fix(element): Provide certificate for alternative synapse domain

.gitlab-ci.yml

@@ -539,7 +539,7 @@ avscan-start:
 
 # Overwrite shared settings
 .common-semantic-release:
-  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release-patched:1.0.0"
   tags: []
 
 conventional-commits-linter:

.kyverno/policies/template-image-registries.yaml

@@ -24,10 +24,10 @@ spec:
         pattern:
           spec:
             =(ephemeralContainers):
-              - image: "external-registry.souvap-univention.de/*"
+              - image: "my_private_registry.domain.tld/*"
             =(initContainers):
-              - image: "external-registry.souvap-univention.de/*"
+              - image: "my_private_registry.domain.tld/*"
             containers:
-              - image: "external-registry.souvap-univention.de/*"
+              - image: "my_private_registry.domain.tld/*"
   validationFailureAction: "audit"
 ...

README.md

@@ -1,4 +1,5 @@
 <!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
@@ -22,8 +23,8 @@ SPDX-License-Identifier: Apache-2.0
 
 # Overview
 
-openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
-Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
+openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the
+*Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH*.
 
 openDesk currently features the following functional main components:
 
@@ -31,11 +32,11 @@ openDesk currently features the following functional main components:
 | -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59)                                 | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
-| File management      | Nextcloud                   | [28.0.4](https://nextcloud.com/de/changelog/#28-0-4)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
+| File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
 | Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [14.0.1](https://www.openproject.org/docs/release-notes/14-0-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
 | Weboffice            | Collabora                   | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
@@ -71,6 +72,7 @@ Of course, further development also includes enhancing the documentation itself.
 
 # Advanced customization
 
+- [Enhanced Configuration](./docs/enhanced-configuration.md)
 - [External services](./docs/external-services.md)
 - [Security](./docs/security.md)
 - [Scaling](./docs/scaling.md)
@@ -116,7 +118,7 @@ This project uses the following license: Apache-2.0
 
 # Copyright
 
-Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+Copyright (C) 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 
 # Footnotes
 

docs/ci.md

@@ -15,17 +15,16 @@ This page covers openDesk deployment automation via Gitlab CI.
 
 The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a GitLab instance of your choice.
 
-
 When starting the pipeline through the GitLab UI, you will be queried for some variables plus the following ones:
 
-- `DOMAIN` = The domain to deploy to.
-- `MAIL_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Mail, defaults to `DOMAIN`.
-- `SYNAPSE_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Synapse, defaults to `DOMAIN`.
-- `NAMESPACE`: Defines into which namespace of your K8s cluster openDesk will be installed
-- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
+- `DOMAIN`: Primary domain for your deployment making the openDesk services available e.g. as `https://portal.DOMAIN`.
+- `MAIL_DOMAIN`: (optional) Domain for the users mail addresses, defaults to `DOMAIN`.
+- `MATRIX_DOMAIN`: (optional) Domain for the users Matrix IDs, defaults to `DOMAIN`.
+- `NAMESPACE`: Namespace of your K8s cluster openDesk will be installed to.
+- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`.
 
 Based on your input, the following variables will be set:
-- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
+- `MASTER_PASSWORD:`: `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
   is not set, the default for `MASTER_PASSWORD` will be used, unless you set
   `MASTER_PASSWORD` as a masked CI/CD variable in GitLab to supersede the default.
 

docs/enhanced-configuration.md

@@ -0,0 +1,14 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Enhanced configuration use cases for openDesk</h1>
+
+# Overview
+
+The follownig enhanced configuration use cases are described in separate documents.
+
+- [Separate mail & Matrix domain](enhanced-configuration/separate-mail-matrix-domain.md)
+- [Federation with external identity provider](enhanced-configuration/idp-federation.md)
+- [Matrix federation](enhanced-configuration/matrix-federation.md)

docs/enhanced-configuration/idp-federation.md

@@ -0,0 +1,157 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Federation with external identity provider (IdP)</h1>
+
+* [Context](#context)
+* [Prerequisites](#prerequisites)
+  * [User accounts](#user-accounts)
+  * [External IdP with OIDC](#external-idp-with-oidc)
+* [Example configuration](#example-configuration)
+  * [Versions](#versions)
+  * [Example values](#example-values)
+  * [Keycloak admin console access](#keycloak-admin-console-access)
+  * [Your organizations IdP](#your-organizations-idp)
+    * [Separate realm](#separate-realm)
+    * [OIDC Client](#oidc-client)
+  * [openDesk IdP](#opendesk-idp)
+
+# Context
+
+Most organizations already have an Identity and Access Management (IAM) of their own that includes an identity provider (IdP) for single-sign-on to internal or external web applications.
+
+This document shows how to configure your organizations IdP as well as the openDesk IdP to allow account federation to support single-sign-on to openDesk based on your organization's login.
+
+# Prerequisites
+
+## User accounts
+
+Beside the configuration it is required that the user accounts with the same name exist within openDesk. This prerequisite is outside the scope of this document.
+
+We will provide additional documents regarding user provisioning in the future, so here's just an overview regarding potential scenarios:
+
+- Manual user management
+  - That is a lightweight way for testing your IdP federation setup or in case you just have a small amount of users to manage.
+  - Just create and maintain you user(s) in openDesk and ensure the username in your IAM and openDesk is identical.
+- User import
+  - If you need to create more than just a couple of test accounts you can use the [openDesk User Importer](https://gitlab.opencode.de/bmi/opendesk/tooling/user-import) that utilizes the UDM REST API for user account creation.
+  - Downsides: Managing groups and deleting accounts needs to be done manually.
+- Automated Pre-provisioning:
+  - Pre-provisioning users and groups including de-provisioning (deleting) accounts is the best practise as it ensures that openDesk is in sync with your organization's IAM.
+  - There are at least two ways of implementing the pre-provisioning:
+  - UDM REST API:
+    - Build a provisioning solution by yourself using the [UDM REST API](https://docs.software-univention.de/developer-reference/5.0/en/udm/rest-api.html).
+    - The API gives you full control over the contents of the IAM in order to create, update or delete users and groups.
+  - Directory Connector:
+    - It is based on a Python one-way directory synchronization for users and groups.
+    - We will provide more details on this approach soon one the tool is made publicly available.
+- Ad-hoc provisioning (AHP)
+  - This feature is currently not available in the openDesk Keycloak, but there are plans by the Supplier Univention to make it available.
+  - Ad-hoc provisioning creates an user account on the fly during a users first login.
+  - While AHP this is a nice approach for a quick start with openDesk it has various downsides:
+    - Users are just created after their first login, so you cannot find your colleagues in the openDesk apps unless they already logged in.
+    - A user account would never be deactivated or deleted in openDesk.
+    - Group memberships are not transferred.
+
+## External IdP with OIDC
+
+This document focusses on the OIDC federation between an external IdP and the openDesk IdP. It makes use of the OpenID Connect (OIDC) protocol, so your external IdP must support OIDC.
+
+# Example configuration
+
+## Versions
+
+The example was tested with openDesk v0.7.0 using its integrated Keycloak v24.0.3, as external IdP we also used an openDesk deployment of the same version but created a separate realm for proper separation of the configuration.
+
+## Example values
+
+The following values are used in this example documentation. Please ensure when you come across such a value even if it is part of a URL hostname or path that you adapt it where needed to your setup:
+
+- `idp.organization.tld`: hostname for your organization's IdP
+- `id.opendesk.tld`: hostname for the openDesk IdP, so openDesk is obviously deployed at `opendesk.tld`
+- `fed-test-idp-realm`: realm name for your organizations IdP
+- `opendesk-federation-client`: OIDC client for the openDesk federation that is defined in your organizations IdP
+- `auto-federate-idp`: Identifier of your organizations IdP's configuration within the openDesk Keycloak.
+- `auto-federate-flow`: Identifier of the required additional login flow to be created and referenced in the openDesk Keycloak.
+
+## Keycloak admin console access
+
+To access the admin console of Keycloak in an openDesk deployment you need to add a route for `/admin` to the Keycloak's ingress. This is done automatically if you deploy openDesk with `debug.enabled: true` but beware that this will also cause a lot of log output across all openDesk pods.
+
+The admin console will be available at:
+- Organization's IdP: https://idp.organization.tld/admin/master/console/
+- openDesk IdP: https://id.opendesk.tld/admin/master/console/
+
+For the following configuration steps login with user `kcadmin` and grab the password from the `ums-keycloak` pod's `KEYCLOAK_ADMIN_PASSWORD` variable.
+
+## Your organizations IdP
+
+As we use the Keycloak of another openDesk instance to simulate your organization's IdP in this example, especially URL paths within the Keycloak might differ if you use different products.
+
+Please let us know about your experiences or differences you came accross.
+
+### Separate realm
+
+To not interfere with an existing configuration for our test scenario we create a separate realm:
+
+- `Create realm` (from realm selection drop down menu in the left upper corner)
+- *Realm name*: `fed-test-idp-realm`
+- `Create`
+
+### OIDC Client
+
+If you just created the `fed-test-idp-realm` your are already in the admin screen for the realm, if not use the realm selection drop down menu in the left upper corner to switch to the realm.
+
+- *Clients* > *Create Client*
+  - Client create wizard page 1:
+    - *Client type*: `OpenID Connect`
+    - *Client-ID*: `opendesk-federation-client`
+    - *Name*: `openDesk @ your organization` (is the descriptive text of the client that might show up in you IdP's UI and therefore should explain what the client is used for)
+  - Client create wizard page 2:
+    - *Client authentication*: `On`
+    - *Authorization*: `Off` (default)
+    - *Authentication flow*: leave defaults
+	    - `Standard flow`
+	    - `Direct access grants`
+  - Client create wizard page 3:
+    - *Valid Redirect URLs*: `https://id.opendesk.tld/realms/opendesk/broker/auto-federate-idp/endpoint`
+  - When completed with *Save* you get to the detailed client configured that also needs some updates:
+    - Tab *Settings* > Section *Logout settings*
+      - *Front channel logout*: `Off`
+      - *Back channel logout URL*: `https://id.opendesk.tld/realms/opendesk/protocol/openid-connect/logout/backchannel-logout`
+    - Tab *Credentials*
+      - Copy the *Client Secret* as we need it for the configuration of the openDesk IdP to be used in the openDesk IdP, as well as the *Client-ID*.
+
+## openDesk IdP
+
+The following configuration is taking place in the Keycloak realm `opendesk`.
+
+- *Authentication* > *Create flow*
+  - *Name*: `auto-federate-flow`
+  - *Flow type*: `Basic flow`
+  - *Create*
+  - *Add execution*: Add `Detect existing broker user` and set it to `Required`
+  - *Add step*: `Automatically set existing user` and set it to `Required`
+
+- *Identity providers* > *User-defined* > *OpenID Connect 1.0*
+  - *Alias*: `auto-federate-idp` (used in our example)
+  - *Display Name*: Descriptive Name in case you do not forcefully redirect the user to the IdP that name is shown in the login screen for manual selection.
+  - *Use discovery endpoint*: `On` (default)
+  - *Discovery endpoint*: `https://idp.organization.tld/realms/fed-test-idp-realm/.well-known/openid-configuration` - this URL may look different if you do not use Keycloak or a different Keycloak version as IdP in your organization
+    - In case the IdP metadata could not be auto-discovered you will get an error.
+    - If everything is fine you can review the discovered metadata for your IdP by clicking on *Show metadata*.
+  - *Client authentication*: `Client secret sent as post` (default)
+  - *Client ID*: Use the client ID you took form your organization's IdP config (`opendesk-federation-client` in this example)
+  - *Client Secret*: Use the secret you took form your organization's IdP config
+  - When completed with *Add* you get to the detailed IdP configured that also needs some updates (you may need to open the *Advanced* section to access some settings)
+	- *Backchannel logout*: `On`
+	- *Disable user info*: `On`
+    - *First login flow override*: `auto-federate-flow`
+
+- In case you want to forcefully redirect all users to your organizations IdP (disabling login with local openDesk accounts):
+  - *Authentication* > `2fa-browser`
+    - Click on the cogwheel next to the *Identitify Provider Redirector*
+      - *Alias*: `auto-federate-idp`
+      - *Default Identity Provider*: `auto-federate-idp`

docs/enhanced-configuration/matrix-federation.md

@@ -0,0 +1,32 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Matrix federation</h1>
+
+* [Use case](#use-case)
+* [Example configuration](#example-configuration)
+  * [DNS setup](#dns-setup)
+
+# Use case
+
+By default you only can chat with users that also have an account within your openDesk installation. The Element chat application and its server component Synapse are based on the Matrix protocol that supports federation with other Matrix servers to communicate with the users with accounts on these servers.
+
+# Example configuration
+
+The following values are used in this example documentation. Please ensure when you come across such a value even if it is part of a URL hostname or path that you adapt it where needed to your setup:
+
+- `opendesk.domain.tld`: the mandatory `DOMAIN` setting for your deployment resulting in `https://chat.opendesk.domain.tld` to access the Element chat.
+- `my_organization.tld`: an optional alternative domain used for mail and/or Matrix. If not used it is also set to `opendesk.domain.tld`.
+
+## DNS setup
+
+If you want to federate with other Matrix instances, you need to have both SRV records:
+
+| Record name                         | Type | Value                                  | Additional Information                                                             |
+| ----------------------------------- | ---- | -------------------------------------- | ---------------------------------------------------------------------------------- |
+| _matrix._tcp.my_organization.tld    | SRV  | `1 10 PORT matrix.opendesk.domain.tld` | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
+| matrix-fed._tcp.my_organization.tld | SRV  | `1 10 PORT matrix.opendesk.domain.tld` | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
+
+*Note:* `matrix.opendesk.domain.tld` in the "Value" column can also be the IP address where synapse TLS port is listening to.

docs/enhanced-configuration/separate-mail-matrix-domain.md

@@ -0,0 +1,68 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Separate domains for mail and or matrix</h1>
+
+* [Use case](#use-case)
+* [Example configuration](#example-configuration)
+  * [Mail domain](#mail-domain)
+  * [Matrix domain](#matrix-domain)
+
+# Use case
+
+As communication over mail and chat can go beyond the borders of your openDesk installation you may want to use different domains for the mail and/or matrix.
+
+# Example configuration
+
+The following values are used in this example documentation. Please ensure when you come across such a value even if it is part of a URL hostname or path that you adapt it where needed to your setup:
+
+- `opendesk.domain.tld`: the mandatory `DOMAIN` setting for your deployment resulting in `https://mail.opendesk.domain.tld` to access emails and `https://chat.opendesk.domain.tld` to access the Element chat that is based on the Matrix protocol.
+- `my_organization.tld`: the alternative domain used for mail and/or Matrix.
+
+## Mail domain
+
+By default all email addresses in openDesk are created based on the `DOMAIN` you specified for your deployment. In our example resulting in the users having `<username>@opendesk.domain.tld` as mail addresses. In case you prefer the users to send and receive emails with another domain you can set that one using the optional `MAIL_DOMAIN` in the deployment:
+
+```yaml
+global:
+  mailDomain: "my_organization.tld"
+```
+
+or via environment variable
+
+```shell
+export MAIL_DOMAIN=my_organization.tld
+```
+
+This of course requires the MX record for the domain to point to the mail host for your openDesk deployment. Optionally add the SPF and DMARC records.
+
+| Record name                | Type | Value                                            |
+| -------------------------- | ---- | ------------------------------------------------ |
+| my_organization.tld        | MX   | `10 mail.opendesk.domain.tld`                    |
+| my_organization.tld        | TXT  | `v=spf1 +a +mx +a:mail.opendesk.domain.tld ~all` |
+| _dmarc.my_organization.tld | TXT  | `v=DMARC1; p=quarantine`                         |
+
+## Matrix domain
+
+Similar to the specific domain for email addresses you may want to specify a domain that differs from your deployment's default `DOMAIN` to define your users Matrix IDs. Use the `MATRIX_DOMAIN` to do so:
+
+```yaml
+global:
+  matrixDomain: "my_organization.tld"
+```
+
+or via environment variable
+
+```shell
+export MATRIX_DOMAIN=my_organization.tld
+```
+
+This setup requires also a different DNS setup:
+
+| Record name                      | Type | Value                                  | Comment                                                                            |
+| -------------------------------- | ---- | -------------------------------------- | ---------------------------------------------------------------------------------- |
+| _matrix._tcp.my_organization.tld | SRV  | `1 10 PORT matrix.opendesk.domain.tld` | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
+
+*Note:* `matrix.opendesk.domain.tld` in the "Value" column can also be the IP address where synapse TLS port is listening to.

docs/getting-started.md

@@ -57,7 +57,7 @@ For your convenience, we recommend to create a `*.domain.tld` A-Record to your c
 otherwise you need to create an A-Record for each subdomain.
 
 | Record name             | Type | Value                                              | Additional information                                                             |
-| ----------------------- | ---- | -------------------------------------------------- | --------------------------------------------------------------------------------------- |
+| ----------------------- | ---- | -------------------------------------------------- | ---------------------------------------------------------------------------------- |
 | *.domain.tld            | A    | IPv4 address of your Ingress Controller            |                                                                                    |
 | *.domain.tld            | AAAA | IPv6 address of your Ingress Controller            |                                                                                    |
 | mail.domain.tld         | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                   |
@@ -65,7 +65,7 @@ otherwise you need to create an A-Record for each subdomain.
 | domain.tld              | MX   | `10 mail.domain.tld`                               |                                                                                    |
 | domain.tld              | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                                         |
 | _dmarc.domain.tld       | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                                           |
-| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | The `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service. |
+| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
 
 ## Domain
 
@@ -92,40 +92,6 @@ or via environment variable
 export DOMAIN=domain.tld
 ```
 
-Additionally, you can announce/specify an alternative domain for mail and chat.
-
-As an example, if your domain is `domain.tld` and you want to send mails with this domain, then you can deploy openDesk to
-`*.opendesk.domain.tld` and send mail as `default.user@domain.tld`.
-Webmail will be accessed via `mail.opendesk.domain.tld` in this scenario.
-The required routing have to be implemented by yourself.
-
-The alternative domains have to be set either via `dev` environment
-
-```yaml
-global:
-  mailDomain: "open.desk"
-  synapseDomain: "open.desk"
-```
-
-or via environment variable
-
-```shell
-export MAIL_DOMAIN=open.desk
-export SYNAPSE_DOMAIN=open.desk
-```
-
-If you want to federate with other Matrix instances, you need to add an SRV record to signal Matrix delegation.
-
-| Record name                    | Type | Value                     |
-|--------------------------------|------|---------------------------|
-| _matrix._tcp.SYNAPSE_DOMAIN    | SRV  | `1 10 PORT matrix.DOMAIN` |
-| matrix-fed._tcp.SYNAPSE_DOMAIN | SRV  | `1 10 PORT matrix.DOMAIN` |
-| MAIL_DOMAIN                    | MX   | `10 mail.domain.tld`    |
-
-_Hint:_ Replace `SYNAPSE_DOMAIN`, `MAIL_DOMAIN` and `DOMAIN` with proper values of your domain settings.
-
-_Hint:_ `matrix.DOMAIN` can also be an IP address where synapse tls port is listening to.
-
 ### Apps
 
 All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.
@@ -178,13 +144,13 @@ prefer the use of a private image registry anyway you can configure such for
 
 ```yaml
 global:
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: "my_private_registry.domain.tld"
 ```
 
 alternatively you can use an environment variable:
 
 ```shell
-export PRIVATE_IMAGE_REGISTRY_URL=external-registry.souvap-univention.de/sovereign-workplace
+export PRIVATE_IMAGE_REGISTRY_URL=my_private_registry.domain.tld
 ```
 
 If authentication is required, you can reference imagePullSecrets as following:

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -4,7 +4,7 @@
 configuration:
   bot:
     username: "meetings-bot"
-    homeserver: {{ .Values.global.synapseDomain | default .Values.global.domain }}
+    homeserver: {{ .Values.global.matrixDomain | default .Values.global.domain }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -29,7 +29,7 @@ configuration:
     password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
 
   homeserver:
-    serverName: {{ .Values.global.synapseDomain | default .Values.global.domain }}
+    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
     appServiceConfigs:
       - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
         hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -113,4 +113,6 @@ replicaCount: {{ .Values.replicas.synapse }}
 resources:
   {{ .Values.resources.synapse | toYaml | nindent 2 }}
 
+tls:
+  secretName: {{ if .Values.global.matrixDomain }}"opendesk-certificates-synapse-tls"{{ else }}"opendesk-certificates-tls"{{ end }}
 ...

helmfile/apps/services/values-certificates.yaml.gotmpl

@@ -5,6 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
   domain: {{ .Values.global.domain | quote }}
+  synapseDomain: {{ .Values.global.matrixDomain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
 

helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl

@@ -1053,14 +1053,27 @@ keycloak-bootstrap:
     deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
     keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
 
-  config:
   keycloak:
-      adminUser: "kcadmin"
-      adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+    connection:
+      baseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+    auth:
+      username: "kcadmin"
+      password: {{ .Values.secrets.keycloak.adminPassword | quote }}
       realm: {{ .Values.platform.realm | quote }}
-      intraCluster:
-        enabled: true
-        internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+  ldap:
+    baseDn: {{ .Values.ldap.baseDn | quote }}
+    connection:
+      host: {{ .Values.ldap.host | quote }}
+      port: "389"
+      protocol: "ldap"
+    auth:
+      bindDn: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
+      password: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
+
+  bootstrap:
+    ldapMappers:
+      - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
+      - ldapAndUserModelAttributeName: "oxContextIDNum"
     loginLinks:
       - link_number: 1
         language: "de"
@@ -1070,21 +1083,14 @@ keycloak-bootstrap:
         language: "en"
         description: "Forgot password?"
         href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
-    ums:
-      ldap:
-        internalHostname: {{ .Values.ldap.host | quote }}
-        baseDN: {{ .Values.ldap.baseDn | quote }}
-        readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
-        readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
-        mappers:
-          - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
-          - ldapAndUserModelAttributeName: "oxContextIDNum"
-      saml:
-        serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
     twoFactorAuthentication:
       enabled: true
       group: "2fa-users"
 
+  config:
+    saml:
+      serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+
   containerSecurityContext:
     enabled: true
     allowPrivilegeEscalation: false

helmfile/environments/default/charts.yaml

@@ -14,7 +14,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
     name: "opendesk-certificates"
-    version: "2.1.3"
+    version: "2.2.0"
     verify: true
   clamav:
     # providerCategory: 'Platform'
@@ -375,24 +375,10 @@ charts:
     # upstreamRepository: 'souvap/tooling/charts/univention/ums'
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ['0', '0', '1']
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    registry: "registry.souvap-univention.de"
-    repository: "souvap/tooling/charts/univention"
-    name: "ums"
-    version: "0.12.0"
-    verify: true
-  umsKeycloakBootstrap:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention-keycloak-bootstrap/ums-keycloak-bootstrap'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '0', '1']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "ums-keycloak-bootstrap"
-    version: "1.0.1"
+    name: "ums"
+    version: "0.13.0"
     verify: true
   xwiki:
     # providerCategory: 'Supplier'

helmfile/environments/default/global.gotmpl

@@ -17,7 +17,7 @@ global:
 
   ## Define synapse host
   #
-  synapseDomain: {{ env "SYNAPSE_DOMAIN" | quote }}
+  matrixDomain: {{ env "MATRIX_DOMAIN" | quote }}
 
   ## Define docker registry address.
   #

helmfile/environments/default/images.yaml

@@ -78,31 +78,31 @@ images:
     # providerResponsible: 'Nordeck'
     # upstreamRegistry: 'registry-1.docker.io'
     # upstreamRepository: 'jitsi/jibri'
-    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)-?\d?$'
     # upstreamMirrorStartFrom: ['8922']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri"
-    tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
+    tag: "stable-9457-2@sha256:eb079f650649c6336dc93eb30cdc086c0b784f5c3fe80ea3441a1f00ebf073f3"
   jicofo:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Nordeck'
     # upstreamRegistry: 'registry-1.docker.io'
     # upstreamRepository: 'jitsi/jicofo'
-    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)-?\d?$'
     # upstreamMirrorStartFrom: ['8922']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo"
-    tag: "stable-8922@sha256:820fcd4b072b29f42c1c37389fbefda1065f1e9654694941485dc08123c8a93b"
+    tag: "stable-9457-2@sha256:7d3213eea740721755da81ecfd9b500c71c610d04939b26de4434619a66e15e1"
   jitsi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Nordeck'
     # upstreamRegistry: 'registry-1.docker.io'
     # upstreamRepository: 'jitsi/web'
-    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)-?\d?$'
     # upstreamMirrorStartFrom: ['8922']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
-    tag: "stable-8922@sha256:24bd4179998fe01ace1be74e53fea5308f4d91722953bb4334611e6886753f46"
+    tag: "stable-9457-2@sha256:263e2e52934900547f1496eed965e2d3e01e9b8a251844bacbac49deba97f6b2"
   jitsiKeycloakAdapter:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Nordeck'
@@ -126,11 +126,11 @@ images:
     # providerResponsible: 'Nordeck'
     # upstreamRegistry: 'registry-1.docker.io'
     # upstreamRepository: 'jitsi/jvb'
-    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)-?\d?$'
     # upstreamMirrorStartFrom: ['8922']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
-    tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
+    tag: "stable-9457-2@sha256:2f10f28463e65a13a260d379c4cce62531d66a94bb8dcf2dbe88cdb4cd01b16c"
   mariadb:
     # providerCategory: 'Community'
     # providerResponsible: 'openDesk'
@@ -220,7 +220,7 @@ images:
     # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.19@sha256:ebe4e1187a474739794115ec97ba3759cf61fcc2967fc799ff1ec4e7ba0a4243"
+    tag: "1.1.21@sha256:ec63d564eb11d7ed213a5ef8719f2b3380e552f1ffb1251470b84c0c8937b7b8"
   nextcloudExporter:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -236,7 +236,7 @@ images:
     # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.3.10@sha256:ed038316eb84e42716c7c31d7275cddc1125781cbb7583e716a978b9407ba738"
+    tag: "1.3.12@sha256:54bb5a90ebe49b33b053e8a7df2fa8d8cb992b17f68a04d08357961c3aded0b0"
   nextcloudPHP:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -244,7 +244,7 @@ images:
     # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.8.9@sha256:9da3810989c60a3913f9ab366442925d39011a41c9f761ea05650de5935a4514"
+    tag: "1.8.11@sha256:85b3bbf027c9e6a2ccf411b8e2b3752f6a58a3a14f00fb92ecefd9e7ca0c6954"
   opendeskKeycloakBootstrap:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -262,7 +262,7 @@ images:
     # upstreamMirrorStartFrom: ['13', '1', '1']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "13.4.1@sha256:b72d3e841fa4da03fc284e0ef7c56e763a9b04188f4219e527d9de93ccc49fe3"
+    tag: "14.0.1@sha256:664f5131dbca43084dd3fb0be22d8520b3de4148f5511b25751f6bb8eb4e76c0"
   openprojectBootstrap:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -428,11 +428,11 @@ images:
     # providerResponsible: 'Nordeck'
     # upstreamRegistry: 'registry-1.docker.io'
     # upstreamRepository: 'jitsi/prosody'
-    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)$'
+    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)-?\d?$'
     # upstreamMirrorStartFrom: ['8922']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
-    tag: "stable-8922@sha256:243547f24ae7d686d1f0c18ee230cf93119a66f095dda282bacbf45d4bb69f77"
+    tag: "stable-9457-2@sha256:5364b0c9c6de654b7b31b5821e9cd7a39660a19010348e7ac56b85be2944daa0"
   redis:
     # providerCategory: 'Community'
     # providerResponsible: 'openDesk'
@@ -536,17 +536,17 @@ images:
     # upstreamMirrorStartFrom: ['22', '0', '3']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
-    tag: "23.0.7-ucs1@sha256:94b34cf3d9266435cf03549b58f874219ecbe9c38c18a070fea403d0cdd2bfc4"
+    tag: "24.0.3-ucs1@sha256:cc66a1730abdd5abe88ac5cf045b6558f289bf1ae8d077ee884a42d785742f8b"
   umsKeycloakBootstrap:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/images/univention-keycloak-bootstrap'
+    # upstreamRegistry: 'artifacts.software-univention.de'
+    # upstreamRepository: 'nubus/images/keycloak-bootstrap'
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '0', '5']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/univention-keycloak-bootstrap"
-    tag: "1.0.8@sha256:fef48cb1b2552977e8a4253516249b59ef6c42189dd13cd6d98269b8988b362a"
+    # upstreamMirrorStartFrom: ['0', '1', '0']
+    registry: "artifacts.software-univention.de"
+    repository: "nubus-dev/images/keycloak-bootstrap"
+    tag: "0.1.0-pre-feat-cleanup-redundant-values@sha256:3fd138b07f21979757eb4a6962e77ca734e15754e53f69df988607d0aa0947fa"
   umsKeycloakExtensionHandler:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'

helmfile/environments/test/values.yaml.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: "my_private_registry.domain.tld"
   imagePullSecrets:
     - "kyverno-test"
   imagePullPolicy: "kyverno"