chore(release): 0.2.7 [skip ci]

## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30) ### Bug Fixes * **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](387bd8715c))
fix(jitsi): Update Jitsi Helm chart to set the user's display name as default
2025-12-06 15:31:38 +01:00 · 2023-08-30 17:08:35 +00:00 · 2023-08-30 17:06:57 +00:00 · 2023-08-30 14:23:01 +00:00 · 2023-08-30 14:18:36 +00:00 · 2023-08-30 14:16:30 +00:00
67 changed files with 1438 additions and 418 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
-  - project: "souvap/tooling/gitlab-config"
+  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
    ref: "main"
    file:
      - "ci/common/lint.yml"
      - "ci/release-automation/semantic-release.yml"
-  - project: "souvap/devops/sovereign-workplace-env"
+  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    file: "gitlab/environments.yaml"
    rules:
      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
 stages:
  - ".pre"
@@ -20,22 +22,17 @@ stages:
  - "component-deploy-stage-2"
  - "tests"
  - "env-stop"
-  - "post"
+  - "generate-release-assets"
  - ".post"
 variables:
  NAMESPACE:
    description: "The name of namespaces to deploy to."
    value: ""
  CLUSTER:
-    description: "Define which cluster to use"
+    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
-    value: "develop"
+      sovereign-workplace-env included above."
-    options:
+    value: "dev"
      - "dev"
      - "qa"
      - "ref"
      - "develop"
      - "hubble"
      - "prototype"
  BASE_DOMAIN:
    description: "Define the Cluster Base Domain."
    value: "souvap.cloud"
@@ -78,6 +75,12 @@ variables:
    options:
      - "yes"
      - "no"
  DEPLOY_ELEMENT:
    description: "Enable Element deployment."
    value: "no"
    options:
      - "yes"
      - "no"
  DEPLOY_KEYCLOAK:
    description: "Enable Keycloak deployment."
    value: "no"
@@ -127,8 +130,7 @@ variables:
      - "yes"
      - "no"
  TESTS_PROJECT_URL:
-    description: "URL of the E2E-test gitlab project API with project ID."
+    description: "URL of the E2E-test Gitlab project API with project ID."
    value: "gitlab.souvap-univention.de/api/v4/projects/6"
  # please use the following set of variables with normalized names:
  DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
  ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -192,7 +194,7 @@ env-cleanup:
 env-start:
  environment:
    name: "${NAMESPACE}"
-    url: "https://portal.${NAMESPACE}.${SWP_DOMAIN}"
+    url: "https://portal.${DOMAIN}"
    on_stop: "env-stop"
  extends: ".deploy-common"
  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
@@ -278,6 +280,7 @@ keycloak-bootstrap-deploy:
 ox-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
  timeout: "30m"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -359,6 +362,18 @@ jitsi-deploy:
  variables:
    COMPONENT: "jitsi"
 element-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ELEMENT != "no")
      when: "always"
  variables:
    COMPONENT: "element"
 env-stop:
  extends: ".deploy-common"
  environment:
@@ -439,21 +454,88 @@ run-tests:
        -F "variables[components]=\"${COMPONENTS}\"" \
        https://${TESTS_PROJECT_URL}/trigger/pipeline
 generate-release-assets:
  stage: "generate-release-assets"
  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "always"
    - when: "never"
  script:
    - |
      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator
      cd opendesk-asset-generator
      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
      ./opendesk_asset_generator.py
      mv ./build_artefacts ${CI_PROJECT_DIR}
      cd ..
      rm -rf opendesk-asset-generator
      ls -l ./build_artefacts
  artifacts:
    paths:
      - "./build_artefacts/chart-index.json"
      - "./build_artefacts/image-index.json"
  tags: []
 # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
  cache: {}
 # Overwrite shared settings
 .common-semantic-release:
  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
-  except:
+  tags: []
    - "tags"
    - "web"
 common-yaml-linter:
-  except:
+  rules:
-    - "tags"
+    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
-    - "web"
+      when: "never"
    - when: "always"
 reuse-linter:
  allow_failure: false
-  except:
+  rules:
-    - "tags"
+    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
-    - "web"
+      when: "never"
    - when: "always"
 generate-release-version:
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false'"
      when: "always"
 release:
  dependencies:
    - "generate-release-assets"
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "always"
  script:
    - |
      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
      {
        "branches": ["main"],
        "plugins": [
          ["@semantic-release/gitlab",
            {
              "assets": [
                { "path": "./build_artefacts/chart-index.json",
                  "label": "Chart Index JSON" },
                { "path": "./build_artefacts/image-index.json",
                  "label": "Image Index JSON" },
              ]
            }
          ],
          "@semantic-release/release-notes-generator",
          "@semantic-release/changelog",
          ["@semantic-release/git", {
            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md"],
            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
          }]
        ]
      }
      EOF
    - "semantic-release"
 ...
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -0,0 +1,8 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: openDesk
 Upstream-Contact: <git+bmi-souveraener-arbeitsplatz-cla-1339-29pr0g9pj4or9yi6wfly6pbhg-issue@opencode.de>
 Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace
 Files: helmfile/environments/default/theme/*
 Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 License: Apache-2.0
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,125 @@
 ## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)
 ### Bug Fixes
 * **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/387bd8715c5a1cf54733c6642cf57c6ef9a44316))
 ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
 ### Bug Fixes
 * **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
 * **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
 * **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
 ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
 ### Bug Fixes
 * **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
 * **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
 * **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
 ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
 ### Bug Fixes
 * **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
 * **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
 ## [0.2.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.4...v0.2.5) (2023-08-30)
 ### Bug Fixes
 * **xwiki:** Theming and language of central navigation ([3d4d45f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3d4d45f7114e6e3bc353b8d6c5fdbcac4cb2460f))
 ## [0.2.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.3...v0.2.4) (2023-08-29)
 ### Bug Fixes
 * **element:** Apply the global theme to Element ([7f7eae8](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7f7eae8f99a6d8ad8085ad99c63af27b858ff9b7))
 ## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29)
 ### Bug Fixes
 * **ci:** Add central branding information ([a14c42f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/a14c42f6ed2e3d8e12af5d04cae1a4bb1336fb3d))
 ## [0.2.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.1...v0.2.2) (2023-08-16)
 ### Bug Fixes
 * **jitsi:** Allow configuration of LoadBalancer status field for patchJVB job ([7491582](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7491582c28c21e83a0bc6349fb68045472146aad))
 * **open-xchange:** Explicitly disable core-ui-middleware ingress ([06dc7a1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/06dc7a115d36841f1109f9e75aac844d934c2f4c))
 ## [0.2.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.0...v0.2.1) (2023-08-16)
 ### Bug Fixes
 * **keycloak:** Increase proxy-buffer-size for ingress-nginx ([d8adcc4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/d8adcc463adc8bec5a793a97977dddd89d7363cc))
 # [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)
 ### Bug Fixes
 * **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/4c21fd228654520bb71d56dc1bda96332334002b))
 ### Features
 * **helmfile:** Implement private image/chart registry variables ([5788323](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/57883236219811d2a5fc422649b4f9b042a0ac22))
 ## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15)
 ### Bug Fixes
 * **jitsi:** Update support for NodePort setups with different ingress/egress ips ([de25789](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/de257893d4ff2b3e8ea1d6988c6bdde5ed1eae9a))
 ## [0.1.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.0...v0.1.1) (2023-08-14)
 ### Bug Fixes
 * **open-xchange:** Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support ([53796da](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53796dae660463207a460b387b6f3dd23ce20cd0))
 * **open-xchange:** Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1 ([390f2de](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/390f2dee5226b83855a6cca8bf1c0d0f5647ee34))
 # [0.1.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.6...v0.1.0) (2023-08-14)
 ### Bug Fixes
 * **docs:** Typo ([ee684a7](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/ee684a78910ce721ea834e9ec2f4222ed37572c6))
 ### Features
 * **element:** Add element component ([5f0ca92](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/5f0ca92a058e51a27aa56e35ebcf2048bad88671))
 ## [0.0.6](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.5...v0.0.6) (2023-08-14)
 ### Bug Fixes
 * **open-xchange:** Functional mailboxes auth settings update in AppSuite and Dovecot ([53948ea](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/53948eae7648cc9785d2b8a813fc7e40b36aa3aa))
 ## [0.0.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.4...v0.0.5) (2023-08-11)
 ### Bug Fixes
 * **keycloak:** Improve digest image pinning ([b8a8932](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/b8a8932221ae4d6632c7d1f4a85f46fea01a92e7))
 ## [0.0.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.3...v0.0.4) (2023-08-11)
--- a/COMPONENTS-FUNCTIONAL.md
+++ b/COMPONENTS-FUNCTIONAL.md
@@ -17,7 +17,7 @@ Functional components are the core of the SWP as they provide it's rich function
 ## File & Share - Nextcloud
-## Kollaboration - dOnlineZusammenarbeit 2.0
+## Kollaboration - Element
 ## Videokonferenzen - Jitsi
@@ -25,4 +25,4 @@ Functional components are the core of the SWP as they provide it's rich function
 ## Project Management - OpenProject
-## IAM - Univention Corporate Services
+## Portal & IAM - Univention Corporate Services
--- a/COMPONENTS-SERVICE.md
+++ b/COMPONENTS-SERVICE.md
@@ -42,7 +42,7 @@ This service is used by:
 ## TURN Server
- dOZ 2.0
+This services is used by:
 - Jitsi
 ## NFS
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -9,17 +9,17 @@ Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/b
 # How to contribute?
-When providing contributes to this project, please adhere to the standards and conventions described in further down in this document. Doing so please feel free to create merge requests.
+When providing contributes to this project, please adhere to the standards and conventions described further down in this document. Doing so please feel free to create merge requests.
 # Standards and conventions
 ## Branching
-We use of [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
+We use [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
 ## Verified commits
-We only allow verify commits:
+We only allow verified commits:
 - https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/
 - https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/
 - https://docs.gitlab.com/ee/user/project/repository/x509_signed_commits/
@@ -80,7 +80,7 @@ Due to DVS requirements:
 - we should avoid stand alone Manifests.
 - we do not use Operators and CRDs.
-In order to align the Helm files from various sources into an unified deployment of the SWP we make use of to [Helmfile](https://github.com/helmfile/helmfile).
+In order to align the Helm files from various sources into an unified deployment of the SWP we make use of [Helmfile](https://github.com/helmfile/helmfile).
 ## Tooling
--- a/README.md
+++ b/README.md
@@ -8,10 +8,7 @@ SPDX-License-Identifier: Apache-2.0
 # Disclaimer August 2023
-The current state of the Sovereign Workplace misses the component
+The current state of the Sovereign Workplace contains components that are going to be
 _Element Starter Edition_ because it is not generally available yet.
 Also does the Sovereign Workplace contain components that are going to be
 replaced. Like for example the UCS dev container monolith will be substituted by
 multiple Univention Management Stack containers.
@@ -48,6 +45,15 @@ repository please use the [issues within this project](https://gitlab.opencode.d
 If you want to address other topics, please check the section
 ["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 # Releases
 All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
 Gitlab provides an [overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases) of this project.
 The following release artefacts are provided beside the default source code assets:
 - `chart-index.json`: An overview of all Helm charts used by the release.
 - `image-index.json`: An overview of all container images used by the release.
 # Deployment
 **Note for project members:** You can use the project's `dev` K8s cluster to set
@@ -67,8 +73,7 @@ These are the requirements of the Sovereign Workplace deployment:
 [HelmDiff](https://github.com/databus23/helm-diff)
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are
+- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
 working with Open-Xchange to get rid of this dependency.
 #### TLS Certificate
@@ -152,6 +157,16 @@ and wait a little. After the deployment is finished some bootstrapping is
 executed which might take some more minutes before you can log in your new
 instance.
 ## Offline deployment
 Before executing a [local deployment](#local-deployment), you can set following
 environment variables to use your own container image and helm chart registry:
 | name                         | description                    |
 |------------------------------|--------------------------------|
 | PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
 | PRIVATE_IMAGE_REGISTRY_URL   | Your image registry url        |
 ## Logging in
 When successfully deployed the SWP, all K8s jobs from the deployment should be
@@ -183,26 +198,27 @@ for development and evaluation purposes only - they need to be replaced in
 production deployments. These components are grouped together in the
 subdirectory `/helmfile/apps/services`.
-| Component                   | Name                                | Default | Description                  | Type       |
+| Component                   | Name                                | Default | Description                    | Type       |
-|-----------------------------|-------------------------------------|---------|------------------------------|------------|
+|-----------------------------|-------------------------------------|---------|--------------------------------|------------|
-| Certificates                | `certificates.enabled`              | `true`  | TLS certificates             | Eval       |
+| Certificates                | `certificates.enabled`              | `true`  | TLS certificates               | Eval       |
-| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine             | Eval       |
+| ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
-| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine             | Eval       |
+| ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
-| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                    | Functional |
+| Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
-| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                 | Functional |
+| Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
-| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange  | Functional |
+| Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
-| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing            | Functional |
+| Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
-| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider            | Functional |
+| Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing              | Functional |
-| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                     | Eval       |
+| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
-| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                   | Functional |
+| MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       | Eval       |
-| OpenProject                 | `openproject.enabled`               | `true`  | Project management           | Functional |
+| Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                     | Functional |
-| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                    | Functional |
+| OpenProject                 | `openproject.enabled`               | `true`  | Project management             | Functional |
-| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning         | Functional |
+| OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                      | Functional |
-| Postfix                     | `postfix.enabled`                   | `true`  | MTA                          | Eval       |
+| Provisioning                | `oxConnector.enabled`               | `true`  | Backend provisioning           | Functional |
-| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                     | Eval       |
+| Postfix                     | `postfix.enabled`                   | `true`  | MTA                            | Eval       |
-| Redis                       | `redis.enabled`                     | `true`  | Cache Database               | Eval       |
+| PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                       | Eval       |
-| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal | Functional |
+| Redis                       | `redis.enabled`                     | `true`  | Cache Database                 | Eval       |
-| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                | Functional |
+| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal   | Functional |
 | XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                  | Functional |
 #### Cluster capabilities
@@ -221,6 +237,12 @@ the application to your own database instances.
 | Component   | Name               | Type       | Parameter | Key                                    | Default                    |
 |-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
 | Element     | Synapse            | PostgreSQL |           |                                        |                            |
 |             |                    |            | Name      | `databases.synapse.name`               | `matrix`                   |
 |             |                    |            | Host      | `databases.synapse.host`               | `postgresql`               |
 |             |                    |            | Port      | `databases.synapse.port`               | `5432`                     |
 |             |                    |            | Username  | `databases.synapse.username`           | `matrix_user`              |
 |             |                    |            | Password  | `databases.synapse.password`           |                            |
 | Keycloak    | Keycloak           | PostgreSQL |           |                                        |                            |
 |             |                    |            | Name      | `databases.keycloak.name`              | `keycloak`                 |
 |             |                    |            | Host      | `databases.keycloak.host`              | `postgresql`               |
@@ -269,10 +291,14 @@ actual scalability of the components (see column `Scales at least to 2`).
 |             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
 | Element     | `replicas.element`     | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
 |             | `replicas.synapse`     | `1`     | :white_check_mark: | :x:                | not tested           |
 |             | `replicas.synapseWeb`  | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
 |             | `replicas.wellKnown`   | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
 | Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 |             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 |             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | tested               |
+|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | :x:                  |
 | Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
 | OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
@@ -354,7 +380,7 @@ flowchart TD
    A[OX AppSuite]-->L
    D[OX Dovecot]-->L
    P[Portal/Admin]-->L
-    O[OpenProject]-->|in 2023|L
+    O[OpenProject]-->L
    X[XWiki]-->|in 2023|L
    A-->K
    N-->K
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -15,6 +15,7 @@ helmfiles:
  - path: "helmfile/apps/nextcloud/helmfile.yaml"
  - path: "helmfile/apps/collabora/helmfile.yaml"
  - path: "helmfile/apps/jitsi/helmfile.yaml"
  - path: "helmfile/apps/element/helmfile.yaml"
  - path: "helmfile/apps/openproject/helmfile.yaml"
  - path: "helmfile/apps/xwiki/helmfile.yaml"
  - path: "helmfile/apps/provisioning/helmfile.yaml"
@@ -31,12 +32,15 @@ environments:
  default:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
  dev:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
      - "helmfile/environments/dev/values.yaml"
  prod:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
      - "helmfile/environments/prod/values.yaml"
 ...
--- a/helmfile/apps/collabora/helmfile.yaml
+++ b/helmfile/apps/collabora/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "collabora-online"
+  - name: "collabora-online-repo"
-    url: "https://collaboraonline.github.io/online"
+    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://collaboraonline.github.io/online" }}
 releases:
  - name: "collabora-online"
-    chart: "collabora-online/collabora-online"
+    chart: "collabora-online-repo/collabora-online"
    version: "1.0.2"
    values:
      - "values.yaml"
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -0,0 +1,46 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
  - name: "sovereign-workplace-element-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
 releases:
  - name: "sovereign-workplace-element"
    chart: "sovereign-workplace-element-repo/sovereign-workplace-element"
    version: "1.3.0"
    values:
      - "values-element.gotmpl"
    condition: "element.enabled"
  - name: "sovereign-workplace-well-known"
    chart: "sovereign-workplace-element-repo/sovereign-workplace-well-known"
    version: "1.3.0"
    values:
      - "values-well-known.yaml"
      - "values-well-known.gotmpl"
    condition: "element.enabled"
  - name: "sovereign-workplace-synapse-web"
    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse-web"
    version: "1.3.0"
    values:
      - "values-synapse-web.gotmpl"
    condition: "element.enabled"
  - name: "sovereign-workplace-synapse"
    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse"
    version: "1.3.0"
    values:
      - "values-synapse.gotmpl"
    condition: "element.enabled"
 commonLabels:
  deploy-stage: "component-1"
  component: "element"
 bases:
  - "../../bases/environments.yaml"
 ...
--- a/helmfile/apps/element/values-element.gotmpl
+++ b/helmfile/apps/element/values-element.gotmpl
@@ -0,0 +1,38 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: "{{ .Values.global.domain }}"
  registry: "{{ .Values.global.imageRegistry }}"
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  additionalConfiguration:
    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.element.repository }}"
  tag: "{{ .Values.images.element.tag }}"
 ingress:
  host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
  enabled: "{{ .Values.ingress.enabled }}"
  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
  tls:
    enabled: "{{ .Values.ingress.tls.enabled }}"
    secretName: "{{ .Values.ingress.tls.secretName }}"
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 replicaCount: {{ .Values.replicas.element }}
 resources:
  {{ .Values.resources.element | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-synapse-web.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.gotmpl
@@ -0,0 +1,31 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: "{{ .Values.global.domain }}"
  registry: "{{ .Values.global.imageRegistry }}"
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.synapseWeb.repository }}"
  tag: "{{ .Values.images.synapseWeb.tag }}"
 ingress:
  host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
  enabled: "{{ .Values.ingress.enabled }}"
  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
  tls:
    enabled: "{{ .Values.ingress.tls.enabled }}"
    secretName: "{{ .Values.ingress.tls.secretName }}"
 replicaCount: {{ .Values.replicas.synapseWeb }}
 resources:
  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-synapse.gotmpl
+++ b/helmfile/apps/element/values-synapse.gotmpl
@@ -0,0 +1,52 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: "{{ .Values.global.domain }}"
  registry: "{{ .Values.global.imageRegistry }}"
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.synapse.repository }}"
  tag: "{{ .Values.images.synapse.tag }}"
 configuration:
  database:
    host: "{{ .Values.databases.synapse.host }}"
    name: "{{ .Values.databases.synapse.name }}"
    user: "{{ .Values.databases.synapse.username }}"
    password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
  homeserver:
    oidc:
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
    turn:
      sharedSecret: {{ .Values.turn.credentials }}
      servers:
        {{- if .Values.turn.tls.host }}
        - server: {{ .Values.turn.tls.host }}
          port: {{ .Values.turn.tls.port }}
          transport: {{ .Values.turn.transport }}
        {{- else if .Values.turn.server.host }}
        - server: {{ .Values.turn.server.host }}
          port: {{ .Values.turn.server.port }}
          transport: {{ .Values.turn.transport }}
        {{- end }}
 persistence:
  size: "{{ .Values.persistence.size.synapse }}"
  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
 replicaCount: {{ .Values.replicas.synapse }}
 resources:
  {{ .Values.resources.synapse | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-well-known.gotmpl
+++ b/helmfile/apps/element/values-well-known.gotmpl
@@ -0,0 +1,31 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: "{{ .Values.global.domain }}"
  registry: "{{ .Values.global.imageRegistry }}"
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.wellKnown.repository }}"
  tag: "{{ .Values.images.wellKnown.tag }}"
 ingress:
  host: "{{ .Values.global.domain }}"
  enabled: "{{ .Values.ingress.enabled }}"
  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
  tls:
    enabled: "{{ .Values.ingress.tls.enabled }}"
    secretName: "{{ .Values.ingress.tls.secretName }}"
 replicaCount: {{ .Values.replicas.wellKnown }}
 resources:
  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-well-known.yaml
+++ b/helmfile/apps/element/values-well-known.yaml
@@ -0,0 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  e2ee:
    forceDisable: true
 ...
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "intercom-service"
+  - name: "intercom-service-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
+    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable" }}
 releases:
  - name: "intercom-service"
-    chart: "intercom-service/intercom-service"
+    chart: "intercom-service-repo/intercom-service"
    version: "1.1.3"
    values:
      - "values.yaml"
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "jitsi"
+  - name: "jitsi-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
+    oci: true
-
+    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
 releases:
  - name: "jitsi"
-    chart: "jitsi/sovereign-workplace-jitsi"
+    chart: "jitsi-repo/sovereign-workplace-jitsi"
-    version: "1.1.0"
+    version: "1.4.1"
    values:
      - "values-jitsi.gotmpl"
    condition: "jitsi.enabled"
--- a/helmfile/apps/jitsi/values-jitsi.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.gotmpl
@@ -17,10 +17,13 @@ image:
  tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
 settings:
-  jwtAppSecret: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+  jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 jitsi:
-  publicURL: "https://{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+  publicURL: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
  web:
    replicaCount: {{ .Values.replicas.jitsi }}
    image:
@@ -30,13 +33,13 @@ jitsi:
      enabled: "{{ .Values.ingress.enabled }}"
      ingressClassName: "{{ .Values.ingress.ingressClassName }}"
      hosts:
-        - host: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+        - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
          paths:
            - "/"
      tls:
        - secretName: "{{ .Values.ingress.tls.secretName }}"
          hosts:
-            - "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+            - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
    extraEnvs:
      TURN_ENABLE: "1"
    resources:
@@ -51,11 +54,11 @@ jitsi:
    {{- end }}
    extraEnvs:
      - name: "AUTH_TYPE"
-        value: "jwt"
+        value: "hybrid_matrix_token"
      - name: "JWT_APP_ID"
        value: "myappid"
      - name: "JWT_APP_SECRET"
-        value: "{{ .Values.secrets.jitsiPlain.jwtAppSecret }}"
+        value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
      - name: TURNS_HOST
        value: "{{ .Values.turn.tls.host }}"
      - name: TURNS_PORT
@@ -79,8 +82,8 @@ jitsi:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
      tag: "{{ .Values.images.jicofo.tag }}"
    xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jicofoAuthPassword }}"
+      password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
-      componentSecret: "{{ .Values.secrets.jitsiPlain.jicofoComponentPassword }}"
+      componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
    resources:
      {{ .Values.resources.jicofo | toYaml | nindent 6 }}
  jvb:
@@ -89,7 +92,7 @@ jitsi:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
      tag: "{{ .Values.images.jvb.tag }}"
    xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jvbAuthPassword }}"
+      password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
    resources:
      {{ .Values.resources.jvb | toYaml | nindent 6 }}
    service:
@@ -100,9 +103,9 @@ jitsi:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
      tag: "{{ .Values.images.jibri.tag }}"
    recorder:
-      password: "{{ .Values.secrets.jitsiPlain.jibriRecorderPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
    xmpp:
-      password: "{{ .Values.secrets.jitsiPlain.jibriXmppPassword }}"
+      password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
    resources:
      {{ .Values.resources.jibri | toYaml | nindent 6 }}
  imagePullSecrets:
@@ -111,6 +114,9 @@ jitsi:
  {{- end }}
 patchJVB:
  configuration:
    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
--- a/helmfile/apps/keycloak-bootstrap/helmfile.yaml
+++ b/helmfile/apps/keycloak-bootstrap/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-keycloak-bootstrap"
+  - name: "sovereign-workplace-keycloak-bootstrap-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
+    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable" }}
 releases:
  - name: "sovereign-workplace-keycloak-bootstrap"
-    chart: "sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
+    chart: "sovereign-workplace-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
    version: "1.1.11"
    values:
      - "values-bootstrap.gotmpl"
--- a/helmfile/apps/keycloak/helmfile.yaml
+++ b/helmfile/apps/keycloak/helmfile.yaml
@@ -2,22 +2,29 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "bitnami"
+  - name: "bitnami-repo"
-    url: "https://charts.bitnami.com/bitnami"
+    oci: true
-  - name: "keycloak-theme"
+    url: >-
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-  - name: "keycloak-extensions"
+         default "registry-1.docker.io/bitnamicharts" }}
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
+  - name: "keycloak-theme-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable" }}
  - name: "keycloak-extensions-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
 releases:
  - name: "keycloak-theme"
-    chart: "keycloak-theme/sovereign-workplace-theme"
+    chart: "keycloak-theme-repo/sovereign-workplace-theme"
-    version: "1.0.0"
+    version: "1.1.0"
    values:
      - "values-theme.gotmpl"
    condition: "keycloak.enabled"
  - name: "keycloak"
-    chart: "bitnami/keycloak"
+    chart: "bitnami-repo/keycloak"
    version: "12.2.0"
    values:
      - "values-keycloak.gotmpl"
@@ -26,7 +33,7 @@ releases:
    wait: true
    condition: "keycloak.enabled"
  - name: "keycloak-extensions"
-    chart: "keycloak-extensions/keycloak-extensions"
+    chart: "keycloak-extensions-repo/keycloak-extensions"
    version: "0.1.0"
    needs:
      - "keycloak"
--- a/helmfile/apps/keycloak/values-extensions.gotmpl
+++ b/helmfile/apps/keycloak/values-extensions.gotmpl
@@ -18,7 +18,11 @@ handler:
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
 {{- if .Values.images.keycloakExtensionHandler.digest }}
    sha256: "{{ .Values.images.keycloakExtensionHandler.digest}}"
 {{- else if .Values.images.keycloakExtensionHandler.tag }}
    tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
 {{- end }}
    imagePullPolicy: "Always"
  appConfig:
    smtpPassword: "{{ .Values.smtp.password }}"
@@ -31,13 +35,18 @@ proxy:
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
 {{- if .Values.images.keycloakExtensionProxy.digest }}
    sha256: "{{ .Values.images.keycloakExtensionProxy.digest}}"
 {{- else if .Values.images.keycloakExtensionProxy.tag }}
    tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
 {{- end }}
    imagePullPolicy: "Always"
  ingress:
    enabled: "{{ .Values.ingress.enabled }}"
    ingressClassName: "{{ .Values.ingress.ingressClassName }}"
    annotations:
      nginx.org/proxy-buffer-size: "8k"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    tls:
      enabled: "{{ .Values.ingress.tls.enabled }}"
--- a/helmfile/apps/keycloak/values-keycloak-idp.yaml
+++ b/helmfile/apps/keycloak/values-keycloak-idp.yaml
@@ -116,9 +116,9 @@ keycloakConfigCli:
            "enabled": true,
            "alwaysDisplayInConsole": false,
            "clientAuthenticatorType": "client-secret",
-            "secret": "$(CLIENT_SECRET_JITSI_PLAIN_PASSWORD)",
+            "secret": "$(CLIENT_SECRET_JITSI_PASSWORD)",
            "redirectUris": [
-              "https://$(JITSI_PLAIN_DOMAIN)/*"
+              "https://$(JITSI_DOMAIN)/*"
            ],
            "webOrigins": [
              "*"
@@ -135,7 +135,7 @@ keycloakConfigCli:
            "frontchannelLogout": true,
            "protocol": "openid-connect",
            "attributes": {
-              "post.logout.redirect.uris": "https://$(JITSI_PLAIN_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
+              "post.logout.redirect.uris": "https://$(JITSI_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
            },
            "authenticationFlowBindingOverrides": {},
            "fullScopeAllowed": true,
--- a/helmfile/apps/keycloak/values-keycloak.gotmpl
+++ b/helmfile/apps/keycloak/values-keycloak.gotmpl
@@ -55,8 +55,8 @@ keycloakConfigCli:
      value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
    - name: "MATRIX_DOMAIN"
      value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
-    - name: "JITSI_PLAIN_DOMAIN"
+    - name: "JITSI_DOMAIN"
-      value: "{{ .Values.global.hosts.jitsiPlain }}.{{ .Values.global.domain }}"
+      value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
    - name: "ELEMENT_DOMAIN"
      value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
    - name: "INTERCOM_SERVICE_DOMAIN"
@@ -65,8 +65,8 @@ keycloakConfigCli:
      value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
    - name: "CLIENT_SECRET_MATRIX_PASSWORD"
      value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
-    - name: "CLIENT_SECRET_JITSI_PLAIN_PASSWORD"
+    - name: "CLIENT_SECRET_JITSI_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.jitsiPlain }}
+      value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
    - name: "CLIENT_SECRET_NCOIDC_PASSWORD"
      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
    - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
--- a/helmfile/apps/keycloak/values-theme.gotmpl
+++ b/helmfile/apps/keycloak/values-theme.gotmpl
@@ -7,4 +7,7 @@ global:
  domain: "{{ .Values.global.domain }}"
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -2,15 +2,19 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
+  - name: "sovereign-workplace-nextcloud-bootstrap-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
+    url: >-
-  - name: "nextcloud"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "https://nextcloud.github.io/helm/"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable" }}
  - name: "nextcloud-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://nextcloud.github.io/helm/" }}
 releases:
  - name: "sovereign-workplace-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
+    chart: "sovereign-workplace-nextcloud-bootstrap-repo/sovereign-workplace-nextcloud-bootstrap"
-    version: "2.2.0"
+    version: "2.3.0"
    wait: true
    waitForJobs: true
    values:
@@ -20,7 +24,7 @@ releases:
    timeout: 1800
  - name: "nextcloud"
-    chart: "nextcloud/nextcloud"
+    chart: "nextcloud-repo/nextcloud"
    version: "3.5.19"
    needs:
      - "sovereign-workplace-nextcloud-bootstrap"
--- a/helmfile/apps/nextcloud/values-bootstrap.gotmpl
+++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
@@ -64,4 +64,7 @@ persistence:
 resources:
  {{ .Values.resources.nextcloud | toYaml | nindent 2 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/nextcloud/values-bootstrap.yaml
+++ b/helmfile/apps/nextcloud/values-bootstrap.yaml
@@ -11,6 +11,9 @@ config:
    userOidc:
      username: "ncoidc"
  ldapSearch:
    host: "univention-corporate-container"
 cleanup:
  deletePodsOnSuccess: false
 ...
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -2,32 +2,40 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "dovecot"
+  - name: "dovecot-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
+    url: >-
-  - name: "openxchange"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "registry.open-xchange.com"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable" }}
  - name: "openxchange-repo"
    oci: true
-  - name: "sovereign-workplace-open-xchange-bootstrap"
+    url: >-
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "registry.open-xchange.com" }}
  - name: "sovereign-workplace-open-xchange-bootstrap-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable" }}
 releases:
  - name: "dovecot"
-    chart: "dovecot/dovecot"
+    chart: "dovecot-repo/dovecot"
-    version: "1.2.0"
+    version: "1.3.1"
    values:
      - "values-dovecot.yaml"
      - "values-dovecot.gotmpl"
    condition: "dovecot.enabled"
  - name: "open-xchange"
-    chart: "openxchange/appsuite-public-sector/charts/appsuite-public-sector"
+    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
    version: "1.2.13"
    values:
      - "values-openxchange.yaml"
      - "values-openxchange.gotmpl"
      - "values-openxchange-enterprise-contact-picker.yaml"
      - "values-openxchange-enterprise-contact-picker.gotmpl"
    condition: "oxAppsuite.enabled"
  - name: "sovereign-workplace-open-xchange-bootstrap"
-    chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
+    chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
-    version: "1.2.2"
+    version: "1.3.1"
    values:
      - "values-openxchange-bootstrap.yaml"
    condition: "oxAppsuite.enabled"
--- a/helmfile/apps/open-xchange/values-dovecot.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.gotmpl
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  url: "{{ .Values.images.dovecot.repository }}"
-  tag: "{{ .Values.images.dovecot.tag }}"
+  digest: "{{ .Values.images.dovecot.digest }}"
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
@@ -0,0 +1,15 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
  digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
 {{- end }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml
@@ -2,22 +2,5 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: false
+  deletePodsOnSuccess: true
 # resources:
 #   limits:
 #     # The max amount of CPUs to consume.
 #     cpu: 1
 #     # The max amount of RAM to consume.
 #     memory: "1Gi"
 #   requests:
 #     # The amount of CPUs which has to be available on the scheduled node.
 #     cpu: 1
 #     # The amount of RAM which has to be available on the scheduled node.
 #     memory: "256Mi"
 # Keep default values:
 # coreMiddleware:
 #   statefulSet: "open-xchange-core-mw-default-0"
 #   pod: "open-xchange-core-mw-default-0"
 ...
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
@@ -0,0 +1,14 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 appsuite:
  core-mw:
    secretYAMLFiles:
      ldap-client-config.yml:
        contactsLdapClient:
          auth:
            adminDN:
              password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml
@@ -0,0 +1,349 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 appsuite:
  core-mw:
    properties:
      # Enterprise contact picker
      com.openexchange.contacts.ldap.accounts: "opendesk"
      com.openexchange.admin.bypassAccessCombinationChecks: "true"
      ENABLE_INTERNAL_USER_EDIT: "false"
    # Enterprise contact picker (see also gotmpl)
    secretYAMLFiles:
      ldap-client-config.yml:
        contactsLdapClient:
          pool:
            type: "simple"
            host:
              address: "univention-corporate-container"
              port: 389
          auth:
            type: "adminDN"
            adminDN:
              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
    uiSettings:
      # Enterprise contact picker
      io.ox/core//features/enterprisePicker/enabled: "true"
    yamlFiles:
      contacts-provider-ldap.yml:
        # Example definitions of available LDAP contact providers, together with their corresponding configuration,
        # referenced LDAP client connection settings and attribute mappings.
        #
        # This template contains examples and will be overwritten during updates. To use, copy this file to
        # /opt/open-xchange/etc/contacts-provider-ldap.yml and configure as needed.
        #
        # Each configured contacts provider can be enabled for users using the corresponding identifier used in this
        # .yml file. For this purpose, the config-cascade-enabled setting "com.openexchange.contacts.provider.ldap"
        # is available.
        #
        # Besides the provider configuration in this file, also accompanying LDAP client and contact property mappings
        # need to be referenced.
        #
        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
        # for further details and a complete list of available configuration options.
        #
        # Key will be used as identifier for the contact provider
        opendesk:
          # The display name of this contacts provider.
          name: "Example Address Lists"
          # Configures the identifier of the LDAP client configuration settings to use, as defined in
          # 'ldap-client-config.yml'. There, all further connection-related properties to access the LDAP server can
          # be specified.
          ldapClientId: "contactsLdapClient"
          # A reference to the contact property <-> LDAP attribute mapping definitions to use, referencing the
          # corresponding entry in the file 'contact-provider-ldap-mappings.yml'.
          mappings: "ucs"
          # Specifies if support for querying deleted objects is enabled or not. When enabled, deleted objects are
          # identified with the filter 'isDeleted=TRUE', which is usually only available in Active Directory (as
          # control with OID 1.2.840.113556.1.4.417). If disabled, no results are available for folders from this
          # provider for the 'deleted' API call, and therefore no incremental synchronizations are possible. See also
          # 'usedForSync' folders property. Defaults to "false".
          isDeletedSupport: false
          # Specifies the requested maximum size for paged results. "0" disables paged results. This should be
          #  configured, especially when the there are server-side restrictions towards the maximum result size.
          # Defaults to "500".
          maxPageSize: 500
          # Optionally enables a local cache that holds certain properties of all of the provider's contacts in
          # memory to speed up access. Can only be used if no individual authentication is used to access the
          # LDAP server.
          cache:
            useCache: false
          # Definition of addressbook folders of the contacts provider. Different folder modes are possible, each
          # one with its specific configuration settings. The template contains examples for all possible modes,
          # however, only the one specified through 'mode' property is actually used.
          folders:
            # Configures in which mode addressbook folders are provided by the contacts provider. Possible modes
            # are "fixedAttributes" to have a common search filter per folder that varies by a fixed set of possible
            # attribute values, "dynamicAttributes" to use a common filter and retrieve all possible values
            # dynamically, or "static" to have a static search filter associated with each contact folder.
            # The corresponding mode-specific section needs to be configured as well.
            mode: "dynamicAttributes"
            # Configures if the addressbook folders can be synchronized to external clients via CardDAV or not.
            # If set to "false", the folders are only available in the web client. If set to "true", folders can
            # be activated for synchronization. Should only be enabled if attribute mappings for the 'changing_date'
            # and 'uid' contact properties are available, and the LDAP server supports the special
            # "LDAP Show Deleted Control" to query tombstone entries via 'isDeleted=TRUE'. The 'protected' flag
            # controls whether the default value can be changed by the client or not.
            usedForSync:
              protected: true
              defaultValue: false
            # Defines whether addressbook folders will be available in the contact picker dialog of App Suite.
            # If enabled, contacts from this provider can be looked up through this dialog, otherwise they are
            # hidden. The 'protected' flag controls whether the default value can be changed by the client or not.
            usedInPicker:
              protected: false
              defaultValue: true
            # Defines whether addressbook folders will be shown as 'subscribed' folders in the tree or not.
            # If enabled, the folders will appear in the contacts module of App Suite as regular, subscribed folder.
            # Otherwise, they're treated as hidden, unsubscribed folders. The 'protected' flag controls whether
            # the default value can be changed by the client or not.
            shownInTree:
              protected: false
              defaultValue: true
            # In "static" folder mode, a fixed list of folder definitions is used, each one with its own contact
            # filter and name (the names must be unique). Additionally, a "commonContactFilter" needs to be
            # defined, which is used for operations that are not bound to
            # a specific folder, like lookups across all visible folders.
            # The filter's search scopes relative to the LDAP client's 'baseDN' can be configured as "one"
            # (only immediate subordinates) or "sub" (base entry itself and any subordinate entries to any depth),
            # and all default to "sub" unless specified otherwise.
            static:
              commonContactFilter: "(|(objectClass=person)(objectClass=groupOfNames))"
              commonContactSearchScope: "sub"
              folders:
                - name: "Cupertino"
                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Cupertino))"
                  contactSearchScope: "sub"
                - name: "San Mateo"
                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=San Mateo))"
                  contactSearchScope: "sub"
                - name: "Redwood Shores"
                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Redwood Shores))"
                  contactSearchScope: "sub"
                - name: "Armonk"
                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Armonk))"
                  contactSearchScope: "sub"
            # With mode "dynamic attributes", all possible values for one attribute are fetched periodically and
            # serve as folders. The list of values is fetched by querying all entries that match the
            # "contactFilterTemplate" (with the wildcard "*" as value) and "contactSearchScope" ("one"/"sub").
            # Then, the folders are derived based on all distinct attribute values found, with the value as name.
            # Depending on the configured authentication mode, this is either done per user individually, or globally.
            # Therefore, per-user authentication is not recommend in this mode.
            # The "refreshInterval" determines how often the list of attributes is refreshed, and can be defined
            # using units of measurement:
            # "D" (=days), "W" (=weeks), "H" (=hours) and "m" (=minutes). Defaults to "1h". The optional "sortOrder"
            # allows to sort the attributes lexicographically, either "ascending" or "descending".
            dynamicAttributes:
              attributeName: "o"
              contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
              contactSearchScope: "sub"
              # refreshInterval: 1h
              refreshInterval: "5m"
              sortOrder: "ascending"
            # With mode "fixed attributes", all entries matching a filter and having an attribute set to one of the
            # defined values do form a folder. Works similar to "dynamic attributes", but with a static list of
            # possible values.
            # All items defined in the "attributeValues" array are used as folder (with the value as name). When
            # listing the contents of a specific folder, this folder's specific attribute value is inserted in the
            # configured "contactFilterTemplate", using the "contactSearchScope" ("one"/"sub").
            fixedAttributes:
              contactFilterTemplate: "(&(|(objectClass=person)(objectClass=groupOfNames))(ou=[value]))"
              contactSearchScope: "sub"
              attributeValues:
                - "Janitorial"
                - "Product Development"
                - "Management"
                - "Human Resources"
      contacts-provider-ldap-mappings.yml:
        # Example definitions of contact property <-> LDAP attribute mappings.
        #
        # This template contains examples and will be overwritten during updates. To use, copy this file to
        # /opt/open-xchange/etc/contacts-provider-ldap-mappings.yml and configure as needed.
        #
        # Each configured set of mappings can be used for an LDAP contact provider (as defined through separate
        # file contacts-provider-ldap.yml), by using the corresponding identifier used in this .yml file.
        #
        # Generally, contact properties are set based on an entry's value of the mapped LDAP attribute name.
        # Empty mappings are ignored. It's possible to define a second LDAP attribute name for a property that is
        # used as fall-back if the first one is empty in an LDAP result, e.g. to define multiple attributes for a
        # display name, or to have multiple mappings for contacts and distribution lists.
        #
        # For the data-types, each LDAP attribute value is converted/parsed to the type necessary on the server
        # (Strings, Numbers, Booleans). Dates are assumed to be in UTC and parsed using the pattern 'yyyyMMddHHmmss'.
        # Binary properties may be indicated by appending ';binary' to the LDAP attribute name. In order to assign
        # the internal user- and context identifier based on attributes yielding the corresponding
        # login information (username / contextname), the special appendix ';logininfo' can be used.
        # Boolean properties may also be set based on a comparison with the LDAP attribute value, which is defined
        # by the syntax '[LDAP_ATTRIBUTE_NAME]=[EXPECTED_VALUE]', e.g. to set the 'mark_as_distribution_list'
        # property based on a specific 'objectClass' value.
        # Alternatively, a Boolean value may also be assigned based on the the existence of any attribute value
        # using '*'.
        #
        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
        # for further details and a complete list of available configuration options.
        #
        # Mappings for a typical OpenLDAP server.
        ucs:
          # == ID Mappings =======================================================
          # The object ID is always required and must be unique for the LDAP server. Will use the DN of the entry
          # unless overridden.
          # The 'guid' flag can be passed along to properly decode a Microsoft GUID. For 'regular' UUIDs, the
          # flag 'binary' should be used.
          objectid: "uidNumber,gidNumber"
          # The user and context identifiers can be mapped to certain LDAP attributes to aid resolving contact
          # entries to internal users, e.g. in scenarios where the default global addressbook folder is disabled.
          # Will only be considered if an entry's context identifier matches the one from the actual session of
          # the requesting operation.
          # If used, they should be mapped to attributes that provide the matching rules "integerMatch" for
          # "EQUALITY" as well as "integerOrderingMatch" for "ORDERING".
          # Alternatively, if no internal context- or user identifier is available, also attributes yielding
          # the corresponding login information (username / contextname) can be used by appending ';logininfo'
          # to the attribute name.
          internal_userid: "uid;logininfo"
          contextid: "oxContextIDNum"
          # The 'guid' flag can be passed along properly decode a Microsoft GUID. For 'regular' UUIDs in binary
          # format, the flag 'binary' should be used.
          # uid                   : entryUUID;binary;logininfo
          # == String Mappings ===================================================
          displayname: "oxDisplayName,displayName,name"
          file_as: "oxDisplayName,displayName,name"
          givenname: "givenName"
          surname: "sn"
          email1: "mailPrimaryAddress"
          department: "oxDepartment,department"
          company: "oxCompany,o"
          branches: "oxBranches"
          # business_category     :
          postal_code_business: "postalCode"
          state_business: "oxStateBusiness,st"
          street_business: "streetAddress"
          # telephone_callback    :
          city_home: "oxCityHome"
          commercial_register: "oxCommercialRegister"
          country_home: "oxCountryHome"
          email2: "oxEmail2"
          email3: "oxEmail3"
          employeetype: "employeeType"
          fax_business: "oxFaxBusiness,facsimileTelehoneNumber"
          fax_home: "oxFaxHome"
          fax_other: "oxFaxOther"
          instant_messenger1: "oxInstantMessenger1"
          instant_messenger2: "oxInstantMessenger2"
          telephone_ip: "oxTelephoneIp"
          telephone_isdn: "internationaliSDNNumber"
          marital_status: "oxMaritalStatus"
          cellular_telephone1: "mobile"
          # cellular_telephone2   :
          nickname: "oxNickName"
          number_of_children: "oxNumOfChildren"
          number_of_employee: "employeeNumber"
          note: "oxNote,description"
          telephone_pager: "oxTelephonePager,pager"
          telephone_assistant: "oxTelephoneAssistant"
          telephone_business1: "oxTelephoneBusiness1,telephoneNumber"
          telephone_business2: "oxTelephoneBusiness2"
          telephone_car: "oxTelephoneCar"
          telephone_company: "oxTelephoneCompany"
          telephone_home1: "oxTelephoneHome1,homePhone"
          telephone_home2: "oxTelephoneHome2"
          telephone_other: "oxTelephoneOther"
          postal_code_home: "oxPostalCodeHome"
          # telephone_radio       :
          room_number: "roomNumber"
          sales_volume: "oxSalesVolume"
          city_other: "oxCityOther"
          country_other: "oxCountryOther"
          middle_name: "oxMiddleName,middleName"
          postal_code_other: "oxPostalCodeOther"
          state_other: "oxStateOther"
          street_other: "oxStreetOther"
          spouse_name: "oxSpouseName"
          state_home: "oxStateHome"
          street_home: "oxStreetHome"
          suffix: "oxSuffix"
          tax_id: "oxTaxId"
          telephone_telex: "oxTelephoneTelex,telexNumber"
          telephone_ttytdd: "oxTelephoneTtydd"
          url: "oxUrl,wWWHome"
          userfield01: "oxUserfiels01"
          userfield02: "oxUserfiels02"
          userfield03: "oxUserfiels03"
          userfield04: "oxUserfiels04"
          userfield05: "oxUserfiels05"
          userfield06: "oxUserfiels06"
          userfield07: "oxUserfiels07"
          userfield08: "oxUserfiels08"
          userfield09: "oxUserfiels09"
          userfield10: "oxUserfiels10"
          userfield11: "oxUserfiels11"
          userfield12: "oxUserfiels12"
          userfield13: "oxUserfiels13"
          userfield14: "oxUserfiels14"
          userfield15: "oxUserfiels15"
          userfield16: "oxUserfiels16"
          userfield17: "oxUserfiels17"
          userfield18: "oxUserfiels18"
          userfield19: "oxUserfiels19"
          userfield20: "oxUserfiels20"
          city_business: "l"
          country_business: "oxCountryBusiness,country"
          # telephone_primary     :
          # categories            :
          title: "title"
          position: "oxPosition"
          profession: "oxProfession"
          # == Date Mappings =====================================================
          birthday: "oxBirthday"
          anniversary: "oxAnniversary"
          # The last-modified and creation dates are required by the groupware server, therefore an implicit
          # default date is assumed when no LDAP attribute is mapped here, and no results are available for this
          # folder for the 'modified' and 'deleted' API calls. Therefore, any synchronization-based usage will
          # not be available.
          lastmodified: "modifyTimestamp"
          creationdate: "createTimestamp"
          # == Misc Mappings =====================================================
          # Distribution list members are resolved dynamically using the DNs found in the mapped LDAP attribute.
          # Alternatively, if the attribute value does not denote a DN reference, the value is assumed to be the
          # plain email address of the member.
          distributionlist: "memberUid"
          # Special mapping where the value is evaluated using a string comparison with, or the existence of
          # the attribute value.
          markasdistributionlist: "objectClass=posixGroup"
          # The values for the for assistant- and manager name mappings are either used as-is, or get resolved
          # dynamically using the DNs found
          # in the mapped LDAP attribute.
          assistant_name: "secretary"
          manager_name: "oxManagerName,manager"
          # Contact image, binary format is expected.
          image1: "jpegPhoto"
          # Special mapping where the value is evaluated using a string comparison with, or the existence of
          # the attribute value.
          number_of_images: "jpegPhoto=*"
          # Will be set internally if not defined.
          # image_last_modified   :
          # Will be set automatically to "image/jpeg" if not defined.
          # image1_content_type   :
--- a/helmfile/apps/open-xchange/values-openxchange.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.gotmpl
@@ -76,6 +76,16 @@ appsuite:
    uiSettings:
      "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
      "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
      # Dynamic theme
      io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
      io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
      io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
      io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
      io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
      io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
      io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
      io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
    secretETCFiles:
      # Format of the OX Guard master key:
      # MC+base64(20 random bytes)
@@ -108,6 +118,7 @@ appsuite:
    ingress:
      hosts:
        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
      enabled: false
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml
@@ -63,8 +63,11 @@ appsuite:
      com.openexchange.capability.guard-mail: "true"
      com.openexchange.capability.public-sector: "true"
      com.openexchange.capability.smime: "true"
      com.openexchange.capability.share_links: "false"
      com.openexchange.capability.invite_guests: "false"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
      com.openexchange.mail.transport.secondary.authType: "xoauth2"
      # Nextcloud integration
      com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
      com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
@@ -92,6 +95,8 @@ appsuite:
        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
    uiSettings:
      io.ox/dynamic-theme//logoWidth: "82"
      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
      # Resources
      io.ox/core//features/resourceCalendars: "true"
      io.ox/core//features/managedResources: "true"
@@ -106,18 +111,6 @@ appsuite:
      # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
      io.ox/core//apps/quickLaunchCount: "0"
      io.ox/core//coloredIcons: "false"
      # Dynamic theme
      io.ox/dynamic-theme//mainColor: "#004B76"
      io.ox/dynamic-theme//logoURL: "io.ox.public-sector/logo.svg"
      io.ox/dynamic-theme//logoWidth: "80"
      io.ox/dynamic-theme//topbarBackground: "#fff"
      io.ox/dynamic-theme//topbarColor: "#1f1f1f"
      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
      io.ox/dynamic-theme//listSelected: "#ADC8F0"
      io.ox/dynamic-theme//listHover: "#ddd"
      io.ox/dynamic-theme//folderBackground: "#fff"
      io.ox/dynamic-theme//folderSelected: "#ADC8F0"
      io.ox/dynamic-theme//folderHover: "#ddd"
    asConfig:
      default:
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "openproject"
+  - name: "openproject-repo"
-    url: "https://charts.openproject.org"
+    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://charts.openproject.org" }}
 releases:
  - name: "openproject"
-    chart: "openproject/openproject"
+    chart: "openproject-repo/openproject"
    version: "1.8.0"
    values:
      - "values.yaml"
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -59,6 +59,8 @@ environment:
  OPENPROJECT_SMTP__PORT: "587" # (default=587)
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
  OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
 persistence:
  size: "{{ .Values.persistence.size.openproject }}"
@@ -68,4 +70,5 @@ replicaCount: {{ .Values.replicas.openproject }}
 resources:
  {{ .Values.resources.openproject | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/openproject/values.yaml
+++ b/helmfile/apps/openproject/values.yaml
@@ -40,5 +40,24 @@ environment:
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
  OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
 ...
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "ox-connector"
+  - name: "ox-connector-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable"
+    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
 releases:
  - name: "ox-connector"
-    chart: "ox-connector/ox-connector"
+    chart: "ox-connector-repo/ox-connector"
    version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
    values:
      - "values-oxconnector.yaml"
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -2,70 +2,85 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-certificates"
+  - name: "sovereign-workplace-certificates-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable"
+    url: >-
-  - name: "postgresql"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
-  - name: "mariadb"
+  - name: "postgresql-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable"
+    url: >-
-  - name: "postfix"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable" }}
-  - name: "istio-resources"
+  - name: "mariadb-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable"
+    url: >-
-  - name: "clamav"
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable"
+         default "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable" }}
-  - name: "bitnami"
+  - name: "postfix-repo"
-    url: "https://charts.bitnami.com/bitnami"
+    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" }}
  - name: "istio-resources-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
  - name: "clamav-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable" }}
  - name: "bitnami-repo"
    oci: true
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "registry-1.docker.io/bitnamicharts" }}
 releases:
  - name: "sovereign-workplace-certificates"
-    chart: "sovereign-workplace-certificates/sovereign-workplace-certificates"
+    chart: "sovereign-workplace-certificates-repo/sovereign-workplace-certificates"
-    version: "1.2.1"
+    version: "1.2.2"
    values:
      - "values-certificates.gotmpl"
    condition: "certificates.enabled"
  - name: "redis"
-    chart: "bitnami/redis"
+    chart: "bitnami-repo/redis"
-    version: "^17.9.3"
+    version: "17.9.3"
    values:
      - "values-redis.gotmpl"
      - "values-redis.yaml"
    condition: "redis.enabled"
  - name: "postgresql"
-    chart: "postgresql/postgresql"
+    chart: "postgresql-repo/postgresql"
    version: "2.0.0"
    values:
      - "values-postgresql.yaml"
      - "values-postgresql.gotmpl"
    condition: "postgresql.enabled"
  - name: "mariadb"
-    chart: "mariadb/mariadb"
+    chart: "mariadb-repo/mariadb"
    version: "2.0.0"
    values:
      - "values-mariadb.yaml"
      - "values-mariadb.gotmpl"
    condition: "mariadb.enabled"
  - name: "postfix"
-    chart: "postfix/postfix"
+    chart: "postfix-repo/postfix"
    version: "1.13.0"
    values:
      - "values-postfix.yaml"
      - "values-postfix.gotmpl"
    condition: "postfix.enabled"
  - name: "clamav"
-    chart: "clamav/sovereign-workplace-clamav"
+    chart: "clamav-repo/sovereign-workplace-clamav"
    version: "2.1.0"
    values:
      - "values-clamav-distributed.gotmpl"
    condition: "clamavDistributed.enabled"
  - name: "clamav-simple"
-    chart: "clamav/clamav-simple"
+    chart: "clamav-repo/clamav-simple"
    version: "2.1.0"
    values:
      - "values-clamav-simple.gotmpl"
    condition: "clamavSimple.enabled"
  - name: "sovereign-workplace-gateway"
-    chart: "istio-resources/istio-gateway"
+    chart: "istio-resources-repo/istio-gateway"
    version: "1.1.2"
    values:
      - "values-istio-gateway.gotmpl"
--- a/helmfile/apps/services/values-mariadb.gotmpl
+++ b/helmfile/apps/services/values-mariadb.gotmpl
@@ -12,6 +12,8 @@ image:
  repository: "{{ .Values.images.mariadb.repository }}"
  tag: "{{ .Values.images.mariadb.tag }}"
 # Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
 # Please refer to `databases.yaml` for details.
 job:
  users:
    - username: "xwiki_user"
--- a/helmfile/apps/univention-corporate-container/helmfile.yaml
+++ b/helmfile/apps/univention-corporate-container/helmfile.yaml
@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "univention-corporate-container"
+  - name: "univention-corporate-container-repo"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable"
+    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" }}
 releases:
  - name: "univention-corporate-container"
-    chart: "univention-corporate-container/univention-corporate-container"
+    chart: "univention-corporate-container-repo/univention-corporate-container"
    version: "1.0.10"
    values:
      - "values.yaml"
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "xwiki"
+  - name: "xwiki-repo"
-    url: "https://xwiki-contrib.github.io/xwiki-helm"
+    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://xwiki-contrib.github.io/xwiki-helm" }}
 releases:
  - name: "xwiki"
-    chart: "xwiki/xwiki"
+    chart: "xwiki-repo/xwiki"
-    version: "1.1.1"
+    version: "1.1.3"
    wait: true
    timeout: 600
    values:
--- a/helmfile/apps/xwiki/values-init.gotmpl
+++ b/helmfile/apps/xwiki/values-init.gotmpl
@@ -1,20 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imageRegistry: "{{ .Values.global.imageRegistry }}"
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 xwiki:
  url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/"
  superadmin:
    username: "superadmin"
    password: {{ .Values.secrets.xwiki.superadminpassword | quote }}
 image:
  repository: "{{ .Values.images.xwikiInit.repository }}"
  tag: "{{ .Values.images.xwikiInit.tag }}"
 ...
--- a/helmfile/apps/xwiki/values.gotmpl
+++ b/helmfile/apps/xwiki/values.gotmpl
@@ -8,14 +8,23 @@ image:
  tag: "{{ .Values.images.xwiki.tag }}"
 externalDB:
-  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.xwikiUser }}"
+  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
  database: "{{ .Values.databases.xwiki.name }}"
  user: "{{ .Values.databases.xwiki.username }}"
  host: "{{ .Values.databases.xwiki.host }}"
 customConfigs:
  "xwiki.cfg":
-    "xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
+    "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
    ## LDAP Server configuration
    # "xwiki.authentication.ldap.server": "univention-corporate-container"
    # xwiki.authentication.ldap.port: 389
    ## Authentication to the LDAP server
    # xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
    # xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
    ## Base DN used for searching for users
    # xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
  "xwiki.properties":
    "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
    "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
@@ -25,10 +34,16 @@ customConfigs:
    "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
    "workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-    "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey }}
+    "workplaceServices.portalSecret": "{{ .Values.secrets.centralnavigation.apiKey }}"
 properties:
-  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvg | b64enc }}"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "{{ .Values.theme.colors.primary }}"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "{{ .Values.theme.colors.white }}"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "{{ .Values.theme.colors.secondaryGreyLight }}"
  ## Link LDAP users and users authenticated through OIDC
  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 ingress:
  enabled: {{ .Values.ingress.enabled }}
--- a/helmfile/apps/xwiki/values.yaml
+++ b/helmfile/apps/xwiki/values.yaml
@@ -2,9 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 image:
-  name: "git.xwikisas.com:5050/xwikisas/swp/xwiki"
+  pullPolicy: "IfNotPresent"
  tag: "0.4-mariadb-tomcat"
  pullPolicy: "Always"
 ingress:
  # enabled: true
@@ -32,9 +30,9 @@ mariadb:
 properties:
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de_DE"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.timezone": "Europe/Berlin"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "#004B76"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de_DE"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"
@@ -43,15 +41,37 @@ properties:
    "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-active-color":
    "@brand-primary"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "#fff"
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "#fff"
  # yamllint disable-line rule:line-length
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "'@list-group-active-border: @list-group-border; @gray-light: #727272; @text-muted: @gray; @xwiki-drawer-menu-item-hover-bg: @list-group-hover-bg; @xwiki-drawer-menu-item-hover-color: @list-group-link-hover-color; @well-bg: @body-bg; .navbar-default { border-bottom: 3px solid @brand-primary !important; } #menuview .navbar-brand img { padding: 5px; }'"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": " li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd; height: 64px; } div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"
  "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
  #   "sn,givenname,uid"
  ## Restrict user import in the UI to global administrators
  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
  ## Enable group and user synchronization
  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
  #   1
  ## Base DN under which groups should be searched for
  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
  #  "dc=swp-ldap,dc=internal"
  ## LDAP filter to only synchronize some groups
  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
  #   "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
 customConfigs:
  xwiki.cfg:
    xwiki.url.protocol: "https"
    ## Indicate the LDAP field defining the user UID
    # xwiki.authentication.ldap.UID_attr: "uid"
    ## Indicate the LDAP field defining the user profile picture
    # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
    ## Enable the synchronization of the LDAP profile picture
    # xwiki.authentication.ldap.update_photo: 1
  xwiki.properties:
    oidc.scope: "openid,profile,email,address,phoenix"
    oidc.endpoint.userinfo.method: "GET"
--- a/helmfile/bases/environments.yaml
+++ b/helmfile/bases/environments.yaml
@@ -5,12 +5,15 @@ environments:
  default:
    values:
      - "../../environments/default/*.gotmpl"
      - "../../environments/default/*.yaml"
  dev:
    values:
      - "../../environments/default/*.gotmpl"
      - "../../environments/default/*.yaml"
      - "../../environments/dev/values.yaml"
  prod:
    values:
      - "../../environments/default/*.gotmpl"
      - "../../environments/default/*.yaml"
      - "../../environments/prod/values.yaml"
 ...
--- a/helmfile/environments/default/certificate.gotmpl
+++ b/helmfile/environments/default/certificate.gotmpl
@@ -1,9 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 certificate:
  issuerRef:
    name: "letsencrypt-prod"
 ...
--- a/helmfile/environments/default/certificate.yaml
+++ b/helmfile/environments/default/certificate.yaml
@@ -0,0 +1,7 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 certificate:
  issuerRef:
    name: "letsencrypt-prod"
 ...
--- a/helmfile/environments/default/cluster.gotmpl
+++ b/helmfile/environments/default/cluster.gotmpl
@@ -1,26 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cluster:
  service:
    # Based on the available Implementations of your cluster, choose the type of Service.
    # Choose out of "ClusterIP", "NodePort" or "LoadBalancer.
    type: "LoadBalancer"
  persistence:
    # Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...).
    readWriteMany:
      enabled: false
  networking:
    # Kubernetes internal cluster domain.
    domain: "cluster.local"
    # Kubernetes cluster network CIDR.
    cidr: "10.0.0.0/8"
  container:
    # Used container engine in kubernetes cluster.
    engine: "cri-o"
 ...
--- a/helmfile/environments/default/cluster.yaml
+++ b/helmfile/environments/default/cluster.yaml
@@ -0,0 +1,33 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 cluster:
  service:
    # Based on the available Implementations of your cluster, choose the type of Service.
    # Choose out of "ClusterIP", "NodePort" or "LoadBalancer.
    type: "LoadBalancer"
  persistence:
    # Enable if ReadWriteMany (RWX) storage is available (f.e. CephFS, NFS, ...).
    readWriteMany:
      enabled: false
  networking:
    # Kubernetes internal cluster domain.
    domain: "cluster.local"
    # Kubernetes cluster network CIDR.
    cidr: "10.0.0.0/8"
    # Ingress-gateway IP - only relevant for "NodePort" cluster services.
    # When ingress and egress gateway use different ips, which results that pods can't self-discover their incoming ip,
    # you need to provide the public (load-balanced) ingress gateways ip address.
    ingressGatewayIP: ""
    # LoadBalancer status fiel - only relevant for "LoadBalancer" cluster services.
    # The IP/DNS of your load-balancer will be fetched for some components from 'status' map of services.
    # Most providers use '.status.loadBalancer.ingress[0].ip' to store public ip. You can modify the chosen field here.
    loadBalancerStatusField: "ip"
  container:
    # Used container engine in kubernetes cluster.
    engine: "cri-o"
 ...
--- a/helmfile/environments/default/database.gotmpl
+++ b/helmfile/environments/default/database.gotmpl
@@ -1,7 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 databases:
  keycloak:
@@ -32,9 +30,15 @@ databases:
    name: "CONFIGDB"
    username: "root"
    password: ""
  synapse:
    host: "postgresql"
    name: "matrix"
    username: "matrix_user"
    password: ""
    port: 5432
  xwiki:
    name: "xwiki"
    host: "mariadb"
-    username: "xwiki_user"
+    username: "root"
    password: ""
 ...
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
@@ -7,52 +7,12 @@ SPDX-License-Identifier: Apache-2.0
 #
 global:
  ## Define ingress/virtualservice host.
  #
  hosts:
    collabora: "collabora"
    dimension: "integration"
    element: "ucc"
    etherpad: "etherpad"
    intercomService: "ics"
    jitsi: "av"
    jitsiPlain: "jitsi"
    keycloak: "id"
    meetingWidgetsBot: "meeting-widgets-bot"
    meetingWidgets: "meeting-widgets"
    newWorkBoardWidget: "whiteboard-widget"
    moodle: "learn"
    nextcloud: "fs"
    openproject: "project"
    openxchange: "webmail"
    openxchangeProvisioning: "ox-provisioning"
    pollWidget: "poll-widget"
    synapse: "matrix"
    univentionCorporateServer: "portal"
    whiteboard: "whiteboard"
    xwiki: "wiki"
  ## Define host
  #
  domain: {{ env "DOMAIN" | default "souvap.cloud" }}
  ## Define docker registry address.
  #
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}
  ## Credentials to fetch images from private registry
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #
  imagePullSecrets:
    - "external-registry"
  ## Define internal kubernetes domain, usually svc.cluster.local
  ## Workaround for calico with postfix
  #
  internalDomain: "svc.cluster.local"
  ## Define internal kubernetes network for postfix
  ## Attention: Mail from this network can be sent without authentication!
  #
  internalNetwork: "10.0.0.0/8"
 ...
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -0,0 +1,42 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 ## The global properties are used to configure multiple charts at once.
 #
 global:
  ## Define ingress/virtualservice host.
  #
  hosts:
    collabora: "collabora"
    dimension: "integration"
    element: "chat"
    etherpad: "etherpad"
    intercomService: "ics"
    jitsi: "meet"
    keycloak: "id"
    meetingWidgetsBot: "meeting-widgets-bot"
    meetingWidgets: "meeting-widgets"
    newWorkBoardWidget: "whiteboard-widget"
    nextcloud: "fs"
    openproject: "project"
    openxchange: "webmail"
    openxchangeProvisioning: "ox-provisioning"
    pollWidget: "poll-widget"
    synapse: "matrix"
    univentionCorporateServer: "portal"
    whiteboard: "whiteboard"
    xwiki: "wiki"
  ## Define docker registry address.
  #
  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
  ## Credentials to fetch images from private registry
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #
  imagePullSecrets:
    - "external-registry"
 ...
--- a/helmfile/environments/default/images.gotmpl
+++ b/helmfile/environments/default/images.gotmpl
@@ -1,18 +1,21 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 images:
  clamd:
    repository: "clamav/clamav"
    tag: "1.1.0_base"
  collabora:
-    repository: "collabora/code"
+    # repository: "collabora/code"
-    tag: "23.05.2.2.1"
+    # tag: "23.05.2.2.1"
    repository: "souvap/tooling/images/collabora"
    tag: "23.05.3.1.1@sha256:f1248a50e67940e3be3dfa58dc37eca73267cf73a679b459707d2520cee7720e"
  dovecot:
    repository: "dovecot/dovecot"
-    tag: "2.3.20"
+    digest: "sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
  element:
    repository: "souvap/tooling/images/element-web@sha256"
    tag: "16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
  freshclam:
    repository: "clamav/clamav"
    tag: "1.1.0_base"
@@ -27,7 +30,7 @@ images:
    tag: "stable-8615"
  jitsiKeycloakAdapter:
    repository: "nordeck/jitsi-keycloak-adapter"
-    tag: "v20230425"
+    tag: "v20230816"
  jitsiPatchJVB:
    repository: "bitnami/kubectl"
    tag: "1.26.6"
@@ -48,11 +51,11 @@ images:
    repository: "souvap/tooling/images/ansible"
    tag: "4.10.0"
  keycloakExtensionHandler:
-    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler@sha256"
+    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
-    tag: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
+    digest: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
  keycloakExtensionProxy:
-    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy@sha256"
+    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
-    tag: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
+    digest: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
  mariadb:
    repository: "mariadb"
    tag: "10"
@@ -66,8 +69,11 @@ images:
    repository: "nextcloud"
    tag: "26.0.1-apache"
  openproject:
-    repository: "souvap/tooling/images/openproject/souvap"
+    repository: "souvap/tooling/images/openproject/souvap@sha256"
-    tag: "dev"
+    tag: "5da1ae8be3d7483bf0f3d9ec50c3470586528e0ff51b663e2c3a57bceb489423"
  openxchangeBootstrap:
    repository: "alpine/k8s"
    digest: "sha256:199a4457602b4e260d9781358cd2e342f63c177f4bcfa8053493be01e57beddf"
  openxchangeCoreGuidedtours:
    repository: "appsuite-public-sector/core-guidedtours"
    tag: "8.5.0"
@@ -107,13 +113,21 @@ images:
  redis:
    repository: "bitnami/redis"
    tag: "7.0.12-debian-11-r0"
  synapse:
    repository: "matrixdotorg/synapse"
    tag: "v1.87.0"
  synapseWeb:
    repository: "library/haproxy"
    tag: "2.4"
  univentionCorporateServer:
-    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
+    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs@sha256"
-    tag: "20230806T234258"
+    tag: "6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
  wellKnown:
    repository: "library/nginx"
    tag: "1.23"
  xwiki:
-    repository: "xwikisas/swp/xwiki"
+    # repository: "xwikisas/swp/xwiki"
-    tag: "0.8-mariadb-tomcat"
+    # tag: "0.10-mariadb-tomcat"
-  xwikiInit:
+    repository: "xwikisas/swp/xwiki@sha256"
-    repository: "curlimages/curl"
+    tag: "02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
    tag: "8.1.2"
 ...
--- a/helmfile/environments/default/ingress.gotmpl
+++ b/helmfile/environments/default/ingress.gotmpl
@@ -1,12 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 ingress:
  enabled: true
  ingressClassName: ""
  tls:
    enabled: true
    secretName: "sovereign-workplace-certificates-tls"
 ...
--- a/helmfile/environments/default/ingress.yaml
+++ b/helmfile/environments/default/ingress.yaml
@@ -0,0 +1,10 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 ingress:
  enabled: true
  ingressClassName: ""
  tls:
    enabled: true
    secretName: "sovereign-workplace-certificates-tls"
 ...
--- a/helmfile/environments/default/persistence.gotmpl
+++ b/helmfile/environments/default/persistence.gotmpl
@@ -1,7 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 persistence:
  storageClassNames:
@@ -19,6 +17,7 @@ persistence:
    postgresql: "1Gi"
    prosody: "1Gi"
    redis: "1Gi"
    synapse: "1Gi"
    univentionCorporateServer: "1Gi"
    xwiki: "1Gi"
 ...
--- a/helmfile/environments/default/replicas.gotmpl
+++ b/helmfile/environments/default/replicas.gotmpl
@@ -1,29 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 replicas:
  {{/* clamav-simple */}}
  clamav: 1
  {{/* clamav-distributed */}}
  clamd: 1
  collabora: 1
  dovecot: 1
  {{/* clamav-distributed */}}
  freshclam: 1
  {{/* clamav-distributed */}}
  icap: 1
  jibri: 1
  jicofo: 1
  jitsi: 1
  jitsiKeycloakAdapter: 1
  jvb: 1
  keycloak: 1
  {{/* clamav-distributed */}}
  milter: 1
  nextcloud: 1
  openproject: 1
  postfix: 1
  xwiki: 1
 ...
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -0,0 +1,31 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 replicas:
  # clamav-simple
  clamav: 1
  # clamav-distributed
  clamd: 1
  collabora: 1
  dovecot: 1
  element: 2
  # clamav-distributed
  freshclam: 1
  # clamav-distributed
  icap: 1
  jibri: 1
  jicofo: 1
  jitsi: 1
  jitsiKeycloakAdapter: 1
  jvb: 1
  keycloak: 1
  # clamav-distributed
  milter: 1
  nextcloud: 1
  openproject: 1
  postfix: 1
  synapse: 1
  synapseWeb: 2
  wellKnown: 2
  xwiki: 1
 ...
--- a/helmfile/environments/default/resources.gotmpl
+++ b/helmfile/environments/default/resources.gotmpl
@@ -1,7 +1,5 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 resources:
  clamd:
@@ -14,17 +12,24 @@ resources:
  dovecot:
    limits:
      cpu: 0.5
-      memory: "0.25Gi"
+      memory: "250Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  element:
    limits:
      cpu: 1
      memory: "250Mi"
    requests:
      cpu: 0.1
      memory: "50Mi"
  freshclam:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  icap:
    limits:
      cpu: 2
@@ -35,24 +40,24 @@ resources:
  jibri:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "125Mi"
  jicofo:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  jitsi:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  jitsiKeycloakAdapter:
    limits:
      cpu: "100m"
@@ -63,45 +68,45 @@ resources:
  jvb:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  keycloak:
    limits:
      cpu: 2
      memory: "2Gi"
    requests:
      cpu: 0.1
-      memory: "0.75Gi"
+      memory: "750Mi"
  keycloakExtension:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  keycloakBootstrap:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  keycloakProxy:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  mariadb:
    limits:
      cpu: 2
      memory: "2Gi"
    requests:
      cpu: 0.1
-      memory: "0.5Gi"
+      memory: "500Mi"
  milter:
    limits:
      cpu: 4
@@ -115,49 +120,63 @@ resources:
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.5Gi"
+      memory: "500Mi"
  openproject:
    limits:
      cpu: 2
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  oxConnector:
    limits:
      cpu: 2
      memory: "2Gi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  postfix:
    limits:
      cpu: 0.5
-      memory: "0.25Gi"
+      memory: "250Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  postgresql:
    limits:
      cpu: 2
      memory: "1Gi"
    requests:
      cpu: 0.1
-      memory: "0.25Gi"
+      memory: "250Mi"
  prosody:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  redis:
    limits:
      cpu: 1
-      memory: "0.5Gi"
+      memory: "500Mi"
    requests:
      cpu: 0.1
-      memory: "0.1Gi"
+      memory: "100Mi"
  synapse:
    limits:
      cpu: 4
      memory: "4Gi"
    requests:
      cpu: 1
      memory: "2Gi"
  synapseWeb:
    limits:
      cpu: 1
      memory: "250Mi"
    requests:
      cpu: 0.1
      memory: "50Mi"
  univentionCorporateServer:
    limits:
      cpu: 2
@@ -165,6 +184,13 @@ resources:
    requests:
      cpu: 0.5
      memory: "1Gi"
  wellKnown:
    limits:
      cpu: 1
      memory: "250Mi"
    requests:
      cpu: 0.1
      memory: "50Mi"
  xwiki:
    limits:
      cpu: 2
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -40,7 +40,7 @@ secrets:
    clientSecret:
      intercom: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum) }}
      matrix: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum) }}
-      jitsiPlain: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
+      jitsi: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
      ncoidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum) }}
      openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum) }}
      xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum) }}
@@ -54,17 +54,6 @@ secrets:
    adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum) }}
  jitsi:
    synapseAsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "as_token" | sha1sum) }}
    synapseHsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "hs_token" | sha1sum) }}
    jicofoAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jicofo_auth" | sha1sum) }}
    componentAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "component_auth" | sha1sum) }}
    jvbAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jvb_auth" | sha1sum) }}
    jigasiAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jigasi_auth" | sha1sum) }}
    jibriUserAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_user_auth" | sha1sum) }}
    jibriRecorderAuth: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jibri_recorder_auth" | sha1sum) }}
    rageshakeListingPass: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "rageshakeListingPass" | sha1sum) }}
    conferencemapperSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "conferencemapperSecret" | sha1sum) }}
    jitsiFeedbackBackend: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jitsi" "jitsiFeedbackBackend" | sha1sum) }}
  jitsiPlain:
    jwtAppSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jwtAppSecret" | sha1sum) }}
    jibriRecorderPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriRecorderPassword" | sha1sum) }}
    jibriXmppPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum) }}
--- a/helmfile/environments/default/theme.yaml
+++ b/helmfile/environments/default/theme.yaml
--- a/helmfile/environments/default/theme/logo_favicon.ico
+++ b/helmfile/environments/default/theme/logo_favicon.ico
--- a/helmfile/environments/default/theme/logo_header.svg
+++ b/helmfile/environments/default/theme/logo_header.svg
@@ -0,0 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <svg id="a" xmlns="http://www.w3.org/2000/svg" width="45.826mm" height="19.308mm" viewBox="0 0 129.90047 54.73134">
 <polygon points="110.92403 22.71425 107.01094 22.71425 103.42012 26.36172 103.42012 18.38613 100.18867 18.38613 100.18867 32.27773 103.42012 32.27773 103.42012 28.32754 107.01094 32.27773 110.92403 32.27773 106.31172 27.36367 110.92403 22.71425"/>
 <path d="m48.75874,23.35201c-.6499-.35986-1.40991-.54004-2.27979-.54004-.86011,0-1.59009.18018-2.25.56006-.65015.37012-1.14014.8999-1.49023,1.6001-.33984.70996-.52002,1.5498-.52002,2.5498,0,.93018.16016,1.77002.48022,2.52002.32983.77002.81982,1.37012,1.47998,1.82007.67993.42993,1.5.65991,2.47998.65991,1.26001,0,2.19995-.31982,2.84985-.97998.51001-.53003.90015-1.15991,1.16016-1.90991l-.8501-.47998c-.19995.78003-.56006,1.37988-1.08008,1.84009-.53979.44971-1.23975.68994-2.09985.68994-1.13989,0-2.01001-.38013-2.58008-1.13013-.54004-.69995-.82007-1.59985-.84009-2.70996h7.61011v-.5c0-.93994-.17993-1.75-.54004-2.42993-.35986-.68994-.86987-1.2002-1.53003-1.56006Zm-5.54004,3.62988c.03027-.60986.17017-1.16992.41016-1.62988.28003-.56006.66992-.95996,1.16992-1.25.47998-.28003,1.03003-.41992,1.65015-.41992,1.03003,0,1.83984.31982,2.45996.92993.55005.59009.86987,1.38013.8999,2.36987h-6.59009Z"/>
 <path d="m73.28517,19.52694c-1.06494-.34503-2.28003-.51001-3.6449-.51001h-1.83032v2.64001h1.83032c.95984,0,1.72485.07495,2.29468.22504.55518.14996,1.02026.50995,1.38025,1.09497.375.57001.55481,1.46997.55481,2.68494,0,1.23004-.17981,2.13-.53979,2.70001-.35999.58502-.82507.94501-1.37988,1.09503-.55518.13495-1.33521.20996-2.31006.20996h-1.85999v-5.36346h-3.04504v8.03351h4.90503c1.36487,0,2.57996-.16498,3.6449-.51007,1.04993-.34497,1.92004-1.00494,2.60999-1.97992.67493-.99005,1.0199-2.38501,1.0199-4.18506,0-1.78497-.34497-3.17999-1.0199-4.15491-.68994-.99005-1.56006-1.65009-2.60999-1.98004Z"/>
 <path d="m25.67378,23.4869c-.73499-.45001-1.57507-.67493-2.54993-.67493-.97522,0-1.81531.22491-2.54993.67493-.73535.43506-1.29016,1.03497-1.68018,1.78497-.375.73511-.56982,1.53003-.56982,2.40009,0,.85498.19482,1.64996.56982,2.39996.39001.73499.94482,1.33502,1.68018,1.78497.73462.435,1.57471.66003,2.54993.66003.97485,0,1.81494-.22504,2.54993-.66003.73499-.44995,1.28979-1.04999,1.66479-1.78497.39038-.75.58521-1.54498.58521-2.39996,0-.87006-.19482-1.66498-.58521-2.40009-.375-.75-.92981-1.34991-1.66479-1.78497Zm.79504,6.15002c-.28528.59998-.71997,1.09497-1.29016,1.46997-.58484.375-1.25977.57001-2.05481.57001s-1.48499-.19501-2.05518-.57001c-.56982-.375-1.00488-.87-1.28979-1.46997-.28528-.61505-.43506-1.26001-.43506-1.96497,0-.70508.14978-1.36505.43506-1.96503.28491-.61505.71997-1.09503,1.28979-1.47003.57019-.375,1.26013-.55499,2.05518-.55499s1.46997.17999,2.05481.55499c.57019.375,1.00488.85498,1.29016,1.47003.28491.59998.43506,1.25995.43506,1.96503,0,.70496-.15015,1.34991-.43506,1.96497Z"/>
 <path d="m37.94368,23.41189c-.67493-.40491-1.42493-.59991-2.26501-.59991-1.07996,0-1.97974.26996-2.72974.79492-.69031.49506-1.17004,1.15503-1.46997,1.99506v-2.60999h-1.02026v12.77991h1.02026v-6c.17981.51007.44971.94501.77966,1.33502.40503.45001.88513.81,1.47034,1.05005.56982.23993,1.22974.35999,1.94971.35999.84009,0,1.59009-.19501,2.26501-.60004.66028-.40497,1.18506-.97498,1.56006-1.69495.39001-.73505.57019-1.58997.57019-2.54999s-.18018-1.81506-.57019-2.55005c-.375-.73499-.89978-1.30499-1.56006-1.71002Zm.61487,6.45001c-.32959.60004-.76465,1.04999-1.31982,1.36505-.55518.29999-1.17004.44995-1.82996.44995-.67493,0-1.30481-.16498-1.89001-.46497-.59985-.31506-1.06494-.76501-1.43994-1.36499-.35999-.61505-.54016-1.33502-.54016-2.17499,0-.85504.18018-1.57501.54016-2.17505.375-.61493.84009-1.065,1.43994-1.36493.58521-.30005,1.21509-.45007,1.89001-.45007.65991,0,1.27478.13501,1.82996.43506.55518.28497.99023.73499,1.31982,1.3349.33032.60004.49512,1.35004.49512,2.22009,0,.86993-.16479,1.60498-.49512,2.18994Z"/>
 <path d="m60.05366,23.23189c-.47974-.28497-1.06494-.41992-1.73987-.41992-1.06494,0-1.95007.26996-2.64001.82495-.62988.50995-1.06494,1.20001-1.29016,2.05499v-2.69995h-1.0199v9.34497h1.0199v-4.21503c0-.83997.15015-1.58997.43506-2.26501.28528-.67499.70496-1.19995,1.26013-1.58997.53979-.39001,1.17004-.58502,1.89001-.58502.86975,0,1.51501.21002,1.92004.65997.41968.43506.61487,1.15503.61487,2.14502v5.85004h1.03491v-5.89502c0-.76501-.11975-1.42499-.375-1.96497-.2699-.53998-.62988-.96002-1.10999-1.24506Z"/>
 <path d="m85.85536,23.18697c-.75-.375-1.66516-.57001-2.70007-.57001-.97522,0-1.82996.19501-2.57996.5849-.75.39001-1.33521.96002-1.77026,1.71002-.42004.73499-.62988,1.60504-.62988,2.60999,0,.97504.20984,1.84509.61487,2.59509.42004.76501,1.00525,1.34991,1.7699,1.76996.76538.41998,1.68018.63,2.71509.63,1.43994,0,2.59497-.31506,3.45007-.96002.46509-.35999.84009-.77997,1.09497-1.25995l-2.36975-1.32001h-.07507c-.09009.43494-.32996.78003-.70496,1.01996-.375.23999-.84009.35999-1.41028.35999-.68994,0-1.22974-.22491-1.61975-.65997-.33032-.375-.52515-.88495-.55518-1.51501h7.125v-.79498c0-1.00494-.19482-1.85999-.59985-2.565-.40503-.70496-.99023-1.25995-1.75488-1.63495Zm-4.81531,3.43494c.03003-.33002.13513-.62994.2699-.88501.18018-.32996.43506-.57001.75-.75.33032-.16498.70532-.255,1.17041-.255.67493,0,1.21472.19501,1.60474.57001.34497.33008.52515.76501.57019,1.32001h-4.36523Z"/>
 <path d="m95.82881,26.81692l-2.20496-.55499c-.34497-.08997-.60022-.19501-.76501-.34503-.18018-.14996-.25488-.31494-.25488-.49493,0-.24005.10474-.42004.32959-.55499.22522-.12006.57019-.17999,1.00525-.17999.58484,0,1.0199.10492,1.30481.32996.28528.22504.43506.57001.43506,1.01996h2.87988c0-1.10999-.41968-1.94995-1.22974-2.53497s-1.95007-.88495-3.40503-.88495c-.88513,0-1.63513.10498-2.26501.32996-.62988.21002-1.125.52502-1.45496.92999-.32996.40503-.49512.91498-.49512,1.51501,0,.75.22485,1.33502.68994,1.74005.4801.41992,1.03491.71997,1.66516.91498l2.90991.76501c.29993.08997.51013.2099.6449.34497.13513.12.21021.28497.21021.47998,0,.28503-.1051.49506-.32996.63-.22522.13501-.60022.19501-1.125.19501-.70496,0-1.2301-.12006-1.57507-.39001-.34497-.255-.52515-.66003-.52515-1.20001h-2.86487c0,.79498.17981,1.46997.55481,2.01007.39038.53998.93018.94489,1.66516,1.22992.71997.27008,1.62012.40503,2.70007.40503.97485,0,1.78491-.10504,2.42981-.31506.66028-.2099,1.14001-.53998,1.47034-.9599.32959-.43506.49475-.96002.49475-1.57507,0-.81-.25488-1.42493-.78003-1.875-.51013-.435-1.21472-.76495-2.11487-.97498Z"/>
 </svg>
--- a/helmfile/environments/default/theme/logo_portal_background.svg
+++ b/helmfile/environments/default/theme/logo_portal_background.svg
--- a/helmfile/environments/default/workplace.gotmpl
+++ b/helmfile/environments/default/workplace.gotmpl
@@ -1,10 +1,6 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 masterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" }}
 certificates:
  enabled: true
 clamavDistributed:
@@ -15,6 +11,8 @@ collabora:
  enabled: true
 dovecot:
  enabled: true
 element:
  enabled: true
 intercom:
  enabled: true
 jitsi:
Author	SHA1	Message	Date
Thorsten Roßner	0d374c1fea	chore(release): 0.2.7 [skip ci] ## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30) ### Bug Fixes * jitsi: Update Jitsi Helm chart to set the user's display name as default ([`387bd87`](`387bd8715c`))	2023-08-30 17:08:35 +00:00
Thorsten Rossner	387bd8715c	fix(jitsi): Update Jitsi Helm chart to set the user's display name as default	2023-08-30 17:06:57 +00:00
Dominik Kaminski	f219c42afa	chore(release): 0.2.6 [skip ci] ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30) ### Bug Fixes * ci: Change path of asset_generator ([`6ab4fa0`](`6ab4fa078b`)) * ci: Include deployment environments ([`0f59736`](`0f59736c5d`)) * ci: Release artefacts ([`2a61b5f`](`2a61b5f2a6`))	2023-08-30 14:23:01 +00:00
Thorsten Roßner	4d3bc2799c	chore(release): 0.2.6 [skip ci] ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30) ### Bug Fixes * ci: Change path of asset_generator ([`6ab4fa0`](`6ab4fa078b`)) * ci: Include deployment environments ([`0f59736`](`0f59736c5d`)) * ci: Release artefacts ([`2a61b5f`](`2a61b5f2a6`))	2023-08-30 14:18:36 +00:00
Thorsten Rossner	0f59736c5d	fix(ci): Include deployment environments	2023-08-30 14:16:30 +00:00
Thorsten Roßner	7e9d39cc7f	chore(release): 0.2.6 [skip ci] ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30) ### Bug Fixes * ci: Change path of asset_generator ([`6ab4fa0`](`6ab4fa078b`)) * ci: Release artefacts ([`2a61b5f`](`2a61b5f2a6`))	2023-08-30 13:49:37 +00:00
Dominik Kaminski	6ab4fa078b	fix(ci): Change path of asset_generator	2023-08-30 11:37:09 +00:00
Dominik Kaminski	05361276c0	chore(ci): Improve rules	2023-08-30 11:19:03 +00:00
Dominik Kaminski	cda237a655	chore(ci): Fix gitlab pipeline	2023-08-30 11:16:01 +00:00
Dominik Kaminski	ea77d1712e	chore(ci): Fix runner tags on OpenCoDE	2023-08-30 11:13:47 +00:00
Thorsten Rossner	2a61b5f2a6	fix(ci): Release artefacts	2023-08-30 10:57:54 +00:00
Thorsten Rossner	f4dbdfb321	chore(release): 0.2.5 [skip ci] ## [0.2.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.4...v0.2.5) (2023-08-30) ### Bug Fixes * xwiki: Theming and language of central navigation ([`3d4d45f`](`3d4d45f711`))	2023-08-30 09:50:06 +00:00
Thorsten Rossner	3d4d45f711	fix(xwiki): Theming and language of central navigation	2023-08-30 09:48:20 +00:00
Johannes Bornhold	86fdb34735	chore(docs): Language pass in the contribution guide	2023-08-29 18:20:48 +02:00
Thorsten Rossner	7c9c6f9000	chore(release): 0.2.4 [skip ci] ## [0.2.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.3...v0.2.4) (2023-08-29) ### Bug Fixes * element: Apply the global theme to Element ([`7f7eae8`](`7f7eae8f99`))	2023-08-29 15:41:16 +00:00
Dominik Henneke	7f7eae8f99	fix(element): Apply the global theme to Element	2023-08-29 15:39:37 +00:00
Thorsten Rossner	c9953299cc	chore(release): 0.2.3 [skip ci] ## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29) ### Bug Fixes * ci: Add central branding information ([`a14c42f`](`a14c42f6ed`))	2023-08-29 14:29:25 +00:00
Thorsten Rossner	a14c42f6ed	fix(ci): Add central branding information	2023-08-29 14:27:52 +00:00
Dominik Kaminski	c520b0047c	chore(release): 0.2.2 [skip ci] ## [0.2.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.1...v0.2.2) (2023-08-16) ### Bug Fixes * jitsi: Allow configuration of LoadBalancer status field for patchJVB job ([`7491582`](`7491582c28`)) * open-xchange: Explicitly disable core-ui-middleware ingress ([`06dc7a1`](`06dc7a115d`))	2023-08-16 14:44:44 +00:00
Dominik Kaminski	7491582c28	fix(jitsi): Allow configuration of LoadBalancer status field for patchJVB job	2023-08-16 15:21:49 +02:00
Dominik Kaminski	06dc7a115d	fix(open-xchange): Explicitly disable core-ui-middleware ingress	2023-08-16 10:36:14 +02:00
Dominik Kaminski	b9c895b357	chore(release): 0.2.1 [skip ci] ## [0.2.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.0...v0.2.1) (2023-08-16) ### Bug Fixes * keycloak: Increase proxy-buffer-size for ingress-nginx ([`d8adcc4`](`d8adcc463a`))	2023-08-16 07:39:28 +00:00
Dominik Kaminski	d8adcc463a	fix(keycloak): Increase proxy-buffer-size for ingress-nginx	2023-08-16 09:33:27 +02:00
Dominik Kaminski	83aeb4ece2	chore(release): 0.2.0 [skip ci] # [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15) ### Bug Fixes * helmfile: Replace bitnami repositories with OCI ([`4c21fd2`](`4c21fd2286`)) ### Features * helmfile: Implement private image/chart registry variables ([`5788323`](`5788323621`))	2023-08-15 10:40:25 +00:00
Dominik Kaminski	4c21fd2286	fix(helmfile): Replace bitnami repositories with OCI	2023-08-15 11:32:03 +02:00
Dominik Kaminski	5788323621	feat(helmfile): Implement private image/chart registry variables	2023-08-15 11:32:03 +02:00
Dominik Kaminski	3cad4ce886	chore(release): 0.1.2 [skip ci] ## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15) ### Bug Fixes * jitsi: Update support for NodePort setups with different ingress/egress ips ([`de25789`](`de257893d4`))	2023-08-15 09:20:34 +00:00
Dominik Kaminski	de257893d4	fix(jitsi): Update support for NodePort setups with different ingress/egress ips	2023-08-14 18:50:42 +02:00
Thomas Kaltenbrunner	dcbb9981f5	chore(release): 0.1.1 [skip ci] ## [0.1.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.0...v0.1.1) (2023-08-14) ### Bug Fixes * open-xchange: Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support ([`53796da`](`53796dae66`)) * open-xchange: Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1 ([`390f2de`](`390f2dee52`))	2023-08-14 10:32:36 +00:00
Thomas Kaltenbrunner	390f2dee52	fix(open-xchange): Bump sovereign-workplace-open-xchange-bootstrap to 1.3.1	2023-08-14 11:18:35 +02:00
Thomas Kaltenbrunner	53796dae66	fix(open-xchange): Bump dovecot and sovereign-workplace-open-xchange-bootstrap to 1.3.0 with image digest support	2023-08-14 11:18:33 +02:00
Thomas Kaltenbrunner	2d376b35ed	chore(xwiki): Remove xwiki init	2023-08-14 11:17:29 +02:00
Dominik Kaminski	bcee05d537	chore(release): 0.1.0 [skip ci] # [0.1.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.6...v0.1.0) (2023-08-14) ### Bug Fixes * docs: Typo ([`ee684a7`](`ee684a7891`)) ### Features * element: Add element component ([`5f0ca92`](`5f0ca92a05`))	2023-08-14 08:36:35 +00:00
Thorsten Rossner	ee684a7891	fix(docs): Typo	2023-08-14 08:34:08 +00:00
Dominik Kaminski	5f0ca92a05	feat(element): Add element component	2023-08-14 08:48:42 +02:00
Thorsten Rossner	152b4fb7b5	chore(release): 0.0.6 [skip ci] ## [0.0.6](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.5...v0.0.6) (2023-08-14) ### Bug Fixes * open-xchange: Functional mailboxes auth settings update in AppSuite and Dovecot ([`53948ea`](`53948eae76`))	2023-08-14 06:44:08 +00:00
Thorsten Rossner	53948eae76	fix(open-xchange): Functional mailboxes auth settings update in AppSuite and Dovecot	2023-08-14 06:42:59 +00:00
Thorsten Rossner	48a87fb839	chore(release): 0.0.5 [skip ci] ## [0.0.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.0.4...v0.0.5) (2023-08-11) ### Bug Fixes * keycloak: Improve digest image pinning ([`b8a8932`](`b8a8932221`))	2023-08-11 09:31:56 +00:00
Thorsten Rossner	b8a8932221	fix(keycloak): Improve digest image pinning	2023-08-11 09:30:37 +00:00