fix(minio): temporarily set minio provisioning ttl for debugging

README.md

@@ -29,7 +29,7 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
 openDesk currently features the following functional main components:
 
 | Function             | Functional Component        | Component<br/>Version                                                                 | Upstream Documentation                                                                                                                       |
-| -------------------- | --------------------------- |---------------------------------------------------------------------------------------| -------------------------------------------------------------------------------------------------------------------------------------------- |
+| -------------------- | --------------------------- | ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.67](https://github.com/element-hq/element-desktop/releases/tag/v1.11.67)        | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                  | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |

docs/components.md

@@ -33,7 +33,6 @@ they need to be replaced in production deployments.
 | ClamAV (Simple)             | Antivirus engine               | Eval       |
 | Collabora                   | Weboffice                      | Functional |
 | CryptPad                    | Weboffice                      | Functional |
-| dkimpy-milter               | DKIM milter for Postfix        | Eval       |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |

docs/getting-started.md

@@ -60,16 +60,16 @@ The deployment is designed to deploy each application/service under a dedicated
 For your convenience, we recommend to create a `*.domain.tld` A-Record to your cluster ingress controller,
 otherwise you need to create an A-Record for each subdomain.
 
-| Record name                   | Type | Value                                              | Additional information                                           |
+| Record name             | Type | Value                                              | Additional information                                                             |
-|-------------------------------|------|----------------------------------------------------|------------------------------------------------------------------|
+| ----------------------- | ---- | -------------------------------------------------- | ---------------------------------------------------------------------------------- |
-| *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                  |
+| *.domain.tld            | A    | IPv4 address of your Ingress Controller            |                                                                                    |
-| *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                  |
+| *.domain.tld            | AAAA | IPv6 address of your Ingress Controller            |                                                                                    |
-| mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
+| mail.domain.tld         | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                   |
-| mail.domain.tld               | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
+| mail.domain.tld         | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                   |
-| domain.tld                    | MX   | `10 mail.domain.tld`                               |                                                                  |
+| domain.tld              | MX   | `10 mail.domain.tld`                               |                                                                                    |
-| domain.tld                    | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                       |
+| domain.tld              | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                                         |
-| _dmarc.domain.tld             | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                         |
+| _dmarc.domain.tld       | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                                           |
-| default._domainkey.domain.tld | TXT  | `v=DKIM1; k=rsa; h=sha256; ...`                    | Optional DKIM settings                                           |
+| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
 
 ## Domain
 
@@ -263,8 +263,6 @@ To use the openDesk functionality with its web based user interface you need to
 
 | Component          | Description             |  Port | Type |
 | ------------------ | ----------------------- | ----: | ---: |
-| openDesk           | Kubernetes Ingress      |    80 |  TCP |
-| openDesk           | Kubernetes Ingress      |   443 |  TCP |
 | Jitsi Video Bridge | ICE Port for video data | 10000 |  UDP |
 
 #### Mail clients
@@ -290,20 +288,6 @@ smtp:
   password: "secret"
 ```
 
-Enabling DKIM signing of emails helps to reduce spam and increases trust.
-openDesk ships dkimpy-milter as Postfix milter for signing mails.
-
-```yaml
-dkimpy:
-  enable: true
-  dkim:
-    key:
-      value: |
-        HzZs08QF1O7UiAkcM9T3U7rePPECtSFvWZIvyKqdg8E=
-    selector: "default"
-    useED25519: true # when false, RSA is used
-```
-
 ### TURN configuration
 
 Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -54,13 +54,11 @@ configuration:
       enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
     
     smtp:
-      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ if .Values.functional.email.systemGenerated.useComponentInSenderdomain }}{{ .Values.global.hosts.element }}.{{ end }}{{ .Values.global.domain }}"
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ .Values.smtp.host | quote }}
-      port: 25
+      port: {{ .Values.smtp.port }}
-      tls: false
+      username: {{ .Values.smtp.username | quote }}
-      starttls: false
+      password: {{ .Values.smtp.password | quote }}
-      username: ""
-      password: ""
 
     oidc:
       clientId: "opendesk-matrix"

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -75,17 +75,14 @@ configuration:
       value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   smtp:
     auth:
-      enabled: false
       username:
-        value: ""
+        value: {{ .Values.smtp.username | quote }}
       password:
-        value: ""
+        value: {{ .Values.smtp.password | quote }}
-    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    host: {{ .Values.smtp.host | quote }}
-    port: 25
+    port: {{ .Values.smtp.port | quote }}
     fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
-    mailDomain: "{{ .Values.global.domain }}"
+    mailDomain: "{{ if .Values.functional.email.systemGenerated.useComponentInSenderdomain }}{{ .Values.global.hosts.nextcloud }}.{{ end }}{{ .Values.global.domain }}"
-    security: ""
-    skipVerifyPeer: true
   quota:
     default: "{{ .Values.functional.filestore.quota.default }} GB"
     retentionObligation:

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -83,7 +83,7 @@ keycloak:
 
 nubusGuardian:
   provisioning:
-    enabled: false
+    enabled: true
     config:
       keycloak:
         credentialSecret:
@@ -152,13 +152,10 @@ nubusKeycloakExtensions:
         key: "umcKeycloakExtensionsDatabasePassword"
   smtp:
     connection:
-      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      host: {{ .Values.smtp.host | quote }}
-      port: 25
+      port: {{ .Values.smtp.port | quote }}
-      ssl: false
-      starttls: false
     auth:
-      enabled: false
+      username: {{ .Values.smtp.username | quote }}
-      username: ""
       credentialSecret:
         name: "ums-keycloak-extensions-smtp-opendesk-credentials"
         key: "umcKeycloakExtensionsSmtpPassword"
@@ -166,16 +163,20 @@ nubusKeycloakExtensions:
     appConfig:
       logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
       newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ if .Values.functional.email.systemGenerated.useComponentInSenderdomain }}{{ .Values.global.hosts.keycloak }}.{{ end }}{{ .Values.global.domain }}"
 
-nubusPortalListener:
+nubusPortalConsumer:
-  portalListener:
+  portalConsumer:
+    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
     objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
     objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
     objectStorageCredentialSecret:
-      name: "ums-portal-listener-minio-opendesk-credentials"
+      name: "ums-portal-consumer-minio-opendesk-credentials"
       accessKeyKey: "access-key-id"
       secretKeyKey: "secret-key-id"
+  provisioningApi:
+    auth:
+      username: "portal-consumer"
 
 nubusPortalServer:
   portalServer:
@@ -189,15 +190,12 @@ nubusPortalServer:
       enabled: true
       authenticatorSecretName: "ums-opendesk-portal-server-central-navigation"
 
-# NOTE: disabled until the next update.
 nubusProvisioning:
-  enabled: false
+  enabled: true
 nubusUdmListener:
-  enabled: false
+  enabled: true
 nubusSelfServiceListener:
   enabled: true
-  selfserviceListener:
-    umcAdminUser: "default.admin"
 
 # Nubus services
 nubusStackDataUms:
@@ -216,12 +214,6 @@ nubusStackDataUms:
 
 # TODO: Remove values when upstreaming fixes
 nubusStackDataSwp:
-  stackDataSwp:
-    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
-    systemInformation:
-      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
-      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
-    {{- end }}
   stackDataContext:
     ldapSearchUsers:
       {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
@@ -230,10 +222,9 @@ nubusStackDataSwp:
         lastname: "LDAP-Search-User"
       {{- end }}
     externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
-    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpHost: {{ .Values.smtp.host | quote }}
-    smtpPort: 25
+    smtpPort: {{ .Values.smtp.port | quote }}
-    smtpUser: ""
+    smtpUser: {{ .Values.smtp.username | quote }}
-    smtpStartTls: false
     ldapBase: {{ .Values.ldap.baseDn }}
     # FIXME: Should be templated correctly in the future
     portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
@@ -319,15 +310,15 @@ extraSecrets:
       umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
   - name: "ums-keycloak-extensions-smtp-opendesk-credentials"
     stringData:
-      umcKeycloakExtensionsSmtpPassword: ""
+      umcKeycloakExtensionsSmtpPassword: {{ .Values.smtp.password | quote }}
   - name: "ums-portal-server-minio-opendesk-credentials"
     stringData:
       access-key-id: {{ .Values.objectstores.nubus.username | quote }}
       secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
-  - name: "ums-portal-listener-minio-opendesk-credentials"
+  - name: "ums-portal-consumer-minio-opendesk-credentials"
     stringData:
       access-key-id: {{ .Values.objectstores.nubus.username | quote }}
       secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
   - name: "ums-umc-server-smtp-credentials-custom"
     stringData:
-      password: ""
+      password: {{ .Values.smtp.password | quote }}

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -81,15 +81,17 @@ nubusKeycloakExtensions:
     resources:
       {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
 
-nubusPortalListener:
+nubusPortalConsumer:
   podAnnotations:
-    intents.otterize.com/service-name: "ums-portal-listener"
+    intents.otterize.com/service-name: "ums-portal-consumer"
-  replicaCount: {{ .Values.replicas.umsPortalListener }}
+  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
   resources:
-    {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
+    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
+  resourcesWaitForDependency:
+    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
   persistence:
     storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.nubus.portalListener | quote }}
+    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
 
 nubusPortalServer:
   additionalAnnotations:

helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl

@@ -49,7 +49,6 @@ nubusLdapServer:
       repository: {{ .Values.images.nubusWaitForDependency.repository }}
       tag: {{ .Values.images.nubusWaitForDependency.tag }}
 
-
 nubusPortalConsumer:
   portalConsumer:
     image:
@@ -57,7 +56,6 @@ nubusPortalConsumer:
       repository: {{ .Values.images.nubusPortalConsumer.repository }}
       tag: {{ .Values.images.nubusPortalConsumer.tag }}
 
-
 nubusNotificationsApi:
   image:
     registry: {{ .Values.images.nubusNotificationsApi.registry }}
@@ -70,11 +68,12 @@ nubusPortalFrontend:
     repository: {{ .Values.images.nubusPortalFrontend.repository }}
     tag: {{ .Values.images.nubusPortalFrontend.tag }}
 
-nubusPortalListener:
+nubusPortalConsumer:
-  image:
+  portalConsumer:
-    registry: {{ .Values.images.nubusPortalListener.registry }}
+    image:
-    repository: {{ .Values.images.nubusPortalListener.repository }}
+      registry: {{ .Values.images.nubusPortalConsumer.registry }}
-    tag: {{ .Values.images.nubusPortalListener.tag }}
+      repository: {{ .Values.images.nubusPortalConsumer.repository }}
+      tag: {{ .Values.images.nubusPortalConsumer.tag }}
   waitForDependency:
     image:
       registry: {{ .Values.images.nubusWaitForDependency.registry }}
@@ -154,6 +153,7 @@ nubusSelfServiceListener:
       registry: {{ .Values.images.nubusSelfserviceListener.registry }}
       repository: {{ .Values.images.nubusSelfserviceListener.repository }}
       tag: {{ .Values.images.nubusSelfserviceListener.tag }}
+
   selfserviceInvitation:
     image:
       registry: {{ .Values.images.nubusSelfserviceInvitation.registry }}

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -28,8 +28,7 @@ config:
       {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
   managed:
     clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
-    # 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
+    clients: [ 'UMC', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
-    clients: [ 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
   keycloak:
     adminUser: "kcadmin"
     adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -571,296 +570,6 @@ config:
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk-xwiki-scope"
-      - name: "guardian-management-api"
-        clientId: "guardian-management-api"
-        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        protocol: "openid-connect"
-        publicClient: false
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
-        fullScopeAllowed: true
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: false
-        serviceAccountsEnabled: true
-        protocolMappers:
-          - name: "Client Host"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientHost"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientHost"
-              jsonType.label: "String"
-          - name: "Client ID"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "client_id"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "client_id"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              userinfo.token.claim: false
-              id.token.claim: false
-              access.token.claim: true
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-cli"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "Client IP Address"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientAddress"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientAddress"
-              jsonType.label: "String"
-      - name: "guardian-scripts"
-        clientId: "guardian-scripts"
-        description: ""
-        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        surrogateAuthRequired: false
-        enabled: true
-        alwaysDisplayInConsole: false
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
-        webOrigins:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        bearerOnly: false
-        consentRequired: false
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: true
-        serviceAccountsEnabled: false
-        publicClient: true
-        frontchannelLogout: false
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-scripts"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              aggregate.attrs: false
-              multivalued: false
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-        defaultClientScopes:
-          - "web-origins"
-          - "acr"
-          - "roles"
-          - "profile"
-          - "email"
-        optionalClientScopes:
-          - "address"
-          - "phone"
-          - "offline_access"
-          - "microprofile-jwt"
-      - name: "guardian-ui"
-        clientId: "guardian-ui"
-        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
-        standardFlowEnabled: true
-        publicClient: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: false
-        serviceAccountsEnabled: false
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: "false"
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -36,7 +36,7 @@ dovecot:
   submission:
     enabled: true
     ssl: "no"
-    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
+    host: "postfix:25"
 
 certificate:
   secretName: {{ .Values.ingress.tls.secretName | quote }}

helmfile/apps/openproject/values.yaml.gotmpl

@@ -59,15 +59,15 @@ environment:
   OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
-  OPENPROJECT_SMTP__USER__NAME: ""
+  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
-  OPENPROJECT_SMTP__PASSWORD: ""
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
-  OPENPROJECT_SMTP__PORT: 25
+  OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
-  OPENPROJECT_SMTP__AUTHENTICATION: "none"
+  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
-  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
+  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
-  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"
+  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
-  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ if .Values.functional.email.systemGenerated.useComponentInSenderdomain }}{{ .Values.global.hosts.openproject }}.{{ end }}{{ .Values.global.domain }}"
   OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.nubus .Values.global.domain | quote }}
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"

helmfile/apps/services/helmfile-child.yaml

@@ -57,17 +57,6 @@ repositories:
     url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
       {{ .Values.charts.mariadb.repository }}"
 
-  # openDesk dkimpy-milter
-  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
-  - name: "dkimpy-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.dkimpy.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/\
-      {{ .Values.charts.dkimpy.repository }}"
-
   # openDesk Postfix
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
   - name: "postfix-repo"
@@ -189,14 +178,6 @@ releases:
     installed: {{ .Values.postfix.enabled }}
     timeout: 900
 
-  - name: "opendesk-dkimpy-milter"
-    chart: "dkimpy-repo/{{ .Values.charts.dkimpy.name }}"
-    version: "{{ .Values.charts.dkimpy.version }}"
-    values:
-      - "values-dkimpy.yaml.gotmpl"
-    installed: {{ .Values.dkimpy.enabled }}
-    timeout: 900
-
   - name: "clamav"
     chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
     version: "{{ .Values.charts.clamav.version }}"

helmfile/apps/services/values-dkimpy.yaml.gotmpl

@@ -1,44 +0,0 @@
-# SPDX-FileCopyrightText: Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
----
-containerSecurityContext:
-  allowPrivilegeEscalation: true
-  capabilities: {}
-  enabled: true
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 1000
-  runAsGroup: 1000
-  privileged: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.dkimpy | toYaml | nindent 4 }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.dkimpy.registry | quote }}
-  repository: {{ .Values.images.dkimpy.repository | quote }}
-  tag: {{ .Values.images.dkimpy.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-
-configuration:
-  domain: "{{ .Values.global.domain }}{{ if .Values.global.mailDomain }}, {{ .Values.global.mailDomain }}{{ end }}"
-  key:
-    {{ .Values.smtp.dkim.key | toYaml | nindent 4 }}
-  mode: "s"
-  selector: {{ .Values.smtp.dkim.selector }}
-  useED25519: {{ .Values.smtp.dkim.useED25519 }}
-
-replicaCount: {{ .Values.replicas.dkimpy }}
-
-resources:
-  {{ .Values.resources.dkimpy | toYaml | nindent 2 }}
-...

helmfile/apps/services/values-mariadb.yaml.gotmpl

@@ -3,7 +3,6 @@
 ---
 cleanup:
   deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
@@ -36,32 +35,19 @@ job:
   retries: 10
   wait: 30
   users:
-    - username: {{ .Values.databases.nextcloud.username | quote }}
-      password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
-      connectionLimit: {{ .Values.databases.nextcloud.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
-    # OX and XWiki are using the db's `root` users (see `database.yaml`). So we are statically referencing their dedicated
-    # users for the moment.
-    - username: "openxchange_user"
-    # - username: {{ .Values.databases.xwiki.username | quote }}
-      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
-      connectionLimit: {{ .Values.databases.oxAppsuite.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
     - username: "xwiki_user"
-    # - username: {{ .Values.databases.oxAppsuite.username | quote }}
       password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
-      connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "openxchange_user"
+      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
+    - username: "nextcloud_user"
+      password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
   databases:
-    - name: {{ .Values.databases.nextcloud.name | quote }}
-      user: {{ .Values.databases.nextcloud.username | quote }}
-    # OX and XWiki are using the db's `root` users (see `database.yaml`). So we are statically referencing their dedicated
-    # users for the moment.
-    - name: "openxchange"
-      user: "openxchange_user"
-    # - name: {{ .Values.databases.oxAppsuite.name | quote }}
-    #   user: {{ .Values.databases.oxAppsuite.username | quote }}
     - name: "xwiki"
       user: "xwiki_user"
-    # - name: {{ .Values.databases.xwiki.name | quote }}
+    - name: "nextcloud"
-    #   user: {{ .Values.databases.xwiki.username | quote }}
+      user: "nextcloud_user"
+    - name: "openxchange"
+      user: "openxchange_user"
 
 mariadb:
   rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -85,8 +85,8 @@ persistence:
 provisioning:
   enabled: true
   cleanupAfterFinished:
-    enabled: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+    enabled: true
-    seconds: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+    seconds: 3000
   extraCommands:
     - "mc anonymous set download provisioning/ums/portal-assets"
   buckets:

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -49,9 +49,6 @@ postfix:
     - fileName: "sasl_passwd.map"
       content:
         - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  {{- if .Values.dkimpy.enabled }}
-  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
-  {{- end }}
   rspamdHost: ""
   relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
   relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}

helmfile/apps/services/values-postgresql.yaml.gotmpl

@@ -1,10 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-cleanup:
-  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
-
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -21,6 +17,8 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}
 
+job:
+
 podSecurityContext:
   enabled: true
   fsGroup: 1001
@@ -45,43 +43,36 @@ image:
 
 job:
   users:
-    - username: {{ .Values.databases.keycloak.username | quote }}
+    - username: "keycloak_user"
       password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
-      connectionLimit: {{ .Values.databases.keycloak.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "openproject_user"
-    - username: {{ .Values.databases.openproject.username | quote }}
       password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
-      connectionLimit: {{ .Values.databases.openproject.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "keycloak_extensions_user"
-    - username: {{ .Values.databases.keycloakExtension.username | quote }}
       password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
-      connectionLimit: {{ .Values.databases.keycloakExtension.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "matrix_user"
-    - username: {{ .Values.databases.synapse.username | quote }}
       password: {{ .Values.secrets.postgresql.matrixUser | quote }}
-      connectionLimit: {{ .Values.databases.synapse.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "notificationsapi_user"
-    - username: {{ .Values.databases.umsNotificationsApi.username | quote }}
       password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
-      connectionLimit: {{ .Values.databases.umsNotificationsApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "guardianmanagementapi_user"
-    - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
       password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
-      connectionLimit: {{ .Values.databases.umsGuardianManagementApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "selfservice_user"
-    - username: {{ .Values.databases.umsSelfservice.username | quote }}
       password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-      connectionLimit: {{ .Values.databases.umsSelfservice.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
   databases:
-    - name: {{ .Values.databases.keycloak.name | quote }}
+    - name: "keycloak"
-      user: {{ .Values.databases.keycloak.username | quote }}
+      user: "keycloak_user"
-    - name: {{ .Values.databases.keycloakExtension.name | quote }}
+    - name: "keycloak_extensions"
-      user: {{ .Values.databases.keycloakExtension.username | quote }}
+      user: "keycloak_extensions_user"
-    - name: {{ .Values.databases.openproject.name | quote }}
+    - name: "openproject"
-      user: {{ .Values.databases.openproject.username | quote }}
+      user: "openproject_user"
-    - name: {{ .Values.databases.synapse.name | quote }}
+    - name: "matrix"
-      user: {{ .Values.databases.synapse.username | quote }}
+      user: "matrix_user"
       additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
-    - name: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+    - name: "guardianmanagementapi"
-      user: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+      user: "guardianmanagementapi_user"
-    - name: {{ .Values.databases.umsNotificationsApi.name | quote }}
+    - name: "notificationsapi"
-      user: {{ .Values.databases.umsNotificationsApi.username | quote }}
+      user: "notificationsapi_user"
-    - name: {{ .Values.databases.umsSelfservice.name | quote }}
+    - name: "selfservice"
-      user: {{ .Values.databases.umsSelfservice.username | quote }}
+      user: "selfservice_user"
 
 persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -137,10 +137,12 @@ properties:
   "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
   "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
   ## SMTP settings
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ if .Values.functional.email.systemGenerated.useComponentInSenderdomain }}{{ .Values.global.hosts.xwiki }}.{{ end }}{{ .Values.global.domain }}"
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ .Values.smtp.host | quote }}
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": {{ .Values.smtp.port | quote }}
-  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.username": {{ .Values.smtp.username | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.password": {{ .Values.smtp.password | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=true"
   ## Link LDAP users and users authenticated through OIDC
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"

helmfile/environments/default/charts.yaml

@@ -60,18 +60,6 @@ charts:
     name: "cryptpad"
     version: "0.0.19"
     verify: true
-  dkimpy:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter/opendesk-dkimpy-milter"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "0", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter"
-    name: "opendesk-dkimpy-milter"
-    version: "1.0.0"
-    verify: true
   dovecot:
     # providerCategory: "Platform"
     # providerResponsible: "Open-Xchange"
@@ -90,7 +78,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "3.3.2"
+    version: "3.3.0"
     verify: true
   elementWellKnown:
     # providerCategory: "Platform"
@@ -100,7 +88,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "3.3.2"
+    version: "3.3.0"
     verify: true
   home:
     # providerCategory: "Platform"
@@ -142,7 +130,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-mariadb"
     name: "mariadb"
-    version: "2.3.1"
+    version: "2.2.1"
     verify: true
   matrixNeoboardWidget:
     # providerCategory: "Platform"
@@ -192,7 +180,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
-    version: "3.3.2"
+    version: "3.3.0"
     verify: true
   memcached:
     # providerCategory: "Community"
@@ -266,7 +254,7 @@ charts:
     registry: "artifacts.software-univention.de"
     repository: "nubus-dev/charts"
     name: "nubus"
-    version: "0.38.1-pre-jlohmer-provisioning-consumer-feature-flag"
+    version: "0.34.0-pre-jlohmer-provisioning-consumer-integration"
     verify: true
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
@@ -352,7 +340,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "2.3.0"
+    version: "2.2.0"
     verify: true
   postgresql:
     # providerCategory: "Platform"
@@ -362,7 +350,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postgresql"
     name: "postgresql"
-    version: "2.1.1"
+    version: "2.0.5"
     verify: true
   redis:
     # providerCategory: "Community"
@@ -382,7 +370,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "3.3.2"
+    version: "3.3.0"
     verify: true
   synapseCreateAccount:
     # providerCategory: "Platform"
@@ -392,7 +380,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "3.3.2"
+    version: "3.3.0"
     verify: true
   synapseWeb:
     # providerCategory: "Platform"
@@ -402,7 +390,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "3.3.2"
+    version: "3.3.0"
     verify: true
   xwiki:
     # providerCategory: "Supplier"

helmfile/environments/default/database.yaml

@@ -2,76 +2,62 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 databases:
-  defaults:
-    userConnectionLimit: 100
   keycloak:
     name: "keycloak"
     host: "postgresql"
     port: 5432
     username: "keycloak_user"
     password: ""
-    connectionLimit: ~
   keycloakExtension:
     name: "keycloak_extensions"
     host: "postgresql"
     port: 5432
     username: "keycloak_extensions_user"
     password: ""
-    connectionLimit: ~
   nextcloud:
     name: "nextcloud"
     host: "mariadb"
     port: 3306
     username: "nextcloud_user"
     password: ""
-    connectionLimit: ~
   openproject:
     name: "openproject"
     host: "postgresql"
     port: 5432
     username: "openproject_user"
     password: ""
-    connectionLimit: ~
   oxAppsuite:
-    name: "configdb"
     host: "mariadb"
-    port: 3306
+    name: "configdb"
     username: "root"
     password: ""
-    connectionLimit: ~
   synapse:
-    name: "matrix"
     host: "postgresql"
-    port: 5432
+    name: "matrix"
     username: "matrix_user"
     password: ""
-    connectionLimit: ~
+    port: 5432
   umsGuardianManagementApi:
     name: "guardianmanagementapi"
     host: "postgresql"
     port: 5432
     username: "guardianmanagementapi_user"
     password: ""
-    connectionLimit: ~
   umsNotificationsApi:
     name: "notificationsapi"
     host: "postgresql"
     port: 5432
     username: "notificationsapi_user"
     password: ""
-    connectionLimit: ~
   umsSelfservice:
     name: "selfservice"
     host: "postgresql"
     port: 5432
     username: "selfservice_user"
     password: ""
-    connectionLimit: 10
   xwiki:
     name: "xwiki"
     host: "mariadb"
-    port: 3306
     username: "root"
     password: ""
-    connectionLimit: ~
 ...

helmfile/environments/default/functional.yaml

@@ -30,6 +30,11 @@ functional:
         # Disable to not support Matrix federation with your installation.
         enabled: true
 
+  email:
+    systemGenerated:
+      # By disabling all mails are sent from @<domain> instead of @<component>.<domain>.
+      useComponentInSenderdomain: true
+
   filestore:
     quota:
       # Set the default quota for all users in GB

helmfile/environments/default/images.yaml

@@ -30,14 +30,6 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad"
     tag: "opendesk-20231222@sha256:f4d20d5c38c87b11ed1a1b46ef6a3633d32c6758ebdff8556458f040318fa5e2"
-  dkimpy:
-    # providerCategory: "Platform"
-    # providerResponsible: "openDesk"
-    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: "bmi/opendesk/components/platform-development/images/dkimpy-milter"
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/images/dkimpy-milter"
-    tag: "1.1.0@sha256:f140c7fc3fd9636addc612edd6e10f6aefa69e34ff637c95ce9036a32e44555f"
   dovecot:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -203,11 +195,9 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/memcached"
-    # registry: "registry-1.docker.io"
+    registry: "registry-1.docker.io"
-    # repository: "bitnami/memcached"
-    registry: "docker.io"
     repository: "bitnami/memcached"
-    tag: "1.6.29-debian-12-r4"
+    tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
   migrations:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -229,11 +219,9 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/minio"
-    # registry: "registry-1.docker.io"
+    registry: "registry-1.docker.io"
-    # repository: "bitnami/minio"
-    registry: "docker.io"
     repository: "bitnami/minio"
-    tag: "2024.8.17-debian-12-r0"
+    tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
   nextcloudApache2:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -273,11 +261,9 @@ images:
     # upstreamRepository: "nubus/images/data-loader"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "41", "5"]
-    # registry: "registry.opencode.de"
+    registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    registry: "artifacts.software-univention.de"
+    tag: "0.60.0@sha256:9b43a66c32f4f66143db00b71cc62966df6ed809ec023a0d573a015f5d15305a"
-    repository: "nubus/images/data-loader"
-    tag: "0.61.0@sha256:598e9fa176c71a6da90ab200ca52abd88176c8cb22a1bf56fec9cd0daf58f58f"
   nubusGuardianAuthorizationApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -315,11 +301,9 @@ images:
     # upstreamRepository: "nubus/images/guardian-init"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "3", "0"]
-    # registry: "registry.opencode.de"
+    registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    registry: "artifacts.software-univention.de"
+    tag: "0.9.1@sha256:6006fb1c2779b906e7725df524f2587b2a610cc442793bf8f16b2b4b8c0494fb"
-    repository: "nubus/images/guardian-init"
-    tag: "0.10.0@sha256:480943182f20b04b3d37b340e701545e002710c6668925de3758587174c5ee56"
   nubusKeycloak:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -337,11 +321,9 @@ images:
     # upstreamRepository: "nubus/images/keycloak-bootstrap"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "1", "0"]
-    # registry: "registry.opencode.de"
+    registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    registry: "artifacts.software-univention.de"
+    tag: "0.1.0@sha256:351097e9e7b469f2fc149fe612ec6ad515d5e6b081d7e2785bd926a1d77209d2"
-    repository: "nubus/images/keycloak-bootstrap"
-    tag: "0.1.2"
   nubusKeycloakExtensionHandler:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -369,11 +351,9 @@ images:
     # upstreamRepository: "nubus/images/ldap-notifier"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "8", "2"]
-    # registry: "registry.opencode.de"
+    registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    registry: "artifacts.software-univention.de"
+    tag: "0.15.2@sha256:1f2a9d2136c8e87a4c4a59a94a2235d00e969c98bd7bfe75707a299918f271b5"
-    repository: "nubus/images/ldap-notifier"
-    tag: "0.22.1@sha256:34a7afc7789705f964846b340c0368d144cff397c718fda8902944cf22e61c15"
   nubusLdapServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -423,9 +403,11 @@ images:
     # upstreamRepository: "nubus/images/notifications-api"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
+    # registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.27.0@sha256:d99173199f20c701b29b8a3c1a46465085a873b37f413882e7d2e106e258c35a"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/notifications-api"
+    tag: "0.31.1@sha256:cc51d3d7c25f2bef2bda4f3baad0c29dc428b798be78697d58739eb6a79636d2"
   nubusOpenPolicyAgent:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -443,11 +425,9 @@ images:
     # upstreamRepository: "nubus/images/ox-extension"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "10", "0"]
-    # registry: "registry.opencode.de"
+    registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
-    registry: "artifacts.software-univention.de"
+    tag: "0.10.0@sha256:f6f32ce0486594eca9c8682b10f60e9d174a526d5acd2ba4d0abcb8f522539b9"
-    repository: "nubus/images/ox-extension"
-    tag: "0.11.0"
   nubusPortalConsumer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -465,11 +445,9 @@ images:
     # upstreamRepository: "nubus/images/portal-extension"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "28", "0"]
-    # registry: "registry.opencode.de"
+    registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    registry: "artifacts.software-univention.de"
+    tag: "0.28.0@sha256:1ec467bebc402265e1c24b3d441c211faad1a025ded41afe8dd4687b7ad5a9a4"
-    repository: "nubus/images/portal-extension"
-    tag: "0.28.0"
   nubusPortalFrontend:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -477,9 +455,11 @@ images:
     # upstreamRepository: "nubus/images/portal-frontend"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
+    # registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.29.0@sha256:3af3d5d24f690557b4a644d5720113dca0c802465b0e43466b49db27acd37939"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/portal-frontend"
+    tag: "0.31.1@sha256:499266cb7c645775dd2d0c9f386498114ab0dcda67b014db0e86735d757b4187"
   nubusPortalListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -497,9 +477,11 @@ images:
     # upstreamRepository: "nubus/images/portal-server"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
+    # registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.27.0@sha256:e1ad659feb4a1948d07e6e7d99b94b6bdbd4525d96f4cf9a010b75189f0082fc"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/portal-server"
+    tag: "0.31.1@sha256:381e0cbbcac0e9bba6d3c1c7fe7757d18c09e7afaab912c02f38bdfa481723cd"
   nubusProvisioningDispatcher:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -521,7 +503,7 @@ images:
     # repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
     registry: "artifacts.software-univention.de"
     repository: "nubus/images/provisioning-events-and-consumer-api"
-    tag: "0.36.0@sha256:69dd2946e7b05384304eeeca50dea645d20f7658d225e7c532381c3bdf2027ce"
+    tag: "0.34.0@sha256:7fc2ab2a89b46cd95c20f99e70636d62d45447ca2678fc78a620b4819521368f"
   nubusProvisioningPrefill:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -533,7 +515,7 @@ images:
     # repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
     registry: "artifacts.software-univention.de"
     repository: "nubus/images/provisioning-prefill"
-    tag: "0.36.0@sha256:147406648848c068aacc2cb467633d51c65cddbcaa622c352e5fe5349bf92ce6"
+    tag: "0.34.0@sha256:baab4e6e8393110ac7d159159dad9ecca74359ce74144dd51b4aec2a383778eb"
   nubusProvisioningUdmListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -545,7 +527,7 @@ images:
     # repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
     registry: "artifacts.software-univention.de"
     repository: "nubus/images/provisioning-udm-listener"
-    tag: "0.36.0@sha256:8a960db9ff94b3c8a63be1588e47ccc1f62f3071abdce7ee2ef89afbe2674eed"
+    tag: "0.34.0@sha256:5f1177f58a189de935b73e905b9dff69b34f508a570244c75d5358cdb1bc2b27"
   nubusProvisioningUdmTransformer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -557,7 +539,7 @@ images:
     # repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
     registry: "artifacts.software-univention.de"
     repository: "nubus/images/provisioning-udm-transformer"
-    tag: "0.36.0@sha256:8080b55e705391aa2ac9b11db11dc1f984b5626271b2f175bfe26967b857b06d"
+    tag: "0.34.0@sha256:416ea5082d55346f58de535e39943552162a555455ae75f2efaad424e4fc8f70"
   nubusSelfserviceInvitation:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -603,11 +585,9 @@ images:
     # upstreamRepository: "nubus/images/umc-gateway"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "7", "3"]
-    # registry: "registry.opencode.de"
+    registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    registry: "artifacts.software-univention.de"
+    tag: "0.22.2@sha256:fe4d2c148946da6f5e92201f398ebd0d5a72795c50648993bd220ea1e228658d"
-    repository: "nubus/images/umc-gateway"
-    tag: "0.26.0@sha256:c8d025851ca45c50f61fa1da97681a583e07ab57945a0b9fecb56cefc1e11331"
   nubusUmcServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -797,7 +777,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/postfix"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/postfix"
-    tag: "2.0.0@sha256:5b2432dc09318db172a593bca860887ee9d713b9987db64f8b265f3e08a1d374"
+    tag: "1.0.0@sha256:61e4661a7323101dfb51c85c5a48c345c75436f3f533176f049d2660d711a8a5"
   postgresql:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"

helmfile/environments/default/opendesk_main.gotmpl

@@ -19,9 +19,6 @@ collabora:
 cryptpad:
   enabled: true
   namespace: ~
-dkimpy:
-  enabled: false
-  namespace: ~
 dovecot:
   enabled: true
   namespace: ~

helmfile/environments/default/persistence.yaml

@@ -19,7 +19,7 @@ persistence:
     nubus:
       ldapServerData: "1Gi"
       ldapServerShared: "1Gi"
-      portalListener: "1Gi"
+      portalConsumer: "1Gi"
       selfserviceListener: "1Gi"
     xwiki: "1Gi"
 ...

helmfile/environments/default/replicas.yaml

@@ -36,8 +36,6 @@ replicas:
   dovecot: 1
   # -- scalable: false
   postfix: 1
-  # -- scalable: true
-  dkimpy: 1
 
   # -- component: Chat (Element, Synapse)
   # -- scalable: true
@@ -81,7 +79,7 @@ replicas:
   # -- scalable: true
   umsPortalFrontend: 1
   # -- scalable: tbd
-  umsPortalListener: 1
+  umsPortalConsumer: 1
   # -- scalable: true
   umsPortalServer: 1
   # -- scalable: tbd

helmfile/environments/default/resources.yaml

@@ -25,13 +25,6 @@ resources:
     requests:
       cpu: 0.1
       memory: "512Mi"
-  dkimpy:
-    limits:
-      cpu: 99
-      memory: "256Mi"
-    requests:
-      cpu: 0.1
-      memory: "128Mi"
   dovecot:
     limits:
       cpu: 99
@@ -471,14 +464,14 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsPortalListener:
+  umsPortalConsumer:
     limits:
       cpu: 99
       memory: "1Gi"
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsPortalListenerDependencies:
+  umsPortalConsumerDependencies:
     limits:
       cpu: 99
       memory: "1Gi"

helmfile/environments/default/secrets.gotmpl

@@ -36,7 +36,7 @@ secrets:
       sysIdpUserPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "sysIdpUser" | sha1sum | quote }}
     storeDavUsers:
       portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
-      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
+      portalConsumer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-consumer" "store-dav" | sha1sum | quote }}
     provisioning:
       apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
       apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}

helmfile/environments/default/selinux.yaml

@@ -11,7 +11,6 @@ seLinuxOptions:
   clamd: ~
   collabora: ~
   cryptpad: ~
-  dkimpy: ~
   dovecot: ~
   element: ~
   freshclam: ~
@@ -77,7 +76,7 @@ seLinuxOptions:
   umsNotificationsApi: ~
   umsOpenPolicyAgent: ~
   umsPortalFrontend: ~
-  umsPortalListener: ~
+  umsPortalConsumer: ~
   umsPortalServer: ~
   umsProvisioningDispatcher: ~
   umsProvisioningEventsAndConsumerApi: ~

helmfile/environments/default/smtp.gotmpl

@@ -9,17 +9,4 @@ smtp:
   username: ""
   password: {{ env "SMTP_PASSWORD" | quote }}
   localpartNoReply: "no-reply"
-
-  # For the following settings to have effect `dkimpy.enabled` must be `true`.
-  dkim:
-    key:
-      # DKIM private key as plaintext value.
-      value: ""
-
-      # DKIM private key from existing secret. As a higher precedence than the plain `value`.
-      secret:
-        name: ""
-        key: ""
-    selector: "rsa"
-    useED25519: false
 ...

helmfile/environments/test/values.yaml.gotmpl

@@ -21,7 +21,7 @@ persistence:
     nubus:
       ldapServerData: "42Gi"
       ldapServerShared: "42Gi"
-      portalListener: "42Gi"
+      portalConsumer: "42Gi"
       selfserviceListener: "42Gi"
     postfix: "42Gi"
     postgresql: "42Gi"
@@ -76,7 +76,7 @@ replicas:
   umsLdapServer: 42
   umsNotificationsApi: 42
   umsPortalFrontend: 42
-  umsPortalListener: 42
+  umsPortalConsumer: 42
   umsPortalServer: 42
   umsSelfserviceListener: 42
   umsStackGateway: 42