chore(release): 0.2.0 [skip ci]

# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)

### Bug Fixes

* **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](4c21fd2286))

### Features

* **helmfile:** Implement private image/chart registry variables ([5788323](5788323621))

.gitlab-ci.yml

@@ -78,6 +78,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_ELEMENT:
+    description: "Enable Element deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_KEYCLOAK:
     description: "Enable Keycloak deployment."
     value: "no"
@@ -127,8 +133,7 @@ variables:
       - "yes"
       - "no"
   TESTS_PROJECT_URL:
-    description: "URL of the E2E-test gitlab project API with project ID."
+    description: "URL of the E2E-test Gitlab project API with project ID."
-    value: "gitlab.souvap-univention.de/api/v4/projects/6"
   # please use the following set of variables with normalized names:
   DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
   ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -192,7 +197,7 @@ env-cleanup:
 env-start:
   environment:
     name: "${NAMESPACE}"
-    url: "https://portal.${NAMESPACE}.${SWP_DOMAIN}"
+    url: "https://portal.${DOMAIN}"
     on_stop: "env-stop"
   extends: ".deploy-common"
   image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
@@ -359,6 +364,18 @@ jitsi-deploy:
   variables:
     COMPONENT: "jitsi"
 
+element-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ELEMENT != "no")
+      when: "always"
+  variables:
+    COMPONENT: "element"
+
 env-stop:
   extends: ".deploy-common"
   environment:
@@ -445,15 +462,18 @@ run-tests:
   image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
   except:
     - "tags"
+    - "triggers"
     - "web"
 
 common-yaml-linter:
   except:
     - "tags"
+    - "triggers"
     - "web"
 
 reuse-linter:
   allow_failure: false
   except:
     - "tags"
+    - "triggers"
     - "web"

CHANGELOG.md

@@ -1,3 +1,56 @@
+# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)
+
+
+### Bug Fixes
+
+* **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/4c21fd228654520bb71d56dc1bda96332334002b))
+
+
+### Features
+
+* **helmfile:** Implement private image/chart registry variables ([5788323](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/57883236219811d2a5fc422649b4f9b042a0ac22))
+
+## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15)
+
+
+### Bug Fixes
+
+* **jitsi:** Update support for NodePort setups with different ingress/egress ips ([de25789](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/de257893d4ff2b3e8ea1d6988c6bdde5ed1eae9a))
+
+## [0.1.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.0...v0.1.1) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support ([53796da](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53796dae660463207a460b387b6f3dd23ce20cd0))
+* **open-xchange:** Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1 ([390f2de](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/390f2dee5226b83855a6cca8bf1c0d0f5647ee34))
+
+# [0.1.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.6...v0.1.0) (2023-08-14)
+
+
+### Bug Fixes
+
+* **docs:** Typo ([ee684a7](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/ee684a78910ce721ea834e9ec2f4222ed37572c6))
+
+
+### Features
+
+* **element:** Add element component ([5f0ca92](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/5f0ca92a058e51a27aa56e35ebcf2048bad88671))
+
+## [0.0.6](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.5...v0.0.6) (2023-08-14)
+
+
+### Bug Fixes
+
+* **open-xchange:** Functional mailboxes auth settings update in AppSuite and Dovecot ([53948ea](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53948eae7648cc9785d2b8a813fc7e40b36aa3aa))
+
+## [0.0.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.4...v0.0.5) (2023-08-11)
+
+
+### Bug Fixes
+
+* **keycloak:** Improve digest image pinning ([b8a8932](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/b8a8932221ae4d6632c7d1f4a85f46fea01a92e7))
+
 ## [0.0.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.3...v0.0.4) (2023-08-11)
 
 

README.md

@@ -8,10 +8,7 @@ SPDX-License-Identifier: Apache-2.0
 
 # Disclaimer August 2023
 
-The current state of the Sovereign Workplace misses the component
+The current state of the Sovereign Workplace contains components that are going to be
-_Element Starter Edition_ because it is not generally available yet.
-
-Also does the Sovereign Workplace contain components that are going to be
 replaced. Like for example the UCS dev container monolith will be substituted by
 multiple Univention Management Stack containers.
 
@@ -152,6 +149,16 @@ and wait a little. After the deployment is finished some bootstrapping is
 executed which might take some more minutes before you can log in your new
 instance.
 
+## Offline deployment
+
+Before executing a [local deployment](#local-deployment), you can set following
+environment variables to use your own container image and helm chart registry:
+
+| name                         | description                    |
+|------------------------------|--------------------------------|
+| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
+| PRIVATE_IMAGE_REGISTRY_URL   | Your image registry url        |
+
 ## Logging in
 
 When successfully deployed the SWP, all K8s jobs from the deployment should be
@@ -183,26 +190,27 @@ for development and evaluation purposes only - they need to be replaced in
 production deployments. These components are grouped together in the
 subdirectory `/helmfile/apps/services`.
 
-| Component                   | Name                                | Default | Description                  | Type       |
+| Component                   | Name                                | Default | Description                    | Type       |
-|-----------------------------|-------------------------------------|---------|------------------------------|------------|
+|-----------------------------|-------------------------------------|---------|--------------------------------|------------|
-| Certificates                | `certificates.enabled`              | `true`  | TLS certificates             | Eval       |
+| Certificates                | `certificates.enabled`              | `true`  | TLS certificates               | Eval       |
-| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine             | Eval       |
+| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
-| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine             | Eval       |
+| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
-| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                    | Functional |
+| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
-| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                 | Functional |
+| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
-| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange  | Functional |
+| Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
-| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing            | Functional |
+| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
-| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider            | Functional |
+| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing              | Functional |
-| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                     | Eval       |
+| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
-| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                   | Functional |
+| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       | Eval       |
-| OpenProject                 | `openproject.enabled`               | `true`  | Project management           | Functional |
+| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                     | Functional |
-| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                    | Functional |
+| OpenProject                 | `openproject.enabled`               | `true`  | Project management             | Functional |
-| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning         | Functional |
+| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                      | Functional |
-| Postfix                     | `postfix.enabled`                   | `true`  | MTA                          | Eval       |
+| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning           | Functional |
-| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                     | Eval       |
+| Postfix                     | `postfix.enabled`                   | `true`  | MTA                            | Eval       |
-| Redis                       | `redis.enabled`                     | `true`  | Cache Database               | Eval       |
+| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                       | Eval       |
-| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal | Functional |
+| Redis                       | `redis.enabled`                     | `true`  | Cache Database                 | Eval       |
-| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                | Functional |
+| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal   | Functional |
+| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                  | Functional |
 
 
 #### Cluster capabilities
@@ -221,6 +229,12 @@ the application to your own database instances.
 
 | Component   | Name               | Type       | Parameter | Key                                    | Default                    |
 |-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
+| Element     | Synapse            | PostgreSQL |           |                                        |                            |
+|             |                    |            | Name      | `databases.synapse.name`               | `matrix`                   |
+|             |                    |            | Host      | `databases.synapse.host`               | `postgresql`               |
+|             |                    |            | Port      | `databases.synapse.port`               | `5432`                     |
+|             |                    |            | Username  | `databases.synapse.username`           | `matrix_user`              |
+|             |                    |            | Password  | `databases.synapse.password`           |                            |
 | Keycloak    | Keycloak           | PostgreSQL |           |                                        |                            |
 |             |                    |            | Name      | `databases.keycloak.name`              | `keycloak`                 |
 |             |                    |            | Host      | `databases.keycloak.host`              | `postgresql`               |
@@ -269,10 +283,14 @@ actual scalability of the components (see column `Scales at least to 2`).
 |             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Element     | `replicas.element`     | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.synapse`     | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.synapseWeb`  | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.wellKnown`   | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
 | Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 |             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 |             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | tested               |
+|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | :x:                  |
 | Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |

helmfile.yaml

@@ -15,6 +15,7 @@ helmfiles:
   - path: "helmfile/apps/nextcloud/helmfile.yaml"
   - path: "helmfile/apps/collabora/helmfile.yaml"
   - path: "helmfile/apps/jitsi/helmfile.yaml"
+  - path: "helmfile/apps/element/helmfile.yaml"
   - path: "helmfile/apps/openproject/helmfile.yaml"
   - path: "helmfile/apps/xwiki/helmfile.yaml"
   - path: "helmfile/apps/provisioning/helmfile.yaml"

helmfile/apps/collabora/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "collabora-online"
+  - name: "collabora-online-repo"
-    url: "https://collaboraonline.github.io/online"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://collaboraonline.github.io/online" }}
 
 releases:
   - name: "collabora-online"
-    chart: "collabora-online/collabora-online"
+    chart: "collabora-online-repo/collabora-online"
     version: "1.0.2"
     values:
       - "values.yaml"

helmfile/apps/element/helmfile.yaml

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  - name: "sovereign-workplace-element-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
+
+releases:
+  - name: "sovereign-workplace-element"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-element"
+    version: "1.1.2"
+    values:
+      - "values-element.gotmpl"
+    condition: "element.enabled"
+
+  - name: "sovereign-workplace-well-known"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-well-known"
+    version: "1.1.2"
+    values:
+      - "values-well-known.gotmpl"
+    condition: "element.enabled"
+
+  - name: "sovereign-workplace-synapse-web"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse-web"
+    version: "1.1.2"
+    values:
+      - "values-synapse-web.gotmpl"
+    condition: "element.enabled"
+
+  - name: "sovereign-workplace-synapse"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse"
+    version: "1.1.2"
+    values:
+      - "values-synapse.gotmpl"
+    condition: "element.enabled"
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "element"
+
+bases:
+  - "../../bases/environments.yaml"
+...

helmfile/apps/element/values-element.gotmpl

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.element.repository }}"
+  tag: "{{ .Values.images.element.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.element }}
+
+resources:
+  {{ .Values.resources.element | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-synapse-web.gotmpl

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapseWeb.repository }}"
+  tag: "{{ .Values.images.synapseWeb.tag }}"
+
+ingress:
+  host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.synapseWeb }}
+
+resources:
+  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-synapse.gotmpl

@@ -0,0 +1,52 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.synapse.repository }}"
+  tag: "{{ .Values.images.synapse.tag }}"
+
+configuration:
+  database:
+    host: "{{ .Values.databases.synapse.host }}"
+    name: "{{ .Values.databases.synapse.name }}"
+    user: "{{ .Values.databases.synapse.username }}"
+    password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
+
+  homeserver:
+    oidc:
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
+      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+
+    turn:
+      sharedSecret: {{ .Values.turn.credentials }}
+      servers:
+        {{- if .Values.turn.tls.host }}
+        - server: {{ .Values.turn.tls.host }}
+          port: {{ .Values.turn.tls.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- else if .Values.turn.server.host }}
+        - server: {{ .Values.turn.server.host }}
+          port: {{ .Values.turn.server.port }}
+          transport: {{ .Values.turn.transport }}
+        {{- end }}
+
+persistence:
+  size: "{{ .Values.persistence.size.synapse }}"
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+
+replicaCount: {{ .Values.replicas.synapse }}
+
+resources:
+  {{ .Values.resources.synapse | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-well-known.gotmpl

@@ -0,0 +1,31 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  registry: "{{ .Values.global.imageRegistry }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.wellKnown.repository }}"
+  tag: "{{ .Values.images.wellKnown.tag }}"
+
+ingress:
+  host: "{{ .Values.global.domain }}"
+  enabled: "{{ .Values.ingress.enabled }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls:
+    enabled: "{{ .Values.ingress.tls.enabled }}"
+    secretName: "{{ .Values.ingress.tls.secretName }}"
+
+replicaCount: {{ .Values.replicas.wellKnown }}
+
+resources:
+  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
+...

helmfile/apps/intercom-service/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "intercom-service"
+  - name: "intercom-service-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable" }}
 
 releases:
   - name: "intercom-service"
-    chart: "intercom-service/intercom-service"
+    chart: "intercom-service-repo/intercom-service"
     version: "1.1.3"
     values:
       - "values.yaml"

helmfile/apps/jitsi/helmfile.yaml

@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "jitsi"
+  - name: "jitsi-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable" }}
 
 releases:
   - name: "jitsi"
-    chart: "jitsi/sovereign-workplace-jitsi"
+    chart: "jitsi-repo/sovereign-workplace-jitsi"
-    version: "1.1.0"
+    version: "1.2.1"
     values:
       - "values-jitsi.gotmpl"
     condition: "jitsi.enabled"

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -17,10 +17,10 @@ image:
   tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
 
 settings:
-  jwtAppSecret: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+  jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
 
 jitsi:
-  publicURL: "https://{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+  publicURL: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
   web:
     replicaCount: {{ .Values.replicas.jitsi }}
     image:
@@ -30,13 +30,13 @@ jitsi:
       enabled: "{{ .Values.ingress.enabled }}"
       ingressClassName: "{{ .Values.ingress.ingressClassName }}"
       hosts:
-        - host: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+        - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
           paths:
             - "/"
       tls:
         - secretName: "{{ .Values.ingress.tls.secretName }}"
           hosts:
-            - "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
     extraEnvs:
       TURN_ENABLE: "1"
     resources:
@@ -51,11 +51,11 @@ jitsi:
     {{- end }}
     extraEnvs:
       - name: "AUTH_TYPE"
-        value: "jwt"
+        value: "hybrid_matrix_token"
       - name: "JWT_APP_ID"
         value: "myappid"
       - name: "JWT_APP_SECRET"
-        value: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+        value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
       - name: TURNS_HOST
         value: "{{ .Values.turn.tls.host }}"
       - name: TURNS_PORT
@@ -79,8 +79,8 @@ jitsi:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
       tag: "{{ .Values.images.jicofo.tag }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jicofoAuthPassword }}"
+      password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
-      componentSecret: "{{ .Values.secrets.jitsiPlain.jicofoComponentPassword }}"
+      componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
     resources:
       {{ .Values.resources.jicofo | toYaml | nindent 6 }}
   jvb:
@@ -89,7 +89,7 @@ jitsi:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
       tag: "{{ .Values.images.jvb.tag }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jvbAuthPassword }}"
+      password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
     resources:
       {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
@@ -100,9 +100,9 @@ jitsi:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
       tag: "{{ .Values.images.jibri.tag }}"
     recorder:
-      password: "{{ .Values.secrets.jitsiPlain.jibriRecorderPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jibriXmppPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
     resources:
       {{ .Values.resources.jibri | toYaml | nindent 6 }}
   imagePullSecrets:
@@ -111,6 +111,8 @@ jitsi:
   {{- end }}
 
 patchJVB:
+  configuration:
+    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.jitsiPatchJVB.repository }}"

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-keycloak-bootstrap"
+  - name: "sovereign-workplace-keycloak-bootstrap-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable" }}
 
 releases:
   - name: "sovereign-workplace-keycloak-bootstrap"
-    chart: "sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
+    chart: "sovereign-workplace-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
     version: "1.1.11"
     values:
       - "values-bootstrap.gotmpl"

helmfile/apps/keycloak/helmfile.yaml

@@ -2,22 +2,29 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "bitnami"
+  - name: "bitnami-repo"
-    url: "https://charts.bitnami.com/bitnami"
+    oci: true
-  - name: "keycloak-theme"
+    url: >-
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-  - name: "keycloak-extensions"
+         default "registry-1.docker.io/bitnamicharts" }}
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
+  - name: "keycloak-theme-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable" }}
+  - name: "keycloak-extensions-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
 
 releases:
   - name: "keycloak-theme"
-    chart: "keycloak-theme/sovereign-workplace-theme"
+    chart: "keycloak-theme-repo/sovereign-workplace-theme"
     version: "1.0.0"
     values:
       - "values-theme.gotmpl"
     condition: "keycloak.enabled"
   - name: "keycloak"
-    chart: "bitnami/keycloak"
+    chart: "bitnami-repo/keycloak"
     version: "12.2.0"
     values:
       - "values-keycloak.gotmpl"
@@ -26,7 +33,7 @@ releases:
     wait: true
     condition: "keycloak.enabled"
   - name: "keycloak-extensions"
-    chart: "keycloak-extensions/keycloak-extensions"
+    chart: "keycloak-extensions-repo/keycloak-extensions"
     version: "0.1.0"
     needs:
       - "keycloak"

helmfile/apps/keycloak/values-extensions.gotmpl

@@ -18,7 +18,11 @@ handler:
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
+{{- if .Values.images.keycloakExtensionHandler.digest }}
+    sha256: "{{ .Values.images.keycloakExtensionHandler.digest}}"
+{{- else if .Values.images.keycloakExtensionHandler.tag }}
     tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
+{{- end }}
     imagePullPolicy: "Always"
   appConfig:
     smtpPassword: "{{ .Values.smtp.password }}"
@@ -31,7 +35,11 @@ proxy:
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
+{{- if .Values.images.keycloakExtensionProxy.digest }}
+    sha256: "{{ .Values.images.keycloakExtensionProxy.digest}}"
+{{- else if .Values.images.keycloakExtensionProxy.tag }}
     tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
+{{- end }}
     imagePullPolicy: "Always"
   ingress:
     enabled: "{{ .Values.ingress.enabled }}"

helmfile/apps/keycloak/values-keycloak-idp.yaml

@@ -116,9 +116,9 @@ keycloakConfigCli:
             "enabled": true,
             "alwaysDisplayInConsole": false,
             "clientAuthenticatorType": "client-secret",
-            "secret": "$(CLIENT_SECRET_JITSI_PLAIN_PASSWORD)",
+            "secret": "$(CLIENT_SECRET_JITSI_PASSWORD)",
             "redirectUris": [
-              "https://$(JITSI_PLAIN_DOMAIN)/*"
+              "https://$(JITSI_DOMAIN)/*"
             ],
             "webOrigins": [
               "*"
@@ -135,7 +135,7 @@ keycloakConfigCli:
             "frontchannelLogout": true,
             "protocol": "openid-connect",
             "attributes": {
-              "post.logout.redirect.uris": "https://$(JITSI_PLAIN_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
+              "post.logout.redirect.uris": "https://$(JITSI_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
             },
             "authenticationFlowBindingOverrides": {},
             "fullScopeAllowed": true,

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -55,8 +55,8 @@ keycloakConfigCli:
       value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
     - name: "MATRIX_DOMAIN"
       value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
-    - name: "JITSI_PLAIN_DOMAIN"
+    - name: "JITSI_DOMAIN"
-      value: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+      value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
     - name: "ELEMENT_DOMAIN"
       value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
     - name: "INTERCOM_SERVICE_DOMAIN"
@@ -65,8 +65,8 @@ keycloakConfigCli:
       value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
     - name: "CLIENT_SECRET_MATRIX_PASSWORD"
       value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
-    - name: "CLIENT_SECRET_JITSI_PLAIN_PASSWORD"
+    - name: "CLIENT_SECRET_JITSI_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.jitsiPlain }}
+      value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
     - name: "CLIENT_SECRET_NCOIDC_PASSWORD"
       value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
     - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"

helmfile/apps/nextcloud/helmfile.yaml

@@ -2,14 +2,18 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
+  - name: "sovereign-workplace-nextcloud-bootstrap-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
+    url: >-
-  - name: "nextcloud"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "https://nextcloud.github.io/helm/"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable" }}
+  - name: "nextcloud-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://nextcloud.github.io/helm/" }}
 
 releases:
   - name: "sovereign-workplace-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
+    chart: "sovereign-workplace-nextcloud-bootstrap-repo/sovereign-workplace-nextcloud-bootstrap"
     version: "2.2.0"
     wait: true
     waitForJobs: true
@@ -20,7 +24,7 @@ releases:
     timeout: 1800
 
   - name: "nextcloud"
-    chart: "nextcloud/nextcloud"
+    chart: "nextcloud-repo/nextcloud"
     version: "3.5.19"
     needs:
       - "sovereign-workplace-nextcloud-bootstrap"

helmfile/apps/open-xchange/helmfile.yaml

@@ -2,32 +2,38 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "dovecot"
+  - name: "dovecot-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
+    url: >-
-  - name: "openxchange"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "registry.open-xchange.com"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable" }}
+  - name: "openxchange-repo"
     oci: true
-  - name: "sovereign-workplace-open-xchange-bootstrap"
+    url: >-
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry.open-xchange.com" }}
+  - name: "sovereign-workplace-open-xchange-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable" }}
 
 releases:
   - name: "dovecot"
-    chart: "dovecot/dovecot"
+    chart: "dovecot-repo/dovecot"
-    version: "1.2.0"
+    version: "1.3.1"
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"
     condition: "dovecot.enabled"
   - name: "open-xchange"
-    chart: "openxchange/appsuite-public-sector/charts/appsuite-public-sector"
+    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
     version: "1.2.13"
     values:
       - "values-openxchange.yaml"
       - "values-openxchange.gotmpl"
     condition: "oxAppsuite.enabled"
   - name: "sovereign-workplace-open-xchange-bootstrap"
-    chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
+    chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
-    version: "1.2.2"
+    version: "1.3.1"
     values:
       - "values-openxchange-bootstrap.yaml"
     condition: "oxAppsuite.enabled"

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   url: "{{ .Values.images.dovecot.repository }}"
-  tag: "{{ .Values.images.dovecot.tag }}"
+  digest: "{{ .Values.images.dovecot.digest }}"
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}

helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl

@@ -0,0 +1,15 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
+  digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+...

helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml

@@ -2,22 +2,5 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: false
+  deletePodsOnSuccess: true
-
-# resources:
-#   limits:
-#     # The max amount of CPUs to consume.
-#     cpu: 1
-#     # The max amount of RAM to consume.
-#     memory: "1Gi"
-#   requests:
-#     # The amount of CPUs which has to be available on the scheduled node.
-#     cpu: 1
-#     # The amount of RAM which has to be available on the scheduled node.
-#     memory: "256Mi"
-
-# Keep default values:
-# coreMiddleware:
-#   statefulSet: "open-xchange-core-mw-default-0"
-#   pod: "open-xchange-core-mw-default-0"
 ...

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -65,6 +65,7 @@ appsuite:
       com.openexchange.capability.smime: "true"
       # Secondary Accounts
       com.openexchange.mail.secondary.authType: "XOAUTH2"
+      com.openexchange.mail.transport.secondary.authType: "xoauth2"
       # Nextcloud integration
       com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
       com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"

helmfile/apps/openproject/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "openproject"
+  - name: "openproject-repo"
-    url: "https://charts.openproject.org"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://charts.openproject.org" }}
 
 releases:
   - name: "openproject"
-    chart: "openproject/openproject"
+    chart: "openproject-repo/openproject"
     version: "1.8.0"
     values:
       - "values.yaml"

helmfile/apps/provisioning/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "ox-connector"
+  - name: "ox-connector-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
 
 releases:
   - name: "ox-connector"
-    chart: "ox-connector/ox-connector"
+    chart: "ox-connector-repo/ox-connector"
     version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
     values:
       - "values-oxconnector.yaml"

helmfile/apps/services/helmfile.yaml

@@ -2,70 +2,85 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-certificates"
+  - name: "sovereign-workplace-certificates-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable"
+    url: >-
-  - name: "postgresql"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
-  - name: "mariadb"
+  - name: "postgresql-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable"
+    url: >-
-  - name: "postfix"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable" }}
-  - name: "istio-resources"
+  - name: "mariadb-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable"
+    url: >-
-  - name: "clamav"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable" }}
-  - name: "bitnami"
+  - name: "postfix-repo"
-    url: "https://charts.bitnami.com/bitnami"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" }}
+  - name: "istio-resources-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
+  - name: "clamav-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable" }}
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry-1.docker.io/bitnamicharts" }}
 
 releases:
   - name: "sovereign-workplace-certificates"
-    chart: "sovereign-workplace-certificates/sovereign-workplace-certificates"
+    chart: "sovereign-workplace-certificates-repo/sovereign-workplace-certificates"
-    version: "1.2.1"
+    version: "1.2.2"
     values:
       - "values-certificates.gotmpl"
     condition: "certificates.enabled"
   - name: "redis"
-    chart: "bitnami/redis"
+    chart: "bitnami-repo/redis"
     version: "^17.9.3"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
     condition: "redis.enabled"
   - name: "postgresql"
-    chart: "postgresql/postgresql"
+    chart: "postgresql-repo/postgresql"
     version: "2.0.0"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
     condition: "postgresql.enabled"
   - name: "mariadb"
-    chart: "mariadb/mariadb"
+    chart: "mariadb-repo/mariadb"
     version: "2.0.0"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
     condition: "mariadb.enabled"
   - name: "postfix"
-    chart: "postfix/postfix"
+    chart: "postfix-repo/postfix"
     version: "1.13.0"
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
     condition: "postfix.enabled"
   - name: "clamav"
-    chart: "clamav/sovereign-workplace-clamav"
+    chart: "clamav-repo/sovereign-workplace-clamav"
     version: "2.1.0"
     values:
       - "values-clamav-distributed.gotmpl"
     condition: "clamavDistributed.enabled"
   - name: "clamav-simple"
-    chart: "clamav/clamav-simple"
+    chart: "clamav-repo/clamav-simple"
     version: "2.1.0"
     values:
       - "values-clamav-simple.gotmpl"
     condition: "clamavSimple.enabled"
   - name: "sovereign-workplace-gateway"
-    chart: "istio-resources/istio-gateway"
+    chart: "istio-resources-repo/istio-gateway"
     version: "1.1.2"
     values:
       - "values-istio-gateway.gotmpl"

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "univention-corporate-container"
+  - name: "univention-corporate-container-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" }}
 
 releases:
   - name: "univention-corporate-container"
-    chart: "univention-corporate-container/univention-corporate-container"
+    chart: "univention-corporate-container-repo/univention-corporate-container"
     version: "1.0.10"
     values:
       - "values.yaml"

helmfile/apps/xwiki/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "xwiki"
+  - name: "xwiki-repo"
-    url: "https://xwiki-contrib.github.io/xwiki-helm"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://xwiki-contrib.github.io/xwiki-helm" }}
 
 releases:
   - name: "xwiki"
-    chart: "xwiki/xwiki"
+    chart: "xwiki-repo/xwiki"
     version: "1.1.1"
     wait: true
     timeout: 600

helmfile/apps/xwiki/values-init.gotmpl

@@ -1,20 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-xwiki:
-  url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/"
-  superadmin:
-    username: "superadmin"
-    password: {{ .Values.secrets.xwiki.superadminpassword | quote }}
-
-image:
-  repository: "{{ .Values.images.xwikiInit.repository }}"
-  tag: "{{ .Values.images.xwikiInit.tag }}"
-...

helmfile/environments/default/cluster.gotmpl

@@ -19,6 +19,10 @@ cluster:
     domain: "cluster.local"
     # Kubernetes cluster network CIDR.
     cidr: "10.0.0.0/8"
+    # Ingress-gateway IP - only relevant for "NodePort" cluster services.
+    # When ingress and egress gateway use different ips, which results that pods can't self-discover their incoming ip,
+    # you need to provide the public (load-balanced) ingress gateways ip address.
+    ingressGatewayIP: ""
 
   container:
     # Used container engine in kubernetes cluster.

helmfile/environments/default/database.gotmpl

@@ -32,6 +32,12 @@ databases:
     name: "CONFIGDB"
     username: "root"
     password: ""
+  synapse:
+    host: "postgresql"
+    name: "matrix"
+    username: "matrix_user"
+    password: ""
+    port: 5432
   xwiki:
     name: "xwiki"
     host: "mariadb"

helmfile/environments/default/global.gotmpl

@@ -12,16 +12,14 @@ global:
   hosts:
     collabora: "collabora"
     dimension: "integration"
-    element: "ucc"
+    element: "chat"
     etherpad: "etherpad"
     intercomService: "ics"
-    jitsi: "av"
+    jitsi: "meet"
-    jitsiPlain: "jitsi"
     keycloak: "id"
     meetingWidgetsBot: "meeting-widgets-bot"
     meetingWidgets: "meeting-widgets"
     newWorkBoardWidget: "whiteboard-widget"
-    moodle: "learn"
     nextcloud: "fs"
     openproject: "project"
     openxchange: "webmail"
@@ -38,21 +36,11 @@ global:
 
   ## Define docker registry address.
   #
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}
 
   ## Credentials to fetch images from private registry
   ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
   #
   imagePullSecrets:
     - "external-registry"
-
-  ## Define internal kubernetes domain, usually svc.cluster.local
-  ## Workaround for calico with postfix
-  #
-  internalDomain: "svc.cluster.local"
-
-  ## Define internal kubernetes network for postfix
-  ## Attention: Mail from this network can be sent without authentication!
-  #
-  internalNetwork: "10.0.0.0/8"
 ...

helmfile/environments/default/images.gotmpl

@@ -12,7 +12,10 @@ images:
     tag: "23.05.2.2.1"
   dovecot:
     repository: "dovecot/dovecot"
-    tag: "2.3.20"
+    digest: "sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
+  element:
+    repository: "vectorim/element-web"
+    tag: "v1.11.35"
   freshclam:
     repository: "clamav/clamav"
     tag: "1.1.0_base"
@@ -48,11 +51,11 @@ images:
     repository: "souvap/tooling/images/ansible"
     tag: "4.10.0"
   keycloakExtensionHandler:
-    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler@sha256"
+    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
-    tag: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
+    digest: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
   keycloakExtensionProxy:
-    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy@sha256"
+    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
-    tag: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
+    digest: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
   mariadb:
     repository: "mariadb"
     tag: "10"
@@ -68,6 +71,9 @@ images:
   openproject:
     repository: "souvap/tooling/images/openproject/souvap"
     tag: "dev"
+  openxchangeBootstrap:
+    repository: "alpine/k8s"
+    digest: "sha256:199a4457602b4e260d9781358cd2e342f63c177f4bcfa8053493be01e57beddf"
   openxchangeCoreGuidedtours:
     repository: "appsuite-public-sector/core-guidedtours"
     tag: "8.5.0"
@@ -107,13 +113,19 @@ images:
   redis:
     repository: "bitnami/redis"
     tag: "7.0.12-debian-11-r0"
+  synapse:
+    repository: "matrixdotorg/synapse"
+    tag: "v1.87.0"
+  synapseWeb:
+    repository: "library/haproxy"
+    tag: "2.4"
   univentionCorporateServer:
-    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
+    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs@sha256"
-    tag: "20230806T234258"
+    tag: "286503f13726399284b49d4521f45fdbed81216875d78e76dcae20e0d8301f65"
+  wellKnown:
+    repository: "library/nginx"
+    tag: "1.23"
   xwiki:
     repository: "xwikisas/swp/xwiki"
     tag: "0.8-mariadb-tomcat"
-  xwikiInit:
-    repository: "curlimages/curl"
-    tag: "8.1.2"
 ...

helmfile/environments/default/persistence.gotmpl

@@ -19,6 +19,7 @@ persistence:
     postgresql: "1Gi"
     prosody: "1Gi"
     redis: "1Gi"
+    synapse: "1Gi"
     univentionCorporateServer: "1Gi"
     xwiki: "1Gi"
 ...

helmfile/environments/default/replicas.gotmpl

@@ -10,6 +10,7 @@ replicas:
   clamd: 1
   collabora: 1
   dovecot: 1
+  element: 2
   {{/* clamav-distributed */}}
   freshclam: 1
   {{/* clamav-distributed */}}
@@ -25,5 +26,8 @@ replicas:
   nextcloud: 1
   openproject: 1
   postfix: 1
+  synapse: 1
+  synapseWeb: 2
+  wellKnown: 2
   xwiki: 1
 ...

helmfile/environments/default/resources.gotmpl

@@ -14,17 +14,24 @@ resources:
   dovecot:
     limits:
       cpu: 0.5
-      memory: "0.25Gi"
+      memory: "250Mi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
+  element:
+    limits:
+      cpu: 1
+      memory: "250Mi"
+    requests:
+      cpu: 0.1
+      memory: "50Mi"
   freshclam:
     limits:
       cpu: 1
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
   icap:
     limits:
       cpu: 2
@@ -35,24 +42,24 @@ resources:
   jibri:
     limits:
       cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "125Mi"
   jicofo:
     limits:
       cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
   jitsi:
     limits:
       cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
   jitsiKeycloakAdapter:
     limits:
       cpu: "100m"
@@ -63,45 +70,45 @@ resources:
   jvb:
     limits:
       cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
   keycloak:
     limits:
       cpu: 2
       memory: "2Gi"
     requests:
       cpu: 0.1
-      memory: "0.75Gi"
+      memory: "750Mi"
   keycloakExtension:
     limits:
       cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
   keycloakBootstrap:
     limits:
       cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
     requests:
       cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
   keycloakProxy:
     limits:
       cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
   mariadb:
     limits:
       cpu: 2
       memory: "2Gi"
     requests:
       cpu: 0.1
-      memory: "0.5Gi"
+      memory: "500Mi"
   milter:
     limits:
       cpu: 4
@@ -115,49 +122,63 @@ resources:
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "0.5Gi"
+      memory: "500Mi"
   openproject:
     limits:
       cpu: 2
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
   oxConnector:
     limits:
       cpu: 2
       memory: "2Gi"
     requests:
       cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
   postfix:
     limits:
       cpu: 0.5
-      memory: "0.25Gi"
+      memory: "250Mi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
   postgresql:
     limits:
       cpu: 2
       memory: "1Gi"
     requests:
       cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
   prosody:
     limits:
       cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
   redis:
     limits:
       cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
     requests:
       cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
+  synapse:
+    limits:
+      cpu: 4
+      memory: "4Gi"
+    requests:
+      cpu: 1
+      memory: "2Gi"
+  synapseWeb:
+    limits:
+      cpu: 1
+      memory: "250Mi"
+    requests:
+      cpu: 0.1
+      memory: "50Mi"
   univentionCorporateServer:
     limits:
       cpu: 2
@@ -165,6 +186,13 @@ resources:
     requests:
       cpu: 0.5
       memory: "1Gi"
+  wellKnown:
+    limits:
+      cpu: 1
+      memory: "250Mi"
+    requests:
+      cpu: 0.1
+      memory: "50Mi"
   xwiki:
     limits:
       cpu: 2

helmfile/environments/default/secrets.gotmpl

@@ -40,7 +40,7 @@ secrets:
     clientSecret:
       intercom: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum) }}
       matrix: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum) }}
-      jitsiPlain: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
+      jitsi: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
       ncoidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum) }}
       openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum) }}
       xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum) }}
@@ -54,17 +54,6 @@ secrets:
     adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum) }}
   jitsi:
     synapseAsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "as_token" | sha1sum) }}
-    synapseHsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "hs_token" | sha1sum) }}
-    jicofoAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jicofo_auth" | sha1sum) }}
-    componentAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "component_auth" | sha1sum) }}
-    jvbAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jvb_auth" | sha1sum) }}
-    jigasiAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jigasi_auth" | sha1sum) }}
-    jibriUserAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_user_auth" | sha1sum) }}
-    jibriRecorderAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_recorder_auth" | sha1sum) }}
-    rageshakeListingPass: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "rageshakeListingPass" | sha1sum) }}
-    conferencemapperSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "conferencemapperSecret" | sha1sum) }}
-    jitsiFeedbackBackend: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jitsiFeedbackBackend" | sha1sum) }}
-  jitsiPlain:
     jwtAppSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jwtAppSecret" | sha1sum) }}
     jibriRecorderPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriRecorderPassword" | sha1sum) }}
     jibriXmppPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum) }}

helmfile/environments/default/workplace.gotmpl

@@ -15,6 +15,8 @@ collabora:
   enabled: true
 dovecot:
   enabled: true
+element:
+  enabled: true
 intercom:
   enabled: true
 jitsi: