b6aeaec917509946ce7b7ee91e608e70091dd279cc"
   nubusPortalExtension:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -596,7 +603,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.67.0@sha256:d9418c7a1db7541ced1e3034f45683c190bf63270c6ba8f3d67c1fe0ac2edb1a"
+    tag: "0.63.0@sha256:04cff7bb6b565e4ff03ffd1a6b6ab6c76b98bb9ea0fb8e703551f1b586ea7c27"
   nubusProvisioningDispatcher:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -606,7 +613,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.51.0@sha256:f0cea25f788ff565b883e50c6138874c6f0338e0f91c5f8a32595323059930ef"
+    tag: "0.49.3@sha256:1089683a7e04259b335c79c13ceca2879d5d834a13d9c93ef62315f3086c9efd"
   nubusProvisioningEventsAndConsumerApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -616,7 +623,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.51.0@sha256:66fec83fd5033cf32cd759e9c73f7ae659a4ec45a433f13417a12e007b1d4db6"
+    tag: "0.49.3@sha256:56a5ca05a570f5a0f68ac67abbf8726541455f03bf0bada0495187d1a0fe963a"
   nubusProvisioningPrefill:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -626,7 +633,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.51.0@sha256:ff04d8cec6ecc0b33cdea164e1ba1222c90ed9fe8370057a58329b4521e56de1"
+    tag: "0.49.3@sha256:761863e5499eb702d0a606e9a58d10055c637ed286ff18998125cb5f82a7c788"
   nubusProvisioningUdmListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -636,7 +643,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.51.0@sha256:5f0bba855945da2fa97d40b0fe51a14e3495b0b6da83562def6a6fcf4c21c059"
+    tag: "0.49.3@sha256:9bd8dd7531e3247761a6347a1889640821121c56435a96c286d1f6385a3152e7"
   nubusProvisioningUdmTransformer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -646,7 +653,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.51.0@sha256:ce9c312699ebe42c2e1df0d6caf150dfda1e4cc3fc1aaebe62c9ea5de8c11780"
+    tag: "0.49.3@sha256:9ce6b3798fb6faba6ebfac1be19b51d12bc8b312decf87f482a2371cb961805e"
   nubusSelfServiceConsumer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -656,7 +663,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.15.0@sha256:a7c4c097029de8903e3c2eee2082d740b5352dcc7a7a2a3c330bd9ebd7ad5b62"
+    tag: "0.14.0@sha256:999c50058a02f6006a8d1732b651a5c738c5ee91fc453dc8ae3fcdbb9d4192c0"
   nubusUdmRestApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -666,7 +673,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.30.0@sha256:9503666bac5f44a1d7cb6f17c6fd11a7d6976bc9059938596b6ac9f7bb581ca5"
+    tag: "0.29.0@sha256:2b061d1cf244aeadcb790a08cac94804a32abe73dd442382355a6657b05c0ff2"
   nubusUmcGateway:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -676,7 +683,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.43.1@sha256:e1f23a199e1e35667e2ba6a45866bcb6d37bc2b13f3b8134e511ae95973c743b"
+    tag: "0.38.0@sha256:5abece086fc55cc318453a23634094bdf4e0f9922debce87fbb1aa4d55b9eac1"
   nubusUmcServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -686,7 +693,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.43.1@sha256:1aef76db446164c3ffaeaf233e9ef6303ebb1609b47f918ac4ab6714abf95283"
+    tag: "0.38.0@sha256:2733c21900c8f861f53cff5f65ed20a21881180ff80472491c014e1e2a9c2a9d"
   nubusUmcServerProxy:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -704,7 +711,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.30.0@sha256:fa804c2a10aa42439bf3f388007d7e55c046d6da6dc8a74c27f5a989fd422c8d"
+    tag: "0.28.0@sha256:816ad27b76046be360398274ba3c1f1bcec8f58c2ea5a200b2fb675aab1a5ab8"
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -746,7 +753,7 @@ images:
     # upstreamRepository: "library/postgres"
     registry: "registry-1.docker.io"
     repository: "library/postgres"
-    tag: "16.9-alpine3.20@sha256:e5507c984377515b8c9922b0eb19f55aba2063fdc7bccf268cefd53133f97054"
+    tag: "16.8-alpine3.20@sha256:951d0626662c85a25e1ba0a89e64f314a2b99abced2c85b4423506249c2d82b0"
   openxchangeBootstrap:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -882,7 +889,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/postfix"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/postfix"
-    tag: "3.0.2@sha256:e65c6a70d2095a839c4337ef5dacefd42781641b7ac4dc202ff111881dae3716"
+    tag: "3.0.1@sha256:d2c6543b35b616ac3e6c8c27222d3154c0d35680813a8942ce0cc3fa9ea72a6d"
   postfixBootstrap:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"