fix(nubus): Fixup readonly user

README.md

@@ -38,7 +38,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [14.4.0](https://www.openproject.org/docs/release-notes/14-4-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.6.1.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.6.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.

cspell.json

@@ -73,7 +73,8 @@
         "Addressbooks",
         "filestore",
         "trashbin",
-        "bootstrap"
+        "bootstrap",
+        "configurability"
     ],
     "ignoreWords": [],
     "import": []

docs/migrations.md

@@ -8,7 +8,10 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [Releases upgrades](#releases-upgrades)
   * [From v0.9.0](#from-v090)
+    * [Manual interaction](#manual-interaction)
+      * [Fileshare configurability](#fileshare-configurability)
     * [Automated migrations](#automated-migrations)
+      * [Local Postfix as Relay](#local-postfix-as-relay)
       * [Updated IAM component Nubus](#updated-iam-component-nubus)
         * [Manual cleanup](#manual-cleanup)
   * [From v0.8.1](#from-v081)
@@ -31,18 +34,47 @@ Limitations:
 
 ## From v0.9.0
 
+### Manual interaction
+
+#### Fileshare configurability
+
+We provide now some configurability regarding the sharing capabilities of the Nextcloud component.
+
+The new default is different from the standard until now. To keep the current state after the upgrade from 0.9.0 you have to provide the following settings:
+
+```
+functional:
+  filestore:
+    sharing:
+      # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
+      enableExternalSharing: true
+      # Enforces passwords to be used on external shares.
+      enforceSharingPasswords: false
+```
+
 ### Automated migrations
 
+#### Local Postfix as Relay
+
+All components relay outgoing mails to the local Postfix. In order for the configuration to be picked up by all components the following restarts are triggered in the migrations `POST` stage:
+
+- Deployments:
+  - `opendesk-nextcloud-php`
+  - `ums-umc-server`
+- Stateful Sets:
+  - `ums-selfservice-listener`
+  - `opendesk-synapse`
+
 #### Updated IAM component Nubus
 
 openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The now redundant and scalable LDAP requires migration activities. These have been automated to avoid manual interaction. The `run_2` of the openDesk
 upgrade migrations executes the following steps:
 
-- Stage PRE:
+- Stage `PRE`:
   - Delete service `ums-keycloak`, as it will be recreated headless.
   - Scale down `statefulset/ums-ldap-server` and `statefulset/ums-ldap-notifier` in preparation or the next step:
   - Create two new PVCs `shared-data-ums-ldap-server-primary-0` and `shared-data-ums-ldap-server-primary-1` for the new LDAP primary pods as copy from the existing `shared-data-ums-ldap-server-0`. The LDAP secondaries will sync from the primary nodes.
-- Stage POST:
+- Stage `POST`:
   - Restart Keycloak.
 
 ##### Manual cleanup

helmfile/apps/collabora/values.yaml.gotmpl

@@ -7,7 +7,7 @@ autoscaling:
   enabled: false
 
 collabora:
-  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0"
+  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0 --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/richdocuments/settings/fonts.json"
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:

helmfile/apps/intercom-service/values.yaml.gotmpl

@@ -67,6 +67,26 @@ ingress:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
+provisioning:
+  enabled: true
+  config:
+    nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
+    keycloak:
+      url: "http://ums-keycloak:8080"
+      username: "kcadmin"
+      realm: {{ .Values.platform.realm | quote }}
+      connection:
+        host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+        baseUrl: "http://ums-keycloak:8080"
+      credentialSecret:
+        name: "ums-opendesk-keycloak-credentials"
+        key: "admin_password"
+    ics_client:
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+      credentialSecret:
+        key: "ics_secret"
+
+
 podSecurityContext:
   enabled: true
   fsGroup: 1000

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -73,6 +73,12 @@ configuration:
       value: "opendesk_username"
     password:
       value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  sharing:
+    allowLinks: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    allowMailNotification: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    allowPublicUpload: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    enforceLinksPassword: {{ .Values.functional.filestore.sharing.enforceSharingPasswords }}
+    enforcePasswordProtection: {{ .Values.functional.filestore.sharing.enforceSharingPasswords }}
   smtp:
     auth:
       enabled: false

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -38,7 +38,7 @@ global:
         registry: "registry.opencode.de"
         repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
         imagePullPolicy: "IfNotPresent"
-        tag: "1.1.0"
+        tag: "1.2.0"
 
   # -- Allows to configure the system extensions to load. This is intended for
   # internal usage, prefer to use `global.extensions` for user configured
@@ -85,7 +85,13 @@ nubusGuardian:
   provisioning:
     enabled: false
     config:
+      nubusBaseUrl: {{ printf "https://portal.%s" .Values.global.domain }}
       keycloak:
+        realm: {{ .Values.platform.realm | quote }}
+        username: "kcadmin"
+        connection:
+          host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+          baseUrl: "http://ums-keycloak:8080"
         credentialSecret:
           name: "ums-opendesk-keycloak-credentials"
           key: "admin_password"
@@ -209,6 +215,44 @@ nubusStackDataUms:
     externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     umcHtmlTitle: "openDesk Portal"
     installUmcPolicies: true
+  templateContext:
+    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
+    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
+    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
+    portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
+    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
+    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
+    portalTitleDE: "openDesk Portal"
+    portalTitleEN: "openDesk Portal"
+    oxDefaultContext: "1"
+    ldapSearchUsers:
+      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
+      - username: {{ printf "ldapsearch_%s" $username | quote }}
+        password: {{ $password | quote }}
+        lastname: "LDAP-Search-User"
+      {{- end }}
+    portaltileGroupUserStandard:
+      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
+      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupUserAdmin:
+      - 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
+      - 'cn=Support,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupUserAll:
+      - 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
+      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupGroupware:
+      - 'cn=managed-by-attribute-Groupware,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupFileshare:
+      - 'cn=managed-by-attribute-Fileshare,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupManagementProject:
+      - 'cn=managed-by-attribute-Projectmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupManagementKnowledge:
+      - 'cn=managed-by-attribute-Knowledgemanagement,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupManagementLearn:
+      - 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupLiveCollaboration:
+      - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
+
   nubusUmcServer:
     memcached:
       auth:

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -171,15 +171,6 @@ nubusUmcGateway:
   replicaCount: {{ .Values.replicas.umsUmcGateway }}
   resources:
     {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
-  extraVolumes:
-    - name: "entrypoint-swp-patches"
-      configMap:
-        name: "ums-stack-data-swp-umc-gateway-entrypoint"
-        defaultMode: 0555
-  extraVolumeMounts:
-    - name: "entrypoint-swp-patches"
-      mountPath: "/entrypoint.d/90-swp.sh"
-      subPath: "90-swp.sh"
 
 nubusKeycloakBootstrap:
   podAnnotations:

helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl

@@ -193,6 +193,11 @@ nubusUmcServer:
     registry: {{ .Values.images.nubusUmcServer.registry }}
     repository: {{ .Values.images.nubusUmcServer.repository }}
     tag: {{ .Values.images.nubusUmcServer.tag }}
+  proxy:
+    image:
+      registry: {{ .Values.images.nubusUmcServerProxy.registry }}
+      repository: {{ .Values.images.nubusUmcServerProxy.repository }}
+      tag: {{ .Values.images.nubusUmcServerProxy.tag }}
 
 nubusWaitForDependency:
   image:

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -389,60 +389,6 @@ config:
           backchannel.logout.session.required: false
         defaultClientScopes:
           - "opendesk-dovecot-scope"
-      - name: "opendesk-intercom"
-        clientId: "opendesk-intercom"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
-        consentRequired: false
-        frontchannelLogout: false
-        publicClient: false
-        authorizationServicesEnabled: false
-        attributes:
-          backchannel.logout.session.required: true
-          backchannel.logout.revoke.offline.tokens: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
-        protocolMappers:
-          - name: "intercom-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "opendesk-intercom"
-              id.token.claim: false
-              access.token.claim: true
-          # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
-          # it to `opendesk_useruuid` standard claim. For reference:
-          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
-          - name: "entryuuid_temp"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "entryUUID"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "entryuuid"
-              jsonType.label: "String"
-          # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
-          # set it to `opendesk_username` standard claim. For reference:
-          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
-          - name: "phoenixusername_temp"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "phoenixusername"
-              jsonType.label: "String"
-        defaultClientScopes:
-          - "offline_access"
       - name: "opendesk-jitsi"
         clientId: "opendesk-jitsi"
         protocol: "openid-connect"

helmfile/environments/default/charts.yaml

@@ -119,11 +119,11 @@ charts:
     # upstreamRepository: "nubus/charts/intercom-service"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["2", "0", "1"]
-    registry: "registry.opencode.de"
+    registry: "artifacts.software-univention.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    repository: "nubus/charts"
     name: "intercom-service"
-    version: "2.0.1"
+    version: "0.8.0"
-    verify: true
+    verify: false
   jitsi:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -232,7 +232,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "3.0.0"
+    version: "3.1.0"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -242,7 +242,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "3.0.0"
+    version: "3.1.0"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -261,10 +261,12 @@ charts:
     # upstreamRepository: "nubus/charts/nubus"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "19", "3"]
-    registry: "registry.opencode.de"
+    # registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/charts"
     name: "nubus"
-    version: "0.33.0"
+    version: "0.37.0"
     verify: true
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"

helmfile/environments/default/functional.yaml

@@ -34,6 +34,13 @@ functional:
     quota:
       # Set the default quota for all users in GB
       default: 1
+    # Options related to file sharing, changing these options might require a restart of the `opendesk-nextcloud-php` Pod(s).
+    sharing:
+      # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
+      # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
+      enableExternalSharing: false
+      # Enforces passwords to be used on external shares.
+      enforceSharingPasswords: true
     # Nextcloud specific configuration
     nextcloud:
       retentionObligation:

helmfile/environments/default/images.yaml

@@ -20,7 +20,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.6.1.1@sha256:6237af013065838be27faae69b26feec63de6de8412499285f5379d74fef7387"
+    tag: "24.04.6.2.1@sha256:7de9ac6ce5a256b0f74a56a4654acd851502dc9e3ed4d29949ba5642bacae308"
   cryptpad:
     # providerCategory: "Supplier"
     # providerResponsible: "XWiki"
@@ -79,9 +79,11 @@ images:
     # upstreamRepository: "univention/intercom-service"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["1", "6"]
-    registry: "registry.opencode.de"
+    #registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
+    #repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "1.6@sha256:f32c1e52fa132e9dc6973e9f8ed36a98c5c3e0bcd51c60f9a683e7e528dd2306"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus/images/intercom-service"
+    tag: "0.8.0@sha256:2e5e303c947aca687530244af5856cc4ba2b7cd880ff8348e922ac36c5f11167"
   jibri:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -237,7 +239,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.24@sha256:c9222da8be7af12c9076b41d1a14e019725afc075e1aaa2b727be21c1bf45f10"
+    tag: "1.2.0@sha256:f1c64bc7b9d1993a7c79ca73c1594fdea49ef4adf4ebe4286e01ccc1ad9290c7"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -253,7 +255,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.4.4@sha256:b70c159d6a1827748ca1f8fe0b9fd5b011eaed8719172105e1e9c8b8d776cf97"
+    tag: "1.5.3@sha256:19f5354a951b043327906d8670c0466e2a00317ad0dd4b99d0edf882e213d22f"
   nextcloudPHP:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -261,7 +263,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.10.3@sha256:e659ab95d0d3a33d4937354449c12fa46fe2669a866bbf432a9d729bed6d54f7"
+    tag: "1.11.3@sha256:c88af69971e2b2b1ead90db69d6af3355be5309d6c91b2b6a18fac2c6781b760"
   nubusDataLoader:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -271,7 +273,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "41", "5"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.60.0@sha256:9b43a66c32f4f66143db00b71cc62966df6ed809ec023a0d573a015f5d15305a"
+    tag: "0.61.0@sha256:598e9fa176c71a6da90ab200ca52abd88176c8cb22a1bf56fec9cd0daf58f58f"
   nubusGuardianAuthorizationApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -311,7 +313,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    tag: "0.9.1@sha256:6006fb1c2779b906e7725df524f2587b2a610cc442793bf8f16b2b4b8c0494fb"
+    tag: "0.10.0@sha256:480943182f20b04b3d37b340e701545e002710c6668925de3758587174c5ee56"
   nubusKeycloak:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -331,7 +333,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "1", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.1.0@sha256:351097e9e7b469f2fc149fe612ec6ad515d5e6b081d7e2785bd926a1d77209d2"
+    tag: "0.1.2@sha256:ea462e3e40843215814bddae0668dc56102864d99127ad3c8d9816d741886ac0"
   nubusKeycloakExtensionHandler:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -433,7 +435,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "10", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
-    tag: "0.10.0@sha256:f6f32ce0486594eca9c8682b10f60e9d174a526d5acd2ba4d0abcb8f522539b9"
+    tag: "0.11.0@sha256:2cb5a9683b6ff81b995a5c71da52c2ff8177b662bb0be8f11e9cd0c6b48d8a11"
   nubusPortalConsumer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -581,7 +583,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.22.2@sha256:fe4d2c148946da6f5e92201f398ebd0d5a72795c50648993bd220ea1e228658d"
+    tag: "0.26.0@sha256:c8d025851ca45c50f61fa1da97681a583e07ab57945a0b9fecb56cefc1e11331"
   nubusUmcServer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -591,7 +593,17 @@ images:
     # upstreamMirrorStartFrom: ["0", "7", "3"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.22.2@sha256:474497f561c3532b37b7d5e77ec36bd1fefc4fbeaab9747b481533b0da086586"
+    tag: "0.26.0@sha256:75d5527eb352307967e051bcb394217eab5ce1d0e95d213140169a376e4d8a79"
+  nubusUmcServerProxy:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "library/traefik"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["3", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/traefik"
+    tag: "3.0@sha256:9214fcecc5833b4df2bfe6bf92714f35220d79a4c5c626931701dbbdb555f86b"
   nubusWaitForDependency:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"

helmfile/environments/default/replicas.yaml

@@ -130,8 +130,8 @@ replicas:
   # -- component: Project management (OpenProject)
   # -- scalable: true
   openprojectWeb: 1
-  # -- scalable: tdb
+  # -- scalable: true
-  # -- comment: Async process that usually has no need for scaling
+  # -- comment: Async service working on processing queue content. Can work on queues in parallel (when needed). See [upstream Helm chart documentation](https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/) for details, as e.g. dedicated workers to specific queues are in general possible with OpenProject as well.Share 
   openprojectWorker: 1
 
   # -- component: Knowledge management (XWiki)