chore(release): 0.3.1 [skip ci]

## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)

### Bug Fixes

* **collabora:** Update Ingress annotations and set securityContext ([b5583ca](b5583caec1))
* **element:** Improve default container security settings ([882f1fb](882f1fbc93))
* **element:** Update opendesk element version to 2.0.1 ([d725b93](d725b93798))
* **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](e120f5fb9a))
* **helmfile:** Update images and use a tag and digest together ([c7fc187](c7fc187f14))
* **services:** Explicitly set securityContexts ([a799db0](a799db03c4))
* **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](e1070eeb06))

.gitlab-ci.yml

@@ -129,8 +129,9 @@ variables:
     options:
       - "yes"
       - "no"
-  TESTS_PROJECT_URL:
-    description: "URL of the E2E-test Gitlab project API with project ID."
+  TESTS_BRANCH:
+    description: "Branch of E2E-tests on which the test pipeline is triggered"
+    value: "main"
   # please use the following set of variables with normalized names:
   DOMAIN: "${NAMESPACE}.${CLUSTER}.${BASE_DOMAIN}"
   ISTIO_DOMAIN: "${NAMESPACE}.istio.${CLUSTER}.${BASE_DOMAIN}"
@@ -140,23 +141,6 @@ variables:
   dependencies: []
   extends: ".environments"
   image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
-  secrets:
-    SMTP_PASSWORD:
-      vault:
-        engine:
-          name: "kv-v2"
-          path: "swp"
-        path: "accounts/brained/mail/relay@souvap-univention.de"
-        field: "password"
-      file: false
-    TURN_CREDENTIALS:
-      vault:
-        engine:
-          name: "kv-v2"
-          path: "swp"
-        path: "accounts/souvap-univention.de/develop/turn/secret"
-        field: "credentials"
-      file: false
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
     # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -408,51 +392,50 @@ run-tests:
       when: "always"
   script:
     - |
-      COMPONENTS="login or portal or profile or navigation"
-      if [ "${DEPLOY_ALL_COMPONENTS}" != "no" ]; then
-        COMPONENTS="${COMPONENTS} or collabora or ics or jitsi or keycloak or nextcloud or openproject or ox or ucs \
-          or xwiki"
-      else
-        [ "${DEPLOY_COLLABORA}" != "no" ] && COMPONENTS="${COMPONENTS} or collabora"
-        [ "${DEPLOY_ICS}" != "no" ] && COMPONENTS="${COMPONENTS} or ics"
-        [ "${DEPLOY_JITSI}" != "no" ] && COMPONENTS="${COMPONENTS} or jitsi"
-        [ "${DEPLOY_KEYCLOAK}" != "no" ] && COMPONENTS="${COMPONENTS} or keycloak"
-        [ "${DEPLOY_NEXTCLOUD}" != "no" ] && COMPONENTS="${COMPONENTS} or nextcloud"
-        [ "${DEPLOY_OPENPROJECT}" != "no" ] && COMPONENTS="${COMPONENTS} or openproject"
-        [ "${DEPLOY_OX}" != "no" ] && COMPONENTS="${COMPONENTS} or ox"
-        [ "${DEPLOY_UCS}" != "no" ] && COMPONENTS="${COMPONENTS} or ucs"
-        [ "${DEPLOY_XWIKI}" != "no" ] && COMPONENTS="${COMPONENTS} or xwiki"
-      fi
-
-      echo "Gathering passwords from UCS container ..."
       UCS_CONTAINER_NAME=$( \
-        kubectl -n ${NAMESPACE} get pods --no-headers \
-        --selector 'app.kubernetes.io/instance=univention-corporate-container' \
+        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
+          'app.kubernetes.io/instance=univention-corporate-container' \
+        | grep Running \
         | awk '{print $1}' \
       )
-      echo "UCS_CONTAINER_NAME: ${UCS_CONTAINER_NAME}"
       DEFAULT_USER_PASSWORD=$( \
         kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
         | grep DEFAULT_ACCOUNT_USER_PASSWORD \
         | awk '{print $2}' \
       )
-      DEFAULT_ADMIN_PASSWORD=$( \
+      DEFAULT_ADMIN_PASSWORD=$(
         kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
         | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
         | awk '{print $2}' \
       )
 
-      echo "triggering test pipeline ..."
-      curl -X POST \
-        -F "ref=main" \
-        -F "token=${CI_JOB_TOKEN}" \
-        -F "variables[url]=https://portal.${DOMAIN}" \
-        -F "variables[user_name]=${DEFAULT_USER_NAME}" \
-        -F "variables[user_password]=${DEFAULT_USER_PASSWORD}" \
-        -F "variables[admin_name]=${DEFAULT_ADMIN_NAME}" \
-        -F "variables[admin_password]=${DEFAULT_ADMIN_PASSWORD}" \
-        -F "variables[components]=\"${COMPONENTS}\"" \
-        https://${TESTS_PROJECT_URL}/trigger/pipeline
+      curl --request POST \
+      --header "Content-Type: application/json" \
+      --data "{ \
+        \"ref\": \"${TESTS_BRANCH}\", \
+        \"token\": \"${CI_JOB_TOKEN}\", \
+        \"variables\": { \
+          \"url\": \"https://portal.${DOMAIN}\", \
+          \"user_name\": \"${DEFAULT_USER_NAME}\", \
+          \"user_password\": \"${DEFAULT_USER_PASSWORD}\", \
+          \"admin_name\": \"${DEFAULT_ADMIN_NAME}\", \
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"DEPLOY_ALL_COMPONENTS\": \"${DEPLOY_ALL_COMPONENTS}\", \
+          \"DEPLOY_COLLABORA\": \"${DEPLOY_COLLABORA}\", \
+          \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
+          \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
+          \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
+          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
+          \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
+          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
+          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
+          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
+          \"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
+          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
+          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
+        } \
+      }" \
+      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
 
 generate-release-assets:
   stage: "generate-release-assets"
@@ -463,8 +446,7 @@ generate-release-assets:
     - when: "never"
   script:
     - |
-      # yamllint disable-line rule:line-length
-      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator
+      git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${ASSET_GENERATOR_REPO_PATH}
       cd opendesk-asset-generator
       export OPENDESK_DEPLOYMENT_AUTOMATION_PATH=${CI_PROJECT_DIR}
       ./opendesk_asset_generator.py
@@ -477,6 +459,8 @@ generate-release-assets:
       - "./build_artefacts/chart-index.json"
       - "./build_artefacts/image-index.json"
   tags: []
+  variables:
+    ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
 
 
 # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.

CHANGELOG.md

@@ -1,3 +1,52 @@
+## [0.3.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.3.0...v0.3.1) (2023-09-14)
+
+
+### Bug Fixes
+
+* **collabora:** Update Ingress annotations and set securityContext ([b5583ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b5583caec10c24e3bfb312edcb2800e6a60a9b10))
+* **element:** Improve default container security settings ([882f1fb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/882f1fbc93ceb4ac33683d445e100e445798b202))
+* **element:** Update opendesk element version to 2.0.1 ([d725b93](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d725b937989987ffacf87d7a9ee05803dcdd4c93))
+* **helmfile:** Remove default SMTP credentials and create docs for SMTP/TURN ([e120f5f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e120f5fb9a91b80ba71ce78eace99852b4da5fda))
+* **helmfile:** Update images and use a tag and digest together ([c7fc187](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c7fc187f14b78cdcc698abbbaec1ba0bbfc718a1))
+* **services:** Explicitly set securityContexts ([a799db0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a799db03c4115ba69303be1c265f7aefef95d659))
+* **services:** Update Postfix to 2.0.2 fixing security gaining ([e1070ee](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e1070eeb0602523c240a91dae1b0869a7cc42a78))
+
+# [0.3.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.10...v0.3.0) (2023-09-12)
+
+
+### Features
+
+* **ci:** Selective tests ([d2e7ac9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d2e7ac93481249e9eb7e5e1a41a6c6e333abe2dc))
+
+## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
+
+
+### Bug Fixes
+
+* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
+* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
+* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
+* **jitsi:** Update jitsi to 1.5.1 and fix prosody image ([ed7e5e4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ed7e5e428e5d9213a92f97dc03d72fa3e04334c2))
+* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
+* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
+* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
+* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
+* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
+
+## [0.2.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.9...v0.2.10) (2023-09-06)
+
+
+### Bug Fixes
+
+* **helmfile:** Add imagePullPolicy default env variable ([f988644](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f9886448b60bbbd917b5ba04d188401275293eec))
+* **helmfile:** Update images and add jitsi, keycloak to security section in docs ([0eceb85](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0eceb85e7df7455fa61cb17a854807069fbcf51a))
+* **jitsi:** Update chart to 1.4.2 with improved security and fixed change on each deployment ([1349181](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1349181d802ccb80d9e48cf50fe39f1505116c8e))
+* **keycloak:** Improve default security settings ([3b90533](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/3b90533063c151a9f3cdc9861a115481f6dc440a))
+* **nextcloud:** Fix yamllint disable comment ([4380e78](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4380e789814ec2b0458fb2c341c8160ab2743afc))
+* **services:** Disable https redirect in istio to fix cert-manager issues ([1ef4a86](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1ef4a861acc955e2e85715c62f715a6629ada940))
+* **services:** Fix capabilities of postifix ([a6fa846](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a6fa846afc9744f2b399c37cc754f878b6b9e90b))
+* **services:** Fix OCI registry address of postgresql, mariadb ([be82243](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/be822439661f766c4db6044fd3581db0cce214bb))
+
 ## [0.2.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.2.8...v0.2.9) (2023-09-05)
 
 

README.md

@@ -91,8 +91,6 @@ installation.
 | `DOMAIN`            | `souvap.cloud`        | External reachable domain                         |
 | `ISTIO_DOMAIN`      | `istio.souvap.cloud`  | External reachable domain for Istio Gateway       |
 | `MASTER_PASSWORD`   | `sovereign-workplace` | The password that seeds the autogenerated secrets |
-| `SMTP_PASSWORD`     |                       | Password for SMTP relay gateway                   |
-| `TURN_CREDENTIALS`  |                       | Credentials for coturn server                     |
 
 Please ensure that you set the DNS records pointing to the loadbalancer/IP for
 `DOMAIN` and `ISTIO_DOMAIN`.
@@ -306,20 +304,64 @@ actual scalability of the components (see column `Scaling (verified)`).
 | XWiki       | `replicas.xwiki`       | :white_check_mark:  |       :gear:       |
 
 
+### Mail/SMTP configuration
+
+To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from 
+the whole subdomain.
+
+```yaml
+smtp:
+  host:     # your SMTP host or IP-address
+  username: # username/email for authentication
+  password: # password for authentication, or via environment variable SMTP_PASSWORD
+```
+
+### TURN configuration
+
+Some components (Jitsi, Element) use for direct communication a TURN server.
+You can configure your own TURN server with these options:
+
+```yaml
+turn:
+  transport:   # "udp" or "tcp"
+  credentials: # turn credential string
+  server:      # configuration for unsecure connections
+    host:      # your TURN host or IP-address
+    port:      # server port
+  tls:         # configuration for secure connections
+    host:      # your TURN host or IP-address
+    port:      # server port
+```
+
 ## Security
 
 This list gives you an overview of default security settings and if they comply with security standards:
 
 
-| Component  | Process    | allowPrivilegeEscalation (`false`)  |                       capabilities (`drop: ALL`)                       | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
-|------------|------------|:-----------------------------------:|:----------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
-| ClamAV     | clamd      |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | freshclam  |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | icap       |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | milter     |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-| MariaDB    | mariadb    |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-| Postfix    | postfix    |         :white_check_mark:          | :x: (`DAC_OVERRIDE`, `FOWNER`, `SETUID`, `SETGID`, `NET_BIND_SERVICE`) |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
-| PostgreSQL | postgresql |         :white_check_mark:          |                           :white_check_mark:                           |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Component  | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+| ClamAV     | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|            | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| Collabora  | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
+| Element    | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+|            | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  | 
+|            | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+|            | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+| Jitsi      | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
+|            | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|            | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| Keycloak   | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|            | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|            | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|            | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+| MariaDB    | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Postfix    | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| PostgreSQL | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 
 
 # Component integration
@@ -450,17 +492,14 @@ components we are going to cover various aspects:
 
 ## Tests
 
-There is a frontend end-to-end test suite that can get triggered if the
-deployment is performed via a Gitlab pipeline.
+The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
+The `DEPLOY_`-variables are used to determine which components should be tested.
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
+that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
+`<domain of gitlab>/api/v4/projects/<id>`.
 
-Currently, the test suite is in progress to be published, so right now it is
-only usable by project members. But that will change soon, and it could be used
-to create custom tests and perform them after deployment.
-
-The deployment pipeline provides a variable named `TESTS_PROJECT_URL` that
-points to the test pipeline residing in another Gitlab repository. At the end of
-the deployment the test pipeline is triggered. Tests are just performed for
-components that have been deployed prior.
+If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
+`TESTS_BRANCH` while creating a new pipeline.
 
 
 # Footnotes

helmfile/apps/collabora/values.gotmpl

@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
   tag: "{{ .Values.images.collabora.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
@@ -32,14 +33,9 @@ collabora:
   aliasgroups:
     - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 
-{{- if not (eq .Values.cluster.container.engine "containerd") }}
-# In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate:
-# Ref.: https://github.com/CollaboraOnline/online/issues/2800
-securityContext:
-  capabilities:
-    add:
-      - "MKNOD"
-{{- end }}
 
 replicaCount: {{ .Values.replicas.collabora }}
+
+resources:
+  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 ...

helmfile/apps/collabora/values.yaml

@@ -14,20 +14,74 @@ collabora:
 
 ingress:
   annotations:
-    # nginx
+    # Ingress NGINX
     nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/server-snippet: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
+    # NGINX
+    nginx.org/websocket-services: "collabora"
+    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
+    nginx.org/proxy-read-timeout: "600"
+    nginx.org/proxy-send-timeout: "600"
+    nginx.org/client-max-body-size: "0"
+    nginx.org/server-snippets: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
     # HAProxy
     haproxy.org/timeout-tunnel: "3600s"
     haproxy.org/backend-config-snippet: |
-     mode http
-      balance leastconn
-      stick-table type string len 2048 size 1k store conn_cur
-      http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
-      http-request track-sc1 url_param(WOPISrc)
-      stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
-      stick store-request url_param(WOPISrc)
-    nginx.org/websocket-services: "collabora"
-    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
+       balance url_param WOPISrc check_post
+       hash-type consistent
+    # HAProxy - Community: https://haproxy-ingress.github.io/
+    haproxy-ingress.github.io/timeout-tunnel: "3600s"
+    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
+    haproxy-ingress.github.io/config-backend: |
+      hash-type consistent
+      # block admin urls from outside
+      acl admin_url path_beg /cool/getMetrics
+      acl admin_url path_beg /cool/adminws/
+      acl admin_url path_beg /browser/dist/admin/admin.html
+      http-request deny if admin_url
 autoscaling:
   enabled: false
+
+serviceAccount:
+  create: true
+
+securityContext:
+  allowPrivilegeEscalation: true
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+      - "MKNOD"
+
+podSecurityContext:
+  fsGroup: 100
 ...

helmfile/apps/element/helmfile.yaml

@@ -2,38 +2,41 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-element-repo"
+  - name: "opendesk-element-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
          default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
 
 releases:
-  - name: "sovereign-workplace-element"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-element"
-    version: "1.3.0"
+  - name: "opendesk-element"
+    chart: "opendesk-element-repo/opendesk-element"
+    version: "2.0.1"
     values:
+      - "values-element.yaml"
       - "values-element.gotmpl"
     condition: "element.enabled"
 
-  - name: "sovereign-workplace-well-known"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-well-known"
-    version: "1.3.0"
+  - name: "opendesk-well-known"
+    chart: "opendesk-element-repo/opendesk-well-known"
+    version: "2.0.1"
     values:
       - "values-well-known.yaml"
       - "values-well-known.gotmpl"
     condition: "element.enabled"
 
-  - name: "sovereign-workplace-synapse-web"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse-web"
-    version: "1.3.0"
+  - name: "opendesk-synapse-web"
+    chart: "opendesk-element-repo/opendesk-synapse-web"
+    version: "2.0.1"
     values:
+      - "values-synapse-web.yaml"
       - "values-synapse-web.gotmpl"
     condition: "element.enabled"
 
-  - name: "sovereign-workplace-synapse"
-    chart: "sovereign-workplace-element-repo/sovereign-workplace-synapse"
-    version: "1.3.0"
+  - name: "opendesk-synapse"
+    chart: "opendesk-element-repo/opendesk-synapse"
+    version: "2.0.1"
     values:
+      - "values-synapse.yaml"
       - "values-synapse.gotmpl"
     condition: "element.enabled"
 

helmfile/apps/element/values-element.gotmpl

@@ -16,6 +16,7 @@ configuration:
     logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.element.repository }}"
   tag: "{{ .Values.images.element.tag }}"

helmfile/apps/element/values-element.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-synapse-web.gotmpl

@@ -12,6 +12,7 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.synapseWeb.repository }}"
   tag: "{{ .Values.images.synapseWeb.tag }}"

helmfile/apps/element/values-synapse-web.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-synapse.gotmpl

@@ -12,6 +12,7 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.synapse.repository }}"
   tag: "{{ .Values.images.synapse.tag }}"

helmfile/apps/element/values-synapse.yaml

@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10991
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 10991
+...

helmfile/apps/element/values-well-known.gotmpl

@@ -12,6 +12,7 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.wellKnown.repository }}"
   tag: "{{ .Values.images.wellKnown.tag }}"

helmfile/apps/element/values-well-known.yaml

@@ -4,4 +4,22 @@
 configuration:
   e2ee:
     forceDisable: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
 ...

helmfile/apps/intercom-service/values.gotmpl

@@ -29,6 +29,7 @@ ics:
     url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.intercom.repository }}"
   tag: "{{ .Values.images.intercom.tag }}"

helmfile/apps/jitsi/helmfile.yaml

@@ -10,7 +10,7 @@ repositories:
 releases:
   - name: "jitsi"
     chart: "jitsi-repo/sovereign-workplace-jitsi"
-    version: "1.4.1"
+    version: "1.5.1"
     values:
       - "values-jitsi.gotmpl"
     condition: "jitsi.enabled"

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -12,6 +12,7 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
   tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
@@ -118,6 +119,7 @@ patchJVB:
     staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
     loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
   image:
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
     tag: "{{ .Values.images.jitsiPatchJVB.tag }}"

helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl

@@ -19,6 +19,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.keycloakBootstrap.repository }}"
   tag: "{{ .Values.images.keycloakBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 resources:
   {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}

helmfile/apps/keycloak/values-extensions.gotmpl

@@ -18,12 +18,8 @@ handler:
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
-{{- if .Values.images.keycloakExtensionHandler.digest }}
-    sha256: "{{ .Values.images.keycloakExtensionHandler.digest}}"
-{{- else if .Values.images.keycloakExtensionHandler.tag }}
     tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
-{{- end }}
-    imagePullPolicy: "Always"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   appConfig:
     smtpPassword: "{{ .Values.smtp.password }}"
     smtpHost: "{{ .Values.smtp.host }}"
@@ -35,18 +31,11 @@ proxy:
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
-{{- if .Values.images.keycloakExtensionProxy.digest }}
-    sha256: "{{ .Values.images.keycloakExtensionProxy.digest}}"
-{{- else if .Values.images.keycloakExtensionProxy.tag }}
     tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
-{{- end }}
-    imagePullPolicy: "Always"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   ingress:
     enabled: "{{ .Values.ingress.enabled }}"
     ingressClassName: "{{ .Values.ingress.ingressClassName }}"
-    annotations:
-      nginx.org/proxy-buffer-size: "8k"
-      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     tls:
       enabled: "{{ .Values.ingress.tls.enabled }}"

helmfile/apps/keycloak/values-extensions.yaml

@@ -11,11 +11,35 @@ global:
 handler:
   appConfig:
     captchaProtectionEnable: "False"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
 
 postgresql:
   enabled: false
 
 proxy:
-  image:
-    tag: "latest"
+  ingress:
+    annotations:
+      nginx.org/proxy-buffer-size: "8k"
+      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
 ...

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -13,7 +13,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.keycloak.repository }}"
   tag: "{{ .Values.images.keycloak.tag }}"
-  digest: "{{ .Values.images.keycloak.digest }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 externalDatabase:
   host: "{{ .Values.databases.keycloak.host }}"
@@ -81,6 +81,8 @@ keycloakConfigCli:
       value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
     - name: "LDAPSEARCH_USERNAME"
       value: "ldapsearch_keycloak"
+  resources:
+    {{ .Values.resources.keycloak | toYaml | nindent 4 }}
 
 resources:
   {{ .Values.resources.keycloak | toYaml | nindent 2 }}

helmfile/apps/keycloak/values-keycloak.yaml

@@ -54,5 +54,32 @@ keycloakConfigCli:
     - "--import.var-substitution.enabled=true"
   cache:
     enabled: false
+  containerSecurityContext:
+    enabled: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
 
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  runAsNonRoot: true
+
+podSecurityContext:
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
 ...

helmfile/apps/nextcloud/helmfile.yaml

@@ -4,8 +4,8 @@
 repositories:
   - name: "opendesk-nextcloud-bootstrap-repo"
     oci: true
-    url: >-
     # yamllint disable rule:line-length
+    url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
          "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
     # yamllint enable rule:line-length

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -44,6 +44,7 @@ config:
     password: "{{ .Values.smtp.password }}"
 
 image:
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.nextcloud.repository }}"
   tag: "{{ .Values.images.nextcloud.tag }}"

helmfile/apps/nextcloud/values-nextcloud.gotmpl

@@ -25,7 +25,7 @@ ingress:
         - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.nextcloud.tag }}"
   pullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -6,7 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   url: "{{ .Values.images.dovecot.repository }}"
-  digest: "{{ .Values.images.dovecot.digest }}"
+  tag: "{{ .Values.images.dovecot.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}

helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl

@@ -6,7 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   url: "{{ .Values.images.openxchangeBootstrap.repository }}"
-  digest: "{{ .Values.images.openxchangeBootstrap.digest }}"
+  tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -34,6 +34,7 @@ public-sector-ui:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . }}
   {{- end }}
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 appsuite:
   istio:
@@ -96,6 +97,7 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreMW.repository }}
       tag: {{ .Values.images.openxchangeCoreMW.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     update:
       image:
         repository: {{ .Values.images.openxchangeCoreMW.repository }}
@@ -113,6 +115,7 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreUI.repository }}
       tag: {{ .Values.images.openxchangeCoreUI.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-ui-middleware:
     ingress:
@@ -126,6 +129,7 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
       tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-guidedtours:
     imagePullSecrets:
@@ -135,6 +139,7 @@ appsuite:
     image:
       repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
       tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   guard-ui:
     imagePullSecrets:
@@ -144,11 +149,13 @@ appsuite:
     image:
       repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
       tag: {{ .Values.images.openxchangeGuardUI.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
   core-user-guide:
     image:
       repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
       tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
+      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . }}

helmfile/apps/openproject/values.gotmpl

@@ -10,7 +10,7 @@ global:
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.openproject.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.openproject.tag }}"
 
 memcached:

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.oxConnector.repository }}"
-  pullPolicy: "Always"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
   tag: "{{ .Values.images.oxConnector.tag }}"
 
 imagePullSecrets:

helmfile/apps/services/helmfile.yaml

@@ -10,12 +10,12 @@ repositories:
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
   - name: "mariadb-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
   - name: "postfix-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -44,7 +44,7 @@ releases:
     condition: "certificates.enabled"
   - name: "redis"
     chart: "bitnami-repo/redis"
-    version: "18.0.0"
+    version: "18.0.4"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
@@ -58,14 +58,14 @@ releases:
     condition: "postgresql.enabled"
   - name: "mariadb"
     chart: "mariadb-repo/mariadb"
-    version: "2.0.2"
+    version: "2.1.0"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
     condition: "mariadb.enabled"
   - name: "postfix"
     chart: "postfix-repo/postfix"
-    version: "2.0.0"
+    version: "2.0.3"
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
@@ -74,18 +74,21 @@ releases:
     chart: "clamav-repo/opendesk-clamav"
     version: "4.0.0"
     values:
+      - "values-clamav-distributed.yaml"
       - "values-clamav-distributed.gotmpl"
     condition: "clamavDistributed.enabled"
   - name: "clamav-simple"
     chart: "clamav-repo/clamav-simple"
     version: "4.0.0"
     values:
+      - "values-clamav-simple.yaml"
       - "values-clamav-simple.gotmpl"
     condition: "clamavSimple.enabled"
   - name: "sovereign-workplace-gateway"
     chart: "istio-resources-repo/istio-gateway"
     version: "1.1.2"
     values:
+      - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
     condition: "istio.enabled"
 

helmfile/apps/services/values-clamav-distributed.gotmpl

@@ -10,6 +10,7 @@ clamd:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.clamd.repository }}"
     tag: "{{ .Values.images.clamd.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.clamd | toYaml | nindent 4 }}
 
@@ -20,6 +21,7 @@ freshclam:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.freshclam.repository }}"
     tag: "{{ .Values.images.freshclam.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.freshclam | toYaml | nindent 4 }}
 
@@ -33,6 +35,7 @@ icap:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.icap.repository }}"
     tag: "{{ .Values.images.icap.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.icap | toYaml | nindent 4 }}
 
@@ -43,6 +46,7 @@ milter:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.milter.repository }}"
     tag: "{{ .Values.images.milter.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   resources:
     {{ .Values.resources.milter | toYaml | nindent 4 }}
 

helmfile/apps/services/values-clamav-distributed.yaml

@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  enabled: true
+  readOnlyRootFilesystem: true
+
+clamd:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+freshclam:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+icap:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+milter:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+...

helmfile/apps/services/values-clamav-simple.gotmpl

@@ -10,10 +10,12 @@ image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.clamd.repository }}"
     tag: "{{ .Values.images.clamd.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   icap:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.icap.repository }}"
     tag: "{{ .Values.images.icap.tag }}"
+    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 resources:
   {{ .Values.resources.clamd | toYaml | nindent 4 }}

helmfile/apps/services/values-clamav-simple.yaml

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+  fsGroupChangePolicy: "Always"
+...

helmfile/apps/services/values-istio-gateway.yaml

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+tls:
+  httpsRedirect: false
+...

helmfile/apps/services/values-mariadb.gotmpl

@@ -11,6 +11,7 @@ global:
 image:
   repository: "{{ .Values.images.mariadb.repository }}"
   tag: "{{ .Values.images.mariadb.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 # Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
 # Please refer to `databases.yaml` for details.

helmfile/apps/services/values-mariadb.yaml

@@ -1,6 +1,25 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 job:
   enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
 ...

helmfile/apps/services/values-postfix.gotmpl

@@ -12,6 +12,7 @@ image:
   registry: {{ .Values.global.imageRegistry }}
   repository: "{{ .Values.images.postfix.repository }}"
   tag: "{{ .Values.images.postfix.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 certificate:
   secretName: "{{ .Values.ingress.tls.secretName }}"

helmfile/apps/services/values-postfix.yaml

@@ -5,6 +5,19 @@ certificate:
   request:
     enabled: false
 
+containerSecurityContext:
+  allowPrivilegeEscalation: true
+  capabilities: {}
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
 postfix:
   hostname: "postfix"
   inetProtocols: "ipv4"

helmfile/apps/services/values-postgresql.gotmpl

@@ -11,6 +11,7 @@ global:
 image:
   repository: "{{ .Values.images.postgresql.repository }}"
   tag: "{{ .Values.images.postgresql.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 job:
   users:

helmfile/apps/services/values-postgresql.yaml

@@ -1,11 +1,29 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
   enabled: true
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 job:
   image:
     digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
 
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
+
+
 postgres:
   user: "postgres"
 ...

helmfile/apps/services/values-redis.gotmpl

@@ -16,6 +16,7 @@ image:
   registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.redis.repository }}"
   tag: "{{ .Values.images.redis.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 master:
   persistence:

helmfile/apps/univention-corporate-container/values.gotmpl

@@ -13,7 +13,7 @@ global:
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"
-  imagePullPolicy: "Always"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   repository: "{{ .Values.images.univentionCorporateServer.repository }}"
   tag: "{{ .Values.images.univentionCorporateServer.tag }}"
 

helmfile/apps/xwiki/values.gotmpl

@@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 image:
   name: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}"
   tag: "{{ .Values.images.xwiki.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 externalDB:
   password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"

helmfile/environments/default/global.yaml

@@ -39,4 +39,8 @@ global:
   imagePullSecrets:
     - "external-registry"
 
+  ## Define the policy to pull container images.
+  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+  #
+  imagePullPolicy: "IfNotPresent"
 ...

helmfile/environments/default/images.yaml

@@ -6,128 +6,123 @@ images:
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
   collabora:
-    # repository: "collabora/code"
-    # tag: "23.05.2.2.1"
     repository: "souvap/tooling/images/collabora"
     tag: "23.05.3.1.1@sha256:f1248a50e67940e3be3dfa58dc37eca73267cf73a679b459707d2520cee7720e"
   dovecot:
     repository: "dovecot/dovecot"
-    digest: "sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
+    tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
   element:
-    repository: "souvap/tooling/images/element-web@sha256"
-    tag: "16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
+    repository: "souvap/tooling/images/element-web"
+    tag: "latest@sha256:16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
   freshclam:
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
   jibri:
     repository: "jitsi/jibri"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
   jicofo:
     repository: "jitsi/jicofo"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:820fcd4b072b29f42c1c37389fbefda1065f1e9654694941485dc08123c8a93b"
   jitsi:
     repository: "jitsi/web"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:24bd4179998fe01ace1be74e53fea5308f4d91722953bb4334611e6886753f46"
   jitsiKeycloakAdapter:
     repository: "nordeck/jitsi-keycloak-adapter"
-    tag: "v20230816"
+    tag: "v20230906@sha256:54d45ee1a1205f98641810ffb171bd92e6478e2957a349ee4ff599359239fbf2"
   jitsiPatchJVB:
     repository: "bitnami/kubectl"
-    tag: "1.26.6"
+    tag: "1.26.8@sha256:c6902a1fdce0a24c9f93ac8d1f317039b206a4b307d8fc76cab4a92911345757"
   jvb:
     repository: "jitsi/jvb"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
   icap:
     repository: "souvap/tooling/images/c-icap"
     tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
   intercom:
     repository: "univention/intercom-service"
-    tag: "1.4-kubernetes"
+    tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
   keycloak:
     repository: "bitnami/keycloak"
-    tag: "19.0.3-debian-11-r15"
-    digest: ""
+    tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
   keycloakBootstrap:
     repository: "souvap/tooling/images/ansible"
-    tag: "4.10.0"
+    tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
   keycloakExtensionHandler:
     repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
-    digest: "cdaaab8fb1b658ee2ca45557e76570153bb306c43061db5b5ee0f418c40e2200"
+    tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
   keycloakExtensionProxy:
     repository: "souvap/tooling/images/keycloak-extensions/keycloak-proxy"
-    digest: "15ad665620368178d98721c0bd91744dd9c965c2e470abc3838e353fff530093"
+    tag: "latest@sha256:57026fb4ba7d4579461e7ddd4b1b8ce9585d1cac4adbe64040f5e1063c80a6ba"
   mariadb:
     repository: "mariadb"
-    tag: "10"
+    tag: "11.1.2-jammy@sha256:b6440c4f4e1471bdcee202e4c4e21c1f93af87421f6d33028363dd224e54f481"
   memcached:
     repository: "bitnami/memcached"
-    tag: "1.6.21-debian-11-r4"
+    tag: "1.6.21-debian-11-r84@sha256:81747acd297d3fcd05706ea771d441a6f01b28d722c366a06f922b6b7d4033dd"
   milter:
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
   nextcloud:
     repository: "nextcloud"
-    tag: "26.0.5-apache"
+    tag: "26.0.5-apache@sha256:2a129ba3258300424319e7023e8e60c28d79178ae4143e7ba2d41148646c30e1"
   openproject:
-    repository: "souvap/tooling/images/openproject/souvap@sha256"
-    tag: "5da1ae8be3d7483bf0f3d9ec50c3470586528e0ff51b663e2c3a57bceb489423"
+    repository: "souvap/tooling/images/openproject/souvap"
+    tag: "dev@sha256:03eb1eacc0c0c4e9e7d0f0c3d265fd0c15fd01cda33bc4f89cbc487ad53474a8"
   openxchangeBootstrap:
     repository: "alpine/k8s"
-    digest: "sha256:199a4457602b4e260d9781358cd2e342f63c177f4bcfa8053493be01e57beddf"
+    tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
   openxchangeCoreGuidedtours:
     repository: "appsuite-public-sector/core-guidedtours"
-    tag: "8.5.1"
+    tag: "8.5.1@sha256:469457562a378cca50460e08d9437a954fc6f19622f18128fa74979f7905ecd9"
   openxchangeCoreMW:
     repository: "appsuite-public-sector/middleware-public-sector"
-    tag: "8.16.55"
+    tag: "8.16.55@sha256:11317124714725d61204188ebfebc2220f295fd59b245adcef0b6c3186a68fd3"
   openxchangeCoreUI:
     repository: "appsuite-public-sector/core-ui"
-    tag: "8.16.5"
+    tag: "8.16.5@sha256:4f4dd4e36fb8a1b493c195e38e2f13b87c9582bfcdc3d23b646698fce2ffef8c"
   openxchangeCoreUIMiddleware:
     repository: "appsuite-public-sector/core-ui-middleware"
-    tag: "1.8.4"
+    tag: "1.8.4@sha256:c707fbd5496c894f201dab8f4e78aad98f1ad80c8058778f04dfa5e6e201ed64"
   openxchangeCoreUserGuide:
     repository: "appsuite-public-sector/core-user-guide"
-    tag: "8.16.727397"
+    tag: "8.16.727397@sha256:5d8dbf9a91456dea59a235b495dcd002b971e2b23ef6c3a2ea5fd2071664e2a4"
   openxchangeGuardUI:
     repository: "appsuite-public-sector/guard-ui"
-    tag: "4.0.6"
+    tag: "4.0.6@sha256:7bb8fdf944228dd78a5c33bbd8d0019d5a9e4ce1c35bda674166f2febc5d9a02"
   openxchangeNextcloudIntegrationUI:
     repository: "appsuite-public-sector/nextcloud-integration-ui"
-    tag: "1.0.3"
+    tag: "1.0.3@sha256:193fd07a8b83164d175cd55f7e28fb7ec6d81f1037945035ca709825725c038e"
   openxchangePublicSectorUI:
     repository: "appsuite-public-sector/public-sector-ui"
-    tag: "2.0.1"
+    tag: "2.0.1@sha256:8df90f6dfb59008567d8ded0dbd17b8f92f409c78ba2cf4ab2a39e1b23e34d3b"
   oxConnector:
     repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
-    tag: "branch-jconde-listener-entrypoint-chaining"
+    tag: "branch-jconde-listener-entrypoint-chaining@sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
   postfix:
     repository: "souvap/tooling/images/postfix"
     tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"
   postgresql:
     repository: "postgres"
-    tag: "15-alpine"
+    tag: "15.4-alpine3.18@sha256:f36c528a2dc8747ea40b4cb8578da69fa75c5063fd6a71dcea3e3b2a6404ff7b"
   prosody:
     repository: "jitsi/prosody"
-    tag: "stable-8615"
+    tag: "stable-8922@sha256:243547f24ae7d686d1f0c18ee230cf93119a66f095dda282bacbf45d4bb69f77"
   redis:
     repository: "bitnami/redis"
-    tag: "7.0.12-debian-11-r0"
+    tag: "7.2.1-debian-11-r5@sha256:e664fa63dfe88cd099180c32f2c9a109a958f053b75d195beb48b06ffd8a0b5b"
   synapse:
     repository: "matrixdotorg/synapse"
-    tag: "v1.87.0"
+    tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
   synapseWeb:
-    repository: "library/haproxy"
-    tag: "2.4"
+    repository: "rapidfort/haproxy-official"
+    tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
   univentionCorporateServer:
-    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs@sha256"
-    tag: "6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
+    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
+    tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
   wellKnown:
     repository: "library/nginx"
-    tag: "1.23"
+    tag: "1.25.2-bookworm@sha256:9504f3f64a3f16f0eaf9adca3542ff8b2a6880e6abfb13e478cca23f6380080a"
   xwiki:
-    # repository: "xwikisas/swp/xwiki"
-    # tag: "0.10-mariadb-tomcat"
-    repository: "xwikisas/swp/xwiki@sha256"
-    tag: "02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
+    repository: "xwikisas/swp/xwiki"
+    tag: "0.10-mariadb-tomcat@sha256:02f0ff6407ccdd8dab17814202e28991fe0aa8d44fa106ba171cff5249eaf58f"
 ...

helmfile/environments/default/resources.yaml

@@ -9,6 +9,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "2Gi"
+  collabora:
+    limits:
+      cpu: 1
+      memory: "500Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
   dovecot:
     limits:
       cpu: 0.5

helmfile/environments/default/smtp.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 smtp:
-  host: "mail.brained.io"
-  username: "relay@souvap-univention.de"
+  host: ""
+  username: ""
   password: "{{ env "SMTP_PASSWORD" }}"
 ...