chore(release): 0.2.9 [skip ci]

## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)

### Bug Fixes

* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](6e5ef639c2))
* **docs:** Add security part in README ([ff462ab](ff462ab0dc))
* **docs:** Update scaling docs ([63a1e25](63a1e2568e))
* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](c5ab1b81fe))
* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](4f2a8aeee4))
* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](6e68f7f28c))
* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](cef11acbae))
* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](41d40c9b73))
* **services:** Enable security context and use default increased security settings ([9a6d240](9a6d2409a6))
* **services:** Fix image registry templates for postfix ([6321ff5](6321ff50a0))
* **services:** Replace image digest by tag ([f758293](f758293241))
* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](5fbf86b6bc))
* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](9d7866480c))

.gitlab-ci.yml

@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
-  - project: "souvap/tooling/gitlab-config"
+  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
     ref: "main"
     file:
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"
-  - project: "souvap/devops/sovereign-workplace-env"
+  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     file: "gitlab/environments.yaml"
+    rules:
+      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
 
 stages:
   - ".pre"
@@ -20,22 +22,17 @@ stages:
   - "component-deploy-stage-2"
   - "tests"
   - "env-stop"
-  - "post"
+  - "generate-release-assets"
+  - ".post"
 
 variables:
   NAMESPACE:
     description: "The name of namespaces to deploy to."
     value: ""
   CLUSTER:
-    description: "Define which cluster to use"
-    value: "develop"
-    options:
-      - "dev"
-      - "qa"
-      - "ref"
-      - "develop"
-      - "hubble"
-      - "prototype"
+    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
+      sovereign-workplace-env included above."
+    value: "dev"
   BASE_DOMAIN:
     description: "Define the Cluster Base Domain."
     value: "souvap.cloud"
@@ -283,6 +280,7 @@ keycloak-bootstrap-deploy:
 ox-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
+  timeout: "30m"
   rules:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -456,24 +454,89 @@ run-tests:
         -F "variables[components]=\"${COMPONENTS}\"" \
         https://${TESTS_PROJECT_URL}/trigger/pipeline
 
+generate-release-assets:
+  stage: "generate-release-assets"
+  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "always"
+    - when: "never"
+  script:
+    - |
+      # yamllint disable-line rule:line-length
+      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator
+      cd opendesk-asset-generator
+      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
+      ./opendesk_asset_generator.py
+      mv ./build_artefacts ${CI_PROJECT_DIR}
+      cd ..
+      rm -rf opendesk-asset-generator
+      ls -l ./build_artefacts
+  artifacts:
+    paths:
+      - "./build_artefacts/chart-index.json"
+      - "./build_artefacts/image-index.json"
+  tags: []
+
+
+# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
+# 'cache' is used because job must contain at least one key, so cache is just a dummy key.
+.environments:
+  cache: {}
 
 # Overwrite shared settings
 .common-semantic-release:
   image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
-  except:
-    - "tags"
-    - "triggers"
-    - "web"
+  tags: []
 
 common-yaml-linter:
-  except:
-    - "tags"
-    - "triggers"
-    - "web"
+  rules:
+    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+      when: "never"
+    - when: "always"
 
 reuse-linter:
   allow_failure: false
-  except:
-    - "tags"
-    - "triggers"
-    - "web"
+  rules:
+    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+      when: "never"
+    - when: "always"
+
+generate-release-version:
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false'"
+      when: "always"
+
+release:
+  dependencies:
+    - "generate-release-assets"
+  rules:
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
+      when: "always"
+  script:
+    - |
+      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
+      {
+        "branches": ["main"],
+        "plugins": [
+          ["@semantic-release/gitlab",
+            {
+              "assets": [
+                { "path": "./build_artefacts/chart-index.json",
+                  "label": "Chart Index JSON" },
+                { "path": "./build_artefacts/image-index.json",
+                  "label": "Image Index JSON" },
+              ]
+            }
+          ],
+          "@semantic-release/release-notes-generator",
+          "@semantic-release/changelog",
+          ["@semantic-release/git", {
+            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md"],
+            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+          }]
+        ]
+      }
+      EOF
+    - "semantic-release"
+...

.reuse/dep5

@@ -0,0 +1,8 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: openDesk
+Upstream-Contact: <git+bmi-souveraener-arbeitsplatz-cla-1339-29pr0g9pj4or9yi6wfly6pbhg-issue@opencode.de>
+Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace
+
+Files: helmfile/environments/default/theme/*
+Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+License: Apache-2.0

CHANGELOG.md

@@ -1,3 +1,110 @@
+## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
+
+
+### Bug Fixes
+
+* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e5ef639c22aad93fd2d0eb75f7a1ffc00d6cc9a))
+* **docs:** Add security part in README ([ff462ab](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ff462ab0dc2252cc7b517874f5337427b8d19053))
+* **docs:** Update scaling docs ([63a1e25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/63a1e2568e8c5ff62081c6e6594d2019c1aa4b74))
+* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c5ab1b81fecbce46788c50b282ed6d1770124fa5))
+* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4f2a8aeee4ee6c3d27b1c8a99bad14f603486be5))
+* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e68f7f28c937319d93f8afe1dbb302012f77233))
+* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cef11acbae28510809f9bfa13224dc3a6996207f))
+* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41d40c9b731b866da2666fa4ffa8cb6493737112))
+* **services:** Enable security context and use default increased security settings ([9a6d240](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9a6d2409a697f7e9811a0f4f8d31bb18bac1b926))
+* **services:** Fix image registry templates for postfix ([6321ff5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6321ff50a00203abbfb7f5822e67a3c0e00d4b01))
+* **services:** Replace image digest by tag ([f758293](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f7582932412f13b1a087d40459e97cf633b1a97e))
+* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5fbf86b6bc7b63c81b3ac07c5e0fa8cd464fdad1))
+* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9d7866480cee889fd3b3003b2eea313a6ed73344))
+
+## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)
+
+
+### Bug Fixes
+
+* **open-xchange:** Update images and Helm chart ([39565c7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/39565c7cfd89a8d1c2e645e3ecea28fba703ccc1))
+
+## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)
+
+
+### Bug Fixes
+
+* **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/387bd8715c5a1cf54733c6642cf57c6ef9a44316))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
+
+
+### Bug Fixes
+
+* **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
+* **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
+
+## [0.2.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.4...v0.2.5) (2023-08-30)
+
+
+### Bug Fixes
+
+* **xwiki:** Theming and language of central navigation ([3d4d45f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/3d4d45f7114e6e3bc353b8d6c5fdbcac4cb2460f))
+
+## [0.2.4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.3...v0.2.4) (2023-08-29)
+
+
+### Bug Fixes
+
+* **element:** Apply the global theme to Element ([7f7eae8](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7f7eae8f99a6d8ad8085ad99c63af27b858ff9b7))
+
+## [0.2.3](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.2...v0.2.3) (2023-08-29)
+
+
+### Bug Fixes
+
+* **ci:** Add central branding information ([a14c42f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/a14c42f6ed2e3d8e12af5d04cae1a4bb1336fb3d))
+
+## [0.2.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.1...v0.2.2) (2023-08-16)
+
+
+### Bug Fixes
+
+* **jitsi:** Allow configuration of LoadBalancer status field for patchJVB job ([7491582](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/7491582c28c21e83a0bc6349fb68045472146aad))
+* **open-xchange:** Explicitly disable core-ui-middleware ingress ([06dc7a1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/06dc7a115d36841f1109f9e75aac844d934c2f4c))
+
+## [0.2.1](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.0...v0.2.1) (2023-08-16)
+
+
+### Bug Fixes
+
+* **keycloak:** Increase proxy-buffer-size for ingress-nginx ([d8adcc4](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/d8adcc463adc8bec5a793a97977dddd89d7363cc))
+
+# [0.2.0](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.2...v0.2.0) (2023-08-15)
+
+
+### Bug Fixes
+
+* **helmfile:** Replace bitnami repositories with OCI ([4c21fd2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/4c21fd228654520bb71d56dc1bda96332334002b))
+
+
+### Features
+
+* **helmfile:** Implement private image/chart registry variables ([5788323](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/57883236219811d2a5fc422649b4f9b042a0ac22))
+
 ## [0.1.2](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.1.1...v0.1.2) (2023-08-15)
 
 

COMPONENTS-FUNCTIONAL.md

@@ -17,7 +17,7 @@ Functional components are the core of the SWP as they provide it's rich function
 
 ## File & Share - Nextcloud
 
-## Kollaboration - dOnlineZusammenarbeit 2.0
+## Kollaboration - Element
 
 ## Videokonferenzen - Jitsi
 
@@ -25,4 +25,4 @@ Functional components are the core of the SWP as they provide it's rich function
 
 ## Project Management - OpenProject
 
-## IAM - Univention Corporate Services
+## Portal & IAM - Univention Corporate Services

COMPONENTS-SERVICE.md

@@ -42,7 +42,7 @@ This service is used by:
 
 ## TURN Server
 
-- dOZ 2.0
+This services is used by:
 - Jitsi
 
 ## NFS

CONTRIBUTING.md

@@ -9,17 +9,17 @@ Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/b
 
 # How to contribute?
 
-When providing contributes to this project, please adhere to the standards and conventions described in further down in this document. Doing so please feel free to create merge requests.
+When providing contributes to this project, please adhere to the standards and conventions described further down in this document. Doing so please feel free to create merge requests.
 
 # Standards and conventions
 
 ## Branching
 
-We use of [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
+We use [Github flow](https://docs.github.com/en/get-started/quickstart/github-flow).
 
 ## Verified commits
 
-We only allow verify commits:
+We only allow verified commits:
 - https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/
 - https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/
 - https://docs.gitlab.com/ee/user/project/repository/x509_signed_commits/
@@ -80,7 +80,7 @@ Due to DVS requirements:
 - we should avoid stand alone Manifests.
 - we do not use Operators and CRDs.
 
-In order to align the Helm files from various sources into an unified deployment of the SWP we make use of to [Helmfile](https://github.com/helmfile/helmfile).
+In order to align the Helm files from various sources into an unified deployment of the SWP we make use of [Helmfile](https://github.com/helmfile/helmfile).
 
 ## Tooling
 

README.md

@@ -45,6 +45,15 @@ repository please use the [issues within this project](https://gitlab.opencode.d
 If you want to address other topics, please check the section
 ["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 
+# Releases
+
+All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
+
+Gitlab provides an [overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases) of this project.
+
+The following release artefacts are provided beside the default source code assets:
+- `chart-index.json`: An overview of all Helm charts used by the release.
+- `image-index.json`: An overview of all container images used by the release.
 # Deployment
 
 **Note for project members:** You can use the project's `dev` K8s cluster to set
@@ -64,8 +73,7 @@ These are the requirements of the Sovereign Workplace deployment:
 [HelmDiff](https://github.com/databus23/helm-diff)
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
-- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are
-working with Open-Xchange to get rid of this dependency.
+- [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
 
 #### TLS Certificate
 
@@ -149,6 +157,16 @@ and wait a little. After the deployment is finished some bootstrapping is
 executed which might take some more minutes before you can log in your new
 instance.
 
+## Offline deployment
+
+Before executing a [local deployment](#local-deployment), you can set following
+environment variables to use your own container image and helm chart registry:
+
+| name                         | description                    |
+|------------------------------|--------------------------------|
+| PRIVATE_CHART_REPOSITORY_URL | Your helm chart repository url |
+| PRIVATE_IMAGE_REGISTRY_URL   | Your image registry url        |
+
 ## Logging in
 
 When successfully deployed the SWP, all K8s jobs from the deployment should be
@@ -262,30 +280,46 @@ the application to your own database instances.
 ### Scaling
 
 The Replicas of components can be increased, while we still have to look in the
-actual scalability of the components (see column `Scales at least to 2`).
+actual scalability of the components (see column `Scaling (verified)`).
 
-| Component   | Name                   | Default | Service            | Scaling            | Scales at least to 2 |
-|-------------|------------------------|---------|--------------------|--------------------|----------------------|
-| ClamAV      | `replicas.clamav`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.clamd`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.freshclam`   | `1`     | :white_check_mark: | :x:                | not tested           |
-|             | `replicas.icap`        | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
-| Element     | `replicas.element`     | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
-|             | `replicas.synapse`     | `1`     | :white_check_mark: | :x:                | not tested           |
-|             | `replicas.synapseWeb`  | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
-|             | `replicas.wellKnown`   | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
-| Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | :x:                  |
-| Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
-| Postfix     | `replicas.postfix`     | `1`     | :white_check_mark: | :x:                | not tested           |
-| XWiki       | `replicas.xwiki`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Component   | Name                   | Scaling (effective) | Scaling (verified) |
+|-------------|------------------------|:-------------------:|:------------------:|
+| ClamAV      | `replicas.clamav`      | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.clamd`       | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.freshclam`   |         :x:         |        :x:         |
+|             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
+| Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
+| Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
+| Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.synapse`     |         :x:         |       :gear:       |
+|             | `replicas.synapseWeb`  | :white_check_mark:  | :white_check_mark: |
+|             | `replicas.wellKnown`   | :white_check_mark:  | :white_check_mark: |
+| Jitsi       | `replicas.jibri`       | :white_check_mark:  |       :gear:       |
+|             | `replicas.jicofo`      | :white_check_mark:  |       :gear:       |
+|             | `replicas.jitsi `      | :white_check_mark:  |       :gear:       |
+|             | `replicas.jvb `        |         :x:         |        :x:         |
+| Keycloak    | `replicas.keycloak`    | :white_check_mark:  |       :gear:       |
+| Nextcloud   | `replicas.nextcloud`   | :white_check_mark:  |       :gear:       |
+| OpenProject | `replicas.openproject` | :white_check_mark:  |       :gear:       |
+| Postfix     | `replicas.postfix`     |         :x:         |       :gear:       |
+| XWiki       | `replicas.xwiki`       | :white_check_mark:  |       :gear:       |
+
+
+## Security
+
+This list gives you an overview of default security settings and if they comply with security standards:
+
+
+| Component  | Process    | allowPrivilegeEscalation (`false`)  |                       capabilities (`drop: ALL`)                       | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+|------------|------------|:-----------------------------------:|:----------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+| ClamAV     | clamd      |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | freshclam  |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | icap       |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | milter     |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| MariaDB    | mariadb    |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Postfix    | postfix    |         :white_check_mark:          | :x: (`DAC_OVERRIDE`, `FOWNER`, `SETUID`, `SETGID`, `NET_BIND_SERVICE`) |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| PostgreSQL | postgresql |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 
 
 # Component integration
@@ -362,7 +396,7 @@ flowchart TD
     A[OX AppSuite]-->L
     D[OX Dovecot]-->L
     P[Portal/Admin]-->L
-    O[OpenProject]-->|in 2023|L
+    O[OpenProject]-->L
     X[XWiki]-->|in 2023|L
     A-->K
     N-->K

helmfile.yaml

@@ -32,12 +32,15 @@ environments:
   default:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
   dev:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/dev/values.yaml"
   prod:
     values:
       - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/prod/values.yaml"
 ...

helmfile/apps/collabora/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "collabora-online"
-    url: "https://collaboraonline.github.io/online"
+  - name: "collabora-online-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://collaboraonline.github.io/online" }}
 
 releases:
   - name: "collabora-online"
-    chart: "collabora-online/collabora-online"
+    chart: "collabora-online-repo/collabora-online"
     version: "1.0.2"
     values:
       - "values.yaml"

helmfile/apps/collabora/values.yaml

@@ -26,7 +26,8 @@ ingress:
       http-request track-sc1 url_param(WOPISrc)
       stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
       stick store-request url_param(WOPISrc)
-
+    nginx.org/websocket-services: "collabora"
+    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
 autoscaling:
   enabled: false
 ...

helmfile/apps/element/helmfile.yaml

@@ -2,34 +2,37 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-element"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable"
+  - name: "sovereign-workplace-element-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
 
 releases:
   - name: "sovereign-workplace-element"
-    chart: "sovereign-workplace-element/sovereign-workplace-element"
-    version: "1.1.2"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-element"
+    version: "1.3.0"
     values:
       - "values-element.gotmpl"
     condition: "element.enabled"
 
   - name: "sovereign-workplace-well-known"
-    chart: "sovereign-workplace-element/sovereign-workplace-well-known"
-    version: "1.1.2"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-well-known"
+    version: "1.3.0"
     values:
+      - "values-well-known.yaml"
       - "values-well-known.gotmpl"
     condition: "element.enabled"
 
   - name: "sovereign-workplace-synapse-web"
-    chart: "sovereign-workplace-element/sovereign-workplace-synapse-web"
-    version: "1.1.2"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse-web"
+    version: "1.3.0"
     values:
       - "values-synapse-web.gotmpl"
     condition: "element.enabled"
 
   - name: "sovereign-workplace-synapse"
-    chart: "sovereign-workplace-element/sovereign-workplace-synapse"
-    version: "1.1.2"
+    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse"
+    version: "1.3.0"
     values:
       - "values-synapse.gotmpl"
     condition: "element.enabled"

helmfile/apps/element/values-element.gotmpl

@@ -11,6 +11,10 @@ global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
+configuration:
+  additionalConfiguration:
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.element.repository }}"
@@ -24,6 +28,9 @@ ingress:
     enabled: "{{ .Values.ingress.tls.enabled }}"
     secretName: "{{ .Values.ingress.tls.secretName }}"
 
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
 replicaCount: {{ .Values.replicas.element }}
 
 resources:

helmfile/apps/element/values-well-known.yaml

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  e2ee:
+    forceDisable: true
+...

helmfile/apps/intercom-service/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "intercom-service"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable"
+  - name: "intercom-service-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable" }}
 
 releases:
   - name: "intercom-service"
-    chart: "intercom-service/intercom-service"
+    chart: "intercom-service-repo/intercom-service"
     version: "1.1.3"
     values:
       - "values.yaml"

helmfile/apps/jitsi/helmfile.yaml

@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "jitsi"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/137/packages/helm/stable"
-
+  - name: "jitsi-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
 releases:
   - name: "jitsi"
-    chart: "jitsi/sovereign-workplace-jitsi"
-    version: "1.2.1"
+    chart: "jitsi-repo/sovereign-workplace-jitsi"
+    version: "1.4.1"
     values:
       - "values-jitsi.gotmpl"
     condition: "jitsi.enabled"

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -19,6 +19,9 @@ image:
 settings:
   jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
 
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
 jitsi:
   publicURL: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
   web:
@@ -113,6 +116,7 @@ jitsi:
 patchJVB:
   configuration:
     staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
+    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.jitsiPatchJVB.repository }}"

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-keycloak-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable"
+  - name: "sovereign-workplace-keycloak-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable" }}
 
 releases:
   - name: "sovereign-workplace-keycloak-bootstrap"
-    chart: "sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap"
+    chart: "sovereign-workplace-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
     version: "1.1.11"
     values:
       - "values-bootstrap.gotmpl"

helmfile/apps/keycloak/helmfile.yaml

@@ -2,22 +2,29 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "bitnami"
-    url: "https://charts.bitnami.com/bitnami"
-  - name: "keycloak-theme"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable"
-  - name: "keycloak-extensions"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable"
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry-1.docker.io/bitnamicharts" }}
+  - name: "keycloak-theme-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable" }}
+  - name: "keycloak-extensions-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
 
 releases:
   - name: "keycloak-theme"
-    chart: "keycloak-theme/sovereign-workplace-theme"
-    version: "1.0.0"
+    chart: "keycloak-theme-repo/sovereign-workplace-theme"
+    version: "1.1.0"
     values:
       - "values-theme.gotmpl"
     condition: "keycloak.enabled"
   - name: "keycloak"
-    chart: "bitnami/keycloak"
+    chart: "bitnami-repo/keycloak"
     version: "12.2.0"
     values:
       - "values-keycloak.gotmpl"
@@ -26,7 +33,7 @@ releases:
     wait: true
     condition: "keycloak.enabled"
   - name: "keycloak-extensions"
-    chart: "keycloak-extensions/keycloak-extensions"
+    chart: "keycloak-extensions-repo/keycloak-extensions"
     version: "0.1.0"
     needs:
       - "keycloak"

helmfile/apps/keycloak/values-extensions.gotmpl

@@ -46,6 +46,7 @@ proxy:
     ingressClassName: "{{ .Values.ingress.ingressClassName }}"
     annotations:
       nginx.org/proxy-buffer-size: "8k"
+      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     tls:
       enabled: "{{ .Values.ingress.tls.enabled }}"

helmfile/apps/keycloak/values-theme.gotmpl

@@ -7,4 +7,7 @@ global:
   domain: "{{ .Values.global.domain }}"
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 ...

helmfile/apps/nextcloud/helmfile.yaml

@@ -2,15 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable"
-  - name: "nextcloud"
-    url: "https://nextcloud.github.io/helm/"
+  - name: "opendesk-nextcloud-bootstrap-repo"
+    oci: true
+    url: >-
+      # yamllint disable rule:line-length
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
+      # yamllint enable rule:line-length
+  - name: "nextcloud-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://nextcloud.github.io/helm/" }}
 
 releases:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap/sovereign-workplace-nextcloud-bootstrap"
-    version: "2.2.0"
+  - name: "opendesk-nextcloud-bootstrap"
+    chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
+    version: "3.0.0"
     wait: true
     waitForJobs: true
     values:
@@ -20,10 +27,10 @@ releases:
     timeout: 1800
 
   - name: "nextcloud"
-    chart: "nextcloud/nextcloud"
+    chart: "nextcloud-repo/nextcloud"
     version: "3.5.19"
     needs:
-      - "sovereign-workplace-nextcloud-bootstrap"
+      - "opendesk-nextcloud-bootstrap"
     values:
       - "values-nextcloud.gotmpl"
       - "values-nextcloud.yaml"

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -18,7 +18,7 @@ config:
 
   antivirus:
     {{- if .Values.clamavDistributed.enabled }}
-    host: "clamav-sovereign-workplace-icap"
+    host: "clamav-icap"
     {{- else if .Values.clamavSimple.enabled }}
     host: "clamav-simple"
     {{- end }}
@@ -64,4 +64,7 @@ persistence:
 
 resources:
   {{ .Values.resources.nextcloud | toYaml | nindent 2 }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
 ...

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -11,6 +11,9 @@ config:
     userOidc:
       username: "ncoidc"
 
+  ldapSearch:
+    host: "univention-corporate-container"
+
 cleanup:
   deletePodsOnSuccess: false
 ...

helmfile/apps/nextcloud/values-nextcloud.yaml

@@ -21,6 +21,11 @@ cronjob:
         sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
         \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
 
+ingress:
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
+    nginx.org/client-max-body-size: "4G"
+
 internalDatabase:
   enabled: false
 postgresql:

helmfile/apps/open-xchange/helmfile.yaml

@@ -2,31 +2,39 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "dovecot"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable"
-  - name: "openxchange"
-    url: "registry.open-xchange.com"
+  - name: "dovecot-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable" }}
+  - name: "openxchange-repo"
     oci: true
-  - name: "sovereign-workplace-open-xchange-bootstrap"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "registry.open-xchange.com" }}
+  - name: "sovereign-workplace-open-xchange-bootstrap-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable" }}
 
 releases:
   - name: "dovecot"
-    chart: "dovecot/dovecot"
+    chart: "dovecot-repo/dovecot"
     version: "1.3.1"
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"
     condition: "dovecot.enabled"
   - name: "open-xchange"
-    chart: "openxchange/appsuite-public-sector/charts/appsuite-public-sector"
-    version: "1.2.13"
+    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
+    version: "2.0.3"
     values:
       - "values-openxchange.yaml"
       - "values-openxchange.gotmpl"
+      - "values-openxchange-enterprise-contact-picker.yaml"
+      - "values-openxchange-enterprise-contact-picker.gotmpl"
     condition: "oxAppsuite.enabled"
   - name: "sovereign-workplace-open-xchange-bootstrap"
-    chart: "sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap"
+    chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
     version: "1.3.1"
     values:
       - "values-openxchange-bootstrap.yaml"

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl

@@ -0,0 +1,14 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+appsuite:
+  core-mw:
+    secretYAMLFiles:
+      ldap-client-config.yml:
+        contactsLdapClient:
+          auth:
+            adminDN:
+              password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml

@@ -0,0 +1,349 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+appsuite:
+  core-mw:
+
+    properties:
+      # Enterprise contact picker
+      com.openexchange.contacts.ldap.accounts: "opendesk"
+      com.openexchange.admin.bypassAccessCombinationChecks: "true"
+      ENABLE_INTERNAL_USER_EDIT: "false"
+
+    # Enterprise contact picker (see also gotmpl)
+    secretYAMLFiles:
+      ldap-client-config.yml:
+        contactsLdapClient:
+          pool:
+            type: "simple"
+            host:
+              address: "univention-corporate-container"
+              port: 389
+          auth:
+            type: "adminDN"
+            adminDN:
+              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
+
+    uiSettings:
+      # Enterprise contact picker
+      io.ox/core//features/enterprisePicker/enabled: "true"
+
+    yamlFiles:
+      contacts-provider-ldap.yml:
+        # Example definitions of available LDAP contact providers, together with their corresponding configuration,
+        # referenced LDAP client connection settings and attribute mappings.
+        #
+        # This template contains examples and will be overwritten during updates. To use, copy this file to
+        # /opt/open-xchange/etc/contacts-provider-ldap.yml and configure as needed.
+        #
+        # Each configured contacts provider can be enabled for users using the corresponding identifier used in this
+        # .yml file. For this purpose, the config-cascade-enabled setting "com.openexchange.contacts.provider.ldap"
+        # is available.
+        #
+        # Besides the provider configuration in this file, also accompanying LDAP client and contact property mappings
+        # need to be referenced.
+        #
+        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
+        # for further details and a complete list of available configuration options.
+        #
+
+        # Key will be used as identifier for the contact provider
+        opendesk:
+
+          # The display name of this contacts provider.
+          name: "Example Address Lists"
+
+          # Configures the identifier of the LDAP client configuration settings to use, as defined in
+          # 'ldap-client-config.yml'. There, all further connection-related properties to access the LDAP server can
+          # be specified.
+          ldapClientId: "contactsLdapClient"
+
+          # A reference to the contact property <-> LDAP attribute mapping definitions to use, referencing the
+          # corresponding entry in the file 'contact-provider-ldap-mappings.yml'.
+          mappings: "ucs"
+
+          # Specifies if support for querying deleted objects is enabled or not. When enabled, deleted objects are
+          # identified with the filter 'isDeleted=TRUE', which is usually only available in Active Directory (as
+          # control with OID 1.2.840.113556.1.4.417). If disabled, no results are available for folders from this
+          # provider for the 'deleted' API call, and therefore no incremental synchronizations are possible. See also
+          # 'usedForSync' folders property. Defaults to "false".
+          isDeletedSupport: false
+
+          # Specifies the requested maximum size for paged results. "0" disables paged results. This should be
+          #  configured, especially when the there are server-side restrictions towards the maximum result size.
+          # Defaults to "500".
+          maxPageSize: 500
+
+          # Optionally enables a local cache that holds certain properties of all of the provider's contacts in
+          # memory to speed up access. Can only be used if no individual authentication is used to access the
+          # LDAP server.
+          cache:
+            useCache: false
+
+          # Definition of addressbook folders of the contacts provider. Different folder modes are possible, each
+          # one with its specific configuration settings. The template contains examples for all possible modes,
+          # however, only the one specified through 'mode' property is actually used.
+          folders:
+
+            # Configures in which mode addressbook folders are provided by the contacts provider. Possible modes
+            # are "fixedAttributes" to have a common search filter per folder that varies by a fixed set of possible
+            # attribute values, "dynamicAttributes" to use a common filter and retrieve all possible values
+            # dynamically, or "static" to have a static search filter associated with each contact folder.
+            # The corresponding mode-specific section needs to be configured as well.
+            mode: "dynamicAttributes"
+
+            # Configures if the addressbook folders can be synchronized to external clients via CardDAV or not.
+            # If set to "false", the folders are only available in the web client. If set to "true", folders can
+            # be activated for synchronization. Should only be enabled if attribute mappings for the 'changing_date'
+            # and 'uid' contact properties are available, and the LDAP server supports the special
+            # "LDAP Show Deleted Control" to query tombstone entries via 'isDeleted=TRUE'. The 'protected' flag
+            # controls whether the default value can be changed by the client or not.
+            usedForSync:
+              protected: true
+              defaultValue: false
+
+            # Defines whether addressbook folders will be available in the contact picker dialog of App Suite.
+            # If enabled, contacts from this provider can be looked up through this dialog, otherwise they are
+            # hidden. The 'protected' flag controls whether the default value can be changed by the client or not.
+            usedInPicker:
+              protected: false
+              defaultValue: true
+
+            # Defines whether addressbook folders will be shown as 'subscribed' folders in the tree or not.
+            # If enabled, the folders will appear in the contacts module of App Suite as regular, subscribed folder.
+            # Otherwise, they're treated as hidden, unsubscribed folders. The 'protected' flag controls whether
+            # the default value can be changed by the client or not.
+            shownInTree:
+              protected: false
+              defaultValue: true
+
+            # In "static" folder mode, a fixed list of folder definitions is used, each one with its own contact
+            # filter and name (the names must be unique). Additionally, a "commonContactFilter" needs to be
+            # defined, which is used for operations that are not bound to
+            # a specific folder, like lookups across all visible folders.
+            # The filter's search scopes relative to the LDAP client's 'baseDN' can be configured as "one"
+            # (only immediate subordinates) or "sub" (base entry itself and any subordinate entries to any depth),
+            # and all default to "sub" unless specified otherwise.
+            static:
+              commonContactFilter: "(|(objectClass=person)(objectClass=groupOfNames))"
+              commonContactSearchScope: "sub"
+              folders:
+                - name: "Cupertino"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Cupertino))"
+                  contactSearchScope: "sub"
+                - name: "San Mateo"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=San Mateo))"
+                  contactSearchScope: "sub"
+                - name: "Redwood Shores"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Redwood Shores))"
+                  contactSearchScope: "sub"
+                - name: "Armonk"
+                  contactFilter: "(&(|(objectClass=person)(objectClass=groupOfNames))(l=Armonk))"
+                  contactSearchScope: "sub"
+
+            # With mode "dynamic attributes", all possible values for one attribute are fetched periodically and
+            # serve as folders. The list of values is fetched by querying all entries that match the
+            # "contactFilterTemplate" (with the wildcard "*" as value) and "contactSearchScope" ("one"/"sub").
+            # Then, the folders are derived based on all distinct attribute values found, with the value as name.
+            # Depending on the configured authentication mode, this is either done per user individually, or globally.
+            # Therefore, per-user authentication is not recommend in this mode.
+            # The "refreshInterval" determines how often the list of attributes is refreshed, and can be defined
+            # using units of measurement:
+            # "D" (=days), "W" (=weeks), "H" (=hours) and "m" (=minutes). Defaults to "1h". The optional "sortOrder"
+            # allows to sort the attributes lexicographically, either "ascending" or "descending".
+            dynamicAttributes:
+              attributeName: "o"
+              contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
+              contactSearchScope: "sub"
+              # refreshInterval: 1h
+              refreshInterval: "5m"
+              sortOrder: "ascending"
+
+            # With mode "fixed attributes", all entries matching a filter and having an attribute set to one of the
+            # defined values do form a folder. Works similar to "dynamic attributes", but with a static list of
+            # possible values.
+            # All items defined in the "attributeValues" array are used as folder (with the value as name). When
+            # listing the contents of a specific folder, this folder's specific attribute value is inserted in the
+            # configured "contactFilterTemplate", using the "contactSearchScope" ("one"/"sub").
+            fixedAttributes:
+              contactFilterTemplate: "(&(|(objectClass=person)(objectClass=groupOfNames))(ou=[value]))"
+              contactSearchScope: "sub"
+              attributeValues:
+                - "Janitorial"
+                - "Product Development"
+                - "Management"
+                - "Human Resources"
+
+      contacts-provider-ldap-mappings.yml:
+        # Example definitions of contact property <-> LDAP attribute mappings.
+        #
+        # This template contains examples and will be overwritten during updates. To use, copy this file to
+        # /opt/open-xchange/etc/contacts-provider-ldap-mappings.yml and configure as needed.
+        #
+        # Each configured set of mappings can be used for an LDAP contact provider (as defined through separate
+        # file contacts-provider-ldap.yml), by using the corresponding identifier used in this .yml file.
+        #
+        # Generally, contact properties are set based on an entry's value of the mapped LDAP attribute name.
+        # Empty mappings are ignored. It's possible to define a second LDAP attribute name for a property that is
+        # used as fall-back if the first one is empty in an LDAP result, e.g. to define multiple attributes for a
+        # display name, or to have multiple mappings for contacts and distribution lists.
+        #
+        # For the data-types, each LDAP attribute value is converted/parsed to the type necessary on the server
+        # (Strings, Numbers, Booleans). Dates are assumed to be in UTC and parsed using the pattern 'yyyyMMddHHmmss'.
+        # Binary properties may be indicated by appending ';binary' to the LDAP attribute name. In order to assign
+        # the internal user- and context identifier based on attributes yielding the corresponding
+        # login information (username / contextname), the special appendix ';logininfo' can be used.
+        # Boolean properties may also be set based on a comparison with the LDAP attribute value, which is defined
+        # by the syntax '[LDAP_ATTRIBUTE_NAME]=[EXPECTED_VALUE]', e.g. to set the 'mark_as_distribution_list'
+        # property based on a specific 'objectClass' value.
+        # Alternatively, a Boolean value may also be assigned based on the the existence of any attribute value
+        # using '*'.
+        #
+        # See also https://documentation.open-xchange.com/latest/middleware/contacts/contacts_provider_ldap.html
+        # for further details and a complete list of available configuration options.
+        #
+
+        # Mappings for a typical OpenLDAP server.
+        ucs:
+          # == ID Mappings =======================================================
+          # The object ID is always required and must be unique for the LDAP server. Will use the DN of the entry
+          # unless overridden.
+          # The 'guid' flag can be passed along to properly decode a Microsoft GUID. For 'regular' UUIDs, the
+          # flag 'binary' should be used.
+          objectid: "uidNumber,gidNumber"
+          # The user and context identifiers can be mapped to certain LDAP attributes to aid resolving contact
+          # entries to internal users, e.g. in scenarios where the default global addressbook folder is disabled.
+          # Will only be considered if an entry's context identifier matches the one from the actual session of
+          # the requesting operation.
+          # If used, they should be mapped to attributes that provide the matching rules "integerMatch" for
+          # "EQUALITY" as well as "integerOrderingMatch" for "ORDERING".
+          # Alternatively, if no internal context- or user identifier is available, also attributes yielding
+          # the corresponding login information (username / contextname) can be used by appending ';logininfo'
+          # to the attribute name.
+          internal_userid: "uid;logininfo"
+          contextid: "oxContextIDNum"
+          # The 'guid' flag can be passed along properly decode a Microsoft GUID. For 'regular' UUIDs in binary
+          # format, the flag 'binary' should be used.
+          # uid                   : entryUUID;binary;logininfo
+
+          # == String Mappings ===================================================
+          displayname: "oxDisplayName,displayName,name"
+          file_as: "oxDisplayName,displayName,name"
+          givenname: "givenName"
+          surname: "sn"
+          email1: "mailPrimaryAddress"
+          department: "oxDepartment,department"
+          company: "oxCompany,o"
+          branches: "oxBranches"
+          # business_category     :
+          postal_code_business: "postalCode"
+          state_business: "oxStateBusiness,st"
+          street_business: "streetAddress"
+          # telephone_callback    :
+          city_home: "oxCityHome"
+          commercial_register: "oxCommercialRegister"
+          country_home: "oxCountryHome"
+          email2: "oxEmail2"
+          email3: "oxEmail3"
+          employeetype: "employeeType"
+          fax_business: "oxFaxBusiness,facsimileTelehoneNumber"
+          fax_home: "oxFaxHome"
+          fax_other: "oxFaxOther"
+          instant_messenger1: "oxInstantMessenger1"
+          instant_messenger2: "oxInstantMessenger2"
+          telephone_ip: "oxTelephoneIp"
+          telephone_isdn: "internationaliSDNNumber"
+          marital_status: "oxMaritalStatus"
+          cellular_telephone1: "mobile"
+          # cellular_telephone2   :
+          nickname: "oxNickName"
+          number_of_children: "oxNumOfChildren"
+          number_of_employee: "employeeNumber"
+          note: "oxNote,description"
+          telephone_pager: "oxTelephonePager,pager"
+          telephone_assistant: "oxTelephoneAssistant"
+          telephone_business1: "oxTelephoneBusiness1,telephoneNumber"
+          telephone_business2: "oxTelephoneBusiness2"
+          telephone_car: "oxTelephoneCar"
+          telephone_company: "oxTelephoneCompany"
+          telephone_home1: "oxTelephoneHome1,homePhone"
+          telephone_home2: "oxTelephoneHome2"
+          telephone_other: "oxTelephoneOther"
+          postal_code_home: "oxPostalCodeHome"
+          # telephone_radio       :
+          room_number: "roomNumber"
+          sales_volume: "oxSalesVolume"
+          city_other: "oxCityOther"
+          country_other: "oxCountryOther"
+          middle_name: "oxMiddleName,middleName"
+          postal_code_other: "oxPostalCodeOther"
+          state_other: "oxStateOther"
+          street_other: "oxStreetOther"
+          spouse_name: "oxSpouseName"
+          state_home: "oxStateHome"
+          street_home: "oxStreetHome"
+          suffix: "oxSuffix"
+          tax_id: "oxTaxId"
+          telephone_telex: "oxTelephoneTelex,telexNumber"
+          telephone_ttytdd: "oxTelephoneTtydd"
+          url: "oxUrl,wWWHome"
+          userfield01: "oxUserfiels01"
+          userfield02: "oxUserfiels02"
+          userfield03: "oxUserfiels03"
+          userfield04: "oxUserfiels04"
+          userfield05: "oxUserfiels05"
+          userfield06: "oxUserfiels06"
+          userfield07: "oxUserfiels07"
+          userfield08: "oxUserfiels08"
+          userfield09: "oxUserfiels09"
+          userfield10: "oxUserfiels10"
+          userfield11: "oxUserfiels11"
+          userfield12: "oxUserfiels12"
+          userfield13: "oxUserfiels13"
+          userfield14: "oxUserfiels14"
+          userfield15: "oxUserfiels15"
+          userfield16: "oxUserfiels16"
+          userfield17: "oxUserfiels17"
+          userfield18: "oxUserfiels18"
+          userfield19: "oxUserfiels19"
+          userfield20: "oxUserfiels20"
+          city_business: "l"
+          country_business: "oxCountryBusiness,country"
+          # telephone_primary     :
+          # categories            :
+          title: "title"
+          position: "oxPosition"
+          profession: "oxProfession"
+
+          # == Date Mappings =====================================================
+          birthday: "oxBirthday"
+          anniversary: "oxAnniversary"
+          # The last-modified and creation dates are required by the groupware server, therefore an implicit
+          # default date is assumed when no LDAP attribute is mapped here, and no results are available for this
+          # folder for the 'modified' and 'deleted' API calls. Therefore, any synchronization-based usage will
+          # not be available.
+          lastmodified: "modifyTimestamp"
+          creationdate: "createTimestamp"
+
+          # == Misc Mappings =====================================================
+          # Distribution list members are resolved dynamically using the DNs found in the mapped LDAP attribute.
+          # Alternatively, if the attribute value does not denote a DN reference, the value is assumed to be the
+          # plain email address of the member.
+          distributionlist: "memberUid"
+          # Special mapping where the value is evaluated using a string comparison with, or the existence of
+          # the attribute value.
+          markasdistributionlist: "objectClass=posixGroup"
+          # The values for the for assistant- and manager name mappings are either used as-is, or get resolved
+          # dynamically using the DNs found
+          # in the mapped LDAP attribute.
+          assistant_name: "secretary"
+          manager_name: "oxManagerName,manager"
+          # Contact image, binary format is expected.
+          image1: "jpegPhoto"
+          # Special mapping where the value is evaluated using a string comparison with, or the existence of
+          # the attribute value.
+          number_of_images: "jpegPhoto=*"
+          # Will be set internally if not defined.
+          # image_last_modified   :
+          # Will be set automatically to "image/jpeg" if not defined.
+          # image1_content_type   :

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -76,6 +76,16 @@ appsuite:
     uiSettings:
       "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
       "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
+      # Dynamic theme
+      io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
+      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+      io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
+      io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
+      io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
     secretETCFiles:
       # Format of the OX Guard master key:
       # MC+base64(20 random bytes)
@@ -108,6 +118,7 @@ appsuite:
     ingress:
       hosts:
         - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+      enabled: false
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . }}

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -55,14 +55,20 @@ appsuite:
       com.openexchange.mail.filter.server: "dovecot"
       com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
       # Capabilities
+      # Old capability can be used to toggle all integrations with a single switch
+      com.openexchange.capability.public-sector: "true"
+      # New capabilities in 2.0
+      com.openexchange.capability.public-sector-element: "false"
+      com.openexchange.capability.public-sector-navigation: "true"
       com.openexchange.capability.client-onboarding: "true"
       com.openexchange.capability.dynamic-theme: "true"
       com.openexchange.capability.filestorage_nextcloud: "true"
       com.openexchange.capability.filestorage_nextcloud_oauth: "true"
       com.openexchange.capability.guard: "true"
       com.openexchange.capability.guard-mail: "true"
-      com.openexchange.capability.public-sector: "true"
       com.openexchange.capability.smime: "true"
+      com.openexchange.capability.share_links: "false"
+      com.openexchange.capability.invite_guests: "false"
       # Secondary Accounts
       com.openexchange.mail.secondary.authType: "XOAUTH2"
       com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -93,6 +99,13 @@ appsuite:
         bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
 
     uiSettings:
+      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
+      io.ox/core//features/enterprisePicker/showLauncher: "false"
+      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
+      # Text and icon color in the topbar
+      io.ox/dynamic-theme//topbarColor: "#000"
+      io.ox/dynamic-theme//logoWidth: "82"
+      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
       # Resources
       io.ox/core//features/resourceCalendars: "true"
       io.ox/core//features/managedResources: "true"
@@ -107,18 +120,6 @@ appsuite:
       # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
       io.ox/core//apps/quickLaunchCount: "0"
       io.ox/core//coloredIcons: "false"
-      # Dynamic theme
-      io.ox/dynamic-theme//mainColor: "#004B76"
-      io.ox/dynamic-theme//logoURL: "io.ox.public-sector/logo.svg"
-      io.ox/dynamic-theme//logoWidth: "80"
-      io.ox/dynamic-theme//topbarBackground: "#fff"
-      io.ox/dynamic-theme//topbarColor: "#1f1f1f"
-      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
-      io.ox/dynamic-theme//listSelected: "#ADC8F0"
-      io.ox/dynamic-theme//listHover: "#ddd"
-      io.ox/dynamic-theme//folderBackground: "#fff"
-      io.ox/dynamic-theme//folderSelected: "#ADC8F0"
-      io.ox/dynamic-theme//folderHover: "#ddd"
 
     asConfig:
       default:

helmfile/apps/openproject/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "openproject"
-    url: "https://charts.openproject.org"
+  - name: "openproject-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://charts.openproject.org" }}
 
 releases:
   - name: "openproject"
-    chart: "openproject/openproject"
+    chart: "openproject-repo/openproject"
     version: "1.8.0"
     values:
       - "values.yaml"

helmfile/apps/openproject/values.gotmpl

@@ -59,6 +59,8 @@ environment:
   OPENPROJECT_SMTP__PORT: "587" # (default=587)
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
   OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
 
 persistence:
   size: "{{ .Values.persistence.size.openproject }}"
@@ -68,4 +70,5 @@ replicaCount: {{ .Values.replicas.openproject }}
 
 resources:
   {{ .Values.resources.openproject | toYaml | nindent 2 }}
+
 ...

helmfile/apps/openproject/values.yaml

@@ -40,5 +40,24 @@ environment:
   OPENPROJECT_SMTP__AUTHENTICATION: "plain"
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
+  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
+  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
+    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
+  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
+  OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
+  OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
+  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
+  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
+  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
+    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
+  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
 
 ...

helmfile/apps/provisioning/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "ox-connector"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable"
+  - name: "ox-connector-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
 
 releases:
   - name: "ox-connector"
-    chart: "ox-connector/ox-connector"
+    chart: "ox-connector-repo/ox-connector"
     version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
     values:
       - "values-oxconnector.yaml"

helmfile/apps/services/helmfile.yaml

@@ -2,70 +2,88 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-certificates"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable"
-  - name: "postgresql"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable"
-  - name: "mariadb"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable"
-  - name: "postfix"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable"
-  - name: "istio-resources"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable"
-  - name: "clamav"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable"
-  - name: "bitnami"
-    url: "https://charts.bitnami.com/bitnami"
+  - name: "sovereign-workplace-certificates-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
+  - name: "postgresql-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "https://gitlab.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
+  - name: "mariadb-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "https://gitlab.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
+  - name: "postfix-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" }}
+  - name: "istio-resources-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
+  - name: "clamav-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "registry-1.docker.io/bitnamicharts" }}
 
 releases:
   - name: "sovereign-workplace-certificates"
-    chart: "sovereign-workplace-certificates/sovereign-workplace-certificates"
+    chart: "sovereign-workplace-certificates-repo/sovereign-workplace-certificates"
     version: "1.2.2"
     values:
       - "values-certificates.gotmpl"
     condition: "certificates.enabled"
   - name: "redis"
-    chart: "bitnami/redis"
-    version: "^17.9.3"
+    chart: "bitnami-repo/redis"
+    version: "18.0.0"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
     condition: "redis.enabled"
   - name: "postgresql"
-    chart: "postgresql/postgresql"
-    version: "2.0.0"
+    chart: "postgresql-repo/postgresql"
+    version: "2.0.2"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
     condition: "postgresql.enabled"
   - name: "mariadb"
-    chart: "mariadb/mariadb"
-    version: "2.0.0"
+    chart: "mariadb-repo/mariadb"
+    version: "2.0.2"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
     condition: "mariadb.enabled"
   - name: "postfix"
-    chart: "postfix/postfix"
-    version: "1.13.0"
+    chart: "postfix-repo/postfix"
+    version: "2.0.0"
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
     condition: "postfix.enabled"
   - name: "clamav"
-    chart: "clamav/sovereign-workplace-clamav"
-    version: "2.1.0"
+    chart: "clamav-repo/opendesk-clamav"
+    version: "4.0.0"
     values:
       - "values-clamav-distributed.gotmpl"
     condition: "clamavDistributed.enabled"
   - name: "clamav-simple"
-    chart: "clamav/clamav-simple"
-    version: "2.1.0"
+    chart: "clamav-repo/clamav-simple"
+    version: "4.0.0"
     values:
       - "values-clamav-simple.gotmpl"
     condition: "clamavSimple.enabled"
   - name: "sovereign-workplace-gateway"
-    chart: "istio-resources/istio-gateway"
+    chart: "istio-resources-repo/istio-gateway"
     version: "1.1.2"
     values:
       - "values-istio-gateway.gotmpl"

helmfile/apps/services/values-clamav-distributed.gotmpl

@@ -5,8 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 clamd:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.clamd }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
@@ -17,8 +15,6 @@ clamd:
 
 freshclam:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.freshclam }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
@@ -42,8 +38,6 @@ icap:
 
 milter:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.milter }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/services/values-clamav-simple.gotmpl

@@ -3,11 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
-podSecurityContext:
-  {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-  enabled: false
-
 replicaCount: {{ .Values.replicas.clamav }}
 
 image:

helmfile/apps/services/values-mariadb.gotmpl

@@ -12,6 +12,8 @@ image:
   repository: "{{ .Values.images.mariadb.repository }}"
   tag: "{{ .Values.images.mariadb.tag }}"
 
+# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
+# Please refer to `databases.yaml` for details.
 job:
   users:
     - username: "xwiki_user"

helmfile/apps/services/values-postfix.gotmpl

@@ -3,14 +3,15 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
-  url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
-  digest: "{{ .Values.images.postfix.digest }}"
+global:
+  registry: {{ .Values.global.imageRegistry }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
-{{- end }}
+image:
+  registry: {{ .Values.global.imageRegistry }}
+  repository: "{{ .Values.images.postfix.repository }}"
+  tag: "{{ .Values.images.postfix.tag }}"
 
 certificate:
   secretName: "{{ .Values.ingress.tls.secretName }}"

helmfile/apps/services/values-redis.yaml

@@ -8,4 +8,8 @@ sentinel:
 
 metrics:
   enabled: false
+
+master:
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
 ...

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -2,12 +2,14 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "univention-corporate-container"
-    url: "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable"
+  - name: "univention-corporate-container-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" }}
 
 releases:
   - name: "univention-corporate-container"
-    chart: "univention-corporate-container/univention-corporate-container"
+    chart: "univention-corporate-container-repo/univention-corporate-container"
     version: "1.0.10"
     values:
       - "values.yaml"

helmfile/apps/xwiki/helmfile.yaml

@@ -2,13 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "xwiki"
-    url: "https://xwiki-contrib.github.io/xwiki-helm"
+  - name: "xwiki-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://xwiki-contrib.github.io/xwiki-helm" }}
 
 releases:
   - name: "xwiki"
-    chart: "xwiki/xwiki"
-    version: "1.1.1"
+    chart: "xwiki-repo/xwiki"
+    version: "1.1.3"
     wait: true
     timeout: 600
     values:

helmfile/apps/xwiki/values.gotmpl

@@ -8,14 +8,23 @@ image:
   tag: "{{ .Values.images.xwiki.tag }}"
 
 externalDB:
-  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.xwikiUser }}"
+  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
   database: "{{ .Values.databases.xwiki.name }}"
   user: "{{ .Values.databases.xwiki.username }}"
   host: "{{ .Values.databases.xwiki.host }}"
 
 customConfigs:
   "xwiki.cfg":
-    "xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
+    "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
+    ## LDAP Server configuration
+    # "xwiki.authentication.ldap.server": "univention-corporate-container"
+    # xwiki.authentication.ldap.port: 389
+    ## Authentication to the LDAP server
+    # xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
+    # xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
+    ## Base DN used for searching for users
+    # xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+
   "xwiki.properties":
     "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
     "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
@@ -25,10 +34,16 @@ customConfigs:
     "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
     "workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-    "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey }}
+    "workplaceServices.portalSecret": "{{ .Values.secrets.centralnavigation.apiKey }}"
 
 properties:
-  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvg | b64enc }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "{{ .Values.theme.colors.primary }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "{{ .Values.theme.colors.white }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "{{ .Values.theme.colors.secondaryGreyLight }}"
+  ## Link LDAP users and users authenticated through OIDC
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}

helmfile/apps/xwiki/values.yaml

@@ -2,9 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 image:
-  name: "git.xwikisas.com:5050/xwikisas/swp/xwiki"
-  tag: "0.4-mariadb-tomcat"
-  pullPolicy: "Always"
+  pullPolicy: "IfNotPresent"
 
 ingress:
   # enabled: true
@@ -32,9 +30,9 @@ mariadb:
 
 properties:
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "#004B76"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de_DE"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.timezone": "Europe/Berlin"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de_DE"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"
@@ -43,15 +41,37 @@ properties:
     "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-active-color":
     "@brand-primary"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "#fff"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "#fff"
   # yamllint disable-line rule:line-length
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "'@list-group-active-border: @list-group-border; @gray-light: #727272; @text-muted: @gray; @xwiki-drawer-menu-item-hover-bg: @list-group-hover-bg; @xwiki-drawer-menu-item-hover-color: @list-group-link-hover-color; @well-bg: @body-bg; .navbar-default { border-bottom: 3px solid @brand-primary !important; } #menuview .navbar-brand img { padding: 5px; }'"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": " li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd; height: 64px; } div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"
+
   "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
+  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
+  #   "sn,givenname,uid"
+  ## Restrict user import in the UI to global administrators
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
+  ## Enable group and user synchronization
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
+  #   1
+  ## Base DN under which groups should be searched for
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
+  #  "dc=swp-ldap,dc=internal"
+  ## LDAP filter to only synchronize some groups
+  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
+  #   "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
 
 customConfigs:
   xwiki.cfg:
     xwiki.url.protocol: "https"
+    ## Indicate the LDAP field defining the user UID
+    # xwiki.authentication.ldap.UID_attr: "uid"
+    ## Indicate the LDAP field defining the user profile picture
+    # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
+    ## Enable the synchronization of the LDAP profile picture
+    # xwiki.authentication.ldap.update_photo: 1
+
   xwiki.properties:
     oidc.scope: "openid,profile,email,address,phoenix"
     oidc.endpoint.userinfo.method: "GET"

helmfile/bases/environments.yaml

@@ -5,12 +5,15 @@ environments:
   default:
     values:
       - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
   dev:
     values:
       - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
       - "../../environments/dev/values.yaml"
   prod:
     values:
       - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
       - "../../environments/prod/values.yaml"
 ...

helmfile/environments/default/certificate.gotmpl

@@ -1,9 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-certificate:
-  issuerRef:
-    name: "letsencrypt-prod"
-...

helmfile/environments/default/certificate.yaml

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+certificate:
+  issuerRef:
+    name: "letsencrypt-prod"
+...

helmfile/environments/default/cluster.yaml

@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 cluster:
   service:
@@ -23,8 +21,13 @@ cluster:
     # When ingress and egress gateway use different ips, which results that pods can't self-discover their incoming ip,
     # you need to provide the public (load-balanced) ingress gateways ip address.
     ingressGatewayIP: ""
+    # LoadBalancer status fiel - only relevant for "LoadBalancer" cluster services.
+    # The IP/DNS of your load-balancer will be fetched for some components from 'status' map of services.
+    # Most providers use '.status.loadBalancer.ingress[0].ip' to store public ip. You can modify the chosen field here.
+    loadBalancerStatusField: "ip"
 
   container:
     # Used container engine in kubernetes cluster.
     engine: "cri-o"
+
 ...

helmfile/environments/default/database.yaml

@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 databases:
   keycloak:
@@ -41,6 +39,6 @@ databases:
   xwiki:
     name: "xwiki"
     host: "mariadb"
-    username: "xwiki_user"
+    username: "root"
     password: ""
 ...

helmfile/environments/default/global.gotmpl

@@ -7,50 +7,12 @@ SPDX-License-Identifier: Apache-2.0
 #
 global:
 
-  ## Define ingress/virtualservice host.
-  #
-  hosts:
-    collabora: "collabora"
-    dimension: "integration"
-    element: "chat"
-    etherpad: "etherpad"
-    intercomService: "ics"
-    jitsi: "meet"
-    keycloak: "id"
-    meetingWidgetsBot: "meeting-widgets-bot"
-    meetingWidgets: "meeting-widgets"
-    newWorkBoardWidget: "whiteboard-widget"
-    nextcloud: "fs"
-    openproject: "project"
-    openxchange: "webmail"
-    openxchangeProvisioning: "ox-provisioning"
-    pollWidget: "poll-widget"
-    synapse: "matrix"
-    univentionCorporateServer: "portal"
-    whiteboard: "whiteboard"
-    xwiki: "wiki"
-
   ## Define host
   #
   domain: {{ env "DOMAIN" | default "souvap.cloud" }}
 
   ## Define docker registry address.
   #
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}
 
-  ## Credentials to fetch images from private registry
-  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  #
-  imagePullSecrets:
-    - "external-registry"
-
-  ## Define internal kubernetes domain, usually svc.cluster.local
-  ## Workaround for calico with postfix
-  #
-  internalDomain: "svc.cluster.local"
-
-  ## Define internal kubernetes network for postfix
-  ## Attention: Mail from this network can be sent without authentication!
-  #
-  internalNetwork: "10.0.0.0/8"
 ...

helmfile/environments/default/global.yaml

@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+## The global properties are used to configure multiple charts at once.
+#
+global:
+
+  ## Define ingress/virtualservice host.
+  #
+  hosts:
+    collabora: "collabora"
+    dimension: "integration"
+    element: "chat"
+    etherpad: "etherpad"
+    intercomService: "ics"
+    jitsi: "meet"
+    keycloak: "id"
+    meetingWidgetsBot: "meeting-widgets-bot"
+    meetingWidgets: "meeting-widgets"
+    newWorkBoardWidget: "whiteboard-widget"
+    nextcloud: "fs"
+    openproject: "project"
+    openxchange: "webmail"
+    openxchangeProvisioning: "ox-provisioning"
+    pollWidget: "poll-widget"
+    synapse: "matrix"
+    univentionCorporateServer: "portal"
+    whiteboard: "whiteboard"
+    xwiki: "wiki"
+
+
+  ## Define docker registry address.
+  #
+  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+
+  ## Credentials to fetch images from private registry
+  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  #
+  imagePullSecrets:
+    - "external-registry"
+
+...

helmfile/environments/default/images.yaml

@@ -1,24 +1,24 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 images:
   clamd:
     repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
   collabora:
-    repository: "collabora/code"
-    tag: "23.05.2.2.1"
+    # repository: "collabora/code"
+    # tag: "23.05.2.2.1"
+    repository: "souvap/tooling/images/collabora"
+    tag: "23.05.3.1.1@sha256:f1248a50e67940e3be3dfa58dc37eca73267cf73a679b459707d2520cee7720e"
   dovecot:
     repository: "dovecot/dovecot"
     digest: "sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
   element:
-    repository: "vectorim/element-web"
-    tag: "v1.11.35"
+    repository: "souvap/tooling/images/element-web@sha256"
+    tag: "16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
   freshclam:
     repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
   jibri:
     repository: "jitsi/jibri"
     tag: "stable-8615"
@@ -30,7 +30,7 @@ images:
     tag: "stable-8615"
   jitsiKeycloakAdapter:
     repository: "nordeck/jitsi-keycloak-adapter"
-    tag: "v20230425"
+    tag: "v20230816"
   jitsiPatchJVB:
     repository: "bitnami/kubectl"
     tag: "1.26.6"
@@ -38,8 +38,8 @@ images:
     repository: "jitsi/jvb"
     tag: "stable-8615"
   icap:
-    repository: "souvap/tooling/images/c-icap/c-icap-clamav"
-    tag: "1.0.4"
+    repository: "souvap/tooling/images/c-icap"
+    tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
   intercom:
     repository: "univention/intercom-service"
     tag: "1.4-kubernetes"
@@ -64,46 +64,46 @@ images:
     tag: "1.6.21-debian-11-r4"
   milter:
     repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
   nextcloud:
     repository: "nextcloud"
-    tag: "26.0.1-apache"
+    tag: "26.0.5-apache"
   openproject:
-    repository: "souvap/tooling/images/openproject/souvap"
-    tag: "dev"
+    repository: "souvap/tooling/images/openproject/souvap@sha256"
+    tag: "5da1ae8be3d7483bf0f3d9ec50c3470586528e0ff51b663e2c3a57bceb489423"
   openxchangeBootstrap:
     repository: "alpine/k8s"
     digest: "sha256:199a4457602b4e260d9781358cd2e342f63c177f4bcfa8053493be01e57beddf"
   openxchangeCoreGuidedtours:
     repository: "appsuite-public-sector/core-guidedtours"
-    tag: "8.5.0"
+    tag: "8.5.1"
   openxchangeCoreMW:
     repository: "appsuite-public-sector/middleware-public-sector"
-    tag: "8.15.43"
+    tag: "8.16.55"
   openxchangeCoreUI:
     repository: "appsuite-public-sector/core-ui"
-    tag: "8.15.2"
+    tag: "8.16.5"
   openxchangeCoreUIMiddleware:
     repository: "appsuite-public-sector/core-ui-middleware"
-    tag: "1.8.3"
+    tag: "1.8.4"
   openxchangeCoreUserGuide:
     repository: "appsuite-public-sector/core-user-guide"
-    tag: "8.15.702039"
+    tag: "8.16.727397"
   openxchangeGuardUI:
     repository: "appsuite-public-sector/guard-ui"
-    tag: "4.0.5"
+    tag: "4.0.6"
   openxchangeNextcloudIntegrationUI:
     repository: "appsuite-public-sector/nextcloud-integration-ui"
-    tag: "1.0.2"
+    tag: "1.0.3"
   openxchangePublicSectorUI:
     repository: "appsuite-public-sector/public-sector-ui"
-    tag: "1.0.3"
+    tag: "2.0.1"
   oxConnector:
     repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
     tag: "branch-jconde-listener-entrypoint-chaining"
   postfix:
     repository: "souvap/tooling/images/postfix"
-    digest: "sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
+    tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
   postgresql:
     repository: "postgres"
     tag: "15-alpine"
@@ -121,11 +121,13 @@ images:
     tag: "2.4"
   univentionCorporateServer:
     repository: "souvap/tooling/images/univention-corporate-server-swp/ucs@sha256"
-    tag: "286503f13726399284b49d4521f45fdbed81216875d78e76dcae20e0d8301f65"
+    tag: "6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
   wellKnown:
     repository: "library/nginx"
     tag: "1.23"
   xwiki:
-    repository: "xwikisas/swp/xwiki"
-    tag: "0.8-mariadb-tomcat"
+    # repository: "xwikisas/swp/xwiki"
+    # tag: "0.10-mariadb-tomcat"
+    repository: "xwikisas/swp/xwiki@sha256"
+    tag: "02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
 ...

helmfile/environments/default/ingress.gotmpl

@@ -1,12 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-ingress:
-  enabled: true
-  ingressClassName: ""
-  tls:
-    enabled: true
-    secretName: "sovereign-workplace-certificates-tls"
-...

helmfile/environments/default/ingress.yaml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+ingress:
+  enabled: true
+  ingressClassName: ""
+  tls:
+    enabled: true
+    secretName: "sovereign-workplace-certificates-tls"
+...

helmfile/environments/default/persistence.yaml

@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 persistence:
   storageClassNames:

helmfile/environments/default/replicas.gotmpl

@@ -1,33 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-replicas:
-  {{/* clamav-simple */}}
-  clamav: 1
-  {{/* clamav-distributed */}}
-  clamd: 1
-  collabora: 1
-  dovecot: 1
-  element: 2
-  {{/* clamav-distributed */}}
-  freshclam: 1
-  {{/* clamav-distributed */}}
-  icap: 1
-  jibri: 1
-  jicofo: 1
-  jitsi: 1
-  jitsiKeycloakAdapter: 1
-  jvb: 1
-  keycloak: 1
-  {{/* clamav-distributed */}}
-  milter: 1
-  nextcloud: 1
-  openproject: 1
-  postfix: 1
-  synapse: 1
-  synapseWeb: 2
-  wellKnown: 2
-  xwiki: 1
-...

helmfile/environments/default/replicas.yaml

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+replicas:
+  # clamav-simple
+  clamav: 1
+  # clamav-distributed
+  clamd: 1
+  collabora: 1
+  dovecot: 1
+  element: 1
+  # clamav-distributed
+  freshclam: 1
+  # clamav-distributed
+  icap: 1
+  jibri: 1
+  jicofo: 1
+  jitsi: 1
+  jitsiKeycloakAdapter: 1
+  jvb: 1
+  keycloak: 1
+  # clamav-distributed
+  milter: 1
+  nextcloud: 1
+  openproject: 1
+  postfix: 1
+  synapse: 1
+  synapseWeb: 1
+  wellKnown: 1
+  xwiki: 1
+...

helmfile/environments/default/resources.yaml

@@ -1,7 +1,5 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 resources:
   clamd:
@@ -35,10 +33,10 @@ resources:
   icap:
     limits:
       cpu: 2
-      memory: "4Gi"
+      memory: "128Mi"
     requests:
       cpu: 0.1
-      memory: "2Gi"
+      memory: "16Mi"
   jibri:
     limits:
       cpu: 1

helmfile/environments/default/theme/logo_header.svg

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="a" xmlns="http://www.w3.org/2000/svg" width="45.826mm" height="19.308mm" viewBox="0 0 129.90047 54.73134">
+<polygon points="110.92403 22.71425 107.01094 22.71425 103.42012 26.36172 103.42012 18.38613 100.18867 18.38613 100.18867 32.27773 103.42012 32.27773 103.42012 28.32754 107.01094 32.27773 110.92403 32.27773 106.31172 27.36367 110.92403 22.71425"/>
+<path d="m48.75874,23.35201c-.6499-.35986-1.40991-.54004-2.27979-.54004-.86011,0-1.59009.18018-2.25.56006-.65015.37012-1.14014.8999-1.49023,1.6001-.33984.70996-.52002,1.5498-.52002,2.5498,0,.93018.16016,1.77002.48022,2.52002.32983.77002.81982,1.37012,1.47998,1.82007.67993.42993,1.5.65991,2.47998.65991,1.26001,0,2.19995-.31982,2.84985-.97998.51001-.53003.90015-1.15991,1.16016-1.90991l-.8501-.47998c-.19995.78003-.56006,1.37988-1.08008,1.84009-.53979.44971-1.23975.68994-2.09985.68994-1.13989,0-2.01001-.38013-2.58008-1.13013-.54004-.69995-.82007-1.59985-.84009-2.70996h7.61011v-.5c0-.93994-.17993-1.75-.54004-2.42993-.35986-.68994-.86987-1.2002-1.53003-1.56006Zm-5.54004,3.62988c.03027-.60986.17017-1.16992.41016-1.62988.28003-.56006.66992-.95996,1.16992-1.25.47998-.28003,1.03003-.41992,1.65015-.41992,1.03003,0,1.83984.31982,2.45996.92993.55005.59009.86987,1.38013.8999,2.36987h-6.59009Z"/>
+<path d="m73.28517,19.52694c-1.06494-.34503-2.28003-.51001-3.6449-.51001h-1.83032v2.64001h1.83032c.95984,0,1.72485.07495,2.29468.22504.55518.14996,1.02026.50995,1.38025,1.09497.375.57001.55481,1.46997.55481,2.68494,0,1.23004-.17981,2.13-.53979,2.70001-.35999.58502-.82507.94501-1.37988,1.09503-.55518.13495-1.33521.20996-2.31006.20996h-1.85999v-5.36346h-3.04504v8.03351h4.90503c1.36487,0,2.57996-.16498,3.6449-.51007,1.04993-.34497,1.92004-1.00494,2.60999-1.97992.67493-.99005,1.0199-2.38501,1.0199-4.18506,0-1.78497-.34497-3.17999-1.0199-4.15491-.68994-.99005-1.56006-1.65009-2.60999-1.98004Z"/>
+<path d="m25.67378,23.4869c-.73499-.45001-1.57507-.67493-2.54993-.67493-.97522,0-1.81531.22491-2.54993.67493-.73535.43506-1.29016,1.03497-1.68018,1.78497-.375.73511-.56982,1.53003-.56982,2.40009,0,.85498.19482,1.64996.56982,2.39996.39001.73499.94482,1.33502,1.68018,1.78497.73462.435,1.57471.66003,2.54993.66003.97485,0,1.81494-.22504,2.54993-.66003.73499-.44995,1.28979-1.04999,1.66479-1.78497.39038-.75.58521-1.54498.58521-2.39996,0-.87006-.19482-1.66498-.58521-2.40009-.375-.75-.92981-1.34991-1.66479-1.78497Zm.79504,6.15002c-.28528.59998-.71997,1.09497-1.29016,1.46997-.58484.375-1.25977.57001-2.05481.57001s-1.48499-.19501-2.05518-.57001c-.56982-.375-1.00488-.87-1.28979-1.46997-.28528-.61505-.43506-1.26001-.43506-1.96497,0-.70508.14978-1.36505.43506-1.96503.28491-.61505.71997-1.09503,1.28979-1.47003.57019-.375,1.26013-.55499,2.05518-.55499s1.46997.17999,2.05481.55499c.57019.375,1.00488.85498,1.29016,1.47003.28491.59998.43506,1.25995.43506,1.96503,0,.70496-.15015,1.34991-.43506,1.96497Z"/>
+<path d="m37.94368,23.41189c-.67493-.40491-1.42493-.59991-2.26501-.59991-1.07996,0-1.97974.26996-2.72974.79492-.69031.49506-1.17004,1.15503-1.46997,1.99506v-2.60999h-1.02026v12.77991h1.02026v-6c.17981.51007.44971.94501.77966,1.33502.40503.45001.88513.81,1.47034,1.05005.56982.23993,1.22974.35999,1.94971.35999.84009,0,1.59009-.19501,2.26501-.60004.66028-.40497,1.18506-.97498,1.56006-1.69495.39001-.73505.57019-1.58997.57019-2.54999s-.18018-1.81506-.57019-2.55005c-.375-.73499-.89978-1.30499-1.56006-1.71002Zm.61487,6.45001c-.32959.60004-.76465,1.04999-1.31982,1.36505-.55518.29999-1.17004.44995-1.82996.44995-.67493,0-1.30481-.16498-1.89001-.46497-.59985-.31506-1.06494-.76501-1.43994-1.36499-.35999-.61505-.54016-1.33502-.54016-2.17499,0-.85504.18018-1.57501.54016-2.17505.375-.61493.84009-1.065,1.43994-1.36493.58521-.30005,1.21509-.45007,1.89001-.45007.65991,0,1.27478.13501,1.82996.43506.55518.28497.99023.73499,1.31982,1.3349.33032.60004.49512,1.35004.49512,2.22009,0,.86993-.16479,1.60498-.49512,2.18994Z"/>
+<path d="m60.05366,23.23189c-.47974-.28497-1.06494-.41992-1.73987-.41992-1.06494,0-1.95007.26996-2.64001.82495-.62988.50995-1.06494,1.20001-1.29016,2.05499v-2.69995h-1.0199v9.34497h1.0199v-4.21503c0-.83997.15015-1.58997.43506-2.26501.28528-.67499.70496-1.19995,1.26013-1.58997.53979-.39001,1.17004-.58502,1.89001-.58502.86975,0,1.51501.21002,1.92004.65997.41968.43506.61487,1.15503.61487,2.14502v5.85004h1.03491v-5.89502c0-.76501-.11975-1.42499-.375-1.96497-.2699-.53998-.62988-.96002-1.10999-1.24506Z"/>
+<path d="m85.85536,23.18697c-.75-.375-1.66516-.57001-2.70007-.57001-.97522,0-1.82996.19501-2.57996.5849-.75.39001-1.33521.96002-1.77026,1.71002-.42004.73499-.62988,1.60504-.62988,2.60999,0,.97504.20984,1.84509.61487,2.59509.42004.76501,1.00525,1.34991,1.7699,1.76996.76538.41998,1.68018.63,2.71509.63,1.43994,0,2.59497-.31506,3.45007-.96002.46509-.35999.84009-.77997,1.09497-1.25995l-2.36975-1.32001h-.07507c-.09009.43494-.32996.78003-.70496,1.01996-.375.23999-.84009.35999-1.41028.35999-.68994,0-1.22974-.22491-1.61975-.65997-.33032-.375-.52515-.88495-.55518-1.51501h7.125v-.79498c0-1.00494-.19482-1.85999-.59985-2.565-.40503-.70496-.99023-1.25995-1.75488-1.63495Zm-4.81531,3.43494c.03003-.33002.13513-.62994.2699-.88501.18018-.32996.43506-.57001.75-.75.33032-.16498.70532-.255,1.17041-.255.67493,0,1.21472.19501,1.60474.57001.34497.33008.52515.76501.57019,1.32001h-4.36523Z"/>
+<path d="m95.82881,26.81692l-2.20496-.55499c-.34497-.08997-.60022-.19501-.76501-.34503-.18018-.14996-.25488-.31494-.25488-.49493,0-.24005.10474-.42004.32959-.55499.22522-.12006.57019-.17999,1.00525-.17999.58484,0,1.0199.10492,1.30481.32996.28528.22504.43506.57001.43506,1.01996h2.87988c0-1.10999-.41968-1.94995-1.22974-2.53497s-1.95007-.88495-3.40503-.88495c-.88513,0-1.63513.10498-2.26501.32996-.62988.21002-1.125.52502-1.45496.92999-.32996.40503-.49512.91498-.49512,1.51501,0,.75.22485,1.33502.68994,1.74005.4801.41992,1.03491.71997,1.66516.91498l2.90991.76501c.29993.08997.51013.2099.6449.34497.13513.12.21021.28497.21021.47998,0,.28503-.1051.49506-.32996.63-.22522.13501-.60022.19501-1.125.19501-.70496,0-1.2301-.12006-1.57507-.39001-.34497-.255-.52515-.66003-.52515-1.20001h-2.86487c0,.79498.17981,1.46997.55481,2.01007.39038.53998.93018.94489,1.66516,1.22992.71997.27008,1.62012.40503,2.70007.40503.97485,0,1.78491-.10504,2.42981-.31506.66028-.2099,1.14001-.53998,1.47034-.9599.32959-.43506.49475-.96002.49475-1.57507,0-.81-.25488-1.42493-.78003-1.875-.51013-.435-1.21472-.76495-2.11487-.97498Z"/>
+</svg>

helmfile/environments/default/workplace.yaml

@@ -1,10 +1,6 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
-masterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" }}
-
 certificates:
   enabled: true
 clamavDistributed: