chore(release): 0.3.1 [skip ci]

## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14) ### Bug Fixes * **collabora:** Update Ingress annotations and set securityContext ([b5583ca](b5583caec1)) * **element:** Improve default container security settings ([882f1fb](882f1fbc93)) * **element:** Update opendesk element version to 2.0.1 ([d725b93](d725b93798)) * **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](e120f5fb9a)) * **helmfile:** Update images and use a tag and digest together ([c7fc187](c7fc187f14)) * **services:** Explicitly set securityContexts ([a799db0](a799db03c4)) * **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](e1070eeb06))
fix(helmfile): Remove default SMTP credentials and create docs for SMTP/TURN
2025-12-06 15:31:38 +01:00 · 2023-09-14 11:11:40 +00:00 · 2023-09-13 23:39:38 +02:00 · 2023-09-13 19:33:47 +02:00 · 2023-09-13 19:33:47 +02:00 · 2023-09-13 19:33:47 +02:00
55 changed files with 813 additions and 258 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,8 +7,10 @@ include:
    file:
      - "ci/common/lint.yml"
      - "ci/release-automation/semantic-release.yml"
-  - project: "souvap/devops/sovereign-workplace-env"
+  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    file: "gitlab/environments.yaml"
    rules:
      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
 stages:
  - ".pre"
@@ -20,7 +22,7 @@ stages:
  - "component-deploy-stage-2"
  - "tests"
  - "env-stop"
-  - "generate-release-artefacts"
+  - "generate-release-assets"
  - ".post"
 variables:
@@ -127,8 +129,9 @@ variables:
    options:
      - "yes"
      - "no"
-  TESTS_PROJECT_URL:
+  TESTS_BRANCH:
-    description: "URL of the E2E-test Gitlab project API with project ID."
+    description: "Branch of E2E-tests on which the test pipeline is triggered"
    value: "main"
  # please use the following set of variables with normalized names:
  DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
  ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -138,23 +141,6 @@ variables:
  dependencies: []
  extends: ".environments"
  image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
  secrets:
    SMTP_PASSWORD:
      vault:
        engine:
          name: "kv-v2"
          path: "swp"
        path: "accounts/brained/mail/relay@souvap-univention.de"
        field: "password"
      file: false
    TURN_CREDENTIALS:
      vault:
        engine:
          name: "kv-v2"
          path: "swp"
        path: "accounts/souvap-univention.de/develop/turn/secret"
        field: "credentials"
      file: false
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
    # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -406,54 +392,53 @@ run-tests:
      when: "always"
  script:
    - |
      COMPONENTS="login or portal or profile or navigation"
      if [ "${DEPLOY_ALL_COMPONENTS}" != "no" ]; then
        COMPONENTS="${COMPONENTS} or collabora or ics or jitsi or keycloak or nextcloud or openproject or ox or ucs \
          or xwiki"
      else
        [ "${DEPLOY_COLLABORA}" != "no" ] && COMPONENTS="${COMPONENTS} or collabora"
        [ "${DEPLOY_ICS}" != "no" ] && COMPONENTS="${COMPONENTS} or ics"
        [ "${DEPLOY_JITSI}" != "no" ] && COMPONENTS="${COMPONENTS} or jitsi"
        [ "${DEPLOY_KEYCLOAK}" != "no" ] && COMPONENTS="${COMPONENTS} or keycloak"
        [ "${DEPLOY_NEXTCLOUD}" != "no" ] && COMPONENTS="${COMPONENTS} or nextcloud"
        [ "${DEPLOY_OPENPROJECT}" != "no" ] && COMPONENTS="${COMPONENTS} or openproject"
        [ "${DEPLOY_OX}" != "no" ] && COMPONENTS="${COMPONENTS} or ox"
        [ "${DEPLOY_UCS}" != "no" ] && COMPONENTS="${COMPONENTS} or ucs"
        [ "${DEPLOY_XWIKI}" != "no" ] && COMPONENTS="${COMPONENTS} or xwiki"
      fi
      echo "Gathering passwords from UCS container ..."
      UCS_CONTAINER_NAME=$( \
-        kubectl -n ${NAMESPACE} get pods --no-headers \
+        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
-        --selector 'app.kubernetes.io/instance=univention-corporate-container' \
+          'app.kubernetes.io/instance=univention-corporate-container' \
-       | awk '{print $1}' \
+        | grep Running \
        | awk '{print $1}' \
      )
      echo "UCS_CONTAINER_NAME: ${UCS_CONTAINER_NAME}"
      DEFAULT_USER_PASSWORD=$( \
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
        | awk '{print $2}' \
      )
-      DEFAULT_ADMIN_PASSWORD=$( \
+      DEFAULT_ADMIN_PASSWORD=$(
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
        | awk '{print $2}' \
      )
-      echo "triggering test pipeline ..."
+      curl --request POST \
-      curl -X POST \
+      --header "Content-Type: application/json" \
-        -F "ref=main" \
+      --data "{ \
-        -F "token=${CI_JOB_TOKEN}" \
+        \"ref\": \"${TESTS_BRANCH}\", \
-        -F "variables[url]=https://portal.${DOMAIN}" \
+        \"token\": \"${CI_JOB_TOKEN}\", \
-        -F "variables[user_name]=${DEFAULT_USER_NAME}" \
+        \"variables\": { \
-        -F "variables[user_password]=${DEFAULT_USER_PASSWORD}" \
+          \"url\": \"https://portal.${DOMAIN}\", \
-        -F "variables[admin_name]=${DEFAULT_ADMIN_NAME}" \
+          \"user_name\": \"${DEFAULT_USER_NAME}\", \
-        -F "variables[admin_password]=${DEFAULT_ADMIN_PASSWORD}" \
+          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
-        -F "variables[components]=\"${COMPONENTS}\"" \
+          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
-        https://${TESTS_PROJECT_URL}/trigger/pipeline
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
          \"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
        } \
      }" \
      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
-generate-release-artefacts:
+generate-release-assets:
-  stage: "generate-release-artefacts"
+  stage: "generate-release-assets"
  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
@@ -461,47 +446,57 @@ generate-release-artefacts:
    - when: "never"
  script:
    - |
-      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/souvap/devops/generate-deployment-artefacts
+      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
-      cd generate-deployment-artefacts
+      cd opendesk-asset-generator
      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
-      ./artefact_generator.py
+      ./opendesk_asset_generator.py
      mv ./build_artefacts ${CI_PROJECT_DIR}
      cd ..
-      rm -rf generate-deployment-artefacts
+      rm -rf opendesk-asset-generator
      ls -l ./build_artefacts
  artifacts:
    paths:
      - "./build_artefacts/chart-index.json"
      - "./build_artefacts/image-index.json"
-  tags:
+  tags: []
-    - "docker"
+  variables:
    ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
 # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
  cache: {}
 # Overwrite shared settings
 .common-semantic-release:
  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
-  rules:
+  tags: []
    - if: "$CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
      when: "never"
    - when: "always"
 common-yaml-linter:
  rules:
-    - if: "$CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
      when: "never"
    - when: "always"
 reuse-linter:
  allow_failure: false
  rules:
-    - if: "$CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
+    - if: "$JOB_REUSE_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
      when: "never"
    - when: "always"
 generate-release-version:
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false'"
      when: "always"
 release:
  dependencies:
    - "generate-release-assets"
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "always"
    - when: "never"
  script:
    - |
      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,111 @@
 ## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)
 ### Bug Fixes
 * **collabora:** Update Ingress annotations and set securityContext ([b5583ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b5583caec10c24e3bfb312edcb2800e6a60a9b10))
 * **element:** Improve default container security settings ([882f1fb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/882f1fbc93ceb4ac33683d445e100e445798b202))
 * **element:** Update opendesk element version to 2.0.1 ([d725b93](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d725b937989987ffacf87d7a9ee05803dcdd4c93))
 * **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e120f5fb9a91b80ba71ce78eace99852b4da5fda))
 * **helmfile:** Update images and use a tag and digest together ([c7fc187](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c7fc187f14b78cdcc698abbbaec1ba0bbfc718a1))
 * **services:** Explicitly set securityContexts ([a799db0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a799db03c4115ba69303be1c265f7aefef95d659))
 * **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e1070eeb0602523c240a91dae1b0869a7cc42a78))
 # [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)
 ### Features
 * **ci:** Selective tests ([d2e7ac9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d2e7ac93481249e9eb7e5e1a41a6c6e333abe2dc))
 ## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
 ### Bug Fixes
 * **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
 * **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
 * **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
 * **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ed7e5e428e5d9213a92f97dc03d72fa3e04334c2))
 * **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
 * **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
 * **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
 * **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
 * **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
 ## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
 ### Bug Fixes
 * **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
 * **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
 * **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
 * **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
 * **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
 * **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
 * **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
 * **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
 ## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
 ### Bug Fixes
 * **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e5ef639c22aad93fd2d0eb75f7a1ffc00d6cc9a))
 * **docs:** Add security part in README ([ff462ab](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ff462ab0dc2252cc7b517874f5337427b8d19053))
 * **docs:** Update scaling docs ([63a1e25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/63a1e2568e8c5ff62081c6e6594d2019c1aa4b74))
 * **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c5ab1b81fecbce46788c50b282ed6d1770124fa5))
 * **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4f2a8aeee4ee6c3d27b1c8a99bad14f603486be5))
 * **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e68f7f28c937319d93f8afe1dbb302012f77233))
 * **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cef11acbae28510809f9bfa13224dc3a6996207f))
 * **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41d40c9b731b866da2666fa4ffa8cb6493737112))
 * **services:** Enable security context and use default increased security settings ([9a6d240](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9a6d2409a697f7e9811a0f4f8d31bb18bac1b926))
 * **services:** Fix image registry templates for postfix ([6321ff5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6321ff50a00203abbfb7f5822e67a3c0e00d4b01))
 * **services:** Replace image digest by tag ([f758293](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f7582932412f13b1a087d40459e97cf633b1a97e))
 * **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5fbf86b6bc7b63c81b3ac07c5e0fa8cd464fdad1))
 * **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9d7866480cee889fd3b3003b2eea313a6ed73344))
 ## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)
 ### Bug Fixes
 * **open-xchange:** Update images and Helm chart ([39565c7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/39565c7cfd89a8d1c2e645e3ecea28fba703ccc1))
 ## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)
 ### Bug Fixes
 * **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/387bd8715c5a1cf54733c6642cf57c6ef9a44316))
 ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
 ### Bug Fixes
 * **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
 * **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
 * **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
 ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
 ### Bug Fixes
 * **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
 * **ci:** Include deployment environments ([0f59736](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f59736c5dcff905400ae2e1bbf7ae496ffb9b2c))
 * **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
 ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
 ### Bug Fixes
 * **ci:** Change path of asset_generator ([6ab4fa0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6ab4fa078b0bb3939c54f46d6475770fa9901936))
 * **ci:** Release artefacts ([2a61b5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2a61b5f2a66bf1dc1ad06f7111ef7ecaf9247b39))
 ## [0.2.5](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/compare/v0.2.4...v0.2.5) (2023-08-30)
--- a/README.md
+++ b/README.md
@@ -45,6 +45,15 @@ repository please use the [issues within this project](https://gitlab.opencode.d
 If you want to address other topics, please check the section
 ["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 # Releases
 All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
 Gitlab provides an [overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases) of this project.
 The following release artefacts are provided beside the default source code assets:
 - `chart-index.json`: An overview of all Helm charts used by the release.
 - `image-index.json`: An overview of all container images used by the release.
 # Deployment
 **Note for project members:** You can use the project's `dev` K8s cluster to set
@@ -82,8 +91,6 @@ installation.
 | `DOMAIN`            | `souvap.cloud`        | External reachable domain                         |
 | `ISTIO_DOMAIN`      | `istio.souvap.cloud`  | External reachable domain for Istio Gateway       |
 | `MASTER_PASSWORD`   | `sovereign-workplace` | The password that seeds the autogenerated secrets |
 | `SMTP_PASSWORD`     |                       | Password for SMTP relay gateway                   |
 | `TURN_CREDENTIALS`  |                       | Credentials for coturn server                     |
 Please ensure that you set the DNS records pointing to the loadbalancer/IP for
 `DOMAIN` and `ISTIO_DOMAIN`.
@@ -271,30 +278,90 @@ the application to your own database instances.
 ### Scaling
 The Replicas of components can be increased, while we still have to look in the
-actual scalability of the components (see column `Scales at least to 2`).
+actual scalability of the components (see column `Scaling (verified)`).
-| Component   | Name                   | Default | Service            | Scaling            | Scales at least to 2 |
+| Component   | Name                   | Scaling (effective) | Scaling (verified) |
-|-------------|------------------------|---------|--------------------|--------------------|----------------------|
+|-------------|------------------------|:-------------------:|:------------------:|
-| ClamAV      | `replicas.clamav`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| ClamAV      | `replicas.clamav`      | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.clamd`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.clamd`       | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.freshclam`   | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.freshclam`   |         :x:         |        :x:         |
-|             | `replicas.icap`        | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
-| Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
-| Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
-| Element     | `replicas.element`     | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+| Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.synapse`     | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.synapse`     |         :x:         |       :gear:       |
-|             | `replicas.synapseWeb`  | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.synapseWeb`  | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.wellKnown`   | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.wellKnown`   | :white_check_mark:  | :white_check_mark: |
-| Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Jitsi       | `replicas.jibri`       | :white_check_mark:  |       :gear:       |
-|             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.jicofo`      | :white_check_mark:  |       :gear:       |
-|             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.jitsi `      | :white_check_mark:  |       :gear:       |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | :x:                  |
+|             | `replicas.jvb `        |         :x:         |        :x:         |
-| Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Keycloak    | `replicas.keycloak`    | :white_check_mark:  |       :gear:       |
-| Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Nextcloud   | `replicas.nextcloud`   | :white_check_mark:  |       :gear:       |
-| OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| OpenProject | `replicas.openproject` | :white_check_mark:  |       :gear:       |
-| Postfix     | `replicas.postfix`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Postfix     | `replicas.postfix`     |         :x:         |       :gear:       |
-| XWiki       | `replicas.xwiki`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| XWiki       | `replicas.xwiki`       | :white_check_mark:  |       :gear:       |
 ### Mail/SMTP configuration
 To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from 
 the whole subdomain.
 ```yaml
 smtp:
  host:     # your SMTP host or IP-address
  username: # username/email for authentication
  password: # password for authentication, or via environment variable SMTP_PASSWORD
 ```
 ### TURN configuration
 Some components (Jitsi, Element) use for direct communication a TURN server.
 You can configure your own TURN server with these options:
 ```yaml
 turn:
  transport:   # "udp" or "tcp"
  credentials: # turn credential string
  server:      # configuration for unsecure connections
    host:      # your TURN host or IP-address
    port:      # server port
  tls:         # configuration for secure connections
    host:      # your TURN host or IP-address
    port:      # server port
 ```
 ## Security
 This list gives you an overview of default security settings and if they comply with security standards:
 | Component  | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
 |------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
 | ClamAV     | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |            | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |            | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |            | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 | Collabora  | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
 | Element    | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
 |            | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  | 
 |            | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
 |            | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
 | Jitsi      | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |            | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |            | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
 |            | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |            | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |            | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 | Keycloak   | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
 |            | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 |            | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |            | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 | MariaDB    | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 | Postfix    | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
 | PostgreSQL | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 # Component integration
@@ -425,17 +492,14 @@ components we are going to cover various aspects:
 ## Tests
-There is a frontend end-to-end test suite that can get triggered if the
+The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
-deployment is performed via a Gitlab pipeline.
+The `DEPLOY_`-variables are used to determine which components should be tested.
 In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
-Currently, the test suite is in progress to be published, so right now it is
+If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
-only usable by project members. But that will change soon, and it could be used
+`TESTS_BRANCH` while creating a new pipeline.
 to create custom tests and perform them after deployment.
 The deployment pipeline provides a variable named `TESTS_PROJECT_URL` that
 points to the test pipeline residing in another Gitlab repository. At the end of
 the deployment the test pipeline is triggered. Tests are just performed for
 components that have been deployed prior.
 # Footnotes
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -32,12 +32,15 @@ environments:
  default:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
  dev:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
      - "helmfile/environments/dev/values.yaml"
  prod:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
      - "helmfile/environments/prod/values.yaml"
 ...
--- a/helmfile/apps/collabora/values.gotmpl
+++ b/helmfile/apps/collabora/values.gotmpl
@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
  tag: "{{ .Values.images.collabora.tag }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
@@ -32,14 +33,9 @@ collabora:
  aliasgroups:
    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 {{- if not (eq .Values.cluster.container.engine "containerd") }}
 # In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate:
 # Ref.: https://github.com/CollaboraOnline/online/issues/2800
 securityContext:
  capabilities:
    add:
      - "MKNOD"
 {{- end }}
 replicaCount: {{ .Values.replicas.collabora }}
 resources:
  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/collabora/values.yaml
+++ b/helmfile/apps/collabora/values.yaml
@@ -14,19 +14,74 @@ collabora:
 ingress:
  annotations:
-    # nginx
+    # Ingress NGINX
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/server-snippet: |
      # block admin and metrics endpoint from outside by default
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
    # NGINX
    nginx.org/websocket-services: "collabora"
    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
    nginx.org/proxy-read-timeout: "600"
    nginx.org/proxy-send-timeout: "600"
    nginx.org/client-max-body-size: "0"
    nginx.org/server-snippets: |
      # block admin and metrics endpoint from outside by default
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
    # HAProxy
    haproxy.org/timeout-tunnel: "3600s"
    haproxy.org/backend-config-snippet: |
-     mode http
+       balance url_param WOPISrc check_post
-      balance leastconn
+       hash-type consistent
-      stick-table type string len 2048 size 1k store conn_cur
+    # HAProxy - Community: https://haproxy-ingress.github.io/
-      http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
+    haproxy-ingress.github.io/timeout-tunnel: "3600s"
-      http-request track-sc1 url_param(WOPISrc)
+    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
-      stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
+    haproxy-ingress.github.io/config-backend: |
-      stick store-request url_param(WOPISrc)
+      hash-type consistent
-
+      # block admin urls from outside
      acl admin_url path_beg /cool/getMetrics
      acl admin_url path_beg /cool/adminws/
      acl admin_url path_beg /browser/dist/admin/admin.html
      http-request deny if admin_url
 autoscaling:
  enabled: false
 serviceAccount:
  create: true
 securityContext:
  allowPrivilegeEscalation: true
  privileged: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 100
  runAsGroup: 101
  seccompProfile:
    type: "RuntimeDefault"
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
      - "MKNOD"
 podSecurityContext:
  fsGroup: 100
 ...
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -2,38 +2,41 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-element-repo"
+  - name: "opendesk-element-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
 releases:
-  - name: "sovereign-workplace-element"
+  - name: "opendesk-element"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-element"
+    chart: "opendesk-element-repo/opendesk-element"
-    version: "1.3.0"
+    version: "2.0.1"
    values:
      - "values-element.yaml"
      - "values-element.gotmpl"
    condition: "element.enabled"
-  - name: "sovereign-workplace-well-known"
+  - name: "opendesk-well-known"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-well-known"
+    chart: "opendesk-element-repo/opendesk-well-known"
-    version: "1.3.0"
+    version: "2.0.1"
    values:
      - "values-well-known.yaml"
      - "values-well-known.gotmpl"
    condition: "element.enabled"
-  - name: "sovereign-workplace-synapse-web"
+  - name: "opendesk-synapse-web"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse-web"
+    chart: "opendesk-element-repo/opendesk-synapse-web"
-    version: "1.3.0"
+    version: "2.0.1"
    values:
      - "values-synapse-web.yaml"
      - "values-synapse-web.gotmpl"
    condition: "element.enabled"
-  - name: "sovereign-workplace-synapse"
+  - name: "opendesk-synapse"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse"
+    chart: "opendesk-element-repo/opendesk-synapse"
-    version: "1.3.0"
+    version: "2.0.1"
    values:
      - "values-synapse.yaml"
      - "values-synapse.gotmpl"
    condition: "element.enabled"
--- a/helmfile/apps/element/values-element.gotmpl
+++ b/helmfile/apps/element/values-element.gotmpl
@@ -16,6 +16,7 @@ configuration:
    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.element.repository }}"
  tag: "{{ .Values.images.element.tag }}"
--- a/helmfile/apps/element/values-element.yaml
+++ b/helmfile/apps/element/values-element.yaml
@@ -0,0 +1,21 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-synapse-web.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.synapseWeb.repository }}"
  tag: "{{ .Values.images.synapseWeb.tag }}"
--- a/helmfile/apps/element/values-synapse-web.yaml
+++ b/helmfile/apps/element/values-synapse-web.yaml
@@ -0,0 +1,21 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-synapse.gotmpl
+++ b/helmfile/apps/element/values-synapse.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.synapse.repository }}"
  tag: "{{ .Values.images.synapse.tag }}"
--- a/helmfile/apps/element/values-synapse.yaml
+++ b/helmfile/apps/element/values-synapse.yaml
@@ -0,0 +1,20 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10991
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 10991
 ...
--- a/helmfile/apps/element/values-well-known.gotmpl
+++ b/helmfile/apps/element/values-well-known.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.wellKnown.repository }}"
  tag: "{{ .Values.images.wellKnown.tag }}"
--- a/helmfile/apps/element/values-well-known.yaml
+++ b/helmfile/apps/element/values-well-known.yaml
@@ -4,4 +4,22 @@
 configuration:
  e2ee:
    forceDisable: true
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/intercom-service/values.gotmpl
+++ b/helmfile/apps/intercom-service/values.gotmpl
@@ -29,6 +29,7 @@ ics:
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.intercom.repository }}"
  tag: "{{ .Values.images.intercom.tag }}"
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -10,7 +10,7 @@ repositories:
 releases:
  - name: "jitsi"
    chart: "jitsi-repo/sovereign-workplace-jitsi"
-    version: "1.3.0"
+    version: "1.5.1"
    values:
      - "values-jitsi.gotmpl"
    condition: "jitsi.enabled"
--- a/helmfile/apps/jitsi/values-jitsi.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
  tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
@@ -118,6 +119,7 @@ patchJVB:
    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
  image:
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
    tag: "{{ .Values.images.jitsiPatchJVB.tag }}"
--- a/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
+++ b/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
@@ -19,6 +19,7 @@ image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.keycloakBootstrap.repository }}"
  tag: "{{ .Values.images.keycloakBootstrap.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 resources:
  {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
--- a/helmfile/apps/keycloak/values-extensions.gotmpl
+++ b/helmfile/apps/keycloak/values-extensions.gotmpl
@@ -18,12 +18,8 @@ handler:
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
 {{- if .Values.images.keycloakExtensionHandler.digest }}
    sha256: "{{ .Values.images.keycloakExtensionHandler.digest}}"
 {{- else if .Values.images.keycloakExtensionHandler.tag }}
    tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
-{{- end }}
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
    imagePullPolicy: "Always"
  appConfig:
    smtpPassword: "{{ .Values.smtp.password }}"
    smtpHost: "{{ .Values.smtp.host }}"
@@ -35,18 +31,11 @@ proxy:
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
 {{- if .Values.images.keycloakExtensionProxy.digest }}
    sha256: "{{ .Values.images.keycloakExtensionProxy.digest}}"
 {{- else if .Values.images.keycloakExtensionProxy.tag }}
    tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
-{{- end }}
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
    imagePullPolicy: "Always"
  ingress:
    enabled: "{{ .Values.ingress.enabled }}"
    ingressClassName: "{{ .Values.ingress.ingressClassName }}"
    annotations:
      nginx.org/proxy-buffer-size: "8k"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    tls:
      enabled: "{{ .Values.ingress.tls.enabled }}"
--- a/helmfile/apps/keycloak/values-extensions.yaml
+++ b/helmfile/apps/keycloak/values-extensions.yaml
@@ -11,11 +11,35 @@ global:
 handler:
  appConfig:
    captchaProtectionEnable: "False"
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
 postgresql:
  enabled: false
 proxy:
-  image:
+  ingress:
-    tag: "latest"
+    annotations:
      nginx.org/proxy-buffer-size: "8k"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
 ...
--- a/helmfile/apps/keycloak/values-keycloak.gotmpl
+++ b/helmfile/apps/keycloak/values-keycloak.gotmpl
@@ -13,7 +13,7 @@ image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.keycloak.repository }}"
  tag: "{{ .Values.images.keycloak.tag }}"
-  digest: "{{ .Values.images.keycloak.digest }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 externalDatabase:
  host: "{{ .Values.databases.keycloak.host }}"
@@ -81,6 +81,8 @@ keycloakConfigCli:
      value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
    - name: "LDAPSEARCH_USERNAME"
      value: "ldapsearch_keycloak"
  resources:
    {{ .Values.resources.keycloak | toYaml | nindent 4 }}
 resources:
  {{ .Values.resources.keycloak | toYaml | nindent 2 }}
--- a/helmfile/apps/keycloak/values-keycloak.yaml
+++ b/helmfile/apps/keycloak/values-keycloak.yaml
@@ -54,5 +54,32 @@ keycloakConfigCli:
    - "--import.var-substitution.enabled=true"
  cache:
    enabled: false
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
 podSecurityContext:
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -2,19 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap-repo"
+  - name: "opendesk-nextcloud-bootstrap-repo"
    oci: true
    # yamllint disable rule:line-length
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         default "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable" }}
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
    # yamllint enable rule:line-length
  - name: "nextcloud-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://nextcloud.github.io/helm/" }}
 releases:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
+  - name: "opendesk-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap-repo/sovereign-workplace-nextcloud-bootstrap"
+    chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
-    version: "2.3.0"
+    version: "3.0.0"
    wait: true
    waitForJobs: true
    values:
@@ -27,7 +30,7 @@ releases:
    chart: "nextcloud-repo/nextcloud"
    version: "3.5.19"
    needs:
-      - "sovereign-workplace-nextcloud-bootstrap"
+      - "opendesk-nextcloud-bootstrap"
    values:
      - "values-nextcloud.gotmpl"
      - "values-nextcloud.yaml"
--- a/helmfile/apps/nextcloud/values-bootstrap.gotmpl
+++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
@@ -18,7 +18,7 @@ config:
  antivirus:
    {{- if .Values.clamavDistributed.enabled }}
-    host: "clamav-sovereign-workplace-icap"
+    host: "clamav-icap"
    {{- else if .Values.clamavSimple.enabled }}
    host: "clamav-simple"
    {{- end }}
@@ -44,6 +44,7 @@ config:
    password: "{{ .Values.smtp.password }}"
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.nextcloud.repository }}"
  tag: "{{ .Values.images.nextcloud.tag }}"
--- a/helmfile/apps/nextcloud/values-nextcloud.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.gotmpl
@@ -25,7 +25,7 @@ ingress:
        - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.nextcloud.tag }}"
  pullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml
@@ -21,6 +21,11 @@ cronjob:
        sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
        \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
 ingress:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
    nginx.org/client-max-body-size: "4G"
 internalDatabase:
  enabled: false
 postgresql:
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -26,7 +26,7 @@ releases:
    condition: "dovecot.enabled"
  - name: "open-xchange"
    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
-    version: "1.2.13"
+    version: "2.0.3"
    values:
      - "values-openxchange.yaml"
      - "values-openxchange.gotmpl"
--- a/helmfile/apps/open-xchange/values-dovecot.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.gotmpl
@@ -6,7 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  url: "{{ .Values.images.dovecot.repository }}"
-  digest: "{{ .Values.images.dovecot.digest }}"
+  tag: "{{ .Values.images.dovecot.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
@@ -6,7 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
-  digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
+  tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/open-xchange/values-openxchange.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.gotmpl
@@ -34,6 +34,7 @@ public-sector-ui:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
  {{- end }}
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 appsuite:
  istio:
@@ -96,6 +97,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreMW.repository }}
      tag: {{ .Values.images.openxchangeCoreMW.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
    update:
      image:
        repository: {{ .Values.images.openxchangeCoreMW.repository }}
@@ -113,6 +115,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreUI.repository }}
      tag: {{ .Values.images.openxchangeCoreUI.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  core-ui-middleware:
    ingress:
@@ -126,6 +129,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  core-guidedtours:
    imagePullSecrets:
@@ -135,6 +139,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  guard-ui:
    imagePullSecrets:
@@ -144,11 +149,13 @@ appsuite:
    image:
      repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
      tag: {{ .Values.images.openxchangeGuardUI.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  core-user-guide:
    image:
      repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
      tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml
@@ -55,13 +55,17 @@ appsuite:
      com.openexchange.mail.filter.server: "dovecot"
      com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
      # Capabilities
      # Old capability can be used to toggle all integrations with a single switch
      com.openexchange.capability.public-sector: "true"
      # New capabilities in 2.0
      com.openexchange.capability.public-sector-element: "false"
      com.openexchange.capability.public-sector-navigation: "true"
      com.openexchange.capability.client-onboarding: "true"
      com.openexchange.capability.dynamic-theme: "true"
      com.openexchange.capability.filestorage_nextcloud: "true"
      com.openexchange.capability.filestorage_nextcloud_oauth: "true"
      com.openexchange.capability.guard: "true"
      com.openexchange.capability.guard-mail: "true"
      com.openexchange.capability.public-sector: "true"
      com.openexchange.capability.smime: "true"
      com.openexchange.capability.share_links: "false"
      com.openexchange.capability.invite_guests: "false"
@@ -95,6 +99,11 @@ appsuite:
        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
    uiSettings:
      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
      io.ox/core//features/enterprisePicker/showLauncher: "false"
      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
      # Text and icon color in the topbar
      io.ox/dynamic-theme//topbarColor: "#000"
      io.ox/dynamic-theme//logoWidth: "82"
      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
      # Resources
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -10,7 +10,7 @@ global:
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.openproject.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.openproject.tag }}"
 memcached:
--- a/helmfile/apps/provisioning/values-oxconnector.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.gotmpl
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.oxConnector.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.oxConnector.tag }}"
 imagePullSecrets:
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -7,13 +7,15 @@ repositories:
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
  - name: "postgresql-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
  - name: "mariadb-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
  - name: "postfix-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -23,13 +25,14 @@ repositories:
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
  - name: "clamav-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
  - name: "bitnami-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "registry-1.docker.io/bitnamicharts" }}
 releases:
@@ -41,48 +44,51 @@ releases:
    condition: "certificates.enabled"
  - name: "redis"
    chart: "bitnami-repo/redis"
-    version: "17.9.3"
+    version: "18.0.4"
    values:
      - "values-redis.gotmpl"
      - "values-redis.yaml"
    condition: "redis.enabled"
  - name: "postgresql"
    chart: "postgresql-repo/postgresql"
-    version: "2.0.0"
+    version: "2.0.2"
    values:
      - "values-postgresql.yaml"
      - "values-postgresql.gotmpl"
    condition: "postgresql.enabled"
  - name: "mariadb"
    chart: "mariadb-repo/mariadb"
-    version: "2.0.0"
+    version: "2.1.0"
    values:
      - "values-mariadb.yaml"
      - "values-mariadb.gotmpl"
    condition: "mariadb.enabled"
  - name: "postfix"
    chart: "postfix-repo/postfix"
-    version: "1.13.0"
+    version: "2.0.3"
    values:
      - "values-postfix.yaml"
      - "values-postfix.gotmpl"
    condition: "postfix.enabled"
  - name: "clamav"
-    chart: "clamav-repo/sovereign-workplace-clamav"
+    chart: "clamav-repo/opendesk-clamav"
-    version: "2.1.0"
+    version: "4.0.0"
    values:
      - "values-clamav-distributed.yaml"
      - "values-clamav-distributed.gotmpl"
    condition: "clamavDistributed.enabled"
  - name: "clamav-simple"
    chart: "clamav-repo/clamav-simple"
-    version: "2.1.0"
+    version: "4.0.0"
    values:
      - "values-clamav-simple.yaml"
      - "values-clamav-simple.gotmpl"
    condition: "clamavSimple.enabled"
  - name: "sovereign-workplace-gateway"
    chart: "istio-resources-repo/istio-gateway"
    version: "1.1.2"
    values:
      - "values-istio-gateway.yaml"
      - "values-istio-gateway.gotmpl"
    condition: "istio.enabled"
--- a/helmfile/apps/services/values-clamav-distributed.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.gotmpl
@@ -5,25 +5,23 @@ SPDX-License-Identifier: Apache-2.0
 ---
 clamd:
  podSecurityContext:
    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
    enabled: false
  replicaCount: {{ .Values.replicas.clamd }}
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.clamd.repository }}"
    tag: "{{ .Values.images.clamd.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.clamd | toYaml | nindent 4 }}
 freshclam:
  podSecurityContext:
    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
    enabled: false
  replicaCount: {{ .Values.replicas.freshclam }}
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.freshclam.repository }}"
    tag: "{{ .Values.images.freshclam.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.freshclam | toYaml | nindent 4 }}
@@ -37,18 +35,18 @@ icap:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.icap.repository }}"
    tag: "{{ .Values.images.icap.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.icap | toYaml | nindent 4 }}
 milter:
  podSecurityContext:
    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
    enabled: false
  replicaCount: {{ .Values.replicas.milter }}
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.milter.repository }}"
    tag: "{{ .Values.images.milter.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.milter | toYaml | nindent 4 }}
--- a/helmfile/apps/services/values-clamav-distributed.yaml
+++ b/helmfile/apps/services/values-clamav-distributed.yaml
@@ -0,0 +1,80 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  enabled: true
  readOnlyRootFilesystem: true
 clamd:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 100
    runAsGroup: 101
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    enabled: true
    fsGroup: 101
    fsGroupChangePolicy: "Always"
 freshclam:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 100
    runAsGroup: 101
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    enabled: true
    fsGroup: 101
    fsGroupChangePolicy: "Always"
 icap:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 100
    runAsGroup: 101
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    enabled: true
    fsGroup: 101
    fsGroupChangePolicy: "Always"
 milter:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 100
    runAsGroup: 101
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    enabled: true
    fsGroup: 101
    fsGroupChangePolicy: "Always"
 ...
--- a/helmfile/apps/services/values-clamav-simple.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.gotmpl
@@ -3,11 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 podSecurityContext:
  {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
  enabled: false
 replicaCount: {{ .Values.replicas.clamav }}
 image:
@@ -15,10 +10,12 @@ image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.clamd.repository }}"
    tag: "{{ .Values.images.clamd.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  icap:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.icap.repository }}"
    tag: "{{ .Values.images.icap.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 resources:
  {{ .Values.resources.clamd | toYaml | nindent 4 }}
--- a/helmfile/apps/services/values-clamav-simple.yaml
+++ b/helmfile/apps/services/values-clamav-simple.yaml
@@ -0,0 +1,19 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  runAsUser: 100
  runAsGroup: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
  fsGroupChangePolicy: "Always"
 ...
--- a/helmfile/apps/services/values-istio-gateway.yaml
+++ b/helmfile/apps/services/values-istio-gateway.yaml
@@ -0,0 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 tls:
  httpsRedirect: false
 ...
--- a/helmfile/apps/services/values-mariadb.gotmpl
+++ b/helmfile/apps/services/values-mariadb.gotmpl
@@ -11,6 +11,7 @@ global:
 image:
  repository: "{{ .Values.images.mariadb.repository }}"
  tag: "{{ .Values.images.mariadb.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 # Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
 # Please refer to `databases.yaml` for details.
--- a/helmfile/apps/services/values-mariadb.yaml
+++ b/helmfile/apps/services/values-mariadb.yaml
@@ -1,6 +1,25 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1001
  runAsGroup: 1001
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 job:
  enabled: true
 podSecurityContext:
  enabled: true
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile/apps/services/values-postfix.gotmpl
+++ b/helmfile/apps/services/values-postfix.gotmpl
@@ -3,14 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
+global:
-  url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
+  registry: {{ .Values.global.imageRegistry }}
-  digest: "{{ .Values.images.postfix.digest }}"
+  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-imagePullSecrets:
+image:
-{{- range .Values.global.imagePullSecrets }}
+  registry: {{ .Values.global.imageRegistry }}
-  - name: {{ . }}
+  repository: "{{ .Values.images.postfix.repository }}"
-{{- end }}
+  tag: "{{ .Values.images.postfix.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 certificate:
  secretName: "{{ .Values.ingress.tls.secretName }}"
--- a/helmfile/apps/services/values-postfix.yaml
+++ b/helmfile/apps/services/values-postfix.yaml
@@ -5,6 +5,19 @@ certificate:
  request:
    enabled: false
 containerSecurityContext:
  allowPrivilegeEscalation: true
  capabilities: {}
  enabled: true
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: false
 podSecurityContext:
  enabled: true
  fsGroup: 101
 postfix:
  hostname: "postfix"
  inetProtocols: "ipv4"
--- a/helmfile/apps/services/values-postgresql.gotmpl
+++ b/helmfile/apps/services/values-postgresql.gotmpl
@@ -11,6 +11,7 @@ global:
 image:
  repository: "{{ .Values.images.postgresql.repository }}"
  tag: "{{ .Values.images.postgresql.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 job:
  users:
--- a/helmfile/apps/services/values-postgresql.yaml
+++ b/helmfile/apps/services/values-postgresql.yaml
@@ -1,11 +1,29 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-enabled: true
+containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  runAsUser: 1001
  runAsGroup: 1001
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 job:
  image:
    digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
 podSecurityContext:
  enabled: true
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
 postgres:
  user: "postgres"
 ...
--- a/helmfile/apps/services/values-redis.gotmpl
+++ b/helmfile/apps/services/values-redis.gotmpl
@@ -16,6 +16,7 @@ image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.redis.repository }}"
  tag: "{{ .Values.images.redis.tag }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 master:
  persistence:
--- a/helmfile/apps/services/values-redis.yaml
+++ b/helmfile/apps/services/values-redis.yaml
@@ -8,4 +8,8 @@ sentinel:
 metrics:
  enabled: false
 master:
  containerSecurityContext:
    readOnlyRootFilesystem: true
 ...
--- a/helmfile/apps/univention-corporate-container/values.gotmpl
+++ b/helmfile/apps/univention-corporate-container/values.gotmpl
@@ -13,7 +13,7 @@ global:
 image:
  registry: "{{ .Values.global.imageRegistry }}"
-  imagePullPolicy: "Always"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  repository: "{{ .Values.images.univentionCorporateServer.repository }}"
  tag: "{{ .Values.images.univentionCorporateServer.tag }}"
--- a/helmfile/apps/xwiki/values.gotmpl
+++ b/helmfile/apps/xwiki/values.gotmpl
@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  name: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}"
  tag: "{{ .Values.images.xwiki.tag }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 externalDB:
  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -39,4 +39,8 @@ global:
  imagePullSecrets:
    - "external-registry"
  ## Define the policy to pull container images.
  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
  #
  imagePullPolicy: "IfNotPresent"
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -4,128 +4,125 @@
 images:
  clamd:
    repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
  collabora:
-    repository: "collabora/code"
+    repository: "souvap/tooling/images/collabora"
-    tag: "23.05.2.2.1"
+    tag: "23.05.3.1.1@sha256:f1248a50e67940e3be3dfa58dc37eca73267cf73a679b459707d2520cee7720e"
  dovecot:
    repository: "dovecot/dovecot"
-    digest: "sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
+    tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
  element:
-    repository: "souvap/tooling/images/element-web@sha256"
+    repository: "souvap/tooling/images/element-web"
-    tag: "16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
+    tag: "latest@sha256:16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
  freshclam:
    repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
  jibri:
    repository: "jitsi/jibri"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
  jicofo:
    repository: "jitsi/jicofo"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:820fcd4b072b29f42c1c37389fbefda1065f1e9654694941485dc08123c8a93b"
  jitsi:
    repository: "jitsi/web"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:24bd4179998fe01ace1be74e53fea5308f4d91722953bb4334611e6886753f46"
  jitsiKeycloakAdapter:
    repository: "nordeck/jitsi-keycloak-adapter"
-    tag: "v20230425"
+    tag: "v20230906@sha256:54d45ee1a1205f98641810ffb171bd92e6478e2957a349ee4ff599359239fbf2"
  jitsiPatchJVB:
    repository: "bitnami/kubectl"
-    tag: "1.26.6"
+    tag: "1.26.8@sha256:c6902a1fdce0a24c9f93ac8d1f317039b206a4b307d8fc76cab4a92911345757"
  jvb:
    repository: "jitsi/jvb"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
  icap:
-    repository: "souvap/tooling/images/c-icap/c-icap-clamav"
+    repository: "souvap/tooling/images/c-icap"
-    tag: "1.0.4"
+    tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
  intercom:
    repository: "univention/intercom-service"
-    tag: "1.4-kubernetes"
+    tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
  keycloak:
    repository: "bitnami/keycloak"
-    tag: "19.0.3-debian-11-r15"
+    tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
    digest: ""
  keycloakBootstrap:
    repository: "souvap/tooling/images/ansible"
-    tag: "4.10.0"
+    tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
  keycloakExtensionHandler:
    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
-    digest: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
+    tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
  keycloakExtensionProxy:
    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
-    digest: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
+    tag: "latest@sha256:57026fb4ba7d4579461e7ddd4b1b8ce9585d1cac4adbe64040f5e1063c80a6ba"
  mariadb:
    repository: "mariadb"
-    tag: "10"
+    tag: "11.1.2-jammy@sha256:b6440c4f4e1471bdcee202e4c4e21c1f93af87421f6d33028363dd224e54f481"
  memcached:
    repository: "bitnami/memcached"
-    tag: "1.6.21-debian-11-r4"
+    tag: "1.6.21-debian-11-r84@sha256:81747acd297d3fcd05706ea771d441a6f01b28d722c366a06f922b6b7d4033dd"
  milter:
    repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
  nextcloud:
    repository: "nextcloud"
-    tag: "26.0.1-apache"
+    tag: "26.0.5-apache@sha256:2a129ba3258300424319e7023e8e60c28d79178ae4143e7ba2d41148646c30e1"
  openproject:
-    repository: "souvap/tooling/images/openproject/souvap@sha256"
+    repository: "souvap/tooling/images/openproject/souvap"
-    tag: "5da1ae8be3d7483bf0f3d9ec50c3470586528e0ff51b663e2c3a57bceb489423"
+    tag: "dev@sha256:03eb1eacc0c0c4e9e7d0f0c3d265fd0c15fd01cda33bc4f89cbc487ad53474a8"
  openxchangeBootstrap:
    repository: "alpine/k8s"
-    digest: "sha256:199a4457602b4e260d9781358cd2e342f63c177f4bcfa8053493be01e57beddf"
+    tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
  openxchangeCoreGuidedtours:
    repository: "appsuite-public-sector/core-guidedtours"
-    tag: "8.5.0"
+    tag: "8.5.1@sha256:469457562a378cca50460e08d9437a954fc6f19622f18128fa74979f7905ecd9"
  openxchangeCoreMW:
    repository: "appsuite-public-sector/middleware-public-sector"
-    tag: "8.15.43"
+    tag: "8.16.55@sha256:11317124714725d61204188ebfebc2220f295fd59b245adcef0b6c3186a68fd3"
  openxchangeCoreUI:
    repository: "appsuite-public-sector/core-ui"
-    tag: "8.15.2"
+    tag: "8.16.5@sha256:4f4dd4e36fb8a1b493c195e38e2f13b87c9582bfcdc3d23b646698fce2ffef8c"
  openxchangeCoreUIMiddleware:
    repository: "appsuite-public-sector/core-ui-middleware"
-    tag: "1.8.3"
+    tag: "1.8.4@sha256:c707fbd5496c894f201dab8f4e78aad98f1ad80c8058778f04dfa5e6e201ed64"
  openxchangeCoreUserGuide:
    repository: "appsuite-public-sector/core-user-guide"
-    tag: "8.15.702039"
+    tag: "8.16.727397@sha256:5d8dbf9a91456dea59a235b495dcd002b971e2b23ef6c3a2ea5fd2071664e2a4"
  openxchangeGuardUI:
    repository: "appsuite-public-sector/guard-ui"
-    tag: "4.0.5"
+    tag: "4.0.6@sha256:7bb8fdf944228dd78a5c33bbd8d0019d5a9e4ce1c35bda674166f2febc5d9a02"
  openxchangeNextcloudIntegrationUI:
    repository: "appsuite-public-sector/nextcloud-integration-ui"
-    tag: "1.0.2"
+    tag: "1.0.3@sha256:193fd07a8b83164d175cd55f7e28fb7ec6d81f1037945035ca709825725c038e"
  openxchangePublicSectorUI:
    repository: "appsuite-public-sector/public-sector-ui"
-    tag: "1.0.3"
+    tag: "2.0.1@sha256:8df90f6dfb59008567d8ded0dbd17b8f92f409c78ba2cf4ab2a39e1b23e34d3b"
  oxConnector:
    repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
-    tag: "branch-jconde-listener-entrypoint-chaining"
+    tag: "branch-jconde-listener-entrypoint-chaining@sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
  postfix:
    repository: "souvap/tooling/images/postfix"
-    digest: "sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
+    tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
  postgresql:
    repository: "postgres"
-    tag: "15-alpine"
+    tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
  prosody:
    repository: "jitsi/prosody"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:243547f24ae7d686d1f0c18ee230cf93119a66f095dda282bacbf45d4bb69f77"
  redis:
    repository: "bitnami/redis"
-    tag: "7.0.12-debian-11-r0"
+    tag: "7.2.1-debian-11-r5@sha256:e664fa63dfe88cd099180c32f2c9a109a958f053b75d195beb48b06ffd8a0b5b"
  synapse:
    repository: "matrixdotorg/synapse"
-    tag: "v1.87.0"
+    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
  synapseWeb:
-    repository: "library/haproxy"
+    repository: "rapidfort/haproxy-official"
-    tag: "2.4"
+    tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
  univentionCorporateServer:
-    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs@sha256"
+    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
-    tag: "6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
+    tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
  wellKnown:
    repository: "library/nginx"
-    tag: "1.23"
+    tag: "1.25.2-bookworm@sha256:9504f3f64a3f16f0eaf9adca3542ff8b2a6880e6abfb13e478cca23f6380080a"
  xwiki:
-    # repository: "xwikisas/swp/xwiki"
+    repository: "xwikisas/swp/xwiki"
-    # tag: "0.10-mariadb-tomcat"
+    tag: "0.10-mariadb-tomcat@sha256:02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
    repository: "xwikisas/swp/xwiki@sha256"
    tag: "02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
 ...
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -8,7 +8,7 @@ replicas:
  clamd: 1
  collabora: 1
  dovecot: 1
-  element: 2
+  element: 1
  # clamav-distributed
  freshclam: 1
  # clamav-distributed
@@ -25,7 +25,7 @@ replicas:
  openproject: 1
  postfix: 1
  synapse: 1
-  synapseWeb: 2
+  synapseWeb: 1
-  wellKnown: 2
+  wellKnown: 1
  xwiki: 1
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -9,6 +9,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "2Gi"
  collabora:
    limits:
      cpu: 1
      memory: "500Mi"
    requests:
      cpu: 0.1
      memory: "16Mi"
  dovecot:
    limits:
      cpu: 0.5
@@ -33,10 +40,10 @@ resources:
  icap:
    limits:
      cpu: 2
-      memory: "4Gi"
+      memory: "128Mi"
    requests:
      cpu: 0.1
-      memory: "2Gi"
+      memory: "16Mi"
  jibri:
    limits:
      cpu: 1
--- a/helmfile/environments/default/smtp.gotmpl
+++ b/helmfile/environments/default/smtp.gotmpl
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 smtp:
-  host: "mail.brained.io"
+  host: ""
-  username: "relay@souvap-univention.de"
+  username: ""
  password: "{{ env "SMTP_PASSWORD" }}"
 ...
Author	SHA1	Message	Date
Thorsten Roßner	5f79763e2b	chore(release): 0.3.1 [skip ci] ## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14) ### Bug Fixes * collabora: Update Ingress annotations and set securityContext ([`b5583ca`](`b5583caec1`)) * element: Improve default container security settings ([`882f1fb`](`882f1fbc93`)) * element: Update opendesk element version to 2.0.1 ([`d725b93`](`d725b93798`)) * helmfile: Remove default SMTP credentials and create docs for SMTP/TURN ([`e120f5f`](`e120f5fb9a`)) * helmfile: Update images and use a tag and digest together ([`c7fc187`](`c7fc187f14`)) * services: Explicitly set securityContexts ([`a799db0`](`a799db03c4`)) * services: Update Postfix to 2.0.2 fixing security gaining ([`e1070ee`](`e1070eeb06`))	2023-09-14 11:11:40 +00:00
Dominik Kaminski	e120f5fb9a	fix(helmfile): Remove default SMTP credentials and create docs for SMTP/TURN	2023-09-13 23:39:38 +02:00
Dominik Kaminski	a799db03c4	fix(services): Explicitly set securityContexts	2023-09-13 19:33:47 +02:00
Dominik Kaminski	d725b93798	fix(element): Update opendesk element version to 2.0.1	2023-09-13 19:33:47 +02:00
Dominik Kaminski	e1070eeb06	fix(services): Update Postfix to 2.0.2 fixing security gaining	2023-09-13 19:33:47 +02:00
Dominik Kaminski	c7fc187f14	fix(helmfile): Update images and use a tag and digest together	2023-09-13 19:33:47 +02:00
Dominik Kaminski	89ac783dc3	chore(collabora): Quote strings	2023-09-13 19:33:47 +02:00
Dominik Kaminski	882f1fbc93	fix(element): Improve default container security settings	2023-09-13 19:33:43 +02:00
Dominik Kaminski	b5583caec1	fix(collabora): Update Ingress annotations and set securityContext	2023-09-13 16:32:35 +02:00
Thorsten Roßner	6d23534ee0	chore(release): 0.3.0 [skip ci] # [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12) ### Features * ci: Selective tests ([`d2e7ac9`](`d2e7ac9348`))	2023-09-12 21:18:26 +00:00
Tobias Heinzmann	d2e7ac9348	feat(ci): Selective tests	2023-09-12 21:16:33 +00:00
Thorsten Roßner	2125037a3c	chore(release): 0.2.10 [skip ci] ## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06) ### Bug Fixes * helmfile: Add imagePullPolicy default env variable ([`f988644`](`f9886448b6`)) * helmfile: Update images and add jitsi, keycloak to security section in docs ([`0eceb85`](`0eceb85e7d`)) * jitsi: Update chart to 1.4.2 with improved security and fixed change on each deployment ([`1349181`](`1349181d80`)) * jitsi: Update jitsi to 1.5.1 and fix prosody image ([`ed7e5e4`](`ed7e5e428e`)) * keycloak: Improve default security settings ([`3b90533`](`3b90533063`)) * nextcloud: Fix yamllint disable comment ([`4380e78`](`4380e78981`)) * services: Disable https redirect in istio to fix cert-manager issues ([`1ef4a86`](`1ef4a861ac`)) * services: Fix capabilities of postifix ([`a6fa846`](`a6fa846afc`)) * services: Fix OCI registry address of postgresql, mariadb ([`be82243`](`be82243966`))	2023-09-06 17:12:09 +00:00
Dominik Kaminski	ed7e5e428e	fix(jitsi): Update jitsi to 1.5.1 and fix prosody image	2023-09-06 19:09:59 +02:00
Dominik Kaminski	d28a425673	chore(release): 0.2.10 [skip ci] ## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06) ### Bug Fixes * helmfile: Add imagePullPolicy default env variable ([`f988644`](`f9886448b6`)) * helmfile: Update images and add jitsi, keycloak to security section in docs ([`0eceb85`](`0eceb85e7d`)) * jitsi: Update chart to 1.4.2 with improved security and fixed change on each deployment ([`1349181`](`1349181d80`)) * keycloak: Improve default security settings ([`3b90533`](`3b90533063`)) * nextcloud: Fix yamllint disable comment ([`4380e78`](`4380e78981`)) * services: Disable https redirect in istio to fix cert-manager issues ([`1ef4a86`](`1ef4a861ac`)) * services: Fix capabilities of postifix ([`a6fa846`](`a6fa846afc`)) * services: Fix OCI registry address of postgresql, mariadb ([`be82243`](`be82243966`))	2023-09-06 07:53:01 +00:00
Dominik Kaminski	a6fa846afc	fix(services): Fix capabilities of postifix	2023-09-05 21:50:31 +02:00
Dominik Kaminski	4380e78981	fix(nextcloud): Fix yamllint disable comment	2023-09-05 20:31:32 +02:00
Dominik Kaminski	be82243966	fix(services): Fix OCI registry address of postgresql, mariadb	2023-09-05 20:15:03 +02:00
Dominik Kaminski	f9886448b6	fix(helmfile): Add imagePullPolicy default env variable	2023-09-05 19:59:18 +02:00
Dominik Kaminski	0eceb85e7d	fix(helmfile): Update images and add jitsi, keycloak to security section in docs	2023-09-05 18:49:09 +02:00
Dominik Kaminski	1ef4a861ac	fix(services): Disable https redirect in istio to fix cert-manager issues	2023-09-05 18:48:18 +02:00
Dominik Kaminski	3b90533063	fix(keycloak): Improve default security settings	2023-09-05 18:47:28 +02:00
Dominik Kaminski	1349181d80	fix(jitsi): Update chart to 1.4.2 with improved security and fixed change on each deployment	2023-09-05 18:47:04 +02:00
Thorsten Roßner	e1b84898c5	chore(release): 0.2.9 [skip ci] ## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05) ### Bug Fixes * collabora: Add websocket support for NGINX Inc. Ingress ([`6e5ef63`](`6e5ef639c2`)) * docs: Add security part in README ([`ff462ab`](`ff462ab0dc`)) * docs: Update scaling docs ([`63a1e25`](`63a1e2568e`)) * helmfile: Reduce icap resources in default enviroment ([`c5ab1b8`](`c5ab1b81fe`)) * helmfile: Update clamav and nextcloud images in default environment ([`4f2a8ae`](`4f2a8aeee4`)) * nextcloud: Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([`6e68f7f`](`6e68f7f28c`)) * nextcloud: Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([`cef11ac`](`cef11acbae`)) * nextcloud: Use clamav-icap when clamavDistributed is activated ([`41d40c9`](`41d40c9b73`)) * services: Enable security context and use default increased security settings ([`9a6d240`](`9a6d2409a6`)) * services: Fix image registry templates for postfix ([`6321ff5`](`6321ff50a0`)) * services: Replace image digest by tag ([`f758293`](`f758293241`)) * services: Set readOnlyRootFilesystem to true on master ([`5fbf86b`](`5fbf86b6bc`)) * services: Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([`9d78664`](`9d7866480c`))	2023-09-05 11:58:43 +00:00
Dominik Kaminski	63a1e2568e	fix(docs): Update scaling docs	2023-09-03 22:45:29 +02:00
Dominik Kaminski	ca4b1da84f	chore(helmfile): Fix linting errors for yamllint	2023-09-03 22:26:26 +02:00
Dominik Kaminski	ff462ab0dc	fix(docs): Add security part in README	2023-09-03 21:56:55 +02:00
Dominik Kaminski	4f2a8aeee4	fix(helmfile): Update clamav and nextcloud images in default environment	2023-09-03 21:56:45 +02:00
Dominik Kaminski	c5ab1b81fe	fix(helmfile): Reduce icap resources in default enviroment	2023-09-03 21:56:31 +02:00
Dominik Kaminski	9d7866480c	fix(services): Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries	2023-09-03 21:53:09 +02:00
Dominik Kaminski	9a6d2409a6	fix(services): Enable security context and use default increased security settings	2023-09-03 21:51:33 +02:00
Dominik Kaminski	f758293241	fix(services): Replace image digest by tag	2023-09-03 21:49:39 +02:00
Dominik Kaminski	6321ff50a0	fix(services): Fix image registry templates for postfix	2023-09-03 21:46:40 +02:00
Dominik Kaminski	5fbf86b6bc	fix(services): Set readOnlyRootFilesystem to true on master	2023-09-03 21:44:42 +02:00
Dominik Kaminski	6e68f7f28c	fix(nextcloud): Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress	2023-09-03 21:43:55 +02:00
Dominik Kaminski	41d40c9b73	fix(nextcloud): Use clamav-icap when clamavDistributed is activated	2023-09-03 21:43:00 +02:00
Dominik Kaminski	cef11acbae	fix(nextcloud): Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI	2023-09-03 21:40:45 +02:00
Dominik Kaminski	6e5ef639c2	fix(collabora): Add websocket support for NGINX Inc. Ingress	2023-09-03 21:40:06 +02:00
Thorsten Roßner	65b0ca5480	chore(release): 0.2.8 [skip ci] ## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31) ### Bug Fixes * open-xchange: Update images and Helm chart ([`39565c7`](`39565c7cfd`))	2023-08-31 10:57:35 +00:00
Thorsten Rossner	39565c7cfd	fix(open-xchange): Update images and Helm chart	2023-08-31 10:56:00 +00:00
Thorsten Roßner	0d374c1fea	chore(release): 0.2.7 [skip ci] ## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30) ### Bug Fixes * jitsi: Update Jitsi Helm chart to set the user's display name as default ([`387bd87`](`387bd8715c`))	2023-08-30 17:08:35 +00:00
Thorsten Rossner	387bd8715c	fix(jitsi): Update Jitsi Helm chart to set the user's display name as default	2023-08-30 17:06:57 +00:00
Dominik Kaminski	f219c42afa	chore(release): 0.2.6 [skip ci] ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30) ### Bug Fixes * ci: Change path of asset_generator ([`6ab4fa0`](`6ab4fa078b`)) * ci: Include deployment environments ([`0f59736`](`0f59736c5d`)) * ci: Release artefacts ([`2a61b5f`](`2a61b5f2a6`))	2023-08-30 14:23:01 +00:00
Thorsten Roßner	4d3bc2799c	chore(release): 0.2.6 [skip ci] ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30) ### Bug Fixes * ci: Change path of asset_generator ([`6ab4fa0`](`6ab4fa078b`)) * ci: Include deployment environments ([`0f59736`](`0f59736c5d`)) * ci: Release artefacts ([`2a61b5f`](`2a61b5f2a6`))	2023-08-30 14:18:36 +00:00
Thorsten Rossner	0f59736c5d	fix(ci): Include deployment environments	2023-08-30 14:16:30 +00:00
Thorsten Roßner	7e9d39cc7f	chore(release): 0.2.6 [skip ci] ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30) ### Bug Fixes * ci: Change path of asset_generator ([`6ab4fa0`](`6ab4fa078b`)) * ci: Release artefacts ([`2a61b5f`](`2a61b5f2a6`))	2023-08-30 13:49:37 +00:00
Dominik Kaminski	6ab4fa078b	fix(ci): Change path of asset_generator	2023-08-30 11:37:09 +00:00
Dominik Kaminski	05361276c0	chore(ci): Improve rules	2023-08-30 11:19:03 +00:00
Dominik Kaminski	cda237a655	chore(ci): Fix gitlab pipeline	2023-08-30 11:16:01 +00:00
Dominik Kaminski	ea77d1712e	chore(ci): Fix runner tags on OpenCoDE	2023-08-30 11:13:47 +00:00
Thorsten Rossner	2a61b5f2a6	fix(ci): Release artefacts	2023-08-30 10:57:54 +00:00