chore(release): 0.5.0 [skip ci]

# [0.5.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.9...v0.5.0) (2023-09-27)

### Bug Fixes

* **element:** Move the static configuration into the values.yaml ([f22619b](f22619bd8e))
* **element:** Specify resources for the guest module init container ([275798c](275798c1d6))

### Features

* **element:** Activate the guest module ([5ad25ac](5ad25acafd))

.gitlab-ci.yml

@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
-  - project: "souvap/tooling/gitlab-config"
+  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
     ref: "main"
     file:
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"
-  - project: "souvap/devops/sovereign-workplace-env"
+  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     file: "gitlab/environments.yaml"
+    rules:
+      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
 
 stages:
   - ".pre"
@@ -20,22 +22,17 @@ stages:
   - "component-deploy-stage-2"
   - "tests"
   - "env-stop"
-  - "post"
+  - "generate-release-assets"
+  - ".post"
 
 variables:
   NAMESPACE:
     description: "The name of namespaces to deploy to."
     value: ""
   CLUSTER:
-    description: "Define which cluster to use"
-    value: "develop"
-    options:
-      - "dev"
-      - "qa"
-      - "ref"
-      - "develop"
-      - "hubble"
-      - "prototype"
+    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
+      sovereign-workplace-env included above."
+    value: "dev"
   BASE_DOMAIN:
     description: "Define the Cluster Base Domain."
     value: "souvap.cloud"
@@ -61,10 +58,13 @@ variables:
       - "yes"
       - "no"
   DEPLOY_UCS:
-    description: "Enable Univention Corporate Server deployment."
+    description: >-
+      Enable Univention Corporate Server deployment.
+      "ums-eval" does deploy the Univention Management Stack instead of the UCS container.
     value: "no"
     options:
       - "yes"
+      - "ums-eval"
       - "no"
   DEPLOY_PROVISIONING:
     description: "Enable Provisioning Components."
@@ -78,6 +78,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_ELEMENT:
+    description: "Enable Element deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_KEYCLOAK:
     description: "Enable Keycloak deployment."
     value: "no"
@@ -126,9 +132,18 @@ variables:
     options:
       - "yes"
       - "no"
-  TESTS_PROJECT_URL:
-    description: "URL of the E2E-test gitlab project API with project ID."
-    value: "gitlab.souvap-univention.de/api/v4/projects/6"
+  TESTS_BRANCH:
+    description: "Branch of E2E-tests on which the test pipeline is triggered"
+    value: "main"
+  RUN_UMS_TESTS:
+    description: "Run E2E test suite of SouvAP Dev team"
+    value: "no"
+    options:
+      - "yes"
+      - "no"
+  UMS_TESTS_BRANCH:
+    description: "Branch of E2E test suite of SouvAP Dev team"
+    value: "main"
   # please use the following set of variables with normalized names:
   DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
   ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -138,23 +153,6 @@ variables:
   dependencies: []
   extends: ".environments"
   image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
-  secrets:
-    SMTP_PASSWORD:
-      vault:
-        engine:
-          name: "kv-v2"
-          path: "swp"
-        path: "accounts/brained/mail/relay@souvap-univention.de"
-        field: "password"
-      file: false
-    TURN_CREDENTIALS:
-      vault:
-        engine:
-          name: "kv-v2"
-          path: "swp"
-        path: "accounts/souvap-univention.de/develop/turn/secret"
-        field: "credentials"
-      file: false
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
     # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -192,7 +190,7 @@ env-cleanup:
 env-start:
   environment:
     name: "${NAMESPACE}"
-    url: "https://portal.${NAMESPACE}.${SWP_DOMAIN}"
+    url: "https://portal.${DOMAIN}"
     on_stop: "env-stop"
   extends: ".deploy-common"
   image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
@@ -233,7 +231,7 @@ ucs-deploy:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
           $NAMESPACE =~ /.+/ &&
-          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no")
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS == "yes")
       when: "always"
   variables:
     COMPONENT: "univention-corporate-container"
@@ -250,6 +248,18 @@ provisioning-deploy:
   variables:
     COMPONENT: "provisioning"
 
+ums-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          $DEPLOY_UCS == "ums-eval"
+      when: "always"
+  variables:
+    COMPONENT: "univention-management-stack"
+
 keycloak-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
@@ -278,6 +288,7 @@ keycloak-bootstrap-deploy:
 ox-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
+  timeout: "30m"
   rules:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -359,6 +370,18 @@ jitsi-deploy:
   variables:
     COMPONENT: "jitsi"
 
+element-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ELEMENT != "no")
+      when: "always"
+  variables:
+    COMPONENT: "element"
+
 env-stop:
   extends: ".deploy-common"
   environment:
@@ -393,67 +416,183 @@ run-tests:
       when: "always"
   script:
     - |
-      COMPONENTS="login or portal or profile or navigation"
-      if [ "${DEPLOY_ALL_COMPONENTS}" != "no" ]; then
-        COMPONENTS="${COMPONENTS} or collabora or ics or jitsi or keycloak or nextcloud or openproject or ox or ucs \
-          or xwiki"
-      else
-        [ "${DEPLOY_COLLABORA}" != "no" ] && COMPONENTS="${COMPONENTS} or collabora"
-        [ "${DEPLOY_ICS}" != "no" ] && COMPONENTS="${COMPONENTS} or ics"
-        [ "${DEPLOY_JITSI}" != "no" ] && COMPONENTS="${COMPONENTS} or jitsi"
-        [ "${DEPLOY_KEYCLOAK}" != "no" ] && COMPONENTS="${COMPONENTS} or keycloak"
-        [ "${DEPLOY_NEXTCLOUD}" != "no" ] && COMPONENTS="${COMPONENTS} or nextcloud"
-        [ "${DEPLOY_OPENPROJECT}" != "no" ] && COMPONENTS="${COMPONENTS} or openproject"
-        [ "${DEPLOY_OX}" != "no" ] && COMPONENTS="${COMPONENTS} or ox"
-        [ "${DEPLOY_UCS}" != "no" ] && COMPONENTS="${COMPONENTS} or ucs"
-        [ "${DEPLOY_XWIKI}" != "no" ] && COMPONENTS="${COMPONENTS} or xwiki"
-      fi
-
-      echo "Gathering passwords from UCS container ..."
       UCS_CONTAINER_NAME=$( \
-        kubectl -n ${NAMESPACE} get pods --no-headers \
-        --selector 'app.kubernetes.io/instance=univention-corporate-container' \
-       | awk '{print $1}' \
+        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
+          'app.kubernetes.io/instance=univention-corporate-container' \
+        | grep Running \
+        | awk '{print $1}' \
       )
-      echo "UCS_CONTAINER_NAME: ${UCS_CONTAINER_NAME}"
       DEFAULT_USER_PASSWORD=$( \
         kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
         | grep DEFAULT_ACCOUNT_USER_PASSWORD \
         | awk '{print $2}' \
       )
-      DEFAULT_ADMIN_PASSWORD=$( \
+      DEFAULT_ADMIN_PASSWORD=$(
         kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
         | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
         | awk '{print $2}' \
       )
 
-      echo "triggering test pipeline ..."
-      curl -X POST \
-        -F "ref=main" \
-        -F "token=${CI_JOB_TOKEN}" \
-        -F "variables[url]=https://portal.${DOMAIN}" \
-        -F "variables[user_name]=${DEFAULT_USER_NAME}" \
-        -F "variables[user_password]=${DEFAULT_USER_PASSWORD}" \
-        -F "variables[admin_name]=${DEFAULT_ADMIN_NAME}" \
-        -F "variables[admin_password]=${DEFAULT_ADMIN_PASSWORD}" \
-        -F "variables[components]=\"${COMPONENTS}\"" \
-        https://${TESTS_PROJECT_URL}/trigger/pipeline
+      curl --request POST \
+      --header "Content-Type: application/json" \
+      --data "{ \
+        \"ref\": \"${TESTS_BRANCH}\", \
+        \"token\": \"${CI_JOB_TOKEN}\", \
+        \"variables\": { \
+          \"url\": \"https://portal.${DOMAIN}\", \
+          \"user_name\": \"${DEFAULT_USER_NAME}\", \
+          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
+          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
+          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
+          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
+          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
+          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
+          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
+          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
+          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
+          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
+          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
+          \"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
+          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
+          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
+        } \
+      }" \
+      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
 
+run-souvap-dev-tests:
+  extends: ".deploy-common"
+  environment:
+    name: "${NAMESPACE}"
+  tags:
+    - "docker"
+    - "kubernetes"
+    - "${CLUSTER}"
+  stage: "tests"
+  rules:
+    - if: >
+        $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
+      when: "always"
+  script:
+    - |
+      UCS_CONTAINER_NAME=$( \
+        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
+          'app.kubernetes.io/instance=univention-corporate-container' \
+        | grep Running \
+        | awk '{print $1}' \
+      )
+      DEFAULT_USER_PASSWORD=$( \
+        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
+        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
+        | awk '{print $2}' \
+      )
+      DEFAULT_ADMIN_PASSWORD=$(
+        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
+        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
+        | awk '{print $2}' \
+      )
+
+      curl --request POST \
+      --header "Content-Type: application/json" \
+      --data "{ \
+        \"ref\": \"${UMS_TESTS_BRANCH}\", \
+        \"token\": \"${CI_JOB_TOKEN}\", \
+        \"variables\": { \
+          \"portal_base_url\": \"https://portal.${DOMAIN}\", \
+          \"username\": \"${DEFAULT_USER_NAME}\", \
+          \"password\": \"${DEFAULT_USER_PASSWORD}\", \
+          \"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"keycloak_base_url\": \"https://id.${DOMAIN}\" \
+        } \
+      }" \
+      "https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
+
+generate-release-assets:
+  stage: "generate-release-assets"
+  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "always"
+    - when: "never"
+  script:
+    - |
+      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
+      cd opendesk-asset-generator
+      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
+      ./opendesk_asset_generator.py
+      mv ./build_artefacts ${CI_PROJECT_DIR}
+      cd ..
+      rm -rf opendesk-asset-generator
+      ls -l ./build_artefacts
+  artifacts:
+    paths:
+      - "./build_artefacts/chart-index.json"
+      - "./build_artefacts/image-index.json"
+  tags: []
+  variables:
+    ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
+
+
+# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
+# 'cache' is used because job must contain at least one key, so cache is just a dummy key.
+.environments:
+  cache: {}
 
 # Overwrite shared settings
 .common-semantic-release:
   image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
-  except:
-    - "tags"
-    - "web"
+  tags: []
 
 common-yaml-linter:
-  except:
-    - "tags"
-    - "web"
+  rules:
+    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+      when: "never"
+    - when: "always"
 
 reuse-linter:
   allow_failure: false
-  except:
-    - "tags"
-    - "web"
+  rules:
+    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+      when: "never"
+    - when: "always"
+
+generate-release-version:
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false'"
+      when: "always"
+
+release:
+  dependencies:
+    - "generate-release-assets"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "always"
+  script:
+    - |
+      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
+      {
+        "branches": ["main"],
+        "plugins": [
+          ["@semantic-release/gitlab",
+            {
+              "assets": [
+                { "path": "./build_artefacts/chart-index.json",
+                  "label": "Chart Index JSON" },
+                { "path": "./build_artefacts/image-index.json",
+                  "label": "Image Index JSON" },
+              ]
+            }
+          ],
+          "@semantic-release/release-notes-generator",
+          "@semantic-release/changelog",
+          ["@semantic-release/git", {
+            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md"],
+            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+          }]
+        ]
+      }
+      EOF
+    - "semantic-release"
+...

.reuse/dep5

@@ -0,0 +1,8 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: openDesk
+Upstream-Contact: <git+bmi-souveraener-arbeitsplatz-cla-1339-29pr0g9pj4or9yi6wfly6pbhg-issue@opencode.de>
+Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace
+
+Files: helmfile/environments/default/theme/*
+Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+License: Apache-2.0

CHANGELOG.md

@@ -1,3 +1,323 @@
+# [0.5.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.9...v0.5.0) (2023-09-27)
+
+
+### Bug Fixes
+
+* **element:** Move the static configuration into the values.yaml ([f22619b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f22619bd8ef11cb43147ef19dcff2c02d9fe0503))
+* **element:** Specify resources for the guest module init container ([275798c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/275798c1d6aa47ef33fbb0da3bb03a86d3e4b0ee))
+
+
+### Features
+
+* **element:** Activate the guest module ([5ad25ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5ad25acafd54d19dd2ed330b19f7860aff5d49f4))
+
+## [0.4.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.8...v0.4.9) (2023-09-27)
+
+
+### Bug Fixes
+
+* **nextcloud:** Bump Helm chart to add app "groupfolders" ([62b767e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/62b767ef38c8eae2874b20a9aa51e85d2a3fe5a3))
+
+## [0.4.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.7...v0.4.8) (2023-09-26)
+
+
+### Bug Fixes
+
+* **openproject:** Digest rollback ([9acce08](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9acce081397c06426820b61f39c9aa0dcc1234a5))
+
+## [0.4.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.6...v0.4.7) (2023-09-26)
+
+
+### Bug Fixes
+
+* **helmfile:** Add timeout for database services ([98ec02f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/98ec02f230f1691eb8c17d8d3552fceda329bf7c))
+* **openproject:** Image digest ([b340373](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b340373133ad973cfd6a3632adc9a74a23419cc7))
+
+## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)
+
+
+### Bug Fixes
+
+* **openproject:** Use renamed registry open_desk ([a37faf3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a37faf3b5769aea9944ffa7626096c16296dcc85))
+
+## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26)
+
+
+### Bug Fixes
+
+* **helmfile:** Streamline timeouts ([2703615](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2703615dffb2ba5c70704a4f08bb0485629218f3))
+
+## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25)
+
+
+### Bug Fixes
+
+* **open-xchange:** Updates for mail templates and mail export ([ae3d0da](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ae3d0daa117d3d0ff307f379590394914a757546))
+
+## [0.4.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.2...v0.4.3) (2023-09-25)
+
+
+### Bug Fixes
+
+* **nextcloud:** Update image to 27.1.1 ([ce7e5f6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ce7e5f670a4dbc980eb8be73e5f7d15b27e8b1de))
+
+## [0.4.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.1...v0.4.2) (2023-09-21)
+
+
+### Bug Fixes
+
+* **nextcloud:** Add Nextcloud app for OpenProject integration; Bump Collabora Image ([f46c8a9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f46c8a9a5f4f9778cb171d65e9a0280e4ce61c16))
+
+## [0.4.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.0...v0.4.1) (2023-09-19)
+
+
+### Bug Fixes
+
+* **univention-management-stack:** Remove doublette triple dashes in helmfile.yaml ([41b9afb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41b9afb3648a0e1fddc5aa4337cc1501756b370c))
+
+# [0.4.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.2...v0.4.0) (2023-09-18)
+
+
+### Features
+
+* **ci:** Optionally trigger E2E tests of the SouvAP Dev team ([a99c088](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a99c088361b95b2bb7ee2b161e3a254f02bcd9ae))
+
+## [0.3.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.1...v0.3.2) (2023-09-14)
+
+
+### Bug Fixes
+
+* **helmfile:** Fix linter issues ([1514678](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1514678db00d32c1463d8fc496c0e6d1c2a2df96))
+* **univention-management-stack:** Add "commonLabels" into helmfile ([16c08f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16c08f82c9b4934567bb3b9c7fccab754bfad494))
+* **univention-management-stack:** Add Helm charts ([a74d662](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a74d66240423fd5ba87854cc2b71132f11271ec7))
+* **univention-management-stack:** Add switch "univentionManagementStack.enabled" ([471a2fa](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/471a2fa26205b8ca3afb5eeeb4524897a57f5c20))
+* **univention-management-stack:** Adjust Ingress configuration for portal-server ([13bcd78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/13bcd785e8f7db22d20903020e0cdd28094309a9))
+* **univention-management-stack:** Adjust Ingress configuration for umc ([320da3b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/320da3bec3a49d974765e567878d5c2f2b4e93ef))
+* **univention-management-stack:** Adjust Ingress configuration of notifications-api ([5e1a7b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5e1a7b19e278147d010c48dac2da111f828dd115))
+* **univention-management-stack:** Adjust ingress configuration of the portal-frontend ([c54bab1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c54bab165bf81854471d790200781b4181eba22a))
+* **univention-management-stack:** Adjust Ingress configuration of udm-rest-api ([c61b1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c61b1b828150caa8d2fe1a5b9f0a862b2fbef4f1))
+* **univention-management-stack:** Adjust Ingress conifguration of store-dav ([96097e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/96097e470483a5251acd81eb772da70ad7f55137))
+* **univention-management-stack:** Configure cookie banner data ([12c931f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/12c931fcff5536116af11df1c9c0468429949fe2))
+* **univention-management-stack:** Define resource requests and limits ([2f8a298](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2f8a2989250ea0f3b50dd3417f214a8864fe62d0))
+* **univention-management-stack:** Disable istio for the stack ([4835a2b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4835a2beec408ec6267177f82257edd9ccb0d937))
+* **univention-management-stack:** Prepare persistence configuration ([7ab1cb5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ab1cb5c7e7bca85394eae2ed17141e513dd5a42))
+* **univention-management-stack:** Process bases before releases ([ec3f1d9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ec3f1d96ac17cf1fb9d34ab692240460d5bd4ba1))
+* **univention-management-stack:** Set externalDomainName for bootstrapping the stack ([0ba71f2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ba71f2749eaf51b09429a5f3c705bd0075c1efa))
+* **univention-management-stack:** Split templated from static values ([09079a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/09079a13031be7894a34bf92945bd25a040c2290))
+* **univention-management-stack:** Split values into templated and static ([d3c4390](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d3c439038a2551ec90324ab8659d24b65b223d4f))
+* **univention-management-stack:** Update portal-listener to leverage dependency waiting ([c840608](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c84060811229bb131bcd473a9e4668dfa73f97d7))
+* **univention-management-stack:** Use global secrets to fill initialPasswordAdministrator ([a4bab40](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a4bab4068dc298056ed864e60a244d49a2934c8b))
+* **univention-management-stack:** Use global secrets to populate ldap related secrets ([9409ad8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9409ad829a725c84ebc3de5d1c4d42fe735e9d0c))
+* **univention-management-stack:** Use global secrets to set store-dav related passwords ([90019e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/90019e3ef6de5e4ed1742ee9ddc3bbb256cd3dec))
+* **univention-management-stack:** Use ldap base DN "dc=swp-ldap,dc=internal" ([77e362f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/77e362f6bc053c5d456bf65649f15130ce53547c))
+* **univention-management-stack:** Use postgresql service for notifications-api ([fe0e0cd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fe0e0cdce4622352afbf74875adcae8324d769a3))
+* **univention-management-stack:** Use the prefix "ums-" for all releases ([edb25bd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/edb25bd7655beeefa73a62fb9a8c85e076c4cc2f))
+* **univention-management-stack:** Use the value "global.imagePullPolicy" ([15db5dc](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15db5dcbba33c39f752499f2d73c77cac32d1e8c))
+
+## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)
+
+
+### Bug Fixes
+
+* **collabora:** Update Ingress annotations and set securityContext ([b5583ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b5583caec10c24e3bfb312edcb2800e6a60a9b10))
+* **element:** Improve default container security settings ([882f1fb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/882f1fbc93ceb4ac33683d445e100e445798b202))
+* **element:** Update opendesk element version to 2.0.1 ([d725b93](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d725b937989987ffacf87d7a9ee05803dcdd4c93))
+* **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e120f5fb9a91b80ba71ce78eace99852b4da5fda))
+* **helmfile:** Update images and use a tag and digest together ([c7fc187](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c7fc187f14b78cdcc698abbbaec1ba0bbfc718a1))
+* **services:** Explicitly set securityContexts ([a799db0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a799db03c4115ba69303be1c265f7aefef95d659))
+* **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e1070eeb0602523c240a91dae1b0869a7cc42a78))
+
+# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)
+
+
+### Features
+
+* **ci:** Selective tests ([d2e7ac9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d2e7ac93481249e9eb7e5e1a41a6c6e333abe2dc))
+
+## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
+
+
+### Bug Fixes
+
+* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
+* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
+* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
+* **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ed7e5e428e5d9213a92f97dc03d72fa3e04334c2))
+* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
+* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
+* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
+* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
+* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
+
+## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
+
+
+### Bug Fixes
+
+* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
+* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
+* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
+* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
+* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
+* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
+* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
+* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
+
+## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
+
+
+### Bug Fixes
+
+* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e5ef639c22aad93fd2d0eb75f7a1ffc00d6cc9a))
+* **docs:** Add security part in README ([ff462ab](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ff462ab0dc2252cc7b517874f5337427b8d19053))
+* **docs:** Update scaling docs ([63a1e25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/63a1e2568e8c5ff62081c6e6594d2019c1aa4b74))
+* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c5ab1b81fecbce46788c50b282ed6d1770124fa5))
+* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4f2a8aeee4ee6c3d27b1c8a99bad14f603486be5))
+* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e68f7f28c937319d93f8afe1dbb302012f77233))
+* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cef11acbae28510809f9bfa13224dc3a6996207f))
+* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41d40c9b731b866da2666fa4ffa8cb6493737112))
+* **services:** Enable security context and use default increased security settings ([9a6d240](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9a6d2409a697f7e9811a0f4f8d31bb18bac1b926))
+* **services:** Fix image registry templates for postfix ([6321ff5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6321ff50a00203abbfb7f5822e67a3c0e00d4b01))
+* **services:** Replace image digest by tag ([f758293](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f7582932412f13b1a087d40459e97cf633b1a97e))
+* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5fbf86b6bc7b63c81b3ac07c5e0fa8cd464fdad1))
+* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9d7866480cee889fd3b3003b2eea313a6ed73344))
+
+## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)
+
+
+### Bug Fixes
+
+* **open-xchange:** Update images and Helm chart ([39565c7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/39565c7cfd89a8d1c2e645e3ecea28fba703ccc1))
+
+## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)
+
+
+### Bug Fixes
+
+* **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/387bd8715c5a1cf54733c6642cf57c6ef9a44316))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.4...v0.2.5) (2023-08-30)
+
+
+### Bug Fixes
+
+* **xwiki:** Theming and language of central navigation ([3d4d45f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3d4d45f7114e6e3bc353b8d6c5fdbcac4cb2460f))
+
+## [0.2.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.3...v0.2.4) (2023-08-29)
+
+
+### Bug Fixes
+
+* **element:** Apply the global theme to Element ([7f7eae8](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7f7eae8f99a6d8ad8085ad99c63af27b858ff9b7))
+
+## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29)
+
+
+### Bug Fixes
+
+* **ci:** Add central branding information ([a14c42f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/a14c42f6ed2e3d8e12af5d04cae1a4bb1336fb3d))
+
+## [0.2.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.1...v0.2.2) (2023-08-16)
+
+
+### Bug Fixes
+
+* **jitsi:** Allow configuration of LoadBalancer status field for patchJVB job ([7491582](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7491582c28c21e83a0bc6349fb68045472146aad))
+* **open-xchange:** Explicitly disable core-ui-middleware ingress ([06dc7a1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/06dc7a115d36841f1109f9e75aac844d934c2f4c))
+
+## [0.2.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.0...v0.2.1) (2023-08-16)
+
+
+### Bug Fixes
+
+* **keycloak:** Increase proxy-buffer-size for ingress-nginx ([d8adcc4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/d8adcc463adc8bec5a793a97977dddd89d7363cc))
+
+# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)
+
+
+### Bug Fixes
+
+* **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/4c21fd228654520bb71d56dc1bda96332334002b))
+
+
+### Features
+
+* **helmfile:** Implement private image/chart registry variables ([5788323](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/57883236219811d2a5fc422649b4f9b042a0ac22))
+
+## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15)
+
+
+### Bug Fixes
+
+* **jitsi:** Update support for NodePort setups with different ingress/egress ips ([de25789](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/de257893d4ff2b3e8ea1d6988c6bdde5ed1eae9a))
+
+## [0.1.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.0...v0.1.1) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support ([53796da](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53796dae660463207a460b387b6f3dd23ce20cd0))
+* **open-xchange:** Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1 ([390f2de](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/390f2dee5226b83855a6cca8bf1c0d0f5647ee34))
+
+# [0.1.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.6...v0.1.0) (2023-08-14)
+
+
+### Bug Fixes
+
+* **docs:** Typo ([ee684a7](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/ee684a78910ce721ea834e9ec2f4222ed37572c6))
+
+
+### Features
+
+* **element:** Add element component ([5f0ca92](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/5f0ca92a058e51a27aa56e35ebcf2048bad88671))
+
+## [0.0.6](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.5...v0.0.6) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Functional mailboxes auth settings update in AppSuite and Dovecot ([53948ea](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53948eae7648cc9785d2b8a813fc7e40b36aa3aa))
+
+## [0.0.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.4...v0.0.5) (2023-08-11)
+
+
+### Bug Fixes
+
+* **keycloak:** Improve digest image pinning ([b8a8932](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/b8a8932221ae4d6632c7d1f4a85f46fea01a92e7))
+
+## [0.0.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.3...v0.0.4) (2023-08-11)
+
+
+### Bug Fixes
+
+* **jitsi:** Fix identifiers in resources ([3a0b246](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3a0b246f83dc6a3ff19973959b3cf3c243c39025))
+
 ## [0.0.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.2...v0.0.3) (2023-08-10)
 
 

COMPONENTS-FUNCTIONAL.md

@@ -17,7 +17,7 @@ Functional components are the core of the SWP as they provide it's rich function
 
 ## File & Share - Nextcloud
 
-## Kollaboration - dOnlineZusammenarbeit 2.0
+## Kollaboration - Element
 
 ## Videokonferenzen - Jitsi
 
@@ -25,4 +25,4 @@ Functional components are the core of the SWP as they provide it's rich function
 
 ## Project Management - OpenProject
 
-## IAM - Univention Corporate Services
+## Portal & IAM - Univention Corporate Services

COMPONENTS-SERVICE.md

@@ -42,7 +42,7 @@ This service is used by:
 
 ## TURN Server
 
-- dOZ 2.0
+This services is used by:
 - Jitsi
 
 ## NFS

CONTRIBUTING.md

@@ -9,17 +9,17 @@ Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/b
 
 # How to contribute?
 
-When providing contributes to this project, please adhere to the standards and conventions described in further down in this document. Doing so please feel free to create merge requests.
+When providing contributes to this project, please adhere to the standards and conventions described further down in this document. Doing so please feel free to create merge requests.
 
 # Standards and conventions
 
 ## Branching
 
-We use of [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
+We use [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
 
 ## Verified commits
 
-We only allow verify commits:
+We only allow verified commits:
 - https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/
 - https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/
 - https://docs.gitlab.com/ee/user/project/repository/x509_signed_commits/
@@ -80,7 +80,7 @@ Due to DVS requirements:
 - we should avoid stand alone Manifests.
 - we do not use Operators and CRDs.
 
-In order to align the Helm files from various sources into an unified deployment of the SWP we make use of to [Helmfile](https://github.com/helmfile/helmfile).
+In order to align the Helm files from various sources into an unified deployment of the SWP we make use of [Helmfile](https://github.com/helmfile/helmfile).
 
 ## Tooling
 

README.md

@@ -8,10 +8,7 @@ SPDX-License-Identifier: Apache-2.0
 
 # Disclaimer August 2023
 
-The current state of the Sovereign Workplace misses the component
-_Element Starter Edition_ because it is not generally available yet.
-
-Also does the Sovereign Workplace contain components that are going to be
+The current state of the Sovereign Workplace contains components that are going to be
 replaced. Like for example the UCS dev container monolith will be substituted by
 multiple Univention Management Stack containers.
 
@@ -48,6 +45,15 @@ repository please use the [issues within this project](https://gitlab.opencode.d
 If you want to address other topics, please check the section
 ["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 
+# Releases
+
+All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
+
+Gitlab provides an [overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases) of this project.
+
+The following release artefacts are provided beside the default source code assets:
+- `chart-index.json`: An overview of all Helm charts used by the release.
+- `image-index.json`: An overview of all container images used by the release.
 # Deployment
 
 **Note for project members:** You can use the project's `dev` K8s cluster to set
@@ -67,8 +73,7 @@ These are the requirements of the Sovereign Workplace deployment:
 [HelmDiff](https://github.com/databus23/helm-diff)
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
-- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are
-working with Open-Xchange to get rid of this dependency.
+- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
 
 #### TLS Certificate
 
@@ -86,8 +91,6 @@ installation.
 | `DOMAIN`            | `souvap.cloud`        | External reachable domain                         |
 | `ISTIO_DOMAIN`      | `istio.souvap.cloud`  | External reachable domain for Istio Gateway       |
 | `MASTER_PASSWORD`   | `sovereign-workplace` | The password that seeds the autogenerated secrets |
-| `SMTP_PASSWORD`     |                       | Password for SMTP relay gateway                   |
-| `TURN_CREDENTIALS`  |                       | Credentials for coturn server                     |
 
 Please ensure that you set the DNS records pointing to the loadbalancer/IP for
 `DOMAIN` and `ISTIO_DOMAIN`.
@@ -152,6 +155,16 @@ and wait a little. After the deployment is finished some bootstrapping is
 executed which might take some more minutes before you can log in your new
 instance.
 
+## Offline deployment
+
+Before executing a [local deployment](#local-deployment), you can set following
+environment variables to use your own container image and helm chart registry:
+
+| name                         | description                    |
+|------------------------------|--------------------------------|
+| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
+| PRIVATE_IMAGE_REGISTRY_URL   | Your image registry url        |
+
 ## Logging in
 
 When successfully deployed the SWP, all K8s jobs from the deployment should be
@@ -183,26 +196,28 @@ for development and evaluation purposes only - they need to be replaced in
 production deployments. These components are grouped together in the
 subdirectory `/helmfile/apps/services`.
 
-| Component                   | Name                                | Default | Description                  | Type       |
-|-----------------------------|-------------------------------------|---------|------------------------------|------------|
-| Certificates                | `certificates.enabled`              | `true`  | TLS certificates             | Eval       |
-| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine             | Eval       |
-| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine             | Eval       |
-| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                    | Functional |
-| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                 | Functional |
-| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange  | Functional |
-| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing            | Functional |
-| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider            | Functional |
-| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                     | Eval       |
-| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                   | Functional |
-| OpenProject                 | `openproject.enabled`               | `true`  | Project management           | Functional |
-| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                    | Functional |
-| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning         | Functional |
-| Postfix                     | `postfix.enabled`                   | `true`  | MTA                          | Eval       |
-| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                     | Eval       |
-| Redis                       | `redis.enabled`                     | `true`  | Cache Database               | Eval       |
-| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal | Functional |
-| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                | Functional |
+| Component                   | Name                                | Default | Description                    | Type       |
+|-----------------------------|-------------------------------------|---------|--------------------------------|------------|
+| Certificates                | `certificates.enabled`              | `true`  | TLS certificates               | Eval       |
+| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
+| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
+| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
+| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
+| Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
+| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
+| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing              | Functional |
+| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
+| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       | Eval       |
+| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                     | Functional |
+| OpenProject                 | `openproject.enabled`               | `true`  | Project management             | Functional |
+| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                      | Functional |
+| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning           | Functional |
+| Postfix                     | `postfix.enabled`                   | `true`  | MTA                            | Eval       |
+| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                       | Eval       |
+| Redis                       | `redis.enabled`                     | `true`  | Cache Database                 | Eval       |
+| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal   | Functional |
+| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal   | Eval       |
+| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                  | Functional |
 
 
 #### Cluster capabilities
@@ -221,6 +236,12 @@ the application to your own database instances.
 
 | Component   | Name               | Type       | Parameter | Key                                    | Default                    |
 |-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
+| Element     | Synapse            | PostgreSQL |           |                                        |                            |
+|             |                    |            | Name      | `databases.synapse.name`               | `matrix`                   |
+|             |                    |            | Host      | `databases.synapse.host`               | `postgresql`               |
+|             |                    |            | Port      | `databases.synapse.port`               | `5432`                     |
+|             |                    |            | Username  | `databases.synapse.username`           | `matrix_user`              |
+|             |                    |            | Password  | `databases.synapse.password`           |                            |
 | Keycloak    | Keycloak           | PostgreSQL |           |                                        |                            |
 |             |                    |            | Name      | `databases.keycloak.name`              | `keycloak`                 |
 |             |                    |            | Host      | `databases.keycloak.host`              | `postgresql`               |
@@ -258,26 +279,90 @@ the application to your own database instances.
 ### Scaling
 
 The Replicas of components can be increased, while we still have to look in the
-actual scalability of the components (see column `Scales at least to 2`).
+actual scalability of the components (see column `Scaling (verified)`).
 
-| Component   | Name                   | Default | Service            | Scaling            | Scales at least to 2 |
-|-------------|------------------------|---------|--------------------|--------------------|----------------------|
-| ClamAV      | `replicas.clamav`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.clamd`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.freshclam`   | `1`     | :white_check_mark: | :x:                | not tested           |
-|             | `replicas.icap`        | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
-| Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | tested               |
-| Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Postfix     | `replicas.postfix`     | `1`     | :white_check_mark: | :x:                | not tested           |
-| XWiki       | `replicas.xwiki`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Component   | Name                   | Scaling (effective) | Scaling (verified) |
+|-------------|------------------------|:-------------------:|:------------------:|
+| ClamAV      | `replicas.clamav`      | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.clamd`       | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.freshclam`   |         :x:         |        :x:         |
+|             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
+| Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
+| Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
+| Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.synapse`     |         :x:         |       :gear:       |
+|             | `replicas.synapseWeb`  | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.wellKnown`   | :white_check_mark:  | :white_check_mark: |
+| Jitsi       | `replicas.jibri`       | :white_check_mark:  |       :gear:       |
+|             | `replicas.jicofo`      | :white_check_mark:  |       :gear:       |
+|             | `replicas.jitsi `      | :white_check_mark:  |       :gear:       |
+|             | `replicas.jvb `        |         :x:         |        :x:         |
+| Keycloak    | `replicas.keycloak`    | :white_check_mark:  |       :gear:       |
+| Nextcloud   | `replicas.nextcloud`   | :white_check_mark:  |       :gear:       |
+| OpenProject | `replicas.openproject` | :white_check_mark:  |       :gear:       |
+| Postfix     | `replicas.postfix`     |         :x:         |       :gear:       |
+| XWiki       | `replicas.xwiki`       | :white_check_mark:  |       :gear:       |
+
+
+### Mail/SMTP configuration
+
+To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from 
+the whole subdomain.
+
+```yaml
+smtp:
+  host:     # your SMTP host or IP-address
+  username: # username/email for authentication
+  password: # password for authentication, or via environment variable SMTP_PASSWORD
+```
+
+### TURN configuration
+
+Some components (Jitsi, Element) use for direct communication a TURN server.
+You can configure your own TURN server with these options:
+
+```yaml
+turn:
+  transport:   # "udp" or "tcp"
+  credentials: # turn credential string
+  server:      # configuration for unsecure connections
+    host:      # your TURN host or IP-address
+    port:      # server port
+  tls:         # configuration for secure connections
+    host:      # your TURN host or IP-address
+    port:      # server port
+```
+
+## Security
+
+This list gives you an overview of default security settings and if they comply with security standards:
+
+
+| Component  | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+| ClamAV     | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| Collabora  | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
+| Element    | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+|            | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  | 
+|            | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+|            | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+| Jitsi      | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
+|            | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| Keycloak   | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|            | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|            | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|            | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+| MariaDB    | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Postfix    | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| PostgreSQL | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 
 
 # Component integration
@@ -354,7 +439,7 @@ flowchart TD
     A[OX AppSuite]-->L
     D[OX Dovecot]-->L
     P[Portal/Admin]-->L
-    O[OpenProject]-->|in 2023|L
+    O[OpenProject]-->L
     X[XWiki]-->|in 2023|L
     A-->K
     N-->K
@@ -408,17 +493,14 @@ components we are going to cover various aspects:
 
 ## Tests
 
-There is a frontend end-to-end test suite that can get triggered if the
-deployment is performed via a Gitlab pipeline.
+The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
+The `DEPLOY_`-variables are used to determine which components should be tested.
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
+that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
+`<domain of gitlab>/api/v4/projects/<id>`.
 
-Currently, the test suite is in progress to be published, so right now it is
-only usable by project members. But that will change soon, and it could be used
-to create custom tests and perform them after deployment.
-
-The deployment pipeline provides a variable named `TESTS_PROJECT_URL` that
-points to the test pipeline residing in another Gitlab repository. At the end of
-the deployment the test pipeline is triggered. Tests are just performed for
-components that have been deployed prior.
+If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
+`TESTS_BRANCH` while creating a new pipeline.
 
 
 # Footnotes

helmfile.yaml

@@ -9,12 +9,14 @@ helmfiles:
   - path: "helmfile/apps/services/helmfile.yaml"
   - path: "helmfile/apps/keycloak/helmfile.yaml"
   - path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
+  - path: "helmfile/apps/univention-management-stack/helmfile.yaml"
   - path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
   - path: "helmfile/apps/intercom-service/helmfile.yaml"
   - path: "helmfile/apps/open-xchange/helmfile.yaml"
   - path: "helmfile/apps/nextcloud/helmfile.yaml"
   - path: "helmfile/apps/collabora/helmfile.yaml"
   - path: "helmfile/apps/jitsi/helmfile.yaml"
+  - path: "helmfile/apps/element/helmfile.yaml"
   - path: "helmfile/apps/openproject/helmfile.yaml"
   - path: "helmfile/apps/xwiki/helmfile.yaml"
   - path: "helmfile/apps/provisioning/helmfile.yaml"
@@ -31,12 +33,15 @@ environments:
   default:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
   dev:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/dev/values.yaml"
   prod:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/prod/values.yaml"
 ...

helmfile/apps/collabora/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "collabora-online"
-    url: "https://collaboraonline.github.io/online"
+  - name: "collabora-online-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://collaboraonline.github.io/online" }}
 
 releases:
   - name: "collabora-online"
-    chart: "collabora-online/collabora-online"
+    chart: "collabora-online-repo/collabora-online"
     version: "1.0.2"
     values:
       - "values.yaml"

helmfile/apps/collabora/values.gotmpl

@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
   tag: "{{ .Values.images.collabora.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
@@ -32,14 +33,9 @@ collabora:
   aliasgroups:
     - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 
-{{- if not (eq .Values.cluster.container.engine "containerd") }}
-# In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate:
-# Ref.: https://github.com/CollaboraOnline/online/issues/2800
-securityContext:
-  capabilities:
-    add:
-      - "MKNOD"
-{{- end }}
 
 replicaCount: {{ .Values.replicas.collabora }}
+
+resources:
+  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 ...

helmfile/apps/collabora/values.yaml

@@ -14,19 +14,74 @@ collabora:
 
 ingress:
   annotations:
-    # nginx
+    # Ingress NGINX
     nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/server-snippet: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
+    # NGINX
+    nginx.org/websocket-services: "collabora"
+    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
+    nginx.org/proxy-read-timeout: "600"
+    nginx.org/proxy-send-timeout: "600"
+    nginx.org/client-max-body-size: "0"
+    nginx.org/server-snippets: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
     # HAProxy
     haproxy.org/timeout-tunnel: "3600s"
     haproxy.org/backend-config-snippet: |
-     mode http
-      balance leastconn
-      stick-table type string len 2048 size 1k store conn_cur
-      http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
-      http-request track-sc1 url_param(WOPISrc)
-      stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
-      stick store-request url_param(WOPISrc)
-
+       balance url_param WOPISrc check_post
+       hash-type consistent
+    # HAProxy - Community: https://haproxy-ingress.github.io/
+    haproxy-ingress.github.io/timeout-tunnel: "3600s"
+    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
+    haproxy-ingress.github.io/config-backend: |
+      hash-type consistent
+      # block admin urls from outside
+      acl admin_url path_beg /cool/getMetrics
+      acl admin_url path_beg /cool/adminws/
+      acl admin_url path_beg /browser/dist/admin/admin.html
+      http-request deny if admin_url
 autoscaling:
   enabled: false
+
+serviceAccount:
+  create: true
+
+securityContext:
+  allowPrivilegeEscalation: true
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+      - "MKNOD"
+
+podSecurityContext:
+  fsGroup: 100
 ...

helmfile/apps/element/helmfile.yaml

@@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  - name: "opendesk-element-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
+
+releases:
+  - name: "opendesk-element"
+    chart: "opendesk-element-repo/opendesk-element"
+    version: "2.2.0"
+    values:
+      - "values-element.yaml"
+      - "values-element.gotmpl"
+    condition: "element.enabled"
+
+  - name: "opendesk-well-known"
+    chart: "opendesk-element-repo/opendesk-well-known"
+    version: "2.2.0"
+    values:
+      - "values-well-known.yaml"
+      - "values-well-known.gotmpl"
+    condition: "element.enabled"
+
+  - name: "opendesk-synapse-web"
+    chart: "opendesk-element-repo/opendesk-synapse-web"
+    version: "2.2.0"
+    values:
+      - "values-synapse-web.yaml"
+      - "values-synapse-web.gotmpl"
+    condition: "element.enabled"
+
+  - name: "opendesk-synapse"
+    chart: "opendesk-element-repo/opendesk-synapse"
+    version: "2.2.0"
+    values:
+      - "values-synapse.yaml"
+      - "values-synapse.gotmpl"
+    condition: "element.enabled"
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "element"
+
+bases:
+  - "../../bases/environments.yaml"
+...

helmfile/apps/element/values-element.gotmpl

@@ -0,0 +1,39 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  additionalConfiguration:
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.element.repository }}"
+  tag: "{{ .Values.images.element.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.element }}
+
+resources:
+  {{ .Values.resources.element | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-element.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-synapse-web.gotmpl

@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapseWeb.repository }}"
+  tag: "{{ .Values.images.synapseWeb.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.synapseWeb }}
+
+resources:
+  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-synapse-web.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-synapse.gotmpl

@@ -0,0 +1,60 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapse.repository }}"
+  tag: "{{ .Values.images.synapse.tag }}"
+
+configuration:
+  database:
+    host: "{{ .Values.databases.synapse.host }}"
+    name: "{{ .Values.databases.synapse.name }}"
+    user: "{{ .Values.databases.synapse.username }}"
+    password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
+
+  homeserver:
+    oidc:
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
+      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+
+    turn:
+      sharedSecret: {{ .Values.turn.credentials }}
+      servers:
+        {{- if .Values.turn.tls.host }}
+        - server: {{ .Values.turn.tls.host }}
+          port: {{ .Values.turn.tls.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- else if .Values.turn.server.host }}
+        - server: {{ .Values.turn.server.host }}
+          port: {{ .Values.turn.server.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- end }}
+    
+    guestModule:
+      image:
+        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+        registry: "{{ .Values.global.imageRegistry }}"
+        repository: "{{ .Values.images.synapseGuestModule.repository }}"
+        tag: "{{ .Values.images.synapseGuestModule.tag }}"
+
+persistence:
+  size: "{{ .Values.persistence.size.synapse }}"
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+
+replicaCount: {{ .Values.replicas.synapse }}
+
+resources:
+  {{ .Values.resources.synapse | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-synapse.yaml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  homeserver:
+    guestModule:
+      enabled: false
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10991
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 10991
+...

helmfile/apps/element/values-well-known.gotmpl

@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.wellKnown.repository }}"
+  tag: "{{ .Values.images.wellKnown.tag }}"
+
+ingress:
+  host: "{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.wellKnown }}
+
+resources:
+  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-well-known.yaml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  e2ee:
+    forceDisable: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/intercom-service/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "intercom-service"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
+  - name: "intercom-service-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable" }}
 
 releases:
   - name: "intercom-service"
-    chart: "intercom-service/intercom-service"
+    chart: "intercom-service-repo/intercom-service"
     version: "1.1.3"
     values:
       - "values.yaml"

helmfile/apps/intercom-service/values.gotmpl

@@ -29,6 +29,7 @@ ics:
     url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.intercom.repository }}"
   tag: "{{ .Values.images.intercom.tag }}"

helmfile/apps/jitsi/helmfile.yaml

@@ -2,16 +2,19 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "jitsi"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
-
+  - name: "jitsi-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
 releases:
   - name: "jitsi"
-    chart: "jitsi/sovereign-workplace-jitsi"
-    version: "1.1.0"
+    chart: "jitsi-repo/sovereign-workplace-jitsi"
+    version: "1.5.1"
     values:
       - "values-jitsi.gotmpl"
     condition: "jitsi.enabled"
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -12,15 +12,19 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
   tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
 
 settings:
-  jwtAppSecret: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+  jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 
 jitsi:
-  publicURL: "https://{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+  publicURL: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
   web:
     replicaCount: {{ .Values.replicas.jitsi }}
     image:
@@ -30,17 +34,17 @@ jitsi:
       enabled: "{{ .Values.ingress.enabled }}"
       ingressClassName: "{{ .Values.ingress.ingressClassName }}"
       hosts:
-        - host: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+        - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
           paths:
             - "/"
       tls:
         - secretName: "{{ .Values.ingress.tls.secretName }}"
           hosts:
-            - "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
     extraEnvs:
       TURN_ENABLE: "1"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jitsi | toYaml | nindent 6 }}
   prosody:
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
@@ -51,11 +55,11 @@ jitsi:
     {{- end }}
     extraEnvs:
       - name: "AUTH_TYPE"
-        value: "jwt"
+        value: "hybrid_matrix_token"
       - name: "JWT_APP_ID"
         value: "myappid"
       - name: "JWT_APP_SECRET"
-        value: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+        value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
       - name: TURNS_HOST
         value: "{{ .Values.turn.tls.host }}"
       - name: TURNS_PORT
@@ -69,7 +73,7 @@ jitsi:
       - name: TURN_CREDENTIALS
         value: "{{ .Values.turn.credentials }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.prosody | toYaml | nindent 6 }}
     persistence:
       size: "{{ .Values.persistence.size.prosody }}"
       storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
@@ -79,19 +83,19 @@ jitsi:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
       tag: "{{ .Values.images.jicofo.tag }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jicofoAuthPassword }}"
-      componentSecret: "{{ .Values.secrets.jitsiPlain.jicofoComponentPassword }}"
+      password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
+      componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jicofo | toYaml | nindent 6 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
       tag: "{{ .Values.images.jvb.tag }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jvbAuthPassword }}"
+      password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
       type: "{{ .Values.cluster.service.type }}"
   jibri:
@@ -100,18 +104,22 @@ jitsi:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
       tag: "{{ .Values.images.jibri.tag }}"
     recorder:
-      password: "{{ .Values.secrets.jitsiPlain.jibriRecorderPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jibriXmppPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
     resources:
-      {{ .Values.resources.openproject | toYaml | nindent 6 }}
+      {{ .Values.resources.jibri | toYaml | nindent 6 }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . }}
   {{- end }}
 
 patchJVB:
+  configuration:
+    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
+    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
   image:
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
     tag: "{{ .Values.images.jitsiPatchJVB.tag }}"

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-keycloak-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
+  - name: "sovereign-workplace-keycloak-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable" }}
 
 releases:
   - name: "sovereign-workplace-keycloak-bootstrap"
-    chart: "sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
+    chart: "sovereign-workplace-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
     version: "1.1.11"
     values:
       - "values-bootstrap.gotmpl"

helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl

@@ -19,6 +19,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.keycloakBootstrap.repository }}"
   tag: "{{ .Values.images.keycloakBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 resources:
   {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}

helmfile/apps/keycloak/helmfile.yaml

@@ -2,22 +2,29 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "bitnami"
-    url: "https://charts.bitnami.com/bitnami"
-  - name: "keycloak-theme"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
-  - name: "keycloak-extensions"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry-1.docker.io/bitnamicharts" }}
+  - name: "keycloak-theme-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable" }}
+  - name: "keycloak-extensions-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
 
 releases:
   - name: "keycloak-theme"
-    chart: "keycloak-theme/sovereign-workplace-theme"
-    version: "1.0.0"
+    chart: "keycloak-theme-repo/sovereign-workplace-theme"
+    version: "1.1.0"
     values:
       - "values-theme.gotmpl"
     condition: "keycloak.enabled"
   - name: "keycloak"
-    chart: "bitnami/keycloak"
+    chart: "bitnami-repo/keycloak"
     version: "12.2.0"
     values:
       - "values-keycloak.gotmpl"
@@ -26,7 +33,7 @@ releases:
     wait: true
     condition: "keycloak.enabled"
   - name: "keycloak-extensions"
-    chart: "keycloak-extensions/keycloak-extensions"
+    chart: "keycloak-extensions-repo/keycloak-extensions"
     version: "0.1.0"
     needs:
       - "keycloak"

helmfile/apps/keycloak/values-extensions.gotmpl

@@ -19,7 +19,7 @@ handler:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
     tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
-    imagePullPolicy: "Always"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   appConfig:
     smtpPassword: "{{ .Values.smtp.password }}"
     smtpHost: "{{ .Values.smtp.host }}"
@@ -32,12 +32,10 @@ proxy:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
     tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
-    imagePullPolicy: "Always"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   ingress:
     enabled: "{{ .Values.ingress.enabled }}"
     ingressClassName: "{{ .Values.ingress.ingressClassName }}"
-    annotations:
-      nginx.org/proxy-buffer-size: "8k"
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     tls:
       enabled: "{{ .Values.ingress.tls.enabled }}"

helmfile/apps/keycloak/values-extensions.yaml

@@ -11,11 +11,35 @@ global:
 handler:
   appConfig:
     captchaProtectionEnable: "False"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
 
 postgresql:
   enabled: false
 
 proxy:
-  image:
-    tag: "latest"
+  ingress:
+    annotations:
+      nginx.org/proxy-buffer-size: "8k"
+      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
 ...

helmfile/apps/keycloak/values-keycloak-idp.yaml

@@ -116,9 +116,9 @@ keycloakConfigCli:
             "enabled": true,
             "alwaysDisplayInConsole": false,
             "clientAuthenticatorType": "client-secret",
-            "secret": "$(CLIENT_SECRET_JITSI_PLAIN_PASSWORD)",
+            "secret": "$(CLIENT_SECRET_JITSI_PASSWORD)",
             "redirectUris": [
-              "https://$(JITSI_PLAIN_DOMAIN)/*"
+              "https://$(JITSI_DOMAIN)/*"
             ],
             "webOrigins": [
               "*"
@@ -135,7 +135,7 @@ keycloakConfigCli:
             "frontchannelLogout": true,
             "protocol": "openid-connect",
             "attributes": {
-              "post.logout.redirect.uris": "https://$(JITSI_PLAIN_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
+              "post.logout.redirect.uris": "https://$(JITSI_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
             },
             "authenticationFlowBindingOverrides": {},
             "fullScopeAllowed": true,

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -13,7 +13,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.keycloak.repository }}"
   tag: "{{ .Values.images.keycloak.tag }}"
-  digest: "{{ .Values.images.keycloak.digest }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 externalDatabase:
   host: "{{ .Values.databases.keycloak.host }}"
@@ -55,8 +55,8 @@ keycloakConfigCli:
       value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
     - name: "MATRIX_DOMAIN"
       value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
-    - name: "JITSI_PLAIN_DOMAIN"
-      value: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+    - name: "JITSI_DOMAIN"
+      value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
     - name: "ELEMENT_DOMAIN"
       value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
     - name: "INTERCOM_SERVICE_DOMAIN"
@@ -65,8 +65,8 @@ keycloakConfigCli:
       value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
     - name: "CLIENT_SECRET_MATRIX_PASSWORD"
       value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
-    - name: "CLIENT_SECRET_JITSI_PLAIN_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.jitsiPlain }}
+    - name: "CLIENT_SECRET_JITSI_PASSWORD"
+      value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
     - name: "CLIENT_SECRET_NCOIDC_PASSWORD"
       value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
     - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
@@ -81,6 +81,8 @@ keycloakConfigCli:
       value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
     - name: "LDAPSEARCH_USERNAME"
       value: "ldapsearch_keycloak"
+  resources:
+    {{ .Values.resources.keycloak | toYaml | nindent 4 }}
 
 resources:
   {{ .Values.resources.keycloak | toYaml | nindent 2 }}

helmfile/apps/keycloak/values-keycloak.yaml

@@ -54,5 +54,32 @@ keycloakConfigCli:
     - "--import.var-substitution.enabled=true"
   cache:
     enabled: false
+  containerSecurityContext:
+    enabled: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
 
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  runAsNonRoot: true
+
+podSecurityContext:
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
 ...

helmfile/apps/keycloak/values-theme.gotmpl

@@ -7,4 +7,7 @@ global:
   domain: "{{ .Values.global.domain }}"
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 ...

helmfile/apps/nextcloud/helmfile.yaml

@@ -2,33 +2,40 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
-  - name: "nextcloud"
-    url: "https://nextcloud.github.io/helm/"
+  - name: "opendesk-nextcloud-bootstrap-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
+    # yamllint enable rule:line-length
+  - name: "nextcloud-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://nextcloud.github.io/helm/" }}
 
 releases:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
-    version: "2.2.0"
+  - name: "opendesk-nextcloud-bootstrap"
+    chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
+    version: "3.1.2"
     wait: true
     waitForJobs: true
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
     condition: "nextcloud.enabled"
-    timeout: 1800
+    timeout: 900
 
   - name: "nextcloud"
-    chart: "nextcloud/nextcloud"
+    chart: "nextcloud-repo/nextcloud"
     version: "3.5.19"
     needs:
-      - "sovereign-workplace-nextcloud-bootstrap"
+      - "opendesk-nextcloud-bootstrap"
     values:
       - "values-nextcloud.gotmpl"
       - "values-nextcloud.yaml"
     condition: "nextcloud.enabled"
-    timeout: 1800
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -18,7 +18,7 @@ config:
 
   antivirus:
     {{- if .Values.clamavDistributed.enabled }}
-    host: "clamav-sovereign-workplace-icap"
+    host: "clamav-icap"
     {{- else if .Values.clamavSimple.enabled }}
     host: "clamav-simple"
     {{- end }}
@@ -44,6 +44,7 @@ config:
     password: "{{ .Values.smtp.password }}"
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.nextcloud.repository }}"
   tag: "{{ .Values.images.nextcloud.tag }}"
@@ -64,4 +65,7 @@ persistence:
 
 resources:
   {{ .Values.resources.nextcloud | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 ...

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -11,6 +11,9 @@ config:
     userOidc:
       username: "ncoidc"
 
+  ldapSearch:
+    host: "univention-corporate-container"
+
 cleanup:
   deletePodsOnSuccess: false
 ...

helmfile/apps/nextcloud/values-nextcloud.gotmpl

@@ -25,7 +25,7 @@ ingress:
         - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.nextcloud.tag }}"
   pullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

helmfile/apps/nextcloud/values-nextcloud.yaml

@@ -21,6 +21,11 @@ cronjob:
         sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
         \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
 
+ingress:
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
+    nginx.org/client-max-body-size: "4G"
+
 internalDatabase:
   enabled: false
 postgresql:

helmfile/apps/open-xchange/helmfile.yaml

@@ -2,35 +2,48 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "dovecot"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
-  - name: "openxchange"
-    url: "registry.open-xchange.com"
+  - name: "dovecot-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable" }}
+  - name: "openxchange-repo"
     oci: true
-  - name: "sovereign-workplace-open-xchange-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry.open-xchange.com" }}
+  - name: "sovereign-workplace-open-xchange-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable" }}
 
 releases:
   - name: "dovecot"
-    chart: "dovecot/dovecot"
-    version: "1.2.0"
+    chart: "dovecot-repo/dovecot"
+    version: "1.3.1"
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"
     condition: "dovecot.enabled"
+    timeout: 900
+
   - name: "open-xchange"
-    chart: "openxchange/appsuite-public-sector/charts/appsuite-public-sector"
-    version: "1.2.13"
+    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
+    version: "2.0.4"
     values:
       - "values-openxchange.yaml"
       - "values-openxchange.gotmpl"
+      - "values-openxchange-enterprise-contact-picker.yaml"
+      - "values-openxchange-enterprise-contact-picker.gotmpl"
     condition: "oxAppsuite.enabled"
+    timeout: 900
+
   - name: "sovereign-workplace-open-xchange-bootstrap"
-    chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
-    version: "1.2.2"
+    chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
+    version: "1.3.1"
     values:
       - "values-openxchange-bootstrap.yaml"
     condition: "oxAppsuite.enabled"
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -7,6 +7,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   url: "{{ .Values.images.dovecot.repository }}"
   tag: "{{ .Values.images.dovecot.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}

helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl

@@ -0,0 +1,16 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
+  tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+...

helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml

@@ -2,22 +2,5 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: false
-
-# resources:
-#   limits:
-#     # The max amount of CPUs to consume.
-#     cpu: 1
-#     # The max amount of RAM to consume.
-#     memory: "1Gi"
-#   requests:
-#     # The amount of CPUs which has to be available on the scheduled node.
-#     cpu: 1
-#     # The amount of RAM which has to be available on the scheduled node.
-#     memory: "256Mi"
-
-# Keep default values:
-# coreMiddleware:
-#   statefulSet: "open-xchange-core-mw-default-0"
-#   pod: "open-xchange-core-mw-default-0"
+  deletePodsOnSuccess: true
 ...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl

@@ -0,0 +1,14 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+appsuite:
+  core-mw:
+    secretYAMLFiles:
+      ldap-client-config.yml:
+        contactsLdapClient:
+          auth:
+            adminDN:
+              password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml

@@ -0,0 +1,349 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+appsuite:
+  core-mw:
+
+    properties:
+      # Enterprise contact picker
+      com.openexchange.contacts.ldap.accounts: "opendesk"
+      com.openexchange.admin.bypassAccessCombinationChecks: "true"
+      ENABLE_INTERNAL_USER_EDIT: "false"
+
+    # Enterprise contact picker (see also gotmpl)
+    secretYAMLFiles:
+      ldap-client-config.yml:
+        contactsLdapClient:
+          pool:
+            type: "simple"
+            host:
+              address: "univention-corporate-container"
+              port: 389
+          auth:
+            type: "adminDN"
+            adminDN:
+              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+
+    uiSettings:
+      # Enterprise contact picker
+      io.ox/core//features/enterprisePicker/enabled: "true"
+
+    yamlFiles:
+      contacts-provider-ldap.yml:
+        # Example definitions of available LDAP contact providers, together with their corresponding configuration,
+        # referenced LDAP client connection settings and attribute mappings.
+        #
+        # This template contains examples and will be overwritten during updates. To use, copy this file to
+        # /opt/open-xchange/etc/contacts-provider-ldap.yml and configure as needed.
+        #
+        # Each configured contacts provider can be enabled for users using the corresponding identifier used in this
+        # .yml file. For this purpose, the config-cascade-enabled setting "com.openexchange.contacts.provider.ldap"
+        # is available.
+        #
+        # Besides the provider configuration in this file, also accompanying LDAP client and contact property mappings
+        # need to be referenced.
+        #
+        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
+        # for further details and a complete list of available configuration options.
+        #
+
+        # Key will be used as identifier for the contact provider
+        opendesk:
+
+          # The display name of this contacts provider.
+          name: "Example Address Lists"
+
+          # Configures the identifier of the LDAP client configuration settings to use, as defined in
+          # 'ldap-client-config.yml'. There, all further connection-related properties to access the LDAP server can
+          # be specified.
+          ldapClientId: "contactsLdapClient"
+
+          # A reference to the contact property <-> LDAP attribute mapping definitions to use, referencing the
+          # corresponding entry in the file 'contact-provider-ldap-mappings.yml'.
+          mappings: "ucs"
+
+          # Specifies if support for querying deleted objects is enabled or not. When enabled, deleted objects are
+          # identified with the filter 'isDeleted=TRUE', which is usually only available in Active Directory (as
+          # control with OID 1.2.840.113556.1.4.417). If disabled, no results are available for folders from this
+          # provider for the 'deleted' API call, and therefore no incremental synchronizations are possible. See also
+          # 'usedForSync' folders property. Defaults to "false".
+          isDeletedSupport: false
+
+          # Specifies the requested maximum size for paged results. "0" disables paged results. This should be
+          #  configured, especially when the there are server-side restrictions towards the maximum result size.
+          # Defaults to "500".
+          maxPageSize: 500
+
+          # Optionally enables a local cache that holds certain properties of all of the provider's contacts in
+          # memory to speed up access. Can only be used if no individual authentication is used to access the
+          # LDAP server.
+          cache:
+            useCache: false
+
+          # Definition of addressbook folders of the contacts provider. Different folder modes are possible, each
+          # one with its specific configuration settings. The template contains examples for all possible modes,
+          # however, only the one specified through 'mode' property is actually used.
+          folders:
+
+            # Configures in which mode addressbook folders are provided by the contacts provider. Possible modes
+            # are "fixedAttributes" to have a common search filter per folder that varies by a fixed set of possible
+            # attribute values, "dynamicAttributes" to use a common filter and retrieve all possible values
+            # dynamically, or "static" to have a static search filter associated with each contact folder.
+            # The corresponding mode-specific section needs to be configured as well.
+            mode: "dynamicAttributes"
+
+            # Configures if the addressbook folders can be synchronized to external clients via CardDAV or not.
+            # If set to "false", the folders are only available in the web client. If set to "true", folders can
+            # be activated for synchronization. Should only be enabled if attribute mappings for the 'changing_date'
+            # and 'uid' contact properties are available, and the LDAP server supports the special
+            # "LDAP Show Deleted Control" to query tombstone entries via 'isDeleted=TRUE'. The 'protected' flag
+            # controls whether the default value can be changed by the client or not.
+            usedForSync:
+              protected: true
+              defaultValue: false
+
+            # Defines whether addressbook folders will be available in the contact picker dialog of App Suite.
+            # If enabled, contacts from this provider can be looked up through this dialog, otherwise they are
+            # hidden. The 'protected' flag controls whether the default value can be changed by the client or not.
+            usedInPicker:
+              protected: false
+              defaultValue: true
+
+            # Defines whether addressbook folders will be shown as 'subscribed' folders in the tree or not.
+            # If enabled, the folders will appear in the contacts module of App Suite as regular, subscribed folder.
+            # Otherwise, they're treated as hidden, unsubscribed folders. The 'protected' flag controls whether
+            # the default value can be changed by the client or not.
+            shownInTree:
+              protected: false
+              defaultValue: true
+
+            # In "static" folder mode, a fixed list of folder definitions is used, each one with its own contact
+            # filter and name (the names must be unique). Additionally, a "commonContactFilter" needs to be
+            # defined, which is used for operations that are not bound to
+            # a specific folder, like lookups across all visible folders.
+            # The filter's search scopes relative to the LDAP client's 'baseDN' can be configured as "one"
+            # (only immediate subordinates) or "sub" (base entry itself and any subordinate entries to any depth),
+            # and all default to "sub" unless specified otherwise.
+            static:
+              commonContactFilter: "(|(objectClass=person)(objectClass=groupOfNames))"
+              commonContactSearchScope: "sub"
+              folders:
+                - name: "Cupertino"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Cupertino))"
+                  contactSearchScope: "sub"
+                - name: "San Mateo"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=San Mateo))"
+                  contactSearchScope: "sub"
+                - name: "Redwood Shores"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Redwood Shores))"
+                  contactSearchScope: "sub"
+                - name: "Armonk"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Armonk))"
+                  contactSearchScope: "sub"
+
+            # With mode "dynamic attributes", all possible values for one attribute are fetched periodically and
+            # serve as folders. The list of values is fetched by querying all entries that match the
+            # "contactFilterTemplate" (with the wildcard "*" as value) and "contactSearchScope" ("one"/"sub").
+            # Then, the folders are derived based on all distinct attribute values found, with the value as name.
+            # Depending on the configured authentication mode, this is either done per user individually, or globally.
+            # Therefore, per-user authentication is not recommend in this mode.
+            # The "refreshInterval" determines how often the list of attributes is refreshed, and can be defined
+            # using units of measurement:
+            # "D" (=days), "W" (=weeks), "H" (=hours) and "m" (=minutes). Defaults to "1h". The optional "sortOrder"
+            # allows to sort the attributes lexicographically, either "ascending" or "descending".
+            dynamicAttributes:
+              attributeName: "o"
+              contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
+              contactSearchScope: "sub"
+              # refreshInterval: 1h
+              refreshInterval: "5m"
+              sortOrder: "ascending"
+
+            # With mode "fixed attributes", all entries matching a filter and having an attribute set to one of the
+            # defined values do form a folder. Works similar to "dynamic attributes", but with a static list of
+            # possible values.
+            # All items defined in the "attributeValues" array are used as folder (with the value as name). When
+            # listing the contents of a specific folder, this folder's specific attribute value is inserted in the
+            # configured "contactFilterTemplate", using the "contactSearchScope" ("one"/"sub").
+            fixedAttributes:
+              contactFilterTemplate: "(&(|(objectClass=person)(objectClass=groupOfNames))(ou=[value]))"
+              contactSearchScope: "sub"
+              attributeValues:
+                - "Janitorial"
+                - "Product Development"
+                - "Management"
+                - "Human Resources"
+
+      contacts-provider-ldap-mappings.yml:
+        # Example definitions of contact property <-> LDAP attribute mappings.
+        #
+        # This template contains examples and will be overwritten during updates. To use, copy this file to
+        # /opt/open-xchange/etc/contacts-provider-ldap-mappings.yml and configure as needed.
+        #
+        # Each configured set of mappings can be used for an LDAP contact provider (as defined through separate
+        # file contacts-provider-ldap.yml), by using the corresponding identifier used in this .yml file.
+        #
+        # Generally, contact properties are set based on an entry's value of the mapped LDAP attribute name.
+        # Empty mappings are ignored. It's possible to define a second LDAP attribute name for a property that is
+        # used as fall-back if the first one is empty in an LDAP result, e.g. to define multiple attributes for a
+        # display name, or to have multiple mappings for contacts and distribution lists.
+        #
+        # For the data-types, each LDAP attribute value is converted/parsed to the type necessary on the server
+        # (Strings, Numbers, Booleans). Dates are assumed to be in UTC and parsed using the pattern 'yyyyMMddHHmmss'.
+        # Binary properties may be indicated by appending ';binary' to the LDAP attribute name. In order to assign
+        # the internal user- and context identifier based on attributes yielding the corresponding
+        # login information (username / contextname), the special appendix ';logininfo' can be used.
+        # Boolean properties may also be set based on a comparison with the LDAP attribute value, which is defined
+        # by the syntax '[LDAP_ATTRIBUTE_NAME]=[EXPECTED_VALUE]', e.g. to set the 'mark_as_distribution_list'
+        # property based on a specific 'objectClass' value.
+        # Alternatively, a Boolean value may also be assigned based on the the existence of any attribute value
+        # using '*'.
+        #
+        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
+        # for further details and a complete list of available configuration options.
+        #
+
+        # Mappings for a typical OpenLDAP server.
+        ucs:
+          # == ID Mappings =======================================================
+          # The object ID is always required and must be unique for the LDAP server. Will use the DN of the entry
+          # unless overridden.
+          # The 'guid' flag can be passed along to properly decode a Microsoft GUID. For 'regular' UUIDs, the
+          # flag 'binary' should be used.
+          objectid: "uidNumber,gidNumber"
+          # The user and context identifiers can be mapped to certain LDAP attributes to aid resolving contact
+          # entries to internal users, e.g. in scenarios where the default global addressbook folder is disabled.
+          # Will only be considered if an entry's context identifier matches the one from the actual session of
+          # the requesting operation.
+          # If used, they should be mapped to attributes that provide the matching rules "integerMatch" for
+          # "EQUALITY" as well as "integerOrderingMatch" for "ORDERING".
+          # Alternatively, if no internal context- or user identifier is available, also attributes yielding
+          # the corresponding login information (username / contextname) can be used by appending ';logininfo'
+          # to the attribute name.
+          internal_userid: "uid;logininfo"
+          contextid: "oxContextIDNum"
+          # The 'guid' flag can be passed along properly decode a Microsoft GUID. For 'regular' UUIDs in binary
+          # format, the flag 'binary' should be used.
+          # uid                   : entryUUID;binary;logininfo
+
+          # == String Mappings ===================================================
+          displayname: "oxDisplayName,displayName,name"
+          file_as: "oxDisplayName,displayName,name"
+          givenname: "givenName"
+          surname: "sn"
+          email1: "mailPrimaryAddress"
+          department: "oxDepartment,department"
+          company: "oxCompany,o"
+          branches: "oxBranches"
+          # business_category     :
+          postal_code_business: "postalCode"
+          state_business: "oxStateBusiness,st"
+          street_business: "streetAddress"
+          # telephone_callback    :
+          city_home: "oxCityHome"
+          commercial_register: "oxCommercialRegister"
+          country_home: "oxCountryHome"
+          email2: "oxEmail2"
+          email3: "oxEmail3"
+          employeetype: "employeeType"
+          fax_business: "oxFaxBusiness,facsimileTelehoneNumber"
+          fax_home: "oxFaxHome"
+          fax_other: "oxFaxOther"
+          instant_messenger1: "oxInstantMessenger1"
+          instant_messenger2: "oxInstantMessenger2"
+          telephone_ip: "oxTelephoneIp"
+          telephone_isdn: "internationaliSDNNumber"
+          marital_status: "oxMaritalStatus"
+          cellular_telephone1: "mobile"
+          # cellular_telephone2   :
+          nickname: "oxNickName"
+          number_of_children: "oxNumOfChildren"
+          number_of_employee: "employeeNumber"
+          note: "oxNote,description"
+          telephone_pager: "oxTelephonePager,pager"
+          telephone_assistant: "oxTelephoneAssistant"
+          telephone_business1: "oxTelephoneBusiness1,telephoneNumber"
+          telephone_business2: "oxTelephoneBusiness2"
+          telephone_car: "oxTelephoneCar"
+          telephone_company: "oxTelephoneCompany"
+          telephone_home1: "oxTelephoneHome1,homePhone"
+          telephone_home2: "oxTelephoneHome2"
+          telephone_other: "oxTelephoneOther"
+          postal_code_home: "oxPostalCodeHome"
+          # telephone_radio       :
+          room_number: "roomNumber"
+          sales_volume: "oxSalesVolume"
+          city_other: "oxCityOther"
+          country_other: "oxCountryOther"
+          middle_name: "oxMiddleName,middleName"
+          postal_code_other: "oxPostalCodeOther"
+          state_other: "oxStateOther"
+          street_other: "oxStreetOther"
+          spouse_name: "oxSpouseName"
+          state_home: "oxStateHome"
+          street_home: "oxStreetHome"
+          suffix: "oxSuffix"
+          tax_id: "oxTaxId"
+          telephone_telex: "oxTelephoneTelex,telexNumber"
+          telephone_ttytdd: "oxTelephoneTtydd"
+          url: "oxUrl,wWWHome"
+          userfield01: "oxUserfiels01"
+          userfield02: "oxUserfiels02"
+          userfield03: "oxUserfiels03"
+          userfield04: "oxUserfiels04"
+          userfield05: "oxUserfiels05"
+          userfield06: "oxUserfiels06"
+          userfield07: "oxUserfiels07"
+          userfield08: "oxUserfiels08"
+          userfield09: "oxUserfiels09"
+          userfield10: "oxUserfiels10"
+          userfield11: "oxUserfiels11"
+          userfield12: "oxUserfiels12"
+          userfield13: "oxUserfiels13"
+          userfield14: "oxUserfiels14"
+          userfield15: "oxUserfiels15"
+          userfield16: "oxUserfiels16"
+          userfield17: "oxUserfiels17"
+          userfield18: "oxUserfiels18"
+          userfield19: "oxUserfiels19"
+          userfield20: "oxUserfiels20"
+          city_business: "l"
+          country_business: "oxCountryBusiness,country"
+          # telephone_primary     :
+          # categories            :
+          title: "title"
+          position: "oxPosition"
+          profession: "oxProfession"
+
+          # == Date Mappings =====================================================
+          birthday: "oxBirthday"
+          anniversary: "oxAnniversary"
+          # The last-modified and creation dates are required by the groupware server, therefore an implicit
+          # default date is assumed when no LDAP attribute is mapped here, and no results are available for this
+          # folder for the 'modified' and 'deleted' API calls. Therefore, any synchronization-based usage will
+          # not be available.
+          lastmodified: "modifyTimestamp"
+          creationdate: "createTimestamp"
+
+          # == Misc Mappings =====================================================
+          # Distribution list members are resolved dynamically using the DNs found in the mapped LDAP attribute.
+          # Alternatively, if the attribute value does not denote a DN reference, the value is assumed to be the
+          # plain email address of the member.
+          distributionlist: "memberUid"
+          # Special mapping where the value is evaluated using a string comparison with, or the existence of
+          # the attribute value.
+          markasdistributionlist: "objectClass=posixGroup"
+          # The values for the for assistant- and manager name mappings are either used as-is, or get resolved
+          # dynamically using the DNs found
+          # in the mapped LDAP attribute.
+          assistant_name: "secretary"
+          manager_name: "oxManagerName,manager"
+          # Contact image, binary format is expected.
+          image1: "jpegPhoto"
+          # Special mapping where the value is evaluated using a string comparison with, or the existence of
+          # the attribute value.
+          number_of_images: "jpegPhoto=*"
+          # Will be set internally if not defined.
+          # image_last_modified   :
+          # Will be set automatically to "image/jpeg" if not defined.
+          # image1_content_type   :

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -34,6 +34,7 @@ public-sector-ui:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . }}
   {{- end }}
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 appsuite:
   istio:
@@ -52,6 +53,15 @@ appsuite:
   core-mw:
     masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
     hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+    gotenberg:
+      imagePullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+      {{- end }}
+      image:
+        repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}
+        tag: {{ .Values.images.openxchangeGotenberg.tag }}
+        pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     properties:
       "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
       "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -76,6 +86,16 @@ appsuite:
     uiSettings:
       "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
       "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
+      # Dynamic theme
+      io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
+      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+      io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
+      io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
+      io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
     secretETCFiles:
       # Format of the OX Guard master key:
       # MC+base64(20 random bytes)
@@ -86,6 +106,7 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreMW.repository }}
       tag: {{ .Values.images.openxchangeCoreMW.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     update:
       image:
         repository: {{ .Values.images.openxchangeCoreMW.repository }}
@@ -103,11 +124,13 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreUI.repository }}
       tag: {{ .Values.images.openxchangeCoreUI.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-ui-middleware:
     ingress:
       hosts:
         - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+      enabled: false
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . }}
@@ -115,6 +138,7 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
       tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-guidedtours:
     imagePullSecrets:
@@ -124,6 +148,7 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
       tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   guard-ui:
     imagePullSecrets:
@@ -133,11 +158,13 @@ appsuite:
     image:
       repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
       tag: {{ .Values.images.openxchangeGuardUI.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-user-guide:
     image:
       repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
       tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . }}

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -9,6 +9,8 @@ appsuite:
   core-mw:
     enabled: true
     masterAdmin: "admin"
+    gotenberg:
+      enabled: true
     features:
       status:
         # enable admin pack
@@ -22,6 +24,13 @@ appsuite:
         open-xchange-authentication-oauth: "enabled"
     properties:
       com.openexchange.UIWebPath: "/appsuite/"
+      # PDF Export
+      com.openexchange.capability.mail_export_pdf: "true"
+      com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
+      com.openexchange.mail.exportpdf.collabora.enabled: "true"
+      com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
+      com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
+      com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
       # OIDC
       com.openexchange.oidc.enabled: "true"
       com.openexchange.oidc.autologinCookieMode: "ox_direct"
@@ -55,16 +64,23 @@ appsuite:
       com.openexchange.mail.filter.server: "dovecot"
       com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
       # Capabilities
+      # Old capability can be used to toggle all integrations with a single switch
+      com.openexchange.capability.public-sector: "true"
+      # New capabilities in 2.0
+      com.openexchange.capability.public-sector-element: "false"
+      com.openexchange.capability.public-sector-navigation: "true"
       com.openexchange.capability.client-onboarding: "true"
       com.openexchange.capability.dynamic-theme: "true"
       com.openexchange.capability.filestorage_nextcloud: "true"
       com.openexchange.capability.filestorage_nextcloud_oauth: "true"
       com.openexchange.capability.guard: "true"
       com.openexchange.capability.guard-mail: "true"
-      com.openexchange.capability.public-sector: "true"
       com.openexchange.capability.smime: "true"
+      com.openexchange.capability.share_links: "false"
+      com.openexchange.capability.invite_guests: "false"
       # Secondary Accounts
       com.openexchange.mail.secondary.authType: "XOAUTH2"
+      com.openexchange.mail.transport.secondary.authType: "xoauth2"
       # Nextcloud integration
       com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
       com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
@@ -92,6 +108,13 @@ appsuite:
         bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
 
     uiSettings:
+      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
+      io.ox/core//features/enterprisePicker/showLauncher: "false"
+      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
+      # Text and icon color in the topbar
+      io.ox/dynamic-theme//topbarColor: "#000"
+      io.ox/dynamic-theme//logoWidth: "82"
+      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
       # Resources
       io.ox/core//features/resourceCalendars: "true"
       io.ox/core//features/managedResources: "true"
@@ -106,18 +129,8 @@ appsuite:
       # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
       io.ox/core//apps/quickLaunchCount: "0"
       io.ox/core//coloredIcons: "false"
-      # Dynamic theme
-      io.ox/dynamic-theme//mainColor: "#004B76"
-      io.ox/dynamic-theme//logoURL: "io.ox.public-sector/logo.svg"
-      io.ox/dynamic-theme//logoWidth: "80"
-      io.ox/dynamic-theme//topbarBackground: "#fff"
-      io.ox/dynamic-theme//topbarColor: "#1f1f1f"
-      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
-      io.ox/dynamic-theme//listSelected: "#ADC8F0"
-      io.ox/dynamic-theme//listHover: "#ddd"
-      io.ox/dynamic-theme//folderBackground: "#fff"
-      io.ox/dynamic-theme//folderSelected: "#ADC8F0"
-      io.ox/dynamic-theme//folderHover: "#ddd"
+      # Mail templates
+      io.ox/core//features/templates: "true"
 
     asConfig:
       default:

helmfile/apps/openproject/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "openproject"
-    url: "https://charts.openproject.org"
+  - name: "openproject-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://charts.openproject.org" }}
 
 releases:
   - name: "openproject"
-    chart: "openproject/openproject"
+    chart: "openproject-repo/openproject"
     version: "1.8.0"
     values:
       - "values.yaml"

helmfile/apps/openproject/values.gotmpl

@@ -10,7 +10,7 @@ global:
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.openproject.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.openproject.tag }}"
 
 memcached:
@@ -59,6 +59,8 @@ environment:
   OPENPROJECT_SMTP__PORT: "587" # (default=587)
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
   OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
 
 persistence:
   size: "{{ .Values.persistence.size.openproject }}"
@@ -68,4 +70,5 @@ replicaCount: {{ .Values.replicas.openproject }}
 
 resources:
   {{ .Values.resources.openproject | toYaml | nindent 2 }}
+
 ...

helmfile/apps/openproject/values.yaml

@@ -34,11 +34,32 @@ environment:
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
+  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
   OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
   OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
   OPENPROJECT_SMTP__AUTHENTICATION: "plain"
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
+  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
+  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
+  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
+    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
+  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
+  OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
+  OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
+  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
+  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
+  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
+    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
 
 ...

helmfile/apps/provisioning/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "ox-connector"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable"
+  - name: "ox-connector-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
 
 releases:
   - name: "ox-connector"
-    chart: "ox-connector/ox-connector"
+    chart: "ox-connector-repo/ox-connector"
     version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
     values:
       - "values-oxconnector.yaml"

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.oxConnector.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.oxConnector.tag }}"
 
 imagePullSecrets:

helmfile/apps/services/helmfile.yaml

@@ -2,72 +2,95 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-certificates"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable"
-  - name: "postgresql"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable"
-  - name: "mariadb"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable"
-  - name: "postfix"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable"
-  - name: "istio-resources"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable"
-  - name: "clamav"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable"
-  - name: "bitnami"
-    url: "https://charts.bitnami.com/bitnami"
+  - name: "sovereign-workplace-certificates-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
+  - name: "postgresql-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
+  - name: "mariadb-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
+  - name: "postfix-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" }}
+  - name: "istio-resources-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
+  - name: "clamav-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "registry-1.docker.io/bitnamicharts" }}
 
 releases:
   - name: "sovereign-workplace-certificates"
-    chart: "sovereign-workplace-certificates/sovereign-workplace-certificates"
-    version: "1.2.1"
+    chart: "sovereign-workplace-certificates-repo/sovereign-workplace-certificates"
+    version: "1.2.2"
     values:
       - "values-certificates.gotmpl"
     condition: "certificates.enabled"
   - name: "redis"
-    chart: "bitnami/redis"
-    version: "^17.9.3"
+    chart: "bitnami-repo/redis"
+    version: "18.0.4"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
     condition: "redis.enabled"
   - name: "postgresql"
-    chart: "postgresql/postgresql"
-    version: "2.0.0"
+    chart: "postgresql-repo/postgresql"
+    version: "2.0.2"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
     condition: "postgresql.enabled"
+    timeout: 900
   - name: "mariadb"
-    chart: "mariadb/mariadb"
-    version: "2.0.0"
+    chart: "mariadb-repo/mariadb"
+    version: "2.1.0"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
     condition: "mariadb.enabled"
+    timeout: 900
   - name: "postfix"
-    chart: "postfix/postfix"
-    version: "1.13.0"
+    chart: "postfix-repo/postfix"
+    version: "2.0.3"
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
     condition: "postfix.enabled"
   - name: "clamav"
-    chart: "clamav/sovereign-workplace-clamav"
-    version: "2.1.0"
+    chart: "clamav-repo/opendesk-clamav"
+    version: "4.0.0"
     values:
+      - "values-clamav-distributed.yaml"
       - "values-clamav-distributed.gotmpl"
     condition: "clamavDistributed.enabled"
   - name: "clamav-simple"
-    chart: "clamav/clamav-simple"
-    version: "2.1.0"
+    chart: "clamav-repo/clamav-simple"
+    version: "4.0.0"
     values:
+      - "values-clamav-simple.yaml"
       - "values-clamav-simple.gotmpl"
     condition: "clamavSimple.enabled"
   - name: "sovereign-workplace-gateway"
-    chart: "istio-resources/istio-gateway"
+    chart: "istio-resources-repo/istio-gateway"
     version: "1.1.2"
     values:
+      - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
     condition: "istio.enabled"
 

helmfile/apps/services/values-clamav-distributed.gotmpl

@@ -5,25 +5,23 @@ SPDX-License-Identifier: Apache-2.0
 ---
 clamd:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.clamd }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.clamd.repository }}"
     tag: "{{ .Values.images.clamd.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.clamd | toYaml | nindent 4 }}
 
 freshclam:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.freshclam }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.freshclam.repository }}"
     tag: "{{ .Values.images.freshclam.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.freshclam | toYaml | nindent 4 }}
 
@@ -37,18 +35,18 @@ icap:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.icap.repository }}"
     tag: "{{ .Values.images.icap.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.icap | toYaml | nindent 4 }}
 
 milter:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.milter }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.milter.repository }}"
     tag: "{{ .Values.images.milter.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.milter | toYaml | nindent 4 }}
 

helmfile/apps/services/values-clamav-distributed.yaml

@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  enabled: true
+  readOnlyRootFilesystem: true
+
+clamd:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+freshclam:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+icap:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+milter:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+...

helmfile/apps/services/values-clamav-simple.gotmpl

@@ -3,11 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
-podSecurityContext:
-  {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-  enabled: false
-
 replicaCount: {{ .Values.replicas.clamav }}
 
 image:
@@ -15,10 +10,12 @@ image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.clamd.repository }}"
     tag: "{{ .Values.images.clamd.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   icap:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.icap.repository }}"
     tag: "{{ .Values.images.icap.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 resources:
   {{ .Values.resources.clamd | toYaml | nindent 4 }}

helmfile/apps/services/values-clamav-simple.yaml

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+  fsGroupChangePolicy: "Always"
+...

helmfile/apps/services/values-istio-gateway.yaml

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+tls:
+  httpsRedirect: false
+...

helmfile/apps/services/values-mariadb.gotmpl

@@ -11,7 +11,10 @@ global:
 image:
   repository: "{{ .Values.images.mariadb.repository }}"
   tag: "{{ .Values.images.mariadb.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
+# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
+# Please refer to `databases.yaml` for details.
 job:
   users:
     - username: "xwiki_user"

helmfile/apps/services/values-mariadb.yaml

@@ -1,6 +1,25 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 job:
   enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
 ...

helmfile/apps/services/values-postfix.gotmpl

@@ -3,14 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
-  url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
-  digest: "{{ .Values.images.postfix.digest }}"
+global:
+  registry: {{ .Values.global.imageRegistry }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
-{{- end }}
+image:
+  registry: {{ .Values.global.imageRegistry }}
+  repository: "{{ .Values.images.postfix.repository }}"
+  tag: "{{ .Values.images.postfix.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 certificate:
   secretName: "{{ .Values.ingress.tls.secretName }}"

helmfile/apps/services/values-postfix.yaml

@@ -5,6 +5,19 @@ certificate:
   request:
     enabled: false
 
+containerSecurityContext:
+  allowPrivilegeEscalation: true
+  capabilities: {}
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
 postfix:
   hostname: "postfix"
   inetProtocols: "ipv4"

helmfile/apps/services/values-postgresql.gotmpl

@@ -11,6 +11,7 @@ global:
 image:
   repository: "{{ .Values.images.postgresql.repository }}"
   tag: "{{ .Values.images.postgresql.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 job:
   users:

helmfile/apps/services/values-postgresql.yaml

@@ -1,11 +1,29 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-enabled: true
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 job:
   image:
     digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
+
+
 postgres:
   user: "postgres"
 ...

helmfile/apps/services/values-redis.gotmpl

@@ -16,6 +16,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.redis.repository }}"
   tag: "{{ .Values.images.redis.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 master:
   persistence:

helmfile/apps/services/values-redis.yaml

@@ -8,4 +8,8 @@ sentinel:
 
 metrics:
   enabled: false
+
+master:
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
 ...

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "univention-corporate-container"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable"
+  - name: "univention-corporate-container-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" }}
 
 releases:
   - name: "univention-corporate-container"
-    chart: "univention-corporate-container/univention-corporate-container"
+    chart: "univention-corporate-container-repo/univention-corporate-container"
     version: "1.0.10"
     values:
       - "values.yaml"

helmfile/apps/univention-corporate-container/values.gotmpl

@@ -13,7 +13,7 @@ global:
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"
-  imagePullPolicy: "Always"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   repository: "{{ .Values.images.univentionCorporateServer.repository }}"
   tag: "{{ .Values.images.univentionCorporateServer.tag }}"
 

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -0,0 +1,117 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+repositories:
+  - name: "univention"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
+
+releases:
+  - name: "ums-store-dav"
+    chart: "univention/store-dav"
+    version: "0.2.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-store-dav.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-ldap-server"
+    chart: "univention/ldap-server"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-ldap-server.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-ldap-notifier"
+    chart: "univention/ldap-notifier"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-ldap-notifier.gotmpl"
+      - "values-ldap-notifier.yaml"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-udm-rest-api"
+    chart: "univention/udm-rest-api"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-udm-rest-api.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-stack-data-ums"
+    chart: "univention/stack-data-ums"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-stack-data-ums.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-stack-data-swp"
+    chart: "univention/stack-data-swp"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-stack-data-swp.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-portal-server"
+    chart: "univention/portal-server"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-server.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-notifications-api"
+    chart: "univention/notifications-api"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-notifications-api.gotmpl"
+      - "values-notifications-api.yaml"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-portal-listener"
+    chart: "univention/portal-listener"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-listener.gotmpl"
+      - "values-portal-listener.yaml"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-portal-frontend"
+    chart: "univention/portal-frontend"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-frontend.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-umc-gateway"
+    chart: "univention/umc-gateway"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-umc-gateway.gotmpl"
+      - "values-umc-gateway.yaml"
+    condition: "univentionManagementStack.enabled"
+  - name: "ums-umc-server"
+    chart: "univention/umc-server"
+    version: "0.1.0"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-umc-server.gotmpl"
+    condition: "univentionManagementStack.enabled"
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "univention-management-stack"

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -0,0 +1,14 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
+    enabled: false
+    secretName: ""

helmfile/apps/univention-management-stack/values-common.yaml

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+istio:
+  enabled: false

helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl

@@ -0,0 +1,20 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsLdapNotifier.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsLdapNotifier.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+volumes:
+  claims:
+    shared-data: "shared-data-ums-ldap-server-0"
+    shared-run: "shared-run-ums-ldap-server-0"
+
+...

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -0,0 +1,44 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+ldapServer:
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+
+  # TODO: Certificates handling
+  # caCert: ""
+  # certPem: ""
+  # privateKey: ""
+  # dhParam: ""
+  tlsMode: "off"
+
+  # TODO: SAML integration
+  # samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
+  # samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
+  # serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsLdapServer.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsLdapServer.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+# TODO: Pending upstream support, #199
+persistence:
+  data:
+    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
+  shared:
+    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
+
+
+resources:
+  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+postgresql:
+  bundled: false
+  connection:
+    host: "postgresql"
+    port: 5432
+  auth:
+    username: "notificationsapi_user"
+    database: "notificationsapi"
+    password: {{ .Values.secrets.postgresql.notificationsapiUser }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsNotificationsApi.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsNotificationsApi.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-notifications-api.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+notificationsapi:
+  apply_database_migrations: "True"
+  dev_mode: "False"
+  environment: "staging"
+  log_level: "DEBUG"
+  sql_echo: "False"
+  api_prefix: "/univention/portal/notifications-api"
+
+...

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalFrontend.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsPortalFrontend.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+extraIngresses:
+  redirects:
+    # The TLS configuration is on the "master" Ingress, see below.
+    tls:
+      enabled: false
+  master:
+    enabled: {{ .Values.ingress.enabled }}
+    tls:
+      enabled: {{ .Values.ingress.tls.enabled }}
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+resources:
+  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -0,0 +1,54 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+portalListener:
+  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  environment: "staging"
+  debugLevel: "4"
+  assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
+  ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapHost: "ums-ldap-server"
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  notifierServer: "ums-ldap-notifier"
+  portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUsername: "cn=admin"
+
+  tlsMode: "off"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalListener.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsPortalListener.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+  waitForDependency:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
+    imagePullPolicy: "Always"
+    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+
+# TODO: Pending upstream support, #200
+persistence:
+  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.univentionManagementStack.portalListener }}"
+
+resources:
+  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
+
+resourcesDependencyWaiter:
+  {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-portal-listener.yaml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+store-dav:
+  bundled: false
+
+...

helmfile/apps/univention-management-stack/values-portal-server.gotmpl

@@ -0,0 +1,28 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+portalServer:
+  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  authMode: "saml"
+  environment: "staging"
+  editable: "true"
+  logLevel: "DEBUG"
+  ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsPortalServer.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsPortalServer.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -0,0 +1,38 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+stackDataSwp:
+  udmApiUsername: "cn=admin"
+  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  loadDevData: true
+
+stackDataContext:
+  ldapBase: "dc=swp-ldap,dc=internal"
+  externalDomainName: "{{ .Values.global.domain }}"
+  externalMailDomain: "{{ .Values.global.domain }}"
+
+  portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}"
+  portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}"
+  portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}"
+  portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}"
+  portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}"
+  portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}"
+
+  oxDefaultContext: "10"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsDataLoader.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsDataLoader.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+stackDataUms:
+  udmApiUser: "cn=admin"
+  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  loadDevData: true
+
+stackDataContext:
+  ldapBase: "dc=swp-ldap,dc=internal"
+  initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
+
+  # The SWP configuration brings its own UMC policies.
+  installUmcPolicies: false
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsDataLoader.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsDataLoader.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-store-dav.gotmpl

@@ -0,0 +1,39 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+storeDav:
+  auth:
+    basicAuth:
+      portal-listener: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}"
+      portal-server: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}"
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsStoreDav.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsStoreDav.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+  configHtpasswd:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.umsConfigHtpasswd.repository }}"
+    pullPolicy: "Always"
+    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    tag: "{{ .Values.images.umsConfigHtpasswd.tag }}"
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . }}
+      {{- end }}
+
+# TODO: Pending upstream support, #201
+persistence:
+  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.univentionManagementStack.storeDav }}"
+
+resources:
+  {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -0,0 +1,44 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+udmRestApi:
+  apiLogLevel: "4"
+  authGroups:
+    dcBackup: "cn=DC Backup Hosts,cn=groups,dc=swp-ldap,dc=internal"
+    dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=swp-ldap,dc=internal"
+    domainAdmins: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  ldapHost: "ums-ldap-server"
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  # TODO: This should not be required, the machine account is not there
+  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  # TODO: Secret should be entered without b64enc
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  # TODO: Secret should be entered without b64enc
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  # TODO: why do we need this many subprocesses?
+  numberOfSubprocesses: 8
+  # TODO: Stub value currently
+  caCert: ""
+  # TODO: This should not be part of the udm-rest-api anymore
+  loadJoinData:
+    enabled: true
+  # TODO: configurable
+  tlsMode: "off"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsUdmRestApi.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsUdmRestApi.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+umcGateway:
+  domainname: "{{ .Values.global.domain }}"
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  ssoFqdn: "localhost:8097"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsUmcGateway.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsUmcGateway.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-umc-gateway.yaml

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+umcGateway:
+  showCookieBanner: true
+  cookieBannerTitleDE: "Cookie Zustimmung"
+  cookieBannerTitleEN: "Cookie Consent"
+  cookieBannerTextDE: >-
+    Die Nutzung dieses Angebots ist nur möglich, wenn Cookies gespeichert und
+    verarbeitet werden können (essenzielle Cookies). Dafür benötigen wir Ihre
+    Zustimmung. Bitte akzeptieren Sie um fortzufahren oder schließen Sie die
+    Seite.
+  cookieBannerTextEN: >-
+    Usage of this site is only possible by storing and processing cookie
+    information (essential cookies). We require your consent. Please accept to
+    continue or close the page.
+
+...

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -0,0 +1,42 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+umcServer:
+  domainname: "{{ .Values.global.domain }}"
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  ldapHost: "ums-ldap-server"
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  # TODO: This should not be required, the machine account is not there
+  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
+  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
+  enforceSessionCookie: "true"
+
+  # TODO: The keycloak integration is pending
+  samlEnabled: false
+  samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
+  samlMetadataUrlInternal: "http://keycloak/realms/ucs/protocol/saml/descriptor"
+  samlSpServer: "localhost:8000"
+  samlSchemes: "http"
+
+  tlsMode: "off"
+
+  # TODO: Secret should be entered without b64enc
+  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  # TODO: Secret should be entered without b64enc
+  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.umsUmcServer.repository }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  tag: "{{ .Values.images.umsUmcServer.tag }}"
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
+...

helmfile/apps/xwiki/helmfile.yaml

@@ -2,19 +2,21 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "xwiki"
-    url: "https://xwiki-contrib.github.io/xwiki-helm"
+  - name: "xwiki-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://xwiki-contrib.github.io/xwiki-helm" }}
 
 releases:
   - name: "xwiki"
-    chart: "xwiki/xwiki"
-    version: "1.1.1"
+    chart: "xwiki-repo/xwiki"
+    version: "1.1.3"
     wait: true
-    timeout: 600
     values:
       - "values.yaml"
       - "values.gotmpl"
     condition: "xwiki.enabled"
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/xwiki/values-init.gotmpl

@@ -1,20 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-xwiki:
-  url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/"
-  superadmin:
-    username: "superadmin"
-    password: {{ .Values.secrets.xwiki.superadminpassword | quote }}
-
-image:
-  repository: "{{ .Values.images.xwikiInit.repository }}"
-  tag: "{{ .Values.images.xwikiInit.tag }}"
-...

helmfile/apps/xwiki/values.gotmpl

@@ -6,16 +6,26 @@ SPDX-License-Identifier: Apache-2.0
 image:
   name: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}"
   tag: "{{ .Values.images.xwiki.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 externalDB:
-  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.xwikiUser }}"
+  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
   database: "{{ .Values.databases.xwiki.name }}"
   user: "{{ .Values.databases.xwiki.username }}"
   host: "{{ .Values.databases.xwiki.host }}"
 
 customConfigs:
   "xwiki.cfg":
-    "xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
+    "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
+    ## LDAP Server configuration
+    # "xwiki.authentication.ldap.server": "univention-corporate-container"
+    # xwiki.authentication.ldap.port: 389
+    ## Authentication to the LDAP server
+    # xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
+    # xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
+    ## Base DN used for searching for users
+    # xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+
   "xwiki.properties":
     "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
     "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
@@ -25,10 +35,16 @@ customConfigs:
     "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
     "workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-    "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey }}
+    "workplaceServices.portalSecret": "{{ .Values.secrets.centralnavigation.apiKey }}"
 
 properties:
-  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvg | b64enc }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "{{ .Values.theme.colors.primary }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "{{ .Values.theme.colors.white }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "{{ .Values.theme.colors.secondaryGreyLight }}"
+  ## Link LDAP users and users authenticated through OIDC
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}

helmfile/apps/xwiki/values.yaml

@@ -2,9 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 image:
-  name: "git.xwikisas.com:5050/xwikisas/swp/xwiki"
-  tag: "0.4-mariadb-tomcat"
-  pullPolicy: "Always"
+  pullPolicy: "IfNotPresent"
 
 ingress:
   # enabled: true
@@ -32,9 +30,9 @@ mariadb:
 
 properties:
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "#004B76"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de_DE"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.timezone": "Europe/Berlin"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de_DE"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"
@@ -43,15 +41,37 @@ properties:
     "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-active-color":
     "@brand-primary"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "#fff"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "#fff"
   # yamllint disable-line rule:line-length
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "'@list-group-active-border: @list-group-border; @gray-light: #727272; @text-muted: @gray; @xwiki-drawer-menu-item-hover-bg: @list-group-hover-bg; @xwiki-drawer-menu-item-hover-color: @list-group-link-hover-color; @well-bg: @body-bg; .navbar-default { border-bottom: 3px solid @brand-primary !important; } #menuview .navbar-brand img { padding: 5px; }'"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": " li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd; height: 64px; } div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"
+
   "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
+  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
+  #   "sn,givenname,uid"
+  ## Restrict user import in the UI to global administrators
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
+  ## Enable group and user synchronization
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
+  #   1
+  ## Base DN under which groups should be searched for
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
+  #  "dc=swp-ldap,dc=internal"
+  ## LDAP filter to only synchronize some groups
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
+  #   "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
 
 customConfigs:
   xwiki.cfg:
     xwiki.url.protocol: "https"
+    ## Indicate the LDAP field defining the user UID
+    # xwiki.authentication.ldap.UID_attr: "uid"
+    ## Indicate the LDAP field defining the user profile picture
+    # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
+    ## Enable the synchronization of the LDAP profile picture
+    # xwiki.authentication.ldap.update_photo: 1
+
   xwiki.properties:
     oidc.scope: "openid,profile,email,address,phoenix"
     oidc.endpoint.userinfo.method: "GET"

helmfile/bases/environments.yaml

@@ -5,12 +5,15 @@ environments:
   default:
     values:
       - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
   dev:
     values:
       - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
       - "../../environments/dev/values.yaml"
   prod:
     values:
       - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
       - "../../environments/prod/values.yaml"
 ...

helmfile/environments/default/certificate.gotmpl

@@ -1,9 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-certificate:
-  issuerRef:
-    name: "letsencrypt-prod"
-...

helmfile/environments/default/certificate.yaml

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+certificate:
+  issuerRef:
+    name: "letsencrypt-prod"
+...

helmfile/environments/default/cluster.gotmpl

@@ -1,26 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-cluster:
-  service:
-    # Based on the available Implementations of your cluster, choose the type of Service.
-    # Choose out of "ClusterIP", "NodePort" or "LoadBalancer.
-    type: "LoadBalancer"
-
-  persistence:
-    # Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...).
-    readWriteMany:
-      enabled: false
-
-  networking:
-    # Kubernetes internal cluster domain.
-    domain: "cluster.local"
-    # Kubernetes cluster network CIDR.
-    cidr: "10.0.0.0/8"
-
-  container:
-    # Used container engine in kubernetes cluster.
-    engine: "cri-o"
-...

helmfile/environments/default/cluster.yaml

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+cluster:
+  service:
+    # Based on the available Implementations of your cluster, choose the type of Service.
+    # Choose out of "ClusterIP", "NodePort" or "LoadBalancer.
+    type: "LoadBalancer"
+
+  persistence:
+    # Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...).
+    readWriteMany:
+      enabled: false
+
+  networking:
+    # Kubernetes internal cluster domain.
+    domain: "cluster.local"
+    # Kubernetes cluster network CIDR.
+    cidr: "10.0.0.0/8"
+    # Ingress-gateway IP - only relevant for "NodePort" cluster services.
+    # When ingress and egress gateway use different ips, which results that pods can't self-discover their incoming ip,
+    # you need to provide the public (load-balanced) ingress gateways ip address.
+    ingressGatewayIP: ""
+    # LoadBalancer status fiel - only relevant for "LoadBalancer" cluster services.
+    # The IP/DNS of your load-balancer will be fetched for some components from 'status' map of services.
+    # Most providers use '.status.loadBalancer.ingress[0].ip' to store public ip. You can modify the chosen field here.
+    loadBalancerStatusField: "ip"
+
+  container:
+    # Used container engine in kubernetes cluster.
+    engine: "cri-o"
+
+...

helmfile/environments/default/database.yaml

@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 databases:
   keycloak:
@@ -32,9 +30,15 @@ databases:
     name: "CONFIGDB"
     username: "root"
     password: ""
+  synapse:
+    host: "postgresql"
+    name: "matrix"
+    username: "matrix_user"
+    password: ""
+    port: 5432
   xwiki:
     name: "xwiki"
     host: "mariadb"
-    username: "xwiki_user"
+    username: "root"
     password: ""
 ...

helmfile/environments/default/global.gotmpl

@@ -7,52 +7,12 @@ SPDX-License-Identifier: Apache-2.0
 #
 global:
 
-  ## Define ingress/virtualservice host.
-  #
-  hosts:
-    collabora: "collabora"
-    dimension: "integration"
-    element: "ucc"
-    etherpad: "etherpad"
-    intercomService: "ics"
-    jitsi: "av"
-    jitsiPlain: "jitsi"
-    keycloak: "id"
-    meetingWidgetsBot: "meeting-widgets-bot"
-    meetingWidgets: "meeting-widgets"
-    newWorkBoardWidget: "whiteboard-widget"
-    moodle: "learn"
-    nextcloud: "fs"
-    openproject: "project"
-    openxchange: "webmail"
-    openxchangeProvisioning: "ox-provisioning"
-    pollWidget: "poll-widget"
-    synapse: "matrix"
-    univentionCorporateServer: "portal"
-    whiteboard: "whiteboard"
-    xwiki: "wiki"
-
   ## Define host
   #
   domain: {{ env "DOMAIN" | default "souvap.cloud" }}
 
   ## Define docker registry address.
   #
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}
 
-  ## Credentials to fetch images from private registry
-  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  #
-  imagePullSecrets:
-    - "external-registry"
-
-  ## Define internal kubernetes domain, usually svc.cluster.local
-  ## Workaround for calico with postfix
-  #
-  internalDomain: "svc.cluster.local"
-
-  ## Define internal kubernetes network for postfix
-  ## Attention: Mail from this network can be sent without authentication!
-  #
-  internalNetwork: "10.0.0.0/8"
 ...

helmfile/environments/default/global.yaml

@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+## The global properties are used to configure multiple charts at once.
+#
+global:
+
+  ## Define ingress/virtualservice host.
+  #
+  hosts:
+    collabora: "collabora"
+    dimension: "integration"
+    element: "chat"
+    etherpad: "etherpad"
+    intercomService: "ics"
+    jitsi: "meet"
+    keycloak: "id"
+    meetingWidgetsBot: "meeting-widgets-bot"
+    meetingWidgets: "meeting-widgets"
+    newWorkBoardWidget: "whiteboard-widget"
+    nextcloud: "fs"
+    openproject: "project"
+    openxchange: "webmail"
+    openxchangeProvisioning: "ox-provisioning"
+    pollWidget: "poll-widget"
+    synapse: "matrix"
+    univentionCorporateServer: "portal"
+    univentionManagementStack: "portal"
+    whiteboard: "whiteboard"
+    xwiki: "wiki"
+
+
+  ## Define docker registry address.
+  #
+  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+
+  ## Credentials to fetch images from private registry
+  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  #
+  imagePullSecrets:
+    - "external-registry"
+
+  ## Define the policy to pull container images.
+  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+  #
+  imagePullPolicy: "IfNotPresent"
+...

helmfile/environments/default/images.gotmpl

@@ -1,119 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-images:
-  clamd:
-    repository: "clamav/clamav"
-    tag: "1.1.0_base"
-  collabora:
-    repository: "collabora/code"
-    tag: "23.05.2.2.1"
-  dovecot:
-    repository: "dovecot/dovecot"
-    tag: "2.3.20"
-  freshclam:
-    repository: "clamav/clamav"
-    tag: "1.1.0_base"
-  jibri:
-    repository: "jitsi/jibri"
-    tag: "stable-8615"
-  jicofo:
-    repository: "jitsi/jicofo"
-    tag: "stable-8615"
-  jitsi:
-    repository: "jitsi/web"
-    tag: "stable-8615"
-  jitsiKeycloakAdapter:
-    repository: "nordeck/jitsi-keycloak-adapter"
-    tag: "v20230425"
-  jitsiPatchJVB:
-    repository: "bitnami/kubectl"
-    tag: "1.26.6"
-  jvb:
-    repository: "jitsi/jvb"
-    tag: "stable-8615"
-  icap:
-    repository: "souvap/tooling/images/c-icap/c-icap-clamav"
-    tag: "1.0.4"
-  intercom:
-    repository: "univention/intercom-service"
-    tag: "1.4-kubernetes"
-  keycloak:
-    repository: "bitnami/keycloak"
-    tag: "19.0.3-debian-11-r15"
-    digest: ""
-  keycloakBootstrap:
-    repository: "souvap/tooling/images/ansible"
-    tag: "4.10.0"
-  keycloakExtensionHandler:
-    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler@sha256"
-    tag: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
-  keycloakExtensionProxy:
-    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy@sha256"
-    tag: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
-  mariadb:
-    repository: "mariadb"
-    tag: "10"
-  memcached:
-    repository: "bitnami/memcached"
-    tag: "1.6.21-debian-11-r4"
-  milter:
-    repository: "clamav/clamav"
-    tag: "1.1.0_base"
-  nextcloud:
-    repository: "nextcloud"
-    tag: "26.0.1-apache"
-  openproject:
-    repository: "souvap/tooling/images/openproject/souvap"
-    tag: "dev"
-  openxchangeCoreGuidedtours:
-    repository: "appsuite-public-sector/core-guidedtours"
-    tag: "8.5.0"
-  openxchangeCoreMW:
-    repository: "appsuite-public-sector/middleware-public-sector"
-    tag: "8.15.43"
-  openxchangeCoreUI:
-    repository: "appsuite-public-sector/core-ui"
-    tag: "8.15.2"
-  openxchangeCoreUIMiddleware:
-    repository: "appsuite-public-sector/core-ui-middleware"
-    tag: "1.8.3"
-  openxchangeCoreUserGuide:
-    repository: "appsuite-public-sector/core-user-guide"
-    tag: "8.15.702039"
-  openxchangeGuardUI:
-    repository: "appsuite-public-sector/guard-ui"
-    tag: "4.0.5"
-  openxchangeNextcloudIntegrationUI:
-    repository: "appsuite-public-sector/nextcloud-integration-ui"
-    tag: "1.0.2"
-  openxchangePublicSectorUI:
-    repository: "appsuite-public-sector/public-sector-ui"
-    tag: "1.0.3"
-  oxConnector:
-    repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
-    tag: "branch-jconde-listener-entrypoint-chaining"
-  postfix:
-    repository: "souvap/tooling/images/postfix"
-    digest: "sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
-  postgresql:
-    repository: "postgres"
-    tag: "15-alpine"
-  prosody:
-    repository: "jitsi/prosody"
-    tag: "stable-8615"
-  redis:
-    repository: "bitnami/redis"
-    tag: "7.0.12-debian-11-r0"
-  univentionCorporateServer:
-    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
-    tag: "20230806T234258"
-  xwiki:
-    repository: "xwikisas/swp/xwiki"
-    tag: "0.8-mariadb-tomcat"
-  xwikiInit:
-    repository: "curlimages/curl"
-    tag: "8.1.2"
-...

helmfile/environments/default/images.yaml

@@ -0,0 +1,231 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+images:
+  clamd:
+    repository: "clamav/clamav"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
+    # @supplier: "openDesk DevSecOps"
+  collabora:
+    repository: "souvap/tooling/images/collabora"
+    tag: "23.05.4.2.1@sha256:ee9ce83811700f1ff57e1218d22388dbaca96306df33f82aa14b334c5302285a"
+    # @supplier: "Collabora"
+  dovecot:
+    repository: "dovecot/dovecot"
+    tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
+    # @supplier: "Open-Xchange"
+  element:
+    repository: "souvap/tooling/images/element-web"
+    tag: "1.1.0@sha256:4fc2df523090cf012b50a681c92482f61231baf4cce67de467dd9f79c181bc93"
+    # @supplier: "Element"
+  freshclam:
+    repository: "clamav/clamav"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
+    # @supplier: "openDesk DevSecOps"
+  jibri:
+    repository: "jitsi/jibri"
+    tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
+    # @supplier: "Nordeck"
+  jicofo:
+    repository: "jitsi/jicofo"
+    tag: "stable-8922@sha256:820fcd4b072b29f42c1c37389fbefda1065f1e9654694941485dc08123c8a93b"
+    # @supplier: "Nordeck"
+  jitsi:
+    repository: "jitsi/web"
+    tag: "stable-8922@sha256:24bd4179998fe01ace1be74e53fea5308f4d91722953bb4334611e6886753f46"
+    # @supplier: "Nordeck"
+  jitsiKeycloakAdapter:
+    repository: "nordeck/jitsi-keycloak-adapter"
+    tag: "v20230906@sha256:54d45ee1a1205f98641810ffb171bd92e6478e2957a349ee4ff599359239fbf2"
+    # @supplier: "Nordeck"
+  jitsiPatchJVB:
+    repository: "bitnami/kubectl"
+    tag: "1.26.8@sha256:c6902a1fdce0a24c9f93ac8d1f317039b206a4b307d8fc76cab4a92911345757"
+    # @supplier: "Nordeck"
+  jvb:
+    repository: "jitsi/jvb"
+    tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
+    # @supplier: "Nordeck"
+  icap:
+    repository: "souvap/tooling/images/c-icap"
+    tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
+    # @supplier: "openDesk DevSecOps"
+  intercom:
+    repository: "univention/intercom-service"
+    tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
+    # @supplier: "Univention"
+  keycloak:
+    repository: "bitnami/keycloak"
+    tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
+    # @supplier: "Univention"
+  keycloakBootstrap:
+    repository: "souvap/tooling/images/ansible"
+    tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
+    # @supplier: "Univention"
+  keycloakExtensionHandler:
+    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
+    tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
+    # @supplier: "Univention"
+  keycloakExtensionProxy:
+    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
+    tag: "latest@sha256:57026fb4ba7d4579461e7ddd4b1b8ce9585d1cac4adbe64040f5e1063c80a6ba"
+    # @supplier: "Univention"
+  mariadb:
+    repository: "mariadb"
+    tag: "11.1.2-jammy@sha256:b6440c4f4e1471bdcee202e4c4e21c1f93af87421f6d33028363dd224e54f481"
+    # @supplier: "openDesk DevSecOps"
+  memcached:
+    repository: "bitnami/memcached"
+    tag: "1.6.21-debian-11-r84@sha256:81747acd297d3fcd05706ea771d441a6f01b28d722c366a06f922b6b7d4033dd"
+    # @supplier: "OpenProject"
+  milter:
+    repository: "clamav/clamav"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
+    # @supplier: "openDesk DevSecOps"
+  nextcloud:
+    repository: "nextcloud"
+    tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
+    # @supplier: "Nextcloud Community"
+  openproject:
+    repository: "souvap/tooling/images/openproject/souvap"
+    tag: "dev@sha256:03eb1eacc0c0c4e9e7d0f0c3d265fd0c15fd01cda33bc4f89cbc487ad53474a8"
+    # @supplier: "OpenProject"
+  openxchangeBootstrap:
+    repository: "alpine/k8s"
+    tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
+    # @supplier: "Open-Xchange"
+  openxchangeCoreGuidedtours:
+    repository: "appsuite-public-sector/core-guidedtours"
+    tag: "8.5.1@sha256:469457562a378cca50460e08d9437a954fc6f19622f18128fa74979f7905ecd9"
+    # @supplier: "Open-Xchange"
+  openxchangeCoreMW:
+    repository: "appsuite-public-sector/middleware-public-sector"
+    tag: "8.16.60@sha256:269c5b72f380c49ba1888c4300c409745d2ce757ca0b269afe1e8ac9bb26f028"
+    # @supplier: "Open-Xchange"
+  openxchangeCoreUI:
+    repository: "appsuite-public-sector/core-ui"
+    tag: "8.16.5@sha256:4f4dd4e36fb8a1b493c195e38e2f13b87c9582bfcdc3d23b646698fce2ffef8c"
+    # @supplier: "Open-Xchange"
+  openxchangeCoreUIMiddleware:
+    repository: "appsuite-public-sector/core-ui-middleware"
+    tag: "1.8.4@sha256:c707fbd5496c894f201dab8f4e78aad98f1ad80c8058778f04dfa5e6e201ed64"
+    # @supplier: "Open-Xchange"
+  openxchangeCoreUserGuide:
+    repository: "appsuite-public-sector/core-user-guide"
+    tag: "8.16.727397@sha256:5d8dbf9a91456dea59a235b495dcd002b971e2b23ef6c3a2ea5fd2071664e2a4"
+    # @supplier: "Open-Xchange"
+  openxchangeGuardUI:
+    repository: "appsuite-public-sector/guard-ui"
+    tag: "4.0.6@sha256:7bb8fdf944228dd78a5c33bbd8d0019d5a9e4ce1c35bda674166f2febc5d9a02"
+    # @supplier: "Open-Xchange"
+  openxchangeNextcloudIntegrationUI:
+    repository: "appsuite-public-sector/nextcloud-integration-ui"
+    tag: "1.0.5@sha256:cad4ecba431f84b8627d2e541cfea773d5ef54b65d847fa8f7e3fd0d63156497"
+    # @supplier: "Open-Xchange"
+  openxchangePublicSectorUI:
+    repository: "appsuite-public-sector/public-sector-ui"
+    tag: "2.0.1@sha256:8df90f6dfb59008567d8ded0dbd17b8f92f409c78ba2cf4ab2a39e1b23e34d3b"
+    # @supplier: "Open-Xchange"
+  openxchangeGotenberg:
+    repository: "appsuite-public-sector/3rdparty/gotenberg"
+    tag: "7.8.2@sha256:34af7b6d21c02b8183785177f5f3f1731633d72ec69e1f2ecdb8b43747887f62"
+    # @supplier: "Open-Xchange"
+  oxConnector:
+    repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
+    tag:
+      "branch-jconde-listener-entrypoint-chaining\
+      @sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
+    # @supplier: "Univention"
+  postfix:
+    repository: "souvap/tooling/images/postfix"
+    tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
+    # @supplier: "openDesk DevSecOps"
+  postgresql:
+    repository: "postgres"
+    tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
+    # @supplier: "openDesk DevSecOps"
+  prosody:
+    repository: "jitsi/prosody"
+    tag: "stable-8922@sha256:243547f24ae7d686d1f0c18ee230cf93119a66f095dda282bacbf45d4bb69f77"
+    # @supplier: "Nordeck"
+  redis:
+    repository: "bitnami/redis"
+    tag: "7.2.1-debian-11-r5@sha256:e664fa63dfe88cd099180c32f2c9a109a958f053b75d195beb48b06ffd8a0b5b"
+    # @supplier: "openDesk DevSecOps"
+  synapse:
+    repository: "matrixdotorg/synapse"
+    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
+    # @supplier: "Element"
+  synapseGuestModule:
+    repository: "nordeck/synapse-guest-module"
+    tag: "1.0.0@sha256:e9c736d84a77df93b2dbe3e3afa7b0ca3efcbc4457677adaac5df3cc79a85923"
+    # @supplier: "Nordeck"
+  synapseWeb:
+    repository: "rapidfort/haproxy-official"
+    tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
+    # @supplier: "Element"
+  univentionCorporateServer:
+    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
+    tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
+    # @supplier: "Univention"
+  umsConfigHtpasswd:
+    repository: "souvap/tooling/images/univention/config-htpasswd"
+    tag: "latest@sha256:24c5e218baa62b169e7222d8ee4d3951ddc8622cd359def6b660bb23a1052f9e"
+    # @supplier: "Univention"
+  umsDataLoader:
+    repository: "souvap/tooling/images/univention/data-loader"
+    tag: "latest@sha256:857837c1810f82362d441544dc32bd2c1d6fe358bbb5ae0e2c60b7f8f4092190"
+    # @supplier: "Univention"
+  umsLdapNotifier:
+    repository: "souvap/tooling/images/univention/ldap-notifier"
+    tag: "latest@sha256:6eccf86fe78926247ec9b59d7ba83c53271bc3ca7d0195863c0489e22c836002"
+    # @supplier: "Univention"
+  umsLdapServer:
+    repository: "souvap/tooling/images/univention/ldap-server"
+    tag: "latest@sha256:4a7c44b37c727cdc03e4043c88e3dbf6b1f119772c5c1904eaed3298bdd49a3d"
+    # @supplier: "Univention"
+  umsNotificationsApi:
+    repository: "souvap/tooling/images/univention/notifications-api"
+    tag: "latest@sha256:87a047c2d0669fcbb3501ef94192812e17e09aecabc1edd2e4b92afbb7ea4b20"
+    # @supplier: "Univention"
+  umsPortalListener:
+    repository: "souvap/tooling/images/univention/portal-listener"
+    tag: "latest@sha256:bcf48d108bc2f1afd745659a1d4f11f1dd0d8ada034899aa401dfea32a29c87a"
+    # @supplier: "Univention"
+  umsPortalFrontend:
+    repository: "souvap/tooling/images/univention/portal-frontend"
+    tag: "latest@sha256:a1b11db009e992d91cfef2bc60a5022cd4498c38908194020c881ef6dd325bae"
+    # @supplier: "Univention"
+  umsPortalServer:
+    repository: "souvap/tooling/images/univention/portal-server"
+    tag: "latest@sha256:eb0b032c4cf4b207f78b80c69f3e593e01e577779d877e16908902f19b4fc2ee"
+    # @supplier: "Univention"
+  umsWaitForDependency:
+    repository: "souvap/tooling/images/univention/wait-for-dependency"
+    tag: "latest@sha256:5d8d5e9ed55af2d12fef25856e5e61c7d13081458e4b14e6a01b10488b8067d3"
+    # @supplier: "Univention"
+  umsStoreDav:
+    repository: "souvap/tooling/images/univention/store-dav"
+    tag: "latest@sha256:d65f705e46a497ba58e7373f19973835f731796baeace16a32d6331469bf0068"
+    # @supplier: "Univention"
+  umsUdmRestApi:
+    repository: "souvap/tooling/images/univention/udm-rest-api"
+    tag: "latest@sha256:dce4322646749692c5d4692ccd7ff55df080a4af3485585a50c82871715e0cae"
+    # @supplier: "Univention"
+  umsUmcGateway:
+    repository: "souvap/tooling/images/univention/umc-gateway"
+    tag: "latest@sha256:18172ee4317a9259291f251c0cc1d2be05e003558cbd18d6dc062098a127cc8d"
+    # @supplier: "Univention"
+  umsUmcServer:
+    repository: "souvap/tooling/images/univention/umc-server"
+    tag: "latest@sha256:6cbb1708109c5a0c13f3ee433989094d04cecfb8b32975e723d0f5a2e526f8db"
+    # @supplier: "Univention"
+  wellKnown:
+    repository: "library/nginx"
+    tag: "1.25.2-bookworm@sha256:9504f3f64a3f16f0eaf9adca3542ff8b2a6880e6abfb13e478cca23f6380080a"
+    # @supplier: "Element"
+  xwiki:
+    repository: "xwikisas/swp/xwiki"
+    tag: "0.10-mariadb-tomcat@sha256:02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
+    # @supplier: "XWiki"
+...