chore(release): 0.2.9 [skip ci]

## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05) ### Bug Fixes * **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](6e5ef639c2)) * **docs:** Add security part in README ([ff462ab](ff462ab0dc)) * **docs:** Update scaling docs ([63a1e25](63a1e2568e)) * **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](c5ab1b81fe)) * **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](4f2a8aeee4)) * **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](6e68f7f28c)) * **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](cef11acbae)) * **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](41d40c9b73)) * **services:** Enable security context and use default increased security settings ([9a6d240](9a6d2409a6)) * **services:** Fix image registry templates for postfix ([6321ff5](6321ff50a0)) * **services:** Replace image digest by tag ([f758293](f758293241)) * **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](5fbf86b6bc)) * **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](9d7866480c))
fix(docs): Update scaling docs
2025-12-06 07:21:36 +01:00 · 2023-09-05 11:58:43 +00:00 · 2023-09-03 22:45:29 +02:00 · 2023-09-03 22:26:26 +02:00 · 2023-09-03 21:56:55 +02:00 · 2023-09-03 21:56:45 +02:00
15 changed files with 118 additions and 76 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -463,6 +463,7 @@ generate-release-assets:
    - when: "never"
  script:
    - |
      # yamllint disable-line rule:line-length
      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator
      cd opendesk-asset-generator
      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,22 @@
 ## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
 ### Bug Fixes
 * **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e5ef639c22aad93fd2d0eb75f7a1ffc00d6cc9a))
 * **docs:** Add security part in README ([ff462ab](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ff462ab0dc2252cc7b517874f5337427b8d19053))
 * **docs:** Update scaling docs ([63a1e25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/63a1e2568e8c5ff62081c6e6594d2019c1aa4b74))
 * **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c5ab1b81fecbce46788c50b282ed6d1770124fa5))
 * **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4f2a8aeee4ee6c3d27b1c8a99bad14f603486be5))
 * **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e68f7f28c937319d93f8afe1dbb302012f77233))
 * **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cef11acbae28510809f9bfa13224dc3a6996207f))
 * **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41d40c9b731b866da2666fa4ffa8cb6493737112))
 * **services:** Enable security context and use default increased security settings ([9a6d240](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9a6d2409a697f7e9811a0f4f8d31bb18bac1b926))
 * **services:** Fix image registry templates for postfix ([6321ff5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6321ff50a00203abbfb7f5822e67a3c0e00d4b01))
 * **services:** Replace image digest by tag ([f758293](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f7582932412f13b1a087d40459e97cf633b1a97e))
 * **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5fbf86b6bc7b63c81b3ac07c5e0fa8cd464fdad1))
 * **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9d7866480cee889fd3b3003b2eea313a6ed73344))
 ## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)
--- a/README.md
+++ b/README.md
@@ -280,30 +280,46 @@ the application to your own database instances.
 ### Scaling
 The Replicas of components can be increased, while we still have to look in the
-actual scalability of the components (see column `Scales at least to 2`).
+actual scalability of the components (see column `Scaling (verified)`).
-| Component   | Name                   | Default | Service            | Scaling            | Scales at least to 2 |
+| Component   | Name                   | Scaling (effective) | Scaling (verified) |
-|-------------|------------------------|---------|--------------------|--------------------|----------------------|
+|-------------|------------------------|:-------------------:|:------------------:|
-| ClamAV      | `replicas.clamav`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| ClamAV      | `replicas.clamav`      | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.clamd`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.clamd`       | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.freshclam`   | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.freshclam`   |         :x:         |        :x:         |
-|             | `replicas.icap`        | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
-| Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
-| Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
-| Element     | `replicas.element`     | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+| Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.synapse`     | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.synapse`     |         :x:         |       :gear:       |
-|             | `replicas.synapseWeb`  | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.synapseWeb`  | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.wellKnown`   | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.wellKnown`   | :white_check_mark:  | :white_check_mark: |
-| Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Jitsi       | `replicas.jibri`       | :white_check_mark:  |       :gear:       |
-|             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.jicofo`      | :white_check_mark:  |       :gear:       |
-|             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.jitsi `      | :white_check_mark:  |       :gear:       |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | :x:                  |
+|             | `replicas.jvb `        |         :x:         |        :x:         |
-| Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Keycloak    | `replicas.keycloak`    | :white_check_mark:  |       :gear:       |
-| Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Nextcloud   | `replicas.nextcloud`   | :white_check_mark:  |       :gear:       |
-| OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| OpenProject | `replicas.openproject` | :white_check_mark:  |       :gear:       |
-| Postfix     | `replicas.postfix`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Postfix     | `replicas.postfix`     |         :x:         |       :gear:       |
-| XWiki       | `replicas.xwiki`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| XWiki       | `replicas.xwiki`       | :white_check_mark:  |       :gear:       |
 ## Security
 This list gives you an overview of default security settings and if they comply with security standards:
 | Component  | Process    | allowPrivilegeEscalation (`false`)  |                       capabilities (`drop: ALL`)                       | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
 |------------|------------|:-----------------------------------:|:----------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
 | ClamAV     | clamd      |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |            | freshclam  |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |            | icap       |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |            | milter     |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 | MariaDB    | mariadb    |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 | Postfix    | postfix    |         :white_check_mark:          | :x: (`DAC_OVERRIDE`, `FOWNER`, `SETUID`, `SETGID`, `NET_BIND_SERVICE`) |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
 | PostgreSQL | postgresql |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 # Component integration
--- a/helmfile/apps/collabora/values.yaml
+++ b/helmfile/apps/collabora/values.yaml
@@ -26,7 +26,8 @@ ingress:
      http-request track-sc1 url_param(WOPISrc)
      stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
      stick store-request url_param(WOPISrc)
-
+    nginx.org/websocket-services: "collabora"
    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
 autoscaling:
  enabled: false
 ...
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -2,19 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap-repo"
+  - name: "opendesk-nextcloud-bootstrap-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      # yamllint disable rule:line-length
-         default "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable" }}
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
      # yamllint enable rule:line-length
  - name: "nextcloud-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://nextcloud.github.io/helm/" }}
 releases:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
+  - name: "opendesk-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap-repo/sovereign-workplace-nextcloud-bootstrap"
+    chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
-    version: "2.3.0"
+    version: "3.0.0"
    wait: true
    waitForJobs: true
    values:
@@ -27,7 +30,7 @@ releases:
    chart: "nextcloud-repo/nextcloud"
    version: "3.5.19"
    needs:
-      - "sovereign-workplace-nextcloud-bootstrap"
+      - "opendesk-nextcloud-bootstrap"
    values:
      - "values-nextcloud.gotmpl"
      - "values-nextcloud.yaml"
--- a/helmfile/apps/nextcloud/values-bootstrap.gotmpl
+++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
@@ -18,7 +18,7 @@ config:
  antivirus:
    {{- if .Values.clamavDistributed.enabled }}
-    host: "clamav-sovereign-workplace-icap"
+    host: "clamav-icap"
    {{- else if .Values.clamavSimple.enabled }}
    host: "clamav-simple"
    {{- end }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml
@@ -21,6 +21,11 @@ cronjob:
        sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
        \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
 ingress:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
    nginx.org/client-max-body-size: "4G"
 internalDatabase:
  enabled: false
 postgresql:
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -7,13 +7,15 @@ repositories:
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
  - name: "postgresql-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable" }}
+         default "https://gitlab.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
  - name: "mariadb-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable" }}
+         default "https://gitlab.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
  - name: "postfix-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -23,13 +25,14 @@ repositories:
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
  - name: "clamav-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
  - name: "bitnami-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "registry-1.docker.io/bitnamicharts" }}
 releases:
@@ -41,41 +44,41 @@ releases:
    condition: "certificates.enabled"
  - name: "redis"
    chart: "bitnami-repo/redis"
-    version: "17.9.3"
+    version: "18.0.0"
    values:
      - "values-redis.gotmpl"
      - "values-redis.yaml"
    condition: "redis.enabled"
  - name: "postgresql"
    chart: "postgresql-repo/postgresql"
-    version: "2.0.0"
+    version: "2.0.2"
    values:
      - "values-postgresql.yaml"
      - "values-postgresql.gotmpl"
    condition: "postgresql.enabled"
  - name: "mariadb"
    chart: "mariadb-repo/mariadb"
-    version: "2.0.0"
+    version: "2.0.2"
    values:
      - "values-mariadb.yaml"
      - "values-mariadb.gotmpl"
    condition: "mariadb.enabled"
  - name: "postfix"
    chart: "postfix-repo/postfix"
-    version: "1.13.0"
+    version: "2.0.0"
    values:
      - "values-postfix.yaml"
      - "values-postfix.gotmpl"
    condition: "postfix.enabled"
  - name: "clamav"
-    chart: "clamav-repo/sovereign-workplace-clamav"
+    chart: "clamav-repo/opendesk-clamav"
-    version: "2.1.0"
+    version: "4.0.0"
    values:
      - "values-clamav-distributed.gotmpl"
    condition: "clamavDistributed.enabled"
  - name: "clamav-simple"
    chart: "clamav-repo/clamav-simple"
-    version: "2.1.0"
+    version: "4.0.0"
    values:
      - "values-clamav-simple.gotmpl"
    condition: "clamavSimple.enabled"
--- a/helmfile/apps/services/values-clamav-distributed.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.gotmpl
@@ -5,8 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 clamd:
  podSecurityContext:
    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
    enabled: false
  replicaCount: {{ .Values.replicas.clamd }}
  image:
    registry: "{{ .Values.global.imageRegistry }}"
@@ -17,8 +15,6 @@ clamd:
 freshclam:
  podSecurityContext:
    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
    enabled: false
  replicaCount: {{ .Values.replicas.freshclam }}
  image:
    registry: "{{ .Values.global.imageRegistry }}"
@@ -42,8 +38,6 @@ icap:
 milter:
  podSecurityContext:
    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
    enabled: false
  replicaCount: {{ .Values.replicas.milter }}
  image:
    registry: "{{ .Values.global.imageRegistry }}"
--- a/helmfile/apps/services/values-clamav-simple.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.gotmpl
@@ -3,11 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 podSecurityContext:
  {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
  enabled: false
 replicaCount: {{ .Values.replicas.clamav }}
 image:
--- a/helmfile/apps/services/values-postfix.gotmpl
+++ b/helmfile/apps/services/values-postfix.gotmpl
@@ -3,14 +3,15 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
+global:
-  url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
+  registry: {{ .Values.global.imageRegistry }}
-  digest: "{{ .Values.images.postfix.digest }}"
+  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-imagePullSecrets:
+image:
-{{- range .Values.global.imagePullSecrets }}
+  registry: {{ .Values.global.imageRegistry }}
-  - name: {{ . }}
+  repository: "{{ .Values.images.postfix.repository }}"
-{{- end }}
+  tag: "{{ .Values.images.postfix.tag }}"
 certificate:
  secretName: "{{ .Values.ingress.tls.secretName }}"
--- a/helmfile/apps/services/values-redis.yaml
+++ b/helmfile/apps/services/values-redis.yaml
@@ -8,4 +8,8 @@ sentinel:
 metrics:
  enabled: false
 master:
  containerSecurityContext:
    readOnlyRootFilesystem: true
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -4,7 +4,7 @@
 images:
  clamd:
    repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
  collabora:
    # repository: "collabora/code"
    # tag: "23.05.2.2.1"
@@ -18,7 +18,7 @@ images:
    tag: "16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
  freshclam:
    repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
  jibri:
    repository: "jitsi/jibri"
    tag: "stable-8615"
@@ -38,8 +38,8 @@ images:
    repository: "jitsi/jvb"
    tag: "stable-8615"
  icap:
-    repository: "souvap/tooling/images/c-icap/c-icap-clamav"
+    repository: "souvap/tooling/images/c-icap"
-    tag: "1.0.4"
+    tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
  intercom:
    repository: "univention/intercom-service"
    tag: "1.4-kubernetes"
@@ -64,10 +64,10 @@ images:
    tag: "1.6.21-debian-11-r4"
  milter:
    repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
  nextcloud:
    repository: "nextcloud"
-    tag: "26.0.1-apache"
+    tag: "26.0.5-apache"
  openproject:
    repository: "souvap/tooling/images/openproject/souvap@sha256"
    tag: "5da1ae8be3d7483bf0f3d9ec50c3470586528e0ff51b663e2c3a57bceb489423"
@@ -103,7 +103,7 @@ images:
    tag: "branch-jconde-listener-entrypoint-chaining"
  postfix:
    repository: "souvap/tooling/images/postfix"
-    digest: "sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
+    tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
  postgresql:
    repository: "postgres"
    tag: "15-alpine"
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -8,7 +8,7 @@ replicas:
  clamd: 1
  collabora: 1
  dovecot: 1
-  element: 2
+  element: 1
  # clamav-distributed
  freshclam: 1
  # clamav-distributed
@@ -25,7 +25,7 @@ replicas:
  openproject: 1
  postfix: 1
  synapse: 1
-  synapseWeb: 2
+  synapseWeb: 1
-  wellKnown: 2
+  wellKnown: 1
  xwiki: 1
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -33,10 +33,10 @@ resources:
  icap:
    limits:
      cpu: 2
-      memory: "4Gi"
+      memory: "128Mi"
    requests:
      cpu: 0.1
-      memory: "2Gi"
+      memory: "16Mi"
  jibri:
    limits:
      cpu: 1
Author	SHA1	Message	Date
Thorsten Roßner	e1b84898c5	chore(release): 0.2.9 [skip ci] ## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05) ### Bug Fixes * collabora: Add websocket support for NGINX Inc. Ingress ([`6e5ef63`](`6e5ef639c2`)) * docs: Add security part in README ([`ff462ab`](`ff462ab0dc`)) * docs: Update scaling docs ([`63a1e25`](`63a1e2568e`)) * helmfile: Reduce icap resources in default enviroment ([`c5ab1b8`](`c5ab1b81fe`)) * helmfile: Update clamav and nextcloud images in default environment ([`4f2a8ae`](`4f2a8aeee4`)) * nextcloud: Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([`6e68f7f`](`6e68f7f28c`)) * nextcloud: Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([`cef11ac`](`cef11acbae`)) * nextcloud: Use clamav-icap when clamavDistributed is activated ([`41d40c9`](`41d40c9b73`)) * services: Enable security context and use default increased security settings ([`9a6d240`](`9a6d2409a6`)) * services: Fix image registry templates for postfix ([`6321ff5`](`6321ff50a0`)) * services: Replace image digest by tag ([`f758293`](`f758293241`)) * services: Set readOnlyRootFilesystem to true on master ([`5fbf86b`](`5fbf86b6bc`)) * services: Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([`9d78664`](`9d7866480c`))	2023-09-05 11:58:43 +00:00
Dominik Kaminski	63a1e2568e	fix(docs): Update scaling docs	2023-09-03 22:45:29 +02:00
Dominik Kaminski	ca4b1da84f	chore(helmfile): Fix linting errors for yamllint	2023-09-03 22:26:26 +02:00
Dominik Kaminski	ff462ab0dc	fix(docs): Add security part in README	2023-09-03 21:56:55 +02:00
Dominik Kaminski	4f2a8aeee4	fix(helmfile): Update clamav and nextcloud images in default environment	2023-09-03 21:56:45 +02:00
Dominik Kaminski	c5ab1b81fe	fix(helmfile): Reduce icap resources in default enviroment	2023-09-03 21:56:31 +02:00
Dominik Kaminski	9d7866480c	fix(services): Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries	2023-09-03 21:53:09 +02:00
Dominik Kaminski	9a6d2409a6	fix(services): Enable security context and use default increased security settings	2023-09-03 21:51:33 +02:00
Dominik Kaminski	f758293241	fix(services): Replace image digest by tag	2023-09-03 21:49:39 +02:00
Dominik Kaminski	6321ff50a0	fix(services): Fix image registry templates for postfix	2023-09-03 21:46:40 +02:00
Dominik Kaminski	5fbf86b6bc	fix(services): Set readOnlyRootFilesystem to true on master	2023-09-03 21:44:42 +02:00
Dominik Kaminski	6e68f7f28c	fix(nextcloud): Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress	2023-09-03 21:43:55 +02:00
Dominik Kaminski	41d40c9b73	fix(nextcloud): Use clamav-icap when clamavDistributed is activated	2023-09-03 21:43:00 +02:00
Dominik Kaminski	cef11acbae	fix(nextcloud): Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI	2023-09-03 21:40:45 +02:00
Dominik Kaminski	6e5ef639c2	fix(collabora): Add websocket support for NGINX Inc. Ingress	2023-09-03 21:40:06 +02:00