chore(release): 0.4.6 [skip ci]

## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)

### Bug Fixes

* **openproject:** Use renamed registry open_desk ([a37faf3](a37faf3b57))

.gitlab-ci.yml

@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
-  - project: "souvap/tooling/gitlab-config"
+  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
     ref: "main"
     file:
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"
-  - project: "souvap/devops/sovereign-workplace-env"
+  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     file: "gitlab/environments.yaml"
+    rules:
+      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
 
 stages:
   - ".pre"
@@ -20,22 +22,17 @@ stages:
   - "component-deploy-stage-2"
   - "tests"
   - "env-stop"
-  - "post"
+  - "generate-release-assets"
+  - ".post"
 
 variables:
   NAMESPACE:
     description: "The name of namespaces to deploy to."
     value: ""
   CLUSTER:
-    description: "Define which cluster to use"
+    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
-    value: "develop"
+      sovereign-workplace-env included above."
-    options:
+    value: "dev"
-      - "dev"
-      - "qa"
-      - "ref"
-      - "develop"
-      - "hubble"
-      - "prototype"
   BASE_DOMAIN:
     description: "Define the Cluster Base Domain."
     value: "souvap.cloud"
@@ -61,10 +58,13 @@ variables:
       - "yes"
       - "no"
   DEPLOY_UCS:
-    description: "Enable Univention Corporate Server deployment."
+    description: >-
+      Enable Univention Corporate Server deployment.
+      "ums-eval" does deploy the Univention Management Stack instead of the UCS container.
     value: "no"
     options:
       - "yes"
+      - "ums-eval"
       - "no"
   DEPLOY_PROVISIONING:
     description: "Enable Provisioning Components."
@@ -78,6 +78,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_ELEMENT:
+    description: "Enable Element deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_KEYCLOAK:
     description: "Enable Keycloak deployment."
     value: "no"
@@ -126,9 +132,18 @@ variables:
     options:
       - "yes"
       - "no"
-  TESTS_PROJECT_URL:
+  TESTS_BRANCH:
-    description: "URL of the E2E-test gitlab project API with project ID."
+    description: "Branch of E2E-tests on which the test pipeline is triggered"
-    value: "gitlab.souvap-univention.de/api/v4/projects/6"
+    value: "main"
+  RUN_UMS_TESTS:
+    description: "Run E2E test suite of SouvAP Dev team"
+    value: "no"
+    options:
+      - "yes"
+      - "no"
+  UMS_TESTS_BRANCH:
+    description: "Branch of E2E test suite of SouvAP Dev team"
+    value: "main"
   # please use the following set of variables with normalized names:
   DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
   ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -138,23 +153,6 @@ variables:
   dependencies: []
   extends: ".environments"
   image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
-  secrets:
-    SMTP_PASSWORD:
-      vault:
-        engine:
-          name: "kv-v2"
-          path: "swp"
-        path: "accounts/brained/mail/relay@souvap-univention.de"
-        field: "password"
-      file: false
-    TURN_CREDENTIALS:
-      vault:
-        engine:
-          name: "kv-v2"
-          path: "swp"
-        path: "accounts/souvap-univention.de/develop/turn/secret"
-        field: "credentials"
-      file: false
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
     # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -192,7 +190,7 @@ env-cleanup:
 env-start:
   environment:
     name: "${NAMESPACE}"
-    url: "https://portal.${NAMESPACE}.${SWP_DOMAIN}"
+    url: "https://portal.${DOMAIN}"
     on_stop: "env-stop"
   extends: ".deploy-common"
   image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
@@ -233,7 +231,7 @@ ucs-deploy:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
           $NAMESPACE =~ /.+/ &&
-          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no")
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS == "yes")
       when: "always"
   variables:
     COMPONENT: "univention-corporate-container"
@@ -250,6 +248,18 @@ provisioning-deploy:
   variables:
     COMPONENT: "provisioning"
 
+ums-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          $DEPLOY_UCS == "ums-eval"
+      when: "always"
+  variables:
+    COMPONENT: "univention-management-stack"
+
 keycloak-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
@@ -278,6 +288,7 @@ keycloak-bootstrap-deploy:
 ox-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
+  timeout: "30m"
   rules:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -359,6 +370,18 @@ jitsi-deploy:
   variables:
     COMPONENT: "jitsi"
 
+element-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ELEMENT != "no")
+      when: "always"
+  variables:
+    COMPONENT: "element"
+
 env-stop:
   extends: ".deploy-common"
   environment:
@@ -393,67 +416,183 @@ run-tests:
       when: "always"
   script:
     - |
-      COMPONENTS="login or portal or profile or navigation"
-      if [ "${DEPLOY_ALL_COMPONENTS}" != "no" ]; then
-        COMPONENTS="${COMPONENTS} or collabora or ics or jitsi or keycloak or nextcloud or openproject or ox or ucs \
-          or xwiki"
-      else
-        [ "${DEPLOY_COLLABORA}" != "no" ] && COMPONENTS="${COMPONENTS} or collabora"
-        [ "${DEPLOY_ICS}" != "no" ] && COMPONENTS="${COMPONENTS} or ics"
-        [ "${DEPLOY_JITSI}" != "no" ] && COMPONENTS="${COMPONENTS} or jitsi"
-        [ "${DEPLOY_KEYCLOAK}" != "no" ] && COMPONENTS="${COMPONENTS} or keycloak"
-        [ "${DEPLOY_NEXTCLOUD}" != "no" ] && COMPONENTS="${COMPONENTS} or nextcloud"
-        [ "${DEPLOY_OPENPROJECT}" != "no" ] && COMPONENTS="${COMPONENTS} or openproject"
-        [ "${DEPLOY_OX}" != "no" ] && COMPONENTS="${COMPONENTS} or ox"
-        [ "${DEPLOY_UCS}" != "no" ] && COMPONENTS="${COMPONENTS} or ucs"
-        [ "${DEPLOY_XWIKI}" != "no" ] && COMPONENTS="${COMPONENTS} or xwiki"
-      fi
-
-      echo "Gathering passwords from UCS container ..."
       UCS_CONTAINER_NAME=$( \
-        kubectl -n ${NAMESPACE} get pods --no-headers \
+        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
-        --selector 'app.kubernetes.io/instance=univention-corporate-container' \
+          'app.kubernetes.io/instance=univention-corporate-container' \
-       | awk '{print $1}' \
+        | grep Running \
+        | awk '{print $1}' \
       )
-      echo "UCS_CONTAINER_NAME: ${UCS_CONTAINER_NAME}"
       DEFAULT_USER_PASSWORD=$( \
         kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
         | grep DEFAULT_ACCOUNT_USER_PASSWORD \
         | awk '{print $2}' \
       )
-      DEFAULT_ADMIN_PASSWORD=$( \
+      DEFAULT_ADMIN_PASSWORD=$(
         kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
         | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
         | awk '{print $2}' \
       )
 
-      echo "triggering test pipeline ..."
+      curl --request POST \
-      curl -X POST \
+      --header "Content-Type: application/json" \
-        -F "ref=main" \
+      --data "{ \
-        -F "token=${CI_JOB_TOKEN}" \
+        \"ref\": \"${TESTS_BRANCH}\", \
-        -F "variables[url]=https://portal.${DOMAIN}" \
+        \"token\": \"${CI_JOB_TOKEN}\", \
-        -F "variables[user_name]=${DEFAULT_USER_NAME}" \
+        \"variables\": { \
-        -F "variables[user_password]=${DEFAULT_USER_PASSWORD}" \
+          \"url\": \"https://portal.${DOMAIN}\", \
-        -F "variables[admin_name]=${DEFAULT_ADMIN_NAME}" \
+          \"user_name\": \"${DEFAULT_USER_NAME}\", \
-        -F "variables[admin_password]=${DEFAULT_ADMIN_PASSWORD}" \
+          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
-        -F "variables[components]=\"${COMPONENTS}\"" \
+          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
-        https://${TESTS_PROJECT_URL}/trigger/pipeline
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
+          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
+          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
+          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
+          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
+          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
+          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
+          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
+          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
+          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
+          \"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
+          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
+          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
+        } \
+      }" \
+      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
 
+run-souvap-dev-tests:
+  extends: ".deploy-common"
+  environment:
+    name: "${NAMESPACE}"
+  tags:
+    - "docker"
+    - "kubernetes"
+    - "${CLUSTER}"
+  stage: "tests"
+  rules:
+    - if: >
+        $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
+      when: "always"
+  script:
+    - |
+      UCS_CONTAINER_NAME=$( \
+        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
+          'app.kubernetes.io/instance=univention-corporate-container' \
+        | grep Running \
+        | awk '{print $1}' \
+      )
+      DEFAULT_USER_PASSWORD=$( \
+        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
+        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
+        | awk '{print $2}' \
+      )
+      DEFAULT_ADMIN_PASSWORD=$(
+        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
+        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
+        | awk '{print $2}' \
+      )
+
+      curl --request POST \
+      --header "Content-Type: application/json" \
+      --data "{ \
+        \"ref\": \"${UMS_TESTS_BRANCH}\", \
+        \"token\": \"${CI_JOB_TOKEN}\", \
+        \"variables\": { \
+          \"portal_base_url\": \"https://portal.${DOMAIN}\", \
+          \"username\": \"${DEFAULT_USER_NAME}\", \
+          \"password\": \"${DEFAULT_USER_PASSWORD}\", \
+          \"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"keycloak_base_url\": \"https://id.${DOMAIN}\" \
+        } \
+      }" \
+      "https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
+
+generate-release-assets:
+  stage: "generate-release-assets"
+  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "always"
+    - when: "never"
+  script:
+    - |
+      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
+      cd opendesk-asset-generator
+      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
+      ./opendesk_asset_generator.py
+      mv ./build_artefacts ${CI_PROJECT_DIR}
+      cd ..
+      rm -rf opendesk-asset-generator
+      ls -l ./build_artefacts
+  artifacts:
+    paths:
+      - "./build_artefacts/chart-index.json"
+      - "./build_artefacts/image-index.json"
+  tags: []
+  variables:
+    ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
+
+
+# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
+# 'cache' is used because job must contain at least one key, so cache is just a dummy key.
+.environments:
+  cache: {}
 
 # Overwrite shared settings
 .common-semantic-release:
   image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
-  except:
+  tags: []
-    - "tags"
-    - "web"
 
 common-yaml-linter:
-  except:
+  rules:
-    - "tags"
+    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
-    - "web"
+      when: "never"
+    - when: "always"
 
 reuse-linter:
   allow_failure: false
-  except:
+  rules:
-    - "tags"
+    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
-    - "web"
+      when: "never"
+    - when: "always"
+
+generate-release-version:
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false'"
+      when: "always"
+
+release:
+  dependencies:
+    - "generate-release-assets"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "always"
+  script:
+    - |
+      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
+      {
+        "branches": ["main"],
+        "plugins": [
+          ["@semantic-release/gitlab",
+            {
+              "assets": [
+                { "path": "./build_artefacts/chart-index.json",
+                  "label": "Chart Index JSON" },
+                { "path": "./build_artefacts/image-index.json",
+                  "label": "Image Index JSON" },
+              ]
+            }
+          ],
+          "@semantic-release/release-notes-generator",
+          "@semantic-release/changelog",
+          ["@semantic-release/git", {
+            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md"],
+            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+          }]
+        ]
+      }
+      EOF
+    - "semantic-release"
+...

.reuse/dep5

@@ -0,0 +1,8 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: openDesk
+Upstream-Contact: <git+bmi-souveraener-arbeitsplatz-cla-1339-29pr0g9pj4or9yi6wfly6pbhg-issue@opencode.de>
+Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace
+
+Files: helmfile/environments/default/theme/*
+Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+License: Apache-2.0

CHANGELOG.md

@@ -1,3 +1,302 @@
+## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)
+
+
+### Bug Fixes
+
+* **openproject:** Use renamed registry open_desk ([a37faf3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a37faf3b5769aea9944ffa7626096c16296dcc85))
+
+## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26)
+
+
+### Bug Fixes
+
+* **helmfile:** Streamline timeouts ([2703615](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2703615dffb2ba5c70704a4f08bb0485629218f3))
+
+## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25)
+
+
+### Bug Fixes
+
+* **open-xchange:** Updates for mail templates and mail export ([ae3d0da](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ae3d0daa117d3d0ff307f379590394914a757546))
+
+## [0.4.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.2...v0.4.3) (2023-09-25)
+
+
+### Bug Fixes
+
+* **nextcloud:** Update image to 27.1.1 ([ce7e5f6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ce7e5f670a4dbc980eb8be73e5f7d15b27e8b1de))
+
+## [0.4.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.1...v0.4.2) (2023-09-21)
+
+
+### Bug Fixes
+
+* **nextcloud:** Add Nextcloud app for OpenProject integration; Bump Collabora Image ([f46c8a9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f46c8a9a5f4f9778cb171d65e9a0280e4ce61c16))
+
+## [0.4.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.0...v0.4.1) (2023-09-19)
+
+
+### Bug Fixes
+
+* **univention-management-stack:** Remove doublette triple dashes in helmfile.yaml ([41b9afb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41b9afb3648a0e1fddc5aa4337cc1501756b370c))
+
+# [0.4.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.2...v0.4.0) (2023-09-18)
+
+
+### Features
+
+* **ci:** Optionally trigger E2E tests of the SouvAP Dev team ([a99c088](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a99c088361b95b2bb7ee2b161e3a254f02bcd9ae))
+
+## [0.3.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.1...v0.3.2) (2023-09-14)
+
+
+### Bug Fixes
+
+* **helmfile:** Fix linter issues ([1514678](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1514678db00d32c1463d8fc496c0e6d1c2a2df96))
+* **univention-management-stack:** Add "commonLabels" into helmfile ([16c08f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16c08f82c9b4934567bb3b9c7fccab754bfad494))
+* **univention-management-stack:** Add Helm charts ([a74d662](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a74d66240423fd5ba87854cc2b71132f11271ec7))
+* **univention-management-stack:** Add switch "univentionManagementStack.enabled" ([471a2fa](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/471a2fa26205b8ca3afb5eeeb4524897a57f5c20))
+* **univention-management-stack:** Adjust Ingress configuration for portal-server ([13bcd78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/13bcd785e8f7db22d20903020e0cdd28094309a9))
+* **univention-management-stack:** Adjust Ingress configuration for umc ([320da3b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/320da3bec3a49d974765e567878d5c2f2b4e93ef))
+* **univention-management-stack:** Adjust Ingress configuration of notifications-api ([5e1a7b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5e1a7b19e278147d010c48dac2da111f828dd115))
+* **univention-management-stack:** Adjust ingress configuration of the portal-frontend ([c54bab1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c54bab165bf81854471d790200781b4181eba22a))
+* **univention-management-stack:** Adjust Ingress configuration of udm-rest-api ([c61b1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c61b1b828150caa8d2fe1a5b9f0a862b2fbef4f1))
+* **univention-management-stack:** Adjust Ingress conifguration of store-dav ([96097e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/96097e470483a5251acd81eb772da70ad7f55137))
+* **univention-management-stack:** Configure cookie banner data ([12c931f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/12c931fcff5536116af11df1c9c0468429949fe2))
+* **univention-management-stack:** Define resource requests and limits ([2f8a298](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2f8a2989250ea0f3b50dd3417f214a8864fe62d0))
+* **univention-management-stack:** Disable istio for the stack ([4835a2b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4835a2beec408ec6267177f82257edd9ccb0d937))
+* **univention-management-stack:** Prepare persistence configuration ([7ab1cb5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ab1cb5c7e7bca85394eae2ed17141e513dd5a42))
+* **univention-management-stack:** Process bases before releases ([ec3f1d9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ec3f1d96ac17cf1fb9d34ab692240460d5bd4ba1))
+* **univention-management-stack:** Set externalDomainName for bootstrapping the stack ([0ba71f2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ba71f2749eaf51b09429a5f3c705bd0075c1efa))
+* **univention-management-stack:** Split templated from static values ([09079a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/09079a13031be7894a34bf92945bd25a040c2290))
+* **univention-management-stack:** Split values into templated and static ([d3c4390](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d3c439038a2551ec90324ab8659d24b65b223d4f))
+* **univention-management-stack:** Update portal-listener to leverage dependency waiting ([c840608](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c84060811229bb131bcd473a9e4668dfa73f97d7))
+* **univention-management-stack:** Use global secrets to fill initialPasswordAdministrator ([a4bab40](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a4bab4068dc298056ed864e60a244d49a2934c8b))
+* **univention-management-stack:** Use global secrets to populate ldap related secrets ([9409ad8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9409ad829a725c84ebc3de5d1c4d42fe735e9d0c))
+* **univention-management-stack:** Use global secrets to set store-dav related passwords ([90019e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/90019e3ef6de5e4ed1742ee9ddc3bbb256cd3dec))
+* **univention-management-stack:** Use ldap base DN "dc=swp-ldap,dc=internal" ([77e362f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/77e362f6bc053c5d456bf65649f15130ce53547c))
+* **univention-management-stack:** Use postgresql service for notifications-api ([fe0e0cd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fe0e0cdce4622352afbf74875adcae8324d769a3))
+* **univention-management-stack:** Use the prefix "ums-" for all releases ([edb25bd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/edb25bd7655beeefa73a62fb9a8c85e076c4cc2f))
+* **univention-management-stack:** Use the value "global.imagePullPolicy" ([15db5dc](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15db5dcbba33c39f752499f2d73c77cac32d1e8c))
+
+## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)
+
+
+### Bug Fixes
+
+* **collabora:** Update Ingress annotations and set securityContext ([b5583ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b5583caec10c24e3bfb312edcb2800e6a60a9b10))
+* **element:** Improve default container security settings ([882f1fb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/882f1fbc93ceb4ac33683d445e100e445798b202))
+* **element:** Update opendesk element version to 2.0.1 ([d725b93](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d725b937989987ffacf87d7a9ee05803dcdd4c93))
+* **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e120f5fb9a91b80ba71ce78eace99852b4da5fda))
+* **helmfile:** Update images and use a tag and digest together ([c7fc187](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c7fc187f14b78cdcc698abbbaec1ba0bbfc718a1))
+* **services:** Explicitly set securityContexts ([a799db0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a799db03c4115ba69303be1c265f7aefef95d659))
+* **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e1070eeb0602523c240a91dae1b0869a7cc42a78))
+
+# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)
+
+
+### Features
+
+* **ci:** Selective tests ([d2e7ac9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d2e7ac93481249e9eb7e5e1a41a6c6e333abe2dc))
+
+## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
+
+
+### Bug Fixes
+
+* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
+* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
+* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
+* **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ed7e5e428e5d9213a92f97dc03d72fa3e04334c2))
+* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
+* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
+* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
+* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
+* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
+
+## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
+
+
+### Bug Fixes
+
+* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
+* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
+* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
+* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
+* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
+* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
+* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
+* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
+
+## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
+
+
+### Bug Fixes
+
+* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e5ef639c22aad93fd2d0eb75f7a1ffc00d6cc9a))
+* **docs:** Add security part in README ([ff462ab](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ff462ab0dc2252cc7b517874f5337427b8d19053))
+* **docs:** Update scaling docs ([63a1e25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/63a1e2568e8c5ff62081c6e6594d2019c1aa4b74))
+* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c5ab1b81fecbce46788c50b282ed6d1770124fa5))
+* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4f2a8aeee4ee6c3d27b1c8a99bad14f603486be5))
+* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e68f7f28c937319d93f8afe1dbb302012f77233))
+* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cef11acbae28510809f9bfa13224dc3a6996207f))
+* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41d40c9b731b866da2666fa4ffa8cb6493737112))
+* **services:** Enable security context and use default increased security settings ([9a6d240](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9a6d2409a697f7e9811a0f4f8d31bb18bac1b926))
+* **services:** Fix image registry templates for postfix ([6321ff5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6321ff50a00203abbfb7f5822e67a3c0e00d4b01))
+* **services:** Replace image digest by tag ([f758293](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f7582932412f13b1a087d40459e97cf633b1a97e))
+* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5fbf86b6bc7b63c81b3ac07c5e0fa8cd464fdad1))
+* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9d7866480cee889fd3b3003b2eea313a6ed73344))
+
+## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)
+
+
+### Bug Fixes
+
+* **open-xchange:** Update images and Helm chart ([39565c7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/39565c7cfd89a8d1c2e645e3ecea28fba703ccc1))
+
+## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)
+
+
+### Bug Fixes
+
+* **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/387bd8715c5a1cf54733c6642cf57c6ef9a44316))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.4...v0.2.5) (2023-08-30)
+
+
+### Bug Fixes
+
+* **xwiki:** Theming and language of central navigation ([3d4d45f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3d4d45f7114e6e3bc353b8d6c5fdbcac4cb2460f))
+
+## [0.2.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.3...v0.2.4) (2023-08-29)
+
+
+### Bug Fixes
+
+* **element:** Apply the global theme to Element ([7f7eae8](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7f7eae8f99a6d8ad8085ad99c63af27b858ff9b7))
+
+## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29)
+
+
+### Bug Fixes
+
+* **ci:** Add central branding information ([a14c42f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/a14c42f6ed2e3d8e12af5d04cae1a4bb1336fb3d))
+
+## [0.2.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.1...v0.2.2) (2023-08-16)
+
+
+### Bug Fixes
+
+* **jitsi:** Allow configuration of LoadBalancer status field for patchJVB job ([7491582](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7491582c28c21e83a0bc6349fb68045472146aad))
+* **open-xchange:** Explicitly disable core-ui-middleware ingress ([06dc7a1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/06dc7a115d36841f1109f9e75aac844d934c2f4c))
+
+## [0.2.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.0...v0.2.1) (2023-08-16)
+
+
+### Bug Fixes
+
+* **keycloak:** Increase proxy-buffer-size for ingress-nginx ([d8adcc4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/d8adcc463adc8bec5a793a97977dddd89d7363cc))
+
+# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)
+
+
+### Bug Fixes
+
+* **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/4c21fd228654520bb71d56dc1bda96332334002b))
+
+
+### Features
+
+* **helmfile:** Implement private image/chart registry variables ([5788323](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/57883236219811d2a5fc422649b4f9b042a0ac22))
+
+## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15)
+
+
+### Bug Fixes
+
+* **jitsi:** Update support for NodePort setups with different ingress/egress ips ([de25789](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/de257893d4ff2b3e8ea1d6988c6bdde5ed1eae9a))
+
+## [0.1.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.0...v0.1.1) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support ([53796da](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53796dae660463207a460b387b6f3dd23ce20cd0))
+* **open-xchange:** Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1 ([390f2de](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/390f2dee5226b83855a6cca8bf1c0d0f5647ee34))
+
+# [0.1.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.6...v0.1.0) (2023-08-14)
+
+
+### Bug Fixes
+
+* **docs:** Typo ([ee684a7](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/ee684a78910ce721ea834e9ec2f4222ed37572c6))
+
+
+### Features
+
+* **element:** Add element component ([5f0ca92](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/5f0ca92a058e51a27aa56e35ebcf2048bad88671))
+
+## [0.0.6](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.5...v0.0.6) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Functional mailboxes auth settings update in AppSuite and Dovecot ([53948ea](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53948eae7648cc9785d2b8a813fc7e40b36aa3aa))
+
+## [0.0.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.4...v0.0.5) (2023-08-11)
+
+
+### Bug Fixes
+
+* **keycloak:** Improve digest image pinning ([b8a8932](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/b8a8932221ae4d6632c7d1f4a85f46fea01a92e7))
+
+## [0.0.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.3...v0.0.4) (2023-08-11)
+
+
+### Bug Fixes
+
+* **jitsi:** Fix identifiers in resources ([3a0b246](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3a0b246f83dc6a3ff19973959b3cf3c243c39025))
+
+## [0.0.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.2...v0.0.3) (2023-08-10)
+
+
+### Bug Fixes
+
+* **keycloak:** Keycloak extensions sha256 image pinning, includes fix for failing keycloak extension handler on unavailable SMTP relay. ([27ce715](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/27ce71554d5f495731d90632a56e134762b95a25))
+
+## [0.0.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.1...v0.0.2) (2023-08-10)
+
+
+### Bug Fixes
+
+* **services:** Remove fqdn from dovecot in postfix ([2033c76](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/2033c76d81e39c625112b312934668d3b3eb43fe))
+
 ## 0.0.1 (2023-08-10)
 
 

COMPONENTS-FUNCTIONAL.md

@@ -17,7 +17,7 @@ Functional components are the core of the SWP as they provide it's rich function
 
 ## File & Share - Nextcloud
 
-## Kollaboration - dOnlineZusammenarbeit 2.0
+## Kollaboration - Element
 
 ## Videokonferenzen - Jitsi
 
@@ -25,4 +25,4 @@ Functional components are the core of the SWP as they provide it's rich function
 
 ## Project Management - OpenProject
 
-## IAM - Univention Corporate Services
+## Portal & IAM - Univention Corporate Services

COMPONENTS-SERVICE.md

@@ -42,7 +42,7 @@ This service is used by:
 
 ## TURN Server
 
-- dOZ 2.0
+This services is used by:
 - Jitsi
 
 ## NFS

CONTRIBUTING.md

@@ -9,17 +9,17 @@ Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/b
 
 # How to contribute?
 
-When providing contributes to this project, please adhere to the standards and conventions described in further down in this document. Doing so please feel free to create merge requests.
+When providing contributes to this project, please adhere to the standards and conventions described further down in this document. Doing so please feel free to create merge requests.
 
 # Standards and conventions
 
 ## Branching
 
-We use of [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
+We use [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
 
 ## Verified commits
 
-We only allow verify commits:
+We only allow verified commits:
 - https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/
 - https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/
 - https://docs.gitlab.com/ee/user/project/repository/x509_signed_commits/
@@ -80,7 +80,7 @@ Due to DVS requirements:
 - we should avoid stand alone Manifests.
 - we do not use Operators and CRDs.
 
-In order to align the Helm files from various sources into an unified deployment of the SWP we make use of to [Helmfile](https://github.com/helmfile/helmfile).
+In order to align the Helm files from various sources into an unified deployment of the SWP we make use of [Helmfile](https://github.com/helmfile/helmfile).
 
 ## Tooling
 

README.md

@@ -8,47 +8,63 @@ SPDX-License-Identifier: Apache-2.0
 
 # Disclaimer August 2023
 
-The current state of the SWP is missing one component which is not yet generally available to the public also
+The current state of the Sovereign Workplace contains components that are going to be
-outside the SWP (Element Starter Edition), and contains components that will be replaced (e.g. UCS dev container
+replaced. Like for example the UCS dev container monolith will be substituted by
-monolith to be replaced by multiple Univention Management Stack containers).
+multiple Univention Management Stack containers.
-In the next months we not only expect upstream updates of the functional components within their feature scope but we
-are going to address operational issues like monitoring and network policies.
 
-Of course we will also extend the documentation.
+In the next months we not only expect upstream updates of the functional
+components within their feature scope, but we are also going to address
+operational issues like monitoring and network policies.
 
-In any case we love to get feedback from you! Related to the deployment / contents of this repository please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
+Of course, further development also includes enhancing the documentation.
 
-If you want to address other topics, please check the section ["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
+The first release of the Sovereign Workplace is scheduled for December 2023.
+Before that release there will be breaking changes in the deployment.
 
-The first release of the SWP is scheduled for December 2023. Before that release there will be breaking changes in the deployment.
 
 # The Sovereign Workplace (SWP)
 
-The SWP's runtime environment is [Kubernetes](https://kubernetes.io/), often written in it's short form "K8s".
+The Sovereign Workplace's runtime environment is [Kubernetes](https://kubernetes.io/), or "K8s" in
+short.
 
-While not all components are perfectly shaped for the execution as containers, one of the projects objectives is the
+While not all components are still perfectly shaped for the execution inside
-make the applications more aligned with best practise when it comes to container design and operations.
+containers, one of the projects objectives is it to align the applications
+with the best practises regarding container design and operations.
 
-This documentation gives you - hopefully - all you need to setup your own instance of the SWP. You should have at least
+This documentation aims to give you all that is needed to set up your own
-basic knowledge Kubernetes and Devops knowledge.
+instance of the Sovereign Workplace. Basic knowledge of Kubernetes and Devops is
+required though.
 
-To have an overview of what can be found at Open CoDE and the basic components of the SWP, please check out the
+To have an overview of what can be found at Open CoDE and the basic components
-[OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the
+of the Sovereign Workplace, please check out the
-[Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info).
+[OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md) in the [Info repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info).
 
-Especially check out the section
+We love to get feedback from you! Related to the deployment / contents of this
-["Mitwirkung und Beteiligung"](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#mitwirkung-und-beteiligung)
+repository please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
-if you are missing something or you have questions. We appreciate your feedback to improve product and documentation.
 
+If you want to address other topics, please check the section
+["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
+
+# Releases
+
+All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
+
+Gitlab provides an [overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases) of this project.
+
+The following release artefacts are provided beside the default source code assets:
+- `chart-index.json`: An overview of all Helm charts used by the release.
+- `image-index.json`: An overview of all container images used by the release.
 # Deployment
 
-**Note for project members:** You can use the project's `dev` K8s cluster to setup your own development instance. Please see the project `sovereign-workplace-env` on the internal Gitlab for more details.
+**Note for project members:** You can use the project's `dev` K8s cluster to set
+up your own instance for development purposes. Please see the project
+`sovereign-workplace-env` on the internal Gitlab for more details.
 
 ## Prerequisites
 
 ### Mandatory technical prerequisites
 
-You have to take care about the following prerequisites in order to deploy the SWP:
+These are the requirements of the Sovereign Workplace deployment:
 
 - Vanilla K8s cluster
 - Domain and DNS Service
@@ -57,8 +73,7 @@ You have to take care about the following prerequisites in order to deploy the S
 [HelmDiff](https://github.com/databus23/helm-diff)
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
-- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are working with Open-Xchange
+- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
-to get rid of this dependency.
 
 #### TLS Certificate
 
@@ -68,25 +83,28 @@ You can set the ClusterIssuer via `certificate.issuerRef.name`
 
 ### Required input variables
 
-You need to expose following variables to run the installation.
+You need to expose following environment variables in order to run the
+installation.
 
-| name                | default                      | description                                       |
+| name                | default               | description                                       |
-|---------------------|------------------------------|---------------------------------------------------|
+|---------------------|-----------------------|---------------------------------------------------|
-| `DOMAIN`            | `souvap-univention.de`       | External reachable domain                         |
+| `DOMAIN`            | `souvap.cloud`        | External reachable domain                         |
-| `ISTIO_DOMAIN`      | `istio.souvap-univention.de` | External reachable domain for Istio Gateway       |
+| `ISTIO_DOMAIN`      | `istio.souvap.cloud`  | External reachable domain for Istio Gateway       |
-| `MASTER_PASSWORD`   | `sovereign-workplace`        | The password that seeds the autogenerated secrets |
+| `MASTER_PASSWORD`   | `sovereign-workplace` | The password that seeds the autogenerated secrets |
-| `SMTP_PASSWORD`     |                              | Password for SMTP relay gateway                   |
-| `TURN_CREDENTIALS`  |                              | Credentials for coturn server                     |
 
-Please ensure you have set DNS records pointing to the respective loadbalancer/IP for `DOMAIN` and `ISTIO_DOMAIN`.
+Please ensure that you set the DNS records pointing to the loadbalancer/IP for
+`DOMAIN` and `ISTIO_DOMAIN`.
 
-If you want inbound mail also use MX records that point to the Postfix's pods public IP.
+If you want inbound email you need to set the MX records that points to the
+public IP address of the Postfix-pods.
 
-More details on the DNS options incl. SPF/DKIM and autodiscovery options to come...
+More details on DNS options including SPF/DKIM and autodiscovery options
+are to come...
 
 ### Optional or feature based prerequisites
 
-All of these requirements are optional as long as you do not want to make use of the given feature.
+All of these requirements are optional as long as you do not want to use the
+related feature.
 
 | Feature                      | Component(s)   | Requirement                 |
 |------------------------------|----------------|-----------------------------|
@@ -97,47 +115,75 @@ All of these requirements are optional as long as you do not want to make use of
 
 ## CI based deployment
 
-The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
+The project includes a `.gitlab-ci.yml` that allows you to execute the
+deployment from a Gitlab instance of your choice.
 
-Please ensure you provide the variables listed in the `Required input variables` section.
+Please ensure to provide the environment variables listed at
+[Required input variables](#required-input-variables).
 
-When starting the CI through the Gitlab UI you will be queried for some of the variables plus the following ones:
+When starting the pipeline through the Gitlab UI you will be queried for some
+of the variables plus the following ones:
 
-- `BASE_DOMAIN`: The base domain the SWP will be installed at e.g. `souvap.cloud`
+- `BASE_DOMAIN`: The base domain the SWP will use. For example: `souvap.cloud`
 - `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
-- `MASTER_PASSWORD_WEB_VAR`: Overwrite value of `MASTER_PASSWORD`
+- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
 
 Based on your input the following variables will be set:
 - `DOMAIN` = `NAMESPACE`.`BASE_DOMAIN`
 - `ISTIO_DOMAIN` = istio.`DOMAIN`
-- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR` if that is not given `MASTER_PASSWORD` will be used, that could be set as masked CI variable in Gitlab or as a fallback the default value of `MASTER_PASSWORD`.
+- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
+is not set, the default for `MASTER_PASSWORD` will be used, unless you set
+`MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supercede the default.
 
-You might want to set password / credential variables in the projects `Settings` > `CI/CD` > `Variables`.
+You might want to set credential variables in the Gitlab project at
+`Settings` > `CI/CD` > `Variables`.
 
 ## Local deployment
 
-Please ensure you have set the `Required input variables` (see section above) and have also read the `Helmfile` section below for non default configurations. Then go with
+Please ensure to provide the environment variables listed at
+[Required input variables](#required-input-variables).
+Also, please read [Helmfile](#helmfile) a little below in case of a non default
+configuration.
+
+Then go with
 
 ```shell
 helmfile apply -n <NAMESPACE>
 ```
 
-and wait. After the deployment are finished some bootstrapping is executed which might take some more minutes before you can login.
+and wait a little. After the deployment is finished some bootstrapping is
+executed which might take some more minutes before you can log in your new
+instance.
+
+## Offline deployment
+
+Before executing a [local deployment](#local-deployment), you can set following
+environment variables to use your own container image and helm chart registry:
+
+| name                         | description                    |
+|------------------------------|--------------------------------|
+| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
+| PRIVATE_IMAGE_REGISTRY_URL   | Your image registry url        |
 
 ## Logging in
 
-When successfully deployed the SWP all K8s jobs from the deployment should be in the status `Succeeded` and all pods should be up an `Running`.
+When successfully deployed the SWP, all K8s jobs from the deployment should be
+in the status `Succeeded` and all pods should be `Running`.
 
 You should see the portal's login page at `https://portal.<DOMAIN>`.
 
-Off the shelf you get two accounts with passwords you can lookup in the `univention-corporate-container-*` pod environment:
+Off the shelf you get two accounts with passwords you can look up in the
+`univention-corporate-container-*` pod environment. You can use a shell on that
+container or a `kubectl describe`-command to get the credentials.
 
 | Username / Login   | Password environment variable  |
 |--------------------|--------------------------------|
 | default.user       | DEFAULT_ACCOUNT_USER_PASSWORD  |
 | default.admin      | DEFAULT_ACCOUNT_ADMIN_PASSWORD |
 
-If you do not see any tiles in the portal after the login you may want to wait a couple of minutes, as on the initial start some bootstrapping and cache building is done, that blocks the portal entries from showing up.
+If you do not see any tiles in the portal after the login you may want to wait a
+couple of minutes, as on the initial start some bootstrapping and cache building
+is done. This blocks the portal entries from showing up.
 
 # Helmfile
 
@@ -145,30 +191,33 @@ If you do not see any tiles in the portal after the login you may want to wait a
 
 ### Deployment selection
 
-By default all components are deployed. The components of type `Eval` are used for development and evaluation
+By default, all components are deployed. The components of type `Eval` are used
-purposes only and need to be replaced in production deployments. These components are grouped together in the
+for development and evaluation purposes only - they need to be replaced in
+production deployments. These components are grouped together in the
 subdirectory `/helmfile/apps/services`.
 
-| Component                   | Name                                | Default | Description                  | Type       |
+| Component                   | Name                                | Default | Description                    | Type       |
-|-----------------------------|-------------------------------------|---------|------------------------------|------------|
+|-----------------------------|-------------------------------------|---------|--------------------------------|------------|
-| Certificates                | `certificates.enabled`              | `true`  | TLS certificates             | Eval       |
+| Certificates                | `certificates.enabled`              | `true`  | TLS certificates               | Eval       |
-| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine             | Eval       |
+| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
-| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine             | Eval       |
+| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
-| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                    | Functional |
+| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
-| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                 | Functional |
+| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
-| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange  | Functional |
+| Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
-| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing            | Functional |
+| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
-| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider            | Functional |
+| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing              | Functional |
-| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                     | Eval       |
+| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
-| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                   | Functional |
+| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       | Eval       |
-| OpenProject                 | `openproject.enabled`               | `true`  | Project management           | Functional |
+| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                     | Functional |
-| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                    | Functional |
+| OpenProject                 | `openproject.enabled`               | `true`  | Project management             | Functional |
-| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning         | Functional |
+| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                      | Functional |
-| Postfix                     | `postfix.enabled`                   | `true`  | MTA                          | Eval       |
+| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning           | Functional |
-| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                     | Eval       |
+| Postfix                     | `postfix.enabled`                   | `true`  | MTA                            | Eval       |
-| Redis                       | `redis.enabled`                     | `true`  | Cache Database               | Eval       |
+| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                       | Eval       |
-| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal | Functional |
+| Redis                       | `redis.enabled`                     | `true`  | Cache Database                 | Eval       |
-| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                | Functional |
+| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal   | Functional |
+| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal   | Eval       |
+| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                  | Functional |
 
 
 #### Cluster capabilities
@@ -182,10 +231,17 @@ subdirectory `/helmfile/apps/services`.
 
 #### Databases
 
-In case you don't got for a develop or evaluation environment you want to point the application to your own database instances.
+In case you don't got for a develop or evaluation environment you want to point
+the application to your own database instances.
 
 | Component   | Name               | Type       | Parameter | Key                                    | Default                    |
 |-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
+| Element     | Synapse            | PostgreSQL |           |                                        |                            |
+|             |                    |            | Name      | `databases.synapse.name`               | `matrix`                   |
+|             |                    |            | Host      | `databases.synapse.host`               | `postgresql`               |
+|             |                    |            | Port      | `databases.synapse.port`               | `5432`                     |
+|             |                    |            | Username  | `databases.synapse.username`           | `matrix_user`              |
+|             |                    |            | Password  | `databases.synapse.password`           |                            |
 | Keycloak    | Keycloak           | PostgreSQL |           |                                        |                            |
 |             |                    |            | Name      | `databases.keycloak.name`              | `keycloak`                 |
 |             |                    |            | Host      | `databases.keycloak.host`              | `postgresql`               |
@@ -222,27 +278,91 @@ In case you don't got for a develop or evaluation environment you want to point
 
 ### Scaling
 
-Replicas for components can be increased, while we still have to look in the actual scalability of the
+The Replicas of components can be increased, while we still have to look in the
-components (see column `Scales at least to 2`).
+actual scalability of the components (see column `Scaling (verified)`).
 
-| Component   | Name                   | Default | Service            | Scaling            | Scales at least to 2 |
+| Component   | Name                   | Scaling (effective) | Scaling (verified) |
-|-------------|------------------------|---------|--------------------|--------------------|----------------------|
+|-------------|------------------------|:-------------------:|:------------------:|
-| ClamAV      | `replicas.clamav`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| ClamAV      | `replicas.clamav`      | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.clamd`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.clamd`       | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.freshclam`   | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.freshclam`   |         :x:         |        :x:         |
-|             | `replicas.icap`        | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
-| Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
-| Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
-| Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.synapse`     |         :x:         |       :gear:       |
-|             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.synapseWeb`  | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | tested               |
+|             | `replicas.wellKnown`   | :white_check_mark:  | :white_check_mark: |
-| Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Jitsi       | `replicas.jibri`       | :white_check_mark:  |       :gear:       |
-| Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.jicofo`      | :white_check_mark:  |       :gear:       |
-| OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.jitsi `      | :white_check_mark:  |       :gear:       |
-| Postfix     | `replicas.postfix`     | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.jvb `        |         :x:         |        :x:         |
-| XWiki       | `replicas.xwiki`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Keycloak    | `replicas.keycloak`    | :white_check_mark:  |       :gear:       |
+| Nextcloud   | `replicas.nextcloud`   | :white_check_mark:  |       :gear:       |
+| OpenProject | `replicas.openproject` | :white_check_mark:  |       :gear:       |
+| Postfix     | `replicas.postfix`     |         :x:         |       :gear:       |
+| XWiki       | `replicas.xwiki`       | :white_check_mark:  |       :gear:       |
+
+
+### Mail/SMTP configuration
+
+To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from 
+the whole subdomain.
+
+```yaml
+smtp:
+  host:     # your SMTP host or IP-address
+  username: # username/email for authentication
+  password: # password for authentication, or via environment variable SMTP_PASSWORD
+```
+
+### TURN configuration
+
+Some components (Jitsi, Element) use for direct communication a TURN server.
+You can configure your own TURN server with these options:
+
+```yaml
+turn:
+  transport:   # "udp" or "tcp"
+  credentials: # turn credential string
+  server:      # configuration for unsecure connections
+    host:      # your TURN host or IP-address
+    port:      # server port
+  tls:         # configuration for secure connections
+    host:      # your TURN host or IP-address
+    port:      # server port
+```
+
+## Security
+
+This list gives you an overview of default security settings and if they comply with security standards:
+
+
+| Component  | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+| ClamAV     | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| Collabora  | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
+| Element    | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+|            | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  | 
+|            | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+|            | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+| Jitsi      | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
+|            | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| Keycloak   | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|            | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|            | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|            | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+| MariaDB    | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Postfix    | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| PostgreSQL | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 
 
 # Component integration
@@ -269,29 +389,46 @@ flowchart TD
 
 #### Intercom Service (ICS)
 
-The UCS Intercom Service's role is to enable cross application integration based on browser interaction. Handling authentication when frontend of application A is using API from application B is often a challenge. For more details on the ICS please refer to it's separate [README.md](./helmfile/apps/intercom-service/README.md) - (**TODO**)
+The UCS Intercom Service's role is to enable cross application integration based
+on browser interaction. Handling authentication when the frontend of an
+application is using the API from another application is often a challenge.
+For more details on the ICS please refer to its own [README.md](./helmfile/apps/intercom-service/README.md).
 
-In order to establish a session with the ICS the application makes use of the ICS must initiate a silent login.
+In order to establish a session with the Intercom Service, the application that
+wants to use the ICS must initiate a silent login.
 
-Currently only OX AppSuite is using the frontend based integration and therefore it's the only consumer of the ICS API endpoints.
+Currently only OX AppSuite is using the frontend based integration, and
+therefore it is right now the only consumer of the ICS API.
 
 ### Filepicker
 
-The Nextcloud filepicker is integrated into the OX AppSuite allows you for adding attachments or links to files from and saving attachments to Nextcloud. The filepicker is using frontend based integration (OX AppSuite in the browser talking to Intercom service) as well as backend to backend integration e.g. (OX AppSuite middleware talking to Nextcloud). The latter one especially when adding a file to an email or storing an file into Nextcloud.
+The Nextcloud filepicker which is integrated into the OX AppSuite allows you to
+add attachments or links to files from and saving attachments to Nextcloud.
+
+The filepicker is using frontend and backend based integration. Frontend based
+integration means that OX AppSuite in the browser is communicating with ICS.
+While using backend based integration, OX AppSuite middleware is communicating
+with Nextcloud, which is especially used when adding a file to an email or
+storing a file into Nextcloud.
 
 ### Central Navigation
 
-The central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user in order to allow components to render the menu showing all available SWP applications for the user.
+Central navigation is based on an API endpoint in the portal that provides the
+contents of the portal for a user in order to allow components to render the
+menu showing all available SWP applications for the user.
 
 ### (Read & write) Central contacts
 
-Open-Xchange App Suite is the place to manage contacts within the SWP. There is a standard API in the AppSuite that is being used by Nextcloud to lookup contacts as well as to create contacts e.g. if a file is shared with a not yet available personal contact.
+Open-Xchange App Suite is used to manage contacts within the Sovereign
+Workplace. There is an API in the AppSuite that is being used by
+Nextcloud to lookup contacts as well as to create contacts. This is maybe done
+when a file is shared with a not yet available personal contact.
 
 # Identity data flows
 
-An overview on
+An overview of
-- components that consume data from the ldap, in most cases using a dedicated ldap search account and
+- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
-- components using Keycloak as IdP, if not otherwise denoted based on the OAuth2 / OIDC flows.
+- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.
 
 Some components trust others to handle authentication for them.
 
@@ -302,7 +439,7 @@ flowchart TD
     A[OX AppSuite]-->L
     D[OX Dovecot]-->L
     P[Portal/Admin]-->L
-    O[OpenProject]-->|in 2023|L
+    O[OpenProject]-->L
     X[XWiki]-->|in 2023|L
     A-->K
     N-->K
@@ -319,7 +456,9 @@ flowchart TD
 
 # Provisioning
 
-Currently active provisioning is only done for OX AppSuite. The OX-Connector synchronizes create, modify and delete acitivities for the following objects to the OX AppSuite using the AppSuite's SOAP API:
+Currently active provisioning is only done for OX AppSuite. The OX-Connector
+synchronizes creates, modifies and deletes activities for the following objects
+to the OX AppSuite using the AppSuite's SOAP API:
 
 - Contexts
 - Users
@@ -329,10 +468,12 @@ Currently active provisioning is only done for OX AppSuite. The OX-Connector syn
 
 # Component specific documentation
 
-We want to provide more information per component in separate, component specific `README.md` files. In order to establish a common view on the components we are going to cover various aspects:
+We want to provide more information per component in separate, component
+specific `README.md` files. In order to establish a common view on the
+components we are going to cover various aspects:
 
-- **Component overview**: Should provide a quick introduction with the components prerequisites and subcomponents (f.e. pods).
+- **Component overview**: Shall provide a quick introduction including the components prerequisites and subcomponents (f.e. pods).
-- **Resources**: Will contain link to the components upstream documentation, the helm chart and image locations.
+- **Resources**: Will contain a link to the components upstream documentation, the helm chart and image locations.
 - **Operational Capabilities**
   - **Install**: The components installs within the SWP.
   - **Restart**: Deleting and restarting pods works seamlessly.
@@ -352,17 +493,14 @@ We want to provide more information per component in separate, component specifi
 
 ## Tests
 
-There is a frontend end-to-end test suite that can get triggered if the
+The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
-deployment is performed via a Gitlab pipeline.
+The `DEPLOY_`-variables are used to determine which components should be tested.
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
+that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
+`<domain of gitlab>/api/v4/projects/<id>`.
 
-Currently, the test suite is in progress to be published, so right now it is
+If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
-only usable by project members. But that will change soon, and it could be used
+`TESTS_BRANCH` while creating a new pipeline.
-to create custom tests and perform them after deployment.
-
-The deployment pipeline provides a variable named `TESTS_PROJECT_URL` that
-points to the test pipeline residing in another Gitlab repository. At the end of
-the deployment the test pipeline is triggered. Tests are just performed for
-components that have been deployed prior.
 
 
 # Footnotes

helmfile.yaml

@@ -9,12 +9,14 @@ helmfiles:
   - path: "helmfile/apps/services/helmfile.yaml"
   - path: "helmfile/apps/keycloak/helmfile.yaml"
   - path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
+  - path: "helmfile/apps/univention-management-stack/helmfile.yaml"
   - path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
   - path: "helmfile/apps/intercom-service/helmfile.yaml"
   - path: "helmfile/apps/open-xchange/helmfile.yaml"
   - path: "helmfile/apps/nextcloud/helmfile.yaml"
   - path: "helmfile/apps/collabora/helmfile.yaml"
   - path: "helmfile/apps/jitsi/helmfile.yaml"
+  - path: "helmfile/apps/element/helmfile.yaml"
   - path: "helmfile/apps/openproject/helmfile.yaml"
   - path: "helmfile/apps/xwiki/helmfile.yaml"
   - path: "helmfile/apps/provisioning/helmfile.yaml"
@@ -31,12 +33,15 @@ environments:
   default:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
   dev:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/dev/values.yaml"
   prod:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/prod/values.yaml"
 ...

helmfile/apps/collabora/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "collabora-online"
+  - name: "collabora-online-repo"
-    url: "https://collaboraonline.github.io/online"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://collaboraonline.github.io/online" }}
 
 releases:
   - name: "collabora-online"
-    chart: "collabora-online/collabora-online"
+    chart: "collabora-online-repo/collabora-online"
     version: "1.0.2"
     values:
       - "values.yaml"

helmfile/apps/collabora/values.gotmpl

@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
   tag: "{{ .Values.images.collabora.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
@@ -32,14 +33,9 @@ collabora:
   aliasgroups:
     - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 
-{{- if not (eq .Values.cluster.container.engine "containerd") }}
-# In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate:
-# Ref.: https://github.com/CollaboraOnline/online/issues/2800
-securityContext:
-  capabilities:
-    add:
-      - "MKNOD"
-{{- end }}
 
 replicaCount: {{ .Values.replicas.collabora }}
+
+resources:
+  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 ...

helmfile/apps/collabora/values.yaml

@@ -14,19 +14,74 @@ collabora:
 
 ingress:
   annotations:
-    # nginx
+    # Ingress NGINX
     nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/server-snippet: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
+    # NGINX
+    nginx.org/websocket-services: "collabora"
+    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
+    nginx.org/proxy-read-timeout: "600"
+    nginx.org/proxy-send-timeout: "600"
+    nginx.org/client-max-body-size: "0"
+    nginx.org/server-snippets: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
     # HAProxy
     haproxy.org/timeout-tunnel: "3600s"
     haproxy.org/backend-config-snippet: |
-     mode http
+       balance url_param WOPISrc check_post
-      balance leastconn
+       hash-type consistent
-      stick-table type string len 2048 size 1k store conn_cur
+    # HAProxy - Community: https://haproxy-ingress.github.io/
-      http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
+    haproxy-ingress.github.io/timeout-tunnel: "3600s"
-      http-request track-sc1 url_param(WOPISrc)
+    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
-      stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
+    haproxy-ingress.github.io/config-backend: |
-      stick store-request url_param(WOPISrc)
+      hash-type consistent
-
+      # block admin urls from outside
+      acl admin_url path_beg /cool/getMetrics
+      acl admin_url path_beg /cool/adminws/
+      acl admin_url path_beg /browser/dist/admin/admin.html
+      http-request deny if admin_url
 autoscaling:
   enabled: false
+
+serviceAccount:
+  create: true
+
+securityContext:
+  allowPrivilegeEscalation: true
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+      - "MKNOD"
+
+podSecurityContext:
+  fsGroup: 100
 ...

helmfile/apps/element/helmfile.yaml

@@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  - name: "opendesk-element-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
+
+releases:
+  - name: "opendesk-element"
+    chart: "opendesk-element-repo/opendesk-element"
+    version: "2.0.1"
+    values:
+      - "values-element.yaml"
+      - "values-element.gotmpl"
+    condition: "element.enabled"
+
+  - name: "opendesk-well-known"
+    chart: "opendesk-element-repo/opendesk-well-known"
+    version: "2.0.1"
+    values:
+      - "values-well-known.yaml"
+      - "values-well-known.gotmpl"
+    condition: "element.enabled"
+
+  - name: "opendesk-synapse-web"
+    chart: "opendesk-element-repo/opendesk-synapse-web"
+    version: "2.0.1"
+    values:
+      - "values-synapse-web.yaml"
+      - "values-synapse-web.gotmpl"
+    condition: "element.enabled"
+
+  - name: "opendesk-synapse"
+    chart: "opendesk-element-repo/opendesk-synapse"
+    version: "2.0.1"
+    values:
+      - "values-synapse.yaml"
+      - "values-synapse.gotmpl"
+    condition: "element.enabled"
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "element"
+
+bases:
+  - "../../bases/environments.yaml"
+...

helmfile/apps/element/values-element.gotmpl

@@ -0,0 +1,39 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  additionalConfiguration:
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.element.repository }}"
+  tag: "{{ .Values.images.element.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.element }}
+
+resources:
+  {{ .Values.resources.element | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-element.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-synapse-web.gotmpl

@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapseWeb.repository }}"
+  tag: "{{ .Values.images.synapseWeb.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.synapseWeb }}
+
+resources:
+  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-synapse-web.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-synapse.gotmpl

@@ -0,0 +1,53 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapse.repository }}"
+  tag: "{{ .Values.images.synapse.tag }}"
+
+configuration:
+  database:
+    host: "{{ .Values.databases.synapse.host }}"
+    name: "{{ .Values.databases.synapse.name }}"
+    user: "{{ .Values.databases.synapse.username }}"
+    password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
+
+  homeserver:
+    oidc:
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
+      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+
+    turn:
+      sharedSecret: {{ .Values.turn.credentials }}
+      servers:
+        {{- if .Values.turn.tls.host }}
+        - server: {{ .Values.turn.tls.host }}
+          port: {{ .Values.turn.tls.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- else if .Values.turn.server.host }}
+        - server: {{ .Values.turn.server.host }}
+          port: {{ .Values.turn.server.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- end }}
+
+persistence:
+  size: "{{ .Values.persistence.size.synapse }}"
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+
+replicaCount: {{ .Values.replicas.synapse }}
+
+resources:
+  {{ .Values.resources.synapse | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-synapse.yaml

@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10991
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 10991
+...

helmfile/apps/element/values-well-known.gotmpl

@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.wellKnown.repository }}"
+  tag: "{{ .Values.images.wellKnown.tag }}"
+
+ingress:
+  host: "{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.wellKnown }}
+
+resources:
+  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-well-known.yaml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  e2ee:
+    forceDisable: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/intercom-service/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "intercom-service"
+  - name: "intercom-service-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable" }}
 
 releases:
   - name: "intercom-service"
-    chart: "intercom-service/intercom-service"
+    chart: "intercom-service-repo/intercom-service"
     version: "1.1.3"
     values:
       - "values.yaml"

helmfile/apps/intercom-service/values.gotmpl

@@ -29,6 +29,7 @@ ics:
     url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.intercom.repository }}"
   tag: "{{ .Values.images.intercom.tag }}"

helmfile/apps/jitsi/helmfile.yaml

@@ -2,16 +2,19 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "jitsi"
+  - name: "jitsi-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
+    oci: true
-
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
 releases:
   - name: "jitsi"
-    chart: "jitsi/sovereign-workplace-jitsi"
+    chart: "jitsi-repo/sovereign-workplace-jitsi"
-    version: "1.1.0"
+    version: "1.5.1"
     values:
       - "values-jitsi.gotmpl"
     condition: "jitsi.enabled"
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -12,15 +12,19 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
   tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
 
 settings:
-  jwtAppSecret: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+  jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 
 jitsi:
-  publicURL: "https://{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+  publicURL: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
   web:
     replicaCount: {{ .Values.replicas.jitsi }}
     image:
@@ -30,17 +34,17 @@ jitsi:
       enabled: "{{ .Values.ingress.enabled }}"
       ingressClassName: "{{ .Values.ingress.ingressClassName }}"
       hosts:
-        - host: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+        - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
           paths:
             - "/"
       tls:
         - secretName: "{{ .Values.ingress.tls.secretName }}"
           hosts:
-            - "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
     extraEnvs:
       TURN_ENABLE: "1"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jitsi | toYaml | nindent 6 }}
   prosody:
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
@@ -51,11 +55,11 @@ jitsi:
     {{- end }}
     extraEnvs:
       - name: "AUTH_TYPE"
-        value: "jwt"
+        value: "hybrid_matrix_token"
       - name: "JWT_APP_ID"
         value: "myappid"
       - name: "JWT_APP_SECRET"
-        value: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+        value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
       - name: TURNS_HOST
         value: "{{ .Values.turn.tls.host }}"
       - name: TURNS_PORT
@@ -69,7 +73,7 @@ jitsi:
       - name: TURN_CREDENTIALS
         value: "{{ .Values.turn.credentials }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.prosody | toYaml | nindent 6 }}
     persistence:
       size: "{{ .Values.persistence.size.prosody }}"
       storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
@@ -79,19 +83,19 @@ jitsi:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
       tag: "{{ .Values.images.jicofo.tag }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jicofoAuthPassword }}"
+      password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
-      componentSecret: "{{ .Values.secrets.jitsiPlain.jicofoComponentPassword }}"
+      componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jicofo | toYaml | nindent 6 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
       tag: "{{ .Values.images.jvb.tag }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jvbAuthPassword }}"
+      password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
       type: "{{ .Values.cluster.service.type }}"
   jibri:
@@ -100,18 +104,22 @@ jitsi:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
       tag: "{{ .Values.images.jibri.tag }}"
     recorder:
-      password: "{{ .Values.secrets.jitsiPlain.jibriRecorderPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jibriXmppPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jibri | toYaml | nindent 6 }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . }}
   {{- end }}
 
 patchJVB:
+  configuration:
+    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
+    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
   image:
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
     tag: "{{ .Values.images.jitsiPatchJVB.tag }}"

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-keycloak-bootstrap"
+  - name: "sovereign-workplace-keycloak-bootstrap-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable" }}
 
 releases:
   - name: "sovereign-workplace-keycloak-bootstrap"
-    chart: "sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
+    chart: "sovereign-workplace-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
     version: "1.1.11"
     values:
       - "values-bootstrap.gotmpl"

helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl

@@ -19,6 +19,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.keycloakBootstrap.repository }}"
   tag: "{{ .Values.images.keycloakBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 resources:
   {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}

helmfile/apps/keycloak/helmfile.yaml

@@ -2,22 +2,29 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "bitnami"
+  - name: "bitnami-repo"
-    url: "https://charts.bitnami.com/bitnami"
+    oci: true
-  - name: "keycloak-theme"
+    url: >-
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-  - name: "keycloak-extensions"
+         default "registry-1.docker.io/bitnamicharts" }}
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
+  - name: "keycloak-theme-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable" }}
+  - name: "keycloak-extensions-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
 
 releases:
   - name: "keycloak-theme"
-    chart: "keycloak-theme/sovereign-workplace-theme"
+    chart: "keycloak-theme-repo/sovereign-workplace-theme"
-    version: "1.0.0"
+    version: "1.1.0"
     values:
       - "values-theme.gotmpl"
     condition: "keycloak.enabled"
   - name: "keycloak"
-    chart: "bitnami/keycloak"
+    chart: "bitnami-repo/keycloak"
     version: "12.2.0"
     values:
       - "values-keycloak.gotmpl"
@@ -26,7 +33,7 @@ releases:
     wait: true
     condition: "keycloak.enabled"
   - name: "keycloak-extensions"
-    chart: "keycloak-extensions/keycloak-extensions"
+    chart: "keycloak-extensions-repo/keycloak-extensions"
     version: "0.1.0"
     needs:
       - "keycloak"

helmfile/apps/keycloak/values-extensions.gotmpl

@@ -15,6 +15,11 @@ global:
       username: "{{ .Values.databases.keycloakExtension.username }}"
       password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
 handler:
+  image:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
+    tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   appConfig:
     smtpPassword: "{{ .Values.smtp.password }}"
     smtpHost: "{{ .Values.smtp.host }}"
@@ -25,14 +30,12 @@ handler:
 proxy:
   image:
     registry: "{{ .Values.global.imageRegistry }}"
-    repository: "{{ .Values.images.keycloakExtension.repository }}"
+    repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
-    tag: "{{ .Values.images.keycloakExtension.tag }}"
+    tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
-    imagePullPolicy: "Always"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   ingress:
     enabled: "{{ .Values.ingress.enabled }}"
     ingressClassName: "{{ .Values.ingress.ingressClassName }}"
-    annotations:
-      nginx.org/proxy-buffer-size: "8k"
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     tls:
       enabled: "{{ .Values.ingress.tls.enabled }}"

helmfile/apps/keycloak/values-extensions.yaml

@@ -9,15 +9,37 @@ global:
     realm: "souvap"
 
 handler:
-  image:
-    tag: "latest"
   appConfig:
     captchaProtectionEnable: "False"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
 
 postgresql:
   enabled: false
 
 proxy:
-  image:
+  ingress:
-    tag: "latest"
+    annotations:
+      nginx.org/proxy-buffer-size: "8k"
+      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
 ...

helmfile/apps/keycloak/values-keycloak-idp.yaml

@@ -116,9 +116,9 @@ keycloakConfigCli:
             "enabled": true,
             "alwaysDisplayInConsole": false,
             "clientAuthenticatorType": "client-secret",
-            "secret": "$(CLIENT_SECRET_JITSI_PLAIN_PASSWORD)",
+            "secret": "$(CLIENT_SECRET_JITSI_PASSWORD)",
             "redirectUris": [
-              "https://$(JITSI_PLAIN_DOMAIN)/*"
+              "https://$(JITSI_DOMAIN)/*"
             ],
             "webOrigins": [
               "*"
@@ -135,7 +135,7 @@ keycloakConfigCli:
             "frontchannelLogout": true,
             "protocol": "openid-connect",
             "attributes": {
-              "post.logout.redirect.uris": "https://$(JITSI_PLAIN_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
+              "post.logout.redirect.uris": "https://$(JITSI_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
             },
             "authenticationFlowBindingOverrides": {},
             "fullScopeAllowed": true,

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -13,7 +13,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.keycloak.repository }}"
   tag: "{{ .Values.images.keycloak.tag }}"
-  digest: "{{ .Values.images.keycloak.digest }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 externalDatabase:
   host: "{{ .Values.databases.keycloak.host }}"
@@ -55,8 +55,8 @@ keycloakConfigCli:
       value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
     - name: "MATRIX_DOMAIN"
       value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
-    - name: "JITSI_PLAIN_DOMAIN"
+    - name: "JITSI_DOMAIN"
-      value: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+      value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
     - name: "ELEMENT_DOMAIN"
       value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
     - name: "INTERCOM_SERVICE_DOMAIN"
@@ -65,8 +65,8 @@ keycloakConfigCli:
       value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
     - name: "CLIENT_SECRET_MATRIX_PASSWORD"
       value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
-    - name: "CLIENT_SECRET_JITSI_PLAIN_PASSWORD"
+    - name: "CLIENT_SECRET_JITSI_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.jitsiPlain }}
+      value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
     - name: "CLIENT_SECRET_NCOIDC_PASSWORD"
       value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
     - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
@@ -81,6 +81,8 @@ keycloakConfigCli:
       value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
     - name: "LDAPSEARCH_USERNAME"
       value: "ldapsearch_keycloak"
+  resources:
+    {{ .Values.resources.keycloak | toYaml | nindent 4 }}
 
 resources:
   {{ .Values.resources.keycloak | toYaml | nindent 2 }}

helmfile/apps/keycloak/values-keycloak.yaml

@@ -54,5 +54,32 @@ keycloakConfigCli:
     - "--import.var-substitution.enabled=true"
   cache:
     enabled: false
+  containerSecurityContext:
+    enabled: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
 
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  runAsNonRoot: true
+
+podSecurityContext:
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
 ...

helmfile/apps/keycloak/values-theme.gotmpl

@@ -7,4 +7,7 @@ global:
   domain: "{{ .Values.global.domain }}"
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 ...

helmfile/apps/nextcloud/helmfile.yaml

@@ -2,33 +2,40 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
+  - name: "opendesk-nextcloud-bootstrap-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
+    oci: true
-  - name: "nextcloud"
+    # yamllint disable rule:line-length
-    url: "https://nextcloud.github.io/helm/"
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
+    # yamllint enable rule:line-length
+  - name: "nextcloud-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://nextcloud.github.io/helm/" }}
 
 releases:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
+  - name: "opendesk-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
+    chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
-    version: "2.2.0"
+    version: "3.1.1"
     wait: true
     waitForJobs: true
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
     condition: "nextcloud.enabled"
-    timeout: 1800
+    timeout: 900
 
   - name: "nextcloud"
-    chart: "nextcloud/nextcloud"
+    chart: "nextcloud-repo/nextcloud"
     version: "3.5.19"
     needs:
-      - "sovereign-workplace-nextcloud-bootstrap"
+      - "opendesk-nextcloud-bootstrap"
     values:
       - "values-nextcloud.gotmpl"
       - "values-nextcloud.yaml"
     condition: "nextcloud.enabled"
-    timeout: 1800
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -18,7 +18,7 @@ config:
 
   antivirus:
     {{- if .Values.clamavDistributed.enabled }}
-    host: "clamav-sovereign-workplace-icap"
+    host: "clamav-icap"
     {{- else if .Values.clamavSimple.enabled }}
     host: "clamav-simple"
     {{- end }}
@@ -44,6 +44,7 @@ config:
     password: "{{ .Values.smtp.password }}"
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.nextcloud.repository }}"
   tag: "{{ .Values.images.nextcloud.tag }}"
@@ -64,4 +65,7 @@ persistence:
 
 resources:
   {{ .Values.resources.nextcloud | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 ...

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -11,6 +11,9 @@ config:
     userOidc:
       username: "ncoidc"
 
+  ldapSearch:
+    host: "univention-corporate-container"
+
 cleanup:
   deletePodsOnSuccess: false
 ...

helmfile/apps/nextcloud/values-nextcloud.gotmpl

@@ -25,7 +25,7 @@ ingress:
         - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.nextcloud.tag }}"
   pullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

helmfile/apps/nextcloud/values-nextcloud.yaml

@@ -21,6 +21,11 @@ cronjob:
         sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
         \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
 
+ingress:
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
+    nginx.org/client-max-body-size: "4G"
+
 internalDatabase:
   enabled: false
 postgresql:

helmfile/apps/open-xchange/helmfile.yaml

@@ -2,35 +2,48 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "dovecot"
+  - name: "dovecot-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
+    url: >-
-  - name: "openxchange"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "registry.open-xchange.com"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable" }}
+  - name: "openxchange-repo"
     oci: true
-  - name: "sovereign-workplace-open-xchange-bootstrap"
+    url: >-
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry.open-xchange.com" }}
+  - name: "sovereign-workplace-open-xchange-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable" }}
 
 releases:
   - name: "dovecot"
-    chart: "dovecot/dovecot"
+    chart: "dovecot-repo/dovecot"
-    version: "1.2.0"
+    version: "1.3.1"
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"
     condition: "dovecot.enabled"
+    timeout: 900
+
   - name: "open-xchange"
-    chart: "openxchange/appsuite-public-sector/charts/appsuite-public-sector"
+    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
-    version: "1.2.13"
+    version: "2.0.4"
     values:
       - "values-openxchange.yaml"
       - "values-openxchange.gotmpl"
+      - "values-openxchange-enterprise-contact-picker.yaml"
+      - "values-openxchange-enterprise-contact-picker.gotmpl"
     condition: "oxAppsuite.enabled"
+    timeout: 900
+
   - name: "sovereign-workplace-open-xchange-bootstrap"
-    chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
+    chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
-    version: "1.2.2"
+    version: "1.3.1"
     values:
       - "values-openxchange-bootstrap.yaml"
     condition: "oxAppsuite.enabled"
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -7,6 +7,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   url: "{{ .Values.images.dovecot.repository }}"
   tag: "{{ .Values.images.dovecot.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}

helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl

@@ -0,0 +1,16 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
+  tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+...

helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml

@@ -2,22 +2,5 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: false
+  deletePodsOnSuccess: true
-
-# resources:
-#   limits:
-#     # The max amount of CPUs to consume.
-#     cpu: 1
-#     # The max amount of RAM to consume.
-#     memory: "1Gi"
-#   requests:
-#     # The amount of CPUs which has to be available on the scheduled node.
-#     cpu: 1
-#     # The amount of RAM which has to be available on the scheduled node.
-#     memory: "256Mi"
-
-# Keep default values:
-# coreMiddleware:
-#   statefulSet: "open-xchange-core-mw-default-0"
-#   pod: "open-xchange-core-mw-default-0"
 ...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl

@@ -0,0 +1,14 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+appsuite:
+  core-mw:
+    secretYAMLFiles:
+      ldap-client-config.yml:
+        contactsLdapClient:
+          auth:
+            adminDN:
+              password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml

@@ -0,0 +1,349 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+appsuite:
+  core-mw:
+
+    properties:
+      # Enterprise contact picker
+      com.openexchange.contacts.ldap.accounts: "opendesk"
+      com.openexchange.admin.bypassAccessCombinationChecks: "true"
+      ENABLE_INTERNAL_USER_EDIT: "false"
+
+    # Enterprise contact picker (see also gotmpl)
+    secretYAMLFiles:
+      ldap-client-config.yml:
+        contactsLdapClient:
+          pool:
+            type: "simple"
+            host:
+              address: "univention-corporate-container"
+              port: 389
+          auth:
+            type: "adminDN"
+            adminDN:
+              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+
+    uiSettings:
+      # Enterprise contact picker
+      io.ox/core//features/enterprisePicker/enabled: "true"
+
+    yamlFiles:
+      contacts-provider-ldap.yml:
+        # Example definitions of available LDAP contact providers, together with their corresponding configuration,
+        # referenced LDAP client connection settings and attribute mappings.
+        #
+        # This template contains examples and will be overwritten during updates. To use, copy this file to
+        # /opt/open-xchange/etc/contacts-provider-ldap.yml and configure as needed.
+        #
+        # Each configured contacts provider can be enabled for users using the corresponding identifier used in this
+        # .yml file. For this purpose, the config-cascade-enabled setting "com.openexchange.contacts.provider.ldap"
+        # is available.
+        #
+        # Besides the provider configuration in this file, also accompanying LDAP client and contact property mappings
+        # need to be referenced.
+        #
+        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
+        # for further details and a complete list of available configuration options.
+        #
+
+        # Key will be used as identifier for the contact provider
+        opendesk:
+
+          # The display name of this contacts provider.
+          name: "Example Address Lists"
+
+          # Configures the identifier of the LDAP client configuration settings to use, as defined in
+          # 'ldap-client-config.yml'. There, all further connection-related properties to access the LDAP server can
+          # be specified.
+          ldapClientId: "contactsLdapClient"
+
+          # A reference to the contact property <-> LDAP attribute mapping definitions to use, referencing the
+          # corresponding entry in the file 'contact-provider-ldap-mappings.yml'.
+          mappings: "ucs"
+
+          # Specifies if support for querying deleted objects is enabled or not. When enabled, deleted objects are
+          # identified with the filter 'isDeleted=TRUE', which is usually only available in Active Directory (as
+          # control with OID 1.2.840.113556.1.4.417). If disabled, no results are available for folders from this
+          # provider for the 'deleted' API call, and therefore no incremental synchronizations are possible. See also
+          # 'usedForSync' folders property. Defaults to "false".
+          isDeletedSupport: false
+
+          # Specifies the requested maximum size for paged results. "0" disables paged results. This should be
+          #  configured, especially when the there are server-side restrictions towards the maximum result size.
+          # Defaults to "500".
+          maxPageSize: 500
+
+          # Optionally enables a local cache that holds certain properties of all of the provider's contacts in
+          # memory to speed up access. Can only be used if no individual authentication is used to access the
+          # LDAP server.
+          cache:
+            useCache: false
+
+          # Definition of addressbook folders of the contacts provider. Different folder modes are possible, each
+          # one with its specific configuration settings. The template contains examples for all possible modes,
+          # however, only the one specified through 'mode' property is actually used.
+          folders:
+
+            # Configures in which mode addressbook folders are provided by the contacts provider. Possible modes
+            # are "fixedAttributes" to have a common search filter per folder that varies by a fixed set of possible
+            # attribute values, "dynamicAttributes" to use a common filter and retrieve all possible values
+            # dynamically, or "static" to have a static search filter associated with each contact folder.
+            # The corresponding mode-specific section needs to be configured as well.
+            mode: "dynamicAttributes"
+
+            # Configures if the addressbook folders can be synchronized to external clients via CardDAV or not.
+            # If set to "false", the folders are only available in the web client. If set to "true", folders can
+            # be activated for synchronization. Should only be enabled if attribute mappings for the 'changing_date'
+            # and 'uid' contact properties are available, and the LDAP server supports the special
+            # "LDAP Show Deleted Control" to query tombstone entries via 'isDeleted=TRUE'. The 'protected' flag
+            # controls whether the default value can be changed by the client or not.
+            usedForSync:
+              protected: true
+              defaultValue: false
+
+            # Defines whether addressbook folders will be available in the contact picker dialog of App Suite.
+            # If enabled, contacts from this provider can be looked up through this dialog, otherwise they are
+            # hidden. The 'protected' flag controls whether the default value can be changed by the client or not.
+            usedInPicker:
+              protected: false
+              defaultValue: true
+
+            # Defines whether addressbook folders will be shown as 'subscribed' folders in the tree or not.
+            # If enabled, the folders will appear in the contacts module of App Suite as regular, subscribed folder.
+            # Otherwise, they're treated as hidden, unsubscribed folders. The 'protected' flag controls whether
+            # the default value can be changed by the client or not.
+            shownInTree:
+              protected: false
+              defaultValue: true
+
+            # In "static" folder mode, a fixed list of folder definitions is used, each one with its own contact
+            # filter and name (the names must be unique). Additionally, a "commonContactFilter" needs to be
+            # defined, which is used for operations that are not bound to
+            # a specific folder, like lookups across all visible folders.
+            # The filter's search scopes relative to the LDAP client's 'baseDN' can be configured as "one"
+            # (only immediate subordinates) or "sub" (base entry itself and any subordinate entries to any depth),
+            # and all default to "sub" unless specified otherwise.
+            static:
+              commonContactFilter: "(|(objectClass=person)(objectClass=groupOfNames))"
+              commonContactSearchScope: "sub"
+              folders:
+                - name: "Cupertino"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Cupertino))"
+                  contactSearchScope: "sub"
+                - name: "San Mateo"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=San Mateo))"
+                  contactSearchScope: "sub"
+                - name: "Redwood Shores"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Redwood Shores))"
+                  contactSearchScope: "sub"
+                - name: "Armonk"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Armonk))"
+                  contactSearchScope: "sub"
+
+            # With mode "dynamic attributes", all possible values for one attribute are fetched periodically and
+            # serve as folders. The list of values is fetched by querying all entries that match the
+            # "contactFilterTemplate" (with the wildcard "*" as value) and "contactSearchScope" ("one"/"sub").
+            # Then, the folders are derived based on all distinct attribute values found, with the value as name.
+            # Depending on the configured authentication mode, this is either done per user individually, or globally.
+            # Therefore, per-user authentication is not recommend in this mode.
+            # The "refreshInterval" determines how often the list of attributes is refreshed, and can be defined
+            # using units of measurement:
+            # "D" (=days), "W" (=weeks), "H" (=hours) and "m" (=minutes). Defaults to "1h". The optional "sortOrder"
+            # allows to sort the attributes lexicographically, either "ascending" or "descending".
+            dynamicAttributes:
+              attributeName: "o"
+              contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
+              contactSearchScope: "sub"
+              # refreshInterval: 1h
+              refreshInterval: "5m"
+              sortOrder: "ascending"
+
+            # With mode "fixed attributes", all entries matching a filter and having an attribute set to one of the
+            # defined values do form a folder. Works similar to "dynamic attributes", but with a static list of
+            # possible values.
+            # All items defined in the "attributeValues" array are used as folder (with the value as name). When
+            # listing the contents of a specific folder, this folder's specific attribute value is inserted in the
+            # configured "contactFilterTemplate", using the "contactSearchScope" ("one"/"sub").
+            fixedAttributes:
+              contactFilterTemplate: "(&(|(objectClass=person)(objectClass=groupOfNames))(ou=[value]))"
+              contactSearchScope: "sub"
+              attributeValues:
+                - "Janitorial"
+                - "Product Development"
+                - "Management"
+                - "Human Resources"
+
+      contacts-provider-ldap-mappings.yml:
+        # Example definitions of contact property <-> LDAP attribute mappings.
+        #
+        # This template contains examples and will be overwritten during updates. To use, copy this file to
+        # /opt/open-xchange/etc/contacts-provider-ldap-mappings.yml and configure as needed.
+        #
+        # Each configured set of mappings can be used for an LDAP contact provider (as defined through separate
+        # file contacts-provider-ldap.yml), by using the corresponding identifier used in this .yml file.
+        #
+        # Generally, contact properties are set based on an entry's value of the mapped LDAP attribute name.
+        # Empty mappings are ignored. It's possible to define a second LDAP attribute name for a property that is
+        # used as fall-back if the first one is empty in an LDAP result, e.g. to define multiple attributes for a
+        # display name, or to have multiple mappings for contacts and distribution lists.
+        #
+        # For the data-types, each LDAP attribute value is converted/parsed to the type necessary on the server
+        # (Strings, Numbers, Booleans). Dates are assumed to be in UTC and parsed using the pattern 'yyyyMMddHHmmss'.
+        # Binary properties may be indicated by appending ';binary' to the LDAP attribute name. In order to assign
+        # the internal user- and context identifier based on attributes yielding the corresponding
+        # login information (username / contextname), the special appendix ';logininfo' can be used.
+        # Boolean properties may also be set based on a comparison with the LDAP attribute value, which is defined
+        # by the syntax '[LDAP_ATTRIBUTE_NAME]=[EXPECTED_VALUE]', e.g. to set the 'mark_as_distribution_list'
+        # property based on a specific 'objectClass' value.
+        # Alternatively, a Boolean value may also be assigned based on the the existence of any attribute value
+        # using '*'.
+        #
+        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
+        # for further details and a complete list of available configuration options.
+        #
+
+        # Mappings for a typical OpenLDAP server.
+        ucs:
+          # == ID Mappings =======================================================
+          # The object ID is always required and must be unique for the LDAP server. Will use the DN of the entry
+          # unless overridden.
+          # The 'guid' flag can be passed along to properly decode a Microsoft GUID. For 'regular' UUIDs, the
+          # flag 'binary' should be used.
+          objectid: "uidNumber,gidNumber"
+          # The user and context identifiers can be mapped to certain LDAP attributes to aid resolving contact
+          # entries to internal users, e.g. in scenarios where the default global addressbook folder is disabled.
+          # Will only be considered if an entry's context identifier matches the one from the actual session of
+          # the requesting operation.
+          # If used, they should be mapped to attributes that provide the matching rules "integerMatch" for
+          # "EQUALITY" as well as "integerOrderingMatch" for "ORDERING".
+          # Alternatively, if no internal context- or user identifier is available, also attributes yielding
+          # the corresponding login information (username / contextname) can be used by appending ';logininfo'
+          # to the attribute name.
+          internal_userid: "uid;logininfo"
+          contextid: "oxContextIDNum"
+          # The 'guid' flag can be passed along properly decode a Microsoft GUID. For 'regular' UUIDs in binary
+          # format, the flag 'binary' should be used.
+          # uid                   : entryUUID;binary;logininfo
+
+          # == String Mappings ===================================================
+          displayname: "oxDisplayName,displayName,name"
+          file_as: "oxDisplayName,displayName,name"
+          givenname: "givenName"
+          surname: "sn"
+          email1: "mailPrimaryAddress"
+          department: "oxDepartment,department"
+          company: "oxCompany,o"
+          branches: "oxBranches"
+          # business_category     :
+          postal_code_business: "postalCode"
+          state_business: "oxStateBusiness,st"
+          street_business: "streetAddress"
+          # telephone_callback    :
+          city_home: "oxCityHome"
+          commercial_register: "oxCommercialRegister"
+          country_home: "oxCountryHome"
+          email2: "oxEmail2"
+          email3: "oxEmail3"
+          employeetype: "employeeType"
+          fax_business: "oxFaxBusiness,facsimileTelehoneNumber"
+          fax_home: "oxFaxHome"
+          fax_other: "oxFaxOther"
+          instant_messenger1: "oxInstantMessenger1"
+          instant_messenger2: "oxInstantMessenger2"
+          telephone_ip: "oxTelephoneIp"
+          telephone_isdn: "internationaliSDNNumber"
+          marital_status: "oxMaritalStatus"
+          cellular_telephone1: "mobile"
+          # cellular_telephone2   :
+          nickname: "oxNickName"
+          number_of_children: "oxNumOfChildren"
+          number_of_employee: "employeeNumber"
+          note: "oxNote,description"
+          telephone_pager: "oxTelephonePager,pager"
+          telephone_assistant: "oxTelephoneAssistant"
+          telephone_business1: "oxTelephoneBusiness1,telephoneNumber"
+          telephone_business2: "oxTelephoneBusiness2"
+          telephone_car: "oxTelephoneCar"
+          telephone_company: "oxTelephoneCompany"
+          telephone_home1: "oxTelephoneHome1,homePhone"
+          telephone_home2: "oxTelephoneHome2"
+          telephone_other: "oxTelephoneOther"
+          postal_code_home: "oxPostalCodeHome"
+          # telephone_radio       :
+          room_number: "roomNumber"
+          sales_volume: "oxSalesVolume"
+          city_other: "oxCityOther"
+          country_other: "oxCountryOther"
+          middle_name: "oxMiddleName,middleName"
+          postal_code_other: "oxPostalCodeOther"
+          state_other: "oxStateOther"
+          street_other: "oxStreetOther"
+          spouse_name: "oxSpouseName"
+          state_home: "oxStateHome"
+          street_home: "oxStreetHome"
+          suffix: "oxSuffix"
+          tax_id: "oxTaxId"
+          telephone_telex: "oxTelephoneTelex,telexNumber"
+          telephone_ttytdd: "oxTelephoneTtydd"
+          url: "oxUrl,wWWHome"
+          userfield01: "oxUserfiels01"
+          userfield02: "oxUserfiels02"
+          userfield03: "oxUserfiels03"
+          userfield04: "oxUserfiels04"
+          userfield05: "oxUserfiels05"
+          userfield06: "oxUserfiels06"
+          userfield07: "oxUserfiels07"
+          userfield08: "oxUserfiels08"
+          userfield09: "oxUserfiels09"
+          userfield10: "oxUserfiels10"
+          userfield11: "oxUserfiels11"
+          userfield12: "oxUserfiels12"
+          userfield13: "oxUserfiels13"
+          userfield14: "oxUserfiels14"
+          userfield15: "oxUserfiels15"
+          userfield16: "oxUserfiels16"
+          userfield17: "oxUserfiels17"
+          userfield18: "oxUserfiels18"
+          userfield19: "oxUserfiels19"
+          userfield20: "oxUserfiels20"
+          city_business: "l"
+          country_business: "oxCountryBusiness,country"
+          # telephone_primary     :
+          # categories            :
+          title: "title"
+          position: "oxPosition"
+          profession: "oxProfession"
+
+          # == Date Mappings =====================================================
+          birthday: "oxBirthday"
+          anniversary: "oxAnniversary"
+          # The last-modified and creation dates are required by the groupware server, therefore an implicit
+          # default date is assumed when no LDAP attribute is mapped here, and no results are available for this
+          # folder for the 'modified' and 'deleted' API calls. Therefore, any synchronization-based usage will
+          # not be available.
+          lastmodified: "modifyTimestamp"
+          creationdate: "createTimestamp"
+
+          # == Misc Mappings =====================================================
+          # Distribution list members are resolved dynamically using the DNs found in the mapped LDAP attribute.
+          # Alternatively, if the attribute value does not denote a DN reference, the value is assumed to be the
+          # plain email address of the member.
+          distributionlist: "memberUid"
+          # Special mapping where the value is evaluated using a string comparison with, or the existence of
+          # the attribute value.
+          markasdistributionlist: "objectClass=posixGroup"
+          # The values for the for assistant- and manager name mappings are either used as-is, or get resolved
+          # dynamically using the DNs found
+          # in the mapped LDAP attribute.
+          assistant_name: "secretary"
+          manager_name: "oxManagerName,manager"
+          # Contact image, binary format is expected.
+          image1: "jpegPhoto"
+          # Special mapping where the value is evaluated using a string comparison with, or the existence of
+          # the attribute value.
+          number_of_images: "jpegPhoto=*"
+          # Will be set internally if not defined.
+          # image_last_modified   :
+          # Will be set automatically to "image/jpeg" if not defined.
+          # image1_content_type   :

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -34,6 +34,7 @@ public-sector-ui:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . }}
   {{- end }}
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 appsuite:
   istio:
@@ -52,6 +53,15 @@ appsuite:
   core-mw:
     masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
     hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+    gotenberg:
+      imagePullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+      {{- end }}
+      image:
+        repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}
+        tag: {{ .Values.images.openxchangeGotenberg.tag }}
+        pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     properties:
       "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
       "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -76,6 +86,16 @@ appsuite:
     uiSettings:
       "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
       "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
+      # Dynamic theme
+      io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
+      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+      io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
+      io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
+      io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
     secretETCFiles:
       # Format of the OX Guard master key:
       # MC+base64(20 random bytes)
@@ -86,6 +106,7 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreMW.repository }}
       tag: {{ .Values.images.openxchangeCoreMW.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     update:
       image:
         repository: {{ .Values.images.openxchangeCoreMW.repository }}
@@ -103,11 +124,13 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreUI.repository }}
       tag: {{ .Values.images.openxchangeCoreUI.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-ui-middleware:
     ingress:
       hosts:
         - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+      enabled: false
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . }}
@@ -115,6 +138,7 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
       tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-guidedtours:
     imagePullSecrets:
@@ -124,6 +148,7 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
       tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   guard-ui:
     imagePullSecrets:
@@ -133,11 +158,13 @@ appsuite:
     image:
       repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
       tag: {{ .Values.images.openxchangeGuardUI.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-user-guide:
     image:
       repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
       tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . }}

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -9,6 +9,8 @@ appsuite:
   core-mw:
     enabled: true
     masterAdmin: "admin"
+    gotenberg:
+      enabled: true
     features:
       status:
         # enable admin pack
@@ -22,6 +24,13 @@ appsuite:
         open-xchange-authentication-oauth: "enabled"
     properties:
       com.openexchange.UIWebPath: "/appsuite/"
+      # PDF Export
+      com.openexchange.capability.mail_export_pdf: "true"
+      com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
+      com.openexchange.mail.exportpdf.collabora.enabled: "true"
+      com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
+      com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
+      com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
       # OIDC
       com.openexchange.oidc.enabled: "true"
       com.openexchange.oidc.autologinCookieMode: "ox_direct"
@@ -55,16 +64,23 @@ appsuite:
       com.openexchange.mail.filter.server: "dovecot"
       com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
       # Capabilities
+      # Old capability can be used to toggle all integrations with a single switch
+      com.openexchange.capability.public-sector: "true"
+      # New capabilities in 2.0
+      com.openexchange.capability.public-sector-element: "false"
+      com.openexchange.capability.public-sector-navigation: "true"
       com.openexchange.capability.client-onboarding: "true"
       com.openexchange.capability.dynamic-theme: "true"
       com.openexchange.capability.filestorage_nextcloud: "true"
       com.openexchange.capability.filestorage_nextcloud_oauth: "true"
       com.openexchange.capability.guard: "true"
       com.openexchange.capability.guard-mail: "true"
-      com.openexchange.capability.public-sector: "true"
       com.openexchange.capability.smime: "true"
+      com.openexchange.capability.share_links: "false"
+      com.openexchange.capability.invite_guests: "false"
       # Secondary Accounts
       com.openexchange.mail.secondary.authType: "XOAUTH2"
+      com.openexchange.mail.transport.secondary.authType: "xoauth2"
       # Nextcloud integration
       com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
       com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
@@ -92,6 +108,13 @@ appsuite:
         bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
 
     uiSettings:
+      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
+      io.ox/core//features/enterprisePicker/showLauncher: "false"
+      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
+      # Text and icon color in the topbar
+      io.ox/dynamic-theme//topbarColor: "#000"
+      io.ox/dynamic-theme//logoWidth: "82"
+      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
       # Resources
       io.ox/core//features/resourceCalendars: "true"
       io.ox/core//features/managedResources: "true"
@@ -106,18 +129,8 @@ appsuite:
       # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
       io.ox/core//apps/quickLaunchCount: "0"
       io.ox/core//coloredIcons: "false"
-      # Dynamic theme
+      # Mail templates
-      io.ox/dynamic-theme//mainColor: "#004B76"
+      io.ox/core//features/templates: "true"
-      io.ox/dynamic-theme//logoURL: "io.ox.public-sector/logo.svg"
-      io.ox/dynamic-theme//logoWidth: "80"
-      io.ox/dynamic-theme//topbarBackground: "#fff"
-      io.ox/dynamic-theme//topbarColor: "#1f1f1f"
-      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
-      io.ox/dynamic-theme//listSelected: "#ADC8F0"
-      io.ox/dynamic-theme//listHover: "#ddd"
-      io.ox/dynamic-theme//folderBackground: "#fff"
-      io.ox/dynamic-theme//folderSelected: "#ADC8F0"
-      io.ox/dynamic-theme//folderHover: "#ddd"
 
     asConfig:
       default:

helmfile/apps/openproject/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "openproject"
+  - name: "openproject-repo"
-    url: "https://charts.openproject.org"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://charts.openproject.org" }}
 
 releases:
   - name: "openproject"
-    chart: "openproject/openproject"
+    chart: "openproject-repo/openproject"
     version: "1.8.0"
     values:
       - "values.yaml"

helmfile/apps/openproject/values.gotmpl

@@ -10,7 +10,7 @@ global:
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.openproject.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.openproject.tag }}"
 
 memcached:
@@ -59,6 +59,8 @@ environment:
   OPENPROJECT_SMTP__PORT: "587" # (default=587)
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
   OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
 
 persistence:
   size: "{{ .Values.persistence.size.openproject }}"
@@ -68,4 +70,5 @@ replicaCount: {{ .Values.replicas.openproject }}
 
 resources:
   {{ .Values.resources.openproject | toYaml | nindent 2 }}
+
 ...

helmfile/apps/openproject/values.yaml

@@ -34,11 +34,32 @@ environment:
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
+  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
   OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
   OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
   OPENPROJECT_SMTP__AUTHENTICATION: "plain"
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
+  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
+  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
+  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
+    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
+  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
+  OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
+  OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
+  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
+  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
+  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
+    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
 
 ...

helmfile/apps/provisioning/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "ox-connector"
+  - name: "ox-connector-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
 
 releases:
   - name: "ox-connector"
-    chart: "ox-connector/ox-connector"
+    chart: "ox-connector-repo/ox-connector"
     version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
     values:
       - "values-oxconnector.yaml"

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.oxConnector.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.oxConnector.tag }}"
 
 imagePullSecrets:

helmfile/apps/services/helmfile.yaml

@@ -2,72 +2,93 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-certificates"
+  - name: "sovereign-workplace-certificates-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable"
+    url: >-
-  - name: "postgresql"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
-  - name: "mariadb"
+  - name: "postgresql-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable"
+    oci: true
-  - name: "postfix"
+    url: >-
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable"
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-  - name: "istio-resources"
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable"
+  - name: "mariadb-repo"
-  - name: "clamav"
+    oci: true
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable"
+    url: >-
-  - name: "bitnami"
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-    url: "https://charts.bitnami.com/bitnami"
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
+  - name: "postfix-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" }}
+  - name: "istio-resources-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
+  - name: "clamav-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "registry-1.docker.io/bitnamicharts" }}
 
 releases:
   - name: "sovereign-workplace-certificates"
-    chart: "sovereign-workplace-certificates/sovereign-workplace-certificates"
+    chart: "sovereign-workplace-certificates-repo/sovereign-workplace-certificates"
-    version: "1.2.1"
+    version: "1.2.2"
     values:
       - "values-certificates.gotmpl"
     condition: "certificates.enabled"
   - name: "redis"
-    chart: "bitnami/redis"
+    chart: "bitnami-repo/redis"
-    version: "^17.9.3"
+    version: "18.0.4"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
     condition: "redis.enabled"
   - name: "postgresql"
-    chart: "postgresql/postgresql"
+    chart: "postgresql-repo/postgresql"
-    version: "2.0.0"
+    version: "2.0.2"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
     condition: "postgresql.enabled"
   - name: "mariadb"
-    chart: "mariadb/mariadb"
+    chart: "mariadb-repo/mariadb"
-    version: "2.0.0"
+    version: "2.1.0"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
     condition: "mariadb.enabled"
   - name: "postfix"
-    chart: "postfix/postfix"
+    chart: "postfix-repo/postfix"
-    version: "1.8.0"
+    version: "2.0.3"
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
     condition: "postfix.enabled"
   - name: "clamav"
-    chart: "clamav/sovereign-workplace-clamav"
+    chart: "clamav-repo/opendesk-clamav"
-    version: "2.1.0"
+    version: "4.0.0"
     values:
+      - "values-clamav-distributed.yaml"
       - "values-clamav-distributed.gotmpl"
     condition: "clamavDistributed.enabled"
   - name: "clamav-simple"
-    chart: "clamav/clamav-simple"
+    chart: "clamav-repo/clamav-simple"
-    version: "2.1.0"
+    version: "4.0.0"
     values:
+      - "values-clamav-simple.yaml"
       - "values-clamav-simple.gotmpl"
     condition: "clamavSimple.enabled"
   - name: "sovereign-workplace-gateway"
-    chart: "istio-resources/istio-gateway"
+    chart: "istio-resources-repo/istio-gateway"
     version: "1.1.2"
     values:
+      - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
     condition: "istio.enabled"
 

helmfile/apps/services/values-clamav-distributed.gotmpl

@@ -5,25 +5,23 @@ SPDX-License-Identifier: Apache-2.0
 ---
 clamd:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.clamd }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.clamd.repository }}"
     tag: "{{ .Values.images.clamd.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.clamd | toYaml | nindent 4 }}
 
 freshclam:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.freshclam }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.freshclam.repository }}"
     tag: "{{ .Values.images.freshclam.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.freshclam | toYaml | nindent 4 }}
 
@@ -37,18 +35,18 @@ icap:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.icap.repository }}"
     tag: "{{ .Values.images.icap.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.icap | toYaml | nindent 4 }}
 
 milter:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.milter }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.milter.repository }}"
     tag: "{{ .Values.images.milter.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.milter | toYaml | nindent 4 }}
 

helmfile/apps/services/values-clamav-distributed.yaml

@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  enabled: true
+  readOnlyRootFilesystem: true
+
+clamd:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+freshclam:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+icap:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+milter:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+...

helmfile/apps/services/values-clamav-simple.gotmpl

@@ -3,11 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
-podSecurityContext:
-  {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-  enabled: false
-
 replicaCount: {{ .Values.replicas.clamav }}
 
 image:
@@ -15,10 +10,12 @@ image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.clamd.repository }}"
     tag: "{{ .Values.images.clamd.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   icap:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.icap.repository }}"
     tag: "{{ .Values.images.icap.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 resources:
   {{ .Values.resources.clamd | toYaml | nindent 4 }}

helmfile/apps/services/values-clamav-simple.yaml

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+  fsGroupChangePolicy: "Always"
+...

helmfile/apps/services/values-istio-gateway.yaml

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+tls:
+  httpsRedirect: false
+...

helmfile/apps/services/values-mariadb.gotmpl

@@ -11,7 +11,10 @@ global:
 image:
   repository: "{{ .Values.images.mariadb.repository }}"
   tag: "{{ .Values.images.mariadb.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
+# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
+# Please refer to `databases.yaml` for details.
 job:
   users:
     - username: "xwiki_user"

helmfile/apps/services/values-mariadb.yaml

@@ -1,6 +1,25 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 job:
   enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
 ...

helmfile/apps/services/values-postfix.gotmpl

@@ -3,14 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
+global:
-  url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
+  registry: {{ .Values.global.imageRegistry }}
-  tag: "{{ .Values.images.postfix.tag }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
-imagePullSecrets:
+image:
-{{- range .Values.global.imagePullSecrets }}
+  registry: {{ .Values.global.imageRegistry }}
-  - name: {{ . }}
+  repository: "{{ .Values.images.postfix.repository }}"
-{{- end }}
+  tag: "{{ .Values.images.postfix.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 certificate:
   secretName: "{{ .Values.ingress.tls.secretName }}"
@@ -24,7 +26,7 @@ postfix:
         - "{{ .Values.smtp.host }} {{ .Values.smtp.username }}:{{ .Values.smtp.password }}"
   relayHost: "[{{ .Values.smtp.host }}]:587"
   relayNets: {{ .Values.cluster.networking.cidr }}
-  virtualTransport: "lmtps:dovecot.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:24"
+  virtualTransport: "lmtps:dovecot:24"
   smtpdSASLPath: "inet:dovecot:3659"
   {{- if .Values.clamavDistributed.enabled }}
   smtpdMilters: "inet:clamav-milter:7357"

helmfile/apps/services/values-postfix.yaml

@@ -5,6 +5,19 @@ certificate:
   request:
     enabled: false
 
+containerSecurityContext:
+  allowPrivilegeEscalation: true
+  capabilities: {}
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
 postfix:
   hostname: "postfix"
   inetProtocols: "ipv4"

helmfile/apps/services/values-postgresql.gotmpl

@@ -11,6 +11,7 @@ global:
 image:
   repository: "{{ .Values.images.postgresql.repository }}"
   tag: "{{ .Values.images.postgresql.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 job:
   users:

helmfile/apps/services/values-postgresql.yaml

@@ -1,11 +1,29 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-enabled: true
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 job:
   image:
     digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
+
+
 postgres:
   user: "postgres"
 ...

helmfile/apps/services/values-redis.gotmpl

@@ -16,6 +16,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.redis.repository }}"
   tag: "{{ .Values.images.redis.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 master:
   persistence:

helmfile/apps/services/values-redis.yaml

@@ -8,4 +8,8 @@ sentinel:
 
 metrics:
   enabled: false
+
+master:
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
 ...

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "univention-corporate-container"
+  - name: "univention-corporate-container-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" }}
 
 releases:
   - name: "univention-corporate-container"
-    chart: "univention-corporate-container/univention-corporate-container"
+    chart: "univention-corporate-container-repo/univention-corporate-container"
     version: "1.0.10"
     values:
       - "values.yaml"

helmfile/apps/univention-corporate-container/values.gotmpl

@@ -13,7 +13,7 @@ global:
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"
-  imagePullPolicy: "Always"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   repository: "{{ .Values.images.univentionCorporateServer.repository }}"
   tag: "{{ .Values.images.univentionCorporateServer.tag }}"
 

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -0,0 +1,117 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+repositories:
+  - name: "univention"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
+
+releases:
+  - name: "ums-store-dav"
+    chart: "univention/store-dav"
+    version: "0.2.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-store-dav.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-ldap-server"
+    chart: "univention/ldap-server"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-ldap-server.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-ldap-notifier"
+    chart: "univention/ldap-notifier"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-ldap-notifier.gotmpl"
+      - "values-ldap-notifier.yaml"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-udm-rest-api"
+    chart: "univention/udm-rest-api"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-udm-rest-api.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-stack-data-ums"
+    chart: "univention/stack-data-ums"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-stack-data-ums.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-stack-data-swp"
+    chart: "univention/stack-data-swp"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-stack-data-swp.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-portal-server"
+    chart: "univention/portal-server"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-server.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-notifications-api"
+    chart: "univention/notifications-api"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-notifications-api.gotmpl"
+      - "values-notifications-api.yaml"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-portal-listener"
+    chart: "univention/portal-listener"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-listener.gotmpl"
+      - "values-portal-listener.yaml"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-portal-frontend"
+    chart: "univention/portal-frontend"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-frontend.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-umc-gateway"
+    chart: "univention/umc-gateway"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-umc-gateway.gotmpl"
+      - "values-umc-gateway.yaml"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-umc-server"
+    chart: "univention/umc-server"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-umc-server.gotmpl"
+    condition: "univentionManagementStack.enabled"
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "univention-management-stack"

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -0,0 +1,14 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
+    enabled: false
+    secretName: ""

helmfile/apps/univention-management-stack/values-common.yaml

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+istio:
+  enabled: false

helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl

@@ -0,0 +1,20 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsLdapNotifier.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsLdapNotifier.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+volumes:
+  claims:
+    shared-data: "shared-data-ums-ldap-server-0"
+    shared-run: "shared-run-ums-ldap-server-0"
+
+...

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -0,0 +1,44 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+ldapServer:
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+
+  # TODO: Certificates handling
+  # caCert: ""
+  # certPem: ""
+  # privateKey: ""
+  # dhParam: ""
+  tlsMode: "off"
+
+  # TODO: SAML integration
+  # samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
+  # samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
+  # serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsLdapServer.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsLdapServer.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+# TODO: Pending upstream support, #199
+persistence:
+  data:
+    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
+  shared:
+    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
+
+
+resources:
+  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+postgresql:
+  bundled: false
+  connection:
+    host: "postgresql"
+    port: 5432
+  auth:
+    username: "notificationsapi_user"
+    database: "notificationsapi"
+    password: {{ .Values.secrets.postgresql.notificationsapiUser }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsNotificationsApi.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsNotificationsApi.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-notifications-api.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+notificationsapi:
+  apply_database_migrations: "True"
+  dev_mode: "False"
+  environment: "staging"
+  log_level: "DEBUG"
+  sql_echo: "False"
+  api_prefix: "/univention/portal/notifications-api"
+
+...

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalFrontend.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsPortalFrontend.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+extraIngresses:
+  redirects:
+    # The TLS configuration is on the "master" Ingress, see below.
+    tls:
+      enabled: false
+  master:
+    enabled: {{ .Values.ingress.enabled }}
+    tls:
+      enabled: {{ .Values.ingress.tls.enabled }}
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+resources:
+  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -0,0 +1,54 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+portalListener:
+  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  environment: "staging"
+  debugLevel: "4"
+  assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
+  ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapHost: "ums-ldap-server"
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  notifierServer: "ums-ldap-notifier"
+  portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUsername: "cn=admin"
+
+  tlsMode: "off"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalListener.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsPortalListener.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+  waitForDependency:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
+    imagePullPolicy: "Always"
+    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+
+# TODO: Pending upstream support, #200
+persistence:
+  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.univentionManagementStack.portalListener }}"
+
+resources:
+  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
+
+resourcesDependencyWaiter:
+  {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-portal-listener.yaml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+store-dav:
+  bundled: false
+
+...

helmfile/apps/univention-management-stack/values-portal-server.gotmpl

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+portalServer:
+  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  authMode: "saml"
+  environment: "staging"
+  editable: "true"
+  logLevel: "DEBUG"
+  ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalServer.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsPortalServer.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -0,0 +1,38 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+stackDataSwp:
+  udmApiUsername: "cn=admin"
+  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  loadDevData: true
+
+stackDataContext:
+  ldapBase: "dc=swp-ldap,dc=internal"
+  externalDomainName: "{{ .Values.global.domain }}"
+  externalMailDomain: "{{ .Values.global.domain }}"
+
+  portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}"
+  portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}"
+  portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}"
+  portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}"
+  portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}"
+  portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}"
+
+  oxDefaultContext: "10"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsDataLoader.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsDataLoader.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+stackDataUms:
+  udmApiUser: "cn=admin"
+  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  loadDevData: true
+
+stackDataContext:
+  ldapBase: "dc=swp-ldap,dc=internal"
+  initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
+
+  # The SWP configuration brings its own UMC policies.
+  installUmcPolicies: false
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsDataLoader.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsDataLoader.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-store-dav.gotmpl

@@ -0,0 +1,39 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+storeDav:
+  auth:
+    basicAuth:
+      portal-listener: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}"
+      portal-server: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}"
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsStoreDav.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsStoreDav.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+  configHtpasswd:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.umsConfigHtpasswd.repository }}"
+    pullPolicy: "Always"
+    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    tag: "{{ .Values.images.umsConfigHtpasswd.tag }}"
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . }}
+      {{- end }}
+
+# TODO: Pending upstream support, #201
+persistence:
+  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.univentionManagementStack.storeDav }}"
+
+resources:
+  {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -0,0 +1,44 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+udmRestApi:
+  apiLogLevel: "4"
+  authGroups:
+    dcBackup: "cn=DC Backup Hosts,cn=groups,dc=swp-ldap,dc=internal"
+    dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=swp-ldap,dc=internal"
+    domainAdmins: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  ldapHost: "ums-ldap-server"
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  # TODO: This should not be required, the machine account is not there
+  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  # TODO: Secret should be entered without b64enc
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  # TODO: Secret should be entered without b64enc
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  # TODO: why do we need this many subprocesses?
+  numberOfSubprocesses: 8
+  # TODO: Stub value currently
+  caCert: ""
+  # TODO: This should not be part of the udm-rest-api anymore
+  loadJoinData:
+    enabled: true
+  # TODO: configurable
+  tlsMode: "off"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsUdmRestApi.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsUdmRestApi.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+umcGateway:
+  domainname: "{{ .Values.global.domain }}"
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  ssoFqdn: "localhost:8097"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsUmcGateway.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsUmcGateway.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-umc-gateway.yaml

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+umcGateway:
+  showCookieBanner: true
+  cookieBannerTitleDE: "Cookie Zustimmung"
+  cookieBannerTitleEN: "Cookie Consent"
+  cookieBannerTextDE: >-
+    Die Nutzung dieses Angebots ist nur möglich, wenn Cookies gespeichert und
+    verarbeitet werden können (essenzielle Cookies). Dafür benötigen wir Ihre
+    Zustimmung. Bitte akzeptieren Sie um fortzufahren oder schließen Sie die
+    Seite.
+  cookieBannerTextEN: >-
+    Usage of this site is only possible by storing and processing cookie
+    information (essential cookies). We require your consent. Please accept to
+    continue or close the page.
+
+...

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -0,0 +1,42 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+umcServer:
+  domainname: "{{ .Values.global.domain }}"
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  ldapHost: "ums-ldap-server"
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  # TODO: This should not be required, the machine account is not there
+  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
+  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
+  enforceSessionCookie: "true"
+
+  # TODO: The keycloak integration is pending
+  samlEnabled: false
+  samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
+  samlMetadataUrlInternal: "http://keycloak/realms/ucs/protocol/saml/descriptor"
+  samlSpServer: "localhost:8000"
+  samlSchemes: "http"
+
+  tlsMode: "off"
+
+  # TODO: Secret should be entered without b64enc
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  # TODO: Secret should be entered without b64enc
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsUmcServer.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsUmcServer.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
+...

helmfile/apps/xwiki/helmfile.yaml

@@ -2,19 +2,21 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "xwiki"
+  - name: "xwiki-repo"
-    url: "https://xwiki-contrib.github.io/xwiki-helm"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://xwiki-contrib.github.io/xwiki-helm" }}
 
 releases:
   - name: "xwiki"
-    chart: "xwiki/xwiki"
+    chart: "xwiki-repo/xwiki"
-    version: "1.1.1"
+    version: "1.1.3"
     wait: true
-    timeout: 600
     values:
       - "values.yaml"
       - "values.gotmpl"
     condition: "xwiki.enabled"
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/xwiki/values-init.gotmpl

@@ -1,20 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-xwiki:
-  url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/"
-  superadmin:
-    username: "superadmin"
-    password: {{ .Values.secrets.xwiki.superadminpassword | quote }}
-
-image:
-  repository: "{{ .Values.images.xwikiInit.repository }}"
-  tag: "{{ .Values.images.xwikiInit.tag }}"
-...

helmfile/apps/xwiki/values.gotmpl

@@ -6,16 +6,26 @@ SPDX-License-Identifier: Apache-2.0
 image:
   name: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}"
   tag: "{{ .Values.images.xwiki.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 externalDB:
-  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.xwikiUser }}"
+  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
   database: "{{ .Values.databases.xwiki.name }}"
   user: "{{ .Values.databases.xwiki.username }}"
   host: "{{ .Values.databases.xwiki.host }}"
 
 customConfigs:
   "xwiki.cfg":
-    "xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
+    "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
+    ## LDAP Server configuration
+    # "xwiki.authentication.ldap.server": "univention-corporate-container"
+    # xwiki.authentication.ldap.port: 389
+    ## Authentication to the LDAP server
+    # xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
+    # xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
+    ## Base DN used for searching for users
+    # xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+
   "xwiki.properties":
     "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
     "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
@@ -25,10 +35,16 @@ customConfigs:
     "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
     "workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-    "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey }}
+    "workplaceServices.portalSecret": "{{ .Values.secrets.centralnavigation.apiKey }}"
 
 properties:
-  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvg | b64enc }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "{{ .Values.theme.colors.primary }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "{{ .Values.theme.colors.white }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "{{ .Values.theme.colors.secondaryGreyLight }}"
+  ## Link LDAP users and users authenticated through OIDC
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}

helmfile/apps/xwiki/values.yaml

@@ -2,9 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 image:
-  name: "git.xwikisas.com:5050/xwikisas/swp/xwiki"
+  pullPolicy: "IfNotPresent"
-  tag: "0.4-mariadb-tomcat"
-  pullPolicy: "Always"
 
 ingress:
   # enabled: true
@@ -32,9 +30,9 @@ mariadb:
 
 properties:
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de_DE"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.timezone": "Europe/Berlin"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "#004B76"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de_DE"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"
@@ -43,15 +41,37 @@ properties:
     "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-active-color":
     "@brand-primary"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "#fff"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "#fff"
   # yamllint disable-line rule:line-length
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "'@list-group-active-border: @list-group-border; @gray-light: #727272; @text-muted: @gray; @xwiki-drawer-menu-item-hover-bg: @list-group-hover-bg; @xwiki-drawer-menu-item-hover-color: @list-group-link-hover-color; @well-bg: @body-bg; .navbar-default { border-bottom: 3px solid @brand-primary !important; } #menuview .navbar-brand img { padding: 5px; }'"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": " li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd; height: 64px; } div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"
+
   "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
+  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
+  #   "sn,givenname,uid"
+  ## Restrict user import in the UI to global administrators
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
+  ## Enable group and user synchronization
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
+  #   1
+  ## Base DN under which groups should be searched for
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
+  #  "dc=swp-ldap,dc=internal"
+  ## LDAP filter to only synchronize some groups
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
+  #   "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
 
 customConfigs:
   xwiki.cfg:
     xwiki.url.protocol: "https"
+    ## Indicate the LDAP field defining the user UID
+    # xwiki.authentication.ldap.UID_attr: "uid"
+    ## Indicate the LDAP field defining the user profile picture
+    # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
+    ## Enable the synchronization of the LDAP profile picture
+    # xwiki.authentication.ldap.update_photo: 1
+
   xwiki.properties:
     oidc.scope: "openid,profile,email,address,phoenix"
     oidc.endpoint.userinfo.method: "GET"

helmfile/bases/environments.yaml

@@ -5,12 +5,15 @@ environments:
   default:
     values:
       - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
   dev:
     values:
       - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
       - "../../environments/dev/values.yaml"
   prod:
     values:
       - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
       - "../../environments/prod/values.yaml"
 ...

helmfile/environments/default/certificate.gotmpl

@@ -1,9 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-certificate:
-  issuerRef:
-    name: "letsencrypt-prod"
-...

helmfile/environments/default/certificate.yaml

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+certificate:
+  issuerRef:
+    name: "letsencrypt-prod"
+...

helmfile/environments/default/cluster.gotmpl

@@ -1,26 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-cluster:
-  service:
-    # Based on the available Implementations of your cluster, choose the type of Service.
-    # Choose out of "ClusterIP", "NodePort" or "LoadBalancer.
-    type: "LoadBalancer"
-
-  persistence:
-    # Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...).
-    readWriteMany:
-      enabled: false
-
-  networking:
-    # Kubernetes internal cluster domain.
-    domain: "cluster.local"
-    # Kubernetes cluster network CIDR.
-    cidr: "10.0.0.0/8"
-
-  container:
-    # Used container engine in kubernetes cluster.
-    engine: "cri-o"
-...

helmfile/environments/default/cluster.yaml

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+cluster:
+  service:
+    # Based on the available Implementations of your cluster, choose the type of Service.
+    # Choose out of "ClusterIP", "NodePort" or "LoadBalancer.
+    type: "LoadBalancer"
+
+  persistence:
+    # Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...).
+    readWriteMany:
+      enabled: false
+
+  networking:
+    # Kubernetes internal cluster domain.
+    domain: "cluster.local"
+    # Kubernetes cluster network CIDR.
+    cidr: "10.0.0.0/8"
+    # Ingress-gateway IP - only relevant for "NodePort" cluster services.
+    # When ingress and egress gateway use different ips, which results that pods can't self-discover their incoming ip,
+    # you need to provide the public (load-balanced) ingress gateways ip address.
+    ingressGatewayIP: ""
+    # LoadBalancer status fiel - only relevant for "LoadBalancer" cluster services.
+    # The IP/DNS of your load-balancer will be fetched for some components from 'status' map of services.
+    # Most providers use '.status.loadBalancer.ingress[0].ip' to store public ip. You can modify the chosen field here.
+    loadBalancerStatusField: "ip"
+
+  container:
+    # Used container engine in kubernetes cluster.
+    engine: "cri-o"
+
+...

helmfile/environments/default/database.yaml

@@ -1,7 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
-SPDX-License-Identifier: Apache-2.0
-*/}}
 ---
 databases:
   keycloak:
@@ -32,9 +30,15 @@ databases:
     name: "CONFIGDB"
     username: "root"
     password: ""
+  synapse:
+    host: "postgresql"
+    name: "matrix"
+    username: "matrix_user"
+    password: ""
+    port: 5432
   xwiki:
     name: "xwiki"
     host: "mariadb"
-    username: "xwiki_user"
+    username: "root"
     password: ""
 ...

helmfile/environments/default/global.gotmpl

@@ -7,52 +7,12 @@ SPDX-License-Identifier: Apache-2.0
 #
 global:
 
-  ## Define ingress/virtualservice host.
-  #
-  hosts:
-    collabora: "collabora"
-    dimension: "integration"
-    element: "ucc"
-    etherpad: "etherpad"
-    intercomService: "ics"
-    jitsi: "av"
-    jitsiPlain: "jitsi"
-    keycloak: "id"
-    meetingWidgetsBot: "meeting-widgets-bot"
-    meetingWidgets: "meeting-widgets"
-    newWorkBoardWidget: "whiteboard-widget"
-    moodle: "learn"
-    nextcloud: "fs"
-    openproject: "project"
-    openxchange: "webmail"
-    openxchangeProvisioning: "ox-provisioning"
-    pollWidget: "poll-widget"
-    synapse: "matrix"
-    univentionCorporateServer: "portal"
-    whiteboard: "whiteboard"
-    xwiki: "wiki"
-
   ## Define host
   #
   domain: {{ env "DOMAIN" | default "souvap.cloud" }}
 
   ## Define docker registry address.
   #
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}
 
-  ## Credentials to fetch images from private registry
-  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  #
-  imagePullSecrets:
-    - "external-registry"
-
-  ## Define internal kubernetes domain, usually svc.cluster.local
-  ## Workaround for calico with postfix
-  #
-  internalDomain: "svc.cluster.local"
-
-  ## Define internal kubernetes network for postfix
-  ## Attention: Mail from this network can be sent without authentication!
-  #
-  internalNetwork: "10.0.0.0/8"
 ...

helmfile/environments/default/global.yaml

@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+## The global properties are used to configure multiple charts at once.
+#
+global:
+
+  ## Define ingress/virtualservice host.
+  #
+  hosts:
+    collabora: "collabora"
+    dimension: "integration"
+    element: "chat"
+    etherpad: "etherpad"
+    intercomService: "ics"
+    jitsi: "meet"
+    keycloak: "id"
+    meetingWidgetsBot: "meeting-widgets-bot"
+    meetingWidgets: "meeting-widgets"
+    newWorkBoardWidget: "whiteboard-widget"
+    nextcloud: "fs"
+    openproject: "project"
+    openxchange: "webmail"
+    openxchangeProvisioning: "ox-provisioning"
+    pollWidget: "poll-widget"
+    synapse: "matrix"
+    univentionCorporateServer: "portal"
+    univentionManagementStack: "portal"
+    whiteboard: "whiteboard"
+    xwiki: "wiki"
+
+
+  ## Define docker registry address.
+  #
+  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+
+  ## Credentials to fetch images from private registry
+  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  #
+  imagePullSecrets:
+    - "external-registry"
+
+  ## Define the policy to pull container images.
+  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+  #
+  imagePullPolicy: "IfNotPresent"
+...

helmfile/environments/default/images.gotmpl

@@ -1,116 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-images:
-  clamd:
-    repository: "clamav/clamav"
-    tag: "1.1.0_base"
-  collabora:
-    repository: "collabora/code"
-    tag: "23.05.2.2.1"
-  dovecot:
-    repository: "dovecot/dovecot"
-    tag: "2.3.20"
-  freshclam:
-    repository: "clamav/clamav"
-    tag: "1.1.0_base"
-  jibri:
-    repository: "jitsi/jibri"
-    tag: "stable-8615"
-  jicofo:
-    repository: "jitsi/jicofo"
-    tag: "stable-8615"
-  jitsi:
-    repository: "jitsi/web"
-    tag: "stable-8615"
-  jitsiKeycloakAdapter:
-    repository: "nordeck/jitsi-keycloak-adapter"
-    tag: "v20230425"
-  jitsiPatchJVB:
-    repository: "bitnami/kubectl"
-    tag: "1.26.6"
-  jvb:
-    repository: "jitsi/jvb"
-    tag: "stable-8615"
-  icap:
-    repository: "souvap/tooling/images/c-icap/c-icap-clamav"
-    tag: "1.0.4"
-  intercom:
-    repository: "univention/intercom-service"
-    tag: "1.4-kubernetes"
-  keycloak:
-    repository: "bitnami/keycloak"
-    tag: "19.0.3-debian-11-r15"
-    digest: ""
-  keycloakBootstrap:
-    repository: "souvap/tooling/images/ansible"
-    tag: "4.10.0"
-  keycloakExtension:
-    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
-    tag: "latest"
-  mariadb:
-    repository: "mariadb"
-    tag: "10"
-  memcached:
-    repository: "bitnami/memcached"
-    tag: "1.6.21-debian-11-r4"
-  milter:
-    repository: "clamav/clamav"
-    tag: "1.1.0_base"
-  nextcloud:
-    repository: "nextcloud"
-    tag: "26.0.1-apache"
-  openproject:
-    repository: "souvap/tooling/images/openproject/souvap"
-    tag: "dev"
-  openxchangeCoreGuidedtours:
-    repository: "appsuite-public-sector/core-guidedtours"
-    tag: "8.5.0"
-  openxchangeCoreMW:
-    repository: "appsuite-public-sector/middleware-public-sector"
-    tag: "8.15.43"
-  openxchangeCoreUI:
-    repository: "appsuite-public-sector/core-ui"
-    tag: "8.15.2"
-  openxchangeCoreUIMiddleware:
-    repository: "appsuite-public-sector/core-ui-middleware"
-    tag: "1.8.3"
-  openxchangeCoreUserGuide:
-    repository: "appsuite-public-sector/core-user-guide"
-    tag: "8.15.702039"
-  openxchangeGuardUI:
-    repository: "appsuite-public-sector/guard-ui"
-    tag: "4.0.5"
-  openxchangeNextcloudIntegrationUI:
-    repository: "appsuite-public-sector/nextcloud-integration-ui"
-    tag: "1.0.2"
-  openxchangePublicSectorUI:
-    repository: "appsuite-public-sector/public-sector-ui"
-    tag: "1.0.3"
-  oxConnector:
-    repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
-    tag: "branch-jconde-listener-entrypoint-chaining"
-  postfix:
-    repository: "souvap/tooling/images/postfix"
-    tag: "1.0.0"
-  postgresql:
-    repository: "postgres"
-    tag: "15-alpine"
-  prosody:
-    repository: "jitsi/prosody"
-    tag: "stable-8615"
-  redis:
-    repository: "bitnami/redis"
-    tag: "7.0.12-debian-11-r0"
-  univentionCorporateServer:
-    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
-    tag: "20230806T234258"
-  xwiki:
-    repository: "xwikisas/swp/xwiki"
-    tag: "0.8-mariadb-tomcat"
-  xwikiInit:
-    repository: "curlimages/curl"
-    tag: "8.1.2"
-...

helmfile/environments/default/images.yaml

@@ -0,0 +1,227 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+images:
+  clamd:
+    repository: "clamav/clamav"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
+    # @supplier: "openDesk DevSecOps"
+  collabora:
+    repository: "souvap/tooling/images/collabora"
+    tag: "23.05.4.2.1@sha256:ee9ce83811700f1ff57e1218d22388dbaca96306df33f82aa14b334c5302285a"
+    # @supplier: "Collabora"
+  dovecot:
+    repository: "dovecot/dovecot"
+    tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
+    # @supplier: "Open-Xchange"
+  element:
+    repository: "souvap/tooling/images/element-web"
+    tag: "latest@sha256:16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
+    # @supplier: "Element"
+  freshclam:
+    repository: "clamav/clamav"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
+    # @supplier: "openDesk DevSecOps"
+  jibri:
+    repository: "jitsi/jibri"
+    tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
+    # @supplier: "Nordeck"
+  jicofo:
+    repository: "jitsi/jicofo"
+    tag: "stable-8922@sha256:820fcd4b072b29f42c1c37389fbefda1065f1e9654694941485dc08123c8a93b"
+    # @supplier: "Nordeck"
+  jitsi:
+    repository: "jitsi/web"
+    tag: "stable-8922@sha256:24bd4179998fe01ace1be74e53fea5308f4d91722953bb4334611e6886753f46"
+    # @supplier: "Nordeck"
+  jitsiKeycloakAdapter:
+    repository: "nordeck/jitsi-keycloak-adapter"
+    tag: "v20230906@sha256:54d45ee1a1205f98641810ffb171bd92e6478e2957a349ee4ff599359239fbf2"
+    # @supplier: "Nordeck"
+  jitsiPatchJVB:
+    repository: "bitnami/kubectl"
+    tag: "1.26.8@sha256:c6902a1fdce0a24c9f93ac8d1f317039b206a4b307d8fc76cab4a92911345757"
+    # @supplier: "Nordeck"
+  jvb:
+    repository: "jitsi/jvb"
+    tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
+    # @supplier: "Nordeck"
+  icap:
+    repository: "souvap/tooling/images/c-icap"
+    tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
+    # @supplier: "openDesk DevSecOps"
+  intercom:
+    repository: "univention/intercom-service"
+    tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
+    # @supplier: "Univention"
+  keycloak:
+    repository: "bitnami/keycloak"
+    tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
+    # @supplier: "Univention"
+  keycloakBootstrap:
+    repository: "souvap/tooling/images/ansible"
+    tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
+    # @supplier: "Univention"
+  keycloakExtensionHandler:
+    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
+    tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
+    # @supplier: "Univention"
+  keycloakExtensionProxy:
+    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
+    tag: "latest@sha256:57026fb4ba7d4579461e7ddd4b1b8ce9585d1cac4adbe64040f5e1063c80a6ba"
+    # @supplier: "Univention"
+  mariadb:
+    repository: "mariadb"
+    tag: "11.1.2-jammy@sha256:b6440c4f4e1471bdcee202e4c4e21c1f93af87421f6d33028363dd224e54f481"
+    # @supplier: "openDesk DevSecOps"
+  memcached:
+    repository: "bitnami/memcached"
+    tag: "1.6.21-debian-11-r84@sha256:81747acd297d3fcd05706ea771d441a6f01b28d722c366a06f922b6b7d4033dd"
+    # @supplier: "OpenProject"
+  milter:
+    repository: "clamav/clamav"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
+    # @supplier: "openDesk DevSecOps"
+  nextcloud:
+    repository: "nextcloud"
+    tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
+    # @supplier: "Nextcloud Community"
+  openproject:
+    repository: "souvap/tooling/images/openproject/open_desk"
+    tag: "dev@sha256:d2adb649aab0abdbff853d46a3b3038e096a67db46bb10208b2c5536d0dfa523"
+    # @supplier: "OpenProject"
+  openxchangeBootstrap:
+    repository: "alpine/k8s"
+    tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
+    # @supplier: "Open-Xchange"
+  openxchangeCoreGuidedtours:
+    repository: "appsuite-public-sector/core-guidedtours"
+    tag: "8.5.1@sha256:469457562a378cca50460e08d9437a954fc6f19622f18128fa74979f7905ecd9"
+    # @supplier: "Open-Xchange"
+  openxchangeCoreMW:
+    repository: "appsuite-public-sector/middleware-public-sector"
+    tag: "8.16.60@sha256:269c5b72f380c49ba1888c4300c409745d2ce757ca0b269afe1e8ac9bb26f028"
+    # @supplier: "Open-Xchange"
+  openxchangeCoreUI:
+    repository: "appsuite-public-sector/core-ui"
+    tag: "8.16.5@sha256:4f4dd4e36fb8a1b493c195e38e2f13b87c9582bfcdc3d23b646698fce2ffef8c"
+    # @supplier: "Open-Xchange"
+  openxchangeCoreUIMiddleware:
+    repository: "appsuite-public-sector/core-ui-middleware"
+    tag: "1.8.4@sha256:c707fbd5496c894f201dab8f4e78aad98f1ad80c8058778f04dfa5e6e201ed64"
+    # @supplier: "Open-Xchange"
+  openxchangeCoreUserGuide:
+    repository: "appsuite-public-sector/core-user-guide"
+    tag: "8.16.727397@sha256:5d8dbf9a91456dea59a235b495dcd002b971e2b23ef6c3a2ea5fd2071664e2a4"
+    # @supplier: "Open-Xchange"
+  openxchangeGuardUI:
+    repository: "appsuite-public-sector/guard-ui"
+    tag: "4.0.6@sha256:7bb8fdf944228dd78a5c33bbd8d0019d5a9e4ce1c35bda674166f2febc5d9a02"
+    # @supplier: "Open-Xchange"
+  openxchangeNextcloudIntegrationUI:
+    repository: "appsuite-public-sector/nextcloud-integration-ui"
+    tag: "1.0.5@sha256:cad4ecba431f84b8627d2e541cfea773d5ef54b65d847fa8f7e3fd0d63156497"
+    # @supplier: "Open-Xchange"
+  openxchangePublicSectorUI:
+    repository: "appsuite-public-sector/public-sector-ui"
+    tag: "2.0.1@sha256:8df90f6dfb59008567d8ded0dbd17b8f92f409c78ba2cf4ab2a39e1b23e34d3b"
+    # @supplier: "Open-Xchange"
+  openxchangeGotenberg:
+    repository: "appsuite-public-sector/3rdparty/gotenberg"
+    tag: "7.8.2@sha256:34af7b6d21c02b8183785177f5f3f1731633d72ec69e1f2ecdb8b43747887f62"
+    # @supplier: "Open-Xchange"
+  oxConnector:
+    repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
+    tag:
+      "branch-jconde-listener-entrypoint-chaining\
+      @sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
+    # @supplier: "Univention"
+  postfix:
+    repository: "souvap/tooling/images/postfix"
+    tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
+    # @supplier: "openDesk DevSecOps"
+  postgresql:
+    repository: "postgres"
+    tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
+    # @supplier: "openDesk DevSecOps"
+  prosody:
+    repository: "jitsi/prosody"
+    tag: "stable-8922@sha256:243547f24ae7d686d1f0c18ee230cf93119a66f095dda282bacbf45d4bb69f77"
+    # @supplier: "Nordeck"
+  redis:
+    repository: "bitnami/redis"
+    tag: "7.2.1-debian-11-r5@sha256:e664fa63dfe88cd099180c32f2c9a109a958f053b75d195beb48b06ffd8a0b5b"
+    # @supplier: "openDesk DevSecOps"
+  synapse:
+    repository: "matrixdotorg/synapse"
+    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
+    # @supplier: "Element"
+  synapseWeb:
+    repository: "rapidfort/haproxy-official"
+    tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
+    # @supplier: "Element"
+  univentionCorporateServer:
+    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
+    tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
+    # @supplier: "Univention"
+  umsConfigHtpasswd:
+    repository: "souvap/tooling/images/univention/config-htpasswd"
+    tag: "latest@sha256:24c5e218baa62b169e7222d8ee4d3951ddc8622cd359def6b660bb23a1052f9e"
+    # @supplier: "Univention"
+  umsDataLoader:
+    repository: "souvap/tooling/images/univention/data-loader"
+    tag: "latest@sha256:857837c1810f82362d441544dc32bd2c1d6fe358bbb5ae0e2c60b7f8f4092190"
+    # @supplier: "Univention"
+  umsLdapNotifier:
+    repository: "souvap/tooling/images/univention/ldap-notifier"
+    tag: "latest@sha256:6eccf86fe78926247ec9b59d7ba83c53271bc3ca7d0195863c0489e22c836002"
+    # @supplier: "Univention"
+  umsLdapServer:
+    repository: "souvap/tooling/images/univention/ldap-server"
+    tag: "latest@sha256:4a7c44b37c727cdc03e4043c88e3dbf6b1f119772c5c1904eaed3298bdd49a3d"
+    # @supplier: "Univention"
+  umsNotificationsApi:
+    repository: "souvap/tooling/images/univention/notifications-api"
+    tag: "latest@sha256:87a047c2d0669fcbb3501ef94192812e17e09aecabc1edd2e4b92afbb7ea4b20"
+    # @supplier: "Univention"
+  umsPortalListener:
+    repository: "souvap/tooling/images/univention/portal-listener"
+    tag: "latest@sha256:bcf48d108bc2f1afd745659a1d4f11f1dd0d8ada034899aa401dfea32a29c87a"
+    # @supplier: "Univention"
+  umsPortalFrontend:
+    repository: "souvap/tooling/images/univention/portal-frontend"
+    tag: "latest@sha256:a1b11db009e992d91cfef2bc60a5022cd4498c38908194020c881ef6dd325bae"
+    # @supplier: "Univention"
+  umsPortalServer:
+    repository: "souvap/tooling/images/univention/portal-server"
+    tag: "latest@sha256:eb0b032c4cf4b207f78b80c69f3e593e01e577779d877e16908902f19b4fc2ee"
+    # @supplier: "Univention"
+  umsWaitForDependency:
+    repository: "souvap/tooling/images/univention/wait-for-dependency"
+    tag: "latest@sha256:5d8d5e9ed55af2d12fef25856e5e61c7d13081458e4b14e6a01b10488b8067d3"
+    # @supplier: "Univention"
+  umsStoreDav:
+    repository: "souvap/tooling/images/univention/store-dav"
+    tag: "latest@sha256:d65f705e46a497ba58e7373f19973835f731796baeace16a32d6331469bf0068"
+    # @supplier: "Univention"
+  umsUdmRestApi:
+    repository: "souvap/tooling/images/univention/udm-rest-api"
+    tag: "latest@sha256:dce4322646749692c5d4692ccd7ff55df080a4af3485585a50c82871715e0cae"
+    # @supplier: "Univention"
+  umsUmcGateway:
+    repository: "souvap/tooling/images/univention/umc-gateway"
+    tag: "latest@sha256:18172ee4317a9259291f251c0cc1d2be05e003558cbd18d6dc062098a127cc8d"
+    # @supplier: "Univention"
+  umsUmcServer:
+    repository: "souvap/tooling/images/univention/umc-server"
+    tag: "latest@sha256:6cbb1708109c5a0c13f3ee433989094d04cecfb8b32975e723d0f5a2e526f8db"
+    # @supplier: "Univention"
+  wellKnown:
+    repository: "library/nginx"
+    tag: "1.25.2-bookworm@sha256:9504f3f64a3f16f0eaf9adca3542ff8b2a6880e6abfb13e478cca23f6380080a"
+    # @supplier: "Element"
+  xwiki:
+    repository: "xwikisas/swp/xwiki"
+    tag: "0.10-mariadb-tomcat@sha256:02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
+    # @supplier: "XWiki"
+...