feat(element): Update the Matrix NeoBoard Widget to v1.19.1

Signed-off-by: Milton Moura <miltonmoura@gmail.com>

.gitignore

@@ -6,10 +6,8 @@
 
 # Ignore changes to sample environments
 helmfile/environments/dev/*.yaml.gotmpl
-helmfile/environments/test/*.yaml.gotmpl
 helmfile/environments/prod/*.yaml.gotmpl
 !helmfile/environments/dev/sample.yaml.gotmpl
-!helmfile/environments/test/sample.yaml.gotmpl
 !helmfile/environments/prod/sample.yaml.gotmpl
 
 # Ignore in CI generated files

.gitlab-ci.yml

@@ -4,7 +4,7 @@
 ---
 include:
   - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.4.2"
+    ref: "v2.3.3"
     file:
       - "ci/common/automr.yml"
       - "ci/common/lint.yml"
@@ -97,6 +97,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_PROVISIONING:
+    description: "Enable Provisioning Components."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_COLLABORA:
     description: "Enable Collabora deployment."
     value: "no"
@@ -121,6 +127,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_ICS:
+    description: "Enable ICS deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_XWIKI:
     description: "Enable XWiki deployment."
     value: "no"
@@ -147,7 +159,7 @@ variables:
       - "no"
   RUN_TESTS:
     description: "Triggers execution of E2E-tests."
-    value: "no"
+    value: "yes"
     options:
       - "yes"
       - "no"
@@ -169,16 +181,13 @@ variables:
     options:
       - "Regression"
       - "Smoke"
-  TESTS_GRACE_PERIOD:
-    description: "A new deployment sometimes needs a few minutes to sort itself. If tested too early tests may fail. GRACE_PERIOD is the period in seconds that should be waited before running the tests."
-    value: "0"
 
 .deploy-common:
   cache: {}
   dependencies: []
   extends: ".environments"
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.1.0\
-          @sha256:74f349066ac5d20e3afaa6abd28781b4c8dc086f67e3d3c1b8345e4a9c3371b1"
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\
+          @sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a"
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
     # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -236,6 +245,14 @@ env-start:
   script:
     - "echo \"Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster\""
     - "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -"
+    - >
+      kubectl create secret
+      --namespace "${NAMESPACE}"
+      docker-registry external-registry
+      --docker-server "${EXTERNAL_REGISTRY}"
+      --docker-username "${EXTERNAL_REGISTRY_USERNAME}"
+      --docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
+      --dry-run=client -o yaml | kubectl apply -f -
   stage: "env"
 
 policies-deploy:
@@ -287,6 +304,18 @@ services-deploy:
   variables:
     COMPONENT: "services"
 
+provisioning-deploy:
+  stage: "component-deploy-stage-2"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no" || $DEPLOY_PROVISIONING != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "provisioning"
+
 nubus-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
@@ -312,6 +341,18 @@ ox-deploy:
   variables:
     COMPONENT: "open-xchange"
 
+ics-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ICS != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "intercom-service"
+
 xwiki-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
@@ -429,11 +470,15 @@ env-stop:
 
 .ums-default-password: &ums-default-password
   - |
-    DEFAULT_ADMINISTRATOR_PASSWORD=$(
-       kubectl \
-         -n ${NAMESPACE} \
-         get secret ums-nubus-credentials \
-         -o jsonpath='{.data.administrator_password}' | base64 -d \
+    UMS_PASSWORDS=$( \
+      kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
+      | yq '.properties.password' > passwords.txt \
+    )
+    DEFAULT_USER_PASSWORD=$( \
+      awk 'NR==1{print $1}' passwords.txt \
+    )
+    DEFAULT_ADMIN_PASSWORD=$(
+      awk 'NR==3{print $1}' passwords.txt \
     )
 
 run-tests:
@@ -445,11 +490,6 @@ run-tests:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes"
       when: "on_success"
-  parallel:
-    matrix:
-      - LANGUAGE:
-          - "de"
-          - "en"
   script:
     - *ums-default-password
     - |
@@ -463,9 +503,10 @@ run-tests:
           \"cluster\": \"${CLUSTER}\", \
           \"namespace\": \"${NAMESPACE}\", \
           \"url\": \"https://portal.${DOMAIN}/\", \
-          \"language\": \"${LANGUAGE}\", \
-          \"udm_api_username\": \"Administrator\", \
-          \"udm_api_password\": \"${DEFAULT_ADMINISTRATOR_PASSWORD}\", \
+          \"user_name\": \"${DEFAULT_USER_NAME}\", \
+          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
+          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
           \"screenshot_test\": \"yes\", \
           \"screenshot_before_step\": \"yes\", \
           \"screenshot_after_step\": \"yes\", \
@@ -474,8 +515,7 @@ run-tests:
           \"testprofile\": \"Namespace\", \
           \"gitlab_functional_yaml\": \"https://gitlab.opencode.de/api/v4/projects/1317/repository/files/helmfile%2Fenvironments%2Fdefault%2Ffunctional.yaml?ref=develop\", \
           \"gitlab_env_namespace_template\": \"https://gitlab.opencode.de/api/v4/projects/1564/repository/files/environments%2F{operator}%2F{cluster}%2F{namespace}.yaml.gotmpl?ref=main\", \
-          \"gitlab_default_env_namespace\": \"values\", \
-          \"GRACE_PERIOD\": \"${TESTS_GRACE_PERIOD}\" \
+          \"gitlab_default_env_namespace\": \"values\" \
         } \
       }" \
       "https://${TESTS_PROJECT_URL}/trigger/pipeline"
@@ -656,4 +696,5 @@ renovate:
   script:
     - "renovate ${RENOVATE_EXTRA_FLAGS}"
   stage: "renovate"
+
 ...

.gitlab/common/common.yml

@@ -2,10 +2,10 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.5.0\
-    @sha256:630e102edc70c9e730a46180e79ff278fd8b5039eb336110e0df89fe415225ef"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.6\
-    @sha256:0a8997876a0c3f5a3c73eb6bd75c5cde63757bc31b983bfd92cfcb17389d536f"
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.4\
+    @sha256:4120fe717071876f4c9ff128f26019d089fda158a4fb1912911e09af2fd3875f"
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.5\
+    @sha256:60870adb64b0503d4a6efd16cef4e074b91a4ca52b48811cfcea057bcccd07e4"
 
 .common:
   cache: {}

.gitlab/lint/lint-kyverno.yml

@@ -14,32 +14,19 @@ lint-kyverno:
           - "collabora"
           - "cryptpad"
           - "element"
+          - "intercom-service"
           - "jitsi"
           - "nextcloud"
           - "nubus"
           - "open-xchange"
           - "openproject"
           - "openproject-bootstrap"
+          - "provisioning"
           - "services"
           - "xwiki"
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
-    - >
-      node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
-      -d ${CI_PROJECT_DIR}/helmfile/environments
-    - "helmfile template -e test --include-needs --skip-tests > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
-    - "cd ${CI_PROJECT_DIR}/.kyverno"
-    # Test optional
-    - >
-      node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
-      -d ${CI_PROJECT_DIR}/.kyverno
-      -t optional
-      -s manifest
-      -f opendesk.yaml
-      --skip-tests true
-      ${APP}
-    - "kyverno test . || true"
-    # Test required
+    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
     - >
       node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
       -d ${CI_PROJECT_DIR}/.kyverno
@@ -48,5 +35,8 @@ lint-kyverno:
       -f opendesk.yaml
       --skip-tests true
       ${APP}
+    - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
+    - "cd ${CI_PROJECT_DIR}/.kyverno"
     - "kyverno test ."
+
 ...

.kyverno/policies/_policies.yaml

@@ -13,7 +13,7 @@ pod:
       - "DaemonSet"
   - name: "disallow-default-serviceaccount"
     rule: "disallow-default-serviceAccountName"
-    type: "optional"
+    type: "required"
     kinds:
       - "StatefulSet"
       - "Deployment"
@@ -58,7 +58,7 @@ pod:
       - "DaemonSet"
   - name: "require-health-and-liveness-check"
     rule: "require-health-and-liveness-check"
-    type: "optional"
+    type: "required"
     kinds:
       - "StatefulSet"
       - "Deployment"
@@ -158,7 +158,7 @@ pod:
       - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-seccomp-profile"
-    type: "optional"
+    type: "required"
     kinds:
       - "StatefulSet"
       - "Deployment"
@@ -176,7 +176,7 @@ pod:
       - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-empty-seLinuxOptions"
-    type: "optional"
+    type: "required"
     kinds:
       - "StatefulSet"
       - "Deployment"
@@ -285,7 +285,7 @@ pod:
       - "Ingress"
   - name: "template-replicas"
     rule: "template-replicas"
-    type: "optional"
+    type: "required"
     kinds:
       - "StatefulSet"
       - "Deployment"

.kyverno/policies/require-requests-limits.yaml

@@ -27,20 +27,6 @@ spec:
         message: "CPU and memory resource requests and limits are required."
         pattern:
           spec:
-            =(ephemeralContainers):
-              - resources:
-                  limits:
-                    memory: "?*"
-                  requests:
-                    cpu: "?*"
-                    memory: "?*"
-            =(initContainers):
-              - resources:
-                  limits:
-                    memory: "?*"
-                  requests:
-                    cpu: "?*"
-                    memory: "?*"
             containers:
               - resources:
                   limits:

.reuse/dep5

@@ -0,0 +1,16 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: openDesk - der Souveräne Arbeitsplatz
+Upstream-Contact: <opendesk@zendis.de>
+Source: https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk
+
+Files: helmfile/files/theme/*
+Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+License: Apache-2.0
+
+Files: helmfile/files/gpg-pubkeys/*
+Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+License: CC0-1.0
+
+Files: cspell.json
+Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+License: Apache-2.0

README.md

@@ -32,11 +32,11 @@ openDesk currently features the following functional main components:
 | -------------------- | --------------------------- | ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.67](https://github.com/element-hq/element-desktop/releases/tag/v1.11.67)        | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
-| File management      | Nextcloud                   | [29.0.7](https://nextcloud.com/de/changelog/#29-0-7)                                  | [SNextcloud 29](https://docs.nextcloud.com/)                                                                                                  |
+| File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                  | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
 | Groupware            | OX App Suite                | [8.26](https://documentation.open-xchange.com/appsuite/releases/8.26/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
-| Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
-| Portal & IAM         | Nubus                       | [1.0]                                                                                 | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                                    |
-| Project management   | OpenProject                 | [14.6.1](https://www.openproject.org/docs/release-notes/14-6-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
+| Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
+| Project management   | OpenProject                 | [14.4.1](https://www.openproject.org/docs/release-notes/14-4-1/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
 | Weboffice            | Collabora                   | [24.04.7.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 

REUSE.toml

@@ -1,24 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
-
-version = 1
-
-[[annotations]]
-path = "cspell.json"
-SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
-SPDX-License-Identifier = "Apache-2.0"
-
-[[annotations]]
-path = "helmfile/files/gpg-pubkeys/*"
-SPDX-FileCopyrightText = "2023 Bundesministerium des Innern und für Heimat, PG ZenDiS \"Projektgruppe für Aufbau ZenDiS\""
-SPDX-License-Identifier = "CC0-1.0"
-
-[[annotations]]
-path = "helmfile/files/theme/*"
-SPDX-FileCopyrightText = "2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH"
-SPDX-License-Identifier = "Apache-2.0"
-
-[[annotations]]
-path = "helmfile/files/portal-tiles/*"
-SPDX-FileCopyrightText = "2024 Google LLC"
-SPDX-License-Identifier = "Apache-2.0"

dev/charts-local.py

@@ -25,7 +25,7 @@ script_path = os.path.dirname(os.path.realpath(__file__))
 log_path = script_path+'/../logs'
 charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml'
 base_repo_path = script_path+'/..'
-base_helmfile = base_repo_path+'/helmfile_generic.yaml.gotmpl'
+base_helmfile = base_repo_path+'/helmfile_generic.yaml'
 helmfile_backup_extension = '.bak'
 
 Path(log_path).mkdir(parents=True, exist_ok=True)

docs/components.md

@@ -35,18 +35,20 @@ they need to be replaced in production deployments.
 | CryptPad                    | Weboffice                      | Functional |
 | dkimpy-milter               | DKIM milter for Postfix        | Eval       |
 | Element                     | Secure communications platform | Functional |
+| Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
 | MariaDB                     | Database                       | Eval       |
 | Memcached                   | Cache Database                 | Eval       |
 | MinIO                       | Object Storage                 | Eval       |
 | Nextcloud                   | File share                     | Functional |
-| Nubus (UMS)                 | Identity Management & Portal   | Functional |
 | OpenProject                 | Project management             | Functional |
 | OX Appsuite                 | Groupware                      | Functional |
 | OX Dovecot                  | Mail backend (IMAP)            | Functional |
+| Provisioning (OX Connector) | Groupware provisioning         | Functional |
 | Postfix                     | MTA                            | Eval       |
 | PostgreSQL                  | Database                       | Eval       |
 | Redis                       | Cache Database                 | Eval       |
+| Univention Management Stack | Identity Management & Portal   | Functional |
 | XWiki                       | Knowledge Management           | Functional |
 
 # Component integration
@@ -73,9 +75,9 @@ Most details can be found in the upstream documentation that is linked in the re
 
 ## Intercom Service / Silent Login
 
-The Intercom Service is deployed in context of Nubus/UMS. Its role is to enable cross-application integration
-based on the user's browser interaction as handling authentication when the frontend of an application has to call
-the API from another application is often a challenge.
+The Intercom Service's role is to enable cross-application integration based on the user's browser interaction as handling
+authentication when the frontend of an application has to call the API from another application is often a
+challenge.
 
 To establish a session with the Intercom Service an application can use the silent login feature within an iframe.
 

docs/debugging.md

@@ -36,9 +36,6 @@ component's log level to debug and it get some features like:
 - An ingress for `http://minio-console.<your_domain>` is configured.
 and set the log level for components to "Debug".
 
-**Note**: When enabling debug and running upgrades you must manually delete all jobs before the upgrade. As with debug
-we keep the jobs and some job fields are immutable it could otherwise lead into an upgrade failure.
-
 **Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
 
 # Adding containers to a pod for debugging purposes
@@ -156,7 +153,7 @@ OpenProject is a Ruby on Rails application. Therefore you can make use of the Ra
 and run debug code like this:
 
 ```
-uri = URI('https://nextcloud.url/apps/integration_openproject/check-config')
+uri = URI('https://nextcloud.url/index.php/apps/integration_openproject/check-config')
 Net::HTTP.start(uri.host, uri.port,
   :use_ssl => uri.scheme == 'https') do |http|
   request = Net::HTTP::Get.new uri

docs/getting-started.md

@@ -109,6 +109,7 @@ All available apps and their default value can be found in `helmfile/environment
 | CryptPad             | `cryptpad.enabled`          | `true`  | Weboffice                      |
 | Dovecot              | `dovecot.enabled`           | `true`  | Mail backend                   |
 | Element              | `element.enabled`           | `true`  | Secure communications platform |
+| Intercom Service     | `intercom.enabled`          | `true`  | Cross service data exchange    |
 | Jitsi                | `jitsi.enabled`             | `true`  | Videoconferencing              |
 | MariaDB              | `mariadb.enabled`           | `true`  | Database                       |
 | Memcached            | `memcached.enabled`         | `true`  | Cache Database                 |
@@ -117,6 +118,7 @@ All available apps and their default value can be found in `helmfile/environment
 | Nubus                | `nubus.enabled`             | `true`  | Identity Management & Portal   |
 | OpenProject          | `openproject.enabled`       | `true`  | Project management             |
 | OX Appsuite          | `oxAppsuite.enabled`        | `true`  | Groupware                      |
+| Provisioning         | `oxConnector.enabled`       | `true`  | Backend provisioning           |
 | Postfix              | `postfix.enabled`           | `true`  | MTA                            |
 | PostgreSQL           | `postgresql.enabled`        | `true`  | Database                       |
 | Redis                | `redis.enabled`             | `true`  | Cache Database                 |

docs/migrations.md

@@ -9,12 +9,10 @@ SPDX-License-Identifier: Apache-2.0
 * [Releases upgrades](#releases-upgrades)
   * [From v0.9.0](#from-v090)
     * [Changed openDesk defaults](#changed-opendesk-defaults)
-      * [Removal of unnecessary OX-Profiles in Nubus](#removal-of-unnecessary-ox-profiles-in-nubus)
       * [MatrixID localpart update](#matrixid-localpart-update)
       * [File-share configurability](#file-share-configurability)
       * [Updated default subdomains in `global.hosts`](#updated-default-subdomains-in-globalhosts)
       * [Updated `global.imagePullSecrets`](#updated-globalimagepullsecrets)
-      * [Dedicated group for access of the UDM REST API](#dedicated-group-for-access-of-the-udm-rest-api)
     * [Automated migrations](#automated-migrations)
       * [Local Postfix as Relay](#local-postfix-as-relay)
       * [Updated IAM component Nubus](#updated-iam-component-nubus)
@@ -42,33 +40,6 @@ Though we try to ease the pain when it comes to 0.x upgrades. That is what this
 
 ### Changed openDesk defaults
 
-
-#### Removal of unnecessary OX-Profiles in Nubus
-
-**Warning: If you do not address this section with your current deployment the upgrade will fail.**
-
-The update will remove unnecessary OX-Profiles in Nubus, but can't as long as these profiles are in use.
-
-So please ensure that only the following two supported profiles are assigned to your users:
-- `opendesk_standard`: "opendesk Standard"
-- `none`: "Login disabled"
-
-You can review and update other accounts as follows:
-- Login as IAM admin.
-- Open the user module.
-- Open the extended search by clicking the funnel (Trichter) icon next to the search input field.
-- Open the "Property" (Eigenschaft) list and select "OX Access" (OX-Berechtigung).
-- In the input field right next to the list enter an asterisk (*).
-- Start the search by clicking once more on the funnel icon.
-- Sort the result list for the "OX Access" column
-- Edit every user that has a value different to `opendesk_standard` or `none`:
-  - Open the user.
-  - Go to section "OX App Suite".
-  - Change the value in the dropdown "OX Access" to either:
-    - "openDesk Standard" if the user should be able to use the Groupware module or
-    - "Login disabled" if the user should not user the Groupware module.
-    - Update the user account with the green "SAVE" button on top of the page.
-
 #### MatrixID localpart update
 
 Until 0.9.0 openDesk used the LDAP entryUUID of a user to generate the user's MatrixID. Due to restrictions of the
@@ -164,21 +135,6 @@ global:
     xwiki: "wiki"
 ```
 
-In case you would like to use the updated hostnames you at least have to apply some manual changes. But do this at
-your own risk. Be also aware that some of your user's bookmarks and links will stop working.
-
-- Update the affected portal tiles:
-  - All tiles in the "Files" category.
-  - The "Projects" tile in the "Management" category.
-- There are two options to change the link for the portal tiles:
-  - Use an admin account to access the portal's edit mode (on the bottom of the sidebar portal's menu).
-  - Utilize the UDM REST API to update the portal tile objects.
-- Update the hostnames for the OpenProject-Nextcloud integration using a functional admin user for both components:
-  - In OpenProject: *Administration* > *Files* > *External file storages* > Select `Nextcloud at [your_domain]`
-    Edit *Details* - *General Information* - *Storage provider* and update the *hostname* to `files.<your_domain>`.
-  - In Nextcloud: *Administration* > *OpenProject* > *OpenProject server* update the *OpenProject host* to
-    to `projects.<your_domain>`.
-
 #### Updated `global.imagePullSecrets`
 
 Without using a custom registry, you can pull all the openDesk images without authentication.
@@ -192,25 +148,6 @@ global:
     - "external-registry"
 ```
 
-#### Dedicated group for access of the UDM REST API
-
-Prerequisite: You allow the use of the [IAM's API](https://docs.software-univention.de/developer-reference/5.0/en/udm/rest-api.html)
-with the following settings:
-
-```
-functional:
-  externalServices:
-    nubus:
-      udmRestApi:
-        enabled: true
-```
-
-With 0.9.0 all members of the group "Domain Admins" were able to successfully authenticate with the API.
-
-This has been changed and there is now a dedicated group required for using the API: `IAM API - Full Access`
-
-If you need specific accounts to make use of the API, please go ahead and assign them to the aforementioned group.
-
 ### Automated migrations
 
 #### Local Postfix as Relay

docs/requirements.md

@@ -24,7 +24,7 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
 - Domain and DNS Service
 - Ingress controller (Ingress NGINX)
 - [Helm](https://helm.sh/) >= v3.9.0
-- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v1.0.0-rc.5**
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)

docs/security-context.md

@@ -158,6 +158,7 @@ This list gives you an overview of templated security settings and if they compl
 | **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes |
 | **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
+| **intercom-service**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
 | **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
 | **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
@@ -182,7 +183,7 @@ This list gives you an overview of templated security settings and if they compl
 | **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
+| **provisioning**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
 | **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
 | **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
@@ -195,7 +196,6 @@ This list gives you an overview of templated security settings and if they compl
 | **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
 | **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **univention-management-stack**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums/keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums/keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |

docs/workflow.md

@@ -355,7 +355,7 @@ Commit messages must adhere to the [Conventional Commit standard](https://www.co
   │       │              |
   │       │              └─> Issue reference (optional)
   │       │
-  │       └─> Commit Scope: helmfile, docs, collabora, nextcloud, open-xhcange etc.
+  │       └─> Commit Scope: helmfile, docs, collabora, intercom-service, ...
   │
   └─> Commit Type: chore, ci, docs, feat, fix
 ```

helmfile/apps/collabora/helmfile-child.yaml.gotmpl

@@ -18,7 +18,6 @@ releases:
     version: "{{ .Values.charts.collabora.version }}"
     values:
       - "values.yaml.gotmpl"
-      - {{ .Values.customization.release.collaboraOnline | default "additionalValues: false" }}
     installed: {{ .Values.collabora.enabled }}
 
 commonLabels:

helmfile/apps/collabora/values.yaml.gotmpl

@@ -8,13 +8,7 @@ autoscaling:
   enabled: false
 
 collabora:
-  extra_params: >
-    --o:ssl.enable=false
-    --o:ssl.termination=true
-    --o:fetch_update_check=0
-    --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/richdocuments/settings/fonts.json
-    --o:net.proto={{ if eq .Values.cluster.networking.ipFamilies "DualStack" }}all{{ else }}{{ .Values.cluster.networking.ipFamilies }}{{ end }}
-
+  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0 --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/richdocuments/settings/fonts.json"
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:
@@ -124,9 +118,17 @@ securityContext:
       - "ALL"
     add:
       - "CHOWN"
+      - "DAC_OVERRIDE"
       - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
       - "SYS_CHROOT"
-
+      - "MKNOD"
   seLinuxOptions:
     {{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}
 serviceAccount:

helmfile/apps/cryptpad/helmfile-child.yaml.gotmpl

@@ -18,7 +18,6 @@ releases:
     version: "{{ .Values.charts.cryptpad.version }}"
     values:
       - "values.yaml.gotmpl"
-      - {{ .Values.customization.release.cryptpad | default "additionalValues: false" }}
     installed: {{ .Values.cryptpad.enabled }}
 
 commonLabels:

helmfile/apps/element/helmfile-child.yaml.gotmpl

@@ -32,7 +32,6 @@ repositories:
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
     url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
-
   - name: "synapse-create-account-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.synapseCreateAccount.verify }}
@@ -79,13 +78,13 @@ repositories:
     oci: true
     url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
 
+
 releases:
   - name: "opendesk-element"
     chart: "element-repo/{{ .Values.charts.element.name }}"
     version: "{{ .Values.charts.element.version }}"
     values:
       - "values-element.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskElement | default "additionalValues: false" }}
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -94,7 +93,6 @@ releases:
     version: "{{ .Values.charts.elementWellKnown.version }}"
     values:
       - "values-well-known.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskWellKnown | default "additionalValues: false" }}
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -103,7 +101,6 @@ releases:
     version: "{{ .Values.charts.synapseWeb.version }}"
     values:
       - "values-synapse-web.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskSynapseWeb | default "additionalValues: false" }}
     installed: {{ .Values.element.enabled }}
     timeout: 900
 
@@ -112,7 +109,6 @@ releases:
     version: "{{ .Values.charts.synapse.version }}"
     values:
       - "values-synapse.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskSynapse | default "additionalValues: false" }}
     installed: {{ .Values.element.enabled }}
     timeout: 900
 

helmfile/apps/element/values-element.yaml.gotmpl

@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 configuration:
   endToEndEncryption: true
   additionalConfiguration:
-    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=opendesk-matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
 
     "net.nordeck.element_web.module.opendesk":
       config:

helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl

@@ -1,6 +1,6 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---

helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl

@@ -1,6 +1,6 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl

@@ -1,6 +1,6 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---

helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl

@@ -1,6 +1,6 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
@@ -14,7 +14,7 @@ global:
 configuration:
   bot:
     username: "meetings-bot"
-    display name: "Terminplaner Bot"
+    displayname: "Terminplaner Bot"
   openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
   strings:
     breakoutSessionWidgetName: "Breakoutsessions"
@@ -61,7 +61,7 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-liveness sample:
+livenessProbe:
   enabled: true
 
 persistence:

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -1,6 +1,6 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -1,6 +1,6 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---

helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl

@@ -1,6 +1,6 @@
 {{/*
-SPDX-FileCopyrightText: 2024 Center for Digital Sovereignty of Public Administration (ZenDiS) GmbH
-SPDX-FileCopyrightText: 2023 Federal Ministry of the Interior and Community, PG ZenDiS "Project group for the development of ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -14,8 +14,8 @@ configuration:
         - "m.space.parent"
         - "net.nordeck.meetings.metadata"
         - "m.room.power_levels"
-    # To allow intercom service logins for the users and also allow proper testautomation we want to raise the
-    # ratelimit in a reasonable manner.
+    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
     # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
     rc_login:
       account:

helmfile/apps/intercom-service/helmfile-child.yaml.gotmpl

@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # Intercom Service
+  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
+  - name: "intercom-service-repo"
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.intercomService.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+
+releases:
+  - name: "intercom-service"
+    chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
+    version: "{{ .Values.charts.intercomService.version }}"
+    values:
+      - "values.yaml.gotmpl"
+    installed: {{ .Values.intercom.enabled }}
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "intercom-service"
+...

helmfile/apps/intercom-service/helmfile.yaml.gotmpl

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml.gotmpl"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/intercom-service/values.yaml.gotmpl

@@ -31,7 +31,6 @@ ics:
   secret: {{ .Values.secrets.intercom.secret | quote }}
   issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   originRegex: "{{ .Values.global.domain }}"
-  userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"entryuuid"{{ else }}"phoenixusername"{{ end }}
   keycloak:
     realm: {{ .Values.platform.realm | quote }}
   default:
@@ -80,40 +79,6 @@ podSecurityContext:
   fsGroup: 1000
   fsGroupChangePolicy: "Always"
 
-provisioning:
-  enabled: true
-  config:
-    nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
-    keycloak:
-      url: "http://ums-keycloak:8080/realms/{{ .Values.platform.realm }}/"
-      username: "kcadmin"
-      realm: {{ .Values.platform.realm | quote }}
-      connection:
-        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "http://ums-keycloak:8080"
-      credentialSecret:
-        name: "ums-opendesk-keycloak-credentials"
-        key: "admin_password"
-    ics_client:
-      clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
-      credentialSecret:
-        key: "ics_secret"
-  image:
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.nubusWaitForDependency.repository | quote }}
-    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}
-  provisioningImage:
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
-    repository: {{ .Values.images.nubusKeycloakBootstrap.repository | quote }}
-    tag: {{ .Values.images.nubusKeycloakBootstrap.tag | quote }}
-  securityContext:
-    seccompProfile:
-      type: "RuntimeDefault"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.intercom | toYaml | nindent 6 }}
-
 replicaCount: {{ .Values.replicas.intercomService }}
 
 resources:

helmfile/apps/jitsi/helmfile-child.yaml.gotmpl

@@ -18,7 +18,6 @@ releases:
     version: "{{ .Values.charts.jitsi.version }}"
     values:
       - "values-jitsi.yaml.gotmpl"
-      - {{ .Values.customization.release.jitsi | default "additionalValues: false" }}
     installed: {{ .Values.jitsi.enabled }}
     timeout: 900
 

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -52,7 +52,6 @@ jitsi:
     image:
       repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jitsi.registry }}/{{ .Values.images.jitsi.repository }}"
       tag: {{ .Values.images.jitsi.tag | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     ingress:
       enabled: {{ .Values.ingress.enabled }}
       ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
@@ -64,8 +63,6 @@ jitsi:
         - secretName: {{ .Values.ingress.tls.secretName | quote }}
           hosts:
             - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
-    extraConfigJs:
-      doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
     extraEnvs:
       TURN_ENABLE: "1"
     resources:
@@ -86,7 +83,6 @@ jitsi:
     image:
       repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
       tag: {{ .Values.images.prosody.tag | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . | quote }}
@@ -136,7 +132,6 @@ jitsi:
     image:
       repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jicofo.registry }}/{{ .Values.images.jicofo.repository }}"
       tag: {{ .Values.images.jicofo.tag | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     xmpp:
       password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
       componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
@@ -159,7 +154,6 @@ jitsi:
     image:
       repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jvb.registry }}/{{ .Values.images.jvb.repository }}"
       tag: {{ .Values.images.jvb.tag | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     xmpp:
       password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
     resources:
@@ -183,7 +177,6 @@ jitsi:
     image:
       repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jibri.registry }}/{{ .Values.images.jibri.repository }}"
       tag: {{ .Values.images.jibri.tag | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     recorder:
       password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
     xmpp:

helmfile/apps/migrations-post/helmfile-child.yaml.gotmpl

@@ -21,7 +21,6 @@ releases:
     values:
       - "values.yaml.gotmpl"
       - "../../shared/migrations.yaml.gotmpl"
-      - {{ .Values.customization.release.migrationsPost | default "additionalValues: false" }}
     installed: {{ .Values.migrations.enabled }}
     timeout: 900
 

helmfile/apps/migrations-pre/helmfile-child.yaml.gotmpl

@@ -21,7 +21,6 @@ releases:
     values:
       - "values.yaml.gotmpl"
       - "../../shared/migrations.yaml.gotmpl"
-      - {{ .Values.customization.release.migrationsPre | default "additionalValues: false" }}
     installed: {{ .Values.migrations.enabled }}
     timeout: 900
 

helmfile/apps/nextcloud/helmfile-child.yaml.gotmpl

@@ -25,7 +25,6 @@ releases:
     version: "{{ .Values.charts.nextcloudManagement.version }}"
     values:
       - "values-nextcloud-mgmt.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskNextcloudManagement | default "additionalValues: false" }}
     waitForJobs: true
     wait: true
     installed: {{ .Values.nextcloud.enabled }}
@@ -35,7 +34,6 @@ releases:
     version: "{{ .Values.charts.nextcloud.version }}"
     values:
       - "values-nextcloud.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskNextcloud | default "additionalValues: false" }}
     needs:
       - "opendesk-nextcloud-management"
     installed: {{ .Values.nextcloud.enabled }}

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -18,10 +18,8 @@ cleanup:
 
 configuration:
   administrator:
-    username:
-      value: "nextcloud"
-    password:
-      value: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+    username: "nextcloud"
+    password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
   antivirus:
     {{- if .Values.clamavDistributed.enabled }}
     host: "clamav-icap"
@@ -50,8 +48,7 @@ configuration:
         value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
   ldap:
     host: {{ .Values.ldap.host | quote }}
-    password:
-      value: {{ .Values.secrets.nubus.ldapSearch.nextcloud | quote }}
+    password: {{ .Values.secrets.nubus.ldapSearch.nextcloud | quote }}
     adminGroupName: "managed-by-attribute-FileshareAdmin"
   objectstore:
     auth:
@@ -117,30 +114,28 @@ containerSecurityContext:
       - "ALL"
   enabled: true
   privileged: false
-  runAsUser: 101
-  runAsGroup: 101
+  runAsUser: 65532
+  runAsGroup: 65532
   seccompProfile:
     type: "RuntimeDefault"
   readOnlyRootFilesystem: false
   runAsNonRoot: true
   seLinuxOptions:
     {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
-podSecurityContext:
-  fsGroup: 101
 
 debug:
   loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
 
 image:
-  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
-  repository: {{ .Values.images.nextcloud.repository | quote }}
+  registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudManagement.registry | quote }}
+  repository: {{ .Values.images.nextcloudManagement.repository | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.nextcloud.tag | quote }}
+  tag: {{ .Values.images.nextcloudManagement.tag | quote }}
 
 theme:
   {{ .Values.theme | toYaml | nindent 2 }}
 
 resources:
-  {{ .Values.resources.nextcloud | toYaml | nindent 4 }}
+  {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
 
 ...

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -46,9 +46,9 @@ exporter:
   resources:
     {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
 
-aio:
+php:
   additionalAnnotations:
-    intents.otterize.com/service-name: "opendesk-nextcloud"
+    intents.otterize.com/service-name: "opendesk-nextcloud-php"
   configuration:
     cache:
       auth:
@@ -75,23 +75,57 @@ aio:
         - "ALL"
     enabled: true
     privileged: false
-    runAsUser: 101
-    runAsGroup: 101
+    runAsUser: 65532
+    runAsGroup: 65532
     seccompProfile:
       type: "RuntimeDefault"
     readOnlyRootFilesystem: true
     runAsNonRoot: true
     seLinuxOptions:
-      {{ .Values.seLinuxOptions.nextcloud | toYaml | nindent 6 }}
+      {{ .Values.seLinuxOptions.nextcloudPHP | toYaml | nindent 6 }}
   cron:
     successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
   debug:
     loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
   image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloud.registry | quote }}
-    repository: "{{ .Values.images.nextcloud.repository }}"
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudPHP.registry | quote }}
+    repository: "{{ .Values.images.nextcloudPHP.repository }}"
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.nextcloud.tag | quote }}
+    tag: {{ .Values.images.nextcloudPHP.tag | quote }}
+  podAnnotations: {}
+  prometheus:
+    serviceMonitor:
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
+      labels:
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+    prometheusRule:
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
+      additionalLabels:
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+  replicaCount: {{ .Values.replicas.nextcloudPHP }}
+  resources:
+    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
+
+apache2:
+  configuration:
+    php:
+      host: "opendesk-nextcloud-php.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
+    trustedProxies: {{ join " " .Values.cluster.networking.cidr | quote }}
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    privileged: false
+    runAsUser: 65532
+    runAsGroup: 65532
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seLinuxOptions:
+      {{ .Values.seLinuxOptions.nextcloudApache2 | toYaml | nindent 6 }}
   ingress:
     enabled: {{ .Values.ingress.enabled }}
     annotations:
@@ -105,20 +139,14 @@ aio:
     host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
     tls:
       secretName: {{ .Values.ingress.tls.secretName | quote }}
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nextcloudApache2.registry | quote }}
+    repository: {{ .Values.images.nextcloudApache2.repository | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.nextcloudApache2.tag | quote }}
   podAnnotations: {}
-  podSecurityContext:
-    fsGroup: 101
-  prometheus:
-    serviceMonitor:
-      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
-      labels:
-        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
-    prometheusRule:
-      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
-      additionalLabels:
-        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
-  replicaCount: {{ .Values.replicas.nextcloud }}
+  replicaCount: {{ .Values.replicas.nextcloudApache2 }}
   resources:
-    {{ .Values.resources.nextcloud | toYaml | nindent 4 }}
+    {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
 
 ...

helmfile/apps/nubus/helmfile-child.yaml.gotmpl

@@ -11,16 +11,7 @@ repositories:
     oci: true
     url:
       "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/{{ .Values.charts.nubus.repository }}"
-  # Intercom Service
-  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
-  - name: "intercom-service-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.intercomService.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
-  # openDesk Keycloak Bootstrap Chart
+  # OpenDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
@@ -38,25 +29,14 @@ releases:
       - "values-nubus.yaml.gotmpl"
       - "values-opendesk-customization.yaml.gotmpl"
       - "values-opendesk-images.yaml.gotmpl"
-      - {{ .Values.customization.release.ums | default "additionalValues: false" }}
     installed: {{ .Values.nubus.enabled }}
     timeout: 900
-  # Intercom-Service
-  - name: "intercom-service"
-    chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
-    version: "{{ .Values.charts.intercomService.version }}"
-    values:
-      - "values-intercom-service.yaml.gotmpl"
-      - {{ .Values.customization.release.intercomService | default "additionalValues: false" }}
-    installed: {{ .Values.nubus.enabled }}
-
-  # openDesk Keycloak Bootstrap Chart
+  # OpenDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap"
     chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
     version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
     values:
       - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskKeycloakBootstrap | default "additionalValues: false" }}
     needs:
       - "ums"
     installed: {{ .Values.nubus.enabled }}

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -9,9 +9,6 @@ global:
     baseDn: {{ .Values.ldap.baseDn | quote }}
     domainName: {{ .Values.global.domain | quote }}
   domain: {{ .Values.global.domain | quote }}
-  subDomains:
-    portal: {{ .Values.global.hosts.nubus | quote }}
-    keycloak: {{ .Values.global.hosts.keycloak | quote }}
   ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
   certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
   nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
@@ -29,30 +26,6 @@ global:
     defaultUsers:
       defaultAdminPassword: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote}}
       defaultUserPassword: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote}}
-      defaultAdministratorPassword: {{ .Values.secrets.nubus.systemAccounts.administratorPassword | quote}}
-    portalConsumer:
-      minio:
-        accessKey: {{ .Values.objectstores.nubus.username | quote }}
-        secretKey: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-      provisioningApi:
-        password: {{ .Values.secrets.nubus.portalConsumer.provisioningApiPassword | quote}}
-    provisioning:
-      api:
-        adminPassword: {{ .Values.secrets.nubus.provisioning.api.adminPassword | quote}}
-        natsPassword: {{ .Values.secrets.nubus.provisioning.api.natsPassword | quote}}
-        prefillPassword: {{ .Values.secrets.nubus.provisioning.api.prefillPassword | quote}}
-        udmTransformerPassword: {{ .Values.secrets.nubus.provisioning.api.udmTransformerPassword | quote}}
-      dispatcher:
-        natsPassword: {{ .Values.secrets.nubus.provisioning.dispatcherNatsPassword | quote}}
-      nats:
-        adminPassword: {{ .Values.secrets.nats.natsAdminPassword | quote}}
-      prefill:
-        natsPassword: {{ .Values.secrets.nubus.provisioning.prefillNatsPassword | quote}}
-      udmTransformer:
-        natsPassword: {{ .Values.secrets.nubus.provisioning.udmTransformerNatsPassword | quote}}
-    selfserviceConsumer:
-      provisioningApi:
-        password: {{ .Values.secrets.nubus.selfserviceConsumer.provisioningApiPassword | quote}}
 
   # -- Extensions to load. Add entries to load additional extensions into Nubus.
   extensions:
@@ -79,69 +52,6 @@ global:
         repository: {{ .Values.images.nubusPortalExtension.repository }}
         tag: {{ .Values.images.nubusPortalExtension.tag }}
         imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-  configUcr:
-    directory:
-      manager:
-        rest:
-          authorized-groups:
-            domain-admins: __DELETE_KEY__
-            iam-api-full-access: "cn=IAM API - Full Access,cn=groups,{{ .Values.ldap.baseDn }}"
-        web:
-          modules:
-            users:
-              user:
-                add:
-                  default: "cn=openDesk User,cn=templates,cn=univention,{{ .Values.ldap.baseDn }}"
-                properties:
-                  description:
-                    syntax: "TextArea"
-                  firstname:
-                    required: "true"
-                  mailPrimaryAddress:
-                    required: "true"
-                  username:
-                    syntax: "uid"
-                search:
-                  autosearch: "True"
-                wizard:
-                  property:
-                    invite:
-                      default: "True"
-                    overridePWLength:
-                      default: "False"
-                      visible: "False"
-                    pwdChangeNextLogin:
-                      default: "True"
-                      visible: "False"
-            wizard:
-              disabled: "No"
-
-    ucs:
-      web:
-        theme: "light"
-
-    umc:
-      cookie-banner:
-        show: "false"
-      login:
-        password-complexity-message:
-          de: "Das Passwort muss den folgenden Anforderungen entsprechen:<br><ul><li>Mindestlänge: 8 Zeichen</li></ul>Anmerkung: Wird befinden uns nicht in einer Produktivumgebung."
-          en: "Password must comply with the following rules:<br><ul><li>Minimum length: 8 characters</li></ul>Note: We are in a non production (dev/test/demo) system."
-      module:
-        udm:
-          oxmail:
-            oxcontext:
-              disabled: "True"
-          portals:
-            all:
-              disabled: "True"
-      self-service:
-        account-registration:
-          usertemplate: __DELETE_KEY__
-        passwordreset:
-          token_validity_period: 172800
-          blacklist:
-            groups: __DELETE_KEY__
 
 ingress:
   certManager:
@@ -184,13 +94,7 @@ nubusGuardian:
   provisioning:
     enabled: false
     config:
-      nubusBaseUrl: {{ printf "https://%s.%s" .Values.global.hosts.nubus .Values.global.domain }}
       keycloak:
-        realm: {{ .Values.platform.realm | quote }}
-        username: "kcadmin"
-        connection:
-          host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-          baseUrl: "http://ums-keycloak:8080"
         credentialSecret:
           name: "ums-opendesk-keycloak-credentials"
           key: "admin_password"
@@ -233,8 +137,6 @@ nubusNotificationsApi:
 
 nubusPortalFrontend:
   ingress:
-    certManager:
-      enabled: false
     tls:
       enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName }}
@@ -296,18 +198,21 @@ nubusKeycloakExtensions:
       newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
       mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
 
-nubusPortalListener:
-  enabled: false
+nubusPortalFrontend:
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
 
-nubusPortalConsumer:
-  enabled: true
-  portalConsumer:
-    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+nubusPortalListener:
+  portalListener:
     objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
     objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
-  provisioningApi:
-    auth:
-      username: "portal-consumer"
+    objectStorageCredentialSecret:
+      name: "ums-portal-listener-minio-opendesk-credentials"
+      accessKeyKey: "access-key-id"
+      secretKeyKey: "secret-key-id"
 
 nubusPortalServer:
   portalServer:
@@ -335,17 +240,15 @@ nubusUdmRestApi:
       enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
 
+# NOTE: disabled until the next update.
 nubusProvisioning:
-  enabled: true
-
-nubusUdmListener:
-  enabled: true
-
-nubusSelfServiceListener:
   enabled: false
-
-nubusSelfServiceConsumer:
+nubusUdmListener:
+  enabled: false
+nubusSelfServiceListener:
   enabled: true
+  selfserviceListener:
+    umcAdminUser: "default.admin"
 
 # Nubus services
 nubusStackDataUms:
@@ -359,16 +262,8 @@ nubusStackDataUms:
     umcMemcachedUsername: ""
     externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     umcHtmlTitle: "openDesk Portal"
-    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
-    smtpPort: 25
-    smtpUser: ""
-    smtpStartTls: false
-    ldapBase: {{ .Values.ldap.baseDn }}
+    installUmcPolicies: true
   templateContext:
-    # creates the default.user and default.admin
-    loadDevData: true
-    portalHeaderLogo: {{ toYaml .Values.theme.imagery.logoHeaderSvgB64 | quote }}
-    portalTiles: {{ toYaml .Values.theme.portalTiles | nindent 6 }}
     portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
     portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
     portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
@@ -384,7 +279,6 @@ nubusStackDataUms:
         password: {{ $password | quote }}
         lastname: "LDAP-Search-User"
       {{- end }}
-    ldapSystemUsers: []
     portaltileGroupUserStandard:
       - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
       - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
@@ -406,22 +300,47 @@ nubusStackDataUms:
       - 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
     portaltileGroupLiveCollaboration:
       - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
-    portaltileGroupVideoconference:
-      - 'cn=managed-by-attribute-Videoconference,cn=groups,{{ .Values.ldap.baseDn }}'
-    systemInformation:
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
-      {{- if .Values.functional.admin.portal.deploymentTimestamp.enabled }}
-      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
-      {{- else }}
-      deployDate: false
-      {{- end }}
-  # In openDesk the external memcache does not expect a username to be set. Overwriting
-  # the default username of `selfservice` is part of the customizing:
+
   nubusUmcServer:
     memcached:
       auth:
         username: ""
 
+# TODO: Remove values when upstreaming fixes
+nubusStackDataSwp:
+  additionalAnnotations:
+    argocd.argoproj.io/hook: "Sync"
+    argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
+  stackDataSwp:
+    systemInformation:
+    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
+      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
+    {{- end }}
+      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+  stackDataContext:
+    ldapSearchUsers:
+      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
+      - username: {{ printf "ldapsearch_%s" $username | quote }}
+        password: {{ $password | quote }}
+        lastname: "LDAP-Search-User"
+      {{- end }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpPort: 25
+    smtpUser: ""
+    smtpStartTls: false
+    ldapBase: {{ .Values.ldap.baseDn }}
+    # FIXME: Should be templated correctly in the future
+    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
+    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
+    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
+    portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
+    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
+    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
+    portalTitleDE: "openDesk Portal"
+    portalTitleEN: "openDesk Portal"
+    oxDefaultContext: "1"
+
 nubusUmcServer:
   postgresql:
     bundled: false
@@ -522,6 +441,10 @@ extraSecrets:
     stringData:
       access-key-id: {{ .Values.objectstores.nubus.username | quote }}
       secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  - name: "ums-portal-listener-minio-opendesk-credentials"
+    stringData:
+      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
+      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
   - name: "ums-umc-server-smtp-credentials-custom"
     stringData:
       password: ""

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -5,126 +5,37 @@ SPDX-License-Identifier: Apache-2.0
 ---
 keycloak:
   enabled: true
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: false
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   podAnnotations:
     intents.otterize.com/service-name: "ums-keycloak"
   replicaCount: {{ .Values.replicas.keycloak }}
   resources:
     {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
 
-nubusGuardian:
+guardian:
   authorizationApi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-guardian-authorization-api"
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
     replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
     resources:
       {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
   managementApi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-guardian-management-api"
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
     replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
     resources:
       {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
   managementUi:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-guardian-management-ui"
     replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
     resources:
-      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
+      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}#
   openPolicyAgent:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    podSecurityContext:
-      fsGroup: 1000
-      fsGroupChangePolicy: "Always"
     podAnnotations:
       intents.otterize.com/service-name: "ums-ums-open-policy-agent"
     replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
     resources:
       {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - ALL
-      privileged: false
-      readOnlyRootFilesystem: true
-      runAsGroup: 1000
-      runAsNonRoot: true
-      runAsUser: 1000
-      seccompProfile:
-        type: RuntimeDefault
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
   provisioning:
     # Using openDesk keycloak provisioning
     enabled: false
@@ -132,24 +43,9 @@ nubusGuardian:
 nubusNotificationsApi:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-notifications-api"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   serviceAccount:
-    create: true
+    annotations:
+      intended.usage: "compliance"
   replicaCount: {{ .Values.replicas.umsNotificationsApi }}
   resources:
     {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
@@ -157,67 +53,7 @@ nubusNotificationsApi:
 nubusUmcServer:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-umc-server"
-  containerSecurityContext:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  containerSecurityContextInit:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  containerSecurityContextSssd:
-    enabled: true
-    allowPrivilegeEscalation: true
-    capabilities:
-      drop:
-        - "ALL"
-      add:
-        - "DAC_OVERRIDE"
-        - "SETGID"
-        - "AUDIT_WRITE"
-        - "SETUID"
-        - "CHOWN"
-        - "SETPCAP"
-        - "FOWNER"
-        - "FSETID"
-        - "KILL"
-        - "MKNOD"
-        - "NET_BIND_SERVICE"
-        - "SYS_CHROOT"
-    runAsUser: 0
-    runAsGroup: 0
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: false
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  proxy:
-    replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
   replicaCount: {{ .Values.replicas.umsUmcServer }}
-
   resources:
     {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
   selfService:
@@ -239,118 +75,39 @@ nubusUmcServer:
 
 nubusKeycloakExtensions:
   handler:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
     resources:
       {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
   proxy:
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
     replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
     podAnnotations:
       intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
     resources:
       {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
 
-nubusPortalConsumer:
-  portalConsumer:
-    image:
-      pullSecrets:
-        {{- range .Values.global.imagePullSecrets }}
-        - name: {{ . | quote }}
-        {{- end }}
+nubusPortalListener:
   podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-consumer"
-  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
+    intents.otterize.com/service-name: "ums-portal-listener"
+  replicaCount: {{ .Values.replicas.umsPortalListener }}
   resources:
-    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
-  resourcesWaitForDependency:
-    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
+    {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
   persistence:
     storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
-  securityContext:
-    seccompProfile:
-      type: "RuntimeDefault"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
-
-nubusUdmListener:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 102
-    runAsGroup: 65534
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsUdmListener }}
-  resources:
-    {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
+    size: {{ .Values.persistence.size.nubus.portalListener | quote }}
 
 nubusPortalServer:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-portal-server"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   serviceAccount:
-    create: true
+    annotations:
+      intended.usage: "compliance"
   replicaCount: {{ .Values.replicas.umsPortalServer }}
   resources:
     {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
 
 nubusLdapNotifier:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 101
-    runAsGroup: 102
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   podAnnotations:
     intents.otterize.com/service-name: "ums-ldap-notifier"
   replicaCount: {{ .Values.replicas.umsLdapNotifier }}
@@ -358,8 +115,6 @@ nubusLdapNotifier:
     {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
 
 nubusLdapServer:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   highAvailabilityMode: false
   replicaCountPrimary: 1
   replicaCountSecondary: 0 # {{ .Values.replicas.umsLdapServerSecondary }}
@@ -367,86 +122,20 @@ nubusLdapServer:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-ldap-server"
   serviceAccount:
-    create: true
+    annotations:
+      intended.usage: "compliance"
   initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
   resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
   persistence:
     storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
     size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
-  extraVolumes:
-    - name: "migration-scripts"
-      secret:
-        secretName: "ums-ldap-server-migration"
-        defaultMode: 0555
-  extraVolumeMounts:
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/30-purge.sh"
-      subPath: "30-purge.sh"
-    - name: "migration-scripts"
-      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
-      subPath: "95-slapadd-24-ldif.sh"
-  extraSecrets:
-    - name: "ums-ldap-server-migration"
-      stringData:
-        30-purge.sh: |
-          #!/usr/bin/env bash
-          me=$(basename "$0")
-          echo "- Running ${me}"
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- Cleaning up /var/lib/univention-ldap."
-            cd /var/lib/univention-ldap
-            rm -rf internal
-            rm -rf ldap
-            ls -l
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
-        95-slapadd-24-ldif.sh: |
-          #!/usr/bin/env bash
-          me=$(basename "$0")
-          echo "- Running ${me}"
-          ls -l /var/lib/univention-ldap
-          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
-            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
-            ls -l /var/lib/univention-ldap/
-            rm -rf /var/lib/univention-ldap/ldap
-            rm -rf /var/lib/univention-ldap/internal
-            echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
-            ls -l /var/lib/univention-ldap/
-            mkdir /var/lib/univention-ldap/ldap
-            mkdir /var/lib/univention-ldap/internal
-            echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
-            ls -l /var/lib/univention-ldap/
-            /usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
-            echo "- slapadd executed"
-            ls -l /var/lib/univention-ldap/
-            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
-            echo "- import file renamed"
-            ls -l /var/lib/univention-ldap/
-          else
-            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
-          fi
+
 nubusPortalFrontend:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-portal-frontend"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   serviceAccount:
-    create: true
+    annotations:
+      intended.usage: "compliance"
   replicaCount: {{ .Values.replicas.umsPortalFrontend }}
   resources:
     {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
@@ -458,69 +147,27 @@ nubusPortalFrontend:
       backgroundImage: {{ .Values.theme.imagery.logoPortalBackgroundSvgB64 | toJson }}
 
 nubusStackDataUms:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
-  pullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-stack-data-ums"
   resources:
     {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
 
-nubusSelfServiceConsumer:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+nubusStackDataSwp:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-stack-data-swp"
+  resources:
+    {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}
+
+nubusSelfServiceListener:
   podAnnotations:
     intents.otterize.com/service-name: "ums-selfservice-listener"
   resources:
-    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
-  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
+    {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
+  replicaCount: {{ .Values.replicas.umsSelfserviceListener }}
 
 nubusUdmRestApi:
   additionalAnnotations:
     intents.otterize.com/service-name: "ums-udm-rest-api"
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   serviceAccount:
     annotations:
       intended.usage: "compliance"
@@ -531,43 +178,11 @@ nubusUdmRestApi:
   replicaCount: {{ .Values.replicas.umsUdmRestApi }}
 
 nubusUmcGateway:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   replicaCount: {{ .Values.replicas.umsUmcGateway }}
   resources:
     {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
 
 nubusKeycloakBootstrap:
-  containerSecurityContext:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    readOnlyRootFilesystem: false
-    runAsGroup: 1000
-    runAsNonRoot: true
-    runAsUser: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
   podAnnotations:
     intents.otterize.com/service-name: "ums-keycloak-bootstrap"
   serviceAccount:
@@ -577,81 +192,39 @@ nubusKeycloakBootstrap:
     {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
 
 nubusProvisioning:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  replicaCount:
-    dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
-    udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
-    prefill: {{ .Values.replicas.umsProvisioningPrefill }}
-    api: {{ .Values.replicas.umsProvisioningApi }}
-
   serviceAccount:
-    create: true
+    annotations:
+      intended.usage: "compliance"
   nats:
-    config:
-      cluster:
-        replicas: {{ .Values.replicas.umsProvisioningNats }}
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-          - "ALL"
-      enabled: true
-      runAsUser: 1000
-      runAsGroup: 1000
-      seccompProfile:
-        type: "RuntimeDefault"
-      readOnlyRootFilesystem: true
-      runAsNonRoot: true
-      seLinuxOptions:
-        {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
-    imagePullSecrets:
-      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
-    persistence:
-      size: {{ .Values.persistence.size.nubus.provisioningNats }}
     resources:
-      {{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
+      {{ .Values.resources.nubusProvisioning.nats | toYaml | nindent 6 }}
     additionalAnnotations:
       intents.otterize.com/service-name: "ums-provisioning-nats"
     serviceAccount:
-      create: true
+      annotations:
+        intended.usage: "compliance"
   api:
     resources:
-      {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
+      {{ .Values.resources.nubusProvisioning.api | toYaml | nindent 6 }}
     additionalAnnotations:
       intents.otterize.com/service-name: "ums-provisioning-api"
   dispatcher:
     resources:
-      {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
+      {{ .Values.resources.nubusProvisioning.dispatcher | toYaml | nindent 6 }}
     additionalAnnotations:
       intents.otterize.com/service-name: "ums-provisioning-dispatcher"
   prefill:
     resources:
-      {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
+      {{ .Values.resources.nubusProvisioning.prefill | toYaml | nindent 6 }}
     additionalAnnotations:
       intents.otterize.com/service-name: "ums-provisioning-prefill"
   registerConsumers:
+    resources:
+      {{ .Values.resources.nubusProvisioning.registerConsumers | toYaml | nindent 6 }}
     additionalAnnotations:
       intents.otterize.com/service-name: "ums-provisioning-register-consumers"
   udmTransformer:
     resources:
-      {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
+      {{ .Values.resources.nubusProvisioning.udmTransformer | toYaml | nindent 6 }}
     additionalAnnotations:
       intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
-  resources:
-    registerConsumers:
-      {{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}

helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl

@@ -3,22 +3,17 @@ SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlic
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-global:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
 keycloak:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
     repository: {{ .Values.images.nubusKeycloak.repository }}
     tag: {{ .Values.images.nubusKeycloak.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusKeycloakBootstrap:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
     repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
     tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusKeycloakExtensions:
     handler:
@@ -26,21 +21,18 @@ nubusKeycloakExtensions:
         registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
         repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
         tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
     proxy:
       image:
         registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
         repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
         tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusLdapNotifier:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
     repository: {{ .Values.images.nubusLdapNotifier.repository }}
     tag: {{ .Values.images.nubusLdapNotifier.tag }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusLdapServer:
   ldapServer:
@@ -48,33 +40,17 @@ nubusLdapServer:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
       repository: {{ .Values.images.nubusLdapServer.repository }}
       tag: {{ .Values.images.nubusLdapServer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   dhInitcontainer:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
       repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
       tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   waitForDependency:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
-nubusNotificationsApi:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
-    repository: {{ .Values.images.nubusNotificationsApi.repository }}
-    tag: {{ .Values.images.nubusNotificationsApi.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-nubusPortalFrontend:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
-    repository: {{ .Values.images.nubusPortalFrontend.repository }}
-    tag: {{ .Values.images.nubusPortalFrontend.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusPortalConsumer:
   portalConsumer:
@@ -82,20 +58,36 @@ nubusPortalConsumer:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
       repository: {{ .Values.images.nubusPortalConsumer.repository }}
       tag: {{ .Values.images.nubusPortalConsumer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+
+nubusNotificationsApi:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
+    repository: {{ .Values.images.nubusNotificationsApi.repository }}
+    tag: {{ .Values.images.nubusNotificationsApi.tag }}
+
+nubusPortalFrontend:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
+    repository: {{ .Values.images.nubusPortalFrontend.repository }}
+    tag: {{ .Values.images.nubusPortalFrontend.tag }}
+
+nubusPortalListener:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalListener.registry | quote }}
+    repository: {{ .Values.images.nubusPortalListener.repository }}
+    tag: {{ .Values.images.nubusPortalListener.tag }}
   waitForDependency:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusPortalServer:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
     repository: {{ .Values.images.nubusPortalServer.repository }}
     tag: {{ .Values.images.nubusPortalServer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusProvisioning:
   api:
@@ -103,84 +95,77 @@ nubusProvisioning:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
       tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   dispatcher:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
       tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   udmTransformer:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
       tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   prefill:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
       repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
       tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   registerConsumers:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   nats:
     nats:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
-        repository: {{ .Values.images.nubusNats.repository }}
-        tag: {{ .Values.images.nubusNats.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        image:
+            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
+            repository: {{ .Values.images.nubusNats.repository }}
+            tag: {{ .Values.images.nubusNats.tag }}
     reloader:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
-        repository: {{ .Values.images.nubusNatsReloader.repository }}
-        tag: {{ .Values.images.nubusNatsReloader.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        image:
+            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
+            repository: {{ .Values.images.nubusNatsReloader.repository }}
+            tag: {{ .Values.images.nubusNatsReloader.tag }}
     natsBox:
-      image:
-        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
-        repository: {{ .Values.images.nubusNatsBox.repository }}
-        tag: {{ .Values.images.nubusNatsBox.tag }}
-        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        image:
+            registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
+            repository: {{ .Values.images.nubusNatsBox.repository }}
+            tag: {{ .Values.images.nubusNatsBox.tag }}
 
 nubusProvisioningEventsAndConsumerApi:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
     repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
     tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusProvisioningPrefill:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
     repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
     tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusUdmListener:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
     repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
     tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
-nubusSelfServiceConsumer:
-  image:
-    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
-    repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
-    tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+nubusSelfServiceListener:
+  selfserviceListener:
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceListener.registry | quote }}
+      repository: {{ .Values.images.nubusSelfserviceListener.repository }}
+      tag: {{ .Values.images.nubusSelfserviceListener.tag }}
+  selfserviceInvitation:
+    image:
+      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfserviceInvitation.registry | quote }}
+      repository: {{ .Values.images.nubusSelfserviceInvitation.repository }}
+      tag: {{ .Values.images.nubusSelfserviceInvitation.tag }}
   waitForDependency:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusUdmRestApi:
   udmRestApi:
@@ -188,36 +173,24 @@ nubusUdmRestApi:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
       repository: {{ .Values.images.nubusUdmRestApi.repository }}
       tag: {{ .Values.images.nubusUdmRestApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusUmcGateway:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
     repository: {{ .Values.images.nubusUmcGateway.repository }}
     tag: {{ .Values.images.nubusUmcGateway.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusUmcServer:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
     repository: {{ .Values.images.nubusUmcServer.repository }}
     tag: {{ .Values.images.nubusUmcServer.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  proxy:
-    image:
-      registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
-      repository: {{ .Values.images.nubusUmcServerProxy.repository }}
-      tag: {{ .Values.images.nubusUmcServerProxy.tag }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusWaitForDependency:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
     repository: {{ .Values.images.nubusWaitForDependency.repository }}
     tag: {{ .Values.images.nubusWaitForDependency.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 
 nubusGuardian:
@@ -226,35 +199,35 @@ nubusGuardian:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
       repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
       tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   authorizationApi:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
       repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
       tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   managementApi:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
       repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
       tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   managementUi:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
       repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
       tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   openPolicyAgent:
     image:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
       repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
       tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
-      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 nubusStackDataUms:
   image:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
     repository: {{ .Values.images.nubusDataLoader.repository }}
     tag: {{ .Values.images.nubusDataLoader.tag }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+nubusStackDataSwp:
+  image:
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
+    repository: {{ .Values.images.nubusDataLoader.repository }}
+    tag: {{ .Values.images.nubusDataLoader.tag }}

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -29,7 +29,7 @@ config:
   managed:
     clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
     # 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
-    clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
+    clients: [ 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
   keycloak:
     adminUser: "kcadmin"
     adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -389,6 +389,60 @@ config:
           backchannel.logout.session.required: false
         defaultClientScopes:
           - "opendesk-dovecot-scope"
+      - name: "opendesk-intercom"
+        clientId: "opendesk-intercom"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.revoke.offline.tokens: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
+        protocolMappers:
+          - name: "intercom-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "opendesk-intercom"
+              id.token.claim: false
+              access.token.claim: true
+          # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
+          # it to `opendesk_useruuid` standard claim. For reference:
+          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
+          - name: "entryuuid_temp"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "entryuuid"
+              jsonType.label: "String"
+          # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
+          # set it to `opendesk_username` standard claim. For reference:
+          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
+          - name: "phoenixusername_temp"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "phoenixusername"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "offline_access"
       - name: "opendesk-jitsi"
         clientId: "opendesk-jitsi"
         protocol: "openid-connect"
@@ -454,7 +508,7 @@ config:
         authorizationServicesEnabled: false
         attributes:
           backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/opendesk"
+          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-nextcloud-scope"
@@ -517,6 +571,296 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-xwiki-scope"
+      - name: "guardian-management-api"
+        clientId: "guardian-management-api"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        protocol: "openid-connect"
+        publicClient: false
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
+        fullScopeAllowed: true
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: false
+        serviceAccountsEnabled: true
+        protocolMappers:
+          - name: "Client Host"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "clientHost"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "clientHost"
+              jsonType.label: "String"
+          - name: "Client ID"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "client_id"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "client_id"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              userinfo.token.claim: false
+              id.token.claim: false
+              access.token.claim: true
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian-cli"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: false
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "Client IP Address"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            consentRequired: false
+            config:
+              user.session.note: "clientAddress"
+              userinfo.token.claim: true
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "clientAddress"
+              jsonType.label: "String"
+      - name: "guardian-scripts"
+        clientId: "guardian-scripts"
+        description: ""
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        surrogateAuthRequired: false
+        enabled: true
+        alwaysDisplayInConsole: false
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
+        webOrigins:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        bearerOnly: false
+        consentRequired: false
+        standardFlowEnabled: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: true
+        serviceAccountsEnabled: false
+        publicClient: true
+        frontchannelLogout: false
+        protocol: "openid-connect"
+        fullScopeAllowed: true
+        protocolMappers:
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: false
+              access.token.claim: true
+              userinfo.token.claim: false
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian-scripts"
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              aggregate.attrs: false
+              multivalued: false
+              userinfo.token.claim: false
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "web-origins"
+          - "acr"
+          - "roles"
+          - "profile"
+          - "email"
+        optionalClientScopes:
+          - "address"
+          - "phone"
+          - "offline_access"
+          - "microprofile-jwt"
+      - name: "guardian-ui"
+        clientId: "guardian-ui"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
+        standardFlowEnabled: true
+        publicClient: true
+        implicitFlowEnabled: false
+        directAccessGrantsEnabled: false
+        serviceAccountsEnabled: false
+        protocol: "openid-connect"
+        fullScopeAllowed: true
+        protocolMappers:
+          - name: "uid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "uid"
+              jsonType.label: "String"
+          - name: "username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "username"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "preferred_username"
+              jsonType.label: "String"
+          - name: "dn"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: "false"
+              user.attribute: "LDAP_ENTRY_DN"
+              id.token.claim: false
+              access.token.claim: true
+              claim.name: "dn"
+              jsonType.label: "String"
+          - name: "audiencemap"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-property-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "guardian-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "guardian"
+              id.token.claim: false
+              access.token.claim: true
+              userinfo.token.claim: false
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
@@ -534,10 +878,6 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.opendeskKeycloakBootstrap | toYaml | nindent 4 }}
 
-additionalAnnotations:
-    argocd.argoproj.io/hook: "Sync"
-    argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
-
 podAnnotations:
   intents.otterize.com/service-name: "ums-keycloak-bootstrap"
 

helmfile/apps/open-xchange/helmfile-child.yaml.gotmpl

@@ -32,20 +32,12 @@ repositories:
     oci: true
     url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/{{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
 
-  # OX Connector
-  - name: "ox-connector-repo"
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
-
 releases:
   - name: "dovecot"
     chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
     version: "{{ .Values.charts.dovecot.version }}"
     values:
       - "values-dovecot.yaml.gotmpl"
-      - {{ .Values.customization.release.dovecot | default "additionalValues: false" }}
     installed: {{ .Values.dovecot.enabled }}
     timeout: 900
 
@@ -55,7 +47,6 @@ releases:
     values:
       - "values-openxchange.yaml.gotmpl"
       - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
-      - {{ .Values.customization.release.openXchange | default "additionalValues: false" }}
     installed: {{ .Values.oxAppsuite.enabled }}
     timeout: 900
 
@@ -64,20 +55,9 @@ releases:
     version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
     values:
       - "values-openxchange-bootstrap.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskOpenXchangeBootstrap | default "additionalValues: false" }}
     installed: {{ .Values.oxAppsuite.enabled }}
     timeout: 900
 
-  - name: "ox-connector"
-    chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
-    version: "{{ .Values.charts.oxConnector.version }}"
-    values:
-      - "values-oxconnector.yaml.gotmpl"
-      - {{ .Values.customization.release.oxConnector | default "additionalValues: false" }}
-    installed: {{ .Values.oxAppsuite.enabled }}
-    needs:
-      - "open-xchange"
-
 commonLabels:
   deploy-stage: "component-1"
   component: "open-xchange"

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -8,17 +8,16 @@ image:
   registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.dovecot.registry | quote }}
   repository: {{ .Values.images.dovecot.repository | quote }}
   tag: {{ .Values.images.dovecot.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 imagePullSecrets:
-  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
 
 dovecot:
   mailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   password: {{ .Values.secrets.dovecot.doveadm | quote }}
-  migration:
-    enabled: {{ .Values.functional.migration.oxAppsuite.enabled }}
-    masterPassword: {{ .Values.secrets.oxAppsuite.migrationsMasterPassword | quote }}
   ldap:
     enabled: true
     host: {{ .Values.ldap.host | quote }}

helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl

@@ -8,20 +8,6 @@ cleanup:
   deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
   deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  runAsUser: 1000
-  runAsGroup: 1000
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.openxchangeBootstrap | toYaml | nindent 4 }}
-
 image:
   registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openxchangeBootstrap.registry | quote }}
   url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
@@ -29,9 +15,11 @@ image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 imagePullSecrets:
-  {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
 
-additionalAnnotations:
+podAnnotations:
   argocd.argoproj.io/hook: "Sync"
   argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
 ...

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -23,7 +23,6 @@ nextcloud-integration-ui:
     registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
     repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
     tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . | quote }}
@@ -47,8 +46,6 @@ nextcloud-integration-ui:
       type: "RuntimeDefault"
     seLinuxOptions:
       {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI | toYaml | nindent 6 }}
-  serviceAccount:
-    create: false
 
 public-sector-ui:
   image:
@@ -80,8 +77,6 @@ public-sector-ui:
       type: "RuntimeDefault"
     seLinuxOptions:
       {{ .Values.seLinuxOptions.openxchangePublicSectorUI | toYaml | nindent 6 }}
-  serviceAccount:
-    create: false
 
 appsuite:
   appsuite-toolkit:
@@ -165,8 +160,6 @@ appsuite:
           type: "RuntimeDefault"
         seLinuxOptions:
           {{ .Values.seLinuxOptions.openxchangeGotenberg | toYaml | nindent 10 }}
-      serviceAccount:
-        create: false
     hooks:
       beforeAppsuiteStart:
         create-guard-dir.sh: |
@@ -174,17 +167,9 @@ appsuite:
           chown open-xchange:open-xchange /opt/open-xchange/guard-files
     packages:
       status:
-        {{- if .Values.functional.migration.oxAppsuite.enabled }}
-        open-xchange-authentication-masterpassword: "enabled"
-        open-xchange-authentication-ldap: "disabled"
-        open-xchange-authentication-oauth: "disabled"
-        open-xchange-oidc: "disabled"
-        {{- else }}
         open-xchange-oidc: "enabled"
         open-xchange-authentication-database: "disabled"
         open-xchange-authentication-oauth: "enabled"
-        open-xchange-authentication-ldap: "disabled"
-        {{- end }}
     properties:
       com.openexchange.UIWebPath: "/appsuite/"
       com.openexchange.showAdmin: "false"
@@ -235,9 +220,6 @@ appsuite:
       com.openexchange.mail.transport.authType: "xoauth2"
       com.openexchange.mail.transportServer: "postfix"
       com.openexchange.mail.transportServerSource: "global"
-      # Requirements for OX-Connector
-      com.openexchange.user.enforceUniqueDisplayName: "false"
-      com.openexchange.folderstorage.database.preferDisplayName: "false"
       # Mailfilter
       com.openexchange.mail.filter.loginType: "global"
       com.openexchange.mail.filter.credentialSource: "mail"
@@ -265,7 +247,7 @@ appsuite:
       com.openexchange.mail.secondary.authType: "XOAUTH2"
       com.openexchange.mail.transport.secondary.authType: "xoauth2"
       # Nextcloud integration
-      com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-aio/"
+      com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-apache2/"
       com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
       com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
       # Element integration
@@ -293,8 +275,6 @@ appsuite:
       com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
       com.openexchange.conference.element.authToken: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
     propertiesFiles:
-      /opt/open-xchange/etc/masterpassword-authentication.properties:
-        com.openexchange.authentication.masterpassword.password: {{ .Values.secrets.oxAppsuite.migrationsMasterPassword | quote }}
       /opt/open-xchange/etc/AdminDaemon.properties:
         MASTER_ACCOUNT_OVERRIDE: "true"
       /opt/open-xchange/etc/AdminUser.properties:
@@ -418,8 +398,6 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeCoreUI | toYaml | nindent 8 }}
-    serviceAccount:
-      create: false
 
   core-ui-middleware:
     enabled: true
@@ -459,9 +437,6 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware | toYaml | nindent 8 }}
-    serviceAccount:
-      create: false
-
   core-cacheservice:
     enabled: false
 
@@ -479,7 +454,6 @@ appsuite:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeDocumentConverter.registry | quote }}
       repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     podAnnotations: {}
     redis: *redisConfiguration
     replicaCount: {{ .Values.replicas.openxchangeCoreDocumentConverter }}
@@ -501,8 +475,6 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeDocumentConverter | toYaml | nindent 8 }}
-    serviceAccount:
-      create: false
 
   core-documents-collaboration:
     enabled: false
@@ -548,8 +520,6 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours | toYaml | nindent 8 }}
-    serviceAccount:
-      create: false
 
   core-imageconverter:
     enabled: true
@@ -561,7 +531,6 @@ appsuite:
       registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.openxchangeImageConverter.registry | quote }}
       repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     objectCache:
       s3ObjectStores:
         - id: -1
@@ -589,8 +558,6 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeImageConverter | toYaml | nindent 8 }}
-    serviceAccount:
-      create: false
 
   guard-ui:
     enabled: true
@@ -621,8 +588,6 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeGuardUI | toYaml | nindent 8 }}
-    serviceAccount:
-      create: false
   core-spellcheck:
     enabled: false
 
@@ -655,6 +620,4 @@ appsuite:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.openxchangeCoreUserGuide | toYaml | nindent 8 }}
-    serviceAccount:
-      create: false
 ...

helmfile/apps/openproject-bootstrap/helmfile-child.yaml.gotmpl

@@ -20,7 +20,6 @@ releases:
     waitForJobs: true
     values:
       - "values.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskOpenprojectBootstrap | default "additionalValues: false" }}
     installed: {{ .Values.openproject.enabled }}
     timeout: 900
 

helmfile/apps/openproject-bootstrap/values.yaml.gotmpl

@@ -16,8 +16,6 @@ cleanup:
   keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 config:
-  debug:
-    enabled: {{ .Values.debug.enabled }}
   openproject:
     fileshareName: "Nextcloud at {{ .Values.global.domain }}"
     admin:
@@ -53,6 +51,8 @@ image:
 job:
   enabled: true
 
+podAnnotations: {}
+
 podSecurityContext:
   enabled: true
   fsGroup: 1000

helmfile/apps/openproject/helmfile-child.yaml.gotmpl

@@ -20,9 +20,8 @@ releases:
     waitForJobs: true
     values:
       - "values.yaml.gotmpl"
-      - {{ .Values.customization.release.openproject | default "additionalValues: false" }}
     installed: {{ .Values.openproject.enabled }}
-    timeout: 1800
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/openproject/values.yaml.gotmpl

@@ -8,10 +8,6 @@ global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
-appInit:
-  resources:
-    {{ .Values.resources.openprojectAppInit | toYaml | nindent 4 }}
-
 containerSecurityContext:
   enabled: true
   privileged: false
@@ -28,15 +24,6 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.openproject | toYaml | nindent 4 }}
 
-dbInit:
-  image:
-    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openprojectDbInit.registry | quote }}
-    repository: {{ .Values.images.openprojectDbInit.repository | quote }}
-    tag: {{ .Values.images.openprojectDbInit.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  resources:
-    {{ .Values.resources.openprojectDbInit | toYaml | nindent 4 }}
-
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
@@ -94,6 +81,13 @@ image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.openproject.tag | quote }}
 
+initdb:
+  image:
+    registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.openprojectInitDb.registry | quote }}
+    repository: {{ .Values.images.openprojectInitDb.repository | quote }}
+    tag: {{ .Values.images.openprojectInitDb.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
 memcached:
   bundled: false
   connection:
@@ -188,14 +182,5 @@ s3:
 seederJob:
   annotations:
     intents.otterize.com/service-name: "openproject-seeder"
-    argocd.argoproj.io/hook: "Sync"
-    argocd.argoproj.io/hook-delete-policy: "HookSucceeded"
-  resources:
-    {{ .Values.resources.openprojectSeederJob | toYaml | nindent 4 }}
-
-workers:
-  default:
-    resources:
-      {{ .Values.resources.openprojectWorkers | toYaml | nindent 6 }}
 
 ...

helmfile/apps/provisioning/helmfile-child.yaml.gotmpl

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # OX Connector
+  - name: "ox-connector-repo"
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+
+releases:
+  - name: "ox-connector"
+    chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
+    version: "{{ .Values.charts.oxConnector.version }}"
+    values:
+      - "values-oxconnector.yaml.gotmpl"
+    installed: {{ .Values.oxConnector.enabled }}
+
+commonLabels:
+  deploy-stage: "component-2"
+  component: "provisioning"
+...

helmfile/apps/provisioning/helmfile.yaml.gotmpl

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml.gotmpl"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -10,16 +10,6 @@ image:
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.oxConnector.tag | quote }}
 
-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.nubusWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.nubusWaitForDependency.repository }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-    pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-    tag: {{ .Values.images.nubusWaitForDependency.tag | quote }}
-
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
   - name: {{ . | quote }}
@@ -29,8 +19,16 @@ ingress:
   enabled: false
 
 oxConnector:
+  caCert: "ucctempldapstring"
+  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   domainName: {{ .Values.global.domain | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  ldapHost: "{{ .Values.ldap.host }}-primary"
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  ldapPassword: {{ .Values.secrets.nubus.ldapSecret | quote }}
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  tlsMode: "off"
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
   oxDefaultContext: "1"
   oxImapServer: "imap://127.0.0.1:143"
   oxLocalTimezone: "Europe/Berlin"
@@ -40,13 +38,6 @@ oxConnector:
   oxSmtpServer: "smtp://127.0.0.1:587"
   oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
 
-provisioningApi:
-  connection:
-    baseUrl: "http://ums-provisioning-api"
-  auth:
-    username: "ox-connector"
-    password: {{ .Values.secrets.oxConnector.provisioningApiPassword | quote }}
-
 resources:
   {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
 
@@ -90,6 +81,7 @@ securityContext:
       - "SETUID"
       - "SETPCAP"
       - "NET_BIND_SERVICE"
+      - "NET_RAW"
       - "SYS_CHROOT"
   privileged: false
   seccompProfile:

helmfile/apps/services/helmfile-child.yaml.gotmpl

@@ -119,7 +119,6 @@ releases:
     version: "{{ .Values.charts.otterize.version }}"
     values:
       - "values-otterize.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskOtterize | default "additionalValues: false" }}
     installed: {{ .Values.security.otterizeIntents.enabled }}
     timeout: 900
 
@@ -128,7 +127,6 @@ releases:
     version: "{{ .Values.charts.home.version }}"
     values:
       - "values-home.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskHome | default "additionalValues: false" }}
     installed: {{ .Values.home.enabled }}
 
   - name: "opendesk-certificates"
@@ -136,7 +134,6 @@ releases:
     version: "{{ .Values.charts.certificates.version }}"
     values:
       - "values-certificates.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskCertificates | default "additionalValues: false" }}
     installed: {{ .Values.certificates.enabled }}
     timeout: 900
 
@@ -145,7 +142,6 @@ releases:
     version: "{{ .Values.charts.redis.version }}"
     values:
       - "values-redis.yaml.gotmpl"
-      - {{ .Values.customization.release.redis | default "additionalValues: false" }}
     installed: {{ .Values.redis.enabled }}
     timeout: 900
 
@@ -154,7 +150,6 @@ releases:
     version: "{{ .Values.charts.memcached.version }}"
     values:
       - "values-memcached.yaml.gotmpl"
-      - {{ .Values.customization.release.memcached | default "additionalValues: false" }}
     installed: {{ .Values.memcached.enabled }}
     timeout: 900
 
@@ -163,7 +158,6 @@ releases:
     version: "{{ .Values.charts.postgresql.version }}"
     values:
       - "values-postgresql.yaml.gotmpl"
-      - {{ .Values.customization.release.postgresql | default "additionalValues: false" }}
     installed: {{ .Values.postgresql.enabled }}
     timeout: 900
 
@@ -172,7 +166,6 @@ releases:
     version: "{{ .Values.charts.mariadb.version }}"
     values:
       - "values-mariadb.yaml.gotmpl"
-      - {{ .Values.customization.release.mariadb | default "additionalValues: false" }}
     installed: {{ .Values.mariadb.enabled }}
     timeout: 900
 
@@ -181,7 +174,6 @@ releases:
     version: "{{ .Values.charts.postfix.version }}"
     values:
       - "values-postfix.yaml.gotmpl"
-      - {{ .Values.customization.release.postfix | default "additionalValues: false" }}
     installed: {{ .Values.postfix.enabled }}
     timeout: 900
 
@@ -190,7 +182,6 @@ releases:
     version: "{{ .Values.charts.dkimpy.version }}"
     values:
       - "values-dkimpy.yaml.gotmpl"
-      - {{ .Values.customization.release.opendeskDkimpyMilter | default "additionalValues: false" }}
     installed: {{ .Values.dkimpy.enabled }}
     timeout: 900
 
@@ -199,7 +190,6 @@ releases:
     version: "{{ .Values.charts.clamav.version }}"
     values:
       - "values-clamav-distributed.yaml.gotmpl"
-      - {{ .Values.customization.release.clamav | default "additionalValues: false" }}
     installed: {{ .Values.clamavDistributed.enabled }}
     timeout: 900
 
@@ -208,7 +198,6 @@ releases:
     version: "{{ .Values.charts.clamavSimple.version }}"
     values:
       - "values-clamav-simple.yaml.gotmpl"
-      - {{ .Values.customization.release.clamavSimple | default "additionalValues: false" }}
     installed: {{ .Values.clamavSimple.enabled }}
     timeout: 900
 
@@ -217,7 +206,6 @@ releases:
     version: "{{ .Values.charts.minio.version }}"
     values:
       - "values-minio.yaml.gotmpl"
-      - {{ .Values.customization.release.minio | default "additionalValues: false" }}
     installed: {{ .Values.minio.enabled }}
     timeout: 900
 

helmfile/apps/services/values-certificates.yaml.gotmpl

@@ -23,7 +23,7 @@ global:
     synapseFederation: {{ .Values.global.hosts.synapseFederation }}
     whiteboard: {{ .Values.global.hosts.whiteboard }}
     {{- end }}
-    {{- if .Values.nubus.enabled }}
+    {{- if .Values.intercom.enabled }}
     intercomService: {{ .Values.global.hosts.intercomService }}
     {{- end }}
     {{- if .Values.jitsi.enabled }}

helmfile/apps/services/values-mariadb.yaml.gotmpl

@@ -73,9 +73,7 @@ persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.mariadb | quote }}
 
-podAnnotations:
-  argocd.argoproj.io/hook: "PostSync"
-  argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
+podAnnotations: {}
 
 podSecurityContext:
   enabled: true

helmfile/apps/services/values-otterize.yaml.gotmpl

@@ -16,6 +16,8 @@ apps:
     enabled: {{ .Values.dovecot.enabled }}
   element:
     enabled: {{ .Values.element.enabled }}
+  intercom:
+    enabled: {{ .Values.intercom.enabled }}
   jitsi:
     enabled: {{ .Values.jitsi.enabled }}
   mariadb:
@@ -30,6 +32,8 @@ apps:
     enabled: {{ .Values.openproject.enabled }}
   oxAppsuite:
     enabled: {{ .Values.oxAppsuite.enabled }}
+  oxConnector:
+    enabled: {{ .Values.oxConnector.enabled }}
   postfix:
     enabled: {{ .Values.postfix.enabled }}
   postgresql:
@@ -44,6 +48,7 @@ apps:
 ingressController:
   {{ .Values.security.ingressController | toYaml | nindent 2 }}
 
+
 extraApps:
   clusterPostfix:
     enabled: {{ .Values.security.clusterPostfix.enabled }}

helmfile/apps/services/values-postgresql.yaml.gotmpl

@@ -29,6 +29,9 @@ podSecurityContext:
   fsGroup: 1001
   fsGroupChangePolicy: "OnRootMismatch"
 
+postgres:
+  user: "postgres"
+
 replicaCount: {{ .Values.replicas.postgres }}
 
 global:
@@ -87,12 +90,9 @@ persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.postgresql | quote }}
 
-podAnnotations:
-  argocd.argoproj.io/hook: "PostSync"
-  argocd.argoproj.io/hook-delete-policy: "BeforeHookCreation"
+podAnnotations: {}
 
 postgres:
-  user: "postgres"
   password: {{ .Values.secrets.postgresql.postgresUser | quote }}
 
 resources:

helmfile/apps/xwiki/helmfile-child.yaml.gotmpl

@@ -19,9 +19,8 @@ releases:
     wait: true
     values:
       - "values.yaml.gotmpl"
-      - {{ .Values.customization.release.xwiki | default "additionalValues: false" }}
     installed: {{ .Values.xwiki.enabled }}
-    timeout: 1800
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -88,8 +88,6 @@ customConfigs:
     workplaceServices.base: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
     workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
     openoffice.serverType: "0"
-    openoffice.autoStart: "false"
-    openoffice.homePath: "/tmp"
     notifications.emails.live.graceTime: "5"
 
 ingress:
@@ -139,8 +137,6 @@ properties:
   "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
   "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
   "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
-  ## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
   ## SMTP settings
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
   "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}

helmfile/environments/default/charts.yaml

@@ -58,7 +58,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "cryptpad"
-    version: "0.0.20"
+    version: "0.0.19"
     verify: true
   dkimpy:
     # providerCategory: "Platform"
@@ -80,7 +80,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
-    version: "1.4.0"
+    version: "1.3.10"
     verify: true
   element:
     # providerCategory: "Platform"
@@ -90,7 +90,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "3.4.1"
+    version: "3.4.0"
     verify: true
   elementWellKnown:
     # providerCategory: "Platform"
@@ -100,7 +100,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "3.4.1"
+    version: "3.4.0"
     verify: true
   home:
     # providerCategory: "Platform"
@@ -122,7 +122,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "intercom-service"
-    version: "2.4.0"
+    version: "2.0.1"
     verify: true
   jitsi:
     # providerCategory: "Platform"
@@ -132,7 +132,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
-    version: "1.12.3"
+    version: "1.11.3"
     verify: true
   mariadb:
     # providerCategory: "Platform"
@@ -212,7 +212,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
     name: "opendesk-migrations"
-    version: "1.3.5"
+    version: "1.2.3"
     verify: true
   minio:
     # providerCategory: "Community"
@@ -232,7 +232,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "3.4.1"
+    version: "3.2.0"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -242,7 +242,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "3.4.1"
+    version: "3.2.0"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -264,7 +264,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "nubus"
-    version: "0.64.2"
+    version: "0.39.2"
     verify: true
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
@@ -274,7 +274,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "2.1.3"
+    version: "2.1.1"
     verify: true
   openproject:
     # providerCategory: "Supplier"
@@ -286,7 +286,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
-    version: "8.0.0"
+    version: "7.0.0"
     verify: true
   openprojectBootstrap:
     # providerCategory: "Platform"
@@ -296,7 +296,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
     name: "opendesk-openproject-bootstrap"
-    version: "2.1.1"
+    version: "2.0.0"
     verify: true
   openXchangeAppSuite:
     # providerCategory: "Supplier"
@@ -308,7 +308,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector"
-    version: "2.10.9"
+    version: "2.8.78"
     verify: false
   openXchangeAppSuiteBootstrap:
     # providerCategory: "Platform"
@@ -318,7 +318,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
     name: "opendesk-open-xchange-bootstrap"
-    version: "2.1.2"
+    version: "2.0.0"
     verify: true
   otterize:
     # providerCategory: "Platform"
@@ -340,7 +340,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ox-connector"
-    version: "0.14.5"
+    version: "0.4.2"
     verify: true
   postfix:
     # providerCategory: "Platform"
@@ -380,7 +380,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "3.4.1"
+    version: "3.4.0"
     verify: true
   synapseCreateAccount:
     # providerCategory: "Platform"
@@ -390,7 +390,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "3.4.1"
+    version: "3.4.0"
     verify: true
   synapseWeb:
     # providerCategory: "Platform"
@@ -400,7 +400,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "3.4.1"
+    version: "3.4.0"
     verify: true
   xwiki:
     # providerCategory: "Supplier"
@@ -412,6 +412,6 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "xwiki"
-    version: "1.4.0"
+    version: "1.3.1"
     verify: false
 ...

helmfile/environments/default/cluster.yaml

@@ -29,8 +29,6 @@ cluster:
     # The IP/DNS of your load-balancer will be fetched for some components from 'status' map of services.
     # Most providers use '.status.loadBalancer.ingress[0].ip' to store public ip. You can modify the chosen field here.
     loadBalancerStatusField: "ip"
-    # Network protocol options: "IPv4", "IPv6", "DualStack"
-    ipFamilies: "DualStack"
 
   container:
     # Used container engine in kubernetes cluster.

helmfile/environments/default/customization.yaml

@@ -1,57 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
----
-# This variable allows customization of helmfile releases by loading custom values file.
-# Example:
-# customization:
-#   release:
-#     collaboraOnline: /path/to/additional/file.yaml
-customization:
-  release:
-    # collabora
-    collaboraOnline: ~
-    # cryptpad
-    cryptpad: ~
-    # element
-    opendeskElement: ~
-    opendeskWellKnown: ~
-    opendeskSynapseWeb: ~
-    opendeskSynapse: ~
-    # jitsi
-    jitsi: ~
-    # migrations-post
-    migrationsPost: ~
-    # migrations-pre
-    migrationsPre: ~
-    # nextcloud
-    opendeskNextcloudManagement: ~
-    opendeskNextcloud: ~
-    # nubus
-    ums: ~
-    intercomService: ~
-    opendeskKeycloakBootstrap: ~
-    # open-xchange
-    dovecot: ~
-    openXchange: ~
-    opendeskOpenXchangeBootstrap: ~
-    oxConnector: ~
-    # openproject
-    openproject: ~
-    # openproject-bootstrap
-    opendeskOpenprojectBootstrap: ~
-    # services
-    opendeskOtterize: ~
-    opendeskHome: ~
-    opendeskCertificates: ~
-    redis: ~
-    memcached: ~
-    postgresql: ~
-    mariadb: ~
-    postfix: ~
-    opendeskDkimpyMilter: ~
-    clamav: ~
-    clamavSimple: ~
-    minio: ~
-    # xwiki
-    xwiki: ~
-...

helmfile/environments/default/functional.yaml

@@ -4,9 +4,8 @@
 functional:
   admin:
     portal:
-      deploymentTimestamp:
-        # Set to `false` to disable to not provide and update openDesk deployment timestamp for admins in the portal.
-        # This is helpful in GitOps deployments as with the timestamp there will always be a change detected.
+      deploymentInformation:
+        # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
         enabled: true
 
   authentication:
@@ -80,10 +79,6 @@ functional:
       # Enable to allow information about the user presence status to be shared.
       # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
       enabled: false
-    jitsiRoomHistory:
-      # Enable to allow the room history to be stored in the user's browser local storage.
-      # Ref.:
-      enabled: false
 
   chat:
     matrix:
@@ -98,11 +93,4 @@ functional:
         # If the LDAP entryUUID should be used for the localpart of user's MatrixIDs following setting must be `true`.
         useImmutableIdentifierForLocalpart: false
 
-  migration:
-    oxAppsuite:
-      # Note: Only available in openDesk Enterprise.
-      # Turn on temporary for migration purposes only. Will enable master password auth in OX AppSuite and Dovecot using
-      # `secrets.oxAppsuite.migrationsMasterPassword`.
-      enabled: false
-
 ...

helmfile/environments/default/images.yaml

@@ -48,12 +48,14 @@ images:
     tag: "2.3.21@sha256:c76965a84d1ca527f523404eb027119f6736b199c094e4671037cb345ecad3dc"
   element:
     # providerCategory: "Supplier"
-    # providerResponsible: "Nordeck"
+    # providerResponsible: "Element"
     # upstreamRegistry: "https://registry.opencode.de"
     # upstreamRepository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "8", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
-    tag: "1.11.2@sha256:faf57be74ff715e0f7c833a977f9f7b974ed3230d5d4e30733be7ed01b295a4c"
+    tag: "1.11.1@sha256:6ed72fccd302fc5891f31157bcffd14358e1f90f8b60d649fd261ba0f5d5fb91"
   freshclam:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -73,13 +75,13 @@ images:
   intercom:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/intercom-service"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["2", "1", "0"]
+    # upstreamRegistry: "https://quay.io"
+    # upstreamRepository: "univention/intercom-service"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "6"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.4.0@sha256:df743b7ea30077dc941815ccc60198820d67bbba94853fa7a6f939c0f36af335"
+    tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
   jibri:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -155,7 +157,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "4", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
-    tag: "1.20.0@sha256:e72bca018af1c0087587f6bcd1748c820ff520c8cf2a042b9b58354cdc878345"
+    tag: "1.19.1@sha256:ef2ed9bfcc3d276c2f12fd29d543c578dd024adb2901ce29b5a8aaf6ed7ff1f9"
   matrixNeoChoiceWidget:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -211,7 +213,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.3.18@sha256:d7f13322cc9cc7ab157f926280070850b0dfc6169c93a306ec4c3cf7c21eff69"
+    tag: "1.2.2@sha256:32afdd71c5b8003ed1609e389494ce10c715c5db64d4ed32a74d65b0f0227e64"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -228,14 +230,14 @@ images:
     registry: "registry-1.docker.io"
     repository: "bitnami/minio"
     tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
-  nextcloud:
+  nextcloudApache2:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
     registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud"
-    tag: "2.2.2@sha256:90f8e64ef9156c87dbd9befef99c6e3222f87daa393231d393d728c5b64506ee"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
+    tag: "1.2.2@sha256:c8d12747649ca4c686f75f6318f2b10e324260678214a04332a21e591ed80735"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -244,6 +246,22 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-exporter"
     tag: "1.0.1@sha256:63e63c7420e37d3989fa0ffdbcf18a07b2a603ab9b2a849c2e7e44342dd82af0"
+  nextcloudManagement:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
+    tag: "1.6.3@sha256:e048bccfb166bebf2ff97a3b7a473631c17893e544f549534a7e329abdaa772a"
+  nextcloudPHP:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
+    tag: "1.12.3@sha256:72e574b5862bb0bd6798754931bc9a5d1092d802c14cb69e40fa5f3b23ba9674"
   nubusDataLoader:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -253,7 +271,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "41", "5"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.73.0@sha256:9babbdd0879aed7da928bf5034bf5f311511a8d07c242d2b10d067cc5dc0fd41"
+    tag: "0.61.0@sha256:598e9fa176c71a6da90ab200ca52abd88176c8cb22a1bf56fec9cd0daf58f58f"
   nubusGuardianAuthorizationApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -293,7 +311,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    tag: "0.14.0@sha256:91613f123f7e46b321002d4b2b86c4635b79621376e513d4bea1bb1d01aa99f8"
+    tag: "0.11.0@sha256:c691aecaf2074a9f1cc6ec5277a70792642bd677f0ff58a6278041b2d99c9d51"
   nubusKeycloak:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -303,7 +321,7 @@ images:
     # upstreamMirrorStartFrom: ["22", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
-    tag: "25.0.1-ucs1@sha256:61cb3e703672f6d8806af41bec8056ca84e295bbeb546fdb5349322d1174a43d"
+    tag: "24.0.3-ucs1@sha256:cc66a1730abdd5abe88ac5cf045b6558f289bf1ae8d077ee884a42d785742f8b"
   nubusKeycloakBootstrap:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -313,7 +331,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "1", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.3.0@sha256:2911e8d5409f4e302b5c8c073cc6bf3f3622582e6eef43c63672ac4551712750"
+    tag: "0.1.2@sha256:ea462e3e40843215814bddae0668dc56102864d99127ad3c8d9816d741886ac0"
   nubusKeycloakExtensionHandler:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -323,7 +341,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.11.0@sha256:aaba6527f37a7302cf54b0a689a1c11cb439bdc471e01d101726a05902714b9c"
+    tag: "0.10.0@sha256:7aa5bac4821c9226fd74c6a2883f7c24d214b4610d516574866cf933ee1be080"
   nubusKeycloakExtensionProxy:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -333,7 +351,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "0", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.11.0@sha256:9b2079ed4078daee00d95ac2de4d72497131e699b967943db5be1c655048edb0"
+    tag: "0.10.0@sha256:a5f6ae65732f7fb9d7ceae11f1c412b109d230e197075d8a8e1d989c87a0309d"
   nubusLdapNotifier:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -343,7 +361,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.25.2@sha256:9e29c7fb5c609d7e597f27e0384c4f932e6962cdf64012154d7b7c076755d86c"
+    tag: "0.20.0@sha256:d891fe11075740ff0fe1694b2c5fb72c43ac6d823904af8593e0ab359b9175e0"
   nubusLdapServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -353,7 +371,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.25.2@sha256:2b9d53f93a93d0f3a659c81c0e44596da8941bd83c8e1f7301a24e46ca06dba2"
+    tag: "0.20.0@sha256:ad73addd9201378fd5c978ab6bfc64bbd23bb279fc065cade9cb2f8e48a9c85f"
   nubusLdapServerDhInitContainer:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -395,7 +413,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.42.2@sha256:ff744b2d5388bfc413a4d25108f37ba086d2a08cb14ceb02d17e93de003a1078"
+    tag: "0.33.0@sha256:0ddb81d4789b2f43b55ded46ff88db4b99a68e7b1006e35877f582aac875c9ad"
   nubusOpendeskExtension:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -403,7 +421,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.7.0@sha256:be8d1ec76e0d87a96fd08cf18fcec4afef2a5388567da866c482da6cf2c594ab"
+    tag: "1.2.1@sha256:479f072d8dd9fe445caa5fea4d882bf3aba24af0d22fc378a9839990c6f3a907"
   nubusOpenPolicyAgent:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -433,7 +451,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "27", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.42.2@sha256:5afee47e4d3d5f8bf51ffca66578a98318f49ee41e8f4b306cb75826b66a1804"
+    tag: "0.32.0@sha256:7f38a8db34bfe67c9ad0711c0a2c615e278b20a1a7b66b77bd28faa339eaf897"
   nubusPortalExtension:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -443,7 +461,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "28", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    tag: "0.38.0@sha256:aa6ec6b99810e05655d98fa1192bc2eabb855335f7a04aa4cd96ed5b5645d736"
+    tag: "0.28.0@sha256:1ec467bebc402265e1c24b3d441c211faad1a025ded41afe8dd4687b7ad5a9a4"
   nubusPortalFrontend:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -453,7 +471,17 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.42.2@sha256:0339694a2b1a657a77bef2a65c85270cfec9c08e965550695b18c2360440cb65"
+    tag: "0.33.0@sha256:9cce16009cc478ece11704521347fc4938a3ac5ee4570ac439dd50b08452a3ff"
+  nubusPortalListener:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/portal-listener"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "9", "4"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
+    tag: "0.24.2@sha256:98306b30c99e190ece6633921d9d54297634b0e4ca58ceaf0794c7050f0b8470"
   nubusPortalServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -463,7 +491,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.42.2@sha256:00b45c354c421ad6bc0ee046444cc0a2caf633787c770cad60e7c06c4307a248"
+    tag: "0.33.1@sha256:82e9002786a9d1ec524c0f386838ac4ee1fa9a581b66d2e353ea57cc01e26a95"
   nubusProvisioningDispatcher:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -473,7 +501,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.44.0@sha256:b7b9ee59c008bd8850bcfb6cb009ae47e6be43ed117116928374c721711b09ca"
+    tag: "0.36.0@sha256:34f03f48b4c9b470f9809b5fa6bfd6e96346e3f99ac0a2d7eaeac3cf9a4a633d"
   nubusProvisioningEventsAndConsumerApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -483,7 +511,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.44.0@sha256:b87218dcd2db7539b786ff479cde9620939274d4365721531dc6075b6fcc19ea"
+    tag: "0.36.0@sha256:69dd2946e7b05384304eeeca50dea645d20f7658d225e7c532381c3bdf2027ce"
   nubusProvisioningPrefill:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -493,7 +521,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.44.0@sha256:86201a277164ceb9a8df3fd4c7fc28b0185cadf7962a937d88d9feb576e77da2"
+    tag: "0.36.0@sha256:147406648848c068aacc2cb467633d51c65cddbcaa622c352e5fe5349bf92ce6"
   nubusProvisioningUdmListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -503,7 +531,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.44.0@sha256:03c8f03ca0fab92ecd3234d1f3fad3293629feae0123134641dad243f3ca328c"
+    tag: "0.36.0@sha256:8a960db9ff94b3c8a63be1588e47ccc1f62f3071abdce7ee2ef89afbe2674eed"
   nubusProvisioningUdmTransformer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -513,8 +541,8 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    tag: "0.44.0@sha256:1aca5eaa575ab0ee7b9fa128de30050b748a182b53b7bcdc6293b58187f5416a"
-  nubusSelfServiceConsumer:
+    tag: "0.36.0@sha256:8080b55e705391aa2ac9b11db11dc1f984b5626271b2f175bfe26967b857b06d"
+  nubusSelfserviceInvitation:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
     # upstreamRegistry: "https://artifacts.software-univention.de"
@@ -523,7 +551,17 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.11.3@sha256:cd51246ae9436426bd7ee12bc85466cafc18a43ba05ab3ede35dfcf3a012656f"
+    tag: "0.6.5@sha256:5630c9df3da4134789d2ebafad7de9062375d21547a2074827b680debd7a909e"
+  nubusSelfserviceListener:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/selfservice-listener"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "3", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
+    tag: "0.6.5@sha256:a9724fd41cb89a9bdf231ea8699126d2d3503dc894fe9510a1e080ab8408838d"
   nubusUdmRestApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -533,7 +571,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.25.1@sha256:0078b16ecf5539e6f3c7e6d5a7ddb57937d3d2d143754fbd6d439a3a8741abe8"
+    tag: "0.21.0@sha256:f3d189dd0ca619778c907569ddedbdf8772fba26f26cf9e6b8cde2a62618da63"
   nubusUmcGateway:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -543,7 +581,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.34.1@sha256:ab4ffccc182bae115dc8f264c051f1c23102b1416ac00709d95285218829ce39"
+    tag: "0.27.1@sha256:50991e4b8e13fd1b1a07228192eadd1b43d8a3502aba16f129ee5ba794720392"
   nubusUmcServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -553,15 +591,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.34.1@sha256:4addb518b7b622f0e82dbdde30bbb8d8da6cc197528268d2ad856635f3bbe64a"
-  nubusUmcServerProxy:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: "traefik"
-    registry: "registry-1.docker.io"
-    repository: "library/traefik"
-    tag: "3.0@sha256:a208c74fd80a566d4ea376053bff73d31616d7af3f1465a7747b8b89ee34d97e"
+    tag: "0.27.1@sha256:006680e0a7ffcec3119c85eb30eaa6bbf9b2df54a14dd3d41b6bb7ce71226557"
   nubusWaitForDependency:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -571,7 +601,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "9", "4"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.26.0@sha256:a31fde86bf21c597a31356fe492ab7e7a03a89282ca215eb7100763d6eb96b6b"
+    tag: "0.25.0@sha256:71a4d66fd67db6f92212b1936862b2b0d5a678d412213d74452a9195c2fe67f7"
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -589,7 +619,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "14.6.1@sha256:3c9828b1ab4dc91f2b3887f9bfddda8ba79b92a2f335dd2db2295d14a98deab0"
+    tag: "14.4.1@sha256:40a2ff3f3a75b9792f93da07e80a730941f783abc7ae3c1a988c7904cbc1f2a4"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -598,7 +628,7 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
     tag: "1.1.4@sha256:2fd97a316114428849aaeef87fb8755274e675830088a93afcafac91bb048d1d"
-  openprojectDbInit:
+  openprojectInitDb:
     # providerCategory: "Community"
     # providerResponsible: "OpenProject"
     # upstreamRegistry: "https://registry-1.docker.io"
@@ -623,7 +653,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "6", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.6@sha256:3082f3259a03025c03f6b9b77fafcd5b9e391ae5ac4a47b47d5f546d4f1534ee"
+    tag: "8.6.5@sha256:cbdea676267011d5c9ef7764fcd23ef432219b61c4f3949ef11ddfc4920873dd"
   openxchangeCoreMW:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -633,7 +663,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "51"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.28.50@sha256:38447bd607c497977a5ba9189d957eebe7f82f09fa329ebc38c0785c70b04558"
+    tag: "8.26.38@sha256:ff2dcf50a9d9a801357255f7244173fe9835715fd1852a28e3a8ebb7c0634293"
   openxchangeCoreUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -643,7 +673,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.28.1@sha256:be9cfb5a1d9389a151b057884857ddebba982cfde621e432c55a17c03fff28d0"
+    tag: "8.27.4@sha256:d5b99bfc12baaeb5cbfc332c260ecca5308b6b662fe8acc8cd07479c99a1d148"
   openxchangeCoreUIMiddleware:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -663,7 +693,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "799279"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.28.1107609@sha256:96a700ef71b4c723146ed0a274482422e09f5a9ccd035c351e192ea4de81eb9f"
+    tag: "8.27.1071402@sha256:764108a8dcb28467dadad1cfd98074a8e174209652de2f009d74fea51bb50d65"
   openxchangeDocumentConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -673,7 +703,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.28.49@sha256:0b45243cb2b6453b4073f4b80f205873fff49d8ed93f05c55971d728aa957e07"
+    tag: "8.27.54@sha256:79080b4b766901977532a18ef38af70234a99cf0bf53900c4df3902f24702eb7"
   openxchangeGotenberg:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -693,7 +723,7 @@ images:
     # upstreamMirrorStartFrom: ["4", "2", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.28.0@sha256:950dd4ec4633fb920502392e8e93d9f497eaf920ae4fe79629b53a835f129741"
+    tag: "8.27.0@sha256:89b81de90a6e7078371d8ea02ab4e1056c512ba515db113daf55b160533f7a73"
   openxchangeImageConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -703,7 +733,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.28.49@sha256:90d2f7defae974d115654986acb2035e38bb16a9daa9b2bf15078d48c0c24366"
+    tag: "8.27.55@sha256:f999c8205d83730a064aec13eb98762e1c7354f31f42e0add0136cf15be32dd0"
   openxchangeNextcloudIntegrationUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -733,7 +763,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "4", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-connector-standalone"
-    tag: "0.14.5@sha256:0b7816e3c8eca1949d3adc8c19d64394a862cbe478a3c51c6d18e546f02aea3d"
+    tag: "0.4.2@sha256:308489c0c0e0436bbbedbd757f78875d44468992c46c8d371c584dc778b30770"
   postfix:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -778,7 +808,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "91", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.115.0@sha256:abf4a5b5b2030f7deb555a8ec7b945607db9e98b057eb06364e66ba8308bdd40"
+    tag: "v1.108.0@sha256:0754a5c372f4cfb5f69f58ad4b70d05bc2e380354f1b0c9101611e9157082712"
   synapseCreateUser:
     # providerCategory: "Community"
     # providerResponsible: "Nordeck"
@@ -796,7 +826,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "0", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/synapse-guest-module"
-    tag: "2.0.0@sha256:0fb4ee93cf6fc58f3f3b2f7f8c95d5e6d259b9a5dc354bde516e441187819283"
+    tag: "1.0.0@sha256:6b3b17183a7d163148cc1bc5342604682ec67d898394fc743db2f339e61c722e"
   synapseWeb:
     # providerCategory: "Community"
     # providerResponsible: "Element"
@@ -822,5 +852,5 @@ images:
     # upstreamMirrorStartFrom: ["0", "12"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.22-mariadb-jetty-alpine@sha256:ba29f44befc558c4a4d969f103b216c13a55194dbc532adc43567bee4943d65f"
+    tag: "0.19-mariadb-jetty-alpine@sha256:8590ee815bceb7764df681b9239b4606adc5b3750e4eff2d928b62dcd046a623"
 ...

helmfile/environments/default/opendesk_main.gotmpl

@@ -31,6 +31,9 @@ element:
 home:
   enabled: true
   namespace: ~
+intercom:
+  enabled: true
+  namespace: ~
 jitsi:
   enabled: true
   namespace: ~
@@ -58,6 +61,9 @@ openproject:
 oxAppsuite:
   enabled: true
   namespace: ~
+oxConnector:
+  enabled: true
+  namespace: ~
 postfix:
   enabled: true
   namespace: ~

helmfile/environments/default/persistence.yaml

@@ -19,7 +19,7 @@ persistence:
     nubus:
       ldapServerData: "1Gi"
       ldapServerShared: "1Gi"
-      portalConsumer: "1Gi"
-      provisioningNats: "1Gi"
+      portalListener: "1Gi"
+      selfserviceListener: "1Gi"
     xwiki: "1Gi"
 ...

helmfile/environments/default/replicas.yaml

@@ -13,8 +13,7 @@ replicas:
   # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
   clamd: 1
   # -- scalable: true
-  # -- comment: clamav-distributed - You do not want to scale this service, as it just updates the signature files
-  # centrally an should be a singleton.
+  # -- comment: clamav-distributed - You do not want to scale this service, as it just updates the signature files centrally an should be a singleton.
   freshclam: 1
   # -- scalable: true
   # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
@@ -76,8 +75,6 @@ replicas:
   umsGuardianManagementUi: 1
   # -- scalable: tbd
   umsGuardianOpenPolicyAgent: 1
-  # -- scalable: tbd
-  umsKeycloak: 1
   # -- scalable: false
   # -- comment: Should not be scaled, is an async process.
   umsKeycloakExtensionsHandler: 1
@@ -96,32 +93,20 @@ replicas:
   umsNotificationsApi: 1
   # -- scalable: true
   umsPortalFrontend: 1
-  # -- scalable: false
-  umsPortalConsumer: 1
+  # -- scalable: tbd
+  umsPortalListener: 1
   # -- scalable: true
   umsPortalServer: 1
-  # -- scalable: tdb
-  umsProvisioningApi: 1
-  # -- scalable: false
-  umsProvisioningDispatcher: 1
-  # -- scalable: tdb
-  umsProvisioningNats: 1
-  # -- scalable: tdb
-  umsProvisioningPrefill: 1
-  # -- scalable: false
-  umsProvisioningUdmTransformer: 1
   # -- scalable: tbd
-  umsSelfserviceConsumer: 1
+  umsSelfserviceListener: 1
+  # -- scalable: tbd
+  umsStackGateway: 1
   # -- scalable: true
-  umsUdmListener: 1
-  # -- scalable: tbd
   umsUdmRestApi: 1
   # -- scalable: tbd
   umsUmcGateway: 1
   # -- scalable: tbd
   umsUmcServer: 1
-  # -- scalable: tbd
-  umsUmcServerProxy: 1
 
   # -- component: Video conference (Jitsi)
   # -- scalable: tbd
@@ -149,9 +134,11 @@ replicas:
 
   # -- component: Filestore (Nextcloud)
   # -- scalable: true
-  nextcloud: 1
+  nextcloudApache2: 1
   # -- scalable: true
   nextcloudExporter: 1
+  # -- scalable: true
+  nextcloudPHP: 1
 
   # -- component: Project management (OpenProject)
   # -- scalable: true

helmfile/environments/default/resources.yaml

@@ -204,13 +204,13 @@ resources:
     requests:
       cpu: 0.25
       memory: "256Mi"
-  nextcloud:
+  nextcloudApache2:
     limits:
       cpu: 99
-      memory: "1Gi"
+      memory: "256Mi"
     requests:
       cpu: 0.1
-      memory: "512Mi"
+      memory: "128Mi"
   nextcloudExporter:
     limits:
       cpu: 99
@@ -218,6 +218,56 @@ resources:
     requests:
       cpu: 0.1
       memory: "32Mi"
+  nextcloudPHP:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
+  nubusProvisioning:
+    nats:
+      limits:
+        cpu: 288
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "128Mi"
+    dispatcher:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    registerConsumers:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    udmTransformer:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    prefill:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    api:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "100Mi"
   openproject:
     limits:
       cpu: 99
@@ -225,34 +275,6 @@ resources:
     requests:
       cpu: 0.1
       memory: "768Mi"
-  openprojectDbInit:
-    limits:
-      cpu: 99
-      memory: "768Mi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
-  openprojectAppInit:
-    limits:
-      cpu: 99
-      memory: "768Mi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
-  openprojectSeederJob:
-    limits:
-      cpu: 99
-      memory: "768Mi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
-  openprojectWorkers:
-    limits:
-      cpu: 99
-      memory: "4Gi"
-    requests:
-      cpu: 0.25
-      memory: "512Mi"
   openxchangeCoreDocumentConverter:
     limits:
       cpu: 99
@@ -428,6 +450,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsLdapServerInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsNotificationsApi:
     limits:
       cpu: 99
@@ -442,14 +471,14 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsPortalConsumer:
+  umsPortalListener:
     limits:
       cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsPortalConsumerDependencies:
+  umsPortalListenerDependencies:
     limits:
       cpu: 99
       memory: "1Gi"
@@ -463,13 +492,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsProvisioningApi:
+  umsProvisioningEventsAndConsumerApi:
     limits:
       cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "100Mi"
+      memory: "256Mi"
   umsProvisioningDispatcher:
     limits:
       cpu: 99
@@ -484,28 +513,28 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsProvisioningRegisterConsumers:
+  umsProvisioningUdmListener:
     limits:
       cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "64Mi"
-  umsProvisioningUdmTransformer:
-    limits:
-      cpu: 99
-      memory: "1Gi"
-    requests:
-      cpu: 0.1
-      memory: "64Mi"
+      memory: "256Mi"
   umsProvisioningNats:
     limits:
       cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "128Mi"
-  umsSelfserviceConsumer:
+      memory: "256Mi"
+  umsSelfserviceListener:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
+  umsSelfserviceListenerDependencies:
     limits:
       cpu: 99
       memory: "1Gi"
@@ -519,13 +548,20 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsUdmListener:
+  umsStackDataSwp:
     limits:
       cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsStackGateway:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
   umsUdmRestApi:
     limits:
       cpu: 99

helmfile/environments/default/secrets.gotmpl

@@ -7,7 +7,6 @@ SPDX-License-Identifier: Apache-2.0
 secrets:
   oxAppsuite:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
-    migrationsMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "opendesk") "ox_appsuite" "migrations_master_password" | sha1sum | quote }}
     cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
     sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum | quote }}
     shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum | quote }}
@@ -20,8 +19,6 @@ secrets:
     shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
     sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryption_key" | sha1sum | quote }}
     synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "as_token" | sha1sum | quote }}
-  oxConnector:
-    provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ox-connector" | sha1sum | quote }}
   nubus:
     ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
     ldapSearch:
@@ -37,19 +34,21 @@ secrets:
     systemAccounts:
       administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "Administrator" | sha1sum | quote }}
       sysIdpUserPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "sysIdpUser" | sha1sum | quote }}
-    portalConsumer:
-      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-consumer" "provisioning-api" | sha1sum | quote }}
-    selfserviceConsumer:
-      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "selfservice-consumer" "provisioning-api" | sha1sum | quote }}
+    storeDavUsers:
+      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
+      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
     provisioning:
-      api:
-        adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
-        natsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
-        prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
-        udmTransformerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
-      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
+      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
+      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
+      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
       prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
-      udmTransformerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmTransformer" "nats" | sha1sum | quote }}
+      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
+      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
+      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
     guardian:
       udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
   nats:

helmfile/environments/default/selinux.yaml

@@ -34,13 +34,14 @@ seLinuxOptions:
   migrations: ~
   milter: ~
   minio: ~
-  nextcloud: ~
+  nextcloudApache2: ~
   nextcloudExporter: ~
   nextcloudManagement: ~
+  nextcloudPHP: ~
   opendeskKeycloakBootstrap: ~
   openproject: ~
   openprojectBootstrap: ~
-  openprojectDbInit: ~
+  openprojectInitDb: ~
   openxchangeBootstrap: ~
   openxchangeCoreGuidedtours: ~
   openxchangeCoreMW: ~
@@ -62,10 +63,11 @@ seLinuxOptions:
   synapseCreateUser: ~
   synapseGuestModule: ~
   synapseWeb: ~
+  umsConfigHtpasswd: ~
+  umsDataLoader: ~
   umsGuardianAuthorizationApi: ~
   umsGuardianManagementApi: ~
   umsGuardianManagementUi: ~
-  umsGuardianOpenPolicyAgent: ~
   umsKeycloak: ~
   umsKeycloakBootstrap: ~
   umsKeycloakExtensionHandler: ~
@@ -73,17 +75,24 @@ seLinuxOptions:
   umsLdapNotifier: ~
   umsLdapServer: ~
   umsNotificationsApi: ~
+  umsOpenPolicyAgent: ~
   umsPortalFrontend: ~
-  umsPortalConsumer: ~
+  umsPortalListener: ~
   umsPortalServer: ~
-  umsProvisioning: ~
+  umsProvisioningDispatcher: ~
+  umsProvisioningEventsAndConsumerApi: ~
   umsProvisioningNats: ~
-  umsSelfserviceConsumer: ~
-  umsStackDataUms: ~
-  umsUdmListener: ~
+  umsProvisioningNatsBox: ~
+  umsProvisioningNatsReloader: ~
+  umsProvisioningUdmListener: ~
+  umsSelfserviceInvitation: ~
+  umsSelfserviceListener: ~
+  umsStackGateway: ~
+  umsStoreDav: ~
   umsUdmRestApi: ~
   umsUmcGateway: ~
   umsUmcServer: ~
+  umsWaitForDependency: ~
   wellKnown: ~
   xwiki: ~
 ...

helmfile/environments/default/theme.gotmpl

@@ -15,7 +15,7 @@ theme:
   ## Define colors
   #
   colors:
-    # Element, OX AppSuite, Xwiki, Jitsi
+    # Element, OX AppSuite, Xwiki
     primary: "#5e27dd"
     # OX AppSuite
     primary15: "#e7dffa"
@@ -23,7 +23,7 @@ theme:
     black: "#000000"
     # OX AppSuite, Xwiki
     white: "#ffffff"
-    # OX AppSuite, Xwiki, Jitsi
+    # OX AppSuite, Xwiki
     secondaryGreyLight: "#f5f5f5"
 
     # Not in use yet
@@ -53,29 +53,4 @@ theme:
     logoPortalBackgroundSvgB64: {{ readFile "./../../files/theme/logoPortalBackground.svg" | b64enc | quote }}
     portalCss: {{ readFile "./../../files/theme/portal.css" | b64enc }}
 
-  portalTiles:
-    adminAnnouncement: {{ readFile "./../../files/portal-tiles/admin_announcement.svg" | b64enc | quote }}
-    adminContext: {{ readFile "./../../files/portal-tiles/admin_context.svg" | b64enc | quote }}
-    adminFunctionalmailbox: {{ readFile "./../../files/portal-tiles/admin_functionalmailbox.svg" | b64enc | quote }}
-    adminGroup: {{ readFile "./../../files/portal-tiles/admin_group.svg" | b64enc | quote }}
-    adminResource: {{ readFile "./../../files/portal-tiles/admin_resource.svg" | b64enc | quote }}
-    adminUser: {{ readFile "./../../files/portal-tiles/admin_user.svg" | b64enc | quote }}
-    anonymousLogin: {{ readFile "./../../files/portal-tiles/anonymous_login.svg" | b64enc | quote }}
-    dummyCircle: {{ readFile "./../../files/portal-tiles/dummy_circle.svg" | b64enc | quote }}
-    fileshareActivity: {{ readFile "./../../files/portal-tiles/fileshare_activity.svg" | b64enc | quote }}
-    fileshareDirectdocOdp: {{ readFile "./../../files/portal-tiles/fileshare_directdoc_odp.svg" | b64enc | quote }}
-    fileshareDirectdocOds: {{ readFile "./../../files/portal-tiles/fileshare_directdoc_ods.svg" | b64enc | quote }}
-    fileshareDirectdocOdt: {{ readFile "./../../files/portal-tiles/fileshare_directdoc_odt.svg" | b64enc | quote }}
-    fileshareFiles: {{ readFile "./../../files/portal-tiles/fileshare_files.svg" | b64enc | quote }}
-    groupwareCalendar: {{ readFile "./../../files/portal-tiles/groupware_calendar.svg" | b64enc | quote }}
-    groupwareContacts: {{ readFile "./../../files/portal-tiles/groupware_contacts.svg" | b64enc | quote }}
-    groupwareMail: {{ readFile "./../../files/portal-tiles/groupware_mail.svg" | b64enc | quote }}
-    groupwareTasks: {{ readFile "./../../files/portal-tiles/groupware_tasks.svg" | b64enc | quote }}
-    managementKnowledge: {{ readFile "./../../files/portal-tiles/management_knowledge.svg" | b64enc | quote }}
-    managementProject: {{ readFile "./../../files/portal-tiles/management_project.svg" | b64enc | quote }}
-    realtimeCollaboration: {{ readFile "./../../files/portal-tiles/realtime_collaboration.svg" | b64enc | quote }}
-    realtimeVideoconference: {{ readFile "./../../files/portal-tiles/realtime_videoconference.svg" | b64enc | quote }}
-    selfserviceChangepassword: {{ readFile "./../../files/portal-tiles/selfservice_changepassword.svg" | b64enc | quote }}
-    selfserviceEditprofile: {{ readFile "./../../files/portal-tiles/selfservice_editprofile.svg" | b64enc | quote }}
-    selfserviceProtectaccount: {{ readFile "./../../files/portal-tiles/selfservice_protectaccount.svg" | b64enc | quote }}
 ...

helmfile/environments/test/values.yaml.gotmpl

@@ -0,0 +1,103 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imageRegistry: "my_private_registry.domain.tld"
+  imagePullSecrets:
+    - "kyverno-test"
+  imagePullPolicy: "kyverno"
+persistence:
+  storageClassNames:
+    RWX: "kyverno-test"
+    RWO: "kyverno-test"
+  size:
+    clamav: "42Gi"
+    dovecot: "42Gi"
+    mariadb: "42Gi"
+    matrixNeoDateFixBot: "42Gi"
+    minio: "42Gi"
+    nubus:
+      ldapServerData: "42Gi"
+      ldapServerShared: "42Gi"
+      portalListener: "42Gi"
+      selfserviceListener: "42Gi"
+    postfix: "42Gi"
+    postgresql: "42Gi"
+    prosody: "42Gi"
+    redis: "42Gi"
+    synapse: "42Gi"
+    xwiki: "42Gi"
+ingress:
+  ingressClassName: "kyverno"
+  tls:
+    enabled: true
+    secretName: "kyverno-tls"
+replicas:
+  clamav: 42
+  clamd: 42
+  collabora: 42
+  cryptpad: 42
+  dovecot: 42
+  element: 42
+  freshclam: 42
+  icap: 42
+  intercomService: 42
+  jibri: 42
+  jicofo: 42
+  jitsi: 42
+  jitsiKeycloakAdapter: 42
+  jvb: 42
+  keycloak: 42
+  mariadb: 42
+  matrixNeoBoardWidget: 42
+  matrixNeoChoiceWidget: 42
+  matrixNeoDateFixBot: 42
+  matrixNeoDateFixWidget: 42
+  matrixUserVerificationService: 42
+  memcached: 42
+  milter: 42
+  minio: 42
+  nextcloudApache2: 42
+  nextcloudExporter: 42
+  nextcloudPHP: 42
+  openprojectWeb: 42
+  openprojectWorker: 42
+  openxchangeCoreGuidedtours: 42
+  openxchangeCoreMW: 42
+  openxchangeCoreUI: 42
+  openxchangeCoreUIMiddleware: 42
+  openxchangeCoreUserGuide: 42
+  openxchangeDocumentConverter: 42
+  openxchangeGotenberg: 42
+  openxchangeGuardUI: 42
+  openxchangeImageConverter: 42
+  openxchangeNextcloudIntegrationUI: 42
+  openxchangePublicSectorUI: 42
+  oxConnector: 42
+  postfix: 42
+  postgres: 42
+  redis: 42
+  synapse: 42
+  synapseWeb: 42
+  umsGuardianAuthorizationApi: 42
+  umsGuardianManagementApi: 42
+  umsGuardianManagementUi: 42
+  umsGuardianOpenPolicyAgent: 42
+  umsKeycloakExtensionsHandler: 42
+  umsKeycloakExtensionsProxy: 42
+  umsLdapNotifier: 42
+  umsLdapServer: 42
+  umsNotificationsApi: 42
+  umsPortalFrontend: 42
+  umsPortalListener: 42
+  umsPortalServer: 42
+  umsSelfserviceListener: 42
+  umsStackGateway: 42
+  umsUdmRestApi: 42
+  umsUmcGateway: 42
+  umsUmcServer: 42
+  wellKnown: 42
+  xwiki: 42
+...

helmfile/files/portal-tiles/admin_announcement.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M716.92-460v-40h129.23v40H716.92Zm43.39 258.46-103.39-77.54 24.93-31.69 103.38 77.54-24.92 31.69Zm-81.54-450.77L653.85-684l103.38-77.54 24.92 31.69-103.38 77.54ZM220-241.54v-152.31h-41.54q-26.84 0-45.73-18.88-18.88-18.89-18.88-45.73v-43.08q0-26.84 18.88-45.73 18.89-18.88 45.73-18.88h149.23L486.15-660v360l-158.46-93.85H260v152.31h-40Zm226.15-129.69v-217.54l-107.23 62.62H178.46q-9.23 0-16.92 7.69-7.69 7.69-7.69 16.92v43.08q0 9.23 7.69 16.92 7.69 7.69 16.92 7.69h160.46l107.23 62.62Zm110.77 6.77v-231.08q20.08 18.62 32.35 48.89 12.27 30.27 12.27 66.65 0 36.38-12.27 66.65-12.27 30.27-32.35 48.89ZM300-480Z"/></svg>

helmfile/files/portal-tiles/admin_context.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M160-440v-295.38q0-27.62 18.5-46.12Q197-800 224.62-800H440v360H160Zm240-40Zm120-320h215.38q27.62 0 46.12 18.5Q800-763 800-735.13V-600H520v-200Zm0 640v-360h280v295.38q0 27.62-18.5 46.12Q763-160 735.38-160H520ZM160-360h280v200H224.62q-27.62 0-46.12-18.5Q160-197 160-224.87V-360Zm240 40Zm160-320Zm0 160Zm-360 0h200v-280H224.62q-10.77 0-17.7 6.92-6.92 6.93-6.92 17.7V-480Zm360-160h200v-95.38q0-10.77-6.92-17.7-6.93-6.92-17.7-6.92H560v120Zm0 160v280h175.38q10.77 0 17.7-6.92 6.92-6.93 6.92-17.7V-480H560ZM200-320v95.38q0 10.77 6.92 17.7 6.93 6.92 17.7 6.92H400v-120H200Z"/></svg>

helmfile/files/portal-tiles/admin_functionalmailbox.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M600-240v89.23q0 12.39-9.19 21.58-9.19 9.19-21.58 9.19H150.77q-12.39 0-21.58-9.19-9.19-9.19-9.19-21.58v-258.46q0-12.39 9.19-21.58 9.19-9.19 21.58-9.19H280v-200q0-83.08 58.46-141.54Q396.92-840 480-840h160q83.08 0 141.54 58.46Q840-723.08 840-640v520h-40v-120H600Zm0-40h200v-360q0-66-47-113t-113-47H480q-66 0-113 47t-47 113v200h249.23q12.39 0 21.58 9.19 9.19 9.19 9.19 21.58V-280ZM420-580v-40h280v40H420Zm-60 294 200-114H160l200 114Zm0 40.77-200-114V-160h400v-199.23l-200 114ZM160-400v240-240Z"/></svg>

helmfile/files/portal-tiles/admin_group.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M103.85-215.38v-65.85q0-27.85 14.42-47.89 14.42-20.03 38.76-32.02 52.05-24.78 103.35-39.51 51.31-14.73 123.47-14.73 72.15 0 123.46 14.73 51.31 14.73 103.35 39.51 24.34 11.99 38.76 32.02 14.43 20.04 14.43 47.89v65.85h-560Zm640 0v-67.7q0-34.77-14.08-65.64-14.07-30.87-39.92-52.97 29.46 6 56.77 16.65 27.3 10.66 54 23.96 26 13.08 40.77 33.47 14.76 20.4 14.76 44.53v67.7h-112.3Zm-360-289.24q-49.5 0-84.75-35.25t-35.25-84.75q0-49.5 35.25-84.75t84.75-35.25q49.5 0 84.75 35.25t35.25 84.75q0 49.5-35.25 84.75t-84.75 35.25Zm290.77-120q0 49.5-35.25 84.75t-84.75 35.25q-2.54 0-6.47-.57-3.92-.58-6.46-1.27 20.33-24.9 31.24-55.24 10.92-30.34 10.92-63.01t-11.43-62.44q-11.42-29.77-30.73-55.62 3.23-1.15 6.46-1.5 3.23-.35 6.47-.35 49.5 0 84.75 35.25t35.25 84.75ZM143.85-255.38h480v-25.85q0-14.08-7.04-24.62-7.04-10.53-25.27-20.15-44.77-23.92-94.39-36.65-49.61-12.73-113.3-12.73-63.7 0-113.31 12.73-49.62 12.73-94.39 36.65-18.23 9.62-25.27 20.15-7.03 10.54-7.03 24.62v25.85Zm240-289.24q33 0 56.5-23.5t23.5-56.5q0-33-23.5-56.5t-56.5-23.5q-33 0-56.5 23.5t-23.5 56.5q0 33 23.5 56.5t56.5 23.5Zm0 289.24Zm0-369.24Z"/></svg>

helmfile/files/portal-tiles/admin_resource.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M180-160v-40h80v-600h320v40h120v560h80v40H660v-560h-80v560H180Zm120-600v560-560Zm160 310.77q12.38 0 21.58-9.19 9.19-9.2 9.19-21.58 0-12.38-9.19-21.58-9.2-9.19-21.58-9.19-12.38 0-21.58 9.19-9.19 9.2-9.19 21.58 0 12.38 9.19 21.58 9.2 9.19 21.58 9.19ZM300-200h240v-560H300v560Z"/></svg>

helmfile/files/portal-tiles/admin_user.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M480-504.62q-49.5 0-84.75-35.25T360-624.62q0-49.5 35.25-84.75T480-744.62q49.5 0 84.75 35.25T600-624.62q0 49.5-35.25 84.75T480-504.62ZM200-215.38v-65.85q0-24.77 14.42-46.35 14.43-21.57 38.81-33.5 56.62-27.15 113.31-40.73 56.69-13.57 113.46-13.57 56.77 0 113.46 13.57 56.69 13.58 113.31 40.73 24.38 11.93 38.81 33.5Q760-306 760-281.23v65.85H200Zm40-40h480v-25.85q0-13.31-8.58-25-8.57-11.69-23.73-19.77-49.38-23.92-101.83-36.65-52.45-12.73-105.86-12.73t-105.86 12.73Q321.69-349.92 272.31-326q-15.16 8.08-23.73 19.77-8.58 11.69-8.58 25v25.85Zm240-289.24q33 0 56.5-23.5t23.5-56.5q0-33-23.5-56.5t-56.5-23.5q-33 0-56.5 23.5t-23.5 56.5q0 33 23.5 56.5t56.5 23.5Zm0-80Zm0 369.24Z"/></svg>

helmfile/files/portal-tiles/anonymous_login.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M280-430.77q-20.69 0-34.96-14.27T230.77-480q0-20.69 14.27-34.96T280-529.23q20.69 0 34.96 14.27T329.23-480q0 20.69-14.27 34.96T280-430.77ZM280-280q-83.08 0-141.54-58.46Q80-396.92 80-480q0-83.08 58.46-141.54Q196.92-680 280-680q61.62 0 111.12 33.38 49.5 33.39 72.26 86.62h368.16l80 80-127.69 126.15-68.47-51.53-72.3 53.07L571.92-400H463.38q-22.76 52.46-72.26 86.23T280-280Zm0-40q59.08 0 100.81-35.54 41.73-35.54 53.42-84.46h150.39l57.23 38.69 74.3-53.31L781-405.77 855.23-480l-40-40h-381q-11.69-48.92-53.42-84.46Q339.08-640 280-640q-66 0-113 47t-47 113q0 66 47 113t113 47Z"/></svg>

helmfile/files/portal-tiles/fileshare_activity.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M120-561.54v-155.38q0-27.62 18.5-46.12 18.5-18.5 46.12-18.5h590.76q27.62 0 46.12 18.5 18.5 18.5 18.5 46.12v155.38h-40v-155.38q0-9.23-7.69-16.93-7.69-7.69-16.93-7.69H184.62q-9.24 0-16.93 7.69-7.69 7.7-7.69 16.93v155.38h-40Zm64.62 300q-27.62 0-46.12-18.5-18.5-18.5-18.5-46.11v-195.39h40v195.39q0 9.23 7.69 16.92 7.69 7.69 16.93 7.69h590.76q9.24 0 16.93-7.69 7.69-7.69 7.69-16.92v-195.39h40v195.39q0 27.61-18.5 46.11t-46.12 18.5H184.62Zm-113.85 80v-40h818.46v40H70.77Zm409.23-340Zm-360 0v-40h200q5.62 0 10.62 2.92 5 2.93 7.69 8.31L403-421.15l139.15-249.62q2.7-5.15 7.47-7.19Q554.38-680 560-680q5.62 0 10.62 2.04 5 2.04 7.69 7.65l54.38 108.77H840v40H627.69q-8.69 0-16.77-4.73-8.07-4.73-12.3-13.42L558-620.38 418.08-372.31q-2.7 5.39-7.7 8.08-5 2.69-10.61 2.69-5.62 0-10.5-2.92-4.89-2.92-7.58-8.31l-74.38-148.77H120Z"/></svg>

helmfile/files/portal-tiles/fileshare_directdoc_odp.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M480-480ZM224.62-160q-27.62 0-46.12-18.5Q160-197 160-224.62v-510.76q0-27.62 18.5-46.12Q197-800 224.62-800h280v40h-280q-10.77 0-17.7 6.92-6.92 6.93-6.92 17.7v510.76q0 10.77 6.92 17.7 6.93 6.92 17.7 6.92h510.76q10.77 0 17.7-6.92 6.92-6.93 6.92-17.7v-280h40v280q0 27.62-18.5 46.12Q763-160 735.38-160H224.62Zm46.15-144.62h418.46L560-476.92 440-325.38l-80-96.16-89.23 116.92ZM680-600v-80h-80v-40h80v-80h40v80h80v40h-80v80h-40Z"/></svg>

helmfile/files/portal-tiles/fileshare_directdoc_ods.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M204.62-160q-27.62 0-46.12-18.5Q140-197 140-224.62v-510.76q0-27.62 18.5-46.12Q177-800 204.62-800h372.3v40h-372.3q-10.77 0-17.7 6.92-6.92 6.93-6.92 17.7v510.76q0 10.77 6.92 17.7 6.93 6.92 17.7 6.92h510.76q10.77 0 17.7-6.92 6.92-6.93 6.92-17.7v-372.3h40v372.3q0 27.62-18.5 46.12Q743-160 715.38-160H204.62Zm84.61-140h40v-240h-40v240ZM440-300h40v-360h-40v360Zm150.77 0h40v-120h-40v120ZM700-640v-80h-80v-40h80v-80h40v80h80v40h-80v80h-40ZM460-480Z"/></svg>

helmfile/files/portal-tiles/fileshare_directdoc_odt.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M204.62-160q-27.62 0-46.12-18.5Q140-197 140-224.62v-510.76q0-27.62 18.5-46.12Q177-800 204.62-800h372.3v40h-372.3q-9.24 0-16.93 7.69-7.69 7.69-7.69 16.93v510.76q0 9.24 7.69 16.93 7.69 7.69 16.93 7.69h510.76q9.24 0 16.93-7.69 7.69-7.69 7.69-16.93v-372.3h40v372.3q0 27.62-18.5 46.12Q743-160 715.38-160H204.62ZM320-300v-40h280v40H320Zm0-120v-40h280v40H320Zm0-120v-40h280v40H320Zm380-100v-80h-80v-40h80v-80h40v80h80v40h-80v80h-40Z"/></svg>

helmfile/files/portal-tiles/fileshare_files.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M180-200q-25.31 0-42.65-17.35Q120-234.69 120-260v-435.38q0-25.31 19.65-44.97Q159.31-760 184.62-760h199.23l80 80h311.53q20.7 0 36.12 11.19 15.42 11.19 21.58 28.81H447.77l-80-80H184.62q-10.77 0-17.7 6.92-6.92 6.93-6.92 17.7v430.76q0 8.47 4.23 13.85 4.23 5.39 11.15 9.23L266-544.62h648.62l-90.7 302.24q-5.69 19.07-21.8 30.73Q786-200 766.15-200H180Zm37.08-40h564.46l78.92-264.62H296L217.08-240Zm0 0L296-504.62 217.08-240ZM160-640v-80 80Z"/></svg>

helmfile/files/portal-tiles/groupware_calendar.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M224.62-120q-27.62 0-46.12-18.5Q160-157 160-184.62v-510.76q0-27.62 18.5-46.12Q197-760 224.62-760h70.76v-89.23h43.08V-760h286.16v-89.23h40V-760h70.76q27.62 0 46.12 18.5Q800-723 800-695.38v510.76q0 27.62-18.5 46.12Q763-120 735.38-120H224.62Zm0-40h510.76q9.24 0 16.93-7.69 7.69-7.69 7.69-16.93v-350.76H200v350.76q0 9.24 7.69 16.93 7.69 7.69 16.93 7.69ZM200-575.39h560v-119.99q0-9.24-7.69-16.93-7.69-7.69-16.93-7.69H224.62q-9.24 0-16.93 7.69-7.69 7.69-7.69 16.93v119.99Zm0 0V-720-575.39Zm280 181.54q-12.38 0-21.58-9.19-9.19-9.19-9.19-21.58 0-12.38 9.19-21.57 9.2-9.19 21.58-9.19 12.38 0 21.58 9.19 9.19 9.19 9.19 21.57 0 12.39-9.19 21.58-9.2 9.19-21.58 9.19Zm-160 0q-12.38 0-21.58-9.19-9.19-9.19-9.19-21.58 0-12.38 9.19-21.57 9.2-9.19 21.58-9.19 12.38 0 21.58 9.19 9.19 9.19 9.19 21.57 0 12.39-9.19 21.58-9.2 9.19-21.58 9.19Zm320 0q-12.38 0-21.58-9.19-9.19-9.19-9.19-21.58 0-12.38 9.19-21.57 9.2-9.19 21.58-9.19 12.38 0 21.58 9.19 9.19 9.19 9.19 21.57 0 12.39-9.19 21.58-9.2 9.19-21.58 9.19ZM480-240q-12.38 0-21.58-9.19-9.19-9.19-9.19-21.58 0-12.38 9.19-21.58 9.2-9.19 21.58-9.19 12.38 0 21.58 9.19 9.19 9.2 9.19 21.58 0 12.39-9.19 21.58Q492.38-240 480-240Zm-160 0q-12.38 0-21.58-9.19-9.19-9.19-9.19-21.58 0-12.38 9.19-21.58 9.2-9.19 21.58-9.19 12.38 0 21.58 9.19 9.19 9.2 9.19 21.58 0 12.39-9.19 21.58Q332.38-240 320-240Zm320 0q-12.38 0-21.58-9.19-9.19-9.19-9.19-21.58 0-12.38 9.19-21.58 9.2-9.19 21.58-9.19 12.38 0 21.58 9.19 9.19 9.2 9.19 21.58 0 12.39-9.19 21.58Q652.38-240 640-240Z"/></svg>

helmfile/files/portal-tiles/groupware_contacts.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M480-418.46q25.31 0 42.65-17.35Q540-453.15 540-478.46t-17.35-42.66q-17.34-17.34-42.65-17.34t-42.65 17.34Q420-503.77 420-478.46q0 25.31 17.35 42.65 17.34 17.35 42.65 17.35ZM340-283.08h280v-6.07q0-18.62-9.92-31.7-9.93-13.07-26.77-20.77-23.69-10.23-49.66-15.84-25.96-5.62-53.65-5.62-27.69 0-53.65 5.62-25.97 5.61-49.66 15.84-16.84 7.7-26.77 20.77-9.92 13.08-9.92 31.7v6.07ZM695.38-120H264.62q-27.62 0-46.12-18.5Q200-157 200-184.62v-590.76q0-27.62 18.5-46.12Q237-840 264.62-840h278.46L760-623.08v438.46q0 27.62-18.5 46.12Q723-120 695.38-120Zm0-40q9.24 0 16.93-7.69 7.69-7.69 7.69-16.93V-606L526-800H264.62q-9.24 0-16.93 7.69-7.69 7.69-7.69 16.93v590.76q0 9.24 7.69 16.93 7.69 7.69 16.93 7.69h430.76ZM240-160v-640 640Z"/></svg>

helmfile/files/portal-tiles/groupware_mail.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M184.62-200q-27.62 0-46.12-18.5Q120-237 120-264.62v-430.76q0-27.62 18.5-46.12Q157-760 184.62-760h590.76q27.62 0 46.12 18.5Q840-723 840-695.38v430.76q0 27.62-18.5 46.12Q803-200 775.38-200H184.62ZM480-475.38 160-684.62v420q0 10.77 6.92 17.7 6.93 6.92 17.7 6.92h590.76q10.77 0 17.7-6.92 6.92-6.93 6.92-17.7v-420L480-475.38Zm0-44.62 307.69-200H172.31L480-520ZM160-684.62V-720v455.38q0 10.77 6.92 17.7 6.93 6.92 17.7 6.92H160v-444.62Z"/></svg>

helmfile/files/portal-tiles/groupware_tasks.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M645.36-248.05 531.82-361.59l23.33-23.33 89.88 89.2 172.41-172.92 23.33 24.33-195.41 196.26Zm0-289.23L531.82-650.82l23.33-23.33 89.88 89.2 172.41-172.92 23.33 24.33-195.41 196.26ZM120-318.46v-33.85h320v33.85H120Zm0-289.23v-33.85h320v33.85H120Z"/></svg>

helmfile/files/portal-tiles/management_knowledge.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M480-113.85q-27.62 0-48.04-18.5-20.42-18.5-24.27-46.11h144.62q-3.85 27.61-24.27 46.11-20.42 18.5-48.04 18.5ZM340-249.23v-40h280v40H340ZM342.31-360q-56.69-37.15-89.5-94.23Q220-511.31 220-580q0-108.85 75.58-184.42Q371.15-840 480-840t184.42 75.58Q740-688.85 740-580q0 68.69-32.81 125.77T617.69-360H342.31ZM354-400h252q45-32 69.5-79T700-580q0-92-64-156t-156-64q-92 0-156 64t-64 156q0 54 24.5 101t69.5 79Zm126 0Z"/></svg>

helmfile/files/portal-tiles/management_project.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M264.62-299.85h190.76v-33.84H264.62v33.84Zm120-163.23h190.76v-33.84H384.62v33.84Zm120-163.23h190.76v-33.84H504.62v33.84ZM218.46-160q-24.58 0-41.52-16.94Q160-193.88 160-218.46v-523.08q0-24.58 16.94-41.52Q193.88-800 218.46-800h523.08q24.58 0 41.52 16.94Q800-766.12 800-741.54v523.08q0 24.58-16.94 41.52Q766.12-160 741.54-160H218.46Zm0-33.85h523.08q9.23 0 16.92-7.69 7.69-7.69 7.69-16.92v-523.08q0-9.23-7.69-16.92-7.69-7.69-16.92-7.69H218.46q-9.23 0-16.92 7.69-7.69 7.69-7.69 16.92v523.08q0 9.23 7.69 16.92 7.69 7.69 16.92 7.69Zm-24.61-572.3V-193.85-766.15Z"/></svg>

helmfile/files/portal-tiles/realtime_collaboration.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M824.62-187.69 701.54-310.77H320q-25.38 0-43.46-18.08-18.08-18.07-18.08-43.46v-9.23h430.77q26.65 0 45.64-18.98 18.98-18.98 18.98-45.63V-720h9.23q25.38 0 43.46 18.08 18.08 18.07 18.08 43.46v470.77ZM175.38-435.31l66.24-66.23h367.61q10.77 0 17.69-6.92 6.93-6.92 6.93-17.69v-249.23q0-10.77-6.93-17.7Q620-800 609.23-800H200q-10.77 0-17.69 6.92-6.93 6.93-6.93 17.7v340.07Zm-40 96.85v-436.92q0-26.66 18.99-45.64Q173.35-840 200-840h409.23q26.65 0 45.64 18.98 18.98 18.98 18.98 45.64v249.23q0 26.65-18.98 45.63-18.99 18.98-45.64 18.98H258.46L135.38-338.46Zm40-187.69V-800-526.15Z"/></svg>

helmfile/files/portal-tiles/realtime_videoconference.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M820.09-310.77q-16.63 0-28.36-11.67Q780-334.1 780-350.77v-100q0-16.67 11.64-28.33 11.64-11.67 28.27-11.67t28.36 11.67Q860-467.44 860-450.77v100q0 16.67-11.64 28.33-11.64 11.67-28.27 11.67Zm-15.47 146.15v-61.23q-49.47-8-78.97-41.88-29.5-33.89-31.8-83.04h30.77q0 39.69 27.66 67.54 27.66 27.85 67.72 27.85t67.72-27.67q27.66-27.66 27.66-67.72h30.77q-2.3 49.15-31.42 83.04-29.11 33.88-79.35 41.8v61.31h-30.76ZM346.15-506.15q-44.46-1.54-76.84-35.47-32.39-33.92-32.39-83 0-49.07 32.39-83 32.38-33.92 76.84-35.46 2.97 0 5.83.46 2.87.47 6.64 1.62-19.08 21-28.85 49.88-9.77 28.89-9.77 66.5 0 37.62 9.38 65.74 9.39 28.11 29.24 50.65-3 1.15-6.12 1.61-3.12.47-6.35.47ZM76.92-215.38V-281q0-20.92 11.23-40.69 11.23-19.77 34.31-34.77 18-10.77 40.58-19.5t47.11-13.66q-23.84 17.24-37 44.85Q160-317.15 160-281v65.62H76.92ZM520-504.62q-49.5 0-84.75-35.25T400-624.62q0-49.5 35.25-84.75T520-744.62q49.5 0 84.75 35.25T640-624.62q0 49.5-35.25 84.75T520-504.62Zm0-40q33 0 56.5-23.5t23.5-56.5q0-33-23.5-56.5t-56.5-23.5q-33 0-56.5 23.5t-23.5 56.5q0 33 23.5 56.5t56.5 23.5ZM240-215.38V-281q0-24.77 14.31-46.46t38.92-33.62q47.92-23.69 107.42-39 59.5-15.3 119.35-15.3 25.85 0 54.65 3.96 28.81 3.96 53.66 10.34-3.85 8-6.12 18.66-2.27 10.65-3.5 20.11-24.23-6.92-49.73-10-25.5-3.07-48.96-3.07-63.54 0-116.73 15.3-53.19 15.31-90.73 34.08-15.39 7.31-23.96 19.5Q280-294.31 280-281v25.62h360.08q6.54 12.15 14.69 21.76 8.15 9.62 18.23 18.24H240Zm280-409.24Zm0 369.24Z"/></svg>

helmfile/files/portal-tiles/selfservice_changepassword.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M186.15-186.15v-40h123.62Q238-288.62 209-349.08q-29-60.46-29-127.84 0-98.16 56.08-176.35Q292.15-731.46 380-762.31v42.46q-71.54 29.62-115.77 96.12Q220-557.23 220-476.92q0 60.92 25.73 112.19 25.73 51.27 91.19 108.88v-121.07h40v190.77H186.15ZM740-478.46q0-62.54-25.88-114.35-25.89-51.81-91.04-110.57v120.3h-40v-190.77h190.77v40H650.23q75.92 64.54 103.5 129.27T780-478.46h-40ZM646.15-90.77q-14.69 0-25.8-11.11-11.12-11.12-11.12-25.81v-107.69q0-14.7 11.12-25.81 11.11-11.12 25.8-11.12H650v-40q0-29.92 20.42-50.34 20.43-20.43 50.35-20.43t50.35 20.43q20.42 20.42 20.42 50.34v40h3.84q14.7 0 25.04 11.12 10.35 11.11 10.35 25.81v107.69q0 14.69-11.12 25.81-11.11 11.11-25.8 11.11h-147.7Zm34.62-181.54h80v-40q0-17-11.5-28.5t-28.5-11.5q-17 0-28.5 11.5t-11.5 28.5v40Z"/></svg>

helmfile/files/portal-tiles/selfservice_editprofile.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M184.62-120q-27.62 0-46.12-18.5Q120-157 120-184.62v-390.76q0-27.62 18.5-46.12Q157-640 184.62-640H400v-160q0-16.85 11.58-28.42Q423.15-840 440-840h80q16.85 0 28.42 11.58Q560-816.85 560-800v160h215.38q27.62 0 46.12 18.5Q840-603 840-575.38v390.76q0 27.62-18.5 46.12Q803-120 775.38-120H184.62Zm0-40h590.76q10.77 0 17.7-6.92 6.92-6.93 6.92-17.7v-390.76q0-10.77-6.92-17.7-6.93-6.92-17.7-6.92H560v30.77q0 16.08-11.96 28.04T520-529.23h-80q-16.08 0-28.04-11.96T400-569.23V-600H184.62q-10.77 0-17.7 6.92-6.92 6.93-6.92 17.7v390.76q0 10.77 6.92 17.7 6.93 6.92 17.7 6.92Zm67.69-103.08h215.38v-5.69q0-13.92-7.57-25.35-7.58-11.42-20.74-17.88-19.23-8.23-38.96-12.35-19.73-4.11-40.42-4.11t-40.42 4.11q-19.73 4.12-38.96 12.35-13.16 6.46-20.74 17.88-7.57 11.43-7.57 25.35v5.69ZM560-324.62h160V-360H560v35.38ZM360-360q19.62 0 33.65-14.04 14.04-14.04 14.04-33.65 0-19.62-14.04-33.66-14.03-14.03-33.65-14.03-19.62 0-33.65 14.03-14.04 14.04-14.04 33.66 0 19.61 14.04 33.65Q340.38-360 360-360Zm200-60h160v-35.38H560V-420ZM440-569.23h80V-800h-80v230.77ZM480-380Z"/></svg>

helmfile/files/portal-tiles/selfservice_protectaccount.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" height="24px" viewBox="0 -960 960 960" width="24px" fill="#5e27dd"><path d="M184.62-200q-27.62 0-46.12-18.5Q120-237 120-264.62v-430.76q0-27.62 18.5-46.12Q157-760 184.62-760h590.76q27.62 0 46.12 18.5Q840-723 840-695.38V-591h-40v-93.62L480-475.38 160-684.62v420q0 10.77 6.92 17.7 6.93 6.92 17.7 6.92h440v40h-440ZM480-520l307.69-200H172.31L480-520ZM160-240v-480 480Zm580 40q-14.69 0-25.04-10.35-10.34-10.34-10.34-25.03v-120q0-14.7 11.5-25.04 11.5-10.35 28.5-10.35v-44.61q0-31.47 21.96-53.43T820-510.77q31.46 0 53.42 21.96t21.96 53.43v44.61q17 0 28.5 10.35 11.5 10.34 11.5 25.04v120q0 14.69-10.34 25.03Q914.69-200 900-200H740Zm35.38-190.77h89.24v-44.61q0-18.54-13.04-31.58T820-480q-18.54 0-31.58 13.04t-13.04 31.58v44.61Z"/></svg>