chore(release): 0.5.28 [skip ci]

## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)

### Bug Fixes

* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](899a8c5af9))

.gitignore

@@ -5,4 +5,8 @@
 
 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml
+helmfile/environments/dev/values.gotmpl
+helmfile/environments/test/values.yaml
+helmfile/environments/test/values.gotmpl
 helmfile/environments/prod/values.yaml
+helmfile/environments/prod/values.gotmpl

.gitlab-ci.yml

@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
-  - project: "souvap/tooling/gitlab-config"
+  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
     ref: "main"
     file:
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"
-  - project: "souvap/devops/sovereign-workplace-env"
+  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     file: "gitlab/environments.yaml"
+    rules:
+      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
 
 stages:
   - ".pre"
@@ -20,22 +22,17 @@ stages:
   - "component-deploy-stage-2"
   - "tests"
   - "env-stop"
-  - "post"
+  - "generate-release-assets"
+  - ".post"
 
 variables:
   NAMESPACE:
     description: "The name of namespaces to deploy to."
     value: ""
   CLUSTER:
-    description: "Define which cluster to use"
-    value: "develop"
-    options:
-      - "dev"
-      - "qa"
-      - "ref"
-      - "develop"
-      - "hubble"
-      - "prototype"
+    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
+      sovereign-workplace-env included above."
+    value: "dev"
   BASE_DOMAIN:
     description: "Define the Cluster Base Domain."
     value: "souvap.cloud"
@@ -61,10 +58,13 @@ variables:
       - "yes"
       - "no"
   DEPLOY_UCS:
-    description: "Enable Univention Corporate Server deployment."
+    description: >-
+      Enable Univention Corporate Server deployment.
+      "ums-eval" does deploy the Univention Management Stack instead of the UCS container.
     value: "no"
     options:
       - "yes"
+      - "ums-eval"
       - "no"
   DEPLOY_PROVISIONING:
     description: "Enable Provisioning Components."
@@ -78,6 +78,18 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_CRYPTPAD:
+    description: "Enable CryptPad deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
+  DEPLOY_ELEMENT:
+    description: "Enable Element deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_KEYCLOAK:
     description: "Enable Keycloak deployment."
     value: "no"
@@ -126,9 +138,18 @@ variables:
     options:
       - "yes"
       - "no"
-  TESTS_PROJECT_URL:
-    description: "URL of the E2E-test gitlab project API with project ID."
-    value: "gitlab.souvap-univention.de/api/v4/projects/6"
+  TESTS_BRANCH:
+    description: "Branch of E2E-tests on which the test pipeline is triggered"
+    value: "main"
+  RUN_UMS_TESTS:
+    description: "Run E2E test suite of SouvAP Dev team"
+    value: "no"
+    options:
+      - "yes"
+      - "no"
+  UMS_TESTS_BRANCH:
+    description: "Branch of E2E test suite of SouvAP Dev team"
+    value: "main"
   # please use the following set of variables with normalized names:
   DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
   ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -138,23 +159,6 @@ variables:
   dependencies: []
   extends: ".environments"
   image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
-  secrets:
-    SMTP_PASSWORD:
-      vault:
-        engine:
-          name: "kv-v2"
-          path: "swp"
-        path: "accounts/brained/mail/relay@souvap-univention.de"
-        field: "password"
-      file: false
-    TURN_CREDENTIALS:
-      vault:
-        engine:
-          name: "kv-v2"
-          path: "swp"
-        path: "accounts/souvap-univention.de/develop/turn/secret"
-        field: "credentials"
-      file: false
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
     # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -185,14 +189,22 @@ env-cleanup:
           $ENV_STOP_BEFORE != "no"
       when: "always"
   script:
-    - "helmfile destroy --namespace ${NAMESPACE}"
-    - "kubectl delete pvc --all --namespace ${NAMESPACE}"
+    - |
+      if [ "${OPENDESK_SLEDGEHAMMER_DESTROY_ENABLED}" = "yes" ]; then
+        for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
+          helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
+        done
+        kubectl delete pvc --all --namespace ${NAMESPACE};
+        kubectl delete jobs --all --namespace ${NAMESPACE};
+      else
+        helmfile destroy --namespace ${NAMESPACE};
+      fi
   stage: "env-cleanup"
 
 env-start:
   environment:
     name: "${NAMESPACE}"
-    url: "https://portal.${NAMESPACE}.${SWP_DOMAIN}"
+    url: "https://portal.${DOMAIN}"
     on_stop: "env-stop"
   extends: ".deploy-common"
   image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
@@ -233,7 +245,7 @@ ucs-deploy:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
           $NAMESPACE =~ /.+/ &&
-          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no")
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS == "yes")
       when: "always"
   variables:
     COMPONENT: "univention-corporate-container"
@@ -250,6 +262,18 @@ provisioning-deploy:
   variables:
     COMPONENT: "provisioning"
 
+ums-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          $DEPLOY_UCS == "ums-eval"
+      when: "always"
+  variables:
+    COMPONENT: "univention-management-stack"
+
 keycloak-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
@@ -278,6 +302,7 @@ keycloak-bootstrap-deploy:
 ox-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
+  timeout: "30m"
   rules:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -323,6 +348,18 @@ collabora-deploy:
   variables:
     COMPONENT: "collabora"
 
+cryptpad-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
+      when: "always"
+  variables:
+    COMPONENT: "cryptpad"
+
 nextcloud-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
@@ -359,6 +396,18 @@ jitsi-deploy:
   variables:
     COMPONENT: "jitsi"
 
+element-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ELEMENT != "no")
+      when: "always"
+  variables:
+    COMPONENT: "element"
+
 env-stop:
   extends: ".deploy-common"
   environment:
@@ -393,67 +442,183 @@ run-tests:
       when: "always"
   script:
     - |
-      COMPONENTS="login or portal or profile or navigation"
-      if [ "${DEPLOY_ALL_COMPONENTS}" != "no" ]; then
-        COMPONENTS="${COMPONENTS} or collabora or ics or jitsi or keycloak or nextcloud or openproject or ox or ucs \
-          or xwiki"
-      else
-        [ "${DEPLOY_COLLABORA}" != "no" ] && COMPONENTS="${COMPONENTS} or collabora"
-        [ "${DEPLOY_ICS}" != "no" ] && COMPONENTS="${COMPONENTS} or ics"
-        [ "${DEPLOY_JITSI}" != "no" ] && COMPONENTS="${COMPONENTS} or jitsi"
-        [ "${DEPLOY_KEYCLOAK}" != "no" ] && COMPONENTS="${COMPONENTS} or keycloak"
-        [ "${DEPLOY_NEXTCLOUD}" != "no" ] && COMPONENTS="${COMPONENTS} or nextcloud"
-        [ "${DEPLOY_OPENPROJECT}" != "no" ] && COMPONENTS="${COMPONENTS} or openproject"
-        [ "${DEPLOY_OX}" != "no" ] && COMPONENTS="${COMPONENTS} or ox"
-        [ "${DEPLOY_UCS}" != "no" ] && COMPONENTS="${COMPONENTS} or ucs"
-        [ "${DEPLOY_XWIKI}" != "no" ] && COMPONENTS="${COMPONENTS} or xwiki"
-      fi
-
-      echo "Gathering passwords from UCS container ..."
       UCS_CONTAINER_NAME=$( \
-        kubectl -n ${NAMESPACE} get pods --no-headers \
-        --selector 'app.kubernetes.io/instance=univention-corporate-container' \
-       | awk '{print $1}' \
+        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
+          'app.kubernetes.io/instance=univention-corporate-container' \
+        | grep Running \
+        | awk '{print $1}' \
       )
-      echo "UCS_CONTAINER_NAME: ${UCS_CONTAINER_NAME}"
       DEFAULT_USER_PASSWORD=$( \
         kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
         | grep DEFAULT_ACCOUNT_USER_PASSWORD \
         | awk '{print $2}' \
       )
-      DEFAULT_ADMIN_PASSWORD=$( \
+      DEFAULT_ADMIN_PASSWORD=$(
         kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
         | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
         | awk '{print $2}' \
       )
 
-      echo "triggering test pipeline ..."
-      curl -X POST \
-        -F "ref=main" \
-        -F "token=${CI_JOB_TOKEN}" \
-        -F "variables[url]=https://portal.${DOMAIN}" \
-        -F "variables[user_name]=${DEFAULT_USER_NAME}" \
-        -F "variables[user_password]=${DEFAULT_USER_PASSWORD}" \
-        -F "variables[admin_name]=${DEFAULT_ADMIN_NAME}" \
-        -F "variables[admin_password]=${DEFAULT_ADMIN_PASSWORD}" \
-        -F "variables[components]=\"${COMPONENTS}\"" \
-        https://${TESTS_PROJECT_URL}/trigger/pipeline
+      curl --request POST \
+      --header "Content-Type: application/json" \
+      --data "{ \
+        \"ref\": \"${TESTS_BRANCH}\", \
+        \"token\": \"${CI_JOB_TOKEN}\", \
+        \"variables\": { \
+          \"url\": \"https://portal.${DOMAIN}\", \
+          \"user_name\": \"${DEFAULT_USER_NAME}\", \
+          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
+          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
+          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
+          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
+          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
+          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
+          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
+          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
+          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
+          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
+          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
+          \"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
+          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
+          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
+        } \
+      }" \
+      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
 
+run-souvap-dev-tests:
+  extends: ".deploy-common"
+  environment:
+    name: "${NAMESPACE}"
+  tags:
+    - "docker"
+    - "kubernetes"
+    - "${CLUSTER}"
+  stage: "tests"
+  rules:
+    - if: >
+        $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
+      when: "always"
+  script:
+    - |
+      UCS_CONTAINER_NAME=$( \
+        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
+          'app.kubernetes.io/instance=univention-corporate-container' \
+        | grep Running \
+        | awk '{print $1}' \
+      )
+      DEFAULT_USER_PASSWORD=$( \
+        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
+        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
+        | awk '{print $2}' \
+      )
+      DEFAULT_ADMIN_PASSWORD=$(
+        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
+        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
+        | awk '{print $2}' \
+      )
+
+      curl --request POST \
+      --header "Content-Type: application/json" \
+      --data "{ \
+        \"ref\": \"${UMS_TESTS_BRANCH}\", \
+        \"token\": \"${CI_JOB_TOKEN}\", \
+        \"variables\": { \
+          \"portal_base_url\": \"https://portal.${DOMAIN}\", \
+          \"username\": \"${DEFAULT_USER_NAME}\", \
+          \"password\": \"${DEFAULT_USER_PASSWORD}\", \
+          \"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"keycloak_base_url\": \"https://id.${DOMAIN}\" \
+        } \
+      }" \
+      "https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
+
+generate-release-assets:
+  stage: "generate-release-assets"
+  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "always"
+    - when: "never"
+  script:
+    - |
+      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
+      cd opendesk-asset-generator
+      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
+      ./opendesk_asset_generator.py
+      mv ./build_artefacts ${CI_PROJECT_DIR}
+      cd ..
+      rm -rf opendesk-asset-generator
+      ls -l ./build_artefacts
+  artifacts:
+    paths:
+      - "./build_artefacts/chart-index.json"
+      - "./build_artefacts/image-index.json"
+  tags: []
+  variables:
+    ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
+
+
+# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
+# 'cache' is used because job must contain at least one key, so cache is just a dummy key.
+.environments:
+  cache: {}
 
 # Overwrite shared settings
 .common-semantic-release:
   image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
-  except:
-    - "tags"
-    - "web"
+  tags: []
 
 common-yaml-linter:
-  except:
-    - "tags"
-    - "web"
+  rules:
+    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+      when: "never"
+    - when: "always"
 
 reuse-linter:
   allow_failure: false
-  except:
-    - "tags"
-    - "web"
+  rules:
+    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+      when: "never"
+    - when: "always"
+
+generate-release-version:
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false'"
+      when: "always"
+
+release:
+  dependencies:
+    - "generate-release-assets"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "always"
+  script:
+    - |
+      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
+      {
+        "branches": ["main"],
+        "plugins": [
+          ["@semantic-release/gitlab",
+            {
+              "assets": [
+                { "path": "./build_artefacts/chart-index.json",
+                  "label": "Chart Index JSON" },
+                { "path": "./build_artefacts/image-index.json",
+                  "label": "Image Index JSON" },
+              ]
+            }
+          ],
+          "@semantic-release/release-notes-generator",
+          "@semantic-release/changelog",
+          ["@semantic-release/git", {
+            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md"],
+            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+          }]
+        ]
+      }
+      EOF
+    - "semantic-release"
+...

.reuse/dep5

@@ -0,0 +1,8 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: openDesk
+Upstream-Contact: <git+bmi-souveraener-arbeitsplatz-cla-1339-29pr0g9pj4or9yi6wfly6pbhg-issue@opencode.de>
+Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace
+
+Files: helmfile/environments/default/theme/*
+Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+License: Apache-2.0

CHANGELOG.md

@@ -1,3 +1,560 @@
+## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)
+
+
+### Bug Fixes
+
+* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/899a8c5af9052634b98d9876dfbaea517d89ad49))
+
+## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)
+
+
+### Bug Fixes
+
+* **docs:** Re-include release artefacts ([4359b21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4359b21f1cdae91a87b87ad2b270d67a2b1eda21))
+
+## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)
+
+
+### Bug Fixes
+
+* **element:** Enables user directory search for all users ([8fafd90](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8fafd906a3b0efa7e4164b357656d7903fc55371))
+
+## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)
+
+
+### Bug Fixes
+
+* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ab6014f8c6285785be5c56cd656fe0636df4434c))
+
+## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)
+
+
+### Bug Fixes
+
+* **collabora:** Update image to 23.05.5.3.1 ([38336d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/38336d024033f4fe1a28b0f76f9c63ecdb076156))
+
+## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)
+
+
+### Bug Fixes
+
+* **element:** Update Element Web to latest release ([b47de62](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b47de62f987e8778878fee55ecda3032beb55f3d))
+
+## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)
+
+
+### Bug Fixes
+
+* **openproject:** Nextcloud integration within K8s instances ([d249d0e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d249d0e3ce3ee0966033e870ea5c4d9e1928f045))
+
+## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)
+
+
+### Bug Fixes
+
+* **helmfile:** Deinstall components if disabled ([7feaadf](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7feaadf7f8830d8d0d5df752733c9b8f47315df6))
+* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/034e98c850fa1f67300c04883904737a69448a25))
+
+## [0.5.20](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.19...v0.5.20) (2023-10-30)
+
+
+### Bug Fixes
+
+* **helmfile:** Remove old XWiki image, set explicit timeout for OP deployment, bump Jitsi Helm chart to enable chat for stand-alone Jitsi ([5d01f8c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5d01f8ca46384d63d69dab0119998c4bb3183084))
+
+## [0.5.19](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.18...v0.5.19) (2023-10-30)
+
+
+### Bug Fixes
+
+* **element:** Update Element Web and Nordeck Widgets to latest releases ([2313f75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2313f75dbe32d855b0c440944bd0de51c8e104ca))
+
+## [0.5.18](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.17...v0.5.18) (2023-10-28)
+
+
+### Bug Fixes
+
+* **xwiki:** Switch to Alpine/Jetty slim image ([b399869](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b39986907cece3cec06012531a55b2699d131f90))
+
+## [0.5.17](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.16...v0.5.17) (2023-10-28)
+
+
+### Bug Fixes
+
+* **nextcloud:** Update swp_integration app and prepare CryptPad integration ([a046dea](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a046deaf173ab41029c2ab5e3161bd89e0fdabcb))
+
+## [0.5.16](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.15...v0.5.16) (2023-10-26)
+
+
+### Bug Fixes
+
+* **openproject:** Slim container with upgraded helm-chart ([535823e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/535823e0a8b2bde72d159835248b2287fd136af7))
+
+## [0.5.15](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.14...v0.5.15) (2023-10-25)
+
+
+### Bug Fixes
+
+* **helmfile:** Add XWiki Jetty and UniventionKeycloak to image.yaml for Compliance checks. They are not yet part of standard deployment. ([8e376bb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8e376bb4a5e37e16d76ea527cd02a5f614cdfe3d))
+
+## [0.5.14](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.13...v0.5.14) (2023-10-20)
+
+
+### Bug Fixes
+
+* **element:** Support for openDesk top bar with central navigation ([e609b75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e609b75cc7fcbb7f03997cb5e26dd9cf4628f77d))
+
+## [0.5.13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.12...v0.5.13) (2023-10-20)
+
+
+### Bug Fixes
+
+* **element:** Configure rights and roles ([59d58e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/59d58e320e503727e42dbfe0b027ba7948275ac6))
+
+## [0.5.12](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.11...v0.5.12) (2023-10-19)
+
+
+### Bug Fixes
+
+* **element:** Add an application service for the intercom-service ([1a4eced](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1a4eced998998faa7ac862b8c409bbd743b16ec0))
+* **element:** Add the Matrix NeoBoard Widget deployment ([5afd233](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5afd2339c20a0be41078ae4c3ce703c62f332557))
+* **element:** Add the Matrix NeoChoice Widget deployment ([7756d35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7756d35fa156b36ed50ba8f837273db56323f45f))
+* **element:** Add the Matrix NeoDateFix Bot deployment ([785989e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/785989e91df5547ab5ac60914b82bc99c4f1a790))
+* **element:** Add the Matrix NeoDateFix Widget deployment ([27b6796](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/27b6796639f37dbd6c26f21fd54502153398aed0))
+* **element:** Add the Matrix User Verification Service deployment ([30405d1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/30405d182d44a5586a4070738dfbe1c141841d19))
+* **element:** Upgrade Element to v1.11.46 ([82a037e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/82a037ec7c25baf41bd0542c3ded47402adc2844))
+* **element:** Upgrade the opendesk-element charts to 2.3.0 ([fd9e04d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fd9e04d9922b949d0f213016169a9024a66a1ded))
+* **element:** Upgrade the opendesk-matrix-widgets charts to 2.3.0 ([cbe5141](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cbe514176a4d86d166db248d7297d215409016d2))
+* **element:** Use a separate image configuration for the bootstrap tasks ([7f7c364](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7f7c364071072b01d485d3e248a3f8de49a07309))
+* **intercom-service:** Allow access from the non-istio domain and reference to the correct synapse hostname ([16f2ac4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16f2ac464eb7267f1c4d87c3ccaca2c91a7ecc1b))
+* **intercom-service:** Fix the nordeck configuration ([06dcdd7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/06dcdd78afe0e6514c1f30d24924d3e7077ae6da))
+* **jitsi:** Use template for the cluster networking domain ([0898d96](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0898d9657145d66fd4c52fe6036c955ad58a0cfe))
+* **keycloak:** Use the correct backchannel logout configuration for element ([86657b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/86657b139a6d8f4ff3f921b8755e04cb790c3786))
+* **open-xchange:** Enable Element calendar integration ([f564efd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f564efd97f8db39cffaea317e36db3825fc9121e))
+
+## [0.5.11](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.10...v0.5.11) (2023-10-11)
+
+
+### Bug Fixes
+
+* **helmfile:** Quote all password template strings ([fb7dba7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fb7dba787c232c402aa9c989c0e8ace51869d534))
+* **services:** Add memcached service ([72e3afd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/72e3afdffdeb6f88f8e926426dbc26adf4b54e7a))
+
+## [0.5.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.9...v0.5.10) (2023-10-11)
+
+
+### Bug Fixes
+
+* **intercom-service:** Update intercom-service chart to v2.0.0 ([c3129f1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c3129f14437728be890187bb7c4a1bfc42d90958))
+
+## [0.5.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.8...v0.5.9) (2023-10-10)
+
+
+### Bug Fixes
+
+* **element:** Enable the guest module in Synapse ([da1bf35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/da1bf3581c5790786601948cabcef8a1d1c680ad))
+
+## [0.5.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.7...v0.5.8) (2023-10-10)
+
+
+### Bug Fixes
+
+* **helmfile:** Add default port for SMTP in environment ([74f9ec2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74f9ec28e401f7caeefc4e50ac0a7e95fea41a53))
+
+## [0.5.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.6...v0.5.7) (2023-10-09)
+
+
+### Bug Fixes
+
+* **openproject:** Mail sender address ([711d29e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/711d29e374d13a3c8b7bcdf3e8440d03e0ef2b7d))
+
+## [0.5.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.5...v0.5.6) (2023-10-09)
+
+
+### Bug Fixes
+
+* **helmfile:** Use signed bitnami charts from openDesk Mirror Builds ([70744d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/70744d04c66f32d65dc968c8570ed7a397f4efcc))
+* **services:** Bump redis chart to 18.1.2 ([d4c751d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d4c751d29f15c718957f6bc388a99347e2923c87))
+
+## [0.5.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.4...v0.5.5) (2023-10-09)
+
+
+### Bug Fixes
+
+* **openproject:** Switch image to fix central navigation; set email sender address ([e42feb4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e42feb4c260fc24692bc2742c97754230f8e2857))
+
+## [0.5.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.3...v0.5.4) (2023-10-02)
+
+
+### Bug Fixes
+
+* **helmfile:** Add third environment (test) ([7dbcbfe](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7dbcbfe7237b365cf53f4c850b149e8b95149901))
+
+## [0.5.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.2...v0.5.3) (2023-09-28)
+
+
+### Bug Fixes
+
+* **open-xchange:** Rollback MariaDB version to fix OX Guard initialization ([e33acd3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e33acd33e79740144e8fe318fe34dc705834ddf3))
+
+## [0.5.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.1...v0.5.2) (2023-09-28)
+
+
+### Bug Fixes
+
+* **ci:** Add Gitlab-CI sledgehammer deployment removal ([6fd655a](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6fd655a0b1afd40303ac11130692202146bab215))
+
+## [0.5.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.0...v0.5.1) (2023-09-28)
+
+
+### Bug Fixes
+
+* **docs:** Add 'Helm Chart Trust Chain' section ([b6b4972](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b6b4972a5dd426bcc8fa00137d7e7b60056376c8))
+* **docs:** Highlight that Helmfile >= 0.157.0 is required ([d86f516](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d86f516747323d117f620658c4368408926c507a))
+* **element:** Use OCI registry and verify chart signatures ([a41b9a6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a41b9a699c79bf90163bbb3c233c805b8d0a999e))
+* **helmfile:** Add cleanup flag for job resources ([0f01b94](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f01b94aa19b40b4774ba11d9886fe6f12090e73))
+* **helmfile:** Create directory for gpg pubkeys ([4c5731e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4c5731e6bb057cb272f660b4df0369b67709c203))
+* **intercom-service:** Use OCI registry and verify chart signatures ([74b3d41](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74b3d41381474efd2fbc5a9f3a0f1c0713811106))
+* **jitsi:** Verify chart signatures ([1dd6582](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1dd6582ec7d742250ba08f69eba9a4679984b1ae))
+* **keycloak-bootstrap:** Use OCI registry and verify chart signatures ([ca5d5f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ca5d5f82800ea6d7ecfa38eb2b5d8b85e709bb9f))
+* **keycloak:** Use OCI registry and verify chart signatures ([095059c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/095059c7e53bbe8a874773f574cc6794ef8af6e4))
+* **nextcloud:** Use OCI registry and verify chart signatures ([41dfdc0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41dfdc0c8f83e3d79fa5a763ac449f6edfc76676))
+* **open-xchange:** Use OCI registry and verify chart signatures ([2d5d370](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2d5d3708f7f45600961c22ce11e750561de1fd27))
+* **open-xchange:** Use renamed istio gateway ([65d2642](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/65d2642d34c1c21a00a29278f7e1143f7fabb2aa))
+* **openproject:** Use OCI registry and verify chart signatures ([5343840](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5343840bed01992b3132eace362f91588c705a98))
+* **services:** Add wildcard certifcate request support ([15ad8ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15ad8ca7ab34b079252f7b69219ede81ad43aa1c))
+* **services:** Bump opendesk-certificates to 2.1.0 ([4372f06](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4372f063e0a27d5156da963d44d3ed4e72490fc4))
+* **services:** Only create istio gateway with webmail domain ([6a39011](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6a390112dab11afaca06118a0ca7a18afe633a30))
+* **services:** Use OCI registry for all services and add gpg verify mechanism ([892920b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/892920b0487b41a35b5a96596c61101827e8dd6d))
+* **univention-corporate-container:** Use OCI registry and verify chart signatures ([424317e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/424317ed585f7bd5036259d7e3d77d081d2aec1b))
+
+# [0.5.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.9...v0.5.0) (2023-09-27)
+
+
+### Bug Fixes
+
+* **element:** Move the static configuration into the values.yaml ([f22619b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f22619bd8ef11cb43147ef19dcff2c02d9fe0503))
+* **element:** Specify resources for the guest module init container ([275798c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/275798c1d6aa47ef33fbb0da3bb03a86d3e4b0ee))
+
+
+### Features
+
+* **element:** Activate the guest module ([5ad25ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5ad25acafd54d19dd2ed330b19f7860aff5d49f4))
+
+## [0.4.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.8...v0.4.9) (2023-09-27)
+
+
+### Bug Fixes
+
+* **nextcloud:** Bump Helm chart to add app "groupfolders" ([62b767e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/62b767ef38c8eae2874b20a9aa51e85d2a3fe5a3))
+
+## [0.4.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.7...v0.4.8) (2023-09-26)
+
+
+### Bug Fixes
+
+* **openproject:** Digest rollback ([9acce08](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9acce081397c06426820b61f39c9aa0dcc1234a5))
+
+## [0.4.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.6...v0.4.7) (2023-09-26)
+
+
+### Bug Fixes
+
+* **helmfile:** Add timeout for database services ([98ec02f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/98ec02f230f1691eb8c17d8d3552fceda329bf7c))
+* **openproject:** Image digest ([b340373](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b340373133ad973cfd6a3632adc9a74a23419cc7))
+
+## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)
+
+
+### Bug Fixes
+
+* **openproject:** Use renamed registry open_desk ([a37faf3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a37faf3b5769aea9944ffa7626096c16296dcc85))
+
+## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26)
+
+
+### Bug Fixes
+
+* **helmfile:** Streamline timeouts ([2703615](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2703615dffb2ba5c70704a4f08bb0485629218f3))
+
+## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25)
+
+
+### Bug Fixes
+
+* **open-xchange:** Updates for mail templates and mail export ([ae3d0da](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ae3d0daa117d3d0ff307f379590394914a757546))
+
+## [0.4.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.2...v0.4.3) (2023-09-25)
+
+
+### Bug Fixes
+
+* **nextcloud:** Update image to 27.1.1 ([ce7e5f6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ce7e5f670a4dbc980eb8be73e5f7d15b27e8b1de))
+
+## [0.4.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.1...v0.4.2) (2023-09-21)
+
+
+### Bug Fixes
+
+* **nextcloud:** Add Nextcloud app for OpenProject integration; Bump Collabora Image ([f46c8a9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f46c8a9a5f4f9778cb171d65e9a0280e4ce61c16))
+
+## [0.4.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.0...v0.4.1) (2023-09-19)
+
+
+### Bug Fixes
+
+* **univention-management-stack:** Remove doublette triple dashes in helmfile.yaml ([41b9afb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41b9afb3648a0e1fddc5aa4337cc1501756b370c))
+
+# [0.4.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.2...v0.4.0) (2023-09-18)
+
+
+### Features
+
+* **ci:** Optionally trigger E2E tests of the SouvAP Dev team ([a99c088](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a99c088361b95b2bb7ee2b161e3a254f02bcd9ae))
+
+## [0.3.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.1...v0.3.2) (2023-09-14)
+
+
+### Bug Fixes
+
+* **helmfile:** Fix linter issues ([1514678](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1514678db00d32c1463d8fc496c0e6d1c2a2df96))
+* **univention-management-stack:** Add "commonLabels" into helmfile ([16c08f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16c08f82c9b4934567bb3b9c7fccab754bfad494))
+* **univention-management-stack:** Add Helm charts ([a74d662](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a74d66240423fd5ba87854cc2b71132f11271ec7))
+* **univention-management-stack:** Add switch "univentionManagementStack.enabled" ([471a2fa](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/471a2fa26205b8ca3afb5eeeb4524897a57f5c20))
+* **univention-management-stack:** Adjust Ingress configuration for portal-server ([13bcd78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/13bcd785e8f7db22d20903020e0cdd28094309a9))
+* **univention-management-stack:** Adjust Ingress configuration for umc ([320da3b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/320da3bec3a49d974765e567878d5c2f2b4e93ef))
+* **univention-management-stack:** Adjust Ingress configuration of notifications-api ([5e1a7b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5e1a7b19e278147d010c48dac2da111f828dd115))
+* **univention-management-stack:** Adjust ingress configuration of the portal-frontend ([c54bab1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c54bab165bf81854471d790200781b4181eba22a))
+* **univention-management-stack:** Adjust Ingress configuration of udm-rest-api ([c61b1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c61b1b828150caa8d2fe1a5b9f0a862b2fbef4f1))
+* **univention-management-stack:** Adjust Ingress conifguration of store-dav ([96097e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/96097e470483a5251acd81eb772da70ad7f55137))
+* **univention-management-stack:** Configure cookie banner data ([12c931f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/12c931fcff5536116af11df1c9c0468429949fe2))
+* **univention-management-stack:** Define resource requests and limits ([2f8a298](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2f8a2989250ea0f3b50dd3417f214a8864fe62d0))
+* **univention-management-stack:** Disable istio for the stack ([4835a2b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4835a2beec408ec6267177f82257edd9ccb0d937))
+* **univention-management-stack:** Prepare persistence configuration ([7ab1cb5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ab1cb5c7e7bca85394eae2ed17141e513dd5a42))
+* **univention-management-stack:** Process bases before releases ([ec3f1d9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ec3f1d96ac17cf1fb9d34ab692240460d5bd4ba1))
+* **univention-management-stack:** Set externalDomainName for bootstrapping the stack ([0ba71f2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ba71f2749eaf51b09429a5f3c705bd0075c1efa))
+* **univention-management-stack:** Split templated from static values ([09079a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/09079a13031be7894a34bf92945bd25a040c2290))
+* **univention-management-stack:** Split values into templated and static ([d3c4390](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d3c439038a2551ec90324ab8659d24b65b223d4f))
+* **univention-management-stack:** Update portal-listener to leverage dependency waiting ([c840608](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c84060811229bb131bcd473a9e4668dfa73f97d7))
+* **univention-management-stack:** Use global secrets to fill initialPasswordAdministrator ([a4bab40](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a4bab4068dc298056ed864e60a244d49a2934c8b))
+* **univention-management-stack:** Use global secrets to populate ldap related secrets ([9409ad8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9409ad829a725c84ebc3de5d1c4d42fe735e9d0c))
+* **univention-management-stack:** Use global secrets to set store-dav related passwords ([90019e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/90019e3ef6de5e4ed1742ee9ddc3bbb256cd3dec))
+* **univention-management-stack:** Use ldap base DN "dc=swp-ldap,dc=internal" ([77e362f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/77e362f6bc053c5d456bf65649f15130ce53547c))
+* **univention-management-stack:** Use postgresql service for notifications-api ([fe0e0cd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fe0e0cdce4622352afbf74875adcae8324d769a3))
+* **univention-management-stack:** Use the prefix "ums-" for all releases ([edb25bd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/edb25bd7655beeefa73a62fb9a8c85e076c4cc2f))
+* **univention-management-stack:** Use the value "global.imagePullPolicy" ([15db5dc](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15db5dcbba33c39f752499f2d73c77cac32d1e8c))
+
+## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)
+
+
+### Bug Fixes
+
+* **collabora:** Update Ingress annotations and set securityContext ([b5583ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b5583caec10c24e3bfb312edcb2800e6a60a9b10))
+* **element:** Improve default container security settings ([882f1fb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/882f1fbc93ceb4ac33683d445e100e445798b202))
+* **element:** Update opendesk element version to 2.0.1 ([d725b93](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d725b937989987ffacf87d7a9ee05803dcdd4c93))
+* **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e120f5fb9a91b80ba71ce78eace99852b4da5fda))
+* **helmfile:** Update images and use a tag and digest together ([c7fc187](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c7fc187f14b78cdcc698abbbaec1ba0bbfc718a1))
+* **services:** Explicitly set securityContexts ([a799db0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a799db03c4115ba69303be1c265f7aefef95d659))
+* **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e1070eeb0602523c240a91dae1b0869a7cc42a78))
+
+# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)
+
+
+### Features
+
+* **ci:** Selective tests ([d2e7ac9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d2e7ac93481249e9eb7e5e1a41a6c6e333abe2dc))
+
+## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
+
+
+### Bug Fixes
+
+* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
+* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
+* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
+* **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ed7e5e428e5d9213a92f97dc03d72fa3e04334c2))
+* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
+* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
+* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
+* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
+* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
+
+## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
+
+
+### Bug Fixes
+
+* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
+* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
+* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
+* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
+* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
+* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
+* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
+* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
+
+## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
+
+
+### Bug Fixes
+
+* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e5ef639c22aad93fd2d0eb75f7a1ffc00d6cc9a))
+* **docs:** Add security part in README ([ff462ab](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ff462ab0dc2252cc7b517874f5337427b8d19053))
+* **docs:** Update scaling docs ([63a1e25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/63a1e2568e8c5ff62081c6e6594d2019c1aa4b74))
+* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c5ab1b81fecbce46788c50b282ed6d1770124fa5))
+* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4f2a8aeee4ee6c3d27b1c8a99bad14f603486be5))
+* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e68f7f28c937319d93f8afe1dbb302012f77233))
+* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cef11acbae28510809f9bfa13224dc3a6996207f))
+* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41d40c9b731b866da2666fa4ffa8cb6493737112))
+* **services:** Enable security context and use default increased security settings ([9a6d240](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9a6d2409a697f7e9811a0f4f8d31bb18bac1b926))
+* **services:** Fix image registry templates for postfix ([6321ff5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6321ff50a00203abbfb7f5822e67a3c0e00d4b01))
+* **services:** Replace image digest by tag ([f758293](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f7582932412f13b1a087d40459e97cf633b1a97e))
+* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5fbf86b6bc7b63c81b3ac07c5e0fa8cd464fdad1))
+* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9d7866480cee889fd3b3003b2eea313a6ed73344))
+
+## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)
+
+
+### Bug Fixes
+
+* **open-xchange:** Update images and Helm chart ([39565c7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/39565c7cfd89a8d1c2e645e3ecea28fba703ccc1))
+
+## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)
+
+
+### Bug Fixes
+
+* **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/387bd8715c5a1cf54733c6642cf57c6ef9a44316))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.4...v0.2.5) (2023-08-30)
+
+
+### Bug Fixes
+
+* **xwiki:** Theming and language of central navigation ([3d4d45f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3d4d45f7114e6e3bc353b8d6c5fdbcac4cb2460f))
+
+## [0.2.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.3...v0.2.4) (2023-08-29)
+
+
+### Bug Fixes
+
+* **element:** Apply the global theme to Element ([7f7eae8](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7f7eae8f99a6d8ad8085ad99c63af27b858ff9b7))
+
+## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29)
+
+
+### Bug Fixes
+
+* **ci:** Add central branding information ([a14c42f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/a14c42f6ed2e3d8e12af5d04cae1a4bb1336fb3d))
+
+## [0.2.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.1...v0.2.2) (2023-08-16)
+
+
+### Bug Fixes
+
+* **jitsi:** Allow configuration of LoadBalancer status field for patchJVB job ([7491582](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7491582c28c21e83a0bc6349fb68045472146aad))
+* **open-xchange:** Explicitly disable core-ui-middleware ingress ([06dc7a1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/06dc7a115d36841f1109f9e75aac844d934c2f4c))
+
+## [0.2.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.0...v0.2.1) (2023-08-16)
+
+
+### Bug Fixes
+
+* **keycloak:** Increase proxy-buffer-size for ingress-nginx ([d8adcc4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/d8adcc463adc8bec5a793a97977dddd89d7363cc))
+
+# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)
+
+
+### Bug Fixes
+
+* **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/4c21fd228654520bb71d56dc1bda96332334002b))
+
+
+### Features
+
+* **helmfile:** Implement private image/chart registry variables ([5788323](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/57883236219811d2a5fc422649b4f9b042a0ac22))
+
+## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15)
+
+
+### Bug Fixes
+
+* **jitsi:** Update support for NodePort setups with different ingress/egress ips ([de25789](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/de257893d4ff2b3e8ea1d6988c6bdde5ed1eae9a))
+
+## [0.1.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.0...v0.1.1) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support ([53796da](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53796dae660463207a460b387b6f3dd23ce20cd0))
+* **open-xchange:** Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1 ([390f2de](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/390f2dee5226b83855a6cca8bf1c0d0f5647ee34))
+
+# [0.1.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.6...v0.1.0) (2023-08-14)
+
+
+### Bug Fixes
+
+* **docs:** Typo ([ee684a7](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/ee684a78910ce721ea834e9ec2f4222ed37572c6))
+
+
+### Features
+
+* **element:** Add element component ([5f0ca92](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/5f0ca92a058e51a27aa56e35ebcf2048bad88671))
+
+## [0.0.6](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.5...v0.0.6) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Functional mailboxes auth settings update in AppSuite and Dovecot ([53948ea](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53948eae7648cc9785d2b8a813fc7e40b36aa3aa))
+
+## [0.0.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.4...v0.0.5) (2023-08-11)
+
+
+### Bug Fixes
+
+* **keycloak:** Improve digest image pinning ([b8a8932](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/b8a8932221ae4d6632c7d1f4a85f46fea01a92e7))
+
+## [0.0.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.3...v0.0.4) (2023-08-11)
+
+
+### Bug Fixes
+
+* **jitsi:** Fix identifiers in resources ([3a0b246](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3a0b246f83dc6a3ff19973959b3cf3c243c39025))
+
+## [0.0.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.2...v0.0.3) (2023-08-10)
+
+
+### Bug Fixes
+
+* **keycloak:** Keycloak extensions sha256 image pinning, includes fix for failing keycloak extension handler on unavailable SMTP relay. ([27ce715](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/27ce71554d5f495731d90632a56e134762b95a25))
+
 ## [0.0.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.1...v0.0.2) (2023-08-10)
 
 
@@ -44,3 +601,8 @@
 * **open-xchange:** OX AppSuite 8 within SWP is now publicly available ([6dc470f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/6dc470fd67edbb9711e406acb067569ca357b989))
 * **services:** Add clamav-simple deployment ([505f25c](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/505f25c5493ebb9e0181233ed5b7d8018e3a315d))
 * **sovereign-workplace:** Initial commit ([533c504](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/533c5040faebd91f4012b604d0f4779ea1510424))
+
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->

COMPONENTS-FUNCTIONAL.md

@@ -17,7 +17,7 @@ Functional components are the core of the SWP as they provide it's rich function
 
 ## File & Share - Nextcloud
 
-## Kollaboration - dOnlineZusammenarbeit 2.0
+## Kollaboration - Element
 
 ## Videokonferenzen - Jitsi
 
@@ -25,4 +25,4 @@ Functional components are the core of the SWP as they provide it's rich function
 
 ## Project Management - OpenProject
 
-## IAM - Univention Corporate Services
+## Portal & IAM - Univention Corporate Services

COMPONENTS-SERVICE.md

@@ -42,7 +42,7 @@ This service is used by:
 
 ## TURN Server
 
-- dOZ 2.0
+This services is used by:
 - Jitsi
 
 ## NFS

CONTRIBUTING.md

@@ -9,17 +9,17 @@ Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/b
 
 # How to contribute?
 
-When providing contributes to this project, please adhere to the standards and conventions described in further down in this document. Doing so please feel free to create merge requests.
+When providing contributes to this project, please adhere to the standards and conventions described further down in this document. Doing so please feel free to create merge requests.
 
 # Standards and conventions
 
 ## Branching
 
-We use of [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
+We use [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
 
 ## Verified commits
 
-We only allow verify commits:
+We only allow verified commits:
 - https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/
 - https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/
 - https://docs.gitlab.com/ee/user/project/repository/x509_signed_commits/
@@ -80,7 +80,7 @@ Due to DVS requirements:
 - we should avoid stand alone Manifests.
 - we do not use Operators and CRDs.
 
-In order to align the Helm files from various sources into an unified deployment of the SWP we make use of to [Helmfile](https://github.com/helmfile/helmfile).
+In order to align the Helm files from various sources into an unified deployment of the SWP we make use of [Helmfile](https://github.com/helmfile/helmfile).
 
 ## Tooling
 

README.md

@@ -6,14 +6,20 @@ SPDX-License-Identifier: Apache-2.0
 
 [[_TOC_]]
 
-# Disclaimer August 2023
+# Disclaimer
 
-The current state of the Sovereign Workplace misses the component
-_Element Starter Edition_ because it is not generally available yet.
+openDesk will face breaking changes in the near future without upgrade paths.
 
-Also does the Sovereign Workplace contain components that are going to be
-replaced. Like for example the UCS dev container monolith will be substituted by
-multiple Univention Management Stack containers.
+While most components support upgrades, major configuration or component changes
+may occur, therefore we recommend always installing from scratch.
+
+Components that are going to be replaced soon are:
+- The UCS dev container monolith will be substituted by multiple Univention
+Management Stack containers,
+- the Nextcloud community container is going to be replaced by an openDesk
+specific Nextcloud distroless container and
+- Dovecot Community is going to be replaced by a Dovecot container tailored for the
+needs of the public sector.
 
 In the next months we not only expect upstream updates of the functional
 components within their feature scope, but we are also going to address
@@ -22,8 +28,6 @@ operational issues like monitoring and network policies.
 Of course, further development also includes enhancing the documentation.
 
 The first release of the Sovereign Workplace is scheduled for December 2023.
-Before that release there will be breaking changes in the deployment.
-
 
 # The Sovereign Workplace (SWP)
 
@@ -48,6 +52,15 @@ repository please use the [issues within this project](https://gitlab.opencode.d
 If you want to address other topics, please check the section
 ["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 
+# Releases
+
+All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
+
+Gitlab provides an [overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases) of this project.
+
+The following release artefacts are provided beside the default source code assets:
+- `chart-index.json`: An overview of all Helm charts used by the release.
+- `image-index.json`: An overview of all container images used by the release.
 # Deployment
 
 **Note for project members:** You can use the project's `dev` K8s cluster to set
@@ -60,15 +73,15 @@ up your own instance for development purposes. Please see the project
 
 These are the requirements of the Sovereign Workplace deployment:
 
-- Vanilla K8s cluster
+- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
 - Ingress controller (supported are nginx-ingress, ingress-nginx, HAProxy)
-- [Helm](https://helm.sh/), [HelmFile](https://helmfile.readthedocs.io/en/latest/) and
-[HelmDiff](https://github.com/databus23/helm-diff)
+- [Helm](https://helm.sh/) >= v3.9.0
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
+- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
-- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are
-working with Open-Xchange to get rid of this dependency.
+- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
 
 #### TLS Certificate
 
@@ -86,8 +99,6 @@ installation.
 | `DOMAIN`            | `souvap.cloud`        | External reachable domain                         |
 | `ISTIO_DOMAIN`      | `istio.souvap.cloud`  | External reachable domain for Istio Gateway       |
 | `MASTER_PASSWORD`   | `sovereign-workplace` | The password that seeds the autogenerated secrets |
-| `SMTP_PASSWORD`     |                       | Password for SMTP relay gateway                   |
-| `TURN_CREDENTIALS`  |                       | Credentials for coturn server                     |
 
 Please ensure that you set the DNS records pointing to the loadbalancer/IP for
 `DOMAIN` and `ISTIO_DOMAIN`.
@@ -152,6 +163,22 @@ and wait a little. After the deployment is finished some bootstrapping is
 executed which might take some more minutes before you can log in your new
 instance.
 
+Deployments can be removed with:
+
+```shell
+helmfile destroy -n <NAMESPACE>
+```
+
+## Offline deployment
+
+Before executing a [local deployment](#local-deployment), you can set following
+environment variables to use your own container image and helm chart registry:
+
+| name                         | description                    |
+|------------------------------|--------------------------------|
+| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
+| PRIVATE_IMAGE_REGISTRY_URL   | Your image registry url        |
+
 ## Logging in
 
 When successfully deployed the SWP, all K8s jobs from the deployment should be
@@ -183,26 +210,30 @@ for development and evaluation purposes only - they need to be replaced in
 production deployments. These components are grouped together in the
 subdirectory `/helmfile/apps/services`.
 
-| Component                   | Name                                | Default | Description                  | Type       |
-|-----------------------------|-------------------------------------|---------|------------------------------|------------|
-| Certificates                | `certificates.enabled`              | `true`  | TLS certificates             | Eval       |
-| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine             | Eval       |
-| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine             | Eval       |
-| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                    | Functional |
-| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                 | Functional |
-| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange  | Functional |
-| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing            | Functional |
-| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider            | Functional |
-| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                     | Eval       |
-| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                   | Functional |
-| OpenProject                 | `openproject.enabled`               | `true`  | Project management           | Functional |
-| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                    | Functional |
-| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning         | Functional |
-| Postfix                     | `postfix.enabled`                   | `true`  | MTA                          | Eval       |
-| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                     | Eval       |
-| Redis                       | `redis.enabled`                     | `true`  | Cache Database               | Eval       |
-| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal | Functional |
-| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                | Functional |
+| Component                   | Name                                | Default | Description                    | Type       |
+|-----------------------------|-------------------------------------|---------|--------------------------------|------------|
+| Certificates                | `certificates.enabled`              | `true`  | TLS certificates               | Eval       |
+| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
+| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
+| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
+| CryptPad                    | `cryptpad.enabled`                  | `true`  | Weboffice                      | Functional |
+| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
+| Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
+| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
+| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing              | Functional |
+| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
+| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       | Eval       |
+| Memcached                   | `memcached.enabled`                 | `true`  | Cache Database                 | Eval       |
+| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                     | Functional |
+| OpenProject                 | `openproject.enabled`               | `true`  | Project management             | Functional |
+| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                      | Functional |
+| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning           | Functional |
+| Postfix                     | `postfix.enabled`                   | `true`  | MTA                            | Eval       |
+| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                       | Eval       |
+| Redis                       | `redis.enabled`                     | `true`  | Cache Database                 | Eval       |
+| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal   | Functional |
+| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal   | Eval       |
+| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                  | Functional |
 
 
 #### Cluster capabilities
@@ -216,11 +247,17 @@ subdirectory `/helmfile/apps/services`.
 
 #### Databases
 
-In case you don't got for a develop or evaluation environment you want to point
-the application to your own database instances.
+When deploying this suite to production, you need to configure the applications to use your production grade database
+service.
 
 | Component   | Name               | Type       | Parameter | Key                                    | Default                    |
 |-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
+| Element     | Synapse            | PostgreSQL |           |                                        |                            |
+|             |                    |            | Name      | `databases.synapse.name`               | `matrix`                   |
+|             |                    |            | Host      | `databases.synapse.host`               | `postgresql`               |
+|             |                    |            | Port      | `databases.synapse.port`               | `5432`                     |
+|             |                    |            | Username  | `databases.synapse.username`           | `matrix_user`              |
+|             |                    |            | Password  | `databases.synapse.password`           |                            |
 | Keycloak    | Keycloak           | PostgreSQL |           |                                        |                            |
 |             |                    |            | Name      | `databases.keycloak.name`              | `keycloak`                 |
 |             |                    |            | Host      | `databases.keycloak.host`              | `postgresql`               |
@@ -255,29 +292,153 @@ the application to your own database instances.
 |             |                    |            | Username  | `databases.xwiki.username`             | `xwiki_user`               |
 |             |                    |            | Password  | `databases.xwiki.password`             |                            |
 
+#### Cache
+
+When deploying this suite to production, you need to configure the applications to use your production grade cache
+service.
+
+| Component        | Name             | Type      | Parameter | Key                          | Default          |
+|------------------|------------------|-----------|-----------|------------------------------|------------------|
+| Intercom Service | Intercom Service | Redis     |           |                              |                  |
+|                  |                  |           | Host      | `cache.intercomService.host` | `redis-headless` |
+|                  |                  |           | Port      | `cache.intercomService.port` | `6379`           |
+| Nextcloud        | Nextcloud        | Redis     |           |                              |                  |
+|                  |                  |           | Host      | `cache.nextcloud.host`       | `redis-headless` |
+|                  |                  |           | Port      | `cache.nextcloud.port`       | `6379`           |
+| OpenProject      | OpenProject      | Memcached |           |                              |                  |
+|                  |                  |           | Host      | `cache.openproject.host`     | `memcached`      |
+|                  |                  |           | Port      | `cache.openproject.port`     | `11211`          |
+
+
 ### Scaling
 
 The Replicas of components can be increased, while we still have to look in the
-actual scalability of the components (see column `Scales at least to 2`).
+actual scalability of the components (see column `Scaling (verified)`).
 
-| Component   | Name                   | Default | Service            | Scaling            | Scales at least to 2 |
-|-------------|------------------------|---------|--------------------|--------------------|----------------------|
-| ClamAV      | `replicas.clamav`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.clamd`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.freshclam`   | `1`     | :white_check_mark: | :x:                | not tested           |
-|             | `replicas.icap`        | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
-| Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | tested               |
-| Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Postfix     | `replicas.postfix`     | `1`     | :white_check_mark: | :x:                | not tested           |
-| XWiki       | `replicas.xwiki`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Component   | Name                   | Scaling (effective) | Scaling (verified) |
+|-------------|------------------------|:-------------------:|:------------------:|
+| ClamAV      | `replicas.clamav`      | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.clamd`       | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.freshclam`   |         :x:         |        :x:         |
+|             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
+| Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
+| CryptPad    | `replicas.cryptpad`    | :white_check_mark:  |       :gear:       |
+| Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
+| Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.synapse`     |         :x:         |       :gear:       |
+|             | `replicas.synapseWeb`  | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.wellKnown`   | :white_check_mark:  | :white_check_mark: |
+| Jitsi       | `replicas.jibri`       | :white_check_mark:  |       :gear:       |
+|             | `replicas.jicofo`      | :white_check_mark:  |       :gear:       |
+|             | `replicas.jitsi `      | :white_check_mark:  |       :gear:       |
+|             | `replicas.jvb `        |         :x:         |        :x:         |
+| Keycloak    | `replicas.keycloak`    | :white_check_mark:  |       :gear:       |
+| Nextcloud   | `replicas.nextcloud`   | :white_check_mark:  |       :gear:       |
+| OpenProject | `replicas.openproject` | :white_check_mark:  |       :gear:       |
+| Postfix     | `replicas.postfix`     |         :x:         |       :gear:       |
+| XWiki       | `replicas.xwiki`       | :white_check_mark:  |       :gear:       |
+
+
+### Mail/SMTP configuration
+
+To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from
+the whole subdomain.
+
+```yaml
+smtp:
+  host:     # your SMTP host or IP-address
+  username: # username/email for authentication
+  password: # password for authentication, or via environment variable SMTP_PASSWORD
+```
+
+### TURN configuration
+
+Some components (Jitsi, Element) use for direct communication a TURN server.
+You can configure your own TURN server with these options:
+
+```yaml
+turn:
+  transport:   # "udp" or "tcp"
+  credentials: # turn credential string
+  server:      # configuration for unsecure connections
+    host:      # your TURN host or IP-address
+    port:      # server port
+  tls:         # configuration for secure connections
+    host:      # your TURN host or IP-address
+    port:      # server port
+```
+
+## Security
+
+This section summarizes various aspects of security and compliance aspects.
+
+### Kubernetes Security Enforcements
+
+This list gives you an overview of default security settings and if they comply with security standards:
+
+
+| Component   | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+| ClamAV      | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|             | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|             | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|             | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| Collabora   | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
+| CryptPad    | cryptpad                 |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |  4001   |
+| Element     | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+|             | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
+|             | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+|             | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+| Jitsi       | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
+|             | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| Keycloak    | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|             | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|             | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|             | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+| MariaDB     | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Memcached   | memcached                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
+| Postfix     | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| OpenProject | openproject              |        :x:         |         :white_check_mark:         |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| PostgreSQL  | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+
+
+### Helm Chart Trust Chain
+
+Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
+`pubkey.gpg` file and are validated during helmfile installation.
+
+| Repository                           | OCI |     Verifiable     |
+|--------------------------------------|:---:|:------------------:|
+| bitnami-repo (openDesk build)        | yes | :white_check_mark: |
+| clamav-repo                          | yes | :white_check_mark: |
+| collabora-online-repo                | no  |        :x:         |
+| cryptpad-online-repo                 | no  |        :x:         |
+| intercom-service-repo                | yes | :white_check_mark: |
+| istio-resources-repo                 | yes | :white_check_mark: |
+| jitsi-repo                           | yes | :white_check_mark: |
+| keycloak-extensions-repo             | no  |        :x:         |
+| keycloak-theme-repo                  | yes | :white_check_mark: |
+| mariadb-repo                         | yes | :white_check_mark: |
+| nextcloud-repo                       | no  |        :x:         |
+| opendesk-certificates-repo           | yes | :white_check_mark: |
+| opendesk-dovecot-repo                | yes | :white_check_mark: |
+| opendesk-element-repo                | yes | :white_check_mark: |
+| opendesk-keycloak-bootstrap-repo     | yes | :white_check_mark: |
+| opendesk-nextcloud-bootstrap-repo    | yes | :white_check_mark: |
+| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
+| openproject-repo                     | no  |        :x:         |
+| openxchange-repo                     | yes |        :x:         |
+| ox-connector-repo                    | no  |        :x:         |
+| postfix-repo                         | yes | :white_check_mark: |
+| postgresql-repo                      | yes | :white_check_mark: |
+| univention-corporate-container-repo  | yes | :white_check_mark: |
+| ums-repo                             | no  |        :x:         |
+| xwiki-repo                           | no  |        :x:         |
 
 
 # Component integration
@@ -354,7 +515,7 @@ flowchart TD
     A[OX AppSuite]-->L
     D[OX Dovecot]-->L
     P[Portal/Admin]-->L
-    O[OpenProject]-->|in 2023|L
+    O[OpenProject]-->L
     X[XWiki]-->|in 2023|L
     A-->K
     N-->K
@@ -366,6 +527,7 @@ flowchart TD
     J[Jitsi]-->K
     I[IntercomService]-->K
     C[Collabora]-->N
+    R[CryptPad]-->N
     F[Postfix]-->D
 ```
 
@@ -408,18 +570,20 @@ components we are going to cover various aspects:
 
 ## Tests
 
-There is a frontend end-to-end test suite that can get triggered if the
-deployment is performed via a Gitlab pipeline.
+The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
+The `DEPLOY_`-variables are used to determine which components should be tested.
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
+that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
+`<domain of gitlab>/api/v4/projects/<id>`.
 
-Currently, the test suite is in progress to be published, so right now it is
-only usable by project members. But that will change soon, and it could be used
-to create custom tests and perform them after deployment.
+If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
+`TESTS_BRANCH` while creating a new pipeline.
 
-The deployment pipeline provides a variable named `TESTS_PROJECT_URL` that
-points to the test pipeline residing in another Gitlab repository. At the end of
-the deployment the test pipeline is triggered. Tests are just performed for
-components that have been deployed prior.
+# License
+This project uses the following license: Apache-2.0
 
+# Copyright
+Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 
 # Footnotes
 

helmfile.yaml

@@ -9,12 +9,14 @@ helmfiles:
   - path: "helmfile/apps/services/helmfile.yaml"
   - path: "helmfile/apps/keycloak/helmfile.yaml"
   - path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
+  - path: "helmfile/apps/univention-management-stack/helmfile.yaml"
   - path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
   - path: "helmfile/apps/intercom-service/helmfile.yaml"
   - path: "helmfile/apps/open-xchange/helmfile.yaml"
   - path: "helmfile/apps/nextcloud/helmfile.yaml"
   - path: "helmfile/apps/collabora/helmfile.yaml"
   - path: "helmfile/apps/jitsi/helmfile.yaml"
+  - path: "helmfile/apps/element/helmfile.yaml"
   - path: "helmfile/apps/openproject/helmfile.yaml"
   - path: "helmfile/apps/xwiki/helmfile.yaml"
   - path: "helmfile/apps/provisioning/helmfile.yaml"
@@ -27,16 +29,28 @@ missingFileHandler: "Error"
 # - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
 # - Installing a single release from app directory via helmfile apply
 # Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
+
 environments:
   default:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
   dev:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/dev/values.yaml"
+      - "helmfile/environments/dev/values.gotmpl"
+  test:
+    values:
+      - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
+      - "helmfile/environments/test/values.yaml"
+      - "helmfile/environments/test/values.gotmpl"
   prod:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/prod/values.yaml"
+      - "helmfile/environments/prod/values.gotmpl"
 ...

helmfile/apps/collabora/helmfile.yaml

@@ -1,23 +1,28 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "collabora-online"
-    url: "https://collaboraonline.github.io/online"
+  # Collabora Online
+  # Source: https://github.com/CollaboraOnline/online
+  - name: "collabora-online-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://collaboraonline.github.io/online" }}
 
 releases:
   - name: "collabora-online"
-    chart: "collabora-online/collabora-online"
+    chart: "collabora-online-repo/collabora-online"
     version: "1.0.2"
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "collabora.enabled"
+    installed: {{ .Values.collabora.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "collabora"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/collabora/values.gotmpl

@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
   tag: "{{ .Values.images.collabora.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
@@ -28,18 +29,13 @@ ingress:
 collabora:
   # Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
   username: "collabora-internal-admin"
-  password: {{ .Values.secrets.collabora.adminPassword }}
+  password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:
     - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 
-{{- if not (eq .Values.cluster.container.engine "containerd") }}
-# In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate:
-# Ref.: https://github.com/CollaboraOnline/online/issues/2800
-securityContext:
-  capabilities:
-    add:
-      - "MKNOD"
-{{- end }}
 
 replicaCount: {{ .Values.replicas.collabora }}
+
+resources:
+  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 ...

helmfile/apps/collabora/values.yaml

@@ -14,19 +14,74 @@ collabora:
 
 ingress:
   annotations:
-    # nginx
+    # Ingress NGINX
     nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/server-snippet: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
+    # NGINX
+    nginx.org/websocket-services: "collabora"
+    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
+    nginx.org/proxy-read-timeout: "600"
+    nginx.org/proxy-send-timeout: "600"
+    nginx.org/client-max-body-size: "0"
+    nginx.org/server-snippets: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
     # HAProxy
     haproxy.org/timeout-tunnel: "3600s"
     haproxy.org/backend-config-snippet: |
-     mode http
-      balance leastconn
-      stick-table type string len 2048 size 1k store conn_cur
-      http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
-      http-request track-sc1 url_param(WOPISrc)
-      stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
-      stick store-request url_param(WOPISrc)
-
+       balance url_param WOPISrc check_post
+       hash-type consistent
+    # HAProxy - Community: https://haproxy-ingress.github.io/
+    haproxy-ingress.github.io/timeout-tunnel: "3600s"
+    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
+    haproxy-ingress.github.io/config-backend: |
+      hash-type consistent
+      # block admin urls from outside
+      acl admin_url path_beg /cool/getMetrics
+      acl admin_url path_beg /cool/adminws/
+      acl admin_url path_beg /browser/dist/admin/admin.html
+      http-request deny if admin_url
 autoscaling:
   enabled: false
+
+serviceAccount:
+  create: true
+
+securityContext:
+  allowPrivilegeEscalation: true
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+      - "MKNOD"
+
+podSecurityContext:
+  fsGroup: 100
 ...

helmfile/apps/cryptpad/helmfile.yaml

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+---
+repositories:
+  # CryptPad
+  # Source: https://github.com/cryptpad/helm
+  - name: "cryptpad-online-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://cryptpad.github.io/helm" }}
+
+releases:
+  - name: "cryptpad"
+    chart: "cryptpad-online-repo/cryptpad"
+    version: "0.0.13"
+    values:
+      - "values.yaml"
+      - "values.gotmpl"
+    installed: {{ .Values.cryptpad.enabled }}
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "cryptpad"
+...

helmfile/apps/cryptpad/values.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
+  tag: {{ .Values.images.cryptpad.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/"
+          pathType: "ImplementationSpecific"
+  tls:
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
+      hosts:
+        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+...

helmfile/apps/cryptpad/values.yaml

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
+
+# Disable registration and access to unregistered users:
+# (https://docs.cryptpad.org/en/admin_guide/customization.html#application-config)
+
+application_config:
+  availablePadTypes:
+    - "diagram"
+
+# Deactivating public access breaks nextcloud plugin!
+#  registeredOnlyTypes:
+#    - "diagram"
+
+autoscaling:
+  enabled: false
+
+enableEmbedding: true
+
+fullnameOverride: "cryptpad"
+
+persistence:
+  enabled: false
+
+podSecurityContext:
+  fsGroup: 4001
+
+securityContext:
+  seccompProfile:
+    type: "RuntimeDefault"
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+serviceAccount:
+  create: true
+
+workloadStateful: false
+...

helmfile/apps/element/helmfile.yaml

@@ -0,0 +1,136 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+---
+repositories:
+  # openDesk Element
+  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
+  - name: "opendesk-element-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+
+  # openDesk Matrix Widgets
+  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets
+  - name: "opendesk-matrix-widgets-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+
+releases:
+  - name: "opendesk-element"
+    chart: "opendesk-element-repo/opendesk-element"
+    version: "2.5.0"
+    values:
+      - "values-element.yaml"
+      - "values-element.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-well-known"
+    chart: "opendesk-element-repo/opendesk-well-known"
+    version: "2.5.0"
+    values:
+      - "values-well-known.yaml"
+      - "values-well-known.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-synapse-web"
+    chart: "opendesk-element-repo/opendesk-synapse-web"
+    version: "2.5.0"
+    values:
+      - "values-synapse-web.yaml"
+      - "values-synapse-web.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-synapse"
+    chart: "opendesk-element-repo/opendesk-synapse"
+    version: "2.5.0"
+    values:
+      - "values-synapse.yaml"
+      - "values-synapse.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-matrix-user-verification-service-bootstrap"
+    chart: "opendesk-element-repo/opendesk-synapse-create-account"
+    version: "2.5.0"
+    values:
+      - "values-matrix-user-verification-service-bootstrap.yaml"
+      - "values-matrix-user-verification-service-bootstrap.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-matrix-user-verification-service"
+    chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
+    version: "2.5.0"
+    values:
+      - "values-matrix-user-verification-service.yaml"
+      - "values-matrix-user-verification-service.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neoboard-widget"
+    chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
+    version: "3.1.0"
+    values:
+      - "values-matrix-neoboard-widget.yaml"
+      - "values-matrix-neoboard-widget.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neochoice-widget"
+    chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
+    version: "3.1.0"
+    values:
+      - "values-matrix-neochoice-widget.yaml"
+      - "values-matrix-neochoice-widget.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neodatefix-widget"
+    chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
+    version: "3.1.0"
+    values:
+      - "values-matrix-neodatefix-widget.yaml"
+      - "values-matrix-neodatefix-widget.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neodatefix-bot-bootstrap"
+    chart: "opendesk-element-repo/opendesk-synapse-create-account"
+    version: "2.5.0"
+    values:
+      - "values-matrix-neodatefix-bot-bootstrap.yaml"
+      - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neodatefix-bot"
+    chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
+    version: "3.1.0"
+    values:
+      - "values-matrix-neodatefix-bot.yaml"
+      - "values-matrix-neodatefix-bot.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "element"
+...

helmfile/apps/element/values-element.gotmpl

@@ -0,0 +1,126 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  additionalConfiguration:
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+
+    "net.nordeck.element_web.module.opendesk":
+      config:
+        ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
+        ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
+        portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+        portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
+        custom_css_variables:
+          --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
+
+    "net.nordeck.element_web.module.widget_lifecycle":
+      widget_permissions:
+        "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/jitsi.html":
+          identity_approved: true
+        "https://{{ .Values.global.hosts.matrixNeoBoardWidget }}.{{ .Values.global.domain }}/*":
+          preload_approved: true
+          capabilities_approved:
+            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.create
+            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.create
+            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.chunk
+            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk
+            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot
+            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot
+            - org.matrix.msc2762.send.state_event:m.room.power_levels#
+            - org.matrix.msc2762.receive.state_event:m.room.power_levels#
+            - org.matrix.msc2762.receive.state_event:m.room.member
+            - org.matrix.msc2762.receive.state_event:m.room.name
+            - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard
+            - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard
+            - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard.sessions#*
+            - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard.sessions
+            - org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
+            - org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
+            - town.robin.msc3846.turn_servers
+        "https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
+          preload_approved: true
+          capabilities_approved:
+            - org.matrix.msc2762.send.event:net.nordeck.poll.vote
+            - org.matrix.msc2762.receive.event:net.nordeck.poll.vote
+            - org.matrix.msc2762.send.state_event:net.nordeck.poll
+            - org.matrix.msc2762.receive.state_event:net.nordeck.poll
+            - org.matrix.msc2762.send.state_event:net.nordeck.poll.settings
+            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.settings
+            - org.matrix.msc2762.receive.state_event:m.room.power_levels
+            - org.matrix.msc2762.receive.state_event:m.room.name
+            - org.matrix.msc2762.receive.state_event:m.room.member
+            - org.matrix.msc2762.send.state_event:net.nordeck.poll.group
+            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.group
+            - org.matrix.msc2762.send.event:net.nordeck.poll.start
+            - org.matrix.msc2762.receive.event:net.nordeck.poll.start
+        "https://{{ .Values.global.hosts.matrixNeoDateFixWidget }}.{{ .Values.global.domain }}/*":
+          preload_approved: true
+          identity_approved: true
+          capabilities_approved:
+            - org.matrix.msc2931.navigate
+            - org.matrix.msc2762.timeline:*
+            - org.matrix.msc2762.receive.state_event:m.room.power_levels
+            - org.matrix.msc2762.receive.event:m.reaction
+            - org.matrix.msc2762.receive.state_event:m.room.create
+            - org.matrix.msc2762.receive.state_event:m.room.tombstone
+            - org.matrix.msc2762.receive.state_event:m.room.member
+            - org.matrix.msc2762.send.state_event:m.room.member
+            - org.matrix.msc2762.receive.state_event:m.room.name
+            - org.matrix.msc2762.receive.state_event:m.room.topic
+            - org.matrix.msc2762.receive.state_event:m.space.parent
+            - org.matrix.msc2762.receive.state_event:m.space.child
+            - org.matrix.msc2762.receive.state_event:net.nordeck.meetings.metadata
+            - org.matrix.msc2762.receive.state_event:im.vector.modular.widgets
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.create
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.create
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.breakoutsessions.create
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.breakoutsessions.create
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.close
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.close
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.widgets.handle
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.widgets.handle
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.participants.handle
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.participants.handle
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.update
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.update
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.change.message_permissions
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.change.message_permissions
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.sub_meetings.send_message
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.sub_meetings.send_message
+            - org.matrix.msc3973.user_directory_search
+
+  welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.element.repository }}"
+  tag: "{{ .Values.images.element.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.element }}
+
+resources:
+  {{ .Values.resources.element | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-element.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-matrix-neoboard-widget.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  repository: "{{ .Values.images.matrixNeoBoardWidget.repository }}"
+  tag: "{{ .Values.images.matrixNeoBoardWidget.tag }}"
+
+ingress:
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
+
+resources:
+  {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-matrix-neoboard-widget.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-matrix-neochoice-widget.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  repository: "{{ .Values.images.matrixNeoChoiceWidget.repository }}"
+  tag: "{{ .Values.images.matrixNeoChoiceWidget.tag }}"
+
+ingress:
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
+
+resources:
+  {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-matrix-neochoice-widget.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  url: "{{ .Values.images.synapseCreateUser.repository }}"
+  tag: "{{ .Values.images.synapseCreateUser.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  username: "meetings-bot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-neodatefix-bot-account"
+...

helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl

@@ -0,0 +1,37 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  repository: "{{ .Values.images.matrixNeoDateFixBot.repository }}"
+  tag: "{{ .Values.images.matrixNeoDateFixBot.tag }}"
+
+ingress:
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+persistence:
+  size: "{{ .Values.persistence.size.matrixNeoDateFixBot }}"
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
+
+resources:
+  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml

@@ -0,0 +1,50 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  bot:
+    username: "meetings-bot"
+    displayname: "Terminplaner Bot"
+
+  strings:
+    breakoutSessionWidgetName: "Breakoutsessions"
+    calendarRoomName: "Terminplaner"
+    calendarWidgetName: "Terminplaner"
+    cockpitWidgetName: "Meeting Steuerung"
+    jitsiWidgetName: "Videokonferenz"
+    matrixNeoBoardWidgetName: "Whiteboard"
+    matrixNeoChoiceWidgetName: "Abstimmungen"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+extraEnvVars:
+  - name: "ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "matrix-neodatefix-bot-account"
+        key: "access_token"
+
+# TODO: The health endpoint does not work with the haproxy configuration, yet
+livenessProbe:
+  enabled: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+# TODO: The health endpoint does not work with the haproxy configuration, yet
+readinessProbe:
+  enabled: false
+...

helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  repository: "{{ .Values.images.matrixNeoDateFixWidget.repository }}"
+  tag: "{{ .Values.images.matrixNeoDateFixWidget.tag }}"
+
+ingress:
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
+
+resources:
+  {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-matrix-neodatefix-widget.yaml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  bot:
+    username: "meetings-bot"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+  password: {{ .Values.secrets.matrixUserVerificationService.password }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  url: "{{ .Values.images.synapseCreateUser.repository }}"
+  tag: "{{ .Values.images.synapseCreateUser.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  username: "uvs"
+  pod: "opendesk-synapse-0"
+  secretName: "opendesk-matrix-user-verification-service-account"
+...

helmfile/apps/element/values-matrix-user-verification-service.gotmpl

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  repository: "{{ .Values.images.matrixUserVerificationService.repository }}"
+  tag: "{{ .Values.images.matrixUserVerificationService.tag }}"
+
+replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
+
+resources:
+  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-matrix-user-verification-service.yaml

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  # TODO: the service can't run with read only filesystem or as non-root
+  # readOnlyRootFilesystem: true
+  # runAsGroup: 101
+  # runAsNonRoot: true
+  # runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+extraEnvVars:
+  - name: "UVS_ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "opendesk-matrix-user-verification-service-account"
+        key: "access_token"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-synapse-web.gotmpl

@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapseWeb.repository }}"
+  tag: "{{ .Values.images.synapseWeb.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.synapseWeb }}
+
+resources:
+  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-synapse-web.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-synapse.gotmpl

@@ -0,0 +1,71 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapse.repository }}"
+  tag: "{{ .Values.images.synapse.tag }}"
+
+configuration:
+  database:
+    host: "{{ .Values.databases.synapse.host }}"
+    name: "{{ .Values.databases.synapse.name }}"
+    user: "{{ .Values.databases.synapse.username }}"
+    password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
+
+  homeserver:
+    appServiceConfigs:
+      - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
+        id: intercom-service
+        namespaces:
+          users:
+            - exclusive: false
+              regex: "@.*"
+        url: null
+        sender_localpart: intercom-service
+
+    oidc:
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
+      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+
+    turn:
+      sharedSecret: {{ .Values.turn.credentials }}
+      servers:
+        {{- if .Values.turn.tls.host }}
+        - server: {{ .Values.turn.tls.host }}
+          port: {{ .Values.turn.tls.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- else if .Values.turn.server.host }}
+        - server: {{ .Values.turn.server.host }}
+          port: {{ .Values.turn.server.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- end }}
+
+    guestModule:
+      image:
+        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+        registry: "{{ .Values.global.imageRegistry }}"
+        repository: "{{ .Values.images.synapseGuestModule.repository }}"
+        tag: "{{ .Values.images.synapseGuestModule.tag }}"
+
+persistence:
+  size: "{{ .Values.persistence.size.synapse }}"
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+
+replicaCount: {{ .Values.replicas.synapse }}
+
+resources:
+  {{ .Values.resources.synapse | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-synapse.yaml

@@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  additionalConfiguration:
+    user_directory:
+      enabled: true
+      search_all_users: true
+    room_prejoin_state:
+      additional_event_types:
+        - "m.space.parent"
+        - "net.nordeck.meetings.metadata"
+        - "m.room.power_levels"
+
+  homeserver:
+    guestModule:
+      enabled: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10991
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 10991
+...

helmfile/apps/element/values-well-known.gotmpl

@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.wellKnown.repository }}"
+  tag: "{{ .Values.images.wellKnown.tag }}"
+
+ingress:
+  host: "{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.wellKnown }}
+
+resources:
+  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-well-known.yaml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  e2ee:
+    forceDisable: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/intercom-service/helmfile.yaml

@@ -1,23 +1,30 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "intercom-service"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
+  # Intercom Service
+  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
+  - name: "intercom-service-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/intercom-service" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "intercom-service"
-    chart: "intercom-service/intercom-service"
-    version: "1.1.3"
+    chart: "intercom-service-repo/intercom-service"
+    version: "2.0.0"
     values:
-      - "values.yaml"
       - "values.gotmpl"
-    condition: "intercom.enabled"
+    installed: {{ .Values.intercom.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "intercom-service"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/intercom-service/values.gotmpl

@@ -4,6 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
   domain: "{{ .Values.global.domain }}"
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
@@ -13,23 +14,28 @@ global:
 ics:
   secret: {{ .Values.secrets.intercom.secret }}
   issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
-  originRegex: "{{ .Values.istio.domain }}"
+  originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
   default:
     domain: "{{ .Values.global.domain }}"
   oidc:
     secret: {{ .Values.secrets.keycloak.clientSecret.intercom }}
   matrix:
-    asSecret: {{ .Values.secrets.jitsi.synapseAsToken }}
-    serverName: "matrix.{{ .Values.global.domain }}"
+    asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
+    subdomain: {{ .Values.global.hosts.synapse }}
+    serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
+  nordeck:
+    subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot }}
   portal:
     apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
   redis:
-    password: {{ .Values.secrets.redis.password }}
+    host: {{ .Values.cache.intercomService.host }}
+    port: {{ .Values.cache.intercomService.port }}
+    password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
   openxchange:
     url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   repository: "{{ .Values.images.intercom.repository }}"
   tag: "{{ .Values.images.intercom.tag }}"
 

helmfile/apps/jitsi/helmfile.yaml

@@ -1,22 +1,31 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "jitsi"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
+  # openDesk Jitsi
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
+  - name: "jitsi-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "jitsi"
-    chart: "jitsi/sovereign-workplace-jitsi"
-    version: "1.1.0"
+    chart: "jitsi-repo/sovereign-workplace-jitsi"
+    version: "1.7.1"
     values:
       - "values-jitsi.gotmpl"
-    condition: "jitsi.enabled"
+    installed: {{ .Values.jitsi.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "jitsi"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -11,16 +11,23 @@ global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
   tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
 
 settings:
-  jwtAppSecret: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+  jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 
 jitsi:
-  publicURL: "https://{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+  publicURL: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
   web:
     replicaCount: {{ .Values.replicas.jitsi }}
     image:
@@ -30,17 +37,17 @@ jitsi:
       enabled: "{{ .Values.ingress.enabled }}"
       ingressClassName: "{{ .Values.ingress.ingressClassName }}"
       hosts:
-        - host: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+        - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
           paths:
             - "/"
       tls:
         - secretName: "{{ .Values.ingress.tls.secretName }}"
           hosts:
-            - "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
     extraEnvs:
       TURN_ENABLE: "1"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jitsi | toYaml | nindent 6 }}
   prosody:
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
@@ -51,11 +58,15 @@ jitsi:
     {{- end }}
     extraEnvs:
       - name: "AUTH_TYPE"
-        value: "jwt"
+        value: "hybrid_matrix_token"
       - name: "JWT_APP_ID"
         value: "myappid"
       - name: "JWT_APP_SECRET"
-        value: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+        value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
+      - name: "MATRIX_UVS_SYNC_POWER_LEVELS"
+        value: "true"
+      - name: "MATRIX_UVS_URL"
+        value: "http://opendesk-matrix-user-verification-service.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
       - name: TURNS_HOST
         value: "{{ .Values.turn.tls.host }}"
       - name: TURNS_PORT
@@ -69,7 +80,7 @@ jitsi:
       - name: TURN_CREDENTIALS
         value: "{{ .Values.turn.credentials }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.prosody | toYaml | nindent 6 }}
     persistence:
       size: "{{ .Values.persistence.size.prosody }}"
       storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
@@ -79,19 +90,19 @@ jitsi:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
       tag: "{{ .Values.images.jicofo.tag }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jicofoAuthPassword }}"
-      componentSecret: "{{ .Values.secrets.jitsiPlain.jicofoComponentPassword }}"
+      password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
+      componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jicofo | toYaml | nindent 6 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
       tag: "{{ .Values.images.jvb.tag }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jvbAuthPassword }}"
+      password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
       type: "{{ .Values.cluster.service.type }}"
   jibri:
@@ -100,18 +111,22 @@ jitsi:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
       tag: "{{ .Values.images.jibri.tag }}"
     recorder:
-      password: "{{ .Values.secrets.jitsiPlain.jibriRecorderPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jibriXmppPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jibri | toYaml | nindent 6 }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . }}
   {{- end }}
 
 patchJVB:
+  configuration:
+    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
+    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
   image:
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
     tag: "{{ .Values.images.jitsiPatchJVB.tag }}"

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -1,25 +1,35 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "sovereign-workplace-keycloak-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
+  # openDesk Keycloak Bootstrap
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
+  - name: "opendesk-keycloak-bootstrap-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
-  - name: "sovereign-workplace-keycloak-bootstrap"
-    chart: "sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
+  - name: "opendesk-keycloak-bootstrap"
+    chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
     version: "1.1.11"
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
     # as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
     timeout: 1800
 
 commonLabels:
   deploy-stage: "component-1"
   component: "keycloak-bootstrap"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl

@@ -11,14 +11,19 @@ global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+
 config:
   administrator:
-    password: "{{ .Values.secrets.keycloak.adminPassword }}"
+    password: {{ .Values.secrets.keycloak.adminPassword | quote }}
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.keycloakBootstrap.repository }}"
   tag: "{{ .Values.images.keycloakBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 resources:
   {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}

helmfile/apps/keycloak-bootstrap/values-bootstrap.yaml

@@ -4,7 +4,4 @@
 config:
   administrator:
     username: "kcadmin"
-
-cleanup:
-  deletePodsOnSuccess: true
 ...

helmfile/apps/keycloak/helmfile.yaml

@@ -1,44 +1,62 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "bitnami"
-    url: "https://charts.bitnami.com/bitnami"
-  - name: "keycloak-theme"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
-  - name: "keycloak-extensions"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
+  # VMWare Bitnami
+  # Source: https://github.com/bitnami/charts/
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Keycloak Theme
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
+  - name: "keycloak-theme-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/keycloak-theme" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Keycloak Extensions
+  - name: "keycloak-extensions-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
 
 releases:
   - name: "keycloak-theme"
-    chart: "keycloak-theme/sovereign-workplace-theme"
-    version: "1.0.0"
+    chart: "keycloak-theme-repo/opendesk-keycloak-theme"
+    version: "2.0.0"
     values:
       - "values-theme.gotmpl"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
   - name: "keycloak"
-    chart: "bitnami/keycloak"
-    version: "12.2.0"
+    chart: "bitnami-repo/keycloak"
+    version: "12.1.5"
     values:
       - "values-keycloak.gotmpl"
       - "values-keycloak.yaml"
       - "values-keycloak-idp.yaml"
     wait: true
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
   - name: "keycloak-extensions"
-    chart: "keycloak-extensions/keycloak-extensions"
+    chart: "keycloak-extensions-repo/keycloak-extensions"
     version: "0.1.0"
     needs:
       - "keycloak"
     values:
       - "values-extensions.yaml"
       - "values-extensions.gotmpl"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "keycloak"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/keycloak/values-extensions.gotmpl

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
   keycloak:
-    adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
+    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
   postgresql:
     connection:
       host: "{{ .Values.databases.keycloakExtension.host }}"
@@ -13,10 +13,15 @@ global:
     auth:
       database: "{{ .Values.databases.keycloakExtension.name }}"
       username: "{{ .Values.databases.keycloakExtension.username }}"
-      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
+      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
 handler:
+  image:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
+    tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   appConfig:
-    smtpPassword: "{{ .Values.smtp.password }}"
+    smtpPassword: {{ .Values.smtp.password | quote }}
     smtpHost: "{{ .Values.smtp.host }}"
     smtpUsername: "{{ .Values.smtp.username }}"
     mailFrom: "noreply@{{ .Values.global.domain }}"
@@ -25,14 +30,12 @@ handler:
 proxy:
   image:
     registry: "{{ .Values.global.imageRegistry }}"
-    repository: "{{ .Values.images.keycloakExtension.repository }}"
-    tag: "{{ .Values.images.keycloakExtension.tag }}"
-    imagePullPolicy: "Always"
+    repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
+    tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   ingress:
     enabled: "{{ .Values.ingress.enabled }}"
     ingressClassName: "{{ .Values.ingress.ingressClassName }}"
-    annotations:
-      nginx.org/proxy-buffer-size: "8k"
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     tls:
       enabled: "{{ .Values.ingress.tls.enabled }}"

helmfile/apps/keycloak/values-extensions.yaml

@@ -9,15 +9,37 @@ global:
     realm: "souvap"
 
 handler:
-  image:
-    tag: "latest"
   appConfig:
     captchaProtectionEnable: "False"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
 
 postgresql:
   enabled: false
 
 proxy:
-  image:
-    tag: "latest"
+  ingress:
+    annotations:
+      nginx.org/proxy-buffer-size: "8k"
+      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
 ...

helmfile/apps/keycloak/values-keycloak-idp.yaml

@@ -116,9 +116,9 @@ keycloakConfigCli:
             "enabled": true,
             "alwaysDisplayInConsole": false,
             "clientAuthenticatorType": "client-secret",
-            "secret": "$(CLIENT_SECRET_JITSI_PLAIN_PASSWORD)",
+            "secret": "$(CLIENT_SECRET_JITSI_PASSWORD)",
             "redirectUris": [
-              "https://$(JITSI_PLAIN_DOMAIN)/*"
+              "https://$(JITSI_DOMAIN)/*"
             ],
             "webOrigins": [
               "*"
@@ -135,7 +135,7 @@ keycloakConfigCli:
             "frontchannelLogout": true,
             "protocol": "openid-connect",
             "attributes": {
-              "post.logout.redirect.uris": "https://$(JITSI_PLAIN_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
+              "post.logout.redirect.uris": "https://$(JITSI_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
             },
             "authenticationFlowBindingOverrides": {},
             "fullScopeAllowed": true,
@@ -181,7 +181,7 @@ keycloakConfigCli:
             "attributes": {
               "backchannel.logout.revoke.offline.tokens": "true",
               "backchannel.logout.session.required": "true",
-              "backchannel.logout.url": "https://$(ELEMENT_DOMAIN)/_synapse/client/oidc/backchannel_logout",
+              "backchannel.logout.url": "https://$(MATRIX_DOMAIN)/_synapse/client/oidc/backchannel_logout",
               "post.logout.redirect.uris": "https://$(ELEMENT_DOMAIN)/*##https://$(MATRIX_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
             },
             "authenticationFlowBindingOverrides": {},

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -13,17 +13,17 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.keycloak.repository }}"
   tag: "{{ .Values.images.keycloak.tag }}"
-  digest: "{{ .Values.images.keycloak.digest }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 externalDatabase:
   host: "{{ .Values.databases.keycloak.host }}"
   port: {{ .Values.databases.keycloak.port }}
   user: "{{ .Values.databases.keycloak.username }}"
   database: "{{ .Values.databases.keycloak.name }}"
-  password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser }}
+  password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
 
 auth:
-  adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
+  adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
 
 replicaCount: {{ .Values.replicas.keycloak }}
 
@@ -55,8 +55,8 @@ keycloakConfigCli:
       value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
     - name: "MATRIX_DOMAIN"
       value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
-    - name: "JITSI_PLAIN_DOMAIN"
-      value: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+    - name: "JITSI_DOMAIN"
+      value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
     - name: "ELEMENT_DOMAIN"
       value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
     - name: "INTERCOM_SERVICE_DOMAIN"
@@ -65,8 +65,8 @@ keycloakConfigCli:
       value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
     - name: "CLIENT_SECRET_MATRIX_PASSWORD"
       value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
-    - name: "CLIENT_SECRET_JITSI_PLAIN_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.jitsiPlain }}
+    - name: "CLIENT_SECRET_JITSI_PASSWORD"
+      value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
     - name: "CLIENT_SECRET_NCOIDC_PASSWORD"
       value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
     - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
@@ -81,6 +81,8 @@ keycloakConfigCli:
       value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
     - name: "LDAPSEARCH_USERNAME"
       value: "ldapsearch_keycloak"
+  resources:
+    {{ .Values.resources.keycloak | toYaml | nindent 4 }}
 
 resources:
   {{ .Values.resources.keycloak | toYaml | nindent 2 }}

helmfile/apps/keycloak/values-keycloak.yaml

@@ -54,5 +54,32 @@ keycloakConfigCli:
     - "--import.var-substitution.enabled=true"
   cache:
     enabled: false
+  containerSecurityContext:
+    enabled: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
 
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  runAsNonRoot: true
+
+podSecurityContext:
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
 ...

helmfile/apps/keycloak/values-theme.gotmpl

@@ -7,4 +7,7 @@ global:
   domain: "{{ .Values.global.domain }}"
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 ...

helmfile/apps/nextcloud/helmfile.yaml

@@ -1,39 +1,54 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
-  - name: "nextcloud"
-    url: "https://nextcloud.github.io/helm/"
+  # openDesk Keycloak Bootstrap
+  # Source:
+  #  https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/sovereign-workplace-nextcloud-bootstrap
+  - name: "opendesk-nextcloud-bootstrap-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # Nextcloud
+  # Source: https://github.com/nextcloud/helm/
+  - name: "nextcloud-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://nextcloud.github.io/helm/" }}
 
 releases:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
-    version: "2.2.0"
+  - name: "opendesk-nextcloud-bootstrap"
+    chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
+    version: "3.2.2"
     wait: true
     waitForJobs: true
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
-    condition: "nextcloud.enabled"
-    timeout: 1800
+    installed: {{ .Values.nextcloud.enabled }}
+    timeout: 900
 
   - name: "nextcloud"
-    chart: "nextcloud/nextcloud"
+    chart: "nextcloud-repo/nextcloud"
     version: "3.5.19"
     needs:
-      - "sovereign-workplace-nextcloud-bootstrap"
+      - "opendesk-nextcloud-bootstrap"
     values:
       - "values-nextcloud.gotmpl"
       - "values-nextcloud.yaml"
-    condition: "nextcloud.enabled"
-    timeout: 1800
+    installed: {{ .Values.nextcloud.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "nextcloud"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -14,26 +14,26 @@ global:
 
 config:
   administrator:
-    password: {{ .Values.secrets.nextcloud.adminPassword }}
+    password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 
   antivirus:
     {{- if .Values.clamavDistributed.enabled }}
-    host: "clamav-sovereign-workplace-icap"
+    host: "clamav-icap"
     {{- else if .Values.clamavSimple.enabled }}
     host: "clamav-simple"
     {{- end }}
 
   apps:
     integrationSwp:
-      password: {{ .Values.secrets.centralnavigation.apiKey }}
+      password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
     userOidc:
-      password: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
+      password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
 
   database:
     host: "{{ .Values.databases.nextcloud.host }}"
     name: "{{ .Values.databases.nextcloud.name }}"
     user: "{{ .Values.databases.nextcloud.username }}"
-    password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
+    password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
 
   ldapSearch:
     password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
@@ -43,7 +43,13 @@ config:
     username: "{{ .Values.smtp.username }}"
     password: "{{ .Values.smtp.password }}"
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.nextcloud.repository }}"
   tag: "{{ .Values.images.nextcloud.tag }}"
@@ -64,4 +70,7 @@ persistence:
 
 resources:
   {{ .Values.resources.nextcloud | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 ...

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -11,6 +11,9 @@ config:
     userOidc:
       username: "ncoidc"
 
-cleanup:
-  deletePodsOnSuccess: false
+  cryptpad:
+    enabled: true
+
+  ldapSearch:
+    host: "univention-corporate-container"
 ...

helmfile/apps/nextcloud/values-nextcloud.gotmpl

@@ -6,16 +6,20 @@ SPDX-License-Identifier: Apache-2.0
 nextcloud:
   host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
   username: "nextcloud"
-  password: {{ .Values.secrets.nextcloud.adminPassword }}
+  password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 externalDatabase:
   database: "{{ .Values.databases.nextcloud.name }}"
   user: "{{ .Values.databases.nextcloud.username }}"
   host: "{{ .Values.databases.nextcloud.host }}"
-  password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
+  password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
+extraEnv:
+  REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
+  REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
+  REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 redis:
   auth:
     enabled: true
-    password: {{ .Values.secrets.redis.password }}
+    password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 ingress:
   enabled: {{ .Values.ingress.enabled }}
   className: {{ .Values.ingress.ingressClassName }}
@@ -25,7 +29,7 @@ ingress:
         - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.nextcloud.tag }}"
   pullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

helmfile/apps/nextcloud/values-nextcloud.yaml

@@ -21,6 +21,11 @@ cronjob:
         sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
         \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
 
+ingress:
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
+    nginx.org/client-max-body-size: "4G"
+
 internalDatabase:
   enabled: false
 postgresql:
@@ -39,6 +44,18 @@ externalDatabase:
 metrics:
   enabled: false
 
+nextcloud:
+  configs:
+    mimetypealiases.json: |-
+      {
+        "application/x-drawio": "image"
+      }
+
+    mimetypemapping.json: |-
+      {
+        "drawio": ["application/x-drawio"]
+      }
+
 # this is not documented but can be found in values.yaml
 service:
   port: "80"

helmfile/apps/open-xchange/helmfile.yaml

@@ -1,41 +1,67 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "dovecot"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
-  - name: "openxchange"
-    url: "registry.open-xchange.com"
+  # openDesk Dovecot
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-dovecot
+  - name: "opendesk-dovecot-repo"
     oci: true
-  - name: "sovereign-workplace-open-xchange-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/dovecot" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # Open-Xchange
+  - name: "openxchange-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
+  # openDesk Open-Xchange Bootstrap
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-open-xchange-bootstrap
+  - name: "opendesk-open-xchange-bootstrap-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "dovecot"
-    chart: "dovecot/dovecot"
-    version: "1.2.0"
+    chart: "opendesk-dovecot-repo/dovecot"
+    version: "1.3.1"
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"
-    condition: "dovecot.enabled"
+    installed: {{ .Values.dovecot.enabled }}
+    timeout: 900
+
   - name: "open-xchange"
-    chart: "openxchange/appsuite-public-sector/charts/appsuite-public-sector"
-    version: "1.2.13"
+    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
+    version: "2.1.1"
     values:
       - "values-openxchange.yaml"
       - "values-openxchange.gotmpl"
-    condition: "oxAppsuite.enabled"
-  - name: "sovereign-workplace-open-xchange-bootstrap"
-    chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
-    version: "1.2.2"
+      - "values-openxchange-enterprise-contact-picker.yaml"
+      - "values-openxchange-enterprise-contact-picker.gotmpl"
+    installed: {{ .Values.oxAppsuite.enabled }}
+    timeout: 900
+
+  - name: "opendesk-open-xchange-bootstrap"
+    chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
+    version: "1.3.1"
     values:
-      - "values-openxchange-bootstrap.yaml"
-    condition: "oxAppsuite.enabled"
+      - "values-openxchange-bootstrap.gotmpl"
+    installed: {{ .Values.oxAppsuite.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "open-xchange"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -7,6 +7,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   url: "{{ .Values.images.dovecot.repository }}"
   tag: "{{ .Values.images.dovecot.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
@@ -15,10 +16,10 @@ imagePullSecrets:
 
 dovecot:
   mailDomain: "{{ .Values.global.domain }}"
-  password: {{ .Values.secrets.dovecot.doveadm }}
+  password: {{ .Values.secrets.dovecot.doveadm | quote }}
   ldap:
     dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
-    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
+    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
   oidc:
     introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
     clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}

helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl

@@ -0,0 +1,20 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
+  tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+...

helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml

@@ -1,23 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-cleanup:
-  deletePodsOnSuccess: false
-
-# resources:
-#   limits:
-#     # The max amount of CPUs to consume.
-#     cpu: 1
-#     # The max amount of RAM to consume.
-#     memory: "1Gi"
-#   requests:
-#     # The amount of CPUs which has to be available on the scheduled node.
-#     cpu: 1
-#     # The amount of RAM which has to be available on the scheduled node.
-#     memory: "256Mi"
-
-# Keep default values:
-# coreMiddleware:
-#   statefulSet: "open-xchange-core-mw-default-0"
-#   pod: "open-xchange-core-mw-default-0"
-...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl

@@ -0,0 +1,14 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+appsuite:
+  core-mw:
+    secretYAMLFiles:
+      ldap-client-config.yml:
+        contactsLdapClient:
+          auth:
+            adminDN:
+              password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml

@@ -0,0 +1,397 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+appsuite:
+  core-mw:
+
+    properties:
+      # Enterprise contact picker
+      com.openexchange.contacts.ldap.accounts: "opendesk,other,functional"
+      com.openexchange.admin.bypassAccessCombinationChecks: "true"
+      ENABLE_INTERNAL_USER_EDIT: "false"
+
+    # Enterprise contact picker (see also gotmpl)
+    secretYAMLFiles:
+      ldap-client-config.yml:
+        contactsLdapClient:
+          pool:
+            type: "simple"
+            host:
+              address: "univention-corporate-container"
+              port: 389
+          auth:
+            type: "adminDN"
+            adminDN:
+              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+
+    uiSettings:
+      # Enterprise contact picker
+      io.ox/core//features/enterprisePicker/enabled: "true"
+
+    yamlFiles:
+      contacts-provider-ldap.yml:
+        # Example definitions of available LDAP contact providers, together with their corresponding configuration,
+        # referenced LDAP client connection settings and attribute mappings.
+        #
+        # This template contains examples and will be overwritten during updates. To use, copy this file to
+        # /opt/open-xchange/etc/contacts-provider-ldap.yml and configure as needed.
+        #
+        # Each configured contacts provider can be enabled for users using the corresponding identifier used in this
+        # .yml file. For this purpose, the config-cascade-enabled setting "com.openexchange.contacts.provider.ldap"
+        # is available.
+        #
+        # Besides the provider configuration in this file, also accompanying LDAP client and contact property mappings
+        # need to be referenced.
+        #
+        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
+        # for further details and a complete list of available configuration options.
+        #
+
+        # Key will be used as identifier for the contact provider
+        opendesk:
+
+          # The display name of this contacts provider.
+          name: "Example Address Lists"
+
+          # Configures the identifier of the LDAP client configuration settings to use, as defined in
+          # 'ldap-client-config.yml'. There, all further connection-related properties to access the LDAP server can
+          # be specified.
+          ldapClientId: "contactsLdapClient"
+
+          # A reference to the contact property <-> LDAP attribute mapping definitions to use, referencing the
+          # corresponding entry in the file 'contact-provider-ldap-mappings.yml'.
+          mappings: "ucs"
+
+          # Specifies if support for querying deleted objects is enabled or not. When enabled, deleted objects are
+          # identified with the filter 'isDeleted=TRUE', which is usually only available in Active Directory (as
+          # control with OID 1.2.840.113556.1.4.417). If disabled, no results are available for folders from this
+          # provider for the 'deleted' API call, and therefore no incremental synchronizations are possible. See also
+          # 'usedForSync' folders property. Defaults to "false".
+          isDeletedSupport: false
+
+          # Specifies the requested maximum size for paged results. "0" disables paged results. This should be
+          #  configured, especially when the there are server-side restrictions towards the maximum result size.
+          # Defaults to "500".
+          maxPageSize: 500
+
+          # Optionally enables a local cache that holds certain properties of all of the provider's contacts in
+          # memory to speed up access. Can only be used if no individual authentication is used to access the
+          # LDAP server.
+          cache:
+            useCache: false
+
+          # Definition of addressbook folders of the contacts provider. Different folder modes are possible, each
+          # one with its specific configuration settings. The template contains examples for all possible modes,
+          # however, only the one specified through 'mode' property is actually used.
+          folders:
+
+            # Configures in which mode addressbook folders are provided by the contacts provider. Possible modes
+            # are "fixedAttributes" to have a common search filter per folder that varies by a fixed set of possible
+            # attribute values, "dynamicAttributes" to use a common filter and retrieve all possible values
+            # dynamically, or "static" to have a static search filter associated with each contact folder.
+            # The corresponding mode-specific section needs to be configured as well.
+            mode: "dynamicAttributes"
+
+            # Configures if the addressbook folders can be synchronized to external clients via CardDAV or not.
+            # If set to "false", the folders are only available in the web client. If set to "true", folders can
+            # be activated for synchronization. Should only be enabled if attribute mappings for the 'changing_date'
+            # and 'uid' contact properties are available, and the LDAP server supports the special
+            # "LDAP Show Deleted Control" to query tombstone entries via 'isDeleted=TRUE'. The 'protected' flag
+            # controls whether the default value can be changed by the client or not.
+            usedForSync:
+              protected: true
+              defaultValue: false
+
+            # Defines whether addressbook folders will be available in the contact picker dialog of App Suite.
+            # If enabled, contacts from this provider can be looked up through this dialog, otherwise they are
+            # hidden. The 'protected' flag controls whether the default value can be changed by the client or not.
+            usedInPicker:
+              protected: false
+              defaultValue: true
+
+            # Defines whether addressbook folders will be shown as 'subscribed' folders in the tree or not.
+            # If enabled, the folders will appear in the contacts module of App Suite as regular, subscribed folder.
+            # Otherwise, they're treated as hidden, unsubscribed folders. The 'protected' flag controls whether
+            # the default value can be changed by the client or not.
+            shownInTree:
+              protected: false
+              defaultValue: true
+
+            # In "static" folder mode, a fixed list of folder definitions is used, each one with its own contact
+            # filter and name (the names must be unique). Additionally, a "commonContactFilter" needs to be
+            # defined, which is used for operations that are not bound to
+            # a specific folder, like lookups across all visible folders.
+            # The filter's search scopes relative to the LDAP client's 'baseDN' can be configured as "one"
+            # (only immediate subordinates) or "sub" (base entry itself and any subordinate entries to any depth),
+            # and all default to "sub" unless specified otherwise.
+            static:
+              commonContactFilter: "(|(objectClass=person)(objectClass=groupOfNames))"
+              commonContactSearchScope: "sub"
+              folders:
+                - name: "Cupertino"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Cupertino))"
+                  contactSearchScope: "sub"
+                - name: "San Mateo"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=San Mateo))"
+                  contactSearchScope: "sub"
+                - name: "Redwood Shores"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Redwood Shores))"
+                  contactSearchScope: "sub"
+                - name: "Armonk"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Armonk))"
+                  contactSearchScope: "sub"
+
+            # With mode "dynamic attributes", all possible values for one attribute are fetched periodically and
+            # serve as folders. The list of values is fetched by querying all entries that match the
+            # "contactFilterTemplate" (with the wildcard "*" as value) and "contactSearchScope" ("one"/"sub").
+            # Then, the folders are derived based on all distinct attribute values found, with the value as name.
+            # Depending on the configured authentication mode, this is either done per user individually, or globally.
+            # Therefore, per-user authentication is not recommend in this mode.
+            # The "refreshInterval" determines how often the list of attributes is refreshed, and can be defined
+            # using units of measurement:
+            # "D" (=days), "W" (=weeks), "H" (=hours) and "m" (=minutes). Defaults to "1h". The optional "sortOrder"
+            # allows to sort the attributes lexicographically, either "ascending" or "descending".
+            dynamicAttributes:
+              attributeName: "o"
+              contactFilterTemplate: "(&(univentionObjectType=users/user)(isOxUser=OK)(o=[value]))"
+              contactSearchScope: "sub"
+              # refreshInterval: 1h
+              refreshInterval: "5m"
+              sortOrder: "ascending"
+
+            # With mode "fixed attributes", all entries matching a filter and having an attribute set to one of the
+            # defined values do form a folder. Works similar to "dynamic attributes", but with a static list of
+            # possible values.
+            # All items defined in the "attributeValues" array are used as folder (with the value as name). When
+            # listing the contents of a specific folder, this folder's specific attribute value is inserted in the
+            # configured "contactFilterTemplate", using the "contactSearchScope" ("one"/"sub").
+            fixedAttributes:
+              contactFilterTemplate: "(&(|(objectClass=person)(objectClass=groupOfNames))(ou=[value]))"
+              contactSearchScope: "sub"
+              attributeValues:
+                - "Janitorial"
+                - "Product Development"
+                - "Management"
+                - "Human Resources"
+
+        other:
+          name: "Other contacts"
+          ldapClientId: "contactsLdapClient"
+          mappings: "ucs"
+          folders:
+            mode: "static"
+            usedForSync:
+              protected: true
+              defaultValue: false
+            usedInPicker:
+              protected: false
+              defaultValue: true
+            shownInTree:
+              protected: false
+              defaultValue: true
+            static:
+              commonContactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
+              folders:
+                - name: "Ohne Organisation"
+                  contactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
+
+        functional:
+          name: "Functional mailboxes"
+          ldapClientId: "contactsLdapClient"
+          mappings: "functional"
+          folders:
+            mode: "static"
+            usedForSync:
+              protected: true
+              defaultValue: false
+            usedInPicker:
+              protected: false
+              defaultValue: true
+            shownInTree:
+              protected: false
+              defaultValue: true
+            static:
+              commonContactFilter: "(univentionObjectType=oxmail/functional_account)"
+              folders:
+                - name: "Funktionale Postfächer"
+                  contactFilter: "(univentionObjectType=oxmail/functional_account)"
+
+      contacts-provider-ldap-mappings.yml:
+        # Example definitions of contact property <-> LDAP attribute mappings.
+        #
+        # This template contains examples and will be overwritten during updates. To use, copy this file to
+        # /opt/open-xchange/etc/contacts-provider-ldap-mappings.yml and configure as needed.
+        #
+        # Each configured set of mappings can be used for an LDAP contact provider (as defined through separate
+        # file contacts-provider-ldap.yml), by using the corresponding identifier used in this .yml file.
+        #
+        # Generally, contact properties are set based on an entry's value of the mapped LDAP attribute name.
+        # Empty mappings are ignored. It's possible to define a second LDAP attribute name for a property that is
+        # used as fall-back if the first one is empty in an LDAP result, e.g. to define multiple attributes for a
+        # display name, or to have multiple mappings for contacts and distribution lists.
+        #
+        # For the data-types, each LDAP attribute value is converted/parsed to the type necessary on the server
+        # (Strings, Numbers, Booleans). Dates are assumed to be in UTC and parsed using the pattern 'yyyyMMddHHmmss'.
+        # Binary properties may be indicated by appending ';binary' to the LDAP attribute name. In order to assign
+        # the internal user- and context identifier based on attributes yielding the corresponding
+        # login information (username / contextname), the special appendix ';logininfo' can be used.
+        # Boolean properties may also be set based on a comparison with the LDAP attribute value, which is defined
+        # by the syntax '[LDAP_ATTRIBUTE_NAME]=[EXPECTED_VALUE]', e.g. to set the 'mark_as_distribution_list'
+        # property based on a specific 'objectClass' value.
+        # Alternatively, a Boolean value may also be assigned based on the the existence of any attribute value
+        # using '*'.
+        #
+        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
+        # for further details and a complete list of available configuration options.
+        #
+
+        # Mappings for a typical OpenLDAP server.
+        ucs:
+          # == ID Mappings =======================================================
+          # The object ID is always required and must be unique for the LDAP server. Will use the DN of the entry
+          # unless overridden.
+          # The 'guid' flag can be passed along to properly decode a Microsoft GUID. For 'regular' UUIDs, the
+          # flag 'binary' should be used.
+          objectid: "uidNumber,gidNumber"
+          # The user and context identifiers can be mapped to certain LDAP attributes to aid resolving contact
+          # entries to internal users, e.g. in scenarios where the default global addressbook folder is disabled.
+          # Will only be considered if an entry's context identifier matches the one from the actual session of
+          # the requesting operation.
+          # If used, they should be mapped to attributes that provide the matching rules "integerMatch" for
+          # "EQUALITY" as well as "integerOrderingMatch" for "ORDERING".
+          # Alternatively, if no internal context- or user identifier is available, also attributes yielding
+          # the corresponding login information (username / contextname) can be used by appending ';logininfo'
+          # to the attribute name.
+          internal_userid: "uid;logininfo"
+          contextid: "oxContextIDNum"
+          # The 'guid' flag can be passed along properly decode a Microsoft GUID. For 'regular' UUIDs in binary
+          # format, the flag 'binary' should be used.
+          # uid                   : entryUUID;binary;logininfo
+
+          # == String Mappings ===================================================
+          displayname: "oxDisplayName,displayName,name"
+          file_as: "oxDisplayName,displayName,name"
+          givenname: "givenName"
+          surname: "sn"
+          email1: "mailPrimaryAddress"
+          department: "oxDepartment,department"
+          company: "oxCompany,o"
+          branches: "oxBranches"
+          # business_category     :
+          postal_code_business: "postalCode"
+          state_business: "oxStateBusiness,st"
+          street_business: "streetAddress"
+          # telephone_callback    :
+          city_home: "oxCityHome"
+          commercial_register: "oxCommercialRegister"
+          country_home: "oxCountryHome"
+          email2: "oxEmail2"
+          email3: "oxEmail3"
+          employeetype: "employeeType"
+          fax_business: "oxFaxBusiness,facsimileTelehoneNumber"
+          fax_home: "oxFaxHome"
+          fax_other: "oxFaxOther"
+          instant_messenger1: "oxInstantMessenger1"
+          instant_messenger2: "oxInstantMessenger2"
+          telephone_ip: "oxTelephoneIp"
+          telephone_isdn: "internationaliSDNNumber"
+          marital_status: "oxMaritalStatus"
+          cellular_telephone1: "mobile"
+          # cellular_telephone2   :
+          nickname: "oxNickName"
+          number_of_children: "oxNumOfChildren"
+          number_of_employee: "employeeNumber"
+          note: "oxNote,description"
+          telephone_pager: "oxTelephonePager,pager"
+          telephone_assistant: "oxTelephoneAssistant"
+          telephone_business1: "oxTelephoneBusiness1,telephoneNumber"
+          telephone_business2: "oxTelephoneBusiness2"
+          telephone_car: "oxTelephoneCar"
+          telephone_company: "oxTelephoneCompany"
+          telephone_home1: "oxTelephoneHome1,homePhone"
+          telephone_home2: "oxTelephoneHome2"
+          telephone_other: "oxTelephoneOther"
+          postal_code_home: "oxPostalCodeHome"
+          # telephone_radio       :
+          room_number: "roomNumber"
+          sales_volume: "oxSalesVolume"
+          city_other: "oxCityOther"
+          country_other: "oxCountryOther"
+          middle_name: "oxMiddleName,middleName"
+          postal_code_other: "oxPostalCodeOther"
+          state_other: "oxStateOther"
+          street_other: "oxStreetOther"
+          spouse_name: "oxSpouseName"
+          state_home: "oxStateHome"
+          street_home: "oxStreetHome"
+          suffix: "oxSuffix"
+          tax_id: "oxTaxId"
+          telephone_telex: "oxTelephoneTelex,telexNumber"
+          telephone_ttytdd: "oxTelephoneTtydd"
+          url: "oxUrl,wWWHome"
+          userfield01: "oxUserfiels01"
+          userfield02: "oxUserfiels02"
+          userfield03: "oxUserfiels03"
+          userfield04: "oxUserfiels04"
+          userfield05: "oxUserfiels05"
+          userfield06: "oxUserfiels06"
+          userfield07: "oxUserfiels07"
+          userfield08: "oxUserfiels08"
+          userfield09: "oxUserfiels09"
+          userfield10: "oxUserfiels10"
+          userfield11: "oxUserfiels11"
+          userfield12: "oxUserfiels12"
+          userfield13: "oxUserfiels13"
+          userfield14: "oxUserfiels14"
+          userfield15: "oxUserfiels15"
+          userfield16: "oxUserfiels16"
+          userfield17: "oxUserfiels17"
+          userfield18: "oxUserfiels18"
+          userfield19: "oxUserfiels19"
+          userfield20: "oxUserfiels20"
+          city_business: "l"
+          country_business: "oxCountryBusiness,country"
+          # telephone_primary     :
+          # categories            :
+          title: "title"
+          position: "oxPosition"
+          profession: "oxProfession"
+
+          # == Date Mappings =====================================================
+          birthday: "oxBirthday"
+          anniversary: "oxAnniversary"
+          # The last-modified and creation dates are required by the groupware server, therefore an implicit
+          # default date is assumed when no LDAP attribute is mapped here, and no results are available for this
+          # folder for the 'modified' and 'deleted' API calls. Therefore, any synchronization-based usage will
+          # not be available.
+          lastmodified: "modifyTimestamp"
+          creationdate: "createTimestamp"
+
+          # == Misc Mappings =====================================================
+          # Distribution list members are resolved dynamically using the DNs found in the mapped LDAP attribute.
+          # Alternatively, if the attribute value does not denote a DN reference, the value is assumed to be the
+          # plain email address of the member.
+          distributionlist: "memberUid"
+          # Special mapping where the value is evaluated using a string comparison with, or the existence of
+          # the attribute value.
+          markasdistributionlist: "objectClass=posixGroup"
+          # The values for the for assistant- and manager name mappings are either used as-is, or get resolved
+          # dynamically using the DNs found
+          # in the mapped LDAP attribute.
+          assistant_name: "secretary"
+          manager_name: "oxManagerName,manager"
+          # Contact image, binary format is expected.
+          image1: "jpegPhoto"
+          # Special mapping where the value is evaluated using a string comparison with, or the existence of
+          # the attribute value.
+          number_of_images: "jpegPhoto=*"
+          # Will be set internally if not defined.
+          # image_last_modified   :
+          # Will be set automatically to "image/jpeg" if not defined.
+          # image1_content_type   :
+
+        functional:
+          objectid: "mailPrimaryAddress"
+          displayname: "oxPersonal,cn,mailPrimaryAddress"
+          file_as: "oxPersonal,cn,mailPrimaryAddress"
+          email1: "mailPrimaryAddress"

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -11,8 +11,8 @@ global:
     database: "{{ .Values.databases.oxAppsuite.name }}"
     auth:
       user: "{{ .Values.databases.oxAppsuite.username }}"
-      password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
-      rootPassword: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
+      password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
+      rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}
@@ -34,6 +34,7 @@ public-sector-ui:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . }}
   {{- end }}
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 appsuite:
   istio:
@@ -52,6 +53,15 @@ appsuite:
   core-mw:
     masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
     hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+    gotenberg:
+      imagePullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+      {{- end }}
+      image:
+        repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}
+        tag: {{ .Values.images.openxchangeGotenberg.tag }}
+        pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     properties:
       "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
       "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -76,6 +86,16 @@ appsuite:
     uiSettings:
       "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
       "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
+      # Dynamic theme
+      io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
+      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+      io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
+      io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
+      io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
     secretETCFiles:
       # Format of the OX Guard master key:
       # MC+base64(20 random bytes)
@@ -83,9 +103,13 @@ appsuite:
       oxguardpass: |
         {{ .Values.secrets.oxAppsuite.oxguardMC }}
         {{ .Values.secrets.oxAppsuite.oxguardRC }}
+    redis:
+      auth:
+        password: {{ .Values.secrets.redis.password | quote }}
     image:
       repository: {{ .Values.images.openxchangeCoreMW.repository }}
       tag: {{ .Values.images.openxchangeCoreMW.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     update:
       image:
         repository: {{ .Values.images.openxchangeCoreMW.repository }}
@@ -103,11 +127,13 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreUI.repository }}
       tag: {{ .Values.images.openxchangeCoreUI.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-ui-middleware:
     ingress:
       hosts:
         - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+      enabled: false
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . }}
@@ -115,6 +141,17 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
       tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    redis:
+      auth:
+        password: {{ .Values.secrets.redis.password | quote }}
+
+  core-documentconverter:
+    image:
+      repository: {{ .Values.images.openxchangeDocumentConverter.repository }}
+      tag: {{ .Values.images.openxchangeDocumentConverter.tag }}
+    resources:
+      {{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
 
   core-guidedtours:
     imagePullSecrets:
@@ -124,6 +161,12 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
       tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+  core-imageconverter:
+    image:
+      repository: {{ .Values.images.openxchangeImageConverter.repository }}
+      tag: {{ .Values.images.openxchangeImageConverter.tag }}
 
   guard-ui:
     imagePullSecrets:
@@ -133,11 +176,13 @@ appsuite:
     image:
       repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
       tag: {{ .Values.images.openxchangeGuardUI.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-user-guide:
     image:
       repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
       tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . }}

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -4,11 +4,16 @@
 appsuite:
   istio:
     ingressGateway:
-      name: "sovereign-workplace-gateway-istio-gateway"
+      name: "opendesk-gateway-istio-gateway"
+
+  switchboard:
+    enabled: false
 
   core-mw:
     enabled: true
     masterAdmin: "admin"
+    gotenberg:
+      enabled: true
     features:
       status:
         # enable admin pack
@@ -22,6 +27,13 @@ appsuite:
         open-xchange-authentication-oauth: "enabled"
     properties:
       com.openexchange.UIWebPath: "/appsuite/"
+      # PDF Export
+      com.openexchange.capability.mail_export_pdf: "true"
+      com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
+      com.openexchange.mail.exportpdf.collabora.enabled: "true"
+      com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
+      com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
+      com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
       # OIDC
       com.openexchange.oidc.enabled: "true"
       com.openexchange.oidc.autologinCookieMode: "ox_direct"
@@ -54,17 +66,27 @@ appsuite:
       com.openexchange.mail.filter.credentialSource: "mail"
       com.openexchange.mail.filter.server: "dovecot"
       com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
+      # Dovecot
+      com.openexchange.imap.attachmentMarker.enabled: "true"
       # Capabilities
+      # Old capability can be used to toggle all integrations with a single switch
+      com.openexchange.capability.public-sector: "true"
+      # New capabilities in 2.0
+      com.openexchange.capability.public-sector-element: "true"
+      com.openexchange.capability.public-sector-navigation: "true"
       com.openexchange.capability.client-onboarding: "true"
       com.openexchange.capability.dynamic-theme: "true"
       com.openexchange.capability.filestorage_nextcloud: "true"
       com.openexchange.capability.filestorage_nextcloud_oauth: "true"
       com.openexchange.capability.guard: "true"
       com.openexchange.capability.guard-mail: "true"
-      com.openexchange.capability.public-sector: "true"
       com.openexchange.capability.smime: "true"
+      com.openexchange.capability.share_links: "false"
+      com.openexchange.capability.invite_guests: "false"
+      com.openexchange.capability.document_preview: "true"
       # Secondary Accounts
       com.openexchange.mail.secondary.authType: "XOAUTH2"
+      com.openexchange.mail.transport.secondary.authType: "xoauth2"
       # Nextcloud integration
       com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
       com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
@@ -73,6 +95,8 @@ appsuite:
       com.openexchange.gdpr.dataexport.enabled: "false"
       com.openexchange.gdpr.dataexport.active: "false"
       # Guard
+      com.openexchange.guard.storage.file.fileStorageType: "file"
+      com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
       com.openexchange.guard.guestSMTPServer: "postfix"
       # S/MIME
       # Usage (in browser console after login):
@@ -92,6 +116,13 @@ appsuite:
         bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
 
     uiSettings:
+      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
+      io.ox/core//features/enterprisePicker/showLauncher: "false"
+      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
+      # Text and icon color in the topbar
+      io.ox/dynamic-theme//topbarColor: "#000"
+      io.ox/dynamic-theme//logoWidth: "82"
+      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
       # Resources
       io.ox/core//features/resourceCalendars: "true"
       io.ox/core//features/managedResources: "true"
@@ -106,18 +137,8 @@ appsuite:
       # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
       io.ox/core//apps/quickLaunchCount: "0"
       io.ox/core//coloredIcons: "false"
-      # Dynamic theme
-      io.ox/dynamic-theme//mainColor: "#004B76"
-      io.ox/dynamic-theme//logoURL: "io.ox.public-sector/logo.svg"
-      io.ox/dynamic-theme//logoWidth: "80"
-      io.ox/dynamic-theme//topbarBackground: "#fff"
-      io.ox/dynamic-theme//topbarColor: "#1f1f1f"
-      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
-      io.ox/dynamic-theme//listSelected: "#ADC8F0"
-      io.ox/dynamic-theme//listHover: "#ddd"
-      io.ox/dynamic-theme//folderBackground: "#fff"
-      io.ox/dynamic-theme//folderSelected: "#ADC8F0"
-      io.ox/dynamic-theme//folderHover: "#ddd"
+      # Mail templates
+      io.ox/core//features/templates: "true"
 
     asConfig:
       default:
@@ -126,10 +147,31 @@ appsuite:
         oidcLogin: true
         oidcPath: "/oidc"
 
+    redis:
+      enabled: true
+      mode: "standalone"
+      hosts:
+        - "redis-master"
+
+    hooks:
+      beforeAppsuiteStart:
+        create-guard-dir.sh: |
+          mkdir -p /opt/open-xchange/guard-files
+          chown open-xchange:open-xchange /opt/open-xchange/guard-files
+
   core-ui:
     enabled: true
+
   core-ui-middleware:
     enabled: true
+    overrides: {}
+    redis:
+      mode: "standalone"
+      hosts:
+        - "redis-master:6379"
+      auth:
+        enabled: true
+
   core-guidedtours:
     enabled: true
   guard-ui:
@@ -138,12 +180,26 @@ appsuite:
     enabled: false
   core-user-guide:
     enabled: true
+
   core-imageconverter:
-    enabled: false
+    enabled: true
+    objectCache:
+      s3ObjectStores:
+        - id: -1
+          endpoint: "."
+          accessKey: "."
+          secretKey: "."
+
   core-spellcheck:
     enabled: false
+
   core-documentconverter:
-    enabled: false
+    enabled: true
+    documentConverter:
+      cache:
+        remoteCache:
+          enabled: false
+
   core-documents-collaboration:
     enabled: false
   office-web:

helmfile/apps/openproject/helmfile.yaml

@@ -1,23 +1,31 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "openproject"
-    url: "https://charts.openproject.org"
+  # OpenProject
+  # Source: https://github.com/opf/helm-charts
+  - name: "openproject-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://charts.openproject.org" }}
 
 releases:
   - name: "openproject"
-    chart: "openproject/openproject"
-    version: "1.8.0"
+    chart: "openproject-repo/openproject"
+    version: "2.0.4"
+    wait: true
+    waitForJobs: true
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "openproject.enabled"
+    installed: {{ .Values.openproject.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "openproject"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/openproject/values.gotmpl

@@ -10,10 +10,13 @@ global:
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.openproject.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.openproject.tag }}"
 
 memcached:
+  connection:
+    host: "{{ .Values.cache.openproject.host }}"
+    port: {{ .Values.cache.openproject.port }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.memcached.repository }}"
@@ -21,7 +24,7 @@ memcached:
 
 postgresql:
   auth:
-    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser }}
+    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
     username: "{{ .Values.databases.openproject.username }}"
     database: "{{ .Values.databases.openproject.name }}"
   connection:
@@ -35,7 +38,7 @@ openproject:
     name: "OpenProject Interal Admin"
     mail: "openproject-admin@swp-domain.internal"
     password_reset: "false"
-    password: "{{ .Values.secrets.openproject.adminPassword }}"
+    password: {{ .Values.secrets.openproject.adminPassword | quote }}
 
 ingress:
   host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
@@ -51,21 +54,25 @@ environment:
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
-  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey }}
+  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
   OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
-  OPENPROJECT_SMTP__PORT: "587" # (default=587)
+  OPENPROJECT_SMTP__PORT: "{{ .Values.smtp.port }}"
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
   OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
+  OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
 
 persistence:
   size: "{{ .Values.persistence.size.openproject }}"
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
 
 replicaCount: {{ .Values.replicas.openproject }}
 
 resources:
   {{ .Values.resources.openproject | toYaml | nindent 2 }}
+
 ...

helmfile/apps/openproject/values.yaml

@@ -4,6 +4,9 @@
 image:
   registry: "registry.souvap-univention.de"
 
+memcached:
+  bundled: false
+
 probes:
   liveness:
     initialDelaySeconds: 300
@@ -27,6 +30,16 @@ openproject:
   # seed will only be executed on initial installation
   seed_locale: "de"
 
+securityContext:
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+
+persistence:
+  accessModes:
+    - "ReadWriteMany"
+
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
 environment:
@@ -34,11 +47,32 @@ environment:
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
+  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
   OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
   OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
   OPENPROJECT_SMTP__AUTHENTICATION: "plain"
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
+  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
+  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
+  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
+    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
+  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
+  OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
+  OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
+  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
+  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
+  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
+    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
 
 ...

helmfile/apps/provisioning/helmfile.yaml

@@ -1,23 +1,27 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "ox-connector"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable"
+  # OX Connector
+  - name: "ox-connector-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
 
 releases:
   - name: "ox-connector"
-    chart: "ox-connector/ox-connector"
+    chart: "ox-connector-repo/ox-connector"
     version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
     values:
       - "values-oxconnector.yaml"
       - "values-oxconnector.gotmpl"
-    condition: "oxConnector.enabled"
+    installed: {{ .Values.oxConnector.enabled }}
 
 commonLabels:
   deploy-stage: "component-2"
   component: "provisioning"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.oxConnector.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.oxConnector.tag }}"
 
 imagePullSecrets:
@@ -21,7 +21,7 @@ oxConnector:
   domainName: "{{ .Values.global.domain }}"
   #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
   oxMasterAdmin: "admin"
-  oxMasterPassword: "{{ .Values.secrets.oxAppsuite.adminPassword }}"
+  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
   oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
   oxDefaultContext: "1"
 

helmfile/apps/services/helmfile.yaml

@@ -1,80 +1,144 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "sovereign-workplace-certificates"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable"
-  - name: "postgresql"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable"
-  - name: "mariadb"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable"
-  - name: "postfix"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable"
-  - name: "istio-resources"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable"
-  - name: "clamav"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable"
-  - name: "bitnami"
-    url: "https://charts.bitnami.com/bitnami"
+  # openDesk Certificates
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
+  - name: "opendesk-certificates-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk PostgreSQL
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
+  - name: "postgresql-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk MariaDB
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb
+  - name: "mariadb-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Postfix
+  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
+  - name: "postfix-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Istio Resources
+  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
+  - name: "istio-resources-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk ClamAV
+  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
+  - name: "clamav-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # VMWare Bitnami
+  # Source: https://github.com/bitnami/charts/
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
-  - name: "sovereign-workplace-certificates"
-    chart: "sovereign-workplace-certificates/sovereign-workplace-certificates"
-    version: "1.2.1"
+  - name: "opendesk-certificates"
+    chart: "opendesk-certificates-repo/opendesk-certificates"
+    version: "2.1.0"
     values:
       - "values-certificates.gotmpl"
-    condition: "certificates.enabled"
+    installed: {{ .Values.certificates.enabled }}
   - name: "redis"
-    chart: "bitnami/redis"
-    version: "^17.9.3"
+    chart: "bitnami-repo/redis"
+    version: "18.1.2"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
-    condition: "redis.enabled"
+    installed: {{ .Values.redis.enabled }}
+  - name: "memcached"
+    chart: "bitnami-repo/memcached"
+    version: "6.6.2"
+    values:
+      - "values-memcached.yaml"
+      - "values-memcached.gotmpl"
+    installed: {{ .Values.memcached.enabled }}
   - name: "postgresql"
-    chart: "postgresql/postgresql"
-    version: "2.0.0"
+    chart: "postgresql-repo/postgresql"
+    version: "2.0.2"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
-    condition: "postgresql.enabled"
+    installed: {{ .Values.postgresql.enabled }}
+    timeout: 900
   - name: "mariadb"
-    chart: "mariadb/mariadb"
-    version: "2.0.0"
+    chart: "mariadb-repo/mariadb"
+    version: "2.0.2"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
-    condition: "mariadb.enabled"
+    installed: {{ .Values.mariadb.enabled }}
+    timeout: 900
   - name: "postfix"
-    chart: "postfix/postfix"
-    version: "1.13.0"
+    chart: "postfix-repo/postfix"
+    version: "2.0.3"
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
-    condition: "postfix.enabled"
+    installed: {{ .Values.postfix.enabled }}
   - name: "clamav"
-    chart: "clamav/sovereign-workplace-clamav"
-    version: "2.1.0"
+    chart: "clamav-repo/opendesk-clamav"
+    version: "4.0.0"
     values:
+      - "values-clamav-distributed.yaml"
       - "values-clamav-distributed.gotmpl"
-    condition: "clamavDistributed.enabled"
+    installed: {{ .Values.clamavDistributed.enabled }}
   - name: "clamav-simple"
-    chart: "clamav/clamav-simple"
-    version: "2.1.0"
+    chart: "clamav-repo/clamav-simple"
+    version: "4.0.0"
     values:
+      - "values-clamav-simple.yaml"
       - "values-clamav-simple.gotmpl"
-    condition: "clamavSimple.enabled"
-  - name: "sovereign-workplace-gateway"
-    chart: "istio-resources/istio-gateway"
-    version: "1.1.2"
+    installed: {{ .Values.clamavSimple.enabled }}
+  - name: "opendesk-gateway"
+    chart: "istio-resources-repo/istio-gateway"
+    version: "2.0.0"
     values:
+      - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
-    condition: "istio.enabled"
+    installed: {{ .Values.istio.enabled }}
 
 commonLabels:
   deploy-stage: "services"
   component: "services"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/services/values-certificates.gotmpl

@@ -18,4 +18,9 @@ istio:
   issuerRef:
     name: "{{ .Values.istio.issuerRef.name }}"
 {{- end }}
+
+cleanup:
+  keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
+
+wildcard: {{ .Values.certificate.wildcard }}
 ...

helmfile/apps/services/values-clamav-distributed.gotmpl

@@ -5,25 +5,23 @@ SPDX-License-Identifier: Apache-2.0
 ---
 clamd:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.clamd }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.clamd.repository }}"
     tag: "{{ .Values.images.clamd.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.clamd | toYaml | nindent 4 }}
 
 freshclam:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.freshclam }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.freshclam.repository }}"
     tag: "{{ .Values.images.freshclam.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.freshclam | toYaml | nindent 4 }}
 
@@ -37,18 +35,18 @@ icap:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.icap.repository }}"
     tag: "{{ .Values.images.icap.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.icap | toYaml | nindent 4 }}
 
 milter:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.milter }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.milter.repository }}"
     tag: "{{ .Values.images.milter.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.milter | toYaml | nindent 4 }}
 

helmfile/apps/services/values-clamav-distributed.yaml

@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  enabled: true
+  readOnlyRootFilesystem: true
+
+clamd:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+freshclam:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+icap:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+milter:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+...

helmfile/apps/services/values-clamav-simple.gotmpl

@@ -3,11 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
-podSecurityContext:
-  {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-  enabled: false
-
 replicaCount: {{ .Values.replicas.clamav }}
 
 image:
@@ -15,10 +10,12 @@ image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.clamd.repository }}"
     tag: "{{ .Values.images.clamd.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   icap:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.icap.repository }}"
     tag: "{{ .Values.images.icap.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 resources:
   {{ .Values.resources.clamd | toYaml | nindent 4 }}

helmfile/apps/services/values-clamav-simple.yaml

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+  fsGroupChangePolicy: "Always"
+...

helmfile/apps/services/values-istio-gateway.gotmpl

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 global:
   domain: "{{ .Values.istio.domain }}"
   hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
+    openxchange: "{{ .Values.global.hosts.openxchange }}"
 
 tls:
   secretName: "{{ .Values.istio.domain }}-tls"

helmfile/apps/services/values-istio-gateway.yaml

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+tls:
+  httpsRedirect: false
+...

helmfile/apps/services/values-mariadb.gotmpl

@@ -11,15 +11,18 @@ global:
 image:
   repository: "{{ .Values.images.mariadb.repository }}"
   tag: "{{ .Values.images.mariadb.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
+# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
+# Please refer to `databases.yaml` for details.
 job:
   users:
     - username: "xwiki_user"
-      password: "{{ .Values.secrets.mariadb.xwikiUser }}"
+      password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
     - username: "openxchange_user"
-      password: "{{ .Values.secrets.mariadb.openxchangeUser }}"
+      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
     - username: "nextcloud_user"
-      password: "{{ .Values.secrets.mariadb.nextcloudUser }}"
+      password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
   databases:
     - name: "xwiki"
       user: "xwiki_user"
@@ -29,7 +32,7 @@ job:
       user: "openxchange_user"
 
 mariadb:
-  rootPassword: "{{ .Values.secrets.mariadb.rootPassword }}"
+  rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
 
 persistence:
   storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"

helmfile/apps/services/values-mariadb.yaml

@@ -1,6 +1,25 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 job:
   enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
 ...

helmfile/apps/services/values-memcached.gotmpl

@@ -8,13 +8,12 @@ global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
-xwiki:
-  url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/"
-  superadmin:
-    username: "superadmin"
-    password: {{ .Values.secrets.xwiki.superadminpassword | quote }}
-
 image:
-  repository: "{{ .Values.images.xwikiInit.repository }}"
-  tag: "{{ .Values.images.xwikiInit.tag }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.memcached.repository }}"
+  tag: "{{ .Values.images.memcached.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+resources:
+  {{ .Values.resources.memcached | toYaml | nindent 2 }}
 ...

helmfile/apps/services/values-memcached.yaml

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+
+serviceAccount:
+  create: true
+...

helmfile/apps/services/values-postfix.gotmpl

@@ -3,14 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
-  url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
-  digest: "{{ .Values.images.postfix.digest }}"
+global:
+  registry: {{ .Values.global.imageRegistry }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
-{{- end }}
+image:
+  registry: {{ .Values.global.imageRegistry }}
+  repository: "{{ .Values.images.postfix.repository }}"
+  tag: "{{ .Values.images.postfix.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 certificate:
   secretName: "{{ .Values.ingress.tls.secretName }}"

helmfile/apps/services/values-postfix.yaml

@@ -5,6 +5,19 @@ certificate:
   request:
     enabled: false
 
+containerSecurityContext:
+  allowPrivilegeEscalation: true
+  capabilities: {}
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
 postfix:
   hostname: "postfix"
   inetProtocols: "ipv4"

helmfile/apps/services/values-postgresql.gotmpl

@@ -11,19 +11,20 @@ global:
 image:
   repository: "{{ .Values.images.postgresql.repository }}"
   tag: "{{ .Values.images.postgresql.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 job:
   users:
     - username: "keycloak_user"
-      password: {{ .Values.secrets.postgresql.keycloakUser }}
+      password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
     - username: "openproject_user"
-      password: {{ .Values.secrets.postgresql.openprojectUser }}
+      password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
     - username: "keycloak_extensions_user"
-      password: {{ .Values.secrets.postgresql.keycloakExtensionUser }}
+      password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
     - username: "matrix_user"
-      password: {{ .Values.secrets.postgresql.matrixUser }}
+      password: {{ .Values.secrets.postgresql.matrixUser | quote }}
     - username: "notificationsapi_user"
-      password: {{ .Values.secrets.postgresql.notificationsapiUser }}
+      password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
   databases:
     - name: "keycloak"
       user: "keycloak_user"
@@ -42,7 +43,7 @@ persistence:
   size: "{{ .Values.persistence.size.postgresql }}"
 
 postgres:
-  password: {{ .Values.secrets.postgresql.postgresUser }}
+  password: {{ .Values.secrets.postgresql.postgresUser | quote }}
 
 resources:
   {{ .Values.resources.postgresql | toYaml | nindent 2 }}

helmfile/apps/services/values-postgresql.yaml

@@ -1,11 +1,29 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-enabled: true
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 job:
   image:
     digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
+
+
 postgres:
   user: "postgres"
 ...

helmfile/apps/services/values-redis.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 auth:
-  password: {{ .Values.secrets.redis.password }}
+  password: {{ .Values.secrets.redis.password | quote }}
 
 global:
   imageRegistry: "{{ .Values.global.imageRegistry }}"
@@ -16,6 +16,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.redis.repository }}"
   tag: "{{ .Values.images.redis.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 master:
   persistence:

helmfile/apps/services/values-redis.yaml

@@ -8,4 +8,8 @@ sentinel:
 
 metrics:
   enabled: false
+
+master:
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
 ...

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -1,23 +1,32 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "univention-corporate-container"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable"
+  # openDesk Univention Corporate Server (as eval Container)
+  - name: "univention-corporate-container-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/univention-corporate-container" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "univention-corporate-container"
-    chart: "univention-corporate-container/univention-corporate-container"
+    chart: "univention-corporate-container-repo/univention-corporate-container"
     version: "1.0.10"
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "univentionCorporateServer.enabled"
+    installed: {{ .Values.univentionCorporateServer.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "univention-corporate-container"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/univention-corporate-container/values.gotmpl

@@ -13,7 +13,7 @@ global:
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"
-  imagePullPolicy: "Always"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   repository: "{{ .Values.images.univentionCorporateServer.repository }}"
   tag: "{{ .Values.images.univentionCorporateServer.tag }}"
 
@@ -37,31 +37,31 @@ extraEnvVars:
   - name: LDAPSEARCH_OX_USERNAME
     value: "ldapsearch_ox"
   - name: LDAPSEARCH_OX_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
   - name: LDAPSEARCH_DOVECOT_USERNAME
     value: "ldapsearch_dovecot"
   - name: LDAPSEARCH_DOVECOT_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
   - name: LDAPSEARCH_KEYCLOAK_USERNAME
     value: "ldapsearch_keycloak"
   - name: LDAPSEARCH_KEYCLOAK_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
   - name: LDAPSEARCH_NEXTCLOUD_USERNAME
     value: "ldapsearch_nextcloud"
   - name: LDAPSEARCH_NEXTCLOUD_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
   - name: LDAPSEARCH_OPENPROJECT_USERNAME
     value: "ldapsearch_openproject"
   - name: LDAPSEARCH_OPENPROJECT_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
   - name: LDAPSEARCH_XWIKI_USERNAME
     value: "ldapsearch_xwiki"
   - name: LDAPSEARCH_XWIKI_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
   - name: DEFAULT_ACCOUNT_USER_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword }}
+    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
   - name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword }}
+    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
 
 resources:
   {{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -0,0 +1,120 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+---
+repositories:
+  # Univention Management Stack
+  - name: "ums-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
+
+releases:
+  - name: "ums-store-dav"
+    chart: "ums-repo/store-dav"
+    version: "0.2.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-store-dav.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-ldap-server"
+    chart: "ums-repo/ldap-server"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-ldap-server.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-ldap-notifier"
+    chart: "ums-repo/ldap-notifier"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-ldap-notifier.gotmpl"
+      - "values-ldap-notifier.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-udm-rest-api"
+    chart: "ums-repo/udm-rest-api"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-udm-rest-api.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-stack-data-ums"
+    chart: "ums-repo/stack-data-ums"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-stack-data-ums.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-stack-data-swp"
+    chart: "ums-repo/stack-data-swp"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-stack-data-swp.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-portal-server"
+    chart: "ums-repo/portal-server"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-server.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-notifications-api"
+    chart: "ums-repo/notifications-api"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-notifications-api.gotmpl"
+      - "values-notifications-api.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-portal-listener"
+    chart: "ums-repo/portal-listener"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-listener.gotmpl"
+      - "values-portal-listener.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-portal-frontend"
+    chart: "ums-repo/portal-frontend"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-frontend.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-umc-gateway"
+    chart: "ums-repo/umc-gateway"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-umc-gateway.gotmpl"
+      - "values-umc-gateway.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-umc-server"
+    chart: "ums-repo/umc-server"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-umc-server.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "univention-management-stack"
+...

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -0,0 +1,14 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
+    enabled: false
+    secretName: ""

helmfile/apps/univention-management-stack/values-common.yaml

@@ -1,8 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+
 istio:
   enabled: false
-  virtualService:
-    enabled: false
-...

helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl

@@ -0,0 +1,20 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsLdapNotifier.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsLdapNotifier.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+volumes:
+  claims:
+    shared-data: "shared-data-ums-ldap-server-0"
+    shared-run: "shared-run-ums-ldap-server-0"
+
+...

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -0,0 +1,44 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+ldapServer:
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+
+  # TODO: Certificates handling
+  # caCert: ""
+  # certPem: ""
+  # privateKey: ""
+  # dhParam: ""
+  tlsMode: "off"
+
+  # TODO: SAML integration
+  # samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
+  # samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
+  # serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsLdapServer.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsLdapServer.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+# TODO: Pending upstream support, #199
+persistence:
+  data:
+    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
+  shared:
+    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
+
+
+resources:
+  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+postgresql:
+  bundled: false
+  connection:
+    host: "postgresql"
+    port: 5432
+  auth:
+    username: "notificationsapi_user"
+    database: "notificationsapi"
+    password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsNotificationsApi.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsNotificationsApi.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-notifications-api.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+notificationsapi:
+  apply_database_migrations: "True"
+  dev_mode: "False"
+  environment: "staging"
+  log_level: "DEBUG"
+  sql_echo: "False"
+  api_prefix: "/univention/portal/notifications-api"
+
+...

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalFrontend.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsPortalFrontend.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+extraIngresses:
+  redirects:
+    # The TLS configuration is on the "master" Ingress, see below.
+    tls:
+      enabled: false
+  master:
+    enabled: {{ .Values.ingress.enabled }}
+    tls:
+      enabled: {{ .Values.ingress.tls.enabled }}
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+resources:
+  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -0,0 +1,54 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+portalListener:
+  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  environment: "staging"
+  debugLevel: "4"
+  assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
+  ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapHost: "ums-ldap-server"
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  notifierServer: "ums-ldap-notifier"
+  portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUsername: "cn=admin"
+
+  tlsMode: "off"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalListener.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsPortalListener.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+  waitForDependency:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
+    imagePullPolicy: "Always"
+    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+
+# TODO: Pending upstream support, #200
+persistence:
+  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.univentionManagementStack.portalListener }}"
+
+resources:
+  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
+
+resourcesDependencyWaiter:
+  {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
+
+...