chore(release): 0.2.0 [skip ci]

# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15) ### Bug Fixes * **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](4c21fd2286)) ### Features * **helmfile:** Implement private image/chart registry variables ([5788323](5788323621))
fix(helmfile): Replace bitnami repositories with OCI
2025-12-06 07:21:36 +01:00 · 2023-08-15 10:40:25 +00:00 · 2023-08-15 11:32:03 +02:00 · 2023-08-15 11:32:03 +02:00 · 2023-08-15 09:20:34 +00:00 · 2023-08-14 18:50:42 +02:00
41 changed files with 734 additions and 298 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -78,6 +78,12 @@ variables:
    options:
      - "yes"
      - "no"
+  DEPLOY_ELEMENT:
+    description: "Enable Element deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
  DEPLOY_KEYCLOAK:
    description: "Enable Keycloak deployment."
    value: "no"
@@ -127,8 +133,7 @@ variables:
      - "yes"
      - "no"
  TESTS_PROJECT_URL:
-    description: "URL of the E2E-test gitlab project API with project ID."
-    value: "gitlab.souvap-univention.de/api/v4/projects/6"
+    description: "URL of the E2E-test Gitlab project API with project ID."
  # please use the following set of variables with normalized names:
  DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
  ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -192,7 +197,7 @@ env-cleanup:
 env-start:
  environment:
    name: "${NAMESPACE}"
-    url: "https://portal.${NAMESPACE}.${SWP_DOMAIN}"
+    url: "https://portal.${DOMAIN}"
    on_stop: "env-stop"
  extends: ".deploy-common"
  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
@@ -359,6 +364,18 @@ jitsi-deploy:
  variables:
    COMPONENT: "jitsi"

+element-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ELEMENT != "no")
+      when: "always"
+  variables:
+    COMPONENT: "element"
+
 env-stop:
  extends: ".deploy-common"
  environment:
@@ -445,15 +462,18 @@ run-tests:
  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
  except:
    - "tags"
+    - "triggers"
    - "web"

 common-yaml-linter:
  except:
    - "tags"
+    - "triggers"
    - "web"

 reuse-linter:
  allow_failure: false
  except:
    - "tags"
+    - "triggers"
    - "web"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,77 @@
+# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)
+
+
+### Bug Fixes
+
+* **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/4c21fd228654520bb71d56dc1bda96332334002b))
+
+
+### Features
+
+* **helmfile:** Implement private image/chart registry variables ([5788323](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/57883236219811d2a5fc422649b4f9b042a0ac22))
+
+## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15)
+
+
+### Bug Fixes
+
+* **jitsi:** Update support for NodePort setups with different ingress/egress ips ([de25789](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/de257893d4ff2b3e8ea1d6988c6bdde5ed1eae9a))
+
+## [0.1.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.0...v0.1.1) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support ([53796da](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53796dae660463207a460b387b6f3dd23ce20cd0))
+* **open-xchange:** Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1 ([390f2de](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/390f2dee5226b83855a6cca8bf1c0d0f5647ee34))
+
+# [0.1.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.6...v0.1.0) (2023-08-14)
+
+
+### Bug Fixes
+
+* **docs:** Typo ([ee684a7](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/ee684a78910ce721ea834e9ec2f4222ed37572c6))
+
+
+### Features
+
+* **element:** Add element component ([5f0ca92](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/5f0ca92a058e51a27aa56e35ebcf2048bad88671))
+
+## [0.0.6](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.5...v0.0.6) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Functional mailboxes auth settings update in AppSuite and Dovecot ([53948ea](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53948eae7648cc9785d2b8a813fc7e40b36aa3aa))
+
+## [0.0.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.4...v0.0.5) (2023-08-11)
+
+
+### Bug Fixes
+
+* **keycloak:** Improve digest image pinning ([b8a8932](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/b8a8932221ae4d6632c7d1f4a85f46fea01a92e7))
+
+## [0.0.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.3...v0.0.4) (2023-08-11)
+
+
+### Bug Fixes
+
+* **jitsi:** Fix identifiers in resources ([3a0b246](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3a0b246f83dc6a3ff19973959b3cf3c243c39025))
+
+## [0.0.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.2...v0.0.3) (2023-08-10)
+
+
+### Bug Fixes
+
+* **keycloak:** Keycloak extensions sha256 image pinning, includes fix for failing keycloak extension handler on unavailable SMTP relay. ([27ce715](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/27ce71554d5f495731d90632a56e134762b95a25))
+
+## [0.0.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.1...v0.0.2) (2023-08-10)
+
+
+### Bug Fixes
+
+* **services:** Remove fqdn from dovecot in postfix ([2033c76](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/2033c76d81e39c625112b312934668d3b3eb43fe))
+
 ## 0.0.1 (2023-08-10)


--- a/README.md
+++ b/README.md
@@ -8,47 +8,54 @@ SPDX-License-Identifier: Apache-2.0

 # Disclaimer August 2023

-The current state of the SWP is missing one component which is not yet generally available to the public also
-outside the SWP (Element Starter Edition), and contains components that will be replaced (e.g. UCS dev container
-monolith to be replaced by multiple Univention Management Stack containers).
-In the next months we not only expect upstream updates of the functional components within their feature scope but we
-are going to address operational issues like monitoring and network policies.
+The current state of the Sovereign Workplace contains components that are going to be
+replaced. Like for example the UCS dev container monolith will be substituted by
+multiple Univention Management Stack containers.

-Of course we will also extend the documentation.
+In the next months we not only expect upstream updates of the functional
+components within their feature scope, but we are also going to address
+operational issues like monitoring and network policies.

-In any case we love to get feedback from you! Related to the deployment / contents of this repository please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
+Of course, further development also includes enhancing the documentation.

-If you want to address other topics, please check the section ["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
+The first release of the Sovereign Workplace is scheduled for December 2023.
+Before that release there will be breaking changes in the deployment.

-The first release of the SWP is scheduled for December 2023. Before that release there will be breaking changes in the deployment.

 # The Sovereign Workplace (SWP)

-The SWP's runtime environment is [Kubernetes](https://kubernetes.io/), often written in it's short form "K8s".
+The Sovereign Workplace's runtime environment is [Kubernetes](https://kubernetes.io/), or "K8s" in
+short.

-While not all components are perfectly shaped for the execution as containers, one of the projects objectives is the
-make the applications more aligned with best practise when it comes to container design and operations.
+While not all components are still perfectly shaped for the execution inside
+containers, one of the projects objectives is it to align the applications
+with the best practises regarding container design and operations.

-This documentation gives you - hopefully - all you need to setup your own instance of the SWP. You should have at least
-basic knowledge Kubernetes and Devops knowledge.
+This documentation aims to give you all that is needed to set up your own
+instance of the Sovereign Workplace. Basic knowledge of Kubernetes and Devops is
+required though.

-To have an overview of what can be found at Open CoDE and the basic components of the SWP, please check out the
-[OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the
-[Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info).
+To have an overview of what can be found at Open CoDE and the basic components
+of the Sovereign Workplace, please check out the
+[OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the [Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info).

-Especially check out the section
-["Mitwirkung und Beteiligung"](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#mitwirkung-und-beteiligung)
-if you are missing something or you have questions. We appreciate your feedback to improve product and documentation.
+We love to get feedback from you! Related to the deployment / contents of this
+repository please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
+
+If you want to address other topics, please check the section
+["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).

 # Deployment

-**Note for project members:** You can use the project's `dev` K8s cluster to setup your own development instance. Please see the project `sovereign-workplace-env` on the internal Gitlab for more details.
+**Note for project members:** You can use the project's `dev` K8s cluster to set
+up your own instance for development purposes. Please see the project
+`sovereign-workplace-env` on the internal Gitlab for more details.

 ## Prerequisites

 ### Mandatory technical prerequisites

-You have to take care about the following prerequisites in order to deploy the SWP:
+These are the requirements of the Sovereign Workplace deployment:

 - Vanilla K8s cluster
 - Domain and DNS Service
@@ -57,8 +64,8 @@ You have to take care about the following prerequisites in order to deploy the S
 [HelmDiff](https://github.com/databus23/helm-diff)
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are working with Open-Xchange
-to get rid of this dependency.
+- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are
+working with Open-Xchange to get rid of this dependency.

 #### TLS Certificate

@@ -68,25 +75,30 @@ You can set the ClusterIssuer via `certificate.issuerRef.name`

 ### Required input variables

-You need to expose following variables to run the installation.
+You need to expose following environment variables in order to run the
+installation.

-| name                | default                      | description                                       |
-|---------------------|------------------------------|---------------------------------------------------|
-| `DOMAIN`            | `souvap-univention.de`       | External reachable domain                         |
-| `ISTIO_DOMAIN`      | `istio.souvap-univention.de` | External reachable domain for Istio Gateway       |
-| `MASTER_PASSWORD`   | `sovereign-workplace`        | The password that seeds the autogenerated secrets |
-| `SMTP_PASSWORD`     |                              | Password for SMTP relay gateway                   |
-| `TURN_CREDENTIALS`  |                              | Credentials for coturn server                     |
+| name                | default               | description                                       |
+|---------------------|-----------------------|---------------------------------------------------|
+| `DOMAIN`            | `souvap.cloud`        | External reachable domain                         |
+| `ISTIO_DOMAIN`      | `istio.souvap.cloud`  | External reachable domain for Istio Gateway       |
+| `MASTER_PASSWORD`   | `sovereign-workplace` | The password that seeds the autogenerated secrets |
+| `SMTP_PASSWORD`     |                       | Password for SMTP relay gateway                   |
+| `TURN_CREDENTIALS`  |                       | Credentials for coturn server                     |

-Please ensure you have set DNS records pointing to the respective loadbalancer/IP for `DOMAIN` and `ISTIO_DOMAIN`.
+Please ensure that you set the DNS records pointing to the loadbalancer/IP for
+`DOMAIN` and `ISTIO_DOMAIN`.

-If you want inbound mail also use MX records that point to the Postfix's pods public IP.
+If you want inbound email you need to set the MX records that points to the
+public IP address of the Postfix-pods.

-More details on the DNS options incl. SPF/DKIM and autodiscovery options to come...
+More details on DNS options including SPF/DKIM and autodiscovery options
+are to come...

 ### Optional or feature based prerequisites

-All of these requirements are optional as long as you do not want to make use of the given feature.
+All of these requirements are optional as long as you do not want to use the
+related feature.

 | Feature                      | Component(s)   | Requirement                 |
 |------------------------------|----------------|-----------------------------|
@@ -97,47 +109,75 @@ All of these requirements are optional as long as you do not want to make use of

 ## CI based deployment

-The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
+The project includes a `.gitlab-ci.yml` that allows you to execute the
+deployment from a Gitlab instance of your choice.

-Please ensure you provide the variables listed in the `Required input variables` section.
+Please ensure to provide the environment variables listed at
+[Required input variables](#required-input-variables).

-When starting the CI through the Gitlab UI you will be queried for some of the variables plus the following ones:
+When starting the pipeline through the Gitlab UI you will be queried for some
+of the variables plus the following ones:

- `BASE_DOMAIN`: The base domain the SWP will be installed at e.g. `souvap.cloud`
+- `BASE_DOMAIN`: The base domain the SWP will use. For example: `souvap.cloud`
 - `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
- `MASTER_PASSWORD_WEB_VAR`: Overwrite value of `MASTER_PASSWORD`
+- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`

 Based on your input the following variables will be set:
 - `DOMAIN` = `NAMESPACE`.`BASE_DOMAIN`
 - `ISTIO_DOMAIN` = istio.`DOMAIN`
- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR` if that is not given `MASTER_PASSWORD` will be used, that could be set as masked CI variable in Gitlab or as a fallback the default value of `MASTER_PASSWORD`.
+- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
+is not set, the default for `MASTER_PASSWORD` will be used, unless you set
+`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supercede the default.

-You might want to set password / credential variables in the projects `Settings` > `CI/CD` > `Variables`.
+You might want to set credential variables in the Gitlab project at
+`Settings` > `CI/CD` > `Variables`.

 ## Local deployment

-Please ensure you have set the `Required input variables` (see section above) and have also read the `Helmfile` section below for non default configurations. Then go with
+Please ensure to provide the environment variables listed at
+[Required input variables](#required-input-variables).
+Also, please read [Helmfile](#helmfile) a little below in case of a non default
+configuration.
+
+Then go with

 ```shell
 helmfile apply -n <NAMESPACE>
 ```

-and wait. After the deployment are finished some bootstrapping is executed which might take some more minutes before you can login.
+and wait a little. After the deployment is finished some bootstrapping is
+executed which might take some more minutes before you can log in your new
+instance.
+
+## Offline deployment
+
+Before executing a [local deployment](#local-deployment), you can set following
+environment variables to use your own container image and helm chart registry:
+
+| name                         | description                    |
+|------------------------------|--------------------------------|
+| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
+| PRIVATE_IMAGE_REGISTRY_URL   | Your image registry url        |

 ## Logging in

-When successfully deployed the SWP all K8s jobs from the deployment should be in the status `Succeeded` and all pods should be up an `Running`.
+When successfully deployed the SWP, all K8s jobs from the deployment should be
+in the status `Succeeded` and all pods should be `Running`.

 You should see the portal's login page at `https://portal.<DOMAIN>`.

-Off the shelf you get two accounts with passwords you can lookup in the `univention-corporate-container-*` pod environment:
+Off the shelf you get two accounts with passwords you can look up in the
+`univention-corporate-container-*` pod environment. You can use a shell on that
+container or a `kubectl describe`-command to get the credentials.

 | Username / Login   | Password environment variable  |
 |--------------------|--------------------------------|
 | default.user       | DEFAULT_ACCOUNT_USER_PASSWORD  |
 | default.admin      | DEFAULT_ACCOUNT_ADMIN_PASSWORD |

-If you do not see any tiles in the portal after the login you may want to wait a couple of minutes, as on the initial start some bootstrapping and cache building is done, that blocks the portal entries from showing up.
+If you do not see any tiles in the portal after the login you may want to wait a
+couple of minutes, as on the initial start some bootstrapping and cache building
+is done. This blocks the portal entries from showing up.

 # Helmfile

@@ -145,30 +185,32 @@ If you do not see any tiles in the portal after the login you may want to wait a

 ### Deployment selection

-By default all components are deployed. The components of type `Eval` are used for development and evaluation
-purposes only and need to be replaced in production deployments. These components are grouped together in the
+By default, all components are deployed. The components of type `Eval` are used
+for development and evaluation purposes only - they need to be replaced in
+production deployments. These components are grouped together in the
 subdirectory `/helmfile/apps/services`.

-| Component                   | Name                                | Default | Description                  | Type       |
-|-----------------------------|-------------------------------------|---------|------------------------------|------------|
-| Certificates                | `certificates.enabled`              | `true`  | TLS certificates             | Eval       |
-| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine             | Eval       |
-| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine             | Eval       |
-| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                    | Functional |
-| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                 | Functional |
-| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange  | Functional |
-| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing            | Functional |
-| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider            | Functional |
-| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                     | Eval       |
-| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                   | Functional |
-| OpenProject                 | `openproject.enabled`               | `true`  | Project management           | Functional |
-| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                    | Functional |
-| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning         | Functional |
-| Postfix                     | `postfix.enabled`                   | `true`  | MTA                          | Eval       |
-| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                     | Eval       |
-| Redis                       | `redis.enabled`                     | `true`  | Cache Database               | Eval       |
-| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal | Functional |
-| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                | Functional |
+| Component                   | Name                                | Default | Description                    | Type       |
+|-----------------------------|-------------------------------------|---------|--------------------------------|------------|
+| Certificates                | `certificates.enabled`              | `true`  | TLS certificates               | Eval       |
+| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
+| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
+| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
+| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
+| Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
+| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
+| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing              | Functional |
+| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
+| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       | Eval       |
+| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                     | Functional |
+| OpenProject                 | `openproject.enabled`               | `true`  | Project management             | Functional |
+| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                      | Functional |
+| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning           | Functional |
+| Postfix                     | `postfix.enabled`                   | `true`  | MTA                            | Eval       |
+| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                       | Eval       |
+| Redis                       | `redis.enabled`                     | `true`  | Cache Database                 | Eval       |
+| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal   | Functional |
+| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                  | Functional |


 #### Cluster capabilities
@@ -182,10 +224,17 @@ subdirectory `/helmfile/apps/services`.

 #### Databases

-In case you don't got for a develop or evaluation environment you want to point the application to your own database instances.
+In case you don't got for a develop or evaluation environment you want to point
+the application to your own database instances.

 | Component   | Name               | Type       | Parameter | Key                                    | Default                    |
 |-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
+| Element     | Synapse            | PostgreSQL |           |                                        |                            |
+|             |                    |            | Name      | `databases.synapse.name`               | `matrix`                   |
+|             |                    |            | Host      | `databases.synapse.host`               | `postgresql`               |
+|             |                    |            | Port      | `databases.synapse.port`               | `5432`                     |
+|             |                    |            | Username  | `databases.synapse.username`           | `matrix_user`              |
+|             |                    |            | Password  | `databases.synapse.password`           |                            |
 | Keycloak    | Keycloak           | PostgreSQL |           |                                        |                            |
 |             |                    |            | Name      | `databases.keycloak.name`              | `keycloak`                 |
 |             |                    |            | Host      | `databases.keycloak.host`              | `postgresql`               |
@@ -222,8 +271,8 @@ In case you don't got for a develop or evaluation environment you want to point

 ### Scaling

-Replicas for components can be increased, while we still have to look in the actual scalability of the
-components (see column `Scales at least to 2`).
+The Replicas of components can be increased, while we still have to look in the
+actual scalability of the components (see column `Scales at least to 2`).

 | Component   | Name                   | Default | Service            | Scaling            | Scales at least to 2 |
 |-------------|------------------------|---------|--------------------|--------------------|----------------------|
@@ -234,10 +283,14 @@ components (see column `Scales at least to 2`).
 |             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Element     | `replicas.element`     | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.synapse`     | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.synapseWeb`  | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.wellKnown`   | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
 | Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 |             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 |             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | tested               |
+|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | :x:                  |
 | Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
@@ -269,29 +322,46 @@ flowchart TD

 #### Intercom Service (ICS)

-The UCS Intercom Service's role is to enable cross application integration based on browser interaction. Handling authentication when frontend of application A is using API from application B is often a challenge. For more details on the ICS please refer to it's separate [README.md](./helmfile/apps/intercom-service/README.md) - (**TODO**)
+The UCS Intercom Service's role is to enable cross application integration based
+on browser interaction. Handling authentication when the frontend of an
+application is using the API from another application is often a challenge.
+For more details on the ICS please refer to its own [README.md](./helmfile/apps/intercom-service/README.md).

-In order to establish a session with the ICS the application makes use of the ICS must initiate a silent login.
+In order to establish a session with the Intercom Service, the application that
+wants to use the ICS must initiate a silent login.

-Currently only OX AppSuite is using the frontend based integration and therefore it's the only consumer of the ICS API endpoints.
+Currently only OX AppSuite is using the frontend based integration, and
+therefore it is right now the only consumer of the ICS API.

 ### Filepicker

-The Nextcloud filepicker is integrated into the OX AppSuite allows you for adding attachments or links to files from and saving attachments to Nextcloud. The filepicker is using frontend based integration (OX AppSuite in the browser talking to Intercom service) as well as backend to backend integration e.g. (OX AppSuite middleware talking to Nextcloud). The latter one especially when adding a file to an email or storing an file into Nextcloud.
+The Nextcloud filepicker which is integrated into the OX AppSuite allows you to
+add attachments or links to files from and saving attachments to Nextcloud.
+
+The filepicker is using frontend and backend based integration. Frontend based
+integration means that OX AppSuite in the browser is communicating with ICS.
+While using backend based integration, OX AppSuite middleware is communicating
+with Nextcloud, which is especially used when adding a file to an email or
+storing a file into Nextcloud.

 ### Central Navigation

-The central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user in order to allow components to render the menu showing all available SWP applications for the user.
+Central navigation is based on an API endpoint in the portal that provides the
+contents of the portal for a user in order to allow components to render the
+menu showing all available SWP applications for the user.

 ### (Read & write) Central contacts

-Open-Xchange App Suite is the place to manage contacts within the SWP. There is a standard API in the AppSuite that is being used by Nextcloud to lookup contacts as well as to create contacts e.g. if a file is shared with a not yet available personal contact.
+Open-Xchange App Suite is used to manage contacts within the Sovereign
+Workplace. There is an API in the AppSuite that is being used by
+Nextcloud to lookup contacts as well as to create contacts. This is maybe done
+when a file is shared with a not yet available personal contact.

 # Identity data flows

-An overview on
- components that consume data from the ldap, in most cases using a dedicated ldap search account and
- components using Keycloak as IdP, if not otherwise denoted based on the OAuth2 / OIDC flows.
+An overview of
+- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
+- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.

 Some components trust others to handle authentication for them.

@@ -319,7 +389,9 @@ flowchart TD

 # Provisioning

-Currently active provisioning is only done for OX AppSuite. The OX-Connector synchronizes create, modify and delete acitivities for the following objects to the OX AppSuite using the AppSuite's SOAP API:
+Currently active provisioning is only done for OX AppSuite. The OX-Connector
+synchronizes creates, modifies and deletes activities for the following objects
+to the OX AppSuite using the AppSuite's SOAP API:

 - Contexts
 - Users
@@ -329,10 +401,12 @@ Currently active provisioning is only done for OX AppSuite. The OX-Connector syn

 # Component specific documentation

-We want to provide more information per component in separate, component specific `README.md` files. In order to establish a common view on the components we are going to cover various aspects:
+We want to provide more information per component in separate, component
+specific `README.md` files. In order to establish a common view on the
+components we are going to cover various aspects:

- **Component overview**: Should provide a quick introduction with the components prerequisites and subcomponents (f.e. pods).
- **Resources**: Will contain link to the components upstream documentation, the helm chart and image locations.
+- **Component overview**: Shall provide a quick introduction including the components prerequisites and subcomponents (f.e. pods).
+- **Resources**: Will contain a link to the components upstream documentation, the helm chart and image locations.
 - **Operational Capabilities**
  - **Install**: The components installs within the SWP.
  - **Restart**: Deleting and restarting pods works seamlessly.
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -15,6 +15,7 @@ helmfiles:
  - path: "helmfile/apps/nextcloud/helmfile.yaml"
  - path: "helmfile/apps/collabora/helmfile.yaml"
  - path: "helmfile/apps/jitsi/helmfile.yaml"
+  - path: "helmfile/apps/element/helmfile.yaml"
  - path: "helmfile/apps/openproject/helmfile.yaml"
  - path: "helmfile/apps/xwiki/helmfile.yaml"
  - path: "helmfile/apps/provisioning/helmfile.yaml"
--- a/helmfile/apps/collabora/helmfile.yaml
+++ b/helmfile/apps/collabora/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "collabora-online"
-    url: "https://collaboraonline.github.io/online"
+  - name: "collabora-online-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://collaboraonline.github.io/online" }}

 releases:
  - name: "collabora-online"
-    chart: "collabora-online/collabora-online"
+    chart: "collabora-online-repo/collabora-online"
    version: "1.0.2"
    values:
      - "values.yaml"
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  - name: "sovereign-workplace-element-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
+
+releases:
+  - name: "sovereign-workplace-element"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-element"
+    version: "1.1.2"
+    values:
+      - "values-element.gotmpl"
+    condition: "element.enabled"
+
+  - name: "sovereign-workplace-well-known"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-well-known"
+    version: "1.1.2"
+    values:
+      - "values-well-known.gotmpl"
+    condition: "element.enabled"
+
+  - name: "sovereign-workplace-synapse-web"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse-web"
+    version: "1.1.2"
+    values:
+      - "values-synapse-web.gotmpl"
+    condition: "element.enabled"
+
+  - name: "sovereign-workplace-synapse"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse"
+    version: "1.1.2"
+    values:
+      - "values-synapse.gotmpl"
+    condition: "element.enabled"
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "element"
+
+bases:
+  - "../../bases/environments.yaml"
+...
--- a/helmfile/apps/element/values-element.gotmpl
+++ b/helmfile/apps/element/values-element.gotmpl
@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.element.repository }}"
+  tag: "{{ .Values.images.element.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.element }}
+
+resources:
+  {{ .Values.resources.element | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/element/values-synapse-web.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.gotmpl
@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapseWeb.repository }}"
+  tag: "{{ .Values.images.synapseWeb.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.synapseWeb }}
+
+resources:
+  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/element/values-synapse.gotmpl
+++ b/helmfile/apps/element/values-synapse.gotmpl
@@ -0,0 +1,52 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapse.repository }}"
+  tag: "{{ .Values.images.synapse.tag }}"
+
+configuration:
+  database:
+    host: "{{ .Values.databases.synapse.host }}"
+    name: "{{ .Values.databases.synapse.name }}"
+    user: "{{ .Values.databases.synapse.username }}"
+    password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
+
+  homeserver:
+    oidc:
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
+      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+
+    turn:
+      sharedSecret: {{ .Values.turn.credentials }}
+      servers:
+        {{- if .Values.turn.tls.host }}
+        - server: {{ .Values.turn.tls.host }}
+          port: {{ .Values.turn.tls.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- else if .Values.turn.server.host }}
+        - server: {{ .Values.turn.server.host }}
+          port: {{ .Values.turn.server.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- end }}
+
+persistence:
+  size: "{{ .Values.persistence.size.synapse }}"
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+
+replicaCount: {{ .Values.replicas.synapse }}
+
+resources:
+  {{ .Values.resources.synapse | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/element/values-well-known.gotmpl
+++ b/helmfile/apps/element/values-well-known.gotmpl
@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.wellKnown.repository }}"
+  tag: "{{ .Values.images.wellKnown.tag }}"
+
+ingress:
+  host: "{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.wellKnown }}
+
+resources:
+  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "intercom-service"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
+  - name: "intercom-service-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable" }}

 releases:
  - name: "intercom-service"
-    chart: "intercom-service/intercom-service"
+    chart: "intercom-service-repo/intercom-service"
    version: "1.1.3"
    values:
      - "values.yaml"
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "jitsi"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
+  - name: "jitsi-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable" }}

 releases:
  - name: "jitsi"
-    chart: "jitsi/sovereign-workplace-jitsi"
-    version: "1.1.0"
+    chart: "jitsi-repo/sovereign-workplace-jitsi"
+    version: "1.2.1"
    values:
      - "values-jitsi.gotmpl"
    condition: "jitsi.enabled"
--- a/helmfile/apps/jitsi/values-jitsi.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.gotmpl
@@ -17,10 +17,10 @@ image:
  tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"

 settings:
-  jwtAppSecret: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+  jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"

 jitsi:
-  publicURL: "https://{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+  publicURL: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
  web:
    replicaCount: {{ .Values.replicas.jitsi }}
    image:
@@ -30,17 +30,17 @@ jitsi:
      enabled: "{{ .Values.ingress.enabled }}"
      ingressClassName: "{{ .Values.ingress.ingressClassName }}"
      hosts:
-        - host: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+        - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
          paths:
            - "/"
      tls:
        - secretName: "{{ .Values.ingress.tls.secretName }}"
          hosts:
-            - "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
    extraEnvs:
      TURN_ENABLE: "1"
    resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jitsi | toYaml | nindent 6 }}
  prosody:
    image:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
@@ -51,11 +51,11 @@ jitsi:
    {{- end }}
    extraEnvs:
      - name: "AUTH_TYPE"
-        value: "jwt"
+        value: "hybrid_matrix_token"
      - name: "JWT_APP_ID"
        value: "myappid"
      - name: "JWT_APP_SECRET"
-        value: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+        value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
      - name: TURNS_HOST
        value: "{{ .Values.turn.tls.host }}"
      - name: TURNS_PORT
@@ -69,7 +69,7 @@ jitsi:
      - name: TURN_CREDENTIALS
        value: "{{ .Values.turn.credentials }}"
    resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.prosody | toYaml | nindent 6 }}
    persistence:
      size: "{{ .Values.persistence.size.prosody }}"
      storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
@@ -79,19 +79,19 @@ jitsi:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
      tag: "{{ .Values.images.jicofo.tag }}"
    xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jicofoAuthPassword }}"
-      componentSecret: "{{ .Values.secrets.jitsiPlain.jicofoComponentPassword }}"
+      password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
+      componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
    resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jicofo | toYaml | nindent 6 }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
      tag: "{{ .Values.images.jvb.tag }}"
    xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jvbAuthPassword }}"
+      password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
    resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jvb | toYaml | nindent 6 }}
    service:
      type: "{{ .Values.cluster.service.type }}"
  jibri:
@@ -100,17 +100,19 @@ jitsi:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
      tag: "{{ .Values.images.jibri.tag }}"
    recorder:
-      password: "{{ .Values.secrets.jitsiPlain.jibriRecorderPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
    xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jibriXmppPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
    resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jibri | toYaml | nindent 6 }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
  {{- end }}

 patchJVB:
+  configuration:
+    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
--- a/helmfile/apps/keycloak-bootstrap/helmfile.yaml
+++ b/helmfile/apps/keycloak-bootstrap/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-keycloak-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
+  - name: "sovereign-workplace-keycloak-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable" }}

 releases:
  - name: "sovereign-workplace-keycloak-bootstrap"
-    chart: "sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
+    chart: "sovereign-workplace-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
    version: "1.1.11"
    values:
      - "values-bootstrap.gotmpl"
--- a/helmfile/apps/keycloak/helmfile.yaml
+++ b/helmfile/apps/keycloak/helmfile.yaml
@@ -2,22 +2,29 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "bitnami"
-    url: "https://charts.bitnami.com/bitnami"
-  - name: "keycloak-theme"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
-  - name: "keycloak-extensions"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry-1.docker.io/bitnamicharts" }}
+  - name: "keycloak-theme-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable" }}
+  - name: "keycloak-extensions-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}

 releases:
  - name: "keycloak-theme"
-    chart: "keycloak-theme/sovereign-workplace-theme"
+    chart: "keycloak-theme-repo/sovereign-workplace-theme"
    version: "1.0.0"
    values:
      - "values-theme.gotmpl"
    condition: "keycloak.enabled"
  - name: "keycloak"
-    chart: "bitnami/keycloak"
+    chart: "bitnami-repo/keycloak"
    version: "12.2.0"
    values:
      - "values-keycloak.gotmpl"
@@ -26,7 +33,7 @@ releases:
    wait: true
    condition: "keycloak.enabled"
  - name: "keycloak-extensions"
-    chart: "keycloak-extensions/keycloak-extensions"
+    chart: "keycloak-extensions-repo/keycloak-extensions"
    version: "0.1.0"
    needs:
      - "keycloak"
--- a/helmfile/apps/keycloak/values-extensions.gotmpl
+++ b/helmfile/apps/keycloak/values-extensions.gotmpl
@@ -15,6 +15,15 @@ global:
      username: "{{ .Values.databases.keycloakExtension.username }}"
      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
 handler:
+  image:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
+{{- if .Values.images.keycloakExtensionHandler.digest }}
+    sha256: "{{ .Values.images.keycloakExtensionHandler.digest}}"
+{{- else if .Values.images.keycloakExtensionHandler.tag }}
+    tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
+{{- end }}
+    imagePullPolicy: "Always"
  appConfig:
    smtpPassword: "{{ .Values.smtp.password }}"
    smtpHost: "{{ .Values.smtp.host }}"
@@ -25,8 +34,12 @@ handler:
 proxy:
  image:
    registry: "{{ .Values.global.imageRegistry }}"
-    repository: "{{ .Values.images.keycloakExtension.repository }}"
-    tag: "{{ .Values.images.keycloakExtension.tag }}"
+    repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
+{{- if .Values.images.keycloakExtensionProxy.digest }}
+    sha256: "{{ .Values.images.keycloakExtensionProxy.digest}}"
+{{- else if .Values.images.keycloakExtensionProxy.tag }}
+    tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
+{{- end }}
    imagePullPolicy: "Always"
  ingress:
    enabled: "{{ .Values.ingress.enabled }}"
--- a/helmfile/apps/keycloak/values-extensions.yaml
+++ b/helmfile/apps/keycloak/values-extensions.yaml
@@ -9,8 +9,6 @@ global:
    realm: "souvap"

 handler:
-  image:
-    tag: "latest"
  appConfig:
    captchaProtectionEnable: "False"

--- a/helmfile/apps/keycloak/values-keycloak-idp.yaml
+++ b/helmfile/apps/keycloak/values-keycloak-idp.yaml
@@ -116,9 +116,9 @@ keycloakConfigCli:
            "enabled": true,
            "alwaysDisplayInConsole": false,
            "clientAuthenticatorType": "client-secret",
-            "secret": "$(CLIENT_SECRET_JITSI_PLAIN_PASSWORD)",
+            "secret": "$(CLIENT_SECRET_JITSI_PASSWORD)",
            "redirectUris": [
-              "https://$(JITSI_PLAIN_DOMAIN)/*"
+              "https://$(JITSI_DOMAIN)/*"
            ],
            "webOrigins": [
              "*"
@@ -135,7 +135,7 @@ keycloakConfigCli:
            "frontchannelLogout": true,
            "protocol": "openid-connect",
            "attributes": {
-              "post.logout.redirect.uris": "https://$(JITSI_PLAIN_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
+              "post.logout.redirect.uris": "https://$(JITSI_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
            },
            "authenticationFlowBindingOverrides": {},
            "fullScopeAllowed": true,
--- a/helmfile/apps/keycloak/values-keycloak.gotmpl
+++ b/helmfile/apps/keycloak/values-keycloak.gotmpl
@@ -55,8 +55,8 @@ keycloakConfigCli:
      value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
    - name: "MATRIX_DOMAIN"
      value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
-    - name: "JITSI_PLAIN_DOMAIN"
-      value: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+    - name: "JITSI_DOMAIN"
+      value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
    - name: "ELEMENT_DOMAIN"
      value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
    - name: "INTERCOM_SERVICE_DOMAIN"
@@ -65,8 +65,8 @@ keycloakConfigCli:
      value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
    - name: "CLIENT_SECRET_MATRIX_PASSWORD"
      value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
-    - name: "CLIENT_SECRET_JITSI_PLAIN_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.jitsiPlain }}
+    - name: "CLIENT_SECRET_JITSI_PASSWORD"
+      value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
    - name: "CLIENT_SECRET_NCOIDC_PASSWORD"
      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
    - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -2,14 +2,18 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
-  - name: "nextcloud"
-    url: "https://nextcloud.github.io/helm/"
+  - name: "sovereign-workplace-nextcloud-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable" }}
+  - name: "nextcloud-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://nextcloud.github.io/helm/" }}

 releases:
  - name: "sovereign-workplace-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
+    chart: "sovereign-workplace-nextcloud-bootstrap-repo/sovereign-workplace-nextcloud-bootstrap"
    version: "2.2.0"
    wait: true
    waitForJobs: true
@@ -20,7 +24,7 @@ releases:
    timeout: 1800

  - name: "nextcloud"
-    chart: "nextcloud/nextcloud"
+    chart: "nextcloud-repo/nextcloud"
    version: "3.5.19"
    needs:
      - "sovereign-workplace-nextcloud-bootstrap"
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -2,32 +2,38 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "dovecot"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
-  - name: "openxchange"
-    url: "registry.open-xchange.com"
+  - name: "dovecot-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable" }}
+  - name: "openxchange-repo"
    oci: true
-  - name: "sovereign-workplace-open-xchange-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry.open-xchange.com" }}
+  - name: "sovereign-workplace-open-xchange-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable" }}

 releases:
  - name: "dovecot"
-    chart: "dovecot/dovecot"
-    version: "1.2.0"
+    chart: "dovecot-repo/dovecot"
+    version: "1.3.1"
    values:
      - "values-dovecot.yaml"
      - "values-dovecot.gotmpl"
    condition: "dovecot.enabled"
  - name: "open-xchange"
-    chart: "openxchange/appsuite-public-sector/charts/appsuite-public-sector"
+    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
    version: "1.2.13"
    values:
      - "values-openxchange.yaml"
      - "values-openxchange.gotmpl"
    condition: "oxAppsuite.enabled"
  - name: "sovereign-workplace-open-xchange-bootstrap"
-    chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
-    version: "1.2.2"
+    chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
+    version: "1.3.1"
    values:
      - "values-openxchange-bootstrap.yaml"
    condition: "oxAppsuite.enabled"
--- a/helmfile/apps/open-xchange/values-dovecot.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.gotmpl
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  url: "{{ .Values.images.dovecot.repository }}"
-  tag: "{{ .Values.images.dovecot.tag }}"
+  digest: "{{ .Values.images.dovecot.digest }}"

 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
@@ -0,0 +1,15 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
+  digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+...
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml
@@ -2,22 +2,5 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: false
-
-# resources:
-#   limits:
-#     # The max amount of CPUs to consume.
-#     cpu: 1
-#     # The max amount of RAM to consume.
-#     memory: "1Gi"
-#   requests:
-#     # The amount of CPUs which has to be available on the scheduled node.
-#     cpu: 1
-#     # The amount of RAM which has to be available on the scheduled node.
-#     memory: "256Mi"
-
-# Keep default values:
-# coreMiddleware:
-#   statefulSet: "open-xchange-core-mw-default-0"
-#   pod: "open-xchange-core-mw-default-0"
+  deletePodsOnSuccess: true
 ...
--- a/helmfile/apps/open-xchange/values-openxchange.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml
@@ -65,6 +65,7 @@ appsuite:
      com.openexchange.capability.smime: "true"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
+      com.openexchange.mail.transport.secondary.authType: "xoauth2"
      # Nextcloud integration
      com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
      com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "openproject"
-    url: "https://charts.openproject.org"
+  - name: "openproject-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://charts.openproject.org" }}

 releases:
  - name: "openproject"
-    chart: "openproject/openproject"
+    chart: "openproject-repo/openproject"
    version: "1.8.0"
    values:
      - "values.yaml"
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "ox-connector"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable"
+  - name: "ox-connector-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}

 releases:
  - name: "ox-connector"
-    chart: "ox-connector/ox-connector"
+    chart: "ox-connector-repo/ox-connector"
    version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
    values:
      - "values-oxconnector.yaml"
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -2,70 +2,85 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-certificates"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable"
-  - name: "postgresql"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable"
-  - name: "mariadb"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable"
-  - name: "postfix"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable"
-  - name: "istio-resources"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable"
-  - name: "clamav"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable"
-  - name: "bitnami"
-    url: "https://charts.bitnami.com/bitnami"
+  - name: "sovereign-workplace-certificates-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
+  - name: "postgresql-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable" }}
+  - name: "mariadb-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable" }}
+  - name: "postfix-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" }}
+  - name: "istio-resources-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
+  - name: "clamav-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable" }}
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry-1.docker.io/bitnamicharts" }}

 releases:
  - name: "sovereign-workplace-certificates"
-    chart: "sovereign-workplace-certificates/sovereign-workplace-certificates"
-    version: "1.2.1"
+    chart: "sovereign-workplace-certificates-repo/sovereign-workplace-certificates"
+    version: "1.2.2"
    values:
      - "values-certificates.gotmpl"
    condition: "certificates.enabled"
  - name: "redis"
-    chart: "bitnami/redis"
+    chart: "bitnami-repo/redis"
    version: "^17.9.3"
    values:
      - "values-redis.gotmpl"
      - "values-redis.yaml"
    condition: "redis.enabled"
  - name: "postgresql"
-    chart: "postgresql/postgresql"
+    chart: "postgresql-repo/postgresql"
    version: "2.0.0"
    values:
      - "values-postgresql.yaml"
      - "values-postgresql.gotmpl"
    condition: "postgresql.enabled"
  - name: "mariadb"
-    chart: "mariadb/mariadb"
+    chart: "mariadb-repo/mariadb"
    version: "2.0.0"
    values:
      - "values-mariadb.yaml"
      - "values-mariadb.gotmpl"
    condition: "mariadb.enabled"
  - name: "postfix"
-    chart: "postfix/postfix"
-    version: "1.8.0"
+    chart: "postfix-repo/postfix"
+    version: "1.13.0"
    values:
      - "values-postfix.yaml"
      - "values-postfix.gotmpl"
    condition: "postfix.enabled"
  - name: "clamav"
-    chart: "clamav/sovereign-workplace-clamav"
+    chart: "clamav-repo/sovereign-workplace-clamav"
    version: "2.1.0"
    values:
      - "values-clamav-distributed.gotmpl"
    condition: "clamavDistributed.enabled"
  - name: "clamav-simple"
-    chart: "clamav/clamav-simple"
+    chart: "clamav-repo/clamav-simple"
    version: "2.1.0"
    values:
      - "values-clamav-simple.gotmpl"
    condition: "clamavSimple.enabled"
  - name: "sovereign-workplace-gateway"
-    chart: "istio-resources/istio-gateway"
+    chart: "istio-resources-repo/istio-gateway"
    version: "1.1.2"
    values:
      - "values-istio-gateway.gotmpl"
--- a/helmfile/apps/services/values-postfix.gotmpl
+++ b/helmfile/apps/services/values-postfix.gotmpl
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 image:
  url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
-  tag: "{{ .Values.images.postfix.tag }}"
+  digest: "{{ .Values.images.postfix.digest }}"

 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
@@ -24,7 +24,7 @@ postfix:
        - "{{ .Values.smtp.host }} {{ .Values.smtp.username }}:{{ .Values.smtp.password }}"
  relayHost: "[{{ .Values.smtp.host }}]:587"
  relayNets: {{ .Values.cluster.networking.cidr }}
-  virtualTransport: "lmtps:dovecot.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:24"
+  virtualTransport: "lmtps:dovecot:24"
  smtpdSASLPath: "inet:dovecot:3659"
  {{- if .Values.clamavDistributed.enabled }}
  smtpdMilters: "inet:clamav-milter:7357"
--- a/helmfile/apps/univention-corporate-container/helmfile.yaml
+++ b/helmfile/apps/univention-corporate-container/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "univention-corporate-container"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable"
+  - name: "univention-corporate-container-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" }}

 releases:
  - name: "univention-corporate-container"
-    chart: "univention-corporate-container/univention-corporate-container"
+    chart: "univention-corporate-container-repo/univention-corporate-container"
    version: "1.0.10"
    values:
      - "values.yaml"
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "xwiki"
-    url: "https://xwiki-contrib.github.io/xwiki-helm"
+  - name: "xwiki-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://xwiki-contrib.github.io/xwiki-helm" }}

 releases:
  - name: "xwiki"
-    chart: "xwiki/xwiki"
+    chart: "xwiki-repo/xwiki"
    version: "1.1.1"
    wait: true
    timeout: 600
--- a/helmfile/apps/xwiki/values-init.gotmpl
+++ b/helmfile/apps/xwiki/values-init.gotmpl
@@ -1,20 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
---
-global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-xwiki:
-  url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/"
-  superadmin:
-    username: "superadmin"
-    password: {{ .Values.secrets.xwiki.superadminpassword | quote }}
-
-image:
-  repository: "{{ .Values.images.xwikiInit.repository }}"
-  tag: "{{ .Values.images.xwikiInit.tag }}"
-...
--- a/helmfile/environments/default/cluster.gotmpl
+++ b/helmfile/environments/default/cluster.gotmpl
@@ -19,6 +19,10 @@ cluster:
    domain: "cluster.local"
    # Kubernetes cluster network CIDR.
    cidr: "10.0.0.0/8"
+    # Ingress-gateway IP - only relevant for "NodePort" cluster services.
+    # When ingress and egress gateway use different ips, which results that pods can't self-discover their incoming ip,
+    # you need to provide the public (load-balanced) ingress gateways ip address.
+    ingressGatewayIP: ""

  container:
    # Used container engine in kubernetes cluster.
--- a/helmfile/environments/default/database.gotmpl
+++ b/helmfile/environments/default/database.gotmpl
@@ -32,6 +32,12 @@ databases:
    name: "CONFIGDB"
    username: "root"
    password: ""
+  synapse:
+    host: "postgresql"
+    name: "matrix"
+    username: "matrix_user"
+    password: ""
+    port: 5432
  xwiki:
    name: "xwiki"
    host: "mariadb"
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
@@ -12,16 +12,14 @@ global:
  hosts:
    collabora: "collabora"
    dimension: "integration"
-    element: "ucc"
+    element: "chat"
    etherpad: "etherpad"
    intercomService: "ics"
-    jitsi: "av"
-    jitsiPlain: "jitsi"
+    jitsi: "meet"
    keycloak: "id"
    meetingWidgetsBot: "meeting-widgets-bot"
    meetingWidgets: "meeting-widgets"
    newWorkBoardWidget: "whiteboard-widget"
-    moodle: "learn"
    nextcloud: "fs"
    openproject: "project"
    openxchange: "webmail"
@@ -38,21 +36,11 @@ global:

  ## Define docker registry address.
  #
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}

  ## Credentials to fetch images from private registry
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #
  imagePullSecrets:
    - "external-registry"
-
-  ## Define internal kubernetes domain, usually svc.cluster.local
-  ## Workaround for calico with postfix
-  #
-  internalDomain: "svc.cluster.local"
-
-  ## Define internal kubernetes network for postfix
-  ## Attention: Mail from this network can be sent without authentication!
-  #
-  internalNetwork: "10.0.0.0/8"
 ...
--- a/helmfile/environments/default/images.gotmpl
+++ b/helmfile/environments/default/images.gotmpl
@@ -12,7 +12,10 @@ images:
    tag: "23.05.2.2.1"
  dovecot:
    repository: "dovecot/dovecot"
-    tag: "2.3.20"
+    digest: "sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
+  element:
+    repository: "vectorim/element-web"
+    tag: "v1.11.35"
  freshclam:
    repository: "clamav/clamav"
    tag: "1.1.0_base"
@@ -47,9 +50,12 @@ images:
  keycloakBootstrap:
    repository: "souvap/tooling/images/ansible"
    tag: "4.10.0"
-  keycloakExtension:
+  keycloakExtensionHandler:
+    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
+    digest: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
+  keycloakExtensionProxy:
    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
-    tag: "latest"
+    digest: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
  mariadb:
    repository: "mariadb"
    tag: "10"
@@ -65,6 +71,9 @@ images:
  openproject:
    repository: "souvap/tooling/images/openproject/souvap"
    tag: "dev"
+  openxchangeBootstrap:
+    repository: "alpine/k8s"
+    digest: "sha256:199a4457602b4e260d9781358cd2e342f63c177f4bcfa8053493be01e57beddf"
  openxchangeCoreGuidedtours:
    repository: "appsuite-public-sector/core-guidedtours"
    tag: "8.5.0"
@@ -94,7 +103,7 @@ images:
    tag: "branch-jconde-listener-entrypoint-chaining"
  postfix:
    repository: "souvap/tooling/images/postfix"
-    tag: "1.0.0"
+    digest: "sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
  postgresql:
    repository: "postgres"
    tag: "15-alpine"
@@ -104,13 +113,19 @@ images:
  redis:
    repository: "bitnami/redis"
    tag: "7.0.12-debian-11-r0"
+  synapse:
+    repository: "matrixdotorg/synapse"
+    tag: "v1.87.0"
+  synapseWeb:
+    repository: "library/haproxy"
+    tag: "2.4"
  univentionCorporateServer:
-    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
-    tag: "20230806T234258"
+    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs@sha256"
+    tag: "286503f13726399284b49d4521f45fdbed81216875d78e76dcae20e0d8301f65"
+  wellKnown:
+    repository: "library/nginx"
+    tag: "1.23"
  xwiki:
    repository: "xwikisas/swp/xwiki"
    tag: "0.8-mariadb-tomcat"
-  xwikiInit:
-    repository: "curlimages/curl"
-    tag: "8.1.2"
 ...
--- a/helmfile/environments/default/persistence.gotmpl
+++ b/helmfile/environments/default/persistence.gotmpl
@@ -19,6 +19,7 @@ persistence:
    postgresql: "1Gi"
    prosody: "1Gi"
    redis: "1Gi"
+    synapse: "1Gi"
    univentionCorporateServer: "1Gi"
    xwiki: "1Gi"
 ...
--- a/helmfile/environments/default/replicas.gotmpl
+++ b/helmfile/environments/default/replicas.gotmpl
@@ -10,6 +10,7 @@ replicas:
  clamd: 1
  collabora: 1
  dovecot: 1
+  element: 2
  {{/* clamav-distributed */}}
  freshclam: 1
  {{/* clamav-distributed */}}
@@ -25,5 +26,8 @@ replicas:
  nextcloud: 1
  openproject: 1
  postfix: 1
+  synapse: 1
+  synapseWeb: 2
+  wellKnown: 2
  xwiki: 1
 ...
--- a/helmfile/environments/default/resources.gotmpl
+++ b/helmfile/environments/default/resources.gotmpl
@@ -14,17 +14,24 @@ resources:
  dovecot:
    limits:
      cpu: 0.5
-      memory: "0.25Gi"
+      memory: "250Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
+  element:
+    limits:
+      cpu: 1
+      memory: "250Mi"
+    requests:
+      cpu: 0.1
+      memory: "50Mi"
  freshclam:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  icap:
    limits:
      cpu: 2
@@ -35,24 +42,24 @@ resources:
  jibri:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "125Mi"
  jicofo:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  jitsi:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  jitsiKeycloakAdapter:
    limits:
      cpu: "100m"
@@ -63,45 +70,45 @@ resources:
  jvb:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  keycloak:
    limits:
      cpu: 2
      memory: "2Gi"
    requests:
      cpu: 0.1
-      memory: "0.75Gi"
+      memory: "750Mi"
  keycloakExtension:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  keycloakBootstrap:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  keycloakProxy:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  mariadb:
    limits:
      cpu: 2
      memory: "2Gi"
    requests:
      cpu: 0.1
-      memory: "0.5Gi"
+      memory: "500Mi"
  milter:
    limits:
      cpu: 4
@@ -115,49 +122,63 @@ resources:
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.5Gi"
+      memory: "500Mi"
  openproject:
    limits:
      cpu: 2
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  oxConnector:
    limits:
      cpu: 2
      memory: "2Gi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  postfix:
    limits:
      cpu: 0.5
-      memory: "0.25Gi"
+      memory: "250Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  postgresql:
    limits:
      cpu: 2
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  prosody:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  redis:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
+  synapse:
+    limits:
+      cpu: 4
+      memory: "4Gi"
+    requests:
+      cpu: 1
+      memory: "2Gi"
+  synapseWeb:
+    limits:
+      cpu: 1
+      memory: "250Mi"
+    requests:
+      cpu: 0.1
+      memory: "50Mi"
  univentionCorporateServer:
    limits:
      cpu: 2
@@ -165,6 +186,13 @@ resources:
    requests:
      cpu: 0.5
      memory: "1Gi"
+  wellKnown:
+    limits:
+      cpu: 1
+      memory: "250Mi"
+    requests:
+      cpu: 0.1
+      memory: "50Mi"
  xwiki:
    limits:
      cpu: 2
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -40,7 +40,7 @@ secrets:
    clientSecret:
      intercom: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum) }}
      matrix: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum) }}
-      jitsiPlain: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
+      jitsi: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
      ncoidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum) }}
      openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum) }}
      xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum) }}
@@ -54,17 +54,6 @@ secrets:
    adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum) }}
  jitsi:
    synapseAsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "as_token" | sha1sum) }}
-    synapseHsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "hs_token" | sha1sum) }}
-    jicofoAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jicofo_auth" | sha1sum) }}
-    componentAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "component_auth" | sha1sum) }}
-    jvbAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jvb_auth" | sha1sum) }}
-    jigasiAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jigasi_auth" | sha1sum) }}
-    jibriUserAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_user_auth" | sha1sum) }}
-    jibriRecorderAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_recorder_auth" | sha1sum) }}
-    rageshakeListingPass: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "rageshakeListingPass" | sha1sum) }}
-    conferencemapperSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "conferencemapperSecret" | sha1sum) }}
-    jitsiFeedbackBackend: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jitsiFeedbackBackend" | sha1sum) }}
-  jitsiPlain:
    jwtAppSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jwtAppSecret" | sha1sum) }}
    jibriRecorderPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriRecorderPassword" | sha1sum) }}
    jibriXmppPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum) }}
--- a/helmfile/environments/default/workplace.gotmpl
+++ b/helmfile/environments/default/workplace.gotmpl
@@ -15,6 +15,8 @@ collabora:
  enabled: true
 dovecot:
  enabled: true
+element:
+  enabled: true
 intercom:
  enabled: true
 jitsi:
Author	SHA1	Message	Date
Dominik Kaminski	83aeb4ece2	chore(release): 0.2.0 [skip ci] # [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15) ### Bug Fixes * helmfile: Replace bitnami repositories with OCI ([`4c21fd2`](`4c21fd2286`)) ### Features * helmfile: Implement private image/chart registry variables ([`5788323`](`5788323621`))	2023-08-15 10:40:25 +00:00
Dominik Kaminski	4c21fd2286	fix(helmfile): Replace bitnami repositories with OCI	2023-08-15 11:32:03 +02:00
Dominik Kaminski	5788323621	feat(helmfile): Implement private image/chart registry variables	2023-08-15 11:32:03 +02:00
Dominik Kaminski	3cad4ce886	chore(release): 0.1.2 [skip ci] ## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15) ### Bug Fixes * jitsi: Update support for NodePort setups with different ingress/egress ips ([`de25789`](`de257893d4`))	2023-08-15 09:20:34 +00:00
Dominik Kaminski	de257893d4	fix(jitsi): Update support for NodePort setups with different ingress/egress ips	2023-08-14 18:50:42 +02:00
Thomas Kaltenbrunner	dcbb9981f5	chore(release): 0.1.1 [skip ci] ## [0.1.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.0...v0.1.1) (2023-08-14) ### Bug Fixes * open-xchange: Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support ([`53796da`](`53796dae66`)) * open-xchange: Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1 ([`390f2de`](`390f2dee52`))	2023-08-14 10:32:36 +00:00
Thomas Kaltenbrunner	390f2dee52	fix(open-xchange): Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1	2023-08-14 11:18:35 +02:00
Thomas Kaltenbrunner	53796dae66	fix(open-xchange): Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support	2023-08-14 11:18:33 +02:00
Thomas Kaltenbrunner	2d376b35ed	chore(xwiki): Remove xwiki init	2023-08-14 11:17:29 +02:00
Dominik Kaminski	bcee05d537	chore(release): 0.1.0 [skip ci] # [0.1.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.6...v0.1.0) (2023-08-14) ### Bug Fixes * docs: Typo ([`ee684a7`](`ee684a7891`)) ### Features * element: Add element component ([`5f0ca92`](`5f0ca92a05`))	2023-08-14 08:36:35 +00:00
Thorsten Rossner	ee684a7891	fix(docs): Typo	2023-08-14 08:34:08 +00:00
Dominik Kaminski	5f0ca92a05	feat(element): Add element component	2023-08-14 08:48:42 +02:00
Thorsten Rossner	152b4fb7b5	chore(release): 0.0.6 [skip ci] ## [0.0.6](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.5...v0.0.6) (2023-08-14) ### Bug Fixes * open-xchange: Functional mailboxes auth settings update in AppSuite and Dovecot ([`53948ea`](`53948eae76`))	2023-08-14 06:44:08 +00:00
Thorsten Rossner	53948eae76	fix(open-xchange): Functional mailboxes auth settings update in AppSuite and Dovecot	2023-08-14 06:42:59 +00:00
Thorsten Rossner	48a87fb839	chore(release): 0.0.5 [skip ci] ## [0.0.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.4...v0.0.5) (2023-08-11) ### Bug Fixes * keycloak: Improve digest image pinning ([`b8a8932`](`b8a8932221`))	2023-08-11 09:31:56 +00:00
Thorsten Rossner	b8a8932221	fix(keycloak): Improve digest image pinning	2023-08-11 09:30:37 +00:00
Dominik Kaminski	37876a5a96	chore(release): 0.0.4 [skip ci] ## [0.0.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.3...v0.0.4) (2023-08-11) ### Bug Fixes * jitsi: Fix identifiers in resources ([`3a0b246`](`3a0b246f83`))	2023-08-11 08:52:59 +00:00
Dominik Kaminski	3a0b246f83	fix(jitsi): Fix identifiers in resources	2023-08-11 09:58:10 +02:00
Thorsten Rossner	d82e03f1ae	chore(release): 0.0.3 [skip ci] ## [0.0.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.2...v0.0.3) (2023-08-10) ### Bug Fixes * keycloak: Keycloak extensions sha256 image pinning, includes fix for failing keycloak extension handler on unavailable SMTP relay. ([`27ce715`](`27ce71554d`))	2023-08-10 13:42:26 +00:00
Thorsten Rossner	27ce71554d	fix(keycloak): Keycloak extensions sha256 image pinning, includes fix for failing keycloak extension handler on unavailable SMTP relay.	2023-08-10 13:41:13 +00:00
Thomas Kaltenbrunner	6e16e5fce8	chore(release): 0.0.2 [skip ci] ## [0.0.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.1...v0.0.2) (2023-08-10) ### Bug Fixes * services: Remove fqdn from dovecot in postfix ([`2033c76`](`2033c76d81`))	2023-08-10 10:40:53 +00:00
Thomas Kaltenbrunner	2033c76d81	fix(services): Remove fqdn from dovecot in postfix	2023-08-10 10:39:04 +00:00
Tobias Heinzmann	b253b193a0	chore(docs): Smoothen the README	2023-08-10 08:55:18 +00:00