chore(release): 0.4.6 [skip ci]

## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26) ### Bug Fixes * **openproject:** Use renamed registry open_desk ([a37faf3](a37faf3b57))
fix(openproject): Use renamed registry open_desk
2025-12-06 07:21:36 +01:00 · 2023-09-26 12:51:57 +00:00 · 2023-09-26 12:50:26 +00:00 · 2023-09-26 12:20:31 +00:00 · 2023-09-26 12:18:13 +00:00 · 2023-09-25 17:29:54 +00:00
79 changed files with 1724 additions and 247 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -58,10 +58,13 @@ variables:
      - "yes"
      - "no"
  DEPLOY_UCS:
-    description: "Enable Univention Corporate Server deployment."
+    description: >-
      Enable Univention Corporate Server deployment.
      "ums-eval" does deploy the Univention Management Stack instead of the UCS container.
    value: "no"
    options:
      - "yes"
      - "ums-eval"
      - "no"
  DEPLOY_PROVISIONING:
    description: "Enable Provisioning Components."
@@ -129,8 +132,18 @@ variables:
    options:
      - "yes"
      - "no"
-  TESTS_PROJECT_URL:
+  TESTS_BRANCH:
-    description: "URL of the E2E-test Gitlab project API with project ID."
+    description: "Branch of E2E-tests on which the test pipeline is triggered"
    value: "main"
  RUN_UMS_TESTS:
    description: "Run E2E test suite of SouvAP Dev team"
    value: "no"
    options:
      - "yes"
      - "no"
  UMS_TESTS_BRANCH:
    description: "Branch of E2E test suite of SouvAP Dev team"
    value: "main"
  # please use the following set of variables with normalized names:
  DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
  ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -140,23 +153,6 @@ variables:
  dependencies: []
  extends: ".environments"
  image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
  secrets:
    SMTP_PASSWORD:
      vault:
        engine:
          name: "kv-v2"
          path: "swp"
        path: "accounts/brained/mail/relay@souvap-univention.de"
        field: "password"
      file: false
    TURN_CREDENTIALS:
      vault:
        engine:
          name: "kv-v2"
          path: "swp"
        path: "accounts/souvap-univention.de/develop/turn/secret"
        field: "credentials"
      file: false
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
    # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -235,7 +231,7 @@ ucs-deploy:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
-          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no")
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS == "yes")
      when: "always"
  variables:
    COMPONENT: "univention-corporate-container"
@@ -252,6 +248,18 @@ provisioning-deploy:
  variables:
    COMPONENT: "provisioning"
 ums-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          $DEPLOY_UCS == "ums-eval"
      when: "always"
  variables:
    COMPONENT: "univention-management-stack"
 keycloak-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
@@ -408,51 +416,98 @@ run-tests:
      when: "always"
  script:
    - |
      COMPONENTS="login or portal or profile or navigation"
      if [ "${DEPLOY_ALL_COMPONENTS}" != "no" ]; then
        COMPONENTS="${COMPONENTS} or collabora or ics or jitsi or keycloak or nextcloud or openproject or ox or ucs \
          or xwiki"
      else
        [ "${DEPLOY_COLLABORA}" != "no" ] && COMPONENTS="${COMPONENTS} or collabora"
        [ "${DEPLOY_ICS}" != "no" ] && COMPONENTS="${COMPONENTS} or ics"
        [ "${DEPLOY_JITSI}" != "no" ] && COMPONENTS="${COMPONENTS} or jitsi"
        [ "${DEPLOY_KEYCLOAK}" != "no" ] && COMPONENTS="${COMPONENTS} or keycloak"
        [ "${DEPLOY_NEXTCLOUD}" != "no" ] && COMPONENTS="${COMPONENTS} or nextcloud"
        [ "${DEPLOY_OPENPROJECT}" != "no" ] && COMPONENTS="${COMPONENTS} or openproject"
        [ "${DEPLOY_OX}" != "no" ] && COMPONENTS="${COMPONENTS} or ox"
        [ "${DEPLOY_UCS}" != "no" ] && COMPONENTS="${COMPONENTS} or ucs"
        [ "${DEPLOY_XWIKI}" != "no" ] && COMPONENTS="${COMPONENTS} or xwiki"
      fi
      echo "Gathering passwords from UCS container ..."
      UCS_CONTAINER_NAME=$( \
-        kubectl -n ${NAMESPACE} get pods --no-headers \
+        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
-        --selector 'app.kubernetes.io/instance=univention-corporate-container' \
+          'app.kubernetes.io/instance=univention-corporate-container' \
-       | awk '{print $1}' \
+        | grep Running \
        | awk '{print $1}' \
      )
      echo "UCS_CONTAINER_NAME: ${UCS_CONTAINER_NAME}"
      DEFAULT_USER_PASSWORD=$( \
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
        | awk '{print $2}' \
      )
-      DEFAULT_ADMIN_PASSWORD=$( \
+      DEFAULT_ADMIN_PASSWORD=$(
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
        | awk '{print $2}' \
      )
-      echo "triggering test pipeline ..."
+      curl --request POST \
-      curl -X POST \
+      --header "Content-Type: application/json" \
-        -F "ref=main" \
+      --data "{ \
-        -F "token=${CI_JOB_TOKEN}" \
+        \"ref\": \"${TESTS_BRANCH}\", \
-        -F "variables[url]=https://portal.${DOMAIN}" \
+        \"token\": \"${CI_JOB_TOKEN}\", \
-        -F "variables[user_name]=${DEFAULT_USER_NAME}" \
+        \"variables\": { \
-        -F "variables[user_password]=${DEFAULT_USER_PASSWORD}" \
+          \"url\": \"https://portal.${DOMAIN}\", \
-        -F "variables[admin_name]=${DEFAULT_ADMIN_NAME}" \
+          \"user_name\": \"${DEFAULT_USER_NAME}\", \
-        -F "variables[admin_password]=${DEFAULT_ADMIN_PASSWORD}" \
+          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
-        -F "variables[components]=\"${COMPONENTS}\"" \
+          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
-        https://${TESTS_PROJECT_URL}/trigger/pipeline
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
          \"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
        } \
      }" \
      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
 run-souvap-dev-tests:
  extends: ".deploy-common"
  environment:
    name: "${NAMESPACE}"
  tags:
    - "docker"
    - "kubernetes"
    - "${CLUSTER}"
  stage: "tests"
  rules:
    - if: >
        $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
      when: "always"
  script:
    - |
      UCS_CONTAINER_NAME=$( \
        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
          'app.kubernetes.io/instance=univention-corporate-container' \
        | grep Running \
        | awk '{print $1}' \
      )
      DEFAULT_USER_PASSWORD=$( \
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
        | awk '{print $2}' \
      )
      DEFAULT_ADMIN_PASSWORD=$(
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
        | awk '{print $2}' \
      )
      curl --request POST \
      --header "Content-Type: application/json" \
      --data "{ \
        \"ref\": \"${UMS_TESTS_BRANCH}\", \
        \"token\": \"${CI_JOB_TOKEN}\", \
        \"variables\": { \
          \"portal_base_url\": \"https://portal.${DOMAIN}\", \
          \"username\": \"${DEFAULT_USER_NAME}\", \
          \"password\": \"${DEFAULT_USER_PASSWORD}\", \
          \"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
          \"keycloak_base_url\": \"https://id.${DOMAIN}\" \
        } \
      }" \
      "https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
 generate-release-assets:
  stage: "generate-release-assets"
@@ -463,7 +518,7 @@ generate-release-assets:
    - when: "never"
  script:
    - |
-      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator
+      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
      cd opendesk-asset-generator
      export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
      ./opendesk_asset_generator.py
@@ -476,6 +531,8 @@ generate-release-assets:
      - "./build_artefacts/chart-index.json"
      - "./build_artefacts/image-index.json"
  tags: []
  variables:
    ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
 # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,152 @@
 ## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)
 ### Bug Fixes
 * **openproject:** Use renamed registry open_desk ([a37faf3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a37faf3b5769aea9944ffa7626096c16296dcc85))
 ## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26)
 ### Bug Fixes
 * **helmfile:** Streamline timeouts ([2703615](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2703615dffb2ba5c70704a4f08bb0485629218f3))
 ## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25)
 ### Bug Fixes
 * **open-xchange:** Updates for mail templates and mail export ([ae3d0da](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ae3d0daa117d3d0ff307f379590394914a757546))
 ## [0.4.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.2...v0.4.3) (2023-09-25)
 ### Bug Fixes
 * **nextcloud:** Update image to 27.1.1 ([ce7e5f6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ce7e5f670a4dbc980eb8be73e5f7d15b27e8b1de))
 ## [0.4.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.1...v0.4.2) (2023-09-21)
 ### Bug Fixes
 * **nextcloud:** Add Nextcloud app for OpenProject integration; Bump Collabora Image ([f46c8a9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f46c8a9a5f4f9778cb171d65e9a0280e4ce61c16))
 ## [0.4.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.0...v0.4.1) (2023-09-19)
 ### Bug Fixes
 * **univention-management-stack:** Remove doublette triple dashes in helmfile.yaml ([41b9afb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41b9afb3648a0e1fddc5aa4337cc1501756b370c))
 # [0.4.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.2...v0.4.0) (2023-09-18)
 ### Features
 * **ci:** Optionally trigger E2E tests of the SouvAP Dev team ([a99c088](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a99c088361b95b2bb7ee2b161e3a254f02bcd9ae))
 ## [0.3.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.1...v0.3.2) (2023-09-14)
 ### Bug Fixes
 * **helmfile:** Fix linter issues ([1514678](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1514678db00d32c1463d8fc496c0e6d1c2a2df96))
 * **univention-management-stack:** Add "commonLabels" into helmfile ([16c08f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16c08f82c9b4934567bb3b9c7fccab754bfad494))
 * **univention-management-stack:** Add Helm charts ([a74d662](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a74d66240423fd5ba87854cc2b71132f11271ec7))
 * **univention-management-stack:** Add switch "univentionManagementStack.enabled" ([471a2fa](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/471a2fa26205b8ca3afb5eeeb4524897a57f5c20))
 * **univention-management-stack:** Adjust Ingress configuration for portal-server ([13bcd78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/13bcd785e8f7db22d20903020e0cdd28094309a9))
 * **univention-management-stack:** Adjust Ingress configuration for umc ([320da3b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/320da3bec3a49d974765e567878d5c2f2b4e93ef))
 * **univention-management-stack:** Adjust Ingress configuration of notifications-api ([5e1a7b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5e1a7b19e278147d010c48dac2da111f828dd115))
 * **univention-management-stack:** Adjust ingress configuration of the portal-frontend ([c54bab1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c54bab165bf81854471d790200781b4181eba22a))
 * **univention-management-stack:** Adjust Ingress configuration of udm-rest-api ([c61b1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c61b1b828150caa8d2fe1a5b9f0a862b2fbef4f1))
 * **univention-management-stack:** Adjust Ingress conifguration of store-dav ([96097e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/96097e470483a5251acd81eb772da70ad7f55137))
 * **univention-management-stack:** Configure cookie banner data ([12c931f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/12c931fcff5536116af11df1c9c0468429949fe2))
 * **univention-management-stack:** Define resource requests and limits ([2f8a298](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2f8a2989250ea0f3b50dd3417f214a8864fe62d0))
 * **univention-management-stack:** Disable istio for the stack ([4835a2b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4835a2beec408ec6267177f82257edd9ccb0d937))
 * **univention-management-stack:** Prepare persistence configuration ([7ab1cb5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7ab1cb5c7e7bca85394eae2ed17141e513dd5a42))
 * **univention-management-stack:** Process bases before releases ([ec3f1d9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ec3f1d96ac17cf1fb9d34ab692240460d5bd4ba1))
 * **univention-management-stack:** Set externalDomainName for bootstrapping the stack ([0ba71f2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ba71f2749eaf51b09429a5f3c705bd0075c1efa))
 * **univention-management-stack:** Split templated from static values ([09079a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/09079a13031be7894a34bf92945bd25a040c2290))
 * **univention-management-stack:** Split values into templated and static ([d3c4390](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d3c439038a2551ec90324ab8659d24b65b223d4f))
 * **univention-management-stack:** Update portal-listener to leverage dependency waiting ([c840608](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c84060811229bb131bcd473a9e4668dfa73f97d7))
 * **univention-management-stack:** Use global secrets to fill initialPasswordAdministrator ([a4bab40](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a4bab4068dc298056ed864e60a244d49a2934c8b))
 * **univention-management-stack:** Use global secrets to populate ldap related secrets ([9409ad8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9409ad829a725c84ebc3de5d1c4d42fe735e9d0c))
 * **univention-management-stack:** Use global secrets to set store-dav related passwords ([90019e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/90019e3ef6de5e4ed1742ee9ddc3bbb256cd3dec))
 * **univention-management-stack:** Use ldap base DN "dc=swp-ldap,dc=internal" ([77e362f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/77e362f6bc053c5d456bf65649f15130ce53547c))
 * **univention-management-stack:** Use postgresql service for notifications-api ([fe0e0cd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fe0e0cdce4622352afbf74875adcae8324d769a3))
 * **univention-management-stack:** Use the prefix "ums-" for all releases ([edb25bd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/edb25bd7655beeefa73a62fb9a8c85e076c4cc2f))
 * **univention-management-stack:** Use the value "global.imagePullPolicy" ([15db5dc](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15db5dcbba33c39f752499f2d73c77cac32d1e8c))
 ## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)
 ### Bug Fixes
 * **collabora:** Update Ingress annotations and set securityContext ([b5583ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b5583caec10c24e3bfb312edcb2800e6a60a9b10))
 * **element:** Improve default container security settings ([882f1fb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/882f1fbc93ceb4ac33683d445e100e445798b202))
 * **element:** Update opendesk element version to 2.0.1 ([d725b93](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d725b937989987ffacf87d7a9ee05803dcdd4c93))
 * **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e120f5fb9a91b80ba71ce78eace99852b4da5fda))
 * **helmfile:** Update images and use a tag and digest together ([c7fc187](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c7fc187f14b78cdcc698abbbaec1ba0bbfc718a1))
 * **services:** Explicitly set securityContexts ([a799db0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a799db03c4115ba69303be1c265f7aefef95d659))
 * **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e1070eeb0602523c240a91dae1b0869a7cc42a78))
 # [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)
 ### Features
 * **ci:** Selective tests ([d2e7ac9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d2e7ac93481249e9eb7e5e1a41a6c6e333abe2dc))
 ## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
 ### Bug Fixes
 * **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
 * **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
 * **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
 * **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ed7e5e428e5d9213a92f97dc03d72fa3e04334c2))
 * **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
 * **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
 * **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
 * **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
 * **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
 ## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
 ### Bug Fixes
 * **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
 * **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
 * **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
 * **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
 * **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
 * **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
 * **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
 * **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
 ## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
 ### Bug Fixes
 * **collabora:** Add websocket support for NGINX Inc. Ingress ([6e5ef63](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e5ef639c22aad93fd2d0eb75f7a1ffc00d6cc9a))
 * **docs:** Add security part in README ([ff462ab](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ff462ab0dc2252cc7b517874f5337427b8d19053))
 * **docs:** Update scaling docs ([63a1e25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/63a1e2568e8c5ff62081c6e6594d2019c1aa4b74))
 * **helmfile:** Reduce icap resources in default enviroment ([c5ab1b8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c5ab1b81fecbce46788c50b282ed6d1770124fa5))
 * **helmfile:** Update clamav and nextcloud images in default environment ([4f2a8ae](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4f2a8aeee4ee6c3d27b1c8a99bad14f603486be5))
 * **nextcloud:** Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([6e68f7f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6e68f7f28c937319d93f8afe1dbb302012f77233))
 * **nextcloud:** Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([cef11ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cef11acbae28510809f9bfa13224dc3a6996207f))
 * **nextcloud:** Use clamav-icap when clamavDistributed is activated ([41d40c9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41d40c9b731b866da2666fa4ffa8cb6493737112))
 * **services:** Enable security context and use default increased security settings ([9a6d240](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9a6d2409a697f7e9811a0f4f8d31bb18bac1b926))
 * **services:** Fix image registry templates for postfix ([6321ff5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6321ff50a00203abbfb7f5822e67a3c0e00d4b01))
 * **services:** Replace image digest by tag ([f758293](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f7582932412f13b1a087d40459e97cf633b1a97e))
 * **services:** Set readOnlyRootFilesystem to true on master ([5fbf86b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5fbf86b6bc7b63c81b3ac07c5e0fa8cd464fdad1))
 * **services:** Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([9d78664](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9d7866480cee889fd3b3003b2eea313a6ed73344))
 ## [0.2.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.7...v0.2.8) (2023-08-31)
--- a/README.md
+++ b/README.md
@@ -91,8 +91,6 @@ installation.
 | `DOMAIN`            | `souvap.cloud`        | External reachable domain                         |
 | `ISTIO_DOMAIN`      | `istio.souvap.cloud`  | External reachable domain for Istio Gateway       |
 | `MASTER_PASSWORD`   | `sovereign-workplace` | The password that seeds the autogenerated secrets |
 | `SMTP_PASSWORD`     |                       | Password for SMTP relay gateway                   |
 | `TURN_CREDENTIALS`  |                       | Credentials for coturn server                     |
 Please ensure that you set the DNS records pointing to the loadbalancer/IP for
 `DOMAIN` and `ISTIO_DOMAIN`.
@@ -218,6 +216,7 @@ subdirectory `/helmfile/apps/services`.
 | PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                       | Eval       |
 | Redis                       | `redis.enabled`                     | `true`  | Cache Database                 | Eval       |
 | Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal   | Functional |
 | Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal   | Eval       |
 | XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                  | Functional |
@@ -280,30 +279,90 @@ the application to your own database instances.
 ### Scaling
 The Replicas of components can be increased, while we still have to look in the
-actual scalability of the components (see column `Scales at least to 2`).
+actual scalability of the components (see column `Scaling (verified)`).
-| Component   | Name                   | Default | Service            | Scaling            | Scales at least to 2 |
+| Component   | Name                   | Scaling (effective) | Scaling (verified) |
-|-------------|------------------------|---------|--------------------|--------------------|----------------------|
+|-------------|------------------------|:-------------------:|:------------------:|
-| ClamAV      | `replicas.clamav`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| ClamAV      | `replicas.clamav`      | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.clamd`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.clamd`       | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.freshclam`   | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.freshclam`   |         :x:         |        :x:         |
-|             | `replicas.icap`        | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.milter`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
-| Collabora   | `replicas.collabora`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
-| Dovecot     | `replicas.dovecot`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
-| Element     | `replicas.element`     | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+| Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.synapse`     | `1`     | :white_check_mark: | :x:                | not tested           |
+|             | `replicas.synapse`     |         :x:         |       :gear:       |
-|             | `replicas.synapseWeb`  | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.synapseWeb`  | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.wellKnown`   | `2`     | :white_check_mark: | :white_check_mark: | :white_check_mark:   |
+|             | `replicas.wellKnown`   | :white_check_mark:  | :white_check_mark: |
-| Jitsi       | `replicas.jibri`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Jitsi       | `replicas.jibri`       | :white_check_mark:  |       :gear:       |
-|             | `replicas.jicofo`      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.jicofo`      | :white_check_mark:  |       :gear:       |
-|             | `replicas.jitsi `      | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+|             | `replicas.jitsi `      | :white_check_mark:  |       :gear:       |
-|             | `replicas.jvb `        | `1`     | :white_check_mark: | :x:                | :x:                  |
+|             | `replicas.jvb `        |         :x:         |        :x:         |
-| Keycloak    | `replicas.keycloak`    | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Keycloak    | `replicas.keycloak`    | :white_check_mark:  |       :gear:       |
-| Nextcloud   | `replicas.nextcloud`   | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| Nextcloud   | `replicas.nextcloud`   | :white_check_mark:  |       :gear:       |
-| OpenProject | `replicas.openproject` | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| OpenProject | `replicas.openproject` | :white_check_mark:  |       :gear:       |
-| Postfix     | `replicas.postfix`     | `1`     | :white_check_mark: | :x:                | not tested           |
+| Postfix     | `replicas.postfix`     |         :x:         |       :gear:       |
-| XWiki       | `replicas.xwiki`       | `1`     | :white_check_mark: | :white_check_mark: | not tested           |
+| XWiki       | `replicas.xwiki`       | :white_check_mark:  |       :gear:       |
 ### Mail/SMTP configuration
 To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from 
 the whole subdomain.
 ```yaml
 smtp:
  host:     # your SMTP host or IP-address
  username: # username/email for authentication
  password: # password for authentication, or via environment variable SMTP_PASSWORD
 ```
 ### TURN configuration
 Some components (Jitsi, Element) use for direct communication a TURN server.
 You can configure your own TURN server with these options:
 ```yaml
 turn:
  transport:   # "udp" or "tcp"
  credentials: # turn credential string
  server:      # configuration for unsecure connections
    host:      # your TURN host or IP-address
    port:      # server port
  tls:         # configuration for secure connections
    host:      # your TURN host or IP-address
    port:      # server port
 ```
 ## Security
 This list gives you an overview of default security settings and if they comply with security standards:
 | Component  | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
 |------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
 | ClamAV     | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |            | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |            | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |            | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 | Collabora  | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
 | Element    | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
 |            | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  | 
 |            | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
 |            | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
 | Jitsi      | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |            | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |            | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
 |            | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |            | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |            | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 | Keycloak   | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
 |            | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 |            | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |            | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 | MariaDB    | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 | Postfix    | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
 | PostgreSQL | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 # Component integration
@@ -434,17 +493,14 @@ components we are going to cover various aspects:
 ## Tests
-There is a frontend end-to-end test suite that can get triggered if the
+The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
-deployment is performed via a Gitlab pipeline.
+The `DEPLOY_`-variables are used to determine which components should be tested.
 In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
-Currently, the test suite is in progress to be published, so right now it is
+If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
-only usable by project members. But that will change soon, and it could be used
+`TESTS_BRANCH` while creating a new pipeline.
 to create custom tests and perform them after deployment.
 The deployment pipeline provides a variable named `TESTS_PROJECT_URL` that
 points to the test pipeline residing in another Gitlab repository. At the end of
 the deployment the test pipeline is triggered. Tests are just performed for
 components that have been deployed prior.
 # Footnotes
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -9,6 +9,7 @@ helmfiles:
  - path: "helmfile/apps/services/helmfile.yaml"
  - path: "helmfile/apps/keycloak/helmfile.yaml"
  - path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
  - path: "helmfile/apps/univention-management-stack/helmfile.yaml"
  - path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
  - path: "helmfile/apps/intercom-service/helmfile.yaml"
  - path: "helmfile/apps/open-xchange/helmfile.yaml"
--- a/helmfile/apps/collabora/values.gotmpl
+++ b/helmfile/apps/collabora/values.gotmpl
@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
  tag: "{{ .Values.images.collabora.tag }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
@@ -32,14 +33,9 @@ collabora:
  aliasgroups:
    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 {{- if not (eq .Values.cluster.container.engine "containerd") }}
 # In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate:
 # Ref.: https://github.com/CollaboraOnline/online/issues/2800
 securityContext:
  capabilities:
    add:
      - "MKNOD"
 {{- end }}
 replicaCount: {{ .Values.replicas.collabora }}
 resources:
  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/collabora/values.yaml
+++ b/helmfile/apps/collabora/values.yaml
@@ -14,19 +14,74 @@ collabora:
 ingress:
  annotations:
-    # nginx
+    # Ingress NGINX
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/server-snippet: |
      # block admin and metrics endpoint from outside by default
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
    # NGINX
    nginx.org/websocket-services: "collabora"
    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
    nginx.org/proxy-read-timeout: "600"
    nginx.org/proxy-send-timeout: "600"
    nginx.org/client-max-body-size: "0"
    nginx.org/server-snippets: |
      # block admin and metrics endpoint from outside by default
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
    # HAProxy
    haproxy.org/timeout-tunnel: "3600s"
    haproxy.org/backend-config-snippet: |
-     mode http
+       balance url_param WOPISrc check_post
-      balance leastconn
+       hash-type consistent
-      stick-table type string len 2048 size 1k store conn_cur
+    # HAProxy - Community: https://haproxy-ingress.github.io/
-      http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
+    haproxy-ingress.github.io/timeout-tunnel: "3600s"
-      http-request track-sc1 url_param(WOPISrc)
+    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
-      stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
+    haproxy-ingress.github.io/config-backend: |
-      stick store-request url_param(WOPISrc)
+      hash-type consistent
-
+      # block admin urls from outside
      acl admin_url path_beg /cool/getMetrics
      acl admin_url path_beg /cool/adminws/
      acl admin_url path_beg /browser/dist/admin/admin.html
      http-request deny if admin_url
 autoscaling:
  enabled: false
 serviceAccount:
  create: true
 securityContext:
  allowPrivilegeEscalation: true
  privileged: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 100
  runAsGroup: 101
  seccompProfile:
    type: "RuntimeDefault"
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
      - "MKNOD"
 podSecurityContext:
  fsGroup: 100
 ...
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -2,38 +2,41 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-element-repo"
+  - name: "opendesk-element-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
 releases:
-  - name: "sovereign-workplace-element"
+  - name: "opendesk-element"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-element"
+    chart: "opendesk-element-repo/opendesk-element"
-    version: "1.3.0"
+    version: "2.0.1"
    values:
      - "values-element.yaml"
      - "values-element.gotmpl"
    condition: "element.enabled"
-  - name: "sovereign-workplace-well-known"
+  - name: "opendesk-well-known"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-well-known"
+    chart: "opendesk-element-repo/opendesk-well-known"
-    version: "1.3.0"
+    version: "2.0.1"
    values:
      - "values-well-known.yaml"
      - "values-well-known.gotmpl"
    condition: "element.enabled"
-  - name: "sovereign-workplace-synapse-web"
+  - name: "opendesk-synapse-web"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse-web"
+    chart: "opendesk-element-repo/opendesk-synapse-web"
-    version: "1.3.0"
+    version: "2.0.1"
    values:
      - "values-synapse-web.yaml"
      - "values-synapse-web.gotmpl"
    condition: "element.enabled"
-  - name: "sovereign-workplace-synapse"
+  - name: "opendesk-synapse"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse"
+    chart: "opendesk-element-repo/opendesk-synapse"
-    version: "1.3.0"
+    version: "2.0.1"
    values:
      - "values-synapse.yaml"
      - "values-synapse.gotmpl"
    condition: "element.enabled"
--- a/helmfile/apps/element/values-element.gotmpl
+++ b/helmfile/apps/element/values-element.gotmpl
@@ -16,6 +16,7 @@ configuration:
    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.element.repository }}"
  tag: "{{ .Values.images.element.tag }}"
--- a/helmfile/apps/element/values-element.yaml
+++ b/helmfile/apps/element/values-element.yaml
@@ -0,0 +1,21 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-synapse-web.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.synapseWeb.repository }}"
  tag: "{{ .Values.images.synapseWeb.tag }}"
--- a/helmfile/apps/element/values-synapse-web.yaml
+++ b/helmfile/apps/element/values-synapse-web.yaml
@@ -0,0 +1,21 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-synapse.gotmpl
+++ b/helmfile/apps/element/values-synapse.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.synapse.repository }}"
  tag: "{{ .Values.images.synapse.tag }}"
--- a/helmfile/apps/element/values-synapse.yaml
+++ b/helmfile/apps/element/values-synapse.yaml
@@ -0,0 +1,20 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10991
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 10991
 ...
--- a/helmfile/apps/element/values-well-known.gotmpl
+++ b/helmfile/apps/element/values-well-known.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.wellKnown.repository }}"
  tag: "{{ .Values.images.wellKnown.tag }}"
--- a/helmfile/apps/element/values-well-known.yaml
+++ b/helmfile/apps/element/values-well-known.yaml
@@ -4,4 +4,22 @@
 configuration:
  e2ee:
    forceDisable: true
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/intercom-service/values.gotmpl
+++ b/helmfile/apps/intercom-service/values.gotmpl
@@ -29,6 +29,7 @@ ics:
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.intercom.repository }}"
  tag: "{{ .Values.images.intercom.tag }}"
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -10,10 +10,11 @@ repositories:
 releases:
  - name: "jitsi"
    chart: "jitsi-repo/sovereign-workplace-jitsi"
-    version: "1.4.1"
+    version: "1.5.1"
    values:
      - "values-jitsi.gotmpl"
    condition: "jitsi.enabled"
    timeout: 900
 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/jitsi/values-jitsi.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.gotmpl
@@ -12,6 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
  tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
@@ -118,6 +119,7 @@ patchJVB:
    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
  image:
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
    tag: "{{ .Values.images.jitsiPatchJVB.tag }}"
--- a/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
+++ b/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
@@ -19,6 +19,7 @@ image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.keycloakBootstrap.repository }}"
  tag: "{{ .Values.images.keycloakBootstrap.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 resources:
  {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
--- a/helmfile/apps/keycloak/values-extensions.gotmpl
+++ b/helmfile/apps/keycloak/values-extensions.gotmpl
@@ -18,12 +18,8 @@ handler:
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
 {{- if .Values.images.keycloakExtensionHandler.digest }}
    sha256: "{{ .Values.images.keycloakExtensionHandler.digest}}"
 {{- else if .Values.images.keycloakExtensionHandler.tag }}
    tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
-{{- end }}
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
    imagePullPolicy: "Always"
  appConfig:
    smtpPassword: "{{ .Values.smtp.password }}"
    smtpHost: "{{ .Values.smtp.host }}"
@@ -35,18 +31,11 @@ proxy:
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
 {{- if .Values.images.keycloakExtensionProxy.digest }}
    sha256: "{{ .Values.images.keycloakExtensionProxy.digest}}"
 {{- else if .Values.images.keycloakExtensionProxy.tag }}
    tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
-{{- end }}
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
    imagePullPolicy: "Always"
  ingress:
    enabled: "{{ .Values.ingress.enabled }}"
    ingressClassName: "{{ .Values.ingress.ingressClassName }}"
    annotations:
      nginx.org/proxy-buffer-size: "8k"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    tls:
      enabled: "{{ .Values.ingress.tls.enabled }}"
--- a/helmfile/apps/keycloak/values-extensions.yaml
+++ b/helmfile/apps/keycloak/values-extensions.yaml
@@ -11,11 +11,35 @@ global:
 handler:
  appConfig:
    captchaProtectionEnable: "False"
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
 postgresql:
  enabled: false
 proxy:
-  image:
+  ingress:
-    tag: "latest"
+    annotations:
      nginx.org/proxy-buffer-size: "8k"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
 ...
--- a/helmfile/apps/keycloak/values-keycloak.gotmpl
+++ b/helmfile/apps/keycloak/values-keycloak.gotmpl
@@ -13,7 +13,7 @@ image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.keycloak.repository }}"
  tag: "{{ .Values.images.keycloak.tag }}"
-  digest: "{{ .Values.images.keycloak.digest }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 externalDatabase:
  host: "{{ .Values.databases.keycloak.host }}"
@@ -81,6 +81,8 @@ keycloakConfigCli:
      value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
    - name: "LDAPSEARCH_USERNAME"
      value: "ldapsearch_keycloak"
  resources:
    {{ .Values.resources.keycloak | toYaml | nindent 4 }}
 resources:
  {{ .Values.resources.keycloak | toYaml | nindent 2 }}
--- a/helmfile/apps/keycloak/values-keycloak.yaml
+++ b/helmfile/apps/keycloak/values-keycloak.yaml
@@ -54,5 +54,32 @@ keycloakConfigCli:
    - "--import.var-substitution.enabled=true"
  cache:
    enabled: false
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
 podSecurityContext:
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -2,37 +2,40 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-nextcloud-bootstrap-repo"
+  - name: "opendesk-nextcloud-bootstrap-repo"
    oci: true
    # yamllint disable rule:line-length
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         default "https://gitlab.souvap-univention.de/api/v4/projects/130/packages/helm/stable" }}
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
    # yamllint enable rule:line-length
  - name: "nextcloud-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://nextcloud.github.io/helm/" }}
 releases:
-  - name: "sovereign-workplace-nextcloud-bootstrap"
+  - name: "opendesk-nextcloud-bootstrap"
-    chart: "sovereign-workplace-nextcloud-bootstrap-repo/sovereign-workplace-nextcloud-bootstrap"
+    chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
-    version: "2.3.0"
+    version: "3.1.1"
    wait: true
    waitForJobs: true
    values:
      - "values-bootstrap.gotmpl"
      - "values-bootstrap.yaml"
    condition: "nextcloud.enabled"
-    timeout: 1800
+    timeout: 900
  - name: "nextcloud"
    chart: "nextcloud-repo/nextcloud"
    version: "3.5.19"
    needs:
-      - "sovereign-workplace-nextcloud-bootstrap"
+      - "opendesk-nextcloud-bootstrap"
    values:
      - "values-nextcloud.gotmpl"
      - "values-nextcloud.yaml"
    condition: "nextcloud.enabled"
-    timeout: 1800
+    timeout: 900
 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/nextcloud/values-bootstrap.gotmpl
+++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
@@ -18,7 +18,7 @@ config:
  antivirus:
    {{- if .Values.clamavDistributed.enabled }}
-    host: "clamav-sovereign-workplace-icap"
+    host: "clamav-icap"
    {{- else if .Values.clamavSimple.enabled }}
    host: "clamav-simple"
    {{- end }}
@@ -44,6 +44,7 @@ config:
    password: "{{ .Values.smtp.password }}"
 image:
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.nextcloud.repository }}"
  tag: "{{ .Values.images.nextcloud.tag }}"
--- a/helmfile/apps/nextcloud/values-nextcloud.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.gotmpl
@@ -25,7 +25,7 @@ ingress:
        - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.nextcloud.tag }}"
  pullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml
@@ -21,6 +21,11 @@ cronjob:
        sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
        \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
 ingress:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
    nginx.org/client-max-body-size: "4G"
 internalDatabase:
  enabled: false
 postgresql:
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -24,21 +24,26 @@ releases:
      - "values-dovecot.yaml"
      - "values-dovecot.gotmpl"
    condition: "dovecot.enabled"
    timeout: 900
  - name: "open-xchange"
    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
-    version: "2.0.3"
+    version: "2.0.4"
    values:
      - "values-openxchange.yaml"
      - "values-openxchange.gotmpl"
      - "values-openxchange-enterprise-contact-picker.yaml"
      - "values-openxchange-enterprise-contact-picker.gotmpl"
    condition: "oxAppsuite.enabled"
    timeout: 900
  - name: "sovereign-workplace-open-xchange-bootstrap"
    chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
    version: "1.3.1"
    values:
      - "values-openxchange-bootstrap.yaml"
    condition: "oxAppsuite.enabled"
    timeout: 900
 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/open-xchange/values-dovecot.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.gotmpl
@@ -6,7 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  url: "{{ .Values.images.dovecot.repository }}"
-  digest: "{{ .Values.images.dovecot.digest }}"
+  tag: "{{ .Values.images.dovecot.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl
@@ -6,7 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
-  digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
+  tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
--- a/helmfile/apps/open-xchange/values-openxchange.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.gotmpl
@@ -34,6 +34,7 @@ public-sector-ui:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
  {{- end }}
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 appsuite:
  istio:
@@ -52,6 +53,15 @@ appsuite:
  core-mw:
    masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    gotenberg:
      imagePullSecrets:
      {{- range .Values.global.imagePullSecrets }}
        - name: {{ . }}
      {{- end }}
      image:
        repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}
        tag: {{ .Values.images.openxchangeGotenberg.tag }}
        pullPolicy: "{{ .Values.global.imagePullPolicy }}"
    properties:
      "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
      "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -96,6 +106,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreMW.repository }}
      tag: {{ .Values.images.openxchangeCoreMW.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
    update:
      image:
        repository: {{ .Values.images.openxchangeCoreMW.repository }}
@@ -113,6 +124,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreUI.repository }}
      tag: {{ .Values.images.openxchangeCoreUI.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  core-ui-middleware:
    ingress:
@@ -126,6 +138,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  core-guidedtours:
    imagePullSecrets:
@@ -135,6 +148,7 @@ appsuite:
    image:
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  guard-ui:
    imagePullSecrets:
@@ -144,11 +158,13 @@ appsuite:
    image:
      repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
      tag: {{ .Values.images.openxchangeGuardUI.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  core-user-guide:
    image:
      repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
      tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml
@@ -9,6 +9,8 @@ appsuite:
  core-mw:
    enabled: true
    masterAdmin: "admin"
    gotenberg:
      enabled: true
    features:
      status:
        # enable admin pack
@@ -22,6 +24,13 @@ appsuite:
        open-xchange-authentication-oauth: "enabled"
    properties:
      com.openexchange.UIWebPath: "/appsuite/"
      # PDF Export
      com.openexchange.capability.mail_export_pdf: "true"
      com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
      com.openexchange.mail.exportpdf.collabora.enabled: "true"
      com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
      com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
      com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
      # OIDC
      com.openexchange.oidc.enabled: "true"
      com.openexchange.oidc.autologinCookieMode: "ox_direct"
@@ -120,6 +129,8 @@ appsuite:
      # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
      io.ox/core//apps/quickLaunchCount: "0"
      io.ox/core//coloredIcons: "false"
      # Mail templates
      io.ox/core//features/templates: "true"
    asConfig:
      default:
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -10,7 +10,7 @@ global:
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.openproject.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.openproject.tag }}"
 memcached:
--- a/helmfile/apps/openproject/values.yaml
+++ b/helmfile/apps/openproject/values.yaml
@@ -34,12 +34,14 @@ environment:
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
  OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
  OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
--- a/helmfile/apps/provisioning/values-oxconnector.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.gotmpl
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.oxConnector.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.oxConnector.tag }}"
 imagePullSecrets:
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -7,13 +7,15 @@ repositories:
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
  - name: "postgresql-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/83/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
  - name: "mariadb-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/86/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
  - name: "postfix-repo"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -23,13 +25,14 @@ repositories:
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
  - name: "clamav-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/73/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
  - name: "bitnami-repo"
    oci: true
    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "registry-1.docker.io/bitnamicharts" }}
 releases:
@@ -41,48 +44,51 @@ releases:
    condition: "certificates.enabled"
  - name: "redis"
    chart: "bitnami-repo/redis"
-    version: "17.9.3"
+    version: "18.0.4"
    values:
      - "values-redis.gotmpl"
      - "values-redis.yaml"
    condition: "redis.enabled"
  - name: "postgresql"
    chart: "postgresql-repo/postgresql"
-    version: "2.0.0"
+    version: "2.0.2"
    values:
      - "values-postgresql.yaml"
      - "values-postgresql.gotmpl"
    condition: "postgresql.enabled"
  - name: "mariadb"
    chart: "mariadb-repo/mariadb"
-    version: "2.0.0"
+    version: "2.1.0"
    values:
      - "values-mariadb.yaml"
      - "values-mariadb.gotmpl"
    condition: "mariadb.enabled"
  - name: "postfix"
    chart: "postfix-repo/postfix"
-    version: "1.13.0"
+    version: "2.0.3"
    values:
      - "values-postfix.yaml"
      - "values-postfix.gotmpl"
    condition: "postfix.enabled"
  - name: "clamav"
-    chart: "clamav-repo/sovereign-workplace-clamav"
+    chart: "clamav-repo/opendesk-clamav"
-    version: "2.1.0"
+    version: "4.0.0"
    values:
      - "values-clamav-distributed.yaml"
      - "values-clamav-distributed.gotmpl"
    condition: "clamavDistributed.enabled"
  - name: "clamav-simple"
    chart: "clamav-repo/clamav-simple"
-    version: "2.1.0"
+    version: "4.0.0"
    values:
      - "values-clamav-simple.yaml"
      - "values-clamav-simple.gotmpl"
    condition: "clamavSimple.enabled"
  - name: "sovereign-workplace-gateway"
    chart: "istio-resources-repo/istio-gateway"
    version: "1.1.2"
    values:
      - "values-istio-gateway.yaml"
      - "values-istio-gateway.gotmpl"
    condition: "istio.enabled"
--- a/helmfile/apps/services/values-clamav-distributed.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.gotmpl
@@ -5,25 +5,23 @@ SPDX-License-Identifier: Apache-2.0
 ---
 clamd:
  podSecurityContext:
    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
    enabled: false
  replicaCount: {{ .Values.replicas.clamd }}
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.clamd.repository }}"
    tag: "{{ .Values.images.clamd.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.clamd | toYaml | nindent 4 }}
 freshclam:
  podSecurityContext:
    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
    enabled: false
  replicaCount: {{ .Values.replicas.freshclam }}
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.freshclam.repository }}"
    tag: "{{ .Values.images.freshclam.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.freshclam | toYaml | nindent 4 }}
@@ -37,18 +35,18 @@ icap:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.icap.repository }}"
    tag: "{{ .Values.images.icap.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.icap | toYaml | nindent 4 }}
 milter:
  podSecurityContext:
    {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
    enabled: false
  replicaCount: {{ .Values.replicas.milter }}
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.milter.repository }}"
    tag: "{{ .Values.images.milter.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  resources:
    {{ .Values.resources.milter | toYaml | nindent 4 }}
--- a/helmfile/apps/services/values-clamav-distributed.yaml
+++ b/helmfile/apps/services/values-clamav-distributed.yaml
@@ -0,0 +1,80 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  enabled: true
  readOnlyRootFilesystem: true
 clamd:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 100
    runAsGroup: 101
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    enabled: true
    fsGroup: 101
    fsGroupChangePolicy: "Always"
 freshclam:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 100
    runAsGroup: 101
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    enabled: true
    fsGroup: 101
    fsGroupChangePolicy: "Always"
 icap:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 100
    runAsGroup: 101
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    enabled: true
    fsGroup: 101
    fsGroupChangePolicy: "Always"
 milter:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 100
    runAsGroup: 101
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  podSecurityContext:
    enabled: true
    fsGroup: 101
    fsGroupChangePolicy: "Always"
 ...
--- a/helmfile/apps/services/values-clamav-simple.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.gotmpl
@@ -3,11 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 podSecurityContext:
  {{/* Disabled until NFS Provisioner on IONOS is fixed */}}
  enabled: false
 replicaCount: {{ .Values.replicas.clamav }}
 image:
@@ -15,10 +10,12 @@ image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.clamd.repository }}"
    tag: "{{ .Values.images.clamd.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  icap:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.icap.repository }}"
    tag: "{{ .Values.images.icap.tag }}"
    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 resources:
  {{ .Values.resources.clamd | toYaml | nindent 4 }}
--- a/helmfile/apps/services/values-clamav-simple.yaml
+++ b/helmfile/apps/services/values-clamav-simple.yaml
@@ -0,0 +1,19 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  runAsUser: 100
  runAsGroup: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
  fsGroupChangePolicy: "Always"
 ...
--- a/helmfile/apps/services/values-istio-gateway.yaml
+++ b/helmfile/apps/services/values-istio-gateway.yaml
@@ -0,0 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 tls:
  httpsRedirect: false
 ...
--- a/helmfile/apps/services/values-mariadb.gotmpl
+++ b/helmfile/apps/services/values-mariadb.gotmpl
@@ -11,6 +11,7 @@ global:
 image:
  repository: "{{ .Values.images.mariadb.repository }}"
  tag: "{{ .Values.images.mariadb.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 # Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
 # Please refer to `databases.yaml` for details.
--- a/helmfile/apps/services/values-mariadb.yaml
+++ b/helmfile/apps/services/values-mariadb.yaml
@@ -1,6 +1,25 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1001
  runAsGroup: 1001
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 job:
  enabled: true
 podSecurityContext:
  enabled: true
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile/apps/services/values-postfix.gotmpl
+++ b/helmfile/apps/services/values-postfix.gotmpl
@@ -3,14 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-image:
+global:
-  url: "{{ .Values.global.imageRegistry }}/{{ .Values.images.postfix.repository }}"
+  registry: {{ .Values.global.imageRegistry }}
-  digest: "{{ .Values.images.postfix.digest }}"
+  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-imagePullSecrets:
+image:
-{{- range .Values.global.imagePullSecrets }}
+  registry: {{ .Values.global.imageRegistry }}
-  - name: {{ . }}
+  repository: "{{ .Values.images.postfix.repository }}"
-{{- end }}
+  tag: "{{ .Values.images.postfix.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 certificate:
  secretName: "{{ .Values.ingress.tls.secretName }}"
--- a/helmfile/apps/services/values-postfix.yaml
+++ b/helmfile/apps/services/values-postfix.yaml
@@ -5,6 +5,19 @@ certificate:
  request:
    enabled: false
 containerSecurityContext:
  allowPrivilegeEscalation: true
  capabilities: {}
  enabled: true
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: false
 podSecurityContext:
  enabled: true
  fsGroup: 101
 postfix:
  hostname: "postfix"
  inetProtocols: "ipv4"
--- a/helmfile/apps/services/values-postgresql.gotmpl
+++ b/helmfile/apps/services/values-postgresql.gotmpl
@@ -11,6 +11,7 @@ global:
 image:
  repository: "{{ .Values.images.postgresql.repository }}"
  tag: "{{ .Values.images.postgresql.tag }}"
  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 job:
  users:
--- a/helmfile/apps/services/values-postgresql.yaml
+++ b/helmfile/apps/services/values-postgresql.yaml
@@ -1,11 +1,29 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-enabled: true
+containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  runAsUser: 1001
  runAsGroup: 1001
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 job:
  image:
    digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
 podSecurityContext:
  enabled: true
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
 postgres:
  user: "postgres"
 ...
--- a/helmfile/apps/services/values-redis.gotmpl
+++ b/helmfile/apps/services/values-redis.gotmpl
@@ -16,6 +16,7 @@ image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.redis.repository }}"
  tag: "{{ .Values.images.redis.tag }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 master:
  persistence:
--- a/helmfile/apps/services/values-redis.yaml
+++ b/helmfile/apps/services/values-redis.yaml
@@ -8,4 +8,8 @@ sentinel:
 metrics:
  enabled: false
 master:
  containerSecurityContext:
    readOnlyRootFilesystem: true
 ...
--- a/helmfile/apps/univention-corporate-container/values.gotmpl
+++ b/helmfile/apps/univention-corporate-container/values.gotmpl
@@ -13,7 +13,7 @@ global:
 image:
  registry: "{{ .Values.global.imageRegistry }}"
-  imagePullPolicy: "Always"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
  repository: "{{ .Values.images.univentionCorporateServer.repository }}"
  tag: "{{ .Values.images.univentionCorporateServer.tag }}"
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -0,0 +1,117 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 repositories:
  - name: "univention"
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
 releases:
  - name: "ums-store-dav"
    chart: "univention/store-dav"
    version: "0.2.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-store-dav.gotmpl"
    condition: "univentionManagementStack.enabled"
  - name: "ums-ldap-server"
    chart: "univention/ldap-server"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-ldap-server.gotmpl"
    condition: "univentionManagementStack.enabled"
  - name: "ums-ldap-notifier"
    chart: "univention/ldap-notifier"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-ldap-notifier.gotmpl"
      - "values-ldap-notifier.yaml"
    condition: "univentionManagementStack.enabled"
  - name: "ums-udm-rest-api"
    chart: "univention/udm-rest-api"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-udm-rest-api.gotmpl"
    condition: "univentionManagementStack.enabled"
  - name: "ums-stack-data-ums"
    chart: "univention/stack-data-ums"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-stack-data-ums.gotmpl"
    condition: "univentionManagementStack.enabled"
  - name: "ums-stack-data-swp"
    chart: "univention/stack-data-swp"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-stack-data-swp.gotmpl"
    condition: "univentionManagementStack.enabled"
  - name: "ums-portal-server"
    chart: "univention/portal-server"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-portal-server.gotmpl"
    condition: "univentionManagementStack.enabled"
  - name: "ums-notifications-api"
    chart: "univention/notifications-api"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-notifications-api.gotmpl"
      - "values-notifications-api.yaml"
    condition: "univentionManagementStack.enabled"
  - name: "ums-portal-listener"
    chart: "univention/portal-listener"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-portal-listener.gotmpl"
      - "values-portal-listener.yaml"
    condition: "univentionManagementStack.enabled"
  - name: "ums-portal-frontend"
    chart: "univention/portal-frontend"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-portal-frontend.gotmpl"
    condition: "univentionManagementStack.enabled"
  - name: "ums-umc-gateway"
    chart: "univention/umc-gateway"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-umc-gateway.gotmpl"
      - "values-umc-gateway.yaml"
    condition: "univentionManagementStack.enabled"
  - name: "ums-umc-server"
    chart: "univention/umc-server"
    version: "0.1.0"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-umc-server.gotmpl"
    condition: "univentionManagementStack.enabled"
 commonLabels:
  deploy-stage: "component-1"
  component: "univention-management-stack"
--- a/helmfile/apps/univention-management-stack/values-common.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-common.gotmpl
@@ -0,0 +1,14 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
  tls:
    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
    enabled: false
    secretName: ""
--- a/helmfile/apps/univention-management-stack/values-common.yaml
+++ b/helmfile/apps/univention-management-stack/values-common.yaml
@@ -0,0 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 istio:
  enabled: false
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl
@@ -0,0 +1,20 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsLdapNotifier.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsLdapNotifier.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
 resources:
  {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
@@ -0,0 +1,10 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 volumes:
  claims:
    shared-data: "shared-data-ums-ldap-server-0"
    shared-run: "shared-run-ums-ldap-server-0"
 ...
--- a/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
@@ -0,0 +1,44 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 ldapServer:
  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  # TODO: Certificates handling
  # caCert: ""
  # certPem: ""
  # privateKey: ""
  # dhParam: ""
  tlsMode: "off"
  # TODO: SAML integration
  # samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
  # samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
  # serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsLdapServer.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsLdapServer.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
 # TODO: Pending upstream support, #199
 persistence:
  data:
    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
  shared:
    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
 resources:
  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
@@ -0,0 +1,28 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 postgresql:
  bundled: false
  connection:
    host: "postgresql"
    port: 5432
  auth:
    username: "notificationsapi_user"
    database: "notificationsapi"
    password: {{ .Values.secrets.postgresql.notificationsapiUser }}
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsNotificationsApi.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsNotificationsApi.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
 resources:
  {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 notificationsapi:
  apply_database_migrations: "True"
  dev_mode: "False"
  environment: "staging"
  log_level: "DEBUG"
  sql_echo: "False"
  api_prefix: "/univention/portal/notifications-api"
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
@@ -0,0 +1,31 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsPortalFrontend.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsPortalFrontend.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
 extraIngresses:
  redirects:
    # The TLS configuration is on the "master" Ingress, see below.
    tls:
      enabled: false
  master:
    enabled: {{ .Values.ingress.enabled }}
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: "{{ .Values.ingress.tls.secretName }}"
 resources:
  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
@@ -0,0 +1,54 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 portalListener:
  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
  environment: "staging"
  debugLevel: "4"
  assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
  ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  ldapHost: "ums-ldap-server"
  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
  notifierServer: "ums-ldap-notifier"
  portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
  udmApiUrl: "http://ums-udm-rest-api/udm/"
  udmApiUsername: "cn=admin"
  tlsMode: "off"
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsPortalListener.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsPortalListener.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
  waitForDependency:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
    imagePullPolicy: "Always"
    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
 # TODO: Pending upstream support, #200
 persistence:
  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
  size: "{{ .Values.persistence.size.univentionManagementStack.portalListener }}"
 resources:
  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
 resourcesDependencyWaiter:
  {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml
@@ -0,0 +1,8 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 store-dav:
  bundled: false
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-server.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.gotmpl
@@ -0,0 +1,28 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 portalServer:
  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
  authMode: "saml"
  environment: "staging"
  editable: "true"
  logLevel: "DEBUG"
  ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsPortalServer.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsPortalServer.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
 resources:
  {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
@@ -0,0 +1,38 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataSwp:
  udmApiUsername: "cn=admin"
  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
  udmApiUrl: "http://ums-udm-rest-api/udm/"
  loadDevData: true
 stackDataContext:
  ldapBase: "dc=swp-ldap,dc=internal"
  externalDomainName: "{{ .Values.global.domain }}"
  externalMailDomain: "{{ .Values.global.domain }}"
  portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}"
  portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}"
  portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}"
  portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}"
  portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}"
  portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}"
  oxDefaultContext: "10"
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsDataLoader.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsDataLoader.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
 resources:
  {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
@@ -0,0 +1,31 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataUms:
  udmApiUser: "cn=admin"
  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
  udmApiUrl: "http://ums-udm-rest-api/udm/"
  loadDevData: true
 stackDataContext:
  ldapBase: "dc=swp-ldap,dc=internal"
  initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
  # The SWP configuration brings its own UMC policies.
  installUmcPolicies: false
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsDataLoader.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsDataLoader.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
 resources:
  {{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-store-dav.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-store-dav.gotmpl
@@ -0,0 +1,39 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 storeDav:
  auth:
    basicAuth:
      portal-listener: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}"
      portal-server: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}"
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsStoreDav.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsStoreDav.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
  configHtpasswd:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.umsConfigHtpasswd.repository }}"
    pullPolicy: "Always"
    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
    tag: "{{ .Values.images.umsConfigHtpasswd.tag }}"
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . }}
      {{- end }}
 # TODO: Pending upstream support, #201
 persistence:
  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
  size: "{{ .Values.persistence.size.univentionManagementStack.storeDav }}"
 resources:
  {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
@@ -0,0 +1,44 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 udmRestApi:
  apiLogLevel: "4"
  authGroups:
    dcBackup: "cn=DC Backup Hosts,cn=groups,dc=swp-ldap,dc=internal"
    dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=swp-ldap,dc=internal"
    domainAdmins: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
  ldapHost: "ums-ldap-server"
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  # TODO: This should not be required, the machine account is not there
  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
  # TODO: Secret should be entered without b64enc
  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
  # TODO: Secret should be entered without b64enc
  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
  # TODO: why do we need this many subprocesses?
  numberOfSubprocesses: 8
  # TODO: Stub value currently
  caCert: ""
  # TODO: This should not be part of the udm-rest-api anymore
  loadJoinData:
    enabled: true
  # TODO: configurable
  tlsMode: "off"
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsUdmRestApi.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsUdmRestApi.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
 resources:
  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
@@ -0,0 +1,23 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 umcGateway:
  domainname: "{{ .Values.global.domain }}"
  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
  ssoFqdn: "localhost:8097"
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsUmcGateway.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsUmcGateway.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
 resources:
  {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml
@@ -0,0 +1,18 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 umcGateway:
  showCookieBanner: true
  cookieBannerTitleDE: "Cookie Zustimmung"
  cookieBannerTitleEN: "Cookie Consent"
  cookieBannerTextDE: >-
    Die Nutzung dieses Angebots ist nur möglich, wenn Cookies gespeichert und
    verarbeitet werden können (essenzielle Cookies). Dafür benötigen wir Ihre
    Zustimmung. Bitte akzeptieren Sie um fortzufahren oder schließen Sie die
    Seite.
  cookieBannerTextEN: >-
    Usage of this site is only possible by storing and processing cookie
    information (essential cookies). We require your consent. Please accept to
    continue or close the page.
 ...
--- a/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
@@ -0,0 +1,42 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 umcServer:
  domainname: "{{ .Values.global.domain }}"
  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
  ldapHost: "ums-ldap-server"
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  # TODO: This should not be required, the machine account is not there
  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
  enforceSessionCookie: "true"
  # TODO: The keycloak integration is pending
  samlEnabled: false
  samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
  samlMetadataUrlInternal: "http://keycloak/realms/ucs/protocol/saml/descriptor"
  samlSpServer: "localhost:8000"
  samlSchemes: "http"
  tlsMode: "off"
  # TODO: Secret should be entered without b64enc
  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
  # TODO: Secret should be entered without b64enc
  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
 image:
  registry: "{{ .Values.global.imageRegistry }}"
  repository: "{{ .Values.images.umsUmcServer.repository }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
  tag: "{{ .Values.images.umsUmcServer.tag }}"
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . }}
    {{- end }}
 resources:
  {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -12,11 +12,11 @@ releases:
    chart: "xwiki-repo/xwiki"
    version: "1.1.3"
    wait: true
    timeout: 600
    values:
      - "values.yaml"
      - "values.gotmpl"
    condition: "xwiki.enabled"
    timeout: 900
 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/xwiki/values.gotmpl
+++ b/helmfile/apps/xwiki/values.gotmpl
@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
  name: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}"
  tag: "{{ .Values.images.xwiki.tag }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 externalDB:
  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -25,6 +25,7 @@ global:
    pollWidget: "poll-widget"
    synapse: "matrix"
    univentionCorporateServer: "portal"
    univentionManagementStack: "portal"
    whiteboard: "whiteboard"
    xwiki: "wiki"
@@ -39,4 +40,8 @@ global:
  imagePullSecrets:
    - "external-registry"
  ## Define the policy to pull container images.
  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
  #
  imagePullPolicy: "IfNotPresent"
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -4,130 +4,224 @@
 images:
  clamd:
    repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
    # @supplier: "openDesk DevSecOps"
  collabora:
    # repository: "collabora/code"
    # tag: "23.05.2.2.1"
    repository: "souvap/tooling/images/collabora"
-    tag: "23.05.3.1.1@sha256:f1248a50e67940e3be3dfa58dc37eca73267cf73a679b459707d2520cee7720e"
+    tag: "23.05.4.2.1@sha256:ee9ce83811700f1ff57e1218d22388dbaca96306df33f82aa14b334c5302285a"
    # @supplier: "Collabora"
  dovecot:
    repository: "dovecot/dovecot"
-    digest: "sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
+    tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
    # @supplier: "Open-Xchange"
  element:
-    repository: "souvap/tooling/images/element-web@sha256"
+    repository: "souvap/tooling/images/element-web"
-    tag: "16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
+    tag: "latest@sha256:16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
    # @supplier: "Element"
  freshclam:
    repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
    # @supplier: "openDesk DevSecOps"
  jibri:
    repository: "jitsi/jibri"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
    # @supplier: "Nordeck"
  jicofo:
    repository: "jitsi/jicofo"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:820fcd4b072b29f42c1c37389fbefda1065f1e9654694941485dc08123c8a93b"
    # @supplier: "Nordeck"
  jitsi:
    repository: "jitsi/web"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:24bd4179998fe01ace1be74e53fea5308f4d91722953bb4334611e6886753f46"
    # @supplier: "Nordeck"
  jitsiKeycloakAdapter:
    repository: "nordeck/jitsi-keycloak-adapter"
-    tag: "v20230816"
+    tag: "v20230906@sha256:54d45ee1a1205f98641810ffb171bd92e6478e2957a349ee4ff599359239fbf2"
    # @supplier: "Nordeck"
  jitsiPatchJVB:
    repository: "bitnami/kubectl"
-    tag: "1.26.6"
+    tag: "1.26.8@sha256:c6902a1fdce0a24c9f93ac8d1f317039b206a4b307d8fc76cab4a92911345757"
    # @supplier: "Nordeck"
  jvb:
    repository: "jitsi/jvb"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
    # @supplier: "Nordeck"
  icap:
-    repository: "souvap/tooling/images/c-icap/c-icap-clamav"
+    repository: "souvap/tooling/images/c-icap"
-    tag: "1.0.4"
+    tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
    # @supplier: "openDesk DevSecOps"
  intercom:
    repository: "univention/intercom-service"
-    tag: "1.4-kubernetes"
+    tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
    # @supplier: "Univention"
  keycloak:
    repository: "bitnami/keycloak"
-    tag: "19.0.3-debian-11-r15"
+    tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
-    digest: ""
+    # @supplier: "Univention"
  keycloakBootstrap:
    repository: "souvap/tooling/images/ansible"
-    tag: "4.10.0"
+    tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
    # @supplier: "Univention"
  keycloakExtensionHandler:
    repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
-    digest: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
+    tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
    # @supplier: "Univention"
  keycloakExtensionProxy:
    repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
-    digest: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
+    tag: "latest@sha256:57026fb4ba7d4579461e7ddd4b1b8ce9585d1cac4adbe64040f5e1063c80a6ba"
    # @supplier: "Univention"
  mariadb:
    repository: "mariadb"
-    tag: "10"
+    tag: "11.1.2-jammy@sha256:b6440c4f4e1471bdcee202e4c4e21c1f93af87421f6d33028363dd224e54f481"
    # @supplier: "openDesk DevSecOps"
  memcached:
    repository: "bitnami/memcached"
-    tag: "1.6.21-debian-11-r4"
+    tag: "1.6.21-debian-11-r84@sha256:81747acd297d3fcd05706ea771d441a6f01b28d722c366a06f922b6b7d4033dd"
    # @supplier: "OpenProject"
  milter:
    repository: "clamav/clamav"
-    tag: "1.1.0_base"
+    tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
    # @supplier: "openDesk DevSecOps"
  nextcloud:
    repository: "nextcloud"
-    tag: "26.0.1-apache"
+    tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
    # @supplier: "Nextcloud Community"
  openproject:
-    repository: "souvap/tooling/images/openproject/souvap@sha256"
+    repository: "souvap/tooling/images/openproject/open_desk"
-    tag: "5da1ae8be3d7483bf0f3d9ec50c3470586528e0ff51b663e2c3a57bceb489423"
+    tag: "dev@sha256:d2adb649aab0abdbff853d46a3b3038e096a67db46bb10208b2c5536d0dfa523"
    # @supplier: "OpenProject"
  openxchangeBootstrap:
    repository: "alpine/k8s"
-    digest: "sha256:199a4457602b4e260d9781358cd2e342f63c177f4bcfa8053493be01e57beddf"
+    tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
    # @supplier: "Open-Xchange"
  openxchangeCoreGuidedtours:
    repository: "appsuite-public-sector/core-guidedtours"
-    tag: "8.5.1"
+    tag: "8.5.1@sha256:469457562a378cca50460e08d9437a954fc6f19622f18128fa74979f7905ecd9"
    # @supplier: "Open-Xchange"
  openxchangeCoreMW:
    repository: "appsuite-public-sector/middleware-public-sector"
-    tag: "8.16.55"
+    tag: "8.16.60@sha256:269c5b72f380c49ba1888c4300c409745d2ce757ca0b269afe1e8ac9bb26f028"
    # @supplier: "Open-Xchange"
  openxchangeCoreUI:
    repository: "appsuite-public-sector/core-ui"
-    tag: "8.16.5"
+    tag: "8.16.5@sha256:4f4dd4e36fb8a1b493c195e38e2f13b87c9582bfcdc3d23b646698fce2ffef8c"
    # @supplier: "Open-Xchange"
  openxchangeCoreUIMiddleware:
    repository: "appsuite-public-sector/core-ui-middleware"
-    tag: "1.8.4"
+    tag: "1.8.4@sha256:c707fbd5496c894f201dab8f4e78aad98f1ad80c8058778f04dfa5e6e201ed64"
    # @supplier: "Open-Xchange"
  openxchangeCoreUserGuide:
    repository: "appsuite-public-sector/core-user-guide"
-    tag: "8.16.727397"
+    tag: "8.16.727397@sha256:5d8dbf9a91456dea59a235b495dcd002b971e2b23ef6c3a2ea5fd2071664e2a4"
    # @supplier: "Open-Xchange"
  openxchangeGuardUI:
    repository: "appsuite-public-sector/guard-ui"
-    tag: "4.0.6"
+    tag: "4.0.6@sha256:7bb8fdf944228dd78a5c33bbd8d0019d5a9e4ce1c35bda674166f2febc5d9a02"
    # @supplier: "Open-Xchange"
  openxchangeNextcloudIntegrationUI:
    repository: "appsuite-public-sector/nextcloud-integration-ui"
-    tag: "1.0.3"
+    tag: "1.0.5@sha256:cad4ecba431f84b8627d2e541cfea773d5ef54b65d847fa8f7e3fd0d63156497"
    # @supplier: "Open-Xchange"
  openxchangePublicSectorUI:
    repository: "appsuite-public-sector/public-sector-ui"
-    tag: "2.0.1"
+    tag: "2.0.1@sha256:8df90f6dfb59008567d8ded0dbd17b8f92f409c78ba2cf4ab2a39e1b23e34d3b"
    # @supplier: "Open-Xchange"
  openxchangeGotenberg:
    repository: "appsuite-public-sector/3rdparty/gotenberg"
    tag: "7.8.2@sha256:34af7b6d21c02b8183785177f5f3f1731633d72ec69e1f2ecdb8b43747887f62"
    # @supplier: "Open-Xchange"
  oxConnector:
    repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
-    tag: "branch-jconde-listener-entrypoint-chaining"
+    tag:
      "branch-jconde-listener-entrypoint-chaining\
      @sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
    # @supplier: "Univention"
  postfix:
    repository: "souvap/tooling/images/postfix"
-    digest: "sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
+    tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
    # @supplier: "openDesk DevSecOps"
  postgresql:
    repository: "postgres"
-    tag: "15-alpine"
+    tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
    # @supplier: "openDesk DevSecOps"
  prosody:
    repository: "jitsi/prosody"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:243547f24ae7d686d1f0c18ee230cf93119a66f095dda282bacbf45d4bb69f77"
    # @supplier: "Nordeck"
  redis:
    repository: "bitnami/redis"
-    tag: "7.0.12-debian-11-r0"
+    tag: "7.2.1-debian-11-r5@sha256:e664fa63dfe88cd099180c32f2c9a109a958f053b75d195beb48b06ffd8a0b5b"
    # @supplier: "openDesk DevSecOps"
  synapse:
    repository: "matrixdotorg/synapse"
-    tag: "v1.87.0"
+    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
    # @supplier: "Element"
  synapseWeb:
-    repository: "library/haproxy"
+    repository: "rapidfort/haproxy-official"
-    tag: "2.4"
+    tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
    # @supplier: "Element"
  univentionCorporateServer:
-    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs@sha256"
+    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
-    tag: "6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
+    tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
    # @supplier: "Univention"
  umsConfigHtpasswd:
    repository: "souvap/tooling/images/univention/config-htpasswd"
    tag: "latest@sha256:24c5e218baa62b169e7222d8ee4d3951ddc8622cd359def6b660bb23a1052f9e"
    # @supplier: "Univention"
  umsDataLoader:
    repository: "souvap/tooling/images/univention/data-loader"
    tag: "latest@sha256:857837c1810f82362d441544dc32bd2c1d6fe358bbb5ae0e2c60b7f8f4092190"
    # @supplier: "Univention"
  umsLdapNotifier:
    repository: "souvap/tooling/images/univention/ldap-notifier"
    tag: "latest@sha256:6eccf86fe78926247ec9b59d7ba83c53271bc3ca7d0195863c0489e22c836002"
    # @supplier: "Univention"
  umsLdapServer:
    repository: "souvap/tooling/images/univention/ldap-server"
    tag: "latest@sha256:4a7c44b37c727cdc03e4043c88e3dbf6b1f119772c5c1904eaed3298bdd49a3d"
    # @supplier: "Univention"
  umsNotificationsApi:
    repository: "souvap/tooling/images/univention/notifications-api"
    tag: "latest@sha256:87a047c2d0669fcbb3501ef94192812e17e09aecabc1edd2e4b92afbb7ea4b20"
    # @supplier: "Univention"
  umsPortalListener:
    repository: "souvap/tooling/images/univention/portal-listener"
    tag: "latest@sha256:bcf48d108bc2f1afd745659a1d4f11f1dd0d8ada034899aa401dfea32a29c87a"
    # @supplier: "Univention"
  umsPortalFrontend:
    repository: "souvap/tooling/images/univention/portal-frontend"
    tag: "latest@sha256:a1b11db009e992d91cfef2bc60a5022cd4498c38908194020c881ef6dd325bae"
    # @supplier: "Univention"
  umsPortalServer:
    repository: "souvap/tooling/images/univention/portal-server"
    tag: "latest@sha256:eb0b032c4cf4b207f78b80c69f3e593e01e577779d877e16908902f19b4fc2ee"
    # @supplier: "Univention"
  umsWaitForDependency:
    repository: "souvap/tooling/images/univention/wait-for-dependency"
    tag: "latest@sha256:5d8d5e9ed55af2d12fef25856e5e61c7d13081458e4b14e6a01b10488b8067d3"
    # @supplier: "Univention"
  umsStoreDav:
    repository: "souvap/tooling/images/univention/store-dav"
    tag: "latest@sha256:d65f705e46a497ba58e7373f19973835f731796baeace16a32d6331469bf0068"
    # @supplier: "Univention"
  umsUdmRestApi:
    repository: "souvap/tooling/images/univention/udm-rest-api"
    tag: "latest@sha256:dce4322646749692c5d4692ccd7ff55df080a4af3485585a50c82871715e0cae"
    # @supplier: "Univention"
  umsUmcGateway:
    repository: "souvap/tooling/images/univention/umc-gateway"
    tag: "latest@sha256:18172ee4317a9259291f251c0cc1d2be05e003558cbd18d6dc062098a127cc8d"
    # @supplier: "Univention"
  umsUmcServer:
    repository: "souvap/tooling/images/univention/umc-server"
    tag: "latest@sha256:6cbb1708109c5a0c13f3ee433989094d04cecfb8b32975e723d0f5a2e526f8db"
    # @supplier: "Univention"
  wellKnown:
    repository: "library/nginx"
-    tag: "1.23"
+    tag: "1.25.2-bookworm@sha256:9504f3f64a3f16f0eaf9adca3542ff8b2a6880e6abfb13e478cca23f6380080a"
    # @supplier: "Element"
  xwiki:
-    # repository: "xwikisas/swp/xwiki"
+    repository: "xwikisas/swp/xwiki"
-    # tag: "0.10-mariadb-tomcat"
+    tag: "0.10-mariadb-tomcat@sha256:02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
-    repository: "xwikisas/swp/xwiki@sha256"
+    # @supplier: "XWiki"
    tag: "02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
 ...
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -19,5 +19,10 @@ persistence:
    redis: "1Gi"
    synapse: "1Gi"
    univentionCorporateServer: "1Gi"
    univentionManagementStack:
      ldapServerData: "1Gi"
      ldapServerShared: "1Gi"
      portalListener: "1Gi"
      storeDav: "1Gi"
    xwiki: "1Gi"
 ...
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -8,7 +8,7 @@ replicas:
  clamd: 1
  collabora: 1
  dovecot: 1
-  element: 2
+  element: 1
  # clamav-distributed
  freshclam: 1
  # clamav-distributed
@@ -25,7 +25,7 @@ replicas:
  openproject: 1
  postfix: 1
  synapse: 1
-  synapseWeb: 2
+  synapseWeb: 1
-  wellKnown: 2
+  wellKnown: 1
  xwiki: 1
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -9,6 +9,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "2Gi"
  collabora:
    limits:
      cpu: 1
      memory: "500Mi"
    requests:
      cpu: 0.1
      memory: "16Mi"
  dovecot:
    limits:
      cpu: 0.5
@@ -33,10 +40,10 @@ resources:
  icap:
    limits:
      cpu: 2
-      memory: "4Gi"
+      memory: "128Mi"
    requests:
      cpu: 0.1
-      memory: "2Gi"
+      memory: "16Mi"
  jibri:
    limits:
      cpu: 1
@@ -184,6 +191,97 @@ resources:
    requests:
      cpu: 0.5
      memory: "1Gi"
  umsLdapNotifier:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsLdapServer:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsNotificationsApi:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsPortalFrontend:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsPortalListener:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsPortalListenerDependencies:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsPortalServer:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsStackDataUms:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsStackDataSwp:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsStoreDav:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsUdmRestApi:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsUmcGateway:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  umsUmcServer:
    limits:
      cpu: 1
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "250Mi"
  wellKnown:
    limits:
      cpu: 1
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -23,6 +23,13 @@ secrets:
      ox: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum) }}
      openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum) }}
      xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum) }}
  univentionManagementStack:
    ldapSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum) }}
    defaultAccounts:
      administratorPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum) }}
    storeDavUsers:
      portalServer: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum) }}
      portalListener: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum) }}
  postgresql:
    postgresUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum) }}
    keycloakUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum) }}
--- a/helmfile/environments/default/smtp.gotmpl
+++ b/helmfile/environments/default/smtp.gotmpl
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 smtp:
-  host: "mail.brained.io"
+  host: ""
-  username: "relay@souvap-univention.de"
+  username: ""
  password: "{{ env "SMTP_PASSWORD" }}"
 ...
--- a/helmfile/environments/default/workplace.yaml
+++ b/helmfile/environments/default/workplace.yaml
@@ -37,6 +37,8 @@ redis:
  enabled: true
 univentionCorporateServer:
  enabled: true
 univentionManagementStack:
  enabled: false
 xwiki:
  enabled: true
 ...
Author	SHA1	Message	Date
Thorsten Roßner	6456f68b7b	chore(release): 0.4.6 [skip ci] ## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26) ### Bug Fixes * openproject: Use renamed registry open_desk ([`a37faf3`](`a37faf3b57`))	2023-09-26 12:51:57 +00:00
Oliver Günther	a37faf3b57	fix(openproject): Use renamed registry open_desk	2023-09-26 12:50:26 +00:00
Thorsten Roßner	fbbf3f253b	chore(release): 0.4.5 [skip ci] ## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26) ### Bug Fixes * helmfile: Streamline timeouts ([`2703615`](`2703615dff`))	2023-09-26 12:20:31 +00:00
Thorsten Rossner	2703615dff	fix(helmfile): Streamline timeouts	2023-09-26 12:18:13 +00:00
Thorsten Roßner	85ad5ecd6d	chore(release): 0.4.4 [skip ci] ## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25) ### Bug Fixes * open-xchange: Updates for mail templates and mail export ([`ae3d0da`](`ae3d0daa11`))	2023-09-25 17:29:54 +00:00
Thorsten Rossner	ae3d0daa11	fix(open-xchange): Updates for mail templates and mail export	2023-09-25 17:27:48 +00:00
Thorsten Roßner	0a17976aca	chore(release): 0.4.3 [skip ci] ## [0.4.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.2...v0.4.3) (2023-09-25) ### Bug Fixes * nextcloud: Update image to 27.1.1 ([`ce7e5f6`](`ce7e5f670a`))	2023-09-25 11:24:24 +00:00
Thorsten Rossner	ce7e5f670a	fix(nextcloud): Update image to 27.1.1	2023-09-25 11:22:39 +00:00
Thorsten Roßner	917f9fb452	chore(release): 0.4.2 [skip ci] ## [0.4.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.1...v0.4.2) (2023-09-21) ### Bug Fixes * nextcloud: Add Nextcloud app for OpenProject integration; Bump Collabora Image ([`f46c8a9`](`f46c8a9a5f`))	2023-09-21 12:38:44 +00:00
Thorsten Rossner	f46c8a9a5f	fix(nextcloud): Add Nextcloud app for OpenProject integration; Bump Collabora Image	2023-09-21 12:25:53 +00:00
Thorsten Roßner	c2b44da34e	chore(release): 0.4.1 [skip ci] ## [0.4.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.0...v0.4.1) (2023-09-19) ### Bug Fixes * univention-management-stack: Remove doublette triple dashes in helmfile.yaml ([`41b9afb`](`41b9afb364`))	2023-09-19 12:40:28 +00:00
Thorsten Roßner	41b9afb364	fix(univention-management-stack): Remove doublette triple dashes in helmfile.yaml	2023-09-19 13:54:20 +02:00
Thorsten Roßner	63bdcf594b	chore(release): 0.4.0 [skip ci] # [0.4.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.2...v0.4.0) (2023-09-18) ### Features * ci: Optionally trigger E2E tests of the SouvAP Dev team ([`a99c088`](`a99c088361`))	2023-09-18 14:48:12 +00:00
Dibya Chakravorty	a99c088361	feat(ci): Optionally trigger E2E tests of the SouvAP Dev team	2023-09-18 14:46:17 +00:00
Thorsten Roßner	8d09aa02f9	chore(release): 0.3.2 [skip ci] ## [0.3.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.1...v0.3.2) (2023-09-14) ### Bug Fixes * helmfile: Fix linter issues ([`1514678`](`1514678db0`)) * univention-management-stack: Add "commonLabels" into helmfile ([`16c08f8`](`16c08f82c9`)) * univention-management-stack: Add Helm charts ([`a74d662`](`a74d662404`)) * univention-management-stack: Add switch "univentionManagementStack.enabled" ([`471a2fa`](`471a2fa262`)) * univention-management-stack: Adjust Ingress configuration for portal-server ([`13bcd78`](`13bcd785e8`)) * univention-management-stack: Adjust Ingress configuration for umc ([`320da3b`](`320da3bec3`)) * univention-management-stack: Adjust Ingress configuration of notifications-api ([`5e1a7b1`](`5e1a7b19e2`)) * univention-management-stack: Adjust ingress configuration of the portal-frontend ([`c54bab1`](`c54bab165b`)) * univention-management-stack: Adjust Ingress configuration of udm-rest-api ([`c61b1b8`](`c61b1b8281`)) * univention-management-stack: Adjust Ingress conifguration of store-dav ([`96097e4`](`96097e4704`)) * univention-management-stack: Configure cookie banner data ([`12c931f`](`12c931fcff`)) * univention-management-stack: Define resource requests and limits ([`2f8a298`](`2f8a298925`)) * univention-management-stack: Disable istio for the stack ([`4835a2b`](`4835a2beec`)) * univention-management-stack: Prepare persistence configuration ([`7ab1cb5`](`7ab1cb5c7e`)) * univention-management-stack: Process bases before releases ([`ec3f1d9`](`ec3f1d96ac`)) * univention-management-stack: Set externalDomainName for bootstrapping the stack ([`0ba71f2`](`0ba71f2749`)) * univention-management-stack: Split templated from static values ([`09079a1`](`09079a1303`)) * univention-management-stack: Split values into templated and static ([`d3c4390`](`d3c439038a`)) * univention-management-stack: Update portal-listener to leverage dependency waiting ([`c840608`](`c840608112`)) * univention-management-stack: Use global secrets to fill initialPasswordAdministrator ([`a4bab40`](`a4bab4068d`)) * univention-management-stack: Use global secrets to populate ldap related secrets ([`9409ad8`](`9409ad829a`)) * univention-management-stack: Use global secrets to set store-dav related passwords ([`90019e3`](`90019e3ef6`)) * univention-management-stack: Use ldap base DN "dc=swp-ldap,dc=internal" ([`77e362f`](`77e362f6bc`)) * univention-management-stack: Use postgresql service for notifications-api ([`fe0e0cd`](`fe0e0cdce4`)) * univention-management-stack: Use the prefix "ums-" for all releases ([`edb25bd`](`edb25bd765`)) * univention-management-stack: Use the value "global.imagePullPolicy" ([`15db5dc`](`15db5dcbba`))	2023-09-14 20:16:01 +00:00
Johannes Bornhold	1514678db0	fix(helmfile): Fix linter issues	2023-09-14 15:37:35 +02:00
Johannes Bornhold	b7254cf5dc	ci(univention-management-stack): Enforce choice between UCS and UMS	2023-09-14 15:26:58 +02:00
Johannes Bornhold	7ab1cb5c7e	fix(univention-management-stack): Prepare persistence configuration	2023-09-14 15:21:46 +02:00
Johannes Bornhold	0ba71f2749	fix(univention-management-stack): Set externalDomainName for bootstrapping the stack	2023-09-14 15:21:46 +02:00
Johannes Bornhold	77e362f6bc	fix(univention-management-stack): Use ldap base DN "dc=swp-ldap,dc=internal"	2023-09-14 15:21:45 +02:00
Johannes Bornhold	09079a1303	fix(univention-management-stack): Split templated from static values	2023-09-14 15:21:45 +02:00
Johannes Bornhold	15db5dcbba	fix(univention-management-stack): Use the value "global.imagePullPolicy"	2023-09-14 15:18:00 +02:00
Johannes Bornhold	d3c439038a	fix(univention-management-stack): Split values into templated and static	2023-09-14 15:18:00 +02:00
Johannes Bornhold	9409ad829a	fix(univention-management-stack): Use global secrets to populate ldap related secrets	2023-09-14 15:18:00 +02:00
Johannes Bornhold	a4bab4068d	fix(univention-management-stack): Use global secrets to fill initialPasswordAdministrator	2023-09-14 15:18:00 +02:00
Johannes Bornhold	90019e3ef6	fix(univention-management-stack): Use global secrets to set store-dav related passwords	2023-09-14 15:18:00 +02:00
Johannes Bornhold	4835a2beec	fix(univention-management-stack): Disable istio for the stack	2023-09-14 15:18:00 +02:00
Johannes Bornhold	12c931fcff	fix(univention-management-stack): Configure cookie banner data	2023-09-14 15:18:00 +02:00
Johannes Bornhold	2f8a298925	fix(univention-management-stack): Define resource requests and limits	2023-09-14 15:18:00 +02:00
Johannes Bornhold	ec3f1d96ac	fix(univention-management-stack): Process bases before releases	2023-09-14 15:17:59 +02:00
Johannes Bornhold	16c08f82c9	fix(univention-management-stack): Add "commonLabels" into helmfile	2023-09-14 15:17:59 +02:00
Johannes Bornhold	edb25bd765	fix(univention-management-stack): Use the prefix "ums-" for all releases	2023-09-14 15:17:59 +02:00
Johannes Bornhold	c840608112	fix(univention-management-stack): Update portal-listener to leverage dependency waiting	2023-09-14 15:17:59 +02:00
Johannes Bornhold	320da3bec3	fix(univention-management-stack): Adjust Ingress configuration for umc	2023-09-14 15:17:59 +02:00
Johannes Bornhold	c61b1b8281	fix(univention-management-stack): Adjust Ingress configuration of udm-rest-api	2023-09-14 15:17:59 +02:00
Johannes Bornhold	96097e4704	fix(univention-management-stack): Adjust Ingress conifguration of store-dav	2023-09-14 15:17:59 +02:00
Johannes Bornhold	5e1a7b19e2	fix(univention-management-stack): Adjust Ingress configuration of notifications-api	2023-09-14 15:17:59 +02:00
Johannes Bornhold	13bcd785e8	fix(univention-management-stack): Adjust Ingress configuration for portal-server	2023-09-14 15:17:58 +02:00
Johannes Bornhold	c54bab165b	fix(univention-management-stack): Adjust ingress configuration of the portal-frontend	2023-09-14 15:17:58 +02:00
Johannes Bornhold	836f491766	ci(univention-management-stack): Add option to deploy UMS	2023-09-14 15:17:58 +02:00
Johannes Bornhold	fe0e0cdce4	fix(univention-management-stack): Use postgresql service for notifications-api	2023-09-14 15:17:58 +02:00
Johannes Bornhold	a74d662404	fix(univention-management-stack): Add Helm charts	2023-09-14 15:17:58 +02:00
Johannes Bornhold	471a2fa262	fix(univention-management-stack): Add switch "univentionManagementStack.enabled"	2023-09-14 14:58:22 +02:00
Thorsten Roßner	5f79763e2b	chore(release): 0.3.1 [skip ci] ## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14) ### Bug Fixes * collabora: Update Ingress annotations and set securityContext ([`b5583ca`](`b5583caec1`)) * element: Improve default container security settings ([`882f1fb`](`882f1fbc93`)) * element: Update opendesk element version to 2.0.1 ([`d725b93`](`d725b93798`)) * helmfile: Remove default SMTP credentials and create docs for SMTP/TURN ([`e120f5f`](`e120f5fb9a`)) * helmfile: Update images and use a tag and digest together ([`c7fc187`](`c7fc187f14`)) * services: Explicitly set securityContexts ([`a799db0`](`a799db03c4`)) * services: Update Postfix to 2.0.2 fixing security gaining ([`e1070ee`](`e1070eeb06`))	2023-09-14 11:11:40 +00:00
Dominik Kaminski	e120f5fb9a	fix(helmfile): Remove default SMTP credentials and create docs for SMTP/TURN	2023-09-13 23:39:38 +02:00
Dominik Kaminski	a799db03c4	fix(services): Explicitly set securityContexts	2023-09-13 19:33:47 +02:00
Dominik Kaminski	d725b93798	fix(element): Update opendesk element version to 2.0.1	2023-09-13 19:33:47 +02:00
Dominik Kaminski	e1070eeb06	fix(services): Update Postfix to 2.0.2 fixing security gaining	2023-09-13 19:33:47 +02:00
Dominik Kaminski	c7fc187f14	fix(helmfile): Update images and use a tag and digest together	2023-09-13 19:33:47 +02:00
Dominik Kaminski	89ac783dc3	chore(collabora): Quote strings	2023-09-13 19:33:47 +02:00
Dominik Kaminski	882f1fbc93	fix(element): Improve default container security settings	2023-09-13 19:33:43 +02:00
Dominik Kaminski	b5583caec1	fix(collabora): Update Ingress annotations and set securityContext	2023-09-13 16:32:35 +02:00
Thorsten Roßner	6d23534ee0	chore(release): 0.3.0 [skip ci] # [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12) ### Features * ci: Selective tests ([`d2e7ac9`](`d2e7ac9348`))	2023-09-12 21:18:26 +00:00
Tobias Heinzmann	d2e7ac9348	feat(ci): Selective tests	2023-09-12 21:16:33 +00:00
Thorsten Roßner	2125037a3c	chore(release): 0.2.10 [skip ci] ## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06) ### Bug Fixes * helmfile: Add imagePullPolicy default env variable ([`f988644`](`f9886448b6`)) * helmfile: Update images and add jitsi, keycloak to security section in docs ([`0eceb85`](`0eceb85e7d`)) * jitsi: Update chart to 1.4.2 with improved security and fixed change on each deployment ([`1349181`](`1349181d80`)) * jitsi: Update jitsi to 1.5.1 and fix prosody image ([`ed7e5e4`](`ed7e5e428e`)) * keycloak: Improve default security settings ([`3b90533`](`3b90533063`)) * nextcloud: Fix yamllint disable comment ([`4380e78`](`4380e78981`)) * services: Disable https redirect in istio to fix cert-manager issues ([`1ef4a86`](`1ef4a861ac`)) * services: Fix capabilities of postifix ([`a6fa846`](`a6fa846afc`)) * services: Fix OCI registry address of postgresql, mariadb ([`be82243`](`be82243966`))	2023-09-06 17:12:09 +00:00
Dominik Kaminski	ed7e5e428e	fix(jitsi): Update jitsi to 1.5.1 and fix prosody image	2023-09-06 19:09:59 +02:00
Dominik Kaminski	d28a425673	chore(release): 0.2.10 [skip ci] ## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06) ### Bug Fixes * helmfile: Add imagePullPolicy default env variable ([`f988644`](`f9886448b6`)) * helmfile: Update images and add jitsi, keycloak to security section in docs ([`0eceb85`](`0eceb85e7d`)) * jitsi: Update chart to 1.4.2 with improved security and fixed change on each deployment ([`1349181`](`1349181d80`)) * keycloak: Improve default security settings ([`3b90533`](`3b90533063`)) * nextcloud: Fix yamllint disable comment ([`4380e78`](`4380e78981`)) * services: Disable https redirect in istio to fix cert-manager issues ([`1ef4a86`](`1ef4a861ac`)) * services: Fix capabilities of postifix ([`a6fa846`](`a6fa846afc`)) * services: Fix OCI registry address of postgresql, mariadb ([`be82243`](`be82243966`))	2023-09-06 07:53:01 +00:00
Dominik Kaminski	a6fa846afc	fix(services): Fix capabilities of postifix	2023-09-05 21:50:31 +02:00
Dominik Kaminski	4380e78981	fix(nextcloud): Fix yamllint disable comment	2023-09-05 20:31:32 +02:00
Dominik Kaminski	be82243966	fix(services): Fix OCI registry address of postgresql, mariadb	2023-09-05 20:15:03 +02:00
Dominik Kaminski	f9886448b6	fix(helmfile): Add imagePullPolicy default env variable	2023-09-05 19:59:18 +02:00
Dominik Kaminski	0eceb85e7d	fix(helmfile): Update images and add jitsi, keycloak to security section in docs	2023-09-05 18:49:09 +02:00
Dominik Kaminski	1ef4a861ac	fix(services): Disable https redirect in istio to fix cert-manager issues	2023-09-05 18:48:18 +02:00
Dominik Kaminski	3b90533063	fix(keycloak): Improve default security settings	2023-09-05 18:47:28 +02:00
Dominik Kaminski	1349181d80	fix(jitsi): Update chart to 1.4.2 with improved security and fixed change on each deployment	2023-09-05 18:47:04 +02:00
Thorsten Roßner	e1b84898c5	chore(release): 0.2.9 [skip ci] ## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05) ### Bug Fixes * collabora: Add websocket support for NGINX Inc. Ingress ([`6e5ef63`](`6e5ef639c2`)) * docs: Add security part in README ([`ff462ab`](`ff462ab0dc`)) * docs: Update scaling docs ([`63a1e25`](`63a1e2568e`)) * helmfile: Reduce icap resources in default enviroment ([`c5ab1b8`](`c5ab1b81fe`)) * helmfile: Update clamav and nextcloud images in default environment ([`4f2a8ae`](`4f2a8aeee4`)) * nextcloud: Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress ([`6e68f7f`](`6e68f7f28c`)) * nextcloud: Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI ([`cef11ac`](`cef11acbae`)) * nextcloud: Use clamav-icap when clamavDistributed is activated ([`41d40c9`](`41d40c9b73`)) * services: Enable security context and use default increased security settings ([`9a6d240`](`9a6d2409a6`)) * services: Fix image registry templates for postfix ([`6321ff5`](`6321ff50a0`)) * services: Replace image digest by tag ([`f758293`](`f758293241`)) * services: Set readOnlyRootFilesystem to true on master ([`5fbf86b`](`5fbf86b6bc`)) * services: Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries ([`9d78664`](`9d7866480c`))	2023-09-05 11:58:43 +00:00
Dominik Kaminski	63a1e2568e	fix(docs): Update scaling docs	2023-09-03 22:45:29 +02:00
Dominik Kaminski	ca4b1da84f	chore(helmfile): Fix linting errors for yamllint	2023-09-03 22:26:26 +02:00
Dominik Kaminski	ff462ab0dc	fix(docs): Add security part in README	2023-09-03 21:56:55 +02:00
Dominik Kaminski	4f2a8aeee4	fix(helmfile): Update clamav and nextcloud images in default environment	2023-09-03 21:56:45 +02:00
Dominik Kaminski	c5ab1b81fe	fix(helmfile): Reduce icap resources in default enviroment	2023-09-03 21:56:31 +02:00
Dominik Kaminski	9d7866480c	fix(services): Update clamav to 4.0.0, redis to 18.0.0, postgresql to 2.0.2, mariadb to 2.0.2 and use OCI registries	2023-09-03 21:53:09 +02:00
Dominik Kaminski	9a6d2409a6	fix(services): Enable security context and use default increased security settings	2023-09-03 21:51:33 +02:00
Dominik Kaminski	f758293241	fix(services): Replace image digest by tag	2023-09-03 21:49:39 +02:00
Dominik Kaminski	6321ff50a0	fix(services): Fix image registry templates for postfix	2023-09-03 21:46:40 +02:00
Dominik Kaminski	5fbf86b6bc	fix(services): Set readOnlyRootFilesystem to true on master	2023-09-03 21:44:42 +02:00
Dominik Kaminski	6e68f7f28c	fix(nextcloud): Add support for up to 4G large upload for Ingress NGINX and NGINX Inc. Ingress	2023-09-03 21:43:55 +02:00
Dominik Kaminski	41d40c9b73	fix(nextcloud): Use clamav-icap when clamavDistributed is activated	2023-09-03 21:43:00 +02:00
Dominik Kaminski	cef11acbae	fix(nextcloud): Rename sovereign-workplace-nextcloud-bootstrap to opendesk-nextcloud-bootstrap and use OCI	2023-09-03 21:40:45 +02:00
Dominik Kaminski	6e5ef639c2	fix(collabora): Add websocket support for NGINX Inc. Ingress	2023-09-03 21:40:06 +02:00