chore(release): 0.2.9 [skip ci]

## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)

### Bug Fixes

* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](6e5ef639c2))
* **docs:** Add security part in README ([ff462ab](ff462ab0dc))
* **docs:** Update scaling docs ([63a1e25](63a1e2568e))
* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](c5ab1b81fe))
* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](4f2a8aeee4))
* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](6e68f7f28c))
* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](cef11acbae))
* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](41d40c9b73))
* **services:** Enable security context and use default increased security settings ([9a6d240](9a6d2409a6))
* **services:** Fix image registry templates for postfix ([6321ff5](6321ff50a0))
* **services:** Replace image digest by tag ([f758293](f758293241))
* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](5fbf86b6bc))
* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](9d7866480c))

.gitlab-ci.yml

@@ -463,6 +463,7 @@ generate-release-assets:
     - when: "never"
   script:
     - |
+      # yamllint disable-line rule:line-length
       git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator
       cd opendesk-asset-generator
       export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}

CHANGELOG.md

@@ -1,3 +1,36 @@
+## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
+
+
+### Bug Fixes
+
+* **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e5ef639c22aad93fd2d0eb75f7a1ffc00d6cc9a))
+* **docs:** Add security part in README ([ff462ab](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ff462ab0dc2252cc7b517874f5337427b8d19053))
+* **docs:** Update scaling docs ([63a1e25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/63a1e2568e8c5ff62081c6e6594d2019c1aa4b74))
+* **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c5ab1b81fecbce46788c50b282ed6d1770124fa5))
+* **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4f2a8aeee4ee6c3d27b1c8a99bad14f603486be5))
+* **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e68f7f28c937319d93f8afe1dbb302012f77233))
+* **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cef11acbae28510809f9bfa13224dc3a6996207f))
+* **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41d40c9b731b866da2666fa4ffa8cb6493737112))
+* **services:** Enable security context and use default increased security settings ([9a6d240](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9a6d2409a697f7e9811a0f4f8d31bb18bac1b926))
+* **services:** Fix image registry templates for postfix ([6321ff5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6321ff50a00203abbfb7f5822e67a3c0e00d4b01))
+* **services:** Replace image digest by tag ([f758293](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f7582932412f13b1a087d40459e97cf633b1a97e))
+* **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5fbf86b6bc7b63c81b3ac07c5e0fa8cd464fdad1))
+* **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9d7866480cee889fd3b3003b2eea313a6ed73344))
+
+## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)
+
+
+### Bug Fixes
+
+* **open-xchange:** Update images and Helm chart ([39565c7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/39565c7cfd89a8d1c2e645e3ecea28fba703ccc1))
+
+## [0.2.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.6...v0.2.7) (2023-08-30)
+
+
+### Bug Fixes
+
+* **jitsi:** Update Jitsi Helm chart to set the user's display name as default ([387bd87](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/387bd8715c5a1cf54733c6642cf57c6ef9a44316))
+
 ## [0.2.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.5...v0.2.6) (2023-08-30)
 
 

README.md

@@ -280,30 +280,46 @@ the application to your own database instances.
 ### Scaling
 
 The Replicas of components can be increased, while we still have to look in the
-actual scalability of the components (see column `Scales at least to 2`).
+actual scalability of the components (see column `Scaling (verified)`).
 
-| Component   | Name                   | Default | Service            | Scaling            | Scales at least to 2 |
+| Component   | Name                   | Scaling (effective) | Scaling (verified) |
-|-------------|------------------------|---------|--------------------|--------------------|----------------------|
+|-------------|------------------------|:-------------------:|:------------------:|
-| ClamAV      | `replicas.clamav`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| ClamAV      | `replicas.clamav`      | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.clamd`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.clamd`       | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.freshclam`   | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.freshclam`   |         :x:         |        :x:         |
-|             | `replicas.icap`        | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
-| Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
-| Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
-| Element     | `replicas.element`     | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+| Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.synapse`     | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.synapse`     |         :x:         |       :gear:       |
-|             | `replicas.synapseWeb`  | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.synapseWeb`  | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.wellKnown`   | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.wellKnown`   | :white_check_mark:  | :white_check_mark: |
-| Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Jitsi       | `replicas.jibri`       | :white_check_mark:  |       :gear:       |
-|             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.jicofo`      | :white_check_mark:  |       :gear:       |
-|             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.jitsi `      | :white_check_mark:  |       :gear:       |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | :x:                  |
+|             | `replicas.jvb `        |         :x:         |        :x:         |
-| Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Keycloak    | `replicas.keycloak`    | :white_check_mark:  |       :gear:       |
-| Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Nextcloud   | `replicas.nextcloud`   | :white_check_mark:  |       :gear:       |
-| OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| OpenProject | `replicas.openproject` | :white_check_mark:  |       :gear:       |
-| Postfix     | `replicas.postfix`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Postfix     | `replicas.postfix`     |         :x:         |       :gear:       |
-| XWiki       | `replicas.xwiki`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| XWiki       | `replicas.xwiki`       | :white_check_mark:  |       :gear:       |
+
+
+## Security
+
+This list gives you an overview of default security settings and if they comply with security standards:
+
+
+| Component  | Process    | allowPrivilegeEscalation (`false`)  |                       capabilities (`drop: ALL`)                       | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+|------------|------------|:-----------------------------------:|:----------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+| ClamAV     | clamd      |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | freshclam  |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | icap       |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | milter     |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| MariaDB    | mariadb    |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Postfix    | postfix    |         :white_check_mark:          | :x: (`DAC_OVERRIDE`, `FOWNER`, `SETUID`, `SETGID`, `NET_BIND_SERVICE`) |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| PostgreSQL | postgresql |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 
 
 # Component integration

helmfile/apps/collabora/values.yaml

@@ -26,7 +26,8 @@ ingress:
       http-request track-sc1 url_param(WOPISrc)
       stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
       stick store-request url_param(WOPISrc)
-
+    nginx.org/websocket-services: "collabora"
+    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
 autoscaling:
   enabled: false
 ...

helmfile/apps/jitsi/helmfile.yaml

@@ -10,7 +10,7 @@ repositories:
 releases:
   - name: "jitsi"
     chart: "jitsi-repo/sovereign-workplace-jitsi"
-    version: "1.3.0"
+    version: "1.4.1"
     values:
       - "values-jitsi.gotmpl"
     condition: "jitsi.enabled"

helmfile/apps/nextcloud/helmfile.yaml

@@ -2,19 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap-repo"
+  - name: "opendesk-nextcloud-bootstrap-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      # yamllint disable rule:line-length
-         default "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable" }}
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
+      # yamllint enable rule:line-length
   - name: "nextcloud-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
          default "https://nextcloud.github.io/helm/" }}
 
 releases:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
+  - name: "opendesk-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap-repo/sovereign-workplace-nextcloud-bootstrap"
+    chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
-    version: "2.3.0"
+    version: "3.0.0"
     wait: true
     waitForJobs: true
     values:
@@ -27,7 +30,7 @@ releases:
     chart: "nextcloud-repo/nextcloud"
     version: "3.5.19"
     needs:
-      - "sovereign-workplace-nextcloud-bootstrap"
+      - "opendesk-nextcloud-bootstrap"
     values:
       - "values-nextcloud.gotmpl"
       - "values-nextcloud.yaml"

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -18,7 +18,7 @@ config:
 
   antivirus:
     {{- if .Values.clamavDistributed.enabled }}
-    host: "clamav-sovereign-workplace-icap"
+    host: "clamav-icap"
     {{- else if .Values.clamavSimple.enabled }}
     host: "clamav-simple"
     {{- end }}

helmfile/apps/nextcloud/values-nextcloud.yaml

@@ -21,6 +21,11 @@ cronjob:
         sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
         \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
 
+ingress:
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
+    nginx.org/client-max-body-size: "4G"
+
 internalDatabase:
   enabled: false
 postgresql:

helmfile/apps/open-xchange/helmfile.yaml

@@ -26,7 +26,7 @@ releases:
     condition: "dovecot.enabled"
   - name: "open-xchange"
     chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
-    version: "1.2.13"
+    version: "2.0.3"
     values:
       - "values-openxchange.yaml"
       - "values-openxchange.gotmpl"

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -55,13 +55,17 @@ appsuite:
       com.openexchange.mail.filter.server: "dovecot"
       com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
       # Capabilities
+      # Old capability can be used to toggle all integrations with a single switch
+      com.openexchange.capability.public-sector: "true"
+      # New capabilities in 2.0
+      com.openexchange.capability.public-sector-element: "false"
+      com.openexchange.capability.public-sector-navigation: "true"
       com.openexchange.capability.client-onboarding: "true"
       com.openexchange.capability.dynamic-theme: "true"
       com.openexchange.capability.filestorage_nextcloud: "true"
       com.openexchange.capability.filestorage_nextcloud_oauth: "true"
       com.openexchange.capability.guard: "true"
       com.openexchange.capability.guard-mail: "true"
-      com.openexchange.capability.public-sector: "true"
       com.openexchange.capability.smime: "true"
       com.openexchange.capability.share_links: "false"
       com.openexchange.capability.invite_guests: "false"
@@ -95,6 +99,11 @@ appsuite:
         bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
 
     uiSettings:
+      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
+      io.ox/core//features/enterprisePicker/showLauncher: "false"
+      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
+      # Text and icon color in the topbar
+      io.ox/dynamic-theme//topbarColor: "#000"
       io.ox/dynamic-theme//logoWidth: "82"
       io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
       # Resources

helmfile/apps/services/helmfile.yaml

@@ -7,13 +7,15 @@ repositories:
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
          default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
   - name: "postgresql-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable" }}
+         default "https://gitlab.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
   - name: "mariadb-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable" }}
+         default "https://gitlab.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
   - name: "postfix-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -23,13 +25,14 @@ repositories:
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
          default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
   - name: "clamav-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
   - name: "bitnami-repo"
     oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "registry-1.docker.io/bitnamicharts" }}
 
 releases:
@@ -41,41 +44,41 @@ releases:
     condition: "certificates.enabled"
   - name: "redis"
     chart: "bitnami-repo/redis"
-    version: "17.9.3"
+    version: "18.0.0"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
     condition: "redis.enabled"
   - name: "postgresql"
     chart: "postgresql-repo/postgresql"
-    version: "2.0.0"
+    version: "2.0.2"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
     condition: "postgresql.enabled"
   - name: "mariadb"
     chart: "mariadb-repo/mariadb"
-    version: "2.0.0"
+    version: "2.0.2"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
     condition: "mariadb.enabled"
   - name: "postfix"
     chart: "postfix-repo/postfix"
-    version: "1.13.0"
+    version: "2.0.0"
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
     condition: "postfix.enabled"
   - name: "clamav"
-    chart: "clamav-repo/sovereign-workplace-clamav"
+    chart: "clamav-repo/opendesk-clamav"
-    version: "2.1.0"
+    version: "4.0.0"
     values:
       - "values-clamav-distributed.gotmpl"
     condition: "clamavDistributed.enabled"
   - name: "clamav-simple"
     chart: "clamav-repo/clamav-simple"
-    version: "2.1.0"
+    version: "4.0.0"
     values:
       - "values-clamav-simple.gotmpl"
     condition: "clamavSimple.enabled"

helmfile/apps/services/values-clamav-distributed.gotmpl

@@ -5,8 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 clamd:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.clamd }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
@@ -17,8 +15,6 @@ clamd:
 
 freshclam:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.freshclam }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
@@ -42,8 +38,6 @@ icap:
 
 milter:
   podSecurityContext:
-    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-    enabled: false
   replicaCount: {{ .Values.replicas.milter }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/services/values-clamav-simple.gotmpl

@@ -3,11 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
-podSecurityContext:
-  {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
-  enabled: false
-
 replicaCount: {{ .Values.replicas.clamav }}
 
 image:

helmfile/apps/services/values-postfix.gotmpl

@@ -3,14 +3,15 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
+global:
-  url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
+  registry: {{ .Values.global.imageRegistry }}
-  digest: "{{ .Values.images.postfix.digest }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
-imagePullSecrets:
+image:
-{{- range .Values.global.imagePullSecrets }}
+  registry: {{ .Values.global.imageRegistry }}
-  - name: {{ . }}
+  repository: "{{ .Values.images.postfix.repository }}"
-{{- end }}
+  tag: "{{ .Values.images.postfix.tag }}"
 
 certificate:
   secretName: "{{ .Values.ingress.tls.secretName }}"

helmfile/apps/services/values-redis.yaml

@@ -8,4 +8,8 @@ sentinel:
 
 metrics:
   enabled: false
+
+master:
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
 ...

helmfile/environments/default/images.yaml

@@ -4,10 +4,12 @@
 images:
   clamd:
     repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
   collabora:
-    repository: "collabora/code"
+    # repository: "collabora/code"
-    tag: "23.05.2.2.1"
+    # tag: "23.05.2.2.1"
+    repository: "souvap/tooling/images/collabora"
+    tag: "23.05.3.1.1@sha256:f1248a50e67940e3be3dfa58dc37eca73267cf73a679b459707d2520cee7720e"
   dovecot:
     repository: "dovecot/dovecot"
     digest: "sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
@@ -16,7 +18,7 @@ images:
     tag: "16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
   freshclam:
     repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
   jibri:
     repository: "jitsi/jibri"
     tag: "stable-8615"
@@ -28,7 +30,7 @@ images:
     tag: "stable-8615"
   jitsiKeycloakAdapter:
     repository: "nordeck/jitsi-keycloak-adapter"
-    tag: "v20230425"
+    tag: "v20230816"
   jitsiPatchJVB:
     repository: "bitnami/kubectl"
     tag: "1.26.6"
@@ -36,8 +38,8 @@ images:
     repository: "jitsi/jvb"
     tag: "stable-8615"
   icap:
-    repository: "souvap/tooling/images/c-icap/c-icap-clamav"
+    repository: "souvap/tooling/images/c-icap"
-    tag: "1.0.4"
+    tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
   intercom:
     repository: "univention/intercom-service"
     tag: "1.4-kubernetes"
@@ -62,10 +64,10 @@ images:
     tag: "1.6.21-debian-11-r4"
   milter:
     repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
   nextcloud:
     repository: "nextcloud"
-    tag: "26.0.1-apache"
+    tag: "26.0.5-apache"
   openproject:
     repository: "souvap/tooling/images/openproject/souvap@sha256"
     tag: "5da1ae8be3d7483bf0f3d9ec50c3470586528e0ff51b663e2c3a57bceb489423"
@@ -74,34 +76,34 @@ images:
     digest: "sha256:199a4457602b4e260d9781358cd2e342f63c177f4bcfa8053493be01e57beddf"
   openxchangeCoreGuidedtours:
     repository: "appsuite-public-sector/core-guidedtours"
-    tag: "8.5.0"
+    tag: "8.5.1"
   openxchangeCoreMW:
     repository: "appsuite-public-sector/middleware-public-sector"
-    tag: "8.15.43"
+    tag: "8.16.55"
   openxchangeCoreUI:
     repository: "appsuite-public-sector/core-ui"
-    tag: "8.15.2"
+    tag: "8.16.5"
   openxchangeCoreUIMiddleware:
     repository: "appsuite-public-sector/core-ui-middleware"
-    tag: "1.8.3"
+    tag: "1.8.4"
   openxchangeCoreUserGuide:
     repository: "appsuite-public-sector/core-user-guide"
-    tag: "8.15.702039"
+    tag: "8.16.727397"
   openxchangeGuardUI:
     repository: "appsuite-public-sector/guard-ui"
-    tag: "4.0.5"
+    tag: "4.0.6"
   openxchangeNextcloudIntegrationUI:
     repository: "appsuite-public-sector/nextcloud-integration-ui"
-    tag: "1.0.2"
+    tag: "1.0.3"
   openxchangePublicSectorUI:
     repository: "appsuite-public-sector/public-sector-ui"
-    tag: "1.0.3"
+    tag: "2.0.1"
   oxConnector:
     repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
     tag: "branch-jconde-listener-entrypoint-chaining"
   postfix:
     repository: "souvap/tooling/images/postfix"
-    digest: "sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
+    tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
   postgresql:
     repository: "postgres"
     tag: "15-alpine"

helmfile/environments/default/replicas.yaml

@@ -8,7 +8,7 @@ replicas:
   clamd: 1
   collabora: 1
   dovecot: 1
-  element: 2
+  element: 1
   # clamav-distributed
   freshclam: 1
   # clamav-distributed
@@ -25,7 +25,7 @@ replicas:
   openproject: 1
   postfix: 1
   synapse: 1
-  synapseWeb: 2
+  synapseWeb: 1
-  wellKnown: 2
+  wellKnown: 1
   xwiki: 1
 ...

helmfile/environments/default/resources.yaml

@@ -33,10 +33,10 @@ resources:
   icap:
     limits:
       cpu: 2
-      memory: "4Gi"
+      memory: "128Mi"
     requests:
       cpu: 0.1
-      memory: "2Gi"
+      memory: "16Mi"
   jibri:
     limits:
       cpu: 1