feat(nubus): OpenDesk UDM loader

README.md

@@ -38,7 +38,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [14.4.0](https://www.openproject.org/docs/release-notes/14-4-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.6.1.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Weboffice            | Collabora                   | [24.04.6.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.

cspell.json

@@ -73,7 +73,8 @@
         "Addressbooks",
         "filestore",
         "trashbin",
-        "bootstrap"
+        "bootstrap",
+        "configurability"
     ],
     "ignoreWords": [],
     "import": []

docs/migrations.md

@@ -8,7 +8,10 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [Releases upgrades](#releases-upgrades)
   * [From v0.9.0](#from-v090)
+    * [Manual interaction](#manual-interaction)
+      * [Fileshare configurability](#fileshare-configurability)
     * [Automated migrations](#automated-migrations)
+      * [Local Postfix as Relay](#local-postfix-as-relay)
       * [Updated IAM component Nubus](#updated-iam-component-nubus)
         * [Manual cleanup](#manual-cleanup)
   * [From v0.8.1](#from-v081)
@@ -31,18 +34,47 @@ Limitations:
 
 ## From v0.9.0
 
+### Manual interaction
+
+#### Fileshare configurability
+
+We provide now some configurability regarding the sharing capabilities of the Nextcloud component.
+
+The new default is different from the standard until now. To keep the current state after the upgrade from 0.9.0 you have to provide the following settings:
+
+```
+functional:
+  filestore:
+    sharing:
+      # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
+      enableExternalSharing: true
+      # Enforces passwords to be used on external shares.
+      enforceSharingPasswords: false
+```
+
 ### Automated migrations
 
+#### Local Postfix as Relay
+
+All components relay outgoing mails to the local Postfix. In order for the configuration to be picked up by all components the following restarts are triggered in the migrations `POST` stage:
+
+- Deployments:
+  - `opendesk-nextcloud-php`
+  - `ums-umc-server`
+- Stateful Sets:
+  - `ums-selfservice-listener`
+  - `opendesk-synapse`
+
 #### Updated IAM component Nubus
 
 openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The now redundant and scalable LDAP requires migration activities. These have been automated to avoid manual interaction. The `run_2` of the openDesk
 upgrade migrations executes the following steps:
 
-- Stage PRE:
+- Stage `PRE`:
   - Delete service `ums-keycloak`, as it will be recreated headless.
   - Scale down `statefulset/ums-ldap-server` and `statefulset/ums-ldap-notifier` in preparation or the next step:
   - Create two new PVCs `shared-data-ums-ldap-server-primary-0` and `shared-data-ums-ldap-server-primary-1` for the new LDAP primary pods as copy from the existing `shared-data-ums-ldap-server-0`. The LDAP secondaries will sync from the primary nodes.
-- Stage POST:
+- Stage `POST`:
   - Restart Keycloak.
 
 ##### Manual cleanup

helmfile/apps/collabora/values.yaml.gotmpl

@@ -7,7 +7,7 @@ autoscaling:
   enabled: false
 
 collabora:
-  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0"
+  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0 --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/richdocuments/settings/fonts.json"
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -73,6 +73,12 @@ configuration:
       value: "opendesk_username"
     password:
       value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  sharing:
+    allowLinks: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    allowMailNotification: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    allowPublicUpload: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    enforceLinksPassword: {{ .Values.functional.filestore.sharing.enforceSharingPasswords }}
+    enforcePasswordProtection: {{ .Values.functional.filestore.sharing.enforceSharingPasswords }}
   smtp:
     auth:
       enabled: false

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -8,7 +8,7 @@ global:
     domainName: {{ .Values.global.domain | quote }}
   domain: {{ .Values.global.domain | quote }}
   ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
-  certManagerIssuer: "letsencrypt-prod-dns"
+  certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
   nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
   keycloak:
     realm: {{ .Values.platform.realm | quote }}
@@ -35,10 +35,10 @@ global:
         imagePullPolicy: "IfNotPresent"
     - name: "opendesk"
       image:
-        registry: "registry.opencode.de"
-        repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
+        registry: {{ .Values.images.nubusOpendeskExtension.registry }}
+        repository: {{ .Values.images.nubusOpendeskExtension.repository }}
+        tag: {{ .Values.images.nubusOpendeskExtension.tag }}
         imagePullPolicy: "IfNotPresent"
-        tag: "1.1.0"
 
   # -- Allows to configure the system extensions to load. This is intended for
   # internal usage, prefer to use `global.extensions` for user configured
@@ -51,6 +51,12 @@ global:
         tag: {{ .Values.images.nubusPortalExtension.tag }}
         imagePullPolicy: "IfNotPresent"
 
+ingress:
+  certManager:
+    enabled: false
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
 # Nubus bundled services
 postgresql:
   enabled: false
@@ -93,7 +99,11 @@ nubusGuardian:
         credentialSecret:
           name: "ums-opendesk-guardian-client-secret"
           key: "managementApiClientSecret"
-
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
   postgresql:
     connection:
       host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
@@ -114,6 +124,11 @@ nubusNotificationsApi:
       username: {{ .Values.databases.umsNotificationsApi.username | quote }}
       database: {{ .Values.databases.umsNotificationsApi.name | quote }}
       existingSecret: "ums-notifications-api-postgresql-opendesk-credentials"
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 
 nubusKeycloakExtensions:
@@ -138,6 +153,10 @@ nubusKeycloakExtensions:
           path: "/resources/"
         - pathType: "Prefix"
           path: "/fingerprintjs"
+      certManager:
+        enabled: false
+      tls:
+        secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 
   postgresql:
@@ -168,6 +187,13 @@ nubusKeycloakExtensions:
       newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
       mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
 
+nubusPortalFrontend:
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+
 nubusPortalListener:
   portalListener:
     objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
@@ -188,6 +214,18 @@ nubusPortalServer:
     centralNavigation:
       enabled: true
       authenticatorSecretName: "ums-opendesk-portal-server-central-navigation"
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+nubusUdmRestApi:
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 # NOTE: disabled until the next update.
 nubusProvisioning:
@@ -209,6 +247,44 @@ nubusStackDataUms:
     externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     umcHtmlTitle: "openDesk Portal"
     installUmcPolicies: true
+  templateContext:
+    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
+    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
+    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
+    portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
+    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
+    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
+    portalTitleDE: "openDesk Portal"
+    portalTitleEN: "openDesk Portal"
+    oxDefaultContext: "1"
+    ldapSearchUsers:
+      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
+      - username: {{ printf "ldapsearch_%s" $username | quote }}
+        password: {{ $password | quote }}
+        lastname: "LDAP-Search-User"
+      {{- end }}
+    portaltileGroupUserStandard:
+      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
+      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupUserAdmin:
+      - 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
+      - 'cn=Support,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupUserAll:
+      - 'cn=Domain Admins,cn=groups,{{ .Values.ldap.baseDn }}'
+      - 'cn=Domain Users,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupGroupware:
+      - 'cn=managed-by-attribute-Groupware,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupFileshare:
+      - 'cn=managed-by-attribute-Fileshare,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupManagementProject:
+      - 'cn=managed-by-attribute-Projectmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupManagementKnowledge:
+      - 'cn=managed-by-attribute-Knowledgemanagement,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupManagementLearn:
+      - 'cn=managed-by-attribute-Learnmanagement,cn=groups,{{ .Values.ldap.baseDn }}'
+    portaltileGroupLiveCollaboration:
+      - 'cn=managed-by-attribute-Livecollaboration,cn=groups,{{ .Values.ldap.baseDn }}'
+
   nubusUmcServer:
     memcached:
       auth:
@@ -268,10 +344,20 @@ nubusUmcServer:
   smtp:
     credentialSecret:
       name: "ums-umc-server-smtp-credentials-custom"
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 nubusUmcGateway:
   umcGateway:
     umcHtmlTitle: "openDesk Portal"
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 nubusKeycloakBootstrap:
   keycloak:

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -171,15 +171,6 @@ nubusUmcGateway:
   replicaCount: {{ .Values.replicas.umsUmcGateway }}
   resources:
     {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
-  extraVolumes:
-    - name: "entrypoint-swp-patches"
-      configMap:
-        name: "ums-stack-data-swp-umc-gateway-entrypoint"
-        defaultMode: 0555
-  extraVolumeMounts:
-    - name: "entrypoint-swp-patches"
-      mountPath: "/entrypoint.d/90-swp.sh"
-      subPath: "90-swp.sh"
 
 nubusKeycloakBootstrap:
   podAnnotations:

helmfile/environments/default/charts.yaml

@@ -232,7 +232,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "3.0.0"
+    version: "3.1.0"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -242,7 +242,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "3.0.0"
+    version: "3.1.0"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -261,12 +261,10 @@ charts:
     # upstreamRepository: "nubus/charts/nubus"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "19", "3"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus-dev/charts"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "nubus"
-    version: "0.40.0-pre-jtorres-create-readonly-user"
+    version: "0.39.1"
     verify: true
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"

helmfile/environments/default/functional.yaml

@@ -34,6 +34,13 @@ functional:
     quota:
       # Set the default quota for all users in GB
       default: 1
+    # Options related to file sharing, changing these options might require a restart of the `opendesk-nextcloud-php` Pod(s).
+    sharing:
+      # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
+      # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
+      enableExternalSharing: false
+      # Enforces passwords to be used on external shares.
+      enforceSharingPasswords: true
     # Nextcloud specific configuration
     nextcloud:
       retentionObligation:

helmfile/environments/default/images.yaml

@@ -20,7 +20,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.6.1.1@sha256:6237af013065838be27faae69b26feec63de6de8412499285f5379d74fef7387"
+    tag: "24.04.6.2.1@sha256:7de9ac6ce5a256b0f74a56a4654acd851502dc9e3ed4d29949ba5642bacae308"
   cryptpad:
     # providerCategory: "Supplier"
     # providerResponsible: "XWiki"
@@ -203,11 +203,9 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/memcached"
-    # registry: "registry-1.docker.io"
-    # repository: "bitnami/memcached"
-    registry: "docker.io"
+    registry: "registry-1.docker.io"
     repository: "bitnami/memcached"
-    tag: "1.6.29-debian-12-r4"
+    tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
   migrations:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -229,11 +227,9 @@ images:
     # providerResponsible: "openDesk"
     # upstreamRegistry: "https://registry-1.docker.io"
     # upstreamRepository: "bitnami/minio"
-    # registry: "registry-1.docker.io"
-    # repository: "bitnami/minio"
-    registry: "docker.io"
+    registry: "registry-1.docker.io"
     repository: "bitnami/minio"
-    tag: "2024.8.3-debian-12-r1"
+    tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
   nextcloudApache2:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -241,7 +237,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.24@sha256:c9222da8be7af12c9076b41d1a14e019725afc075e1aaa2b727be21c1bf45f10"
+    tag: "1.2.0@sha256:f1c64bc7b9d1993a7c79ca73c1594fdea49ef4adf4ebe4286e01ccc1ad9290c7"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -257,7 +253,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.4.4@sha256:b70c159d6a1827748ca1f8fe0b9fd5b011eaed8719172105e1e9c8b8d776cf97"
+    tag: "1.5.3@sha256:19f5354a951b043327906d8670c0466e2a00317ad0dd4b99d0edf882e213d22f"
   nextcloudPHP:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -265,7 +261,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.10.3@sha256:e659ab95d0d3a33d4937354449c12fa46fe2669a866bbf432a9d729bed6d54f7"
+    tag: "1.11.3@sha256:c88af69971e2b2b1ead90db69d6af3355be5309d6c91b2b6a18fac2c6781b760"
   nubusDataLoader:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -273,11 +269,9 @@ images:
     # upstreamRepository: "nubus/images/data-loader"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "41", "5"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus-dev/images/data-loader"
-    tag: "0.63.0-pre-jtorres-create-readonly-user-nubus@sha256:82947d98b5c04b9ffa0093429dc33b0f94c602f08b6e595eb1ca28bb4dd160b7"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
+    tag: "0.61.0@sha256:598e9fa176c71a6da90ab200ca52abd88176c8cb22a1bf56fec9cd0daf58f58f"
   nubusGuardianAuthorizationApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -315,10 +309,8 @@ images:
     # upstreamRepository: "nubus/images/guardian-init"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "3", "0"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/guardian-init"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
     tag: "0.11.0@sha256:c691aecaf2074a9f1cc6ec5277a70792642bd677f0ff58a6278041b2d99c9d51"
   nubusKeycloak:
     # providerCategory: "Supplier"
@@ -337,11 +329,9 @@ images:
     # upstreamRepository: "nubus/images/keycloak-bootstrap"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "1", "0"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/keycloak-bootstrap"
-    tag: "0.1.2"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
+    tag: "0.1.2@sha256:ea462e3e40843215814bddae0668dc56102864d99127ad3c8d9816d741886ac0"
   nubusKeycloakExtensionHandler:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -349,10 +339,8 @@ images:
     # upstreamRepository: "nubus/images/keycloak-handler"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "0", "3"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/keycloak-handler"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
     tag: "0.10.0@sha256:7aa5bac4821c9226fd74c6a2883f7c24d214b4610d516574866cf933ee1be080"
   nubusKeycloakExtensionProxy:
     # providerCategory: "Supplier"
@@ -361,10 +349,8 @@ images:
     # upstreamRepository: "nubus/images/keycloak-proxy"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "0", "3"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/keycloak-proxy"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
     tag: "0.10.0@sha256:a5f6ae65732f7fb9d7ceae11f1c412b109d230e197075d8a8e1d989c87a0309d"
   nubusLdapNotifier:
     # providerCategory: "Supplier"
@@ -373,10 +359,8 @@ images:
     # upstreamRepository: "nubus/images/ldap-notifier"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "8", "2"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/ldap-notifier"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
     tag: "0.20.0@sha256:d891fe11075740ff0fe1694b2c5fb72c43ac6d823904af8593e0ab359b9175e0"
   nubusLdapServer:
     # providerCategory: "Supplier"
@@ -386,8 +370,8 @@ images:
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "8", "2"]
     registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/platform-development/images/temp-nubus-ldap-2.5-upgrade"
-    tag: "1.1.20@sha256:90f46b8817fa05e6e3ac3b2f053911198675805fb82db8240bfa41239d7e7c61"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
+    tag: "0.20.0@sha256:ad73addd9201378fd5c978ab6bfc64bbd23bb279fc065cade9cb2f8e48a9c85f"
   nubusLdapServerDhInitContainer:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -427,11 +411,17 @@ images:
     # upstreamRepository: "nubus/images/notifications-api"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "9", "4"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/notifications-api"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
     tag: "0.33.0@sha256:0ddb81d4789b2f43b55ded46ff88db4b99a68e7b1006e35877f582aac875c9ad"
+  nubusOpendeskExtension:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
+    tag: "1.2.0@sha256:88be278c7e3da0eeeef08510319c4997b8a62ecdb5e13491f8c4ca8d5640a258"
   nubusOpenPolicyAgent:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -449,11 +439,9 @@ images:
     # upstreamRepository: "nubus/images/ox-extension"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "10", "0"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/ox-extension"
-    tag: "0.11.0"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
+    tag: "0.11.0@sha256:2cb5a9683b6ff81b995a5c71da52c2ff8177b662bb0be8f11e9cd0c6b48d8a11"
   nubusPortalConsumer:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -463,7 +451,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "27", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
-    tag: "0.27.0@sha256:e86bf827d1e93b61473a0730492f48f8dbf0d056b79dd9ecde7af1612696b144"
+    tag: "0.32.0@sha256:7f38a8db34bfe67c9ad0711c0a2c615e278b20a1a7b66b77bd28faa339eaf897"
   nubusPortalExtension:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -471,11 +459,9 @@ images:
     # upstreamRepository: "nubus/images/portal-extension"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "28", "0"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/portal-extension"
-    tag: "0.28.0"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
+    tag: "0.28.0@sha256:1ec467bebc402265e1c24b3d441c211faad1a025ded41afe8dd4687b7ad5a9a4"
   nubusPortalFrontend:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -483,10 +469,8 @@ images:
     # upstreamRepository: "nubus/images/portal-frontend"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "9", "4"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/portal-frontend"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
     tag: "0.33.0@sha256:9cce16009cc478ece11704521347fc4938a3ac5ee4570ac439dd50b08452a3ff"
   nubusPortalListener:
     # providerCategory: "Supplier"
@@ -505,10 +489,8 @@ images:
     # upstreamRepository: "nubus/images/portal-server"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "9", "4"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus-dev/images/portal-server"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
     tag: "0.33.1@sha256:82e9002786a9d1ec524c0f386838ac4ee1fa9a581b66d2e353ea57cc01e26a95"
   nubusProvisioningDispatcher:
     # providerCategory: "Supplier"
@@ -519,7 +501,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "14", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.28.3@sha256:79c81b0143e78c7cabb1efd63d47530eac686fba11db57c173abd8ebdd396778"
+    tag: "0.36.0@sha256:34f03f48b4c9b470f9809b5fa6bfd6e96346e3f99ac0a2d7eaeac3cf9a4a633d"
   nubusProvisioningEventsAndConsumerApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -527,10 +509,8 @@ images:
     # upstreamRepository: "nubus/images/provisioning-events-and-consumer-api"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "14", "0"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/provisioning-events-and-consumer-api"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
     tag: "0.36.0@sha256:69dd2946e7b05384304eeeca50dea645d20f7658d225e7c532381c3bdf2027ce"
   nubusProvisioningPrefill:
     # providerCategory: "Supplier"
@@ -539,10 +519,8 @@ images:
     # upstreamRepository: "nubus/images/provisioning-prefill"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "14", "0"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/provisioning-prefill"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
     tag: "0.36.0@sha256:147406648848c068aacc2cb467633d51c65cddbcaa622c352e5fe5349bf92ce6"
   nubusProvisioningUdmListener:
     # providerCategory: "Supplier"
@@ -551,10 +529,8 @@ images:
     # upstreamRepository: "nubus/images/provisioning-udm-listener"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "14", "0"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/provisioning-udm-listener"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
     tag: "0.36.0@sha256:8a960db9ff94b3c8a63be1588e47ccc1f62f3071abdce7ee2ef89afbe2674eed"
   nubusProvisioningUdmTransformer:
     # providerCategory: "Supplier"
@@ -563,10 +539,8 @@ images:
     # upstreamRepository: "nubus/images/provisioning-udm-transformer"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "14", "0"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/provisioning-udm-transformer"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
     tag: "0.36.0@sha256:8080b55e705391aa2ac9b11db11dc1f984b5626271b2f175bfe26967b857b06d"
   nubusSelfserviceInvitation:
     # providerCategory: "Supplier"
@@ -577,7 +551,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.6.4@sha256:3fcc56c2e039a5a503183ec272fea334083079ceb83c8af7283f9be9b4334d71"
+    tag: "0.6.5@sha256:5630c9df3da4134789d2ebafad7de9062375d21547a2074827b680debd7a909e"
   nubusSelfserviceListener:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -587,15 +561,7 @@ images:
     # upstreamMirrorStartFrom: ["0", "3", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
-    tag: "0.6.4@sha256:9605072b60d832ba165d8b7f9b1b7195693e7d5744479af321e4cf242f9ea500"
-  nubusStackGateway:
-    # providerCategory: "Community"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: "bitnami/nginx"
-    registry: "registry-1.docker.io"
-    repository: "bitnami/nginx"
-    tag: "1.25.4@sha256:dd352b597f4c38ae24abec411710f4249fb5c793293c7ed04737db6b41d32d24"
+    tag: "0.6.5@sha256:a9724fd41cb89a9bdf231ea8699126d2d3503dc894fe9510a1e080ab8408838d"
   nubusUdmRestApi:
     # providerCategory: "Supplier"
     # providerResponsible: "Univention"
@@ -603,10 +569,8 @@ images:
     # upstreamRepository: "nubus/images/udm-rest-api"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "9", "3"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/udm-rest-api"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
     tag: "0.21.0@sha256:f3d189dd0ca619778c907569ddedbdf8772fba26f26cf9e6b8cde2a62618da63"
   nubusUmcGateway:
     # providerCategory: "Supplier"
@@ -615,10 +579,8 @@ images:
     # upstreamRepository: "nubus/images/umc-gateway"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "7", "3"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/umc-gateway"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
     tag: "0.27.0@sha256:f0d5831061d9e8c9a47e724d00eeb8902b08f2380d4ca298812e9c1870ff4697"
   nubusUmcServer:
     # providerCategory: "Supplier"
@@ -627,10 +589,8 @@ images:
     # upstreamRepository: "nubus/images/umc-server"
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ["0", "7", "3"]
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    registry: "artifacts.software-univention.de"
-    repository: "nubus/images/umc-server"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
     tag: "0.27.0@sha256:fa552aa595f75d54b216af4390bd5ea3d5385e6a9a5f558804da3aae9f700acf"
   nubusWaitForDependency:
     # providerCategory: "Supplier"

helmfile/environments/default/replicas.yaml

@@ -130,8 +130,8 @@ replicas:
   # -- component: Project management (OpenProject)
   # -- scalable: true
   openprojectWeb: 1
-  # -- scalable: tdb
-  # -- comment: Async process that usually has no need for scaling
+  # -- scalable: true
+  # -- comment: Async service working on processing queue content. Can work on queues in parallel (when needed). See [upstream Helm chart documentation](https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/) for details, as e.g. dedicated workers to specific queues are in general possible with OpenProject as well.Share 
   openprojectWorker: 1
 
   # -- component: Knowledge management (XWiki)

helmfile/environments/default/resources.yaml

@@ -586,7 +586,7 @@ resources:
   umsUmcServer:
     limits:
       cpu: 99
-      memory: "1Gi"
+      memory: "2Gi"
     requests:
       cpu: 0.1
       memory: "256Mi"